Cyber threat to critical infrastructure

More than a third of national critical infrastructure organisations in the UK, including the emergency services, have not completed basic cyber security standards issued by the Government. According to the data revealed under a Freedom of Information (FoI) request by Corero Network Security, specialists in real-time DDoS (distributed denial of service) defence solutions, the fact that so many infrastructure organisations have not completed the ‘10 Steps to Cyber Security programme’ “indicates a lack of cyber resilience within organisations which are critical to the functioning of UK society”. It also suggests that some of these organisations could be liable for fines of up to £17 million – or four per cent of global turnover – if lax cyber security standards result in loss of service under the Government’s proposals to implement the EU’s Network and Information Systems (NIS) directive from May 2018. Corero also warned that critical infrastructure organisations could be ignoring 90 per cent of the DDoS attacks on their networks by not mitigating short duration DDoS attacks, which are frequently used by hackers to distract from data theft attempts May 12 saw the NHS undergo a crippling cyber attack. Hackers targeted the backbone of the NHS, tapping into computers, telephone lines, MRI scanners, blood-storage refrigerators and theatre equipment. Surgeons were forced to use their mobile phones for communication while critical information, such as X-ray imaging, was moved around the hospital on CDs. The NHS – and just as critically the emergency services – are becoming increasingly reliant on machines that are connected to the internet. Only recently, Durham Constabulary Chief Constable Mike Barton, national policing lead for crime, told the Crime Reporters Association that devices connected to the internet were a “back door into your network”. The FoI requests were sent by Corero in March to 338 critical infrastructure organisations in the UK, including police forces, fire and rescue services, ambulance trusts, NHS trusts, energy suppliers and transport organisations. In total, 163 responses were received, with 63 organisations (39 per cent) admitting to not having completed the ‘10 Steps’ programme – guidance issued by the National Cyber Security Centre on how organisations can protect themselves in cyberspace. Among responses from NHS Trusts, 42 per cent admitted not having completed the programme. Thirty police forces responded to the FoI request – but 28 of these refused to answer the questions in the interests of national security. In effect, two responses were received, said Corero: both had completed the ‘10 Steps’ programme and neither had suffered DDoS attacks in the past year, although one admitted it did not detect sub-saturating DDoS attacks. Sean Newman, director of product management at Corero, said: “Cyber attacks against national infrastructure have the potential to inflict significant, real-life disruption and prevent access to critical services that are vital to the functioning of our economy and society. These findings suggest that many such organisations are not as cyber resilient as they should be, in the face of growing and sophisticated cyber threats.” Corero says modern DDoS attacks represent a serious security and availability challenge for operators of essential services. This is why DDoS protection is highlighted in the Government consultation on the NIS directive as a mechanism that critical infrastructure should consider when protecting their services and availability from disruption caused by cyber attacks. But while most people equate DDoS with high-volume attacks, like that against DNS (domain name system) service provider Dyn in 2016 that took down large parts of America’s internet, the majority of today’s attacks are actually short and low volume in nature. In fact, 90 per cent of DDoS attack attempts stopped by Corero during the first quarter of this year were less than 30 minutes in duration, and 98 per cent were less than 10Gbps in volume. Due t