Best-Practice Measures to Protect UK Critical National Infrastructure Organisations

Noggin

Integrated Resilience Software

Published February 16, 2024

Key assets are under attack. Vedere Labs recorded more than 420 million cyber attacks on global critical infrastructure assets between January and December 2023.i

That figure averages out to 13 attacks per second, a staggering increase of 30% over 2022, with the UK coming in second, only behind the US, among global targets.

Context surrounding UK critical national infrastructure

Why is the threat climate for UK critical assets heating up specifically? Experts point to Russia’s invasion of Ukraine, beginning in February 2022, as a critical moment of proliferation in the cyber capabilities of state and non-state actors.ii

But after two years of fighting, the threat level hasn’t come down. In fact, it keeps getting higher.

Responding to this rising threat level, the National Cyber Security Centre (NCSC) issued an alert to critical national infrastructure organisations. It reads in part:

While the cyber activity of these [state-aligned] groups often focuses on DDoS attacks, website defacements and/or the spread of misinformation, some have stated a desire to achieve a more disruptive and destructive impact against western critical national infrastructure (CNI), including in the UK. We expect these groups to look for opportunities to create such an impact, particularly if systems are poorly protected.iii

Later in 2023, the Science, Innovation and Technology Committee began an official inquiry into the cyber resilience of the UK’s critical national infrastructure (UK CNI).iv

The backstory is that the Government’s National Cyber Strategy 2022 and its Government Cyber Security Strategy 2022-2030 both identify cyber threats to critical national infrastructure, i.e., the assets that support growth and the delivery of public services, as an area of “particular concern.”ii The Inquiry in Parliament will therefore explore the following avenues:

  • The progress of UK CNI toward achieving recently announced resilience targets by 2025
  • The support the sector needs to achieve those targets and efforts to make computer hardware architecture more secure by design to protect CNI
  • Proposals for the Government’s approach to standards and regulations for cyber resilience and preparedness, supply chain access, and trusted partners

As Parliament deliberates, the CNI sector remains under threat. And so, the purpose of this guide is to provide research-based, best-practice protective security measures critical national infrastructure organisations in the UK can take to safeguard their people, assets, and the nation’s wellbeing against adverse events.

What is critical national infrastructure?

Who should read this guide? This guide is written for the critical national infrastructure community.

National infrastructure, as defined by the National Protective Security Authority (NPSA), comprises those facilities, systems, sites, information, people, networks, and processes necessary for a country to function and upon which daily life depends.

Defined along these terms, national infrastructure also includes some functions, sites, and organisations which are not critical to the maintenance of essential services, but which need protection due to the potential danger to the public, e.g., civil nuclear and chemical sites.

The following 13 sectors have been designated as national infrastructure industries:

  1. Chemicals
  2. Civil Nuclear
  3. Communications
  4. Defence
  5. Emergency Services
  6. Energy
  7. Finance
  8. Food
  9. Government
  10. Health
  11. Space
  12. Transport
  13. Water

Is national infrastructure the same as critical infrastructure, though?

The answer is no.

As noted, not all national infrastructure assets are critical. Critical infrastructure elements include assets, facilities, systems, networks or processes, and the essential workers that operate and facilitate them.

What makes them critical, then? In the NPSA’s definition, their loss or compromise could result in the following:

  • Major detrimental impact on the availability, integrity, or delivery of essential services, including those services whose integrity, if compromised, could result in significant loss of life or casualties; and/or
  • Significant impact on national security, national defence, or the functioning of the state

How government gets data about critical national infrastructure

Critical national infrastructure is increasingly interconnected and interdependent, which makes it harder for government to understand and manage the risk the country faces. Government has therefore put in place a process to collect data on the country’s CNI.

The Criticalities Process gives risk owners in government (i.e., sectoral regulators) a common approach to collecting and structuring data on the CNI they oversee. The process supports the systematic identification of the Essential functions, the Systems that provide them (and their interdependencies), and the Organisations that operate those systems.

This information gets pooled into the CNI Knowledge Base, the single source of truth for UK CNI. Using this Knowledge Base, risk owners in government can view UK CNI on a map or as a network, with interdependencies mapped across it.

Here are the steps that go into building the CNI Knowledge Base:

  • Step 1. Map Essential Functions. Understanding what is important.
  • Step 2. Determine Systems. Mapping the Systems that provide the function.
  • Step 3. Assess Sector impacts. Understanding the impact of system compromise.
  • Step 4. Identify supporting Systems, Organisations, and Relationships. Mapping the Systems in more detail.
  • Step 5. Assess Cross-sector impacts. Understanding the impact on other sectors.
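As an added illustration, and not part of the Criticalities Process documentation or of the CNI Knowledge Base itself, the Python below models steps 2 to 5 as a dependency graph. Constructed sample systems provide essential functions and depend on one another; the code walks the reverse dependencies to list which sectors and functions are affected when a single system is compromised, then ranks systems by how much would be lost. Every system, operator, sector-function name and dependency edge here is invented for the example.

```python
"""Added example: the CNI Knowledge Base as a dependency graph (constructed data)."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class System:
    """A system that provides essential functions and may depend on other systems.

    Illustrative model only; it is not the schema of the real CNI Knowledge Base.
    """
    name: str
    sector: str
    operator: str
    provides: set = field(default_factory=set)    # essential functions delivered
    depends_on: set = field(default_factory=set)  # names of systems it cannot run without


def sample_knowledge_base():
    """Constructed sample data: every system, operator and function name is invented."""
    systems = [
        System("grid-scada", "Energy", "GridOp Ltd", {"electricity transmission"}),
        System("telco-core", "Communications", "Telco A", {"voice and data carriage"}, {"grid-scada"}),
        System("water-plc", "Water", "WaterCo", {"drinking water supply"}, {"grid-scada", "telco-core"}),
        System("hospital-epr", "Health", "Example NHS Trust", {"acute care"}, {"telco-core"}),
        System("payments-switch", "Finance", "BankCo", {"retail payments"}, {"telco-core"}),
        System("rail-signalling", "Transport", "RailCo", {"passenger rail"}, {"telco-core", "grid-scada"}),
    ]
    return {s.name: s for s in systems}


def dependents_index(kb):
    """Reverse the depends_on edges: for each system, which systems break if it does."""
    index = {name: set() for name in kb}
    for s in kb.values():
        for upstream in s.depends_on:
            if upstream not in kb:
                raise KeyError(f"{s.name} depends on unknown system {upstream!r}")
            index[upstream].add(s.name)
    return index


def impact_of_compromise(kb, compromised):
    """Step 5: transitive impact of losing one system.

    Returns (affected_system_names, {sector: set of essential functions lost}).
    Breadth-first over the reverse graph, so mutual dependencies do not loop.
    """
    index = dependents_index(kb)
    affected = {compromised}
    queue = deque([compromised])
    while queue:
        for downstream in index[queue.popleft()]:
            if downstream not in affected:
                affected.add(downstream)
                queue.append(downstream)
    by_sector = {}
    for name in affected:
        s = kb[name]
        by_sector.setdefault(s.sector, set()).update(s.provides)
    return affected, by_sector


def cross_sector_impact(kb, compromised):
    """Sectors other than the compromised system's own that lose an essential function."""
    _, by_sector = impact_of_compromise(kb, compromised)
    own = kb[compromised].sector
    return sorted(sector for sector in by_sector if sector != own)


def rank_by_criticality(kb):
    """Step 3 in miniature: order systems by functions lost, then sectors hit, then name."""
    scored = []
    for name in kb:
        _, by_sector = impact_of_compromise(kb, name)
        functions_lost = sum(len(fns) for fns in by_sector.values())
        scored.append((-functions_lost, -len(by_sector), name))
    return [name for _, _, name in sorted(scored)]


if __name__ == "__main__":
    kb = sample_knowledge_base()
    for name in rank_by_criticality(kb):
        affected, _ = impact_of_compromise(kb, name)
        print(f"{name:16} operator={kb[name].operator:18} "
              f"systems affected={len(affected)} other sectors hit={cross_sector_impact(kb, name)}")
```

The walk over reverse dependencies is what turns a per-sector asset list into a cross-sector impact picture: in the sample data the loss of the telecommunications core propagates to water, health, finance and transport, although none of those operators is a communications provider. A real knowledge base would attach severity and time-to-failure to the edges, but the traversal is the same.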

Strategies to protect UK critical infrastructure

How then to protect the underlying assets as the threat level rises?

The National Cyber Security Centre, for one, has issued guidance stipulating specific actions CNI organisations should take when the cyber threat is heightened, as it is.

NCSC cyber control guidance

The guidance starts with basic cyber controls, such as the following:vi

Incident Plan

  • Check your incident response plan is up to date.
  • Confirm that escalation routes and contact details are all up to date.
  • Ensure that the incident response plan contains clarity on who has the authority to make key decisions, especially out of normal office hours.
  • Ensure your incident response plan and the communication mechanisms it uses will be available, even if your business systems are not.

Third-party access

  • If third party organisations have access to your IT networks or estate, make sure you have a comprehensive understanding of what level of privilege is extended into your systems, and to whom.
  • Remove any access that is no longer required.
  • Ensure you understand the security practices of your third parties. 
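The following is an added Python example, not NCSC material, of the third-party access review the guidance asks for. It takes a constructed export of third-party accounts (the field names and every principal, supplier, scope and date are invented for illustration) and applies three checks: whether the contract the access was granted under has ended, whether the account has gone unused for longer than a chosen window, and whether privileged access is extended without MFA. It also produces the per-supplier summary of what level of privilege is extended into which part of the estate, and to whom.

```python
"""Added example: a third-party access review over a constructed account export."""
from datetime import date

# Constructed sample export (as from an IdP, VPN gateway or jump host); every
# principal, supplier, scope and date is invented for illustration.
SAMPLE_ACCOUNTS = [
    {"principal": "svc-vendora-scada", "third_party": "Vendor A", "privilege": "admin",
     "scope": "OT network", "last_used": "2024-02-10", "contract_end": "2024-12-31", "mfa": True},
    {"principal": "j.smith@vendorb.example", "third_party": "Vendor B", "privilege": "read-only",
     "scope": "historian", "last_used": "2023-09-01", "contract_end": "2024-06-30", "mfa": True},
    {"principal": "svc-vendorc-backup", "third_party": "Vendor C", "privilege": "admin",
     "scope": "corporate AD", "last_used": "2024-02-14", "contract_end": "2023-11-30", "mfa": False},
    {"principal": "contractor-d", "third_party": "Vendor D", "privilege": "user",
     "scope": "VPN", "last_used": None, "contract_end": "2024-08-31", "mfa": False},
]

REVIEW_DATE = date(2024, 2, 16)  # assumed date on which the review is run


def _parse_date(value):
    return date.fromisoformat(value) if value else None


def review_third_party_access(accounts, as_of, stale_after_days=90):
    """Apply three checks to each account and return one finding per failed check.

    Checks: the contract under which access was granted has ended; the account
    has never been used or has gone unused for longer than stale_after_days;
    admin privilege is extended without MFA. The 90-day window is an assumption.
    """
    findings = []
    for acct in accounts:
        last_used = _parse_date(acct["last_used"])
        contract_end = _parse_date(acct["contract_end"])
        reasons = []
        if contract_end is not None and contract_end < as_of:
            reasons.append(f"contract ended {contract_end}")
        if last_used is None:
            reasons.append("never used")
        elif (as_of - last_used).days > stale_after_days:
            reasons.append(f"unused for {(as_of - last_used).days} days")
        if acct["privilege"] == "admin" and not acct["mfa"]:
            reasons.append("admin privilege without MFA")
        for reason in reasons:
            findings.append({"principal": acct["principal"],
                             "third_party": acct["third_party"], "reason": reason})
    return findings


def removal_candidates(findings):
    """Accounts whose access is no longer required and should be removed."""
    no_longer_required = ("contract ended", "never used", "unused for")
    return sorted({f["principal"] for f in findings
                   if f["reason"].startswith(no_longer_required)})


def privilege_summary(accounts):
    """What level of privilege is extended into which part of the estate, and to whom."""
    summary = {}
    for acct in accounts:
        summary.setdefault(acct["third_party"], set()).add((acct["privilege"], acct["scope"]))
    return summary


if __name__ == "__main__":
    for supplier, grants in sorted(privilege_summary(SAMPLE_ACCOUNTS).items()):
        print(supplier, sorted(grants))
    findings = review_third_party_access(SAMPLE_ACCOUNTS, REVIEW_DATE)
    for f in findings:
        print(f"{f['principal']:26} {f['third_party']:9} {f['reason']}")
    print("remove:", removal_candidates(findings))
```

One finding in the sample data deserves a closer look rather than a quiet deletion: the Vendor C service account was used two days before the review even though its contract ended months earlier, so the access was either never revoked at contract end or is being used outside any agreement. That is the kind of case the third-party review is meant to surface, and it belongs with incident escalation, not only with access clean-up.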

Brief the wider organisation

  • Ensure that other teams understand the situation and the heightened threat. Getting buy-in from the rest of the business is crucial in being able to complete the actions described here.
  • Ensure colleagues in other areas understand the possible impact on their teams’ workloads and tasking. Make sure everyone knows how to report suspected security events and why reporting during a period of heightened threat is so important.

Ensuring that the fundamentals of cyber security are covered is hardly enough at this time. Advanced actions must be taken, as well, in accordance with an organisation’s resources.

Actions to take when the cyber threat is heightened

CNI organisations with the requisite resources are advised to take the following advanced steps when the threat level is heightened:vii

  • If your organisation has plans in place to make cyber security improvements over time, you should review whether to accelerate the implementation of key mitigating measures, accepting that this will likely require reprioritisation of resources or investment.  
  • No technology service or system is entirely risk free and mature organisations take balanced and informed risk-based decisions. When the threat is heightened, organisations should revisit key risk-based decisions and validate whether the organisation is willing to continue to tolerate those risks or whether it is better to invest in remediation or accept a capability reduction. 
  • Some system functions, such as rich data exchange from untrusted networks, may inherently bring a greater level of cyber risk. Large organisations should assess whether it is appropriate to accept a temporary reduction in functionality to reduce the threat exposure.   
  • Larger organisations will have mechanisms for assessing, testing, and applying software patches at scale. When the threat is heightened, your organisation may wish to take a more aggressive approach to patching security vulnerabilities, accepting that this may itself have a service impact.
  • During this time, large organisations should consider delaying any significant system changes that are not security related.  
  • If you have an operational security team or Security Operations Centre (SOC), it may be helpful to consider arrangements for extended operational hours or to put in place contingency plans to scale up operations quickly if a cyber incident occurs. 
  • If you have systems in place that can take automated action or notifications based on threat intelligence, you might also consider procuring threat feeds that may give you information relevant to the period of heightened threat.

Cyber Assessment Framework for managing security risk for critical national infrastructure organisations

For organisations responsible for services and activities that are of vital importance, the NCSC has also published the Cyber Assessment Framework (CAF). The CAF provides a systematic and comprehensive approach to assessing how resilient your organisation is to the cyber threat.

Organisations should look to the CAF to determine whether they have the appropriate structures, policies, and processes in place to understand, assess, and systematically manage security risks to the network and information systems supporting essential functions.

Which structures, policies, and processes are needed? The CAF’s first objective, managing security risk, breaks them down into the following areas:

Governance

  • Your organisation's approach and policy relating to the security of networks and information systems supporting the operation of essential functions are owned and managed at board level. These are communicated, in a meaningful way, to risk management decision-makers across the organisation.
  • Regular board discussions on the security of network and information systems supporting the operation of your essential function take place, based on timely and accurate information and informed by expert guidance.
  • There is a board-level individual who has overall accountability for the security of networks and information systems and drives regular discussion at board-level.
  • Direction set at board level is translated into effective organisational practices that direct and control the security of the networks and information systems supporting your essential function.

Roles and responsibilities

  • Necessary roles and responsibilities for the security of networks and information systems supporting your essential function have been identified. These are reviewed periodically to ensure they remain fit for purpose. 
  • Appropriately capable and knowledgeable staff fill those roles and are given the time, authority, and resources to carry out their duties.
  • There is clarity on who in your organisation has overall accountability for the security of the networks and information systems supporting your essential function.

Decision-making

  • Senior management have visibility of key risk decisions made throughout the organisation.
  • Risk management decision-makers understand their responsibilities for making effective and timely decisions in the context of the risk appetite regarding the essential function, as set by senior management.
  • Risk management decision-making is delegated and escalated where necessary, across the organisation, to people who have the skills, knowledge, tools, and authority they need.
  • Risk management decisions are periodically reviewed to ensure their continued relevance and validity.

Risk management

  • Your organisational process ensures that security risks to networks and information systems relevant to essential functions are identified, analysed, prioritised, and managed.
  • Your approach to risk is focused on the possibility of adverse impact to your essential function, leading to a detailed understanding of how such impact might arise as a consequence of possible attacker actions and the security properties of your networks and information systems.
  • Your risk assessments are based on a clearly understood set of threat assumptions, informed by an up-to-date understanding of security threats to your essential function and your sector.
  • Your risk assessments are informed by an understanding of the vulnerabilities in the networks and information systems supporting your essential function.
  • The output from your risk management process is a clear set of security requirements that will address the risks in line with your organisational approach to security.
  • Significant conclusions reached in the course of your risk management process are communicated to key security decision-makers and accountable individuals.
  • Your risk assessments are dynamic and updated in the light of relevant changes which may include technical changes to networks and information systems, change of use and new threat information.
  • The effectiveness of your risk management process is reviewed periodically, and improvements made as required.
  • You perform detailed threat analysis and understand how this applies to your organisation in the context of the threat to your sector and the wider CNI.

Assurance

  • You validate that the security measures in place to protect the networks and information systems are effective and remain effective for the lifetime over which they are needed.
  • You understand the assurance methods available to you and choose appropriate methods to gain confidence in the security of essential functions.
  • Your confidence in the security as it relates to your technology, people, and processes can be justified to, and verified by, a third party.
  • Security deficiencies uncovered by assurance activities are assessed, prioritised and remedied when necessary in a timely and effective way.
  • The methods used for assurance are reviewed to ensure they are working as intended and remain the most appropriate method to use.

Asset management

  • All assets relevant to the secure operation of essential functions are identified and inventoried (at a suitable level of detail). The inventory is kept up-to-date.
  • Dependencies on supporting infrastructure (e.g., power, cooling) are recognised and recorded.
  • You have prioritised your assets according to their importance to the operation of the essential function.
  • You have assigned responsibility for managing physical assets.
  • Assets relevant to essential functions are managed with cyber security in mind throughout their lifecycle, from creation through to eventual decommissioning or disposal.

Supply chain

  • You have a deep understanding of your supply chain, including sub-contractors and the wider risks it faces. You consider factors such as suppliers’ partnerships, competitors, nationality and other organisations with which they sub-contract. This informs your risk assessment and procurement processes.
  • Your approach to supply chain risk management considers the risks to your essential functions arising from supply chain subversion by capable and well-resourced attackers.
  • You have confidence that information shared with suppliers that is essential to the operation of your function is appropriately protected from sophisticated attacks.
  • You understand which contracts are relevant and you include appropriate security obligations in relevant contracts. You have a proactive approach to contract management which may include a contract management plan for relevant contracts. 
  • Customer / supplier ownership of responsibilities is laid out in contracts.
  • All network connections and data sharing with third parties are managed effectively and proportionately.
  • When appropriate, your incident management process and that of your suppliers provide mutual support in the resolution of incidents.

Global examples of critical infrastructure protections

Of course, the UK isn’t the only country whose critical national infrastructure sector is experiencing heightened threat levels. The US, for instance, receives more attacks on critical infrastructure assets than any other country.

However, it’s Australia that’s gone further than most other peer nations, codifying enhanced critical infrastructure protections into law in its Security of Critical Infrastructure Act.

In fact, amendments to that Act, originally passed in 2018, include enhanced cyber security obligations required for operators of systems of national significance, i.e., the country’s most important critical infrastructure assets.

What obligations are now required of this subset of critical infrastructure asset owners and operators? Obligations include:

  • Developing cyber security incident response plans to prepare for a cyber security incident. An incident response plan is a written plan detailing how an entity will respond to cyber security incidents that affect its systems. This obligation will assist entities to articulate ‘what to do’ and ‘who to call’ in the event of a cyber incident.
  • Undertaking cyber security exercises to build cyber preparedness. Cyber security exercises test preparedness, mitigation, and response capabilities. Ultimately, an exercise is designed to reveal whether the existing resources, processes and capabilities of an entity sufficiently safeguard the system from being impacted by a cyber security incident.
  • Undertaking vulnerability assessments to identify vulnerabilities for remediation. Vulnerability assessments identify ‘gaps’ in systems that expose entities to particular types of cyber incidents. These assessments will help entities identify where further resources and capabilities are required to improve an entity’s preparedness for, and resilience to, cyber incidents.
  • Providing system information to develop and maintain a near-real time threat picture. System information is data generated about a system for the purposes of security, diagnostic monitoring or audit, such as network logs, system telemetry and event logs, alerts, netflow, and other aggregate or metadata that provide visibility of malicious activity occurring within the normal functioning of a computer network.

Digital technology for critical infrastructure organisations

Following the obligations above and the prescribed protective security measures is a good place to start when raising the security of critical infrastructure assets. If doing so seems daunting, CNI organisations need not act alone.

Government is on hand to provide any number of resources to the sector. And technology providers are also available to enhance your level of CNI protection.

Specifically, certain vendors provide integrated resilience workspaces where teams can work together to anticipate and manage threats, conduct preparedness activities, effectively respond to disruptions, and continually learn from insights to strengthen resilience.

Key software features that support CNI protection

Here are some CNI protective security software capabilities to consider:

Critical infrastructure management

Consolidate information about critical infrastructure and operators including descriptions, locations, and key functions. Generate automated notifications when information changes to ensure updates are shared with the regulator in a timely manner to meet reporting obligations.

Risk management

Take a proactive approach to risk management in a standardised manner that makes it simple to identify risks, assess their inherent risk level, implement controls, confirm their effectiveness, and monitor residual risk levels on an ongoing basis in a single workspace.

Vulnerability assessments

Perform vulnerability assessments to pinpoint potential gaps that may expose the organisation to specific types of cyber incidents. Use the findings to determine areas where additional resources and capabilities are needed to enhance the organisation's readiness and resilience to cyber threats.

Third-Party risk management

Streamline the capture of Critical Infrastructure operator information including key entity details, descriptions of the arrangements in place and details about how relevant data types are managed using automated questionnaires and document requests.

Preparedness

Build incident response plans using automated plans and checklist functionality then leverage these to conduct exercises on an ongoing basis to ensure that plans are effective, key personnel understand their roles and responsibilities, and shortcomings are addressed.

Threat intelligence

Stay ahead of potential threats to critical infrastructure and your operators using real-time threat intelligence alerts. Leverage situational awareness dashboards to consolidate feeds from multiple sources to streamline threat detection and improve the incident response process.

Incident management

Improve incident response times and team activation with automated emails, SMS, and voice notifications. Identify personnel required to update the regulator, then assign tasks, record decisions, and share updates as the incident evolves before using investigations to identify controls to prevent reoccurrence.

Analytics and reporting

Centralise critical infