critical infrastructure - TechHQ Technology and business
Fri, 15 Dec 2023 11:41:14 +0000

UK at high risk of catastrophic cyberattack
https://techhq.com/2023/12/why-does-house-of-commons-committee-report-say-uk-at-catastrophic-cyber-risk/
Fri, 15 Dec 2023 12:30:48 +0000


• House of Commons Committee declares UK at “high risk of catastrophic cyberattack.”
• Fractured legacy technology infrastructure and an evolving cyberthreat pinpointed as urgent issues.
• The issue will be dwarfed by the UK’s economic woes at the next election.

“Poor planning and a lack of investment.” According to the more acid-tongued political observers in the UK, that’s a judgment that could be applied to any number of areas of any current government. But there’s a difference between the judgment of media observers and the pronouncements of the UK’s Joint Committee on the National Security Strategy.

The Committee, comprised of members of both the UK’s elected chamber (House of Commons) and its appointed chamber (House of Lords), has drawn attention to a paucity of both government funding and strategic planning for the cyber-safety of the nation, saying the country’s critical national infrastructure is “at high risk of a catastrophic cyberattack.”

Few in the House of Commons dare to use the word “catastrophic” without proof to back up the term. Doing so tends to be thought frivolous, and can end the career of any Chicken Little Member of Parliament (MP) who cries that the sky is falling in when it turns out not to be. It should be stated, however, that Committee pronouncements are commonly accepted to be a conduit through which more partisan language and thought might flow. The two chambers of the UK Parliament are traditionally more reticent.

The House of Commons Joint Committee on National Security Strategy has spoken.

The proof behind the Committee’s assertion is set out in its report. It acknowledges three significant factors that make the UK’s critical national infrastructure especially vulnerable, leaving a fourth unspoken, though it is the province of observer gossip.

Vulnerability #1: fractured legacy technological layers.

Technology in the UK’s critical national infrastructure (CNI) is not only dependent on legacy equipment, but on layers of legacy equipment, some of which are not interoperable across departments, geographical sites or timeframes. That’s down to a lack of consistent funding and determination over time, meaning a large problem has been poorly addressed with piecemeal solutions.

The report explains that:

“• In the context of ‘ever-increasing digitalization of the UK’s CNI operations,’ many CNI operators are still operating outdated legacy systems. According to Thales, it is ‘not uncommon’ to find aging systems within CNI organizations with a long operational life, which are ‘not routinely updated, monitored or assessed.’ The increase in hybrid and remote working also brings additional risks.

• Legacy operational technology (OT) poses a particular challenge: digital transformation is resulting in these assets, which were ‘never designed with smart functionality in mind,’ being ‘overlayed with IT and hyperconnectivity.’ OT systems are ‘much more likely to include components that are 20-30 years old and/or use older software that is less secure and no longer supported.’

Thales is seeing ‘increased [threat actor] activity across all of the critical national infrastructure sectors,’ with a move towards attacks on certain types of OT. Reliance on digital systems also means that attacks against operators’ wider IT systems can force companies to shut down their OT—as in the case of the US Colonial Pipeline attack, in which the affected systems were responsible for corporate functions such as billing and accounting.”

It is worth noting, however, that Thales is a long-standing government contractor tasked with both physical and cyber defense provision, so it will certainly have monetary skin in this game.

As will surprise no one, the UK’s National Health Service (NHS) – a single nationwide healthcare provider for everything from antibiotics to brain surgery and ER-based trauma – was a source of particular despondency when it came to legacy technology vulnerability.

“• The NHS remains particularly vulnerable: healthcare is a ‘large and growing target across Europe,’ and the NHS operates a ‘vast estate of legacy infrastructure,’ including ‘IT systems that are out of support or have reached the end of their lifecycle.’ This puts it in a ‘particularly difficult position to protect itself from cyberattacks,’ despite the fact that many critical medical devices and equipment are now connected to the internet. Many hospitals lack the capacity to undertake even ‘simple upgrades’ as a result of crumbling IT services and a lack of investment.”

The UK’s critical national infrastructure is at least partially decades out of date and out of warranty.

Vulnerability #2: the evolving nature of the threat.

While ransomware has been a significant threat to UK critical infrastructure for some time, the Committee’s report dwelled at length on the evolving nature of the cyberthreats the UK faces – especially as that evolution is happening faster than the technology underpinning critical infrastructure can, in practical terms, be refreshed.

“Witnesses were almost unified on the changing nature of the threat, describing the evolution of a mature and complex ecosystem with a ‘cell-like architecture, akin to other forms of serious organised crime.’ Key developments include:

  • The growth in ransomware-as-a-service (RaaS), in which an efficient division of labour has evolved. Typically, ‘initial access brokers’ will achieve the initial hack and sell the access onto ‘affiliates;’ ransomware operators will also sell a malware source code to affiliates (and might also negotiate with victims); and affiliates will then pay a service fee to ransomware operators for every collected ransom. These ‘groups’ of actors are connected in quite loose ways, making attribution of responsibility for attacks more difficult. This efficiency of specialization has increased the tempo of ransomware operations. It has also lowered the cost barrier to entry into ransomware, because less sophisticated criminal groups (affiliates) can purchase the required technology to conduct more advanced attacks. One witness described the typical threat actor now as ‘quicker, more agile and brazen.’
  • Innovations in marketing, recruitment and communication: RaaS operatives are known to offer their services on a monthly subscription basis with optional extras, and have actively recruited affiliates. Groups operate on closed chatrooms to communicate with one another, and some even act like legitimate enterprises, establishing HR functions to coordinate their annual leave.
  • A shift towards larger, higher-value targets (sometimes described as ‘big game hunting’), with threat actors developing more ‘sophisticated weaponry’ and achieving much larger ransom payouts.
  • An increase in double or triple extortion methods, in which ransom demands are linked to threats to publish sensitive data online; in these cases, the data may be “exfiltrated” (removed) rather than encrypted. Organizations are thus held to ransom on the grounds of confidentiality (release of sensitive data), and not just availability (access to files). In triple extortion, the victim’s customers or suppliers may be threatened with the release of sensitive data if they do not pay a further ransom; a “premium subscription” might also be on sale—to the victim and others—in exchange for exclusive rights over the data.”

Vulnerability #3: geopolitics

The report – authored by members of both the House of Commons and the House of Lords, from across the political spectrum – cites external geopolitics as a factor in the UK’s particular vulnerability.

“• The National Cyber Security Centre’s (NCSC’s) 2022 Annual Review noted that most of the ransomware groups targeting the UK are ‘based in and around Russia,’ benefiting from ‘the tacit consent of the Russian State’;
• The NCSC’s Annual Review 2023 raised the same concerns but placed emphasis on the development of ‘a new place of cyber-adversary’ who are often ‘sympathetic to Russia’s further invasion of Ukraine and are ideologically, rather than financially, motivated.’
• In its written evidence to this inquiry, the Government stated with near certainty that ‘the deployment of the highest impact malware (including ransomware) affecting the UK remains concentrated mostly in Russia;’ and
• DXC Technology, a US IT company, told us that, of the ten most prolific and dangerous ransomware strains identified by the NCSC’s Ransomware Threat Assessment Model, eight are ‘likely based in Russia.’

According to RUSI, some of these groups are experienced in this evolving field of offending: in many cases, the same Russian actors were conducting ‘malware and botnet operations’ against UK financial institutions from 2010 onwards, and have subsequently ‘pivoted their business model’ towards ransomware operations. The lines between state activity and criminal groups are also blurred.

Prior to Putin’s full-scale 2022 invasion, Ukraine harbored an element of the ransomware threat: Jamie MacColl from RUSI commented that the ransomware ecosystem contained ‘multiple nationalities from former Soviet Union countries, including Ukraine.’ The NCA told us that it had worked with the Ukrainian Government in the past to investigate and arrest some of those offenders, but that the Ukrainian attackers had subsequently either gone to Russia or had ‘turned to attacking Russia,’ rather than the West. The impact of the war on cyberthreat levels overall appears mixed: a reported wave of cyberattacks against Ukraine encountered strong defences, and some downward global trends have been attributed to the war distracting Russian aggressors away from conducting ransomware attacks. It has also caused splits within ransomware groups, with members coming out for and against the Russian Government. This splintering may have made such groups even harder to disrupt.”

