FOI request reveals UK critical infrastructure organisations lack ‘cyber resilience’
New data has revealed a lack of cyber resilience among critical national infrastructure (CNI) organisations in the UK: more than a third of respondents have not completed the government's basic cyber security checks, and more than half do not detect short, low-volume DDoS attacks on their networks.
The information, obtained through a Freedom of Information Act request by Corero Network Security (LSE: CNS), a provider of real-time DDoS defence solutions, reveals that some 39 per cent of responding CNI organisations have not completed the UK government's basic cyber security guidance, the '10 Steps to Cyber Security'.
“Cyber-attacks against national infrastructure have potential to inflict significant, real-life disruption and prevent access to critical services that are vital to the functioning of our economy and society,” says Sean Newman, Director of Product Management at Corero. “These findings suggest that many such organisations are not as cyber resilient as they should be, in the face of growing and sophisticated cyber threats.”
The Freedom of Information requests were sent in March 2017 to 338 critical infrastructure organisations in the UK, including fire and rescue services, police forces, ambulance trusts, energy suppliers and transport organisations.
In total, 163 responses were received; 63 of those organisations (39 per cent) admitted they had not completed the UK government's '10 Steps to Cyber Security' programme, indicating a lack of cyber resilience within organisations that are critical to the functioning of UK society.
The results follow the UK government's proposals to implement the EU's Network and Information Systems (NIS) directive from May 2018, a move that would impose fines of up to £17m on infrastructure organisations that fail to protect themselves against cyber-attacks.
“The world isn’t ready for cyber threats against critical infrastructure – but criminals are clearly ready and able to launch attacks on these facilities,” says David Emm, principal security researcher at Kaspersky Lab. “We’ve seen attempts on power grids, oil refineries, steel plants, financial infrastructure, seaports and hospitals – and these are cases where organisations have spotted attacks and acknowledged them. However, many more companies do neither, and the lack of reporting these incidents hampers risk assessment and response to the threat.
“Security must be tailored to the specific needs of each organisation and be seen as an ongoing process. This is true also of the human dimension – tricking people into taking action that launches the initial exploit is as common in attacks on such facilities as it is in any other context.”
Of similar concern, Corero argues, is CNI organisations' tendency to ignore short-duration distributed denial of service (DDoS) attacks on their networks, which attackers frequently use as a distraction while attempting data theft.
DDoS protection is highlighted within the government consultation on NIS as a mechanism that critical infrastructure should consider when protecting their services and availability from disruption caused by cyber-attacks.
While the threat from high-volume DDoS attacks, such as the 2016 attack on DNS provider Dyn that took large parts of the US internet offline, is well known, the vast majority of today's attacks are short and low in volume. Because of their small size, these stealth DDoS attacks often go unnoticed by security staff, yet attackers frequently use them in their efforts to target, map and infiltrate a network.
In the first quarter of 2017, 90 per cent of the DDoS attack attempts stopped by Corero lasted less than 30 minutes, and 98 per cent were under 10Gbps in volume. Worryingly, the Freedom of Information data revealed that more than half of the UK's responding critical infrastructure organisations (51 per cent) are potentially exposed to such attacks, because they do not detect or mitigate short-duration, surgical DDoS attacks on their networks.
The results suggest that just five per cent of infrastructure operators experienced DDoS attacks on their networks in the year to March 2017. However, since 90 per cent of the attacks Corero observed were shorter than 30 minutes, and more than half of respondents do not detect attacks of that length, the real figure could be considerably higher.
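To make the detection gap described above concrete, the following is an added example in Python; it is not Corero's code or any product's logic. It builds a constructed 30-minute series of per-destination traffic rates that contains a 12-minute burst at roughly 3 Gbps, then runs two detectors over it: one that only fires at an assumed 10 Gbps volumetric threshold (and never alerts), and one that compares each destination against its own rolling median baseline with a short sustain requirement (and flags the burst). The host addresses, rates, sampling interval and every threshold are constructed assumptions for illustration.

```python
"""Flag short, low-volume DDoS bursts that a volumetric threshold misses.

Added example with constructed data; the hosts, rates and thresholds are
assumptions for illustration, not Corero's figures or detection logic.
Each record is (timestamp_s, dst_ip, bits_per_second over the sample interval).
"""
from collections import defaultdict, deque
from statistics import median

VOLUMETRIC_THRESHOLD_BPS = 10e9  # assumed "big flood" alarm level (10 Gbps)
SAMPLE_INTERVAL_S = 10           # constructed sampling interval
BASELINE_SAMPLES = 30            # 5 minutes of history at 10 s per sample
BURST_MULTIPLIER = 8.0           # flag when rate exceeds 8x the rolling median
MIN_BURST_SAMPLES = 3            # 30 s sustained before alerting (suppresses blips)


def build_sample_records():
    """Constructed rate samples for two hosts over 30 minutes (1800 s).

    10.0.0.5: ~50 Mbps idle, then a 12-minute burst at ~3 Gbps from t=600 s.
    10.0.0.9: ~200 Mbps with mild variation and no attack.
    """
    records = []
    for t in range(0, 1800, SAMPLE_INTERVAL_S):
        web = 50e6 + (t % 70) * 1e5          # 50-56 Mbps idle traffic
        if 600 <= t < 1320:
            web = 3e9 + (t % 50) * 1e6       # short burst, well under 10 Gbps
        records.append((t, "10.0.0.5", web))
        records.append((t, "10.0.0.9", 200e6 + (t % 110) * 2e5))
    return records


def volumetric_alerts(records, threshold_bps=VOLUMETRIC_THRESHOLD_BPS):
    """What a volumetric-only setup amounts to: alert when rate >= threshold."""
    return [(t, dst, bps) for t, dst, bps in records if bps >= threshold_bps]


def detect_bursts(records, multiplier=BURST_MULTIPLIER, min_samples=MIN_BURST_SAMPLES):
    """Flag bursts relative to each destination's own recent baseline.

    Returns a list of dicts {dst, start, end, peak_bps} ordered by start time.
    A burst opens after min_samples consecutive elevated samples and closes on
    the first sample that falls back below the multiplier.
    """
    history = defaultdict(lambda: deque(maxlen=BASELINE_SAMPLES))  # recent normal rates
    active = {}                    # dst -> burst currently in progress
    streak = defaultdict(int)      # consecutive elevated samples per dst
    pending_peak = defaultdict(float)
    bursts = []
    for t, dst, bps in sorted(records):
        hist = history[dst]
        baseline = median(hist) if len(hist) >= min_samples else None
        elevated = baseline is not None and bps > multiplier * baseline
        if elevated:
            streak[dst] += 1
            pending_peak[dst] = max(pending_peak[dst], bps)
            if dst in active:
                active[dst]["end"] = t
                active[dst]["peak_bps"] = max(active[dst]["peak_bps"], bps)
            elif streak[dst] >= min_samples:
                start = t - (min_samples - 1) * SAMPLE_INTERVAL_S
                active[dst] = {"dst": dst, "start": start, "end": t,
                               "peak_bps": pending_peak[dst]}
            # Attack samples are deliberately not added to the baseline; feeding
            # them in would drift the median upwards until the burst "vanished".
        else:
            streak[dst] = 0
            pending_peak[dst] = 0.0
            if dst in active:
                bursts.append(active.pop(dst))
            hist.append(bps)
    bursts.extend(active.values())  # bursts still open when the data ends
    return sorted(bursts, key=lambda b: b["start"])


if __name__ == "__main__":
    data = build_sample_records()
    print("volumetric alerts:", len(volumetric_alerts(data)))
    for b in detect_bursts(data):
        print(f"{b['dst']}: {b['start']}s-{b['end']}s, "
              f"{(b['end'] - b['start']) / 60:.1f} min, peak {b['peak_bps'] / 1e9:.2f} Gbps")
```

The design point is the baseline handling: the per-destination median is frozen while a burst is in progress, otherwise a sustained 3 Gbps flow becomes the new "normal" within a few minutes and the detector silences itself exactly when the operator needs it. The sustain requirement trades a 30-second detection delay for far fewer alerts on single-sample spikes; in practice that window, the multiplier and the baseline length need tuning against each service's own traffic.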
“In the face of a DDoS attack, time is of the essence,” says Newman. “Delays of minutes, tens of minutes, or more before a DDoS attack is mitigated are not sufficient to ensure service availability, and could significantly impact the essential services provided by critical infrastructure organisations.
“By not detecting and investigating these short, surgical DDoS attacks on their networks, infrastructure organisations could also be leaving their doors wide open for malware or ransomware attacks, data theft or more serious cyber-attacks. To keep up with the growing sophistication and organisation of well-equipped and well-funded threat actors, it’s essential that organisations maintain comprehensive visibility across their networks, to instantly and automatically detect and block any potential DDoS incursions as they arise.”