Fortunately for most UK citizens, we live in a fairly peaceful country. Things typically tick along without too much fuss. Yes, we have problems: a cost of living crisis, a failing health system and a woefully inadequate railway infrastructure, to name but a few. That said, when you compare life here to places such as Ukraine or Gaza, things are pretty damn good.

But, what if it weren’t?

What if the telecoms system we all rely on for daily life were to disappear?

What if the medical care we are so grateful for were to be unavailable?

What if the power went off for an unknown period of time?

What if the banks were unable to process our wages, and our bills?

What if it all came crashing down?

These are the horror stories that keep people like me awake at night. These are the scenarios played out in tabletop exercises and simulations by countless players in the field of security. These are the facts of modern life that countless civil servants, industry experts and academics have to tackle every day to keep our country functioning.

In the United Kingdom, we consider the vital services required to keep the country running as CNI – Critical National Infrastructure, and there are 13 defined sectors in that space:

  • Chemicals 
  • Civil Nuclear
  • Communications
  • Defence
  • Emergency Services
  • Energy
  • Finance
  • Food
  • Government
  • Health
  • Space
  • Transport
  • Water

Within those sectors, there are some sub-sectors which play an equally vital role. For example, within the Emergency Services we have the police, the ambulance service, the fire service and the coast guard.

Each sector has one or more lead government departments which are responsible for that sector: to govern it, but also to ensure that protective security is in place for the critical assets within it.

Within a sector, not everything would be classed as critical. The UK definition of Critical National Infrastructure is:

“Those critical elements of infrastructure (namely assets, facilities, systems, networks or processes and the essential workers that operate and facilitate them), the loss or compromise of which could result in:

  1. Major detrimental impact on the availability, integrity or delivery of essential services – including those services whose integrity, if compromised, could result in significant loss of life or casualties – taking into account significant economic or social impacts; and/or
  2. Significant impact on national security, national defence, or the functioning of the state.”

Protection of CNI in the cyber context is the responsibility of the National Cyber Security Centre (NCSC), which is part of the Government Communications Headquarters (GCHQ).

Responsibility for the physical and personnel protective security of national infrastructure falls to the National Protective Security Authority (NPSA), which is part of the Security Service (MI5).

How resilient is UK CNI to a cyber attack?

This is a question posed by the Science, Innovation and Technology Committee back in October, and it is one that needs a good, well-investigated answer.

Since the start of the Russian invasion of Ukraine, the UK has become the world's third most targeted country, after Ukraine and the United States. This fact alone means the question posed above carries a fair bit of urgency.

Two recent publications by the UK government (the National Cyber Strategy 2022 and the Government Cyber Security Strategy 2022-2030) highlight possible attacks on UK CNI as areas of particular concern.

“We require government departments, the wider public sector and regulated operators of critical national infrastructure (CNI), to raise their standards and manage their risk more proactively. We expect large businesses and organisations, including providers of digital services and platforms to be more accountable for protecting their systems, services and customers as a core part of running their business. In return, government will do more to secure the digital environment and tackle systemic risks and provide support through advice, tools, accreditation in the marketplace, and developing the skills that enable improvement.”

National Cyber Strategy 2022

“Government’s critical functions to be significantly hardened to cyber attack by 2025, with all government organisations across the whole public sector being resilient to known vulnerabilities and attack methods no later than 2030.”

Government Cyber Security Strategy 2022-2030

NCSC Incident Response Matrix

When managing a cyber incident in the UK, the NCSC refers to a matrix of criticality.

This matrix defines 6 levels of severity, and the resulting UK responses.

WannaCry

To date, the UK has never experienced a Category 1 incident. The most severe incident suffered by the UK was the WannaCry event in 2017, which was categorised as a C2 incident.

The National Audit Office report into the lead-up to the WannaCry incident and the subsequent effects of the attack highlights a requirement for better preparedness and responses.

  • The Department was warned about the risks of cyber attacks on the NHS a year before WannaCry and although it had work underway it did not formally respond with a written report until July 2017. The Department and Cabinet Office wrote to trusts in 2014, saying it was essential they had “robust plans” to migrate away from old software, such as Windows XP by April 2015. In March and April 2017, NHS Digital had issued critical alerts warning organisations to patch their systems to prevent WannaCry. However, before 12 May 2017, the Department had no formal mechanism for assessing whether local NHS organisations had complied with their advice and guidance and whether they were prepared for a cyber attack.
  • The attack led to disruption in at least 34% of trusts in England although the Department and NHS England do not know the full extent of the disruption. On 12 May, NHS England initially identified 45 NHS organisations including 37 trusts that had been infected by the WannaCry ransomware. In total at least 81 out of 236 trusts across England were affected. A further 603 primary care and other NHS organisations were infected by WannaCry, including 595 GP practices. However, the Department does not know how many NHS organisations could not access records or receive information, because they shared data or systems with an infected trust.
  • Thousands of appointments and operations were cancelled and in five areas patients had to travel further to accident and emergency departments. NHS England identified 6,912 appointments had been cancelled, and estimated over 19,000 appointments would have been cancelled in total. Neither the Department nor NHS England know how many GP appointments were cancelled, or how many ambulances and patients were diverted from the five accident and emergency departments that were unable to treat some patients.
  • The Department, NHS England and the National Crime Agency told us that no NHS organisation paid the ransom, but the Department does not know how much the disruption to services cost the NHS. Costs included cancelled appointments; additional IT support provided by NHS local bodies, or IT consultants; or the cost of restoring data and systems affected by the attack.
  • The cyber attack could have caused more disruption if it had not been stopped by a cyber researcher activating a ‘kill switch’ so that WannaCry stopped locking devices. Between 15 May and mid-September NHS Digital and NHS England identified a further 92 organisations, including 21 trusts, as contacting the WannaCry domain, though some of these may have been contacting the domain as part of their cyber security activity. Of the 37 trusts infected and locked out of devices, 32 were located in the North NHS Region and the Midlands & East NHS region. NHS England believe more organisations were infected in these regions because they were hit early on 12 May before the WannaCry ‘kill switch’ was activated.

Fragile society

When you consider more recent events such as COVID and the incident in the Suez Canal when the Ever Given container ship got stuck, and the impact both events had on global supply chains, we realise how fragile modern society can be: the queues to get essential supplies of food, the empty shelves, the rise in prices. The knock-on effects were felt for months, with rationing of essential supplies and people panic buying toilet rolls, eggs, flour and fuel. It causes chaos in society very quickly.

If a sustained cyber attack took out the UK’s power supply or telecommunications infrastructure, the effects would be felt by entire swathes of the country, causing widespread troubles.

We can all help keep our systems safe

We all have a part to play in keeping the systems we use safe and secure – good cyber hygiene will help ensure cyber criminals don’t have easy access to the systems we use and the data within them. Reporting suspicious activity to IT departments, or the police helps ensure nefarious activity is quickly identified and stopped.

By being cautious with email messages asking for information, or those containing links or attachments, by following the guidance for password policies, by being suspicious of “too good to be true” offers, by keeping the systems we use up to date and patched, by not using accounts with high privilege levels, and by having a backup policy for critical data, we can all help to keep the systems we use safe and secure against attackers.