The intensification of pro-Russian hacking has an effect on the UK’s vulnerability.

The unspoken vulnerability.

While the report runs to a handful of pages on specific actions that should be taken to address the parlous state of the UK’s cybersecurity in critical national infrastructure, the unspoken vulnerability remains visible in the condemnation the report reserves for those two central weaknesses – a lack of funding, and a lack of planning.

To deliver on either of those things, a government has to be willing and able to focus, over the long term, on the widespread cyberthreat to the nation’s critical national infrastructure.

The government of the UK has been a revolving door for 7 years, with five Prime Ministers in that time.

The UK has had what is technically one government since 2010. During that time, however, it has had no fewer than five Prime Ministers, all from the Conservative party. All but the first (David Cameron) have campaigned, won, and governed with a single central political goal – making a success out of the 2016 Brexit vote, which divorced the UK from the rest of the EU.

Until recently, delivering a successful post-Brexit reality has been the main concern of both the Home Office and the Foreign and Commonwealth Office, leaving little in the coffers for any fundamental revamp of cybersecurity across the UK’s critical national infrastructure.

Add the hugely negative economic impact of Brexit (a sudden lack of equal access to the UK’s closest economies, labor, and law) and you have a situation that has taken up the vast amount of government time, focus, and money.

It has also been a period of extraordinary upheaval – one of the Prime Ministers (Liz Truss) lasted just 44 days, having managed to cost the UK economy £30bn single-handedly in little more than a day.

Obviously, there was the Covid pandemic, and the economic time-bomb of several extended national furloughs. A Parliamentary inquiry was ongoing, even as the Committee’s findings were hitting House of Commons printers, over the extent to which the Covid response by the UK government was mishandled.

Prime Minister Boris Johnson was forced to resign after it was discovered he had knowingly lied to both the House of Commons and the nation. Inflation soared, creating a cost of living crisis and forcing whole groups of workers to strike for decent wages – including several groups in the NHS.

The report warns amelioration could cost the country “tens of billions.” The UK needs a government that’s stable and focused on solving the cyberthreat problem long term, rather than delivering piecemeal solutions to parts of the infrastructure.

The cyberthreat question may have snuck up on the government over time – but the UK government has also never been stable enough in 13 years to tackle it effectively.

In the next 12 months, there will be a general election in the UK. The cybersecurity of the country’s critical national infrastructure is unlikely to be a front-line campaign issue in a country with underfunded schools, hospitals, and infrastructure, and an ailing economy where the gulf between rich and poor is the widest in the world (save the US).

It is to be hoped though that reports like that of the Joint Committee can at least make CNI cybersecurity a tangential priority of whichever party forms the next working majority in the House of Commons, and the country’s next government.

NB – this was five years ago, after the WannaCry attack. Nothing appears to have improved since then.

Protecting critical national infrastructure through secure cloud
https://techhq.com/2023/10/how-can-secure-cloud-protect-critical-national-infrastructure/
Tue, 17 Oct 2023 11:00:50 +0000


• Critical national infrastructure can be especially vulnerable to cyberattack.
• There may not be an awareness of the solutions that secure cloud can deliver.
• Similarly, there’s a need for more open recruiting in cyber to unlock potential.

As part of our look into the businesses using the UK’s Cyber Runway from Plexal in 2023, we spoke to one of this year’s cohort, Emma Humphrey, CEO of secure cloud specialist Kuro, about the challenges of protecting critical national infrastructure, and the role that secure cloud has to play in that.

THQ:

We’re seeing a lot more critical national infrastructure targeted for cyberattack in recent years. The UK had the Royal Mail attack early in 2023, the NHS gets targeted with a staggering regularity, and so on. How can a secure cloud capability help towards protecting our national interests? And why isn’t it already in place?

EH:

Well, why is it not in place? Why is it not more widely used? Fundamentally, there are two big reasons. Firstly, it’s not widely understood. Explaining the benefits of cloud is like explaining the benefits of a laptop – you can use it for so many different things. And that makes it quite difficult to understand where problems you have and cloud as a solution to those problems interlink.

But the fact is, even if you fully understand the problem you have with a piece of critical national infrastructure, you don’t necessarily know the cloud product you need, or the products to bundle together to actually solve that problem.

Secondly, even if you do understand how the cloud is going to solve your problem, you may not necessarily have the right skillsets available in-house at a reasonable cost to implement it.

So those two things – skills and understanding – are real blockers to cloud, both generally, and particularly in critical national infrastructure.

Fixing the problems.

THQ:

So how do we address those blockers?

EH:

What we try to do as a business is ask what the cloud can do about the threat environment. The answer’s usually “a great deal.” I alluded to the fact that it should be considered almost like a laptop, in that it can be used for anything, really. But we ask questions about how configurable the security environment is, and the many, many layers of security that you can put around your cloud infrastructure.

Taking cloud away from on-prem is much more secure, because there’s no longer a physical asset to attack, which is a benefit in and of itself. The next thing is the business resilience and continuity aspect of the situation. The cloud isn’t a physical thing, and there are benefits in that, in being able to recall your data access and set up alternative infrastructures to give yourself that business resilience if something does go wrong – that is exactly what the cloud is designed to do.

And if we can overcome those first two hurdles, it’ll be a wonderful thing for security posture in both the public and private sector.

Solving problems for critical national infrastructure the military way.

THQ:

As a veteran yourself, you’re pushing to get more veterans into cyber and cloud. There’s a very particular mindset that comes with the military, isn’t there? It’s that “Get it done, get it done right, and get it done fast” way of thinking, yes? How do you expect that to affect the overall cyber posture of a nation?

EH:

Well, veterans are adaptable by nature. And the threat picture is very fast moving, as is the technology that you work with. And what you find is that veterans are very well able to understand the threat and then apply their toolset to that threat. That’s what we’re all trained to do across the board.

We trust them to protect our nation and its interests – why not its cyber-infrastructure?

The other thing, as you say, is that we have a get-things-done mentality. We go in and nothing is too difficult. Our mentality is “80% now is better than 100% never,” and in security that is a big deal. How can I improve our posture now to the best it can be, because guess what, cybersecurity is never going to be 100% solved.

Soldiers are a lot more comfortable in that position – “I will do the best I can and I will keep improving.” That’s really the mentality that you need within cybersecurity.

THQ:

But there’s more to it, isn’t there, in terms of getting veterans in the door in the first place?

EH:

Definitely. As employers, we need to get better at recruiting these people and taking advantage of their skills. I’m part of many different groups where people talk about breaking into cyber as if it’s a locked Fort Knox of a career, that requires someone to kick down a door somewhere. And that shouldn’t be the case, because it’s a business like any other.

So apply and put your bid in and talk about your adaptability, talk about your confidence. Most importantly, talk about your ability to effectively communicate. It’s something that we all share. Because these are complicated ideas. And they need plain English speakers to bridge the gap between the guys sitting alone somewhere wearing hoodies and the businesses who need to care about what those guys are doing. Veterans need to have that awareness about their own skills.

Getting more women into cyber.

THQ:

That’s a solid point, because there’s that notion of the guy sitting alone somewhere, whereas bringing more veterans in is almost the antithesis of that, isn’t it? Because veterans are trained to get things done, but the fundamental preparation for that is communication, so everyone knows the same “obvious,” so everyone can do the right thing, and do it now.

What’s more, the percentage of women in tech as a whole, let alone in cyber, is still woefully small. How would you encourage more cyber and cloud businesses to be more gender-inclusive as well as veteran-inclusive?

