Critical Infrastructure Attacks: Considerations for Small-to-Medium Enterprises
In the UK, Critical National Infrastructure (CNI) is defined by the National Cyber Security Centre (NCSC) as ‘Those critical elements of Infrastructure (facilities, systems, sites, property, information, people, networks and processes), the loss or compromise of which would result in a major detrimental impact on the availability, delivery or integrity of essential services, leading to severe economic or social consequences or to loss of life.’ This encompasses thirteen sectors: chemicals, civil nuclear, communications, defence, emergency services, energy, finance, food, government, health, space, transport, and water.
What are the dangers?
Earlier this month, the NCSC released the first-ever joint advisory notice with international partners – the Australian Cyber Security Centre (ACSC), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) – to warn against a ‘growing wave of increasingly sophisticated ransomware attacks.’
For small-to-medium enterprises, such attacks might not be considered within cyber security planning and operations. However, in the context of the current threat landscape, attempts aimed at organisations that are related to the sectors outlined above could pose a credible risk. Cyber attacks on the rise - earlier this year, a survey revealed that 64% of UK businesses had experienced a cyberattack or data breach over the last 18 months. It’s more vital than ever to ensure your systems are safe and secure, and our partners at Cyber Security Associates (CSA) can help to keep you protected.
Adversaries have differing motivations - for example, ransomware attacks routinely leverage financial gain against the publication of sensitive or proprietary data. If the attacks are related to CNI, and hackers are aiming to achieve the maximum disruption to the smooth running of society, that could easily be done by compromising multiple third-party vendors to CNI industries. In turn, enforced downtime in the event of a breach could lead to shortages of essential products, lack of availability of services, increased workload for public services, as well as reputational damage should the exfiltrated data be published. As the aforementioned joint advisory notice exhorts, ‘…there is more work to be done to build collective resilience.’
Should you be worried?
Taking the SolarWinds breach of 2020 as an example, the malicious actors established command and control within systems up to a year before the attack was actioned. Malicious code facilitating the delivery of a Trojan was added to a legitimate patch for SolarWinds’ network management software, Orion, which was subsequently downloaded by customers. As of the time of writing, there have been 31 confirmed data breaches related to this event, with up to 100 private sector companies compromised - investigation into the full scope of the attack is still ongoing.
Although the adversaries targeted the high-value assets first, any of the estimated 18,000 customers who installed the infected patch could potentially be compromised – unless systems have been fully investigated and, if signs of malicious activity were identified, rebuilt. Remediating the threat can, in itself, cause a lot of disruption.
Multiple concurrent attacks on what would be considered tertiary services and businesses could impact a significant portion of the population. Outsourced services are often provided by small but vital organisations, such as independent pharmacies, school bus services and home care services. Smaller retail outlets would not only lose revenue, but their problems would have knock-on effects on other services in turn.
What should be done to protect your business?
Ascertaining the current status of an organisation’s security posture is the first step in securing against a possible breach becoming a point of escalation, or otherwise affecting an organisation. Consider which aspects of your system could be leveraged to gain access, beginning with the fundamentals: network and security architecture, the attack surface landscape, and any possible entry points. Hosting systems within a cloud service rather than an on-premises data centre would allow for changes to be made proactively if they’re necessary (for instance, to quarantine aspects of a system that may be infected, while investigation into an attempted breach is ongoing.) Firewall configuration, and identifying which alerts are set to trigger an alarm, should be evaluated. Ideally, discrete aspects of the network should be adequately segmented to prevent the lateral spread of any malware should it be introduced, and an up-to-date antivirus product should be in place.
It’s not just your own network that will need to be protected. Every client and supplier could potentially be an access or escalation point depending on whether access to systems is required, how that access occurs, and the level of privilege they’ve been assigned. A minimal trust policy should apply throughout, with access granted on a need-only basis, and revoked immediately when it’s no longer required. Anywhere that data is held or actions take place around accounts, such as customer relationship databases and booking software, should have secure login portals requiring multi-factor authentication (MFA).
If your organisation has a website, then you should assess any code, templates and plugins, and check for vulnerabilities. Wherever card payments are taken, these should be done via a PCI compliant merchant service. Human factors shouldn’t be overlooked; a simple Disclosure and Barring Service (DBS) check on staff may flag up any questionable backgrounds or motivations that might have otherwise been missed. Finally, if a breach should happen, a contingency plan can be enacted to ensure your organisation remains functional - even if on a reduced basis - alongside a clear chain of escalation to repair and rebuild your systems in order to minimise downtime.
How can we help you?
For many small-to-medium enterprises, undertaking a rigorous assessment could prove difficult due to a lack of IT personnel, expertise, and budget - or even all three. That’s where we at FluidOne come in. Our expert cyber partners, CSA, will give you an unbiased view of the security defences and procedures. They will help identify weaknesses or vulnerabilities such as out-of-date software, as well as help you develop plans to address these issues and mitigate any future risks. Combined, the founders have over 50 years of experience dealing with online threats, and thanks to their expertise, we have a unique offering for our clients that puts us leagues ahead of our competitors.
From full consultancy through to penetration testing, and passive website analysis to staff awareness training, our cyber partners at CSA also offer our customers a range of other cyber services to ensure they’re always cyber secure.
You can find out more about the cyber security services here, or if you want to find out how we can help you and your business, get in touch with us now to get expert advice from our team of cyber security professionals.