In an attempt to boost the cyber-protection of the UK’s most critical industries, the government is pushing firms to turn to the best standard of cyber defence available. But will these fines be enough to encourage the C-Suite to take action?
In recent years, there have been sudden shutdowns of transport systems and power grids that we are familiar with from Hollywood blockbusters but nowadays these have become real-world possibilities as hackers continue to breach critical systems. We’ve witnessed the damage ransomware such as WannaCry can cause as the NHS in the UK was brought to its knees due to flaws in using legacy software and systems.
Critical services organisations are risking more than just their own bottom line by not implementing proper cyber-protection, they are risking lives and livelihoods. So far we’ve been lucky. And fortunate that no malicious group or individual has targeted critical infrastructure systems for gains other than notoriety and ransom.
The cyber-attack against the MUNI transport system in San Francisco should have pushed cyber-security to the top of the agenda in boardrooms across the world. In this attack, ransomware disabled ticket machines across the city over Thanksgiving weekend, leaving the rail network with little choice but to let passengers ride for free. Data was also encrypted on the transport network’s internal systems, with a ransomware note appearing on screens.
The rail network was able to overcome all the obstacles without paying the ransom, although the network had to miss out on a weekend’s revenue. Thankfully this attack was intended to not cause harm, instead it was for financial gain.
But if a more sinister attempt was made to shut-down rail operations, then would traditional cyber-security protect against it? The simple answer is no. We’re seeing that organisations need to protect at more granular level, as opposed to the one-size-fits all solution. This approach is the board and CSO’s attempt to tick-a-box, and not adequately protect themselves. Every single border of an organisation needs the best standard of technology in place to prevent attacks from gaining into the critical systems.
Where is CNI vulnerable?
Education is often cited as something that organisations lack when it comes to the risks involved in cyber-security. But more often than not it is negligence that let’s hackers in the door. Negligence from the top by not investing in the best-standard of cyber defence, and negligence from employees who open email attachments that may pose elements of risk.
Many organisations still fail to appreciate the huge dangers presented by emails. It only takes one employee to click open an everyday file-type in an email attachment and an entire city can be brought to its knees as code hidden in the structure of a document downloads malware to commence a full-scale attack.
The lethal dangers lurking in everyday email attachments are constantly overlooked. More than 90 per cent of successful cyber-attacks begin with someone clicking open an email attachment. A million new types of malware are found on a daily basis, but governments and their agencies seem happy to carry on as if nothing has changed in the last decade, relying on creaking old anti-virus detection that can never keep up with the inventiveness of cyber criminals.
While new forms of malicious code are being written every minute, social engineering has also become hugely sophisticated, making it difficult for busy employees to resist clicking open an email that appears to be legitimate.
Opportunities for network penetration have grown as the Internet of Things and use of connected devices has expanded, with large infrastructure organisations now operating a huge number of internet-connected devices that criminals can attack or subvert. This extends the security border of any infrastructure organisation way beyond its physical boundaries.
Compounding this risk are the twin forces of IT conservatism and lack of investment which leave many organisations using outdated, legacy operating systems and reliant on old-fashioned protection.
What is the solution?
The public sector is well-known for lengthy procurement periods. However, by the time new solutions are put in place, hackers are even further ahead of you. Therefore, technology that is able to look for known good, rather than bad has to be implemented.
What this means is that the technology is not looking out for the constantly updated malware, and other mechanisms that hackers employ. This archaic approach leaves organisations vulnerable because the technology is always going to be one step behind. You have to know all the threats first, to be able to protect against them. However, if technology targets only the known good, then you end up preventing cyber-attacks from happening rather than looking for post-infection band aids.
Technologies such as Content Disarm and Reconstruction (CDR) are already well-developed and tested and will combat threats such as malicious email attachments. There is no possibility that an organisation can ban the use of email attachments – they are what every business depends on. It just takes a more forward-thinking attitude to technological innovation, and critical infrastructure organisations can protect themselves and the rest of us much more effectively.