EH:

By not operating as a dark art. What we do in the cyber community is phenomenal. And a lot of it is deeply technical. But we need to be very aware of the language that we use and make it inclusive. There are plain English ways of saying the complicated things, and we should always do that. And within the military, there’s the maxim: “Keep it simple.”

Critical national infrastructure needs more veterans in cyber to protect it.

If you’re communicating in a way that doesn’t include the entire audience, then you are not an effective communicator, you are showing off, or you are talking to a very small proportion of people. And that’s not what we aim to do.

So, I think to include more women, we need to make clear that we are a business and there is a role for everyone there. But also, that if you don’t understand the terms, you can learn, and you can adapt.

I mean, I’m a lawyer by trade, and here I am, CEO of a cyber company. It’s not a dark art, and it shouldn’t pretend to be one, because in doing that, cyber is auto-rejecting a lot of otherwise exceptional skills fits.

The other thing is policies.

If a woman has caring responsibilities, it’s a yes or no decision based on whether the job ad says three days minimum mandatory in London. You’ll rule out a great percentage of the people who are perfectly capable if you do that, people who’d add so much value, because they simply feel it’s incompatible with their caring responsibilities.

So use words like “flexible” and follow through on them. Understanding things like jobshare, shiftshare – let’s make them a reality.

Cyber does not depend on everybody being around for the pizza party.

THQ:

Hey, we did it during Covid.

EH:

Exactly, businesses flexed, and they were able to show that it could be done. A lot of industries thrived, including cyber. So, let’s carry forward some of those lessons we learned and include everyone in this picture.

THQ:

In cyber particularly, it’s not like you have to have everybody in the same room to do anything. So why would you insist on the “return to office” mentality?

EH:

Precisely that. So let’s build systems management where transparency doesn’t mean I can see you, it means I can trust you. And it means we have other ways of making sure that you’re communicating.

We did it before and it worked. Let’s do it again, because the value you can get in unlocking skills, from veterans, from women, from people with caring responsibilities and from people with mobility issues, is absolutely worth it.

The veteran mindset and the cyber mindset are practically identical.

In Part 3 of this article, we’ll talk about quantum cryptography – another area getting a boost from the Cyber Runway in 2023.

The important role of suppliers in achieving critical national infrastructure cyber compliance
https://techhq.com/2023/09/the-important-role-of-suppliers-in-achieving-critical-national-infrastructure-cyber-compliance/
Mon, 18 Sep 2023 09:15:12 +0000


All across the world, safeguarding critical national infrastructure (CNI) is of paramount importance. Allowing it to be compromised in any way could mean dire consequences for national security, economic stability, and public safety. But, as society becomes more digitized, threats are no longer limited to physical attacks. Cyber attacks, data breaches, and other malicious online activities all pose risks to CNI.

To ensure that the companies that provide CNI are not compromised, there’s an increasing volume of cyber security frameworks being put in place by governments and international organizations for their locality.

In the USA, the Cyber Security Framework (CSF) from the US National Institute of Standards and Technology (NIST) is promoted by sector regulators, while companies operating in the EU must adhere to Member States’ laws implemented under the Network and Information Security Directive (NIS, which is to be strengthened further by NIS2 soon). Since leaving the EU, the UK has been updating its own NIS regulations, and Australian CNI providers must abide by the Security of Critical Infrastructure Act (SOCI).

However, it is not just the CNI providers that must be aware of these regulations. To ensure that all possible entry points for cyberattacks are protected, supply chain companies associated with CNI providers must also take steps to ensure their own cyber security.

Why must third-party suppliers to CNI providers be cyber secure?

“You could have a supplier as a route to compromise; someone hacks in through them to get to their customers’ systems,” said Chris Proctor, Senior Advisor at cyber security specialists NCC Group.

“You can have the supplier taken down which results in disruption to the client. Or it can be that their product, software or hardware, that goes to the client is used as a route to compromise. The regulatory landscape is increasingly focused on supply chain because of the number of threats.”

When advising CNI providers, NCC Group encourages them to consider their supply chain as well as their own systems. They must continuously review each supplier’s level of cyber security, from the moment the third-party organization is selected and onboarded through to after the termination of the contract, when connectivity needs to be separated and data destroyed.

Rick Tahesh, Associate Director at the organization, said: “Supply chain integrates a lot of business functions. Think about your procurement, think about your IT and legal, think about business continuity management.

“That’s why we ensure we have an integrated approach on behalf of our clients. Only then can we gain a good understanding of the risk of that supplier to the client’s business.”

“Often the [suppliers’] systems or products that they provide are quite old, they use legacy technology, and are at higher risk of impact from a cyber event,” added Mick Flitcroft, Global Lead for Government Compliance Services at NCC Group. “Often this technology is not backed up in the traditional IT sense; we don’t necessarily have dual backups and cloud technology.”

But, in recent years, supply chain companies have become increasingly integral to the CNI companies themselves, meaning that any lack of cyber security measures on their part puts the CNI more at risk.

Mick said: “For example, we’re seeing what we call ‘condition monitoring’ by the supply chain, where they have a permanently live view into that client’s key infrastructure, looking for things like vibrations or wear and tear, and they’re trying to predict a breakdown before it happens. So before the [device] fails, the new one is there and being installed to reduce the impact on the availability of critical systems.

“Whilst this proactive approach has operational benefits, this presents a threat vector that [they] may never have had to deal with historically. Instead of coming down the stack – through the corporate enterprise, through that firewall, and into the operational technology (OT) network – we often see the supply chain punching straight through the side and coming in at the control layer or even the industrial control unit layer.”

What do third-party suppliers have to do?

Abiding by the appropriate cyber security frameworks simultaneously acts as a USP (unique selling proposition) for suppliers looking to renew contracts with CNI providers and improves their survivability in the event of a cyberattack.

But making a supply chain organization compliant with CNI cyber security regulations can be challenging, not least since the frameworks are drawn up specifically to be read and interpreted by the CNI companies who are in scope of regulations.

Mick said: “Quite often you look at NIS and it just says ‘you must consider your supply chain’ and then there’s some broad-brush sweeping statements and a couple of technical ones about remote access, so the requirements themselves are often not articulated in detail.”

Therefore, it is, at least in part, the responsibility of the CNI organization to understand what they expect from their third-party suppliers in terms of security and communicate that to them.

“[For the CNI organization], it’s a case of understanding what your critical assets are and knowing if your supply chain supports the resilience you need,” explained Mick.

Rick said: “Then [the suppliers] have got to provide that assurance that they have the processes, frameworks, tools, etc. to secure the supply chain as well.”

NCC Group advisors encourage CNI providers to outline the cyber security requirements they have for third-party suppliers in their contracts, even if they have already been in place for many years and have never needed to be reviewed in the past. Then, the suppliers must update their legacy products and systems to abide by these requirements.

How can NCC Group help?

NCC Group helps suppliers to CNI companies navigate the complexities of becoming compliant with various cyber security frameworks.

Chris said: “Many suppliers are getting all these questionnaires from potentially different types of CNI clients; you can get snowed down in lots of regulatory paperwork. We can help people understand how to be more efficient about getting through it and have the support available to help them if they need it.”

Rick added: “Given the current economic environment, we know budgets are under a lot of pressure. CNI clients, as well as suppliers, need to understand what the critical assets they really need to secure are so we can focus the investment and budget on these areas.”

NCC Group security consultants can help suppliers through a comprehensive risk assessment which will identify their critical assets: those whose breach or denial of service would have a significant negative impact on the CNI organization. The advisors will weigh up the cost of this potential unavailability next to the cost of regulating it.

“It’s having the ability to separate the valuable critical assets from the things that can wait,” Rick said. “We help them gain a good understanding of the security controls and measures around these critical assets, and if there are any gaps or issues.”

In the future, suppliers to CNI companies may be asked to review their own supply chain in a similar way if regulations are extended to cover fourth-party CNI suppliers. For example, both the EU’s Digital Operational Resilience Act (DORA) and the UK’s Financial Services and Markets Act are paving the way for critical third-party suppliers to the financial services sector to be brought under CNI regulation.

