Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

Is enough being done to keep UK critical infrastructure secure?

Duncan Fisken asks whether critical infrastructure interdependencies are being effectively addressed.

A recent US Department of Justice ruling that sharing threat data does not constitute antitrust violations, has opened the door to increased security for utilities in that country. But what about energy companies, and other critical national infrastructure, here in the UK? While there’s been much publicity for the banking sector’s preparations, with The Bank of England’s Waking Shark I, II and III initiatives, little is known of the energy sector’s collaborative testing – or even if it exists? Are we just in the dark? Or are we at risk of complete darkness if our critical energy infrastructure was targeted in a cyber attack?

Lifting the lid

Whether it’s a nuclear power plant, an electricity substation, a water treatment reservoir or even the HVAC (heating, ventilation, air conditioning) for a communication hub, what all these utilities have in common is the nuts and bolts that make them work. Inside each, there will be hundreds, thousands and even millions of valves, pumps and switches that control the rate and flow of various chemical compounds and electrical signals around the site. These complex mechanical control systems govern what happens – how much water flows into the filtration tanks, how the fuel rods are engaged in the reactor at a given time etc. Historically, these would all have been very mechanical and physical in nature, and some may even have had radio based telemetry systems to monitor activity – for example how open a valve was in a reservoir. At the time, these systems were largely isolated from the outside world, in that virtually nothing was IP connected.

Today, things could not be more different. SCADA (supervisory control and data acquisition systems) have changed the way our critical national infrastructure functions beyond recognition.

The Internet of Things

Today’s trend is to IP enable any and all of these systems and devices so that they’re easier to control and monitor, often with automated systems, and usually remotely. Everything, from valve and control systems, to reactor control systems, can be connected wirelessly or even through the Internet. There are a number of reasons for doing so but, fundamentally, all fall back to the same principles – it’s far more efficient, easier to manage and simplifies building bigger networks.

And that, in itself, is what gives makes them vulnerable. If something is IP connected, in theory, it can be reached from the Internet.

Under attack

Today there is a very real threat to our critical national infrastructure.

While for years it’s been the plot of block buster movies, it’s not beyond the realms of possibility that a cyber attacker, motivated by terrorism or even state sponsored, would target a major power plant in an effort to cripple our nation – and while Bond villains may use plastic explosive as the weapon of choice, realistically it doesn’t have to be a massive explosion. Exploiting a network vulnerability to gain access to a nuclear generating plant’s process control systems is, unfortunately, not the stuff of science fiction.

And it doesn’t even have to be malicious.

We’ve already experienced instances of the domino effect, where one sub-station is taken out and that in turn increases the load on the rest of the network. Under too much pressure, and one by one the nodes fall over and the system fails. Singapore is a case in point – an engineer applying a software upgrade to one of its local telecom switches caused huge outages when he flipped the switch, bringing down much of Singapore’s digital telephone network.

It’s called critical for a reason

It’s difficult to argue if any utility is more critical than another since, as a nation, we all rely on our national infrastructure. Whether its power, or communications, if one were taken away we’d all eventually fail.

As illustration, while the banks are busy playing war games with ‘Waking Shark’, if the power or communications networks failed, this would in turn compromise the banks’ ability to do business equally as effectively.

In the current climate of multiple energy suppliers sharing the same grid or distribution network, it seems obvious that not only the sharing of threat data is essential but also collaboration of system testing (penetration testing for example). That said, while I’m certain the energy utilities, have a robust plan to protect against attack and compromise, I do question how connected it is to the rest of critical national infrastructure, and therefore left vulnerable from another being exploited. After all, I’ve not heard of Waking Lion – for want of a better name?

In the absence of, or perhaps irrespective of, a collaborative program, clearly it’s down to individual organizations to ensure that they are as prepared as they can possibly be. The fundamental priority being to implement, in a cyber context, whatever measures and tools enable the business to take a predictive view of the vulnerability of the network as a whole. And predictive in the context of being able to spot, in advance, exposure to business or mission critical assets.

And that’s where it becomes difficult.

Prioritising the priorities

Most network security tools will not differentiate business criticality from one device to another. To counteract this, the line of business needs to be conjoined with the security operations to be able to identify and place asset values on those that are crucial and critical to the business. Only then can the CISO and CEO take an informed view of where to concentrate any remediation efforts on exposures which would bring down the business. If this is even slightly misaligned, focus and energy could be wasted remediating a compromise within one area of the business which, while it may be open to the outside world, in reality doesn’t present an actual risk, direct or downstream - whilst leaving a tiny, but actually gaping, hole that could fatally cripple the business.

Ultimately, attention needs to be paid to implement proactive and predictive security infrastructure management. Situational awareness and automation are key - sunlight is the best disinfectant and computers are better at reading phonebooks than humans! Close collaboration across the supply chain is crucial: both horizontally between critical infrastructure operators and, because attackers will also try to exploit weaknesses in the supply chain, down through their partner ecosystem.

The author

Duncan Fisken is SVP & MD EMEA, RedSeal Networks.

•Date: 15th May 2014 • UK •Type: Article • Topic: Critical infrastructure protection

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here