Security provider Anomali has published its United Kingdom Threat Landscape Report (registration required). The report will make for uncomfortable reading for anyone involved in the UK Critical National Infrastructure (CNI). Anomali identifies where there are specific risks, calls out known attacks and names weak spots.
Two sectors are of particular concern: Emergency Services and the Defence Equipment and Supply Organisation. Both are concentrated and seen as key targets. The emergency services, for example, and especially healthcare, have well publicised problems. None are simple to fix and to do so will take significant sums of money, change and education.
The report also says that the UK has moved up to become the 38th most cyber-attacked country. This makes it more likely to be attacked than the US (90th), France (67th) and Germany (67th) – figures attributed by Anomali to Check Point Software. The UK also had the fourth highest detection rate for ransomware in 2016. This may have risen given the sustained attacks in 2017.
Detection rates for malware in the UK are twice as high as in Russia, though this is not necessarily bad. A high detection rate is not the same as a high infection rate. Unfortunately the report fails to identify infection rates to enable a more balanced view to be taken.
Hugh Njemanze, CEO of Anomali, said: “The UK presents a complex cyber risk picture – previous foreign policy commitments and current tensions between NATO and other nation states make it a target for international terror organisations.
“Within the UK, the nature of the economy and industry present a combination of opportunity and risk to those looking to plan a hybrid attack. The network of small and medium enterprises which support Critical National Infrastructure strengthens its resilience, whereas the geographical clustering of industries can weaken the system leaving them vulnerable to attack.”
Which parts of the CNI are worst?
None come out with a “well done”. Some, however, fare particularly badly. As mentioned above, the emergency services are singled out as having serious weaknesses.
The communications market also has serious flaws but, unlike the emergency services, has mechanisms in place to deal with disruption to its networks. This does not mean that customers are safe. Data breaches such as those at TalkTalk and Vodafone have exposed customer data. Hardware problems – such as the router vulnerabilities suffered by Virgin Media – are not uncommon.
Not all attacks against UK CNI are against UK-based assets. There are examples in the report where attacks against suppliers create risk for the CNI. This is something that affects all companies and industries. Sectors designated ‘CNI’ need to do more to protect their suppliers, especially smaller ones who are seen as easy targets for hackers.
The UK energy industry, including the country’s nuclear industry, comes in for criticism. There are concerns about its centralisation of assets. This makes them susceptible to attacks that take out regional networks. Electricity networks are a particular pain point, though the UK is not as at risk of the kind of cascade failure that the US has suffered on a couple of occasions. However, it does have a dependency on Europe through the electricity interconnectors and gas pipelines. The report suggests that Brexit poses an additional threat to supply.
What does this mean?
There are multiple takeaways from this report. While it is easy to focus on the negative (and look just at the number of attacks and risks for UK CNI), the UK does do a better job than most when it comes to detecting attacks. This enables it to build resiliency across all parts of the CNI. However, doing that requires money. With Brexit dominating, this cannot be guaranteed, at least from government.
Much of the UK CNI, nevertheless, is in private hands. This allows the government to divert responsibility elsewhere. In doing so it needs to make sure that those private companies are aware of their obligations. As has been seen over pricing in the energy sector, private companies have a different view (to government) of what is important. This divergence raises the question of what is needed to ensure companies invest enough into cybersecurity.
For government-controlled bodies – such as the Ministry of Defence (MoD) and the emergency services – the position is bleak. The MoD has large shortfalls of cash due to constant overspend. It struggles to hold on to skilled cybersecurity staff. To counter this it has created a cybersecurity regiment that relies on non-regular service personnel. In order to get the skills it needs it has also had to compromise in areas such as age and military fitness.
Health and the emergency services have equally difficult problems to solve. The report calls out the use of Android by emergency service employees, with its susceptibility to malware, as a serious risk. At the same time the Health Service is cash-strapped and so under-resourced that it is incapable of addressing the current wave of cyber-attacks.
If this were a school end-of-term report it might say: “need to try much, much harder.”