If you would like to learn more about what is required of your business to become compliant with local cyber security regulations, contact an NCC Group advisor here.

Cracking the code: How to manage critical infrastructure cyber security regulations
https://techhq.com/2023/06/cyber-security-advisors-compliance-frameworks-nis-nis2-critical-infrastructure/
Fri, 30 Jun 2023 10:42:21 +0000

As societies rely increasingly on digital systems and networks to power essential services, the vulnerability to cyber threats of companies providing ‘critical infrastructure’ has been amplified. The potential disruption a breach could cause is significant, with sectors like energy, transportation, healthcare, and communication falling under this remit.

Governments worldwide recognise this and have therefore prepared (or are preparing) rigorous cyber security frameworks which these operators must abide by in their locality.

But knowing whether your company counts as a provider of national critical infrastructure or an essential service is not straightforward. According to Mick Flitcroft, Global Lead for Government Compliance Services at cyber security specialists NCC Group, the UK NCSC defines it as “national assets essential for functioning society, such as those associated with energy, water, transportation, and similar”, but the definition varies by country.

This means that multinational companies, with their vast supply chains and global operations, face a unique challenge in ensuring compliance with regulations across their operating locations. Indeed, parts of the frameworks themselves are also “open to interpretation”, said Mick, making it more challenging to know whether a company qualifies.

Mick added: “Many companies face difficulties when trying to become compliant because they run devices and systems of vastly different ages, and the historical reliance on ‘airgaps’ between them to reduce risks is now changing as we move to IT/OT convergence, and therefore to new and emerging threats in a connected world. Trains five years ago were never connected; you’ve now got Wi-Fi on them.” This became particularly prevalent post-COVID, when employees almost immediately required remote access to old systems in sectors such as power generation and transmission.

While all this can be overwhelming for your security, legal and risk departments, the most important thing you can do is educate and inform yourself about the frameworks in which you operate.

By understanding the details of each one, you’ll be able to build a compliance roadmap tailored to your business’s specific needs.

What are the main critical infrastructure cyber security frameworks to be aware of?

  1. NIS2 – EU

In December, the European Council’s Network and Information Security (NIS) Directive was updated to ‘NIS2’, and Member States under its remit have until October 17, 2024, to adopt the new regulations. The 73-page document outlines necessary provisions on risk analysis, incident handling, supply chain security, cyber security training, and more. As well as providing new regulations, the European Council has extended the scope of NIS2 so that more sectors must abide by it. Notably, it now covers managed service providers (MSPs) such as IT outsourcing service providers.

  2. NIS – UK

UK businesses must prepare for the country’s own set of updated NIS protocols. These amendments have yet to be published, but it is known that the updated version will set more stringent incident reporting requirements and also apply to MSPs and flexible energy providers. It will also likely include data centre operators. The thresholds for being a regulated entity – e.g. the amount of energy generated by a power plant – will continue to be set by authorities specific to their sector.

  3. NIST Cybersecurity Framework – USA

The Cybersecurity Framework (CSF) from the US National Institute of Standards and Technology (NIST) holds firm. This was last updated in 2018, but companies in the USA should expect changes to come at some point this summer after a concept paper for CSF 2.0 was published in January 2023. The current NIST CSF is targeted at critical national infrastructure organisations, but the new version will likely make it more applicable to small businesses and higher education facilities. There will also be a significant focus on supply chain risk management and more guidance on measurement and assessment.

  4. SOCI – Australia

In Australia, amendments were made to the Security of Critical Infrastructure Act (SOCI) last year, which meant many businesses had to impose new measures as part of their Risk Management Programs. The sectors included under the scope of critical infrastructure were also expanded, and now include electricity, communications, data storage or processing, financial services and markets, water, health care and medical, higher education and research, food and grocery, transport, space tech, and the defence industry.

Does my business have to comply?

Despite the complexities involved, adhering to multiple cyber security regulations is important for businesses operating in different countries. Doing so helps protect sensitive data, mitigates cyber risks, and maintains the trust of customers, partners, and stakeholders. The number of threats large companies face is growing due to increased digitisation.

By implementing robust cyber security practices that meet or exceed the requirements of each jurisdiction, companies establish their commitment to data security and compliance, enhance their reputation and reduce the likelihood of regulatory penalties.

Each framework specifies which industries and geographies should follow it, but trying to comply with all of them at once is ‘almost impossible’, according to Mick. “We would always advocate to start with one framework at a time. What you can do from there is map to all your frameworks, so you don’t try and implement five frameworks all at once.” He added that “90% of the questions [that make up each framework] are the same, using a different order or slightly different names,” and therefore only minor tweaks are necessary to comply with more than one. Get the first one right and then the rest can follow.

Cyber security experts at NCC Group are aware of the commonalities across the frameworks and standards. They regularly work with their multinational clients to manage the regional and sectoral nuances that apply. After checking the appropriate regulations against the company’s current operations, they can recommend a comprehensive plan that will allow it to meet all its compliance requirements.

However, the process must be taken seriously by the company and “driven and championed from the top down,” Mick said: “Without an investment of time, effort and money, you’re just wasting time.” One of the most common things he tells businesses is to communicate the necessity of compliance to all their teams. This especially includes those who “will never talk about IT” and may worry about how changes will impact system availability.

He said: “Go into control rooms and you’ll see a shift password that hasn’t changed in five years and is used by 25 people. Processes are running 24/7, so you can’t just log off and log back in again because the process stops. You’ve got to adapt, and what we can do is ensure there are defensive depth measures, such as control access of the building, to mitigate the risk.”

How can my business remain compliant but spend effectively?

When thinking about how to allocate your company’s budget for becoming compliant with cyber security regulations, there are a few manageable steps you can take.

  1. Implement training and awareness programs for employees, who play a critical role in maintaining security. Providing them with the necessary knowledge is an efficient way of helping prevent costly security incidents and facilitate compliance.
  2. Invest in cyber security automation tools and technologies that streamline compliance processes; these can also help with monitoring IT systems, detecting threats, and reporting incidents.
  3. You do not have to do it alone. Consider partnering with external cyber security advisors who can conduct thorough security assessments and review all systems and networks. As well as being well-versed in all things cyber security for different operating locations, the advisors you choose should understand the challenges unique to different sectors, including energy, transport, and telecoms, and provide expertise tailored to your industry.

If you would like to learn more about how the updated regulations will impact your business, contact an NCC Group advisor here.

clOp hits companies worldwide with massive MOVEit supply chain hack
https://techhq.com/2023/06/clop-hits-companies-worldwide-with-massive-moveit-supply-chain-hack/
Thu, 08 Jun 2023 21:36:32 +0000

• MOVEit is a file sharing app used in the Zellis payroll system.
• A supply chain hack targets one program used by multiple organizations.
• The true scale of this supply chain attack has yet to be determined.

Organizations worldwide have had their data – and their staff’s data – compromised in the largest supply chain hack of 2023, and possibly, the largest such hack ever on record.

A supply chain hack is an attack that, rather than aiming at a single target (usually with ransomware in mind), inserts malware into a commonly used app or piece of software relied on by many different organizations. A similar – but significantly smaller – attack was launched on the London stock market earlier this year.

This time, the attack comes from the Russian-based clOp cybercrime group, and has hit lots of organizations both large and small. Malware was inserted into Progress Software’s MOVEit product, which usually delivers a secure way of moving files around an organization.

In particular, the product was part of the payroll system run by Zellis, a specialist payroll services provider based in the UK.

A large scale supply chain attack.

That’s significant in two ways. Firstly, a lot of high-profile companies, especially within the UK, use Zellis for their payroll processing. Three that have already grabbed headlines are the BBC (the UK’s national broadcaster of record), British Airways, one of the country’s leading airlines, and the Boots pharmacy chain, with 2,200 branches in the UK alone.

Between them, those companies have been notified that the details of 100,000 members of staff have been compromised, and unless an agreement is reached, will be released onto the internet – allowing any hacker, spoofer, phisher or other bad actor to perpetuate the harm of the hack almost indefinitely.

