Industry experts have responded to comments made about cybersecurity risks posed to the UK’s critical infrastructure.
Speaking with the BBC Today programme, and reported by the Daily Telegraph, General Sir Christopher Deverell, Commander of the UK’s Joint Forces Command, warned that traffic control systems were at risk of cyberattack, with road systems one of several potential points that could be targeted.
Responding to the comments, Andrea Carcano, Nozomi Networks’ Chief Product Officer, said Sir Christopher’s observations voiced concerns that the security community had been raising for a number of years.
“The everyday reality is that the UK’s infrastructure and those in every developed country around the world is being continually poked and probed not just by nation states but equally by criminals, hactivists and even curious hobbyists. A major incident is not just inevitable but potentially imminent,” he said.
“We’ve seen the damage that can be done from hacks in the Ukraine where attackers were able to compromise systems and turn the lights out. With each incursion, both successful but also those that are thwarted, the attackers will learn what has worked, what hasn’t and what can be improved for the next try.
“The challenge for those charged with protecting our critical infrastructure is visibility as you can’t protect what you don’t know exists.
“A total of 80% of the industrial facilities we [Nozomi] visit do not have up-to-date lists of assets or network diagrams.
“Ironically, this doesn’t pose a problem to criminals who are using readily available open source tools to query their targets and build a picture of what makes up their network environment and is potentially vulnerable – be it a power plant, factory assembly line or our transport infrastructure as Sir Deverell suggests.
“Our [Nozomi] researchers recently embarked on a project to create a security testing and fuzzing tool, using open-source software (OSS), capable of automatically finding vulnerabilities in proprietary protocols used by ICS devices.
“Using just this tool, and in a limited time period, they identified eight zero-day vulnerabilities that, if exploited could be used to shut-down the controllers (i.e. DoS attack) to being unable to manage the devices through their software and potentially the corruption of normal processes which could be extremely serious or even fatal.
“As the cybersecurity risk to critical infrastructure and manufacturing organisations increases, it is important for enterprises to actively monitor and secure operational technology (OT) networks. An important aspect of this is having complete visibility to OT networks and assets and their cybersecurity and process risks.”
Also offering his reaction, Sean Newman – Director at Corero Network Security, said there were many good reasons for connecting operational and information networks, including efficiency and effectiveness.
However, this opens up operational controls to potential attacks from across the internet, where previously they were completely isolated and only accessible from the inside.
“There is nothing particularly new in the recent claims from the Joint Forces Command, as the potential for such attacks has been growing for several years now, as more and more systems become ‘connected’,” he said.
“The question now, is more around who is bold enough, rather than capable of, carrying out such attacks, and risking the likely repercussions. It’s reasonable to assume it’s more a matter of time than if, so the operators of such systems need to be fully cognisant of the potential risks and deploy all reasonable protection to minimise it.
“This includes preventing remote access to such systems, as well as real-time defences against DDoS attacks which could disrupt their operation or prevent legitimate access for operation and control purposes.”
Meanwhile, Michael Fabian, Principal Consultant at Synopsys, said an increase in connectivity comes with an increase in risk.
“Any time new pathways to these systems are added, they must be properly secured based on their individual characteristics following a risk-based approach,” he said.
“With the increase in risk, the opportunity for directed cyberattacks also increases. Potential attackers range from hobbyists to nation-states, disrupting infrastructure. Now, the actual risk versus the perceived risk is complete speculation and is about as difficult to predict as the next location lightning will strike. That said, the precedent for infrastructure disruption as a powerful means of attack has already been set globally.
“What we can take away as a positive is that officials are aware of the potential risks, and we can hope they are actively pursuing remediation programs to improve the security of their operations, keeping the UK’s core infrastructure safe.”