[BreachExchange] Best practice CNI defence should emphasise resilience, not just compliance

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jun 11 19:38:22 EDT 2018


https://www.scmagazineuk.com/best-practice-cni-defence-should-emphasise-resilience-not-just-compliance/article/766551/

Across all parts of critical national infrastructure, we are seeing a
greater number of sophisticated and damaging cyber-threats which are often
believed to be the work of foreign governments seeking to cause political
upheaval. In recent weeks the US and UK governments accused Russia of
launching cyber-attacks on computer routers, firewalls and other networking
equipment used by government agencies, businesses and critical
infrastructure operators around the globe.

Previous reports have also highlighted the dangers of infrastructure
attacks, such as last year's attack on a Saudi Arabian petrochemical plant
and Russia's wide-ranging cyber-assault on the US energy grid. Ciaran
Martin, the head of the National Cyber Security Centre (NCSC) warned in
January that he expects the UK to suffer a major, crippling cyber-attack
against its critical infrastructure within the next two years.

We are clearly at a turning point in terms of protecting these systems.
Operators of essential services need to stay up-to-date with both the
cyber-security challenges and the methods available to monitor and mitigate
threats. Nation state attackers are well aware of the public confidence and
political fallout that could arise as a result of successful attacks on
operators' online systems or, even more worryingly, the safety risk of
cyber-attacks on control networks.  Whether the imperative is reputation,
compliance or safety, the resilience of these systems to withstand today's
cyber-attacks must be addressed.

Industrial control systems at risk

Best practice, including the recently published guidance from the NCSC,
implores operators to isolate their control systems from the Internet.  In
an ever more connected Internet of Things (IoT) enabled world, convenience
and productivity often means that this “air gap” has been compromised.
This potentially exposes industrial control systems to the full spectrum of
damaging cyberattacks.

For example, DDoS attacks can be used to disrupt the availability of
critical services and compromise the systems that enable them.  Once
compromised, attackers may be able to plant weaponised malware and/or steal
data.  Within the last year, separate DDoS attacks against the railway
operators in Sweden and Denmark caused train delays, disrupted travel
services and made it all but impossible to buy a ticket.  In the UK, the
WannaCry ransomware attacks last May blocked access to medical records and
caused poorly maintained medical equipment to fail; demonstrating the
capacity for cyber-attacks to impact people's access to essential services.

To investigate this issue, Corero carried out a Freedom of Information
study last year, which found that over a third (39 percent) of UK critical
infrastructure operators have not completed basic cyber-security standards
issued by the UK government (the '10 Steps to Cyber Security' programme).
Alarmingly, the requests also found that 51 percent of critical
infrastructure organisations are potentially vulnerable to the most common
DDoS attacks – those of short duration and modest volume – due to failures
to deploy technology which can detect or mitigate such attacks. Modern DDoS
attacks represent a serious security and availability challenge for
infrastructure operators because even a short duration attack can
significantly disrupt the delivery of essential services.

The NIS Regulations – a golden opportunity for change?

The pressure is now on for the cyber-security community and governments to
really focus on this issue in the face of increasing nation state attacks.
In this light, the UK government's new legislation, known as the NIS
Regulations, which includes penalties of up to £17 million for any of the
432 identified operators of essential services that fail to protect against
cyber-attacks on their networks, is an important step. Despite the political
rhetoric and the threat of fines, how much difference to our national
security will the NIS Regulations really make?

In January, the NCSC published its initial guidance for organisations
looking to comply with the NIS Regulations.  These were extended to include
the new Cyber Assessment Framework (CAF) at the end of April.  The measures
outlined so far are heavily weighted on reactive attack reporting rather
than advising organisations on how to better shore up their perimeter with
proactive defence solutions. As an example, within the guidance,
organisations are asked to define their own risk profile, and then prove
their resiliency against that profile – the equivalent of getting to mark
your own homework.

However, there is cause for optimism within the legislation. Just as with
GDPR, the key phrase “state of the art” appears within the operators'
security duties; “measures taken must, having regard to the state of the
art, ensure a level of security of network and information systems
appropriate to the risk posed”. The intended outcome from NIS should
genuinely be tied to resilience against cyber-attacks; meaning that our
healthcare, transportation, energy and drinking water services should be
required to remain available during an attack.

That said, the balance of both the legislation and current messaging from
government and the regulatory authorities suggests far more emphasis on
disclosure and recovery from failure than on investing in genuine
resilience. There is a very real risk that, for the foreseeable future,
NIS will be seen as a “tick box” exercise. If this is allowed to happen
then the golden opportunity will have been squandered.