The attack is not limited to those three companies, though. Aer Lingus, an Irish airline, the Government of Nova Scotia in Canada, and the University of Rochester, New York, have subsequently come forward to acknowledge that they too are victims of the clOp attack – and it’s fully expected that others will join them as the days go by.

What has become clear over the few days since news of the attack broke, though, is that the group may have pulled off a hack too large for it to handle.

In a standard ransomware attack, the hackers tend to nominate an initial ransom amount, and then there’s a process of either negotiation or stand-off until something happens to the data – either it’s exposed, or flushed, or returned, and either some amount of money is exchanged or it isn’t.

This is not strictly speaking a ransomware attack though – it’s more akin to demanding money with menaces.

clOp has written a blog to more or less any company that has been using Zellis for its payroll function, announcing that they (the companies) have seven days (until June 14) to contact the hackers to begin negotiation of a sum that will stop the group publishing the details of staff onto their own site.

Conflicting incentives.

The exact nature of the vulnerable data changes from victim to victim – the BBC said it understood that staff ID numbers, dates of birth, home addresses and national insurance numbers of its staff had been compromised, while British Airways warned its staff that some may also have had their bank details stolen.

It’s details like this that make organizations with a concern for the welfare of their staff – lots of whom are already enduring a cost of living crisis and throat-punchingly high inflation – want to negotiate with the cybercriminals to avoid the data becoming the common currency of every hacker with a name or a living to make.

The negotiations between organizations and cybercriminals have the tone of a data-based horror movie.

Naturally though, advice from the likes of the UK Cybersecurity Council is not to pay any ransom if one is demanded or suggested. There’s a strategic logic to that – as with bullies, blackmailers, and terrorists in the non-cyber world, giving them what they want only tends to encourage them to push their luck, regarding their victims as weak or desperate.

But strategic logic is likely to be cold comfort to the hundred thousand confirmed staff whose data is currently compromised, or the hundred thousand more worldwide who could be compromised through the Zellis payroll service.

A potentially expanding supply chain attack.

Almost as soon as the hack was confirmed, the US Cybersecurity and Infrastructure Security Agency issued a warning to all firms that have been using MOVEit, that they should download and install a security patch to avoid further breaches – because naturally, now clOp has a way in through that system, unless it’s patched, the group can continue to use their access to compromise ever more data.

Security scans reveal that thousands of company databases could still be at risk, as the take-up of the patch has been mind-bogglingly low considering the potential danger to available data.

In a rare moment of altruism, though, clOp has announced that government, city, and police services are outside the remit of its interest this time around.

It issued an addendum to its general “contact us to negotiate for your data” message, saying that data from those three types of organization had already been erased, and formed no part of the extortion plan.

This, as much as the inverted way the group has gone about seeking to monetize its mega-strike, has led analysts to believe the attack has become too big and too successful for clOp to handle.

The sheer amount of data collected, and the difficulty in grouping it coherently, looks to be giving the group an ironic issue faced by businesses in the legitimate world – too much data, insufficient data management.

Add to that the fact that there are very likely to be companies who are as yet unaware that they’re affected by the hack and it could become a logistical nightmare – as much for the hackers as for the companies who’ve been hacked.

What happens on the run-up to the communication deadline – and after it – will define how this enormous hack will eventually be remembered. Right now though, companies will be taking as much advice from their cyber-experts as possible about how to play this entirely unusual situation.

UK Minister warns of Russian hackers’ intent to “destroy Britain’s critical infrastructure”
https://techhq.com/2023/04/uk-minister-warns-of-russian-hackers-intent-to-destroy-britains-critical-infrastructure/
Wed, 19 Apr 2023 17:54:41 +0000

CISOs have been warning for some time that cybercriminal gangs – especially those with pro-Russian sympathies – could easily target critical infrastructure in the UK. In fact, in January and February 2023, the Royal Mail – the UK’s default mail carrier – was hit by a ransomware demand that crippled the organization’s ability to send or receive packages in or out of the country. The attackers claimed to be from the LockBit Group – a gang of criminals believed to have Russian backgrounds or sympathies. Certainly, they used some version of the LockBit ransomware framework.

So it should come as no surprise to anyone in power in the UK that pro-Russian groups could be targeting Britain’s potentially vulnerable critical infrastructure. In addition to the pressure of updating legacy systems in a digital transformation process and a recent history of political chaos and economic suicide, the country’s systems may have drawn interest from pro-Russian cybercriminal groups over former Prime Minister Boris Johnson’s swift condemnation of President Putin’s illegal invasion of Ukraine, and actions to freeze Russian assets in the UK.

Johnson was subsequently ousted from power after almost his entire cabinet resigned over questions of his honesty, and is currently facing an investigation over whether he misled the UK parliament during the Covid pandemic.

New announcement, old news.

But today, UK Minister Oliver Dowden told the CyberUK conference in Belfast that Britain’s national critical infrastructure was at risk from “Wagner-like” assailants (Wagner being a reference to Russian mercenaries currently trying to kill people in Ukraine).

Raising perhaps an eyebrow or two from anyone in the infrastructure security industry, to whom this was pre-existing knowledge, Mr Dowden, who is Chancellor of the Duchy of Lancaster, said that he did not “disclose this threat lightly.”

But he added that the government – and, more importantly, the National Cyber Security Centre – believed it was “necessary if we want these companies to understand the current risk they face, and take action to defend themselves and the country.”

Mr Dowden then announced plans to set cyber-resilience targets that critical sectors will be expected to meet within two years. He also said private sector companies working on critical infrastructure would be brought under the scope of resilience regulations.

Justifying the move, he explained that “These are the companies in charge of keeping our country running. Of keeping the lights on. Our shared prosperity depends on them taking their own security seriously.”

Spoiling for a fight.

It’s worth noting that the current UK government has been looking for a fight for some time, potentially to prove it still has verve and purpose against a backdrop of having been in power for 13 years, crashing the economy in one day one Prime Minister ago, overseeing an arguably disastrous Covid response two Prime Ministers ago (the UK had three Prime Ministers in 2022, despite all forming a single contiguous government), presiding over a cost of living crisis and now facing labor strikes in several sectors simultaneously.

Its current Home Secretary is famous for describing her “dream and obsession” as being able to send asylum seekers to Rwanda on planes, and for demonizing those who come to the country “illegally” – despite there being no legal routes for asylum seekers.

As such, it would be fair to say that the UK government will find it, at the very least, useful to have an external enemy at which it can direct its efforts.

But as we mentioned, the idea of pro-Russian cybercriminals attacking British critical infrastructure is not especially new, despite the announcement – which means it is especially plausible.

The investment shopping list.

Lindy Cameron, the CEO of the NCSC, also speaking at the Dublin conference, echoed Mr Dowden’s warnings, giving them additional weight.

“If the UK is to be the safest place to live and work online, then resilience must urgently move to the top of our investment shopping list,” she said.

In fact, the NCSC went as far as to issue an official threat alert to critical businesses, warning that pro-Russian cyber-gangs were likely to be “less predictable” than fully state-sponsored groups, as they are not subject to formal controls and levels of power.

“Some have stated a desire to achieve a more disruptive and destructive impact against western critical national infrastructure, including in the UK,” the NCSC said.

“We expect these groups to look for opportunities to create such an impact, particularly if systems are poorly protected.”

A recent Tech HQ interview with Mike McLellan, Director of Intelligence at the Secureworks Counter Threat Unit, seemed to confirm this assessment, in that older and more mature groups of cybercriminals are aiming to fly significantly below the radar of international response, while younger, newer players with a name to make may well go “off script” and launch attacks where they can.

Previous interviews with Deryck Mitchelson, Field CISO at Check Point, also particularly highlighted the threats to UK critical infrastructure, most notably the country’s national socialized medicine service, the NHS, which is currently undergoing significant digital transformation but also suffers from legacy equipment, radical understaffing and potentially significant staff demotivation: nurses, paramedics and junior doctors within the system are currently staging strikes over pay and conditions as a result of prolonged underfunding of the service.

