ISJ Exclusive: How vulnerable is our critical infrastructure?

Philip Ingram MBE takes an in-depth look at the global critical infrastructure landscape.

CNI, CPNI, CISA, EPCIP with its related CIIP are all acronyms we hear thrown about a considerable amount in the security community. However, have many of us looked at the detail behind them, what they do and what the risks are?

I also challenge our security professionals to know what all of the opening acronyms are without having to check on a search engine.

In fact, in March, the Daily Express reported that: “People throughout the East of England across Suffolk, Cambridgeshire, Hertfordshire and Bedfordshire lost all power. There have been widespread problems on travel networks, with Thameslink trains unable to stop at St Albans. UK Power Networks has apologised for the disruption and said it is down to a ‘fault on the electricity network’.”

At around the same time the latest British Airways “global IT system failure” was reported, coming only a couple of years after reports of the baggage handling system at Heathrow breaking down and of BA check-in IT system failures. Signals out of Euston station also failed, and then two power generating stations failed within two minutes of each other at rush hour on a Friday. As you can imagine, this caused chaos in hospitals and confusion with traffic lights in London, on the rail networks and in multiple airports.

However, none of these incidents was assessed as having been caused by an attack on critical infrastructure; they were attributed to faults in a creaking infrastructure. One thing they have done, however, is ensure that resilience planning and business continuity planning remain at the fore. So, how vulnerable is our critical infrastructure, and do those vulnerabilities stem from security risks, or simply from age, mismanagement and underfunding?

Harden defences and remain vigilant

On 24 March 2022, four Russian Government employees were charged in the US for two historical hacking campaigns targeting critical infrastructure worldwide. They were accused of two separate conspiracies between 2012 and 2018. In total, these hacking campaigns targeted thousands of computers at hundreds of companies and organisations in approximately 135 countries.

Deputy Attorney General Lisa O. Monaco said: “Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world.

“Although the criminal charges unsealed reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defences and remain vigilant. Alongside our partners here at home and abroad, the Department of Justice is committed to exposing and holding accountable state-sponsored hackers who threaten our critical infrastructure with cyber-attacks.”

“The FBI, along with our federal and international partners, is laser-focused on countering the significant cyber-threat Russia poses to our critical infrastructure,” remarked FBI Deputy Director Paul Abbate. “We will continue to identify and quickly direct response assets to victims of Russian cyber activity; to arm our partners with the information that they need to deploy their own tools against the adversary and to attribute the misconduct and impose consequences both seen and unseen.”

One question has been asked time and time again given the Russian re-invasion of Ukraine: “Why has Russia not launched massive attacks against the critical infrastructure of Ukraine and those countries supporting Ukraine politically, economically and with materiel?”

Gen. Paul Nakasone, the Head of U.S. Cyber Command spoke about this: “The negligible role of cyber-attacks in the Ukraine conflict should come as no surprise. Through war simulations, statistical analyses and other kinds of studies, scholars have found little evidence that cyber-operations provide effective forms of coercion or that they cause escalation to actual military conflict.

“That is because for all its potential to disrupt companies, hospitals and utility grids during peacetime, cyber-power is much harder to use against targets of strategic significance or to achieve outcomes with decisive impacts.”

Growing threats

All threats tend to head in a cyber direction quickly, but the physical domain remains equally important.

ISIS and Al Qaeda have not gone away with the loss of territory in Iraq and Syria and, according to several analysts, are in a transition phase. What is clear is that they maintain significant support across the globe and critical infrastructure is always on their target list.

Closer to home in the UK, a rise in extreme right-wing terror has seen the responsibility for countering it passed to the Security Service (MI5) from the police and wrapped in with the increasingly active Irish Republican terrorism, still confined to the island of Ireland, but growing in its visibility. These organisations are less likely to target critical infrastructure, but Irish terrorism in the past has done so.

Those working in critical infrastructure are prime targets for espionage and approaches from hostile intelligence services. Such is the threat, especially when initial approaches are often made over social media connections, that CPNI, the Centre for Protection of National Infrastructure, initiated a campaign called “Think before you link.” Some of the background to this campaign used, as an example, an approach that was made to the author by Chinese intelligence services – but that is another tale.

This brings me back to the acronyms at the beginning of the article. CNI is clearly Critical National Infrastructure, and CPNI is the UK Government agency that provides advice on protecting it, although its advice is available to a wider circulation. CISA is the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, and EPCIP is the European Programme for Critical Infrastructure Protection, with its related CIIP, the EU initiative on Critical Information Infrastructure Protection.

CIIP aims to strengthen the security and resilience of vital information and communication technology (ICT) infrastructures. EPCIP aims to reduce the vulnerabilities of critical infrastructures, with a package of measures intended to improve the protection of critical infrastructure in Europe across all EU States and in all relevant sectors of economic activity.

The common denominator for all these acronym’d agencies and initiatives is that they have websites filled with up-to-date, easy to follow guidance and advice. They are examples of where you can get good security advice and guidance for free. And, whilst all of the incidents described at the start of this article were caused by a creaking infrastructure, our infrastructure keeps our resilience planning tested.

This article was originally published in the May edition of ISJ.