CNI security: turning vulnerability into resilience

Millions wake up to no electricity after power grids are taken offline… Online banking systems crash and customers can’t access money… Drinking water ruled unsafe after water treatment facilities breached…

Such headlines are classic examples of what might happen if the UK’s Critical National Infrastructure (CNI) fails. These are the services that all of us rely on and can often take for granted, such is their sheer ubiquity and importance to our daily life.

In previous generations, CNI was primarily seen as physical property — dams and bridges, motorways and power plants. Now, though, the increasing digitalisation of such infrastructure means that these assets have become prime targets for cyber criminals worldwide — and the risks are very real.

Just consider the disruption caused to millions of passengers at major UK airports and ferry ports last May as real-life. The Border Force electronic passport gates failed due to reported “IT issues”. This disruption grounded flights for several hours and the root cause never published.

Nearly a year on, the vulnerability of UK border security couldn’t be under more public scrutiny and criticism both in terms of electronic and manned support. Does this mean that the Government’s UK Border Strategy 2025 failed, because of security management requirements and solution? If so, what lessons can we learn to ensure improved resilience for other CNI Projects and Programmes going forward?

Also consider the seriousness of major cyberattacks disclosed last year by three of the UK’s largest public data holding organisations: (1) UK’s Electoral Commission 40m registered voter records vulnerable and exploitable (August 2021-October 2022 — disclosed 8th August 2023); (2) Royal Mail £33m ransom for 44GM compressed 7-Zip file (10th January 2023); and (3) Capita’s “significant risk” data exfiltration of its 4.3m membership of over 450 pension schemes (22nd March 2023).

Evidence gathering

One must ask why a public investigation to understand what, if any, common vulnerability issues exist across all three IT systems has not yet been commissioned.

The extent of vulnerability may indeed be narrow. Failing to identify root cause and other vulnerability enablers will stifle advancements to turn cyber vulnerability into resilience across CNI.

Investing in discovery, identification, reparation and rehabilitation of public IT systems and indeed CNI as a collective rather than silos will be an important step forward.

The public’s confidence and trust in the Government’s ability to build and maintain resilient CNI is a basic essential for continued investment support and data retention for public services and economic growth.

Data thefts which threaten or harm the public will undermine trust in digital infrastructure for the long term.

Should the House of Commons commission a detailed report like that of Carillion to identify root causes of exploitation, understand spend transparency on security, together with recommendations that enable project teams to prevent similar vulnerabilities and attacks now and in the future? I think so.

Future warnings

The Cyber Security in Critical National Infrastructure Organisations: 2023 report by Bridewell highlighted that over a third (34%) of organisations across UK CNI anticipate a rise in cybercrime as a direct result of the current economic crisis.

Even more recently, the UK’s National Cyber Security Centre has warned that artificial intelligence is poised to increase the intensity and volume of these attacks in the near term.

CNI organisations such as utility, healthcare and financial services companies also must safeguard huge amounts of their customers’ personal data — another tempting target for cyber criminals.

At the same time, they are having to balance legacy IT systems while evolving more of their services to the cloud — a complicated process which can leave security gaps for cyber criminals to exploit.

CNI organisations operating in oil and gas, space and defence also must deploy enhanced intellectual property security to protect sensitive data from both their competitors and nation-state actors as it is transmitted across their networks.

Action stations

All too often there is a systematic lack of cyber threat and landscape expertise during CNI procurement programmes, with budgetary constraints or lack of resources looming large across the process. However, the acute vulnerabilities of the UK’s CNI to cyber-attack means that organisations — both public and private — are starting to become more aware of the threat they face.

If you would like to learn more about how Primes and SMEs can build better CNI & IP security resilience against online threats, feel free to join this one-hour webinar at 10am on Tuesday 23rd April which will feature Sophie and Mark Chang from Capgemini. For more information, and to secure your free place, please visit our website for more details.