“Show me the money!”

Mr Dowden’s announcement appears to entail more regulation on cybersecurity in critical national infrastructure companies and organizations, but did not appear to come with any mention of governmental financial support to insure those critical infrastructure elements against any imminent threat and “keep the lights on.”

The contradictory fall in ransomware in 2022
https://techhq.com/2023/04/the-contradictory-fall-in-ransomware-in-2022/
Tue, 18 Apr 2023 16:47:02 +0000

In Part 1 of this article, we spoke to Mike McLellan, Director of Intelligence at the Secureworks Counter Threat Unit about a seeming rise in reports of business email compromise being used against business in 2022 – as revealed by the Unit’s annual report on the cyber-threat landscape. In Part 2, we took a look at the rising tide of attacks based on multifactor authentication fatigue. But the leading – not to mention the best known and probably best understood – cyberthreat remains ransomware. While we had Mike in the chair, it seemed almost indecent not to ask him about it.

Especially as figures in the report showed ransomware down by a staggering 57% in 2022. Our first question, then, was probably inevitable.

THQ:

What gives with the plummeting number of ransomware attacks in 2022?

MMcL:

Ransomware grabs a lot of attention, because you have attacks like the Royal Mail, the US Marshals Service, just to name a couple from the last few months. They are very high-profile organizations that are impacted by this, with a clear impact on people.

Typically, the general public only care about these things when they actually have some impact on their lives, and some of these ransomware attacks do, because they hit critical infrastructure or critical services.

The Ukraine factor.

So yes, it’s interesting that we’ve seen a reduction in the number of incidents this year. And I don’t think we’re alone in seeing that – it’s not a blip in our data. Some other vendors have reported similar trends, though whether it continues to be a trend throughout 2023 remains to be seen…

THQ:

You’re about to tell us something mind-blowing with a tinge of horror, aren’t you?

MMcL:

What makes you say that?

THQ:

We’ve interviewed you before. We know that pause.

MMcL:

Well… it’s possible the war in Ukraine had a significant cooling effect on ransomware last year. We saw a two- or three-month period where there was a huge disruption to the ecosystem, because you had groups who had operators in Ukraine, or they had split political loyalties, and that impacted on the volunteer activity.

So whether we will see that decline continue, I’m not sure. I think we will start to see it pick up again, because I think it remains a very lucrative form of revenue for cybercriminals.

But, you know, reasons why we could see a reduction would include organizations getting better at defending against it, which we always like to say is a thing.

Law enforcement disruption getting better, having more impact on the groups is a thing. Groups deciding it’s not economical because of the price of cryptocurrency or the challenges of conducting attacks. That’s a potential thing, too.

Finally, and possibly the most likely explanation, is that we’re just seeing an underreporting of it to the likes of ourselves, to law enforcement, and to other places. One theory that we’ve got is that following Colonial Pipeline and some of those very big attacks, the more sophisticated ransomware gangs decided that actually, if they could keep their heads under the radar a bit more and conduct more attacks against smaller organizations, they could still generate enough money, but without bringing the headlines, and so without bringing the law enforcement interest.

The quiet life.

THQ:

Cybercriminals opting for a quiet life?

MMcL:

It’s possible, yes. There are plenty in the criminal organizations who are absolutely only in it for the money. If you can make a good living without bringing the FBI or Interpol down on your own head, why not do that?

So it’s very hard for us to say, because we only work with organizations who pay us to come and do incident response for them. But there is potentially a much larger number of very small organizations who aren’t mature enough, don’t have those relationships to report these things, don’t know how to report it to law enforcement, and we’re just not seeing it. So I think our data on this tells potentially only part of the story.

There are reasons why that might be, but it’ll be interesting to see over the next 12 months whether insurance firms and other organizations report similar trends or not based on their data and their view of that threat.

I do think we’ll see the numbers start to creep back up, sadly. But we definitely saw a reduction last year driven probably by the war in Ukraine, and by some of the heat that came from some of the very high-profile attacks, forcing a rethink of the operation.

A busy year?

THQ:

This is inevitably going to sound crass, but is it possible that, with the illegal Russian invasion of Ukraine, lots of cybercriminals had… more pressing things to focus on?

MMcL:

I think they undoubtedly will have, yes. Ukrainian police arrest people for their involvement in ransomware gangs, and while those may not be the core operators, (the really sophisticated criminals probably live in places where they’re never going to be arrested), it will have an impact on your operation if there’s suddenly a war which encompasses places where you or some of your colleagues live.

So yeah, undoubtedly, that caused a significant distraction, and possibly some kind of physical disruption if people had to relocate.

Obviously, we hope that situation improves over the next 12 months. But it certainly looks like most of the criminal gangs that were disrupted have managed to reconfigure themselves to carry on as they were before. So we will be keeping a very close eye on that, just seeing if the fall in ransomware numbers becomes a long term trend, or if it was just a bit of a blip last year.

An offer they can’t refuse.

THQ:

As we understand it, some of the pro-Russian groups have died out or been agglomerated into the bigger groups too, right?

MMcL:

Yes, some of the big ransomware-as-a-service schemes have. There’s been a sort of stratification of the landscape where you’ve got two or three ransomware schemes, which are now very large, with lots of affiliates, lots of people kind of participating in them.

I think that’s making it harder for other schemes to establish themselves and break into that market; you’ve got a bit of a monopoly going on there with a very small number of schemes now running lots of affiliates, potentially.

And again, when we see some of the high-profile attacks, the likes of the US Marshals Service, it’s possible that was some affiliate who just hasn’t really appreciated the potential impact of that attack on the scheme.

We think the criminals who have been doing this for a long time have come to the realization that you don’t really want to try and take down the Irish Health Service, or the Royal Mail or whatever, because the potential blowback on you from law enforcement could be significant, could cost you a lot in terms of having to adapt and retool and all that sort of thing.

So we’re seeing a small number of schemes with lots of affiliates. And I’d be interested to see if we see some kind of unintended behaviour from some of those affiliates who are less easy to control, maybe because they’re less experienced.

THQ:

Apologies if this is cliché, but it sounds like there’s a mafia-style structure developing in those schemes. The cyber-mafia?

MMcL:

It’s interesting, because if you go back 15-20 years, some of the people in charge now are the same people who started out back then. And it’s always important to know that there are people behind these attacks. The central people have probably been around for a long time, but you end up with a much broader pyramid of other people who get involved.

Potentially, the people who’ve been in the business for less time are just making a sort of salary rather than generating the big payouts, but they are nevertheless getting paid well to do the job they’re doing. So you do have this kind of organizational structure.

And if you look at something like the Conti leaks from last year, which exposed some of this, it’s fascinating to see them talking about things like HR disputes, and salaries and all that kind of thing, and having to deal with the kind of things that most managers have to deal with in legitimate organizations.

THQ:

It’s curious to think that some of the players responsible for the bigger, flashier, more headline-grabbing ransomware attacks may actually be the people with less experience, who have yet to buy into the quiet life philosophy of advanced cybercrime. You can’t help wondering if that might be a useful thing for companies to consider in their future negotiations with these players.

 

In the final part of this article, having dipped into the conflict in Ukraine, Mike turns his attention to other national-level state actors that have been especially busy delivering cyberattacks in 2022. Will the leading threat surprise you at all…?

 

 

Digital twins and the electrical grid (https://techhq.com/2023/01/digital-twins-and-the-electrical-grid/, Fri, 27 Jan 2023 16:55:52 +0000)

The post Digital twins and the electrical grid appeared first on TechHQ.

With winter brownouts and blackouts an increasing threat to business continuity, it’s comforting to understand that the electrical grid, locally, nationally and around the world, is undergoing a process of significant digital transformation, and that with luck and scheduling, energy delivery in the relatively near future will be a lot more even and consistent than anything we’ve ever known. Part of that digital transformation is down to the increasing use of digital twins, so we sat down with Joe Travis, Vice President of Energy Industry Solutions at Bentley Systems (a leading provider of digital twin technology), to find out whether the future is as bright – and consistent – as promised.

THQ:

Clearly, there are a lot of challenges in the whole electrical grid area. What are the most challenging things, and the most interesting things that technology like digital twins can tackle?

Two sides to every story.

JT:

We’re focused on two major sides of the electrical grid. First and foremost, it’s around the rules, the resilience and reliability of the grid. We want to make sure that the grid stays up, and that there are as few outages as possible, for any reason.

So one of the primary things we have our digital twin software do is to make sure that the grid has been designed with strength and reliability in mind.

And that goes everywhere from the generation side all the way to the meter on the house, and everything in between.

When we design the electrical grid, we’re focused on the structural integrity of the grid. So the transmission towers that we have are highly focused on structural capabilities. When we design our substations, same thing, substations need to be designed with strength in mind.

We also have to consider pole loading for wooden poles, to make sure that the cross arms and the lights and all the transformers and everything are all strong enough, that the load on the pole is not going to make them fall over. These are all weird things that you don’t think about until you actually have to think about them.

With the increasing frequency of storms, and the increase in both the volume and the velocity of some of those storms, it’s really important for us to think about both the structural integrity and the resilience and reliability of the grid. That’s a big part of why we design our grids the way we do.

But in terms of digital twins, it’s not just those design decisions we can model. It’s mapping all of those assets on the grid, so that if you do encounter a major hurricane or tornado, you’re able to look back on your mapping system, and you know exactly what was out there. So that when you go to fix it, the first time you go, you have all the right equipment on the truck, you’re ready to go and get the power back on as quickly as possible. That’s really a primary function of the grid, and the software that we have for the grid.

The other half of the equation.

THQ:

So digital twins help in the design process in terms of resilience and reliability, and in repairs by ensuring a first-time solution with all the right equipment. What’s the second side you mentioned?

JT:

The second side is really trying to understand where that power is coming from, from the generation side of it. As we transition to the world of alternatives and renewables, that’s something that we’re definitely keeping an eye on, investing in making sure we understand how to feed in renewables from hydro, from solar, from geothermal, all those ways you can generate power, so that we end up with a strong grid that’s able to take power from all those sources.

That’s the two-pronged effort we’re making to ensure that the grid stays resilient today, and evolves to be resilient for tomorrow’s needs too. As we generate more energy from a variety of sources, we need to make sure we’re able to keep the grid growing and reliable for consumers.

THQ:

We were going to ask about the change in the nature of the job of keeping the lights on with the growing climate issues that we have.

Is it the same sort of challenge now as it used to be?

JT:

I think the challenge itself remains the same – as you say, keep the lights on as long and as consistently as possible. But the approach to the job has changed significantly as technology has advanced. We’ve seen things go from paper maps and drawing on old aerial photos, to digitizing those maps and photos, to the world of GPS and mapping with a different level of accuracy.

Of course, now with reality modeling, that’s one major adoption that we’ve seen grow over the last few years, and we’re going to see used a tremendous amount in the next few years. As we move forward, the ability to step back and look at the way utilities have grown organically over the last 50-60 years in many cases is amazing. And what we’re finding is that in many areas, they don’t know what they have. There’s often a kind of a false sense of security of exactly what’s on that document or in that mapping system and what’s really in the field.

So now to be able to take out an inexpensive drone with very simple training, to use our software and map that substation or transmission tower very quickly, and understand what you already have out there and what you can build upon, it’s a major difference that we’re seeing.

The evolving reality of power.

THQ:

Are power grid operators open to this new evolution of technology?

JT:

Sure, some are. Some utilities are hiring their own flight crews and buying their own drones. They’re becoming certified and they’re able to map their own systems. Others are invested in subcontractors in that ecosystem to go out there and do the reality-mapping for them.

That’s a tremendous benefit to the grid overall, to be able to understand very quickly what you have existing in terms of the operations and maintenance of it as you move forward.

THQ:

How much of the overall grid is in your view?

JT:

We cover everything from the generation side, including the dams for hydro and renewables with the wind. As that power flows, the transmission side of things goes through the towers that we’re designing with PLS-CADD, and our substations that step down that power to a level at which you can distribute it. And then of course, we are highly focused on the substation, but also on the distribution network that takes it to the meter on the house.

So we cover everything involved.

In fact, even if you go a level before the windmills, you have to do subsurface mapping, and especially subsea mapping, you have to understand what the soil is like before we ever even build that windmill. So we also touch that part, because we want to make sure that if you’re going to put that wind farm up, it’s not going to fall over! That you’re building it with the right resilience and structural integrity.

 

In Part 2 of this article, we’ll look at what ideal resilience looks like in the electricity grid, and how digital twins can not only help deliver it, but maintain it for the foreseeable future in a much more rational way than has been possible in the pre-twin era.

The post Digital twins and the electrical grid appeared first on TechHQ.

]]>
Lessons from the Royal Mail Ransomware Attack (https://techhq.com/2023/01/lessons-from-the-royal-mail-ransomware-attack/, Mon, 16 Jan 2023 16:48:36 +0000)

The post Lessons from the Royal Mail Ransomware Attack appeared first on TechHQ.

Just weeks ago, we spoke to Deryck Mitchelson, Field CISO at Check Point Software, about the weaknesses of critical infrastructure systems to cyberattack, especially ransomware. In the wake of the UK’s Royal Mail attack, which continues to paralyze Great Britain’s ability to send letters and packages anywhere abroad, we got back in the room with Deryck to discuss the lessons that can be learned from major critical infrastructure ransomware attacks.

Once more, with feeling.

THQ:

Well… here we are again.

DM:

Yes. The thing is, something like this was not unexpected. We’ve all had various conversations around critical national infrastructure, particularly around popular public sector organizations. I know Royal Mail’s not public sector as such, but it’s thought of as critical infrastructure, and it has all the hallmarks of being public sector left over from the time when it was. In other words, it’s not fully matured and digitally prepared for the 21st century, so we shouldn’t really be surprised when it gets attacked.

It had an issue in November too, which was more about information access, letting customers using its Click and Drop service see some other customer information. But when you see that, and then you start to see things like this attack, for me, you start to see a trend, which is an organization that probably isn’t as mature as you’d expect, and doesn’t have the controls in place that you hope it does.

THQ:

We were going to say – the November incident felt like an initial probing, and now the overseas mail capacity is paralyzed. It has that sense of people pushing to see how far they can get, no?

DM:

Yes, and that’s often how these things work – the creeping infiltration. I’m a huge evangelist for the idea that whenever there’s an issue, you need to speak about it, you need to make it visible, so that others can learn.

That’s a huge thing around citizens that are impacted as well – they want to know as soon as possible when there’s been an issue, you know, rather than getting told three months later, with a small apology saying “it’s had very little impact.”

THQ:

Paging Guardian Media Group…

That’s me in the spotlight.

DM:

But there’s the other side to it, too – a company comes under the spotlight when it’s had a breach of some sort. Does that mean that threat actor groups then have a better look to see whether the company’s systems can be compromised? They’ve done that before, absolutely.

The reconnaissance for attacks like this starts months before they actually get deployed. So there’s no doubt that if they see some weakness, cybercriminals will then start to have a much deeper look to see whether they could potentially compromise that organization.

THQ:

And it works like a hole in the dam – the more interest that people show, the bigger the hole gets for next time…

DM:

Indeed – but it does put the right level of spotlight on the executive team. I’ve been saying this for years – cyberattacks can bring down organizations. They can stop organizations from functioning. And that vulnerability or brittleness starts from the chief executive down.

So I think being transparent and visible around issues means that there’s a focus both ways. There’s got to be a focus internally, down through the organization to say this is a top priority, we need to invest, we need to get this done and fix these things.

There’s also then more scrutiny from external stakeholders, too, from the customers that are using the services, and from investors. People say “What are you doing about this? We’re relying on this investment, and in order for us to be successful, please tell us this investment is secure.” That’s why it needs to be done. It’s just a shame that it’s happened again within three months at Royal Mail.

Transparency is key.

THQ:

Again, the Guardian case comes to mind. The group had a “potential” attack in December, and only in mid-January did it finally come out with a statement saying “Yes, that was a cyberattack. Yes, it was ransomware. And yes, our UK staff’s data were compromised – but not our subscribers’ or readers’ data.” Presumably that’s been an anxious month for Guardian stakeholders, internal and external.

DM:

I published an article in December calling for organizations to actually be forced to put something up on their websites to be transparent around the number of breaches they’ve had, what they were and what the impact was. You know, in many ways, you look at things that you get from Trustpilot and you look at other third party websites. Google does that as well.

I do think we need a lot more visibility and transparency on organizations. I think as consumers, we need to have more choice to say whether we want to transact with an organization. Is this an organization we think is secure enough for us? Do we want to give them our personal information? Our financial information? Do we want to give them our confidential information? And I think we’re near that tipping point of consumers starting to say, “We understand you can’t be 100% protected from ransomware. But are you doing enough?”

Building blocks.

That’s the question I asked – Could you do more? And for me as a consumer, if you could do more, then I’m really keen to see what’s stopping you from doing more.

It’s not because the technology is not there to block most ransomware.

THQ:

Speaking as a representative of a firm that makes that technology…

DM:

Absolutely, we make a platform that blocks most ransomware. Other companies are available… But it’s a question worth asking – are these major critical infrastructures just investing in things that are not quite as good? Or do they not have the money to invest in the technology at all? Do they have people issues? I’m just keen to see what their remediation and improvement strategy is. What has the chief executive signed off?

Is the chief executive aware of these issues, but not releasing the investment funding to fix the issues? Is there an unfortunate culture in the organization? If I’m doing business with you, I want to know these things about your business – or your organization – so that it feels as safe as it can be.

THQ:

Royal Mail is an odd case, because it used to be fully public sector, but now is private sector delivering what is still thought of as public infrastructure. So it’s a complex business infrastructure in its own right. Do we think that having been hit by this Lockbit ransomware attack, it will learn its lessons, or will it go back to business as usual, focusing more on profitability than cybersecurity?

Learning lessons?

DM:

I’m in two minds as to whether organizations really do fully learn from being hit by ransomware. I think some organizations do. But you do regularly see organizations that get breached again and again.

For me, it’s about how organizations show they’re really taking on board what’s happened to them. The Royal Mail will have a myriad of systems, some legacy, some new. They’ve obviously got some DevOps and a lot of segmentation in place as well, because this breach has not impacted all their transactions, only the section dealing with mail that’s going abroad. But there’ll be a lot of legacy systems in there as well, there’ll be a lot of different systems that all try and interact and speak to each other, it will be very complex, but it will not all be new and shiny, so it’s probably at a different level of risk. It’s certainly much more difficult to manage in that state. It takes a lot of effort and a lot of conversations internally around the levels of risk, the levels of vulnerability that you need to focus on.

THQ:

So, initial lessons from the Royal Mail ransomware attack would be what?

  • Report even minor intrusions, as they could be the start of reconnaissance for something much bigger.
  • Come clean with the public and visibly post your breaches, so you’re not seen to be hiding important information.
  • Invest in the best possible anti-ransomware tech you can afford.
  • In multi-system infrastructures, work on upgrading vulnerable systems.
  • And presumably train staff thoroughly in avoiding things like phishing and business email compromise.

DM:

Good start. But there’s more.

 

In Part 2 of this article, we’ll find out what else the Royal Mail ransomware attack can teach us about infrastructure security – and why organizations should learn their lessons the first time around.

 

Guardian attacked by ransomware – definitely (https://techhq.com/2023/01/guardian-attacked-by-ransomware-definitely/, Fri, 13 Jan 2023 18:23:57 +0000)

The post Guardian attacked by ransomware – definitely appeared first on TechHQ.

On December 20th, 2022, the UK’s Guardian newspaper reported that it had been hit by a ransomware attack – probably. Despite announcing that much, the newspaper group then went quiet on whether the incident – which hit a behind-the-scenes system, and at the time was regarded as affecting neither the newspaper’s production nor the integrity of the Guardian website – was a ransomware attack or not.

Ransomware confirmed.

Now, some three weeks later, The Guardian has confirmed both that the incident was a ransomware attack, and that the personal data of UK staff members were compromised.

Three weeks after the initial attack in which their data was harvested, Guardian staff were told of the details by an email from Guardian Media Group chief executive Anna Bateson, and the newspaper’s editor-in-chief, Katharine Viner.

It’s understood that neither the personal data of Guardian staff in other countries like the US and Australia, nor the data of readers or subscribers were compromised in the attack. That is at least something the Guardian Media Group will be thankful for, as The Guardian is the eighth most read newspaper in the UK (as of 2021), and the ninth most read news website in the world, so the potential for a reader-based data breach could well have been catastrophic for its fortunes.

As no evidence has yet emerged of The Guardian’s UK staff data being exposed online in hacker forums, the email they received said the risk of fraud was considered to be low – rather than, for instance, “delayed.”

Nevertheless, most UK Guardian staff have been working from home since the attack on December 20th, to avoid the potential worsening of the situation by allowing further unauthorized access to the paper’s systems.

The nature of the attack has been revealed as “a highly sophisticated cyberattack involving unauthorized third-party access to parts of our network,” which is thought most likely to have occurred as a result of phishing – the practice of tricking a recipient into clicking a link in an email, which typically triggers the download of malware onto the system.

“We believe this was a criminal ransomware attack, and not the specific targeting of The Guardian as a media organization,” Bateson and Viner added in their email. “These attacks have become more frequent and sophisticated in the past three years, against organizations of all sizes and kinds, in all countries.”

They’re right as far as they go – ransomware for profit was always the more likely explanation for the attack, compared to, for instance, politically-motivated sabotage of what is seen as a largely liberal mouthpiece. A government report in 2022 revealed that two in five UK businesses had reported cybersecurity breaches or attacks in the previous 12 months – so arguably, the attack on The Guardian was nothing special.

The increasing reality.

Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, explained:

“Any organization can be targeted for cyberattacks like this. The Guardian and other companies need to realize the importance of educating employees – and executives – about the dangers of these attacks, as well as how to recognize, avoid, and report such phishing schemes. In addition, organizations need to make sure they have recent offline backups, allowing them to quickly restore their systems in case of attacks. They also need to ensure that their systems are updated to plug security holes that allow bad actors to perform these attacks successfully.”

Another Consumer Privacy Advocate, Paul Bischoff from Comparitech, highlighted the potentially too blasé approach of The Guardian’s editors in regarding the risk to their employees to be “low” based on the fact that the data hasn’t been exposed online after three weeks.

The opportunity for exploitation.

“The theft of Guardian UK employees’ names, addresses, SIN numbers, government identity documents, and salary details puts those employees at risk of further attacks in the future. That information could be used for identity theft, tax fraud, and other scams. It could also allow bad actors to target and retaliate against Guardian staff who publish something they don’t agree with. Thus far, the stolen data has not surfaced publicly, and hopefully it never does.”

But with each large-scale attack that makes headlines, the cybercriminal community gains boldness and information on how to attack major organizations and systems.

The first major attack of 2023 has been revealed to be the Royal Mail “cyberincident,” which is now being widely described as a cyberattack, using Lockbit 3.0 ransomware – an increasingly popular choice of ransomware among Russian cybercriminal gangs.

Deryck Mitchelson, Field CISO at Check Point Software, who predicted an attack against some element of UK critical national infrastructure when talking to Tech HQ just weeks ago, explained that the country will undoubtedly see further major ransomware attacks throughout the course of 2023. “The thing about ransomware attacks is that they do reconnaissance work before they deploy their encryption packet,” he said. “The next big ransomware attack is probably already taking place as we speak – it just hasn’t been activated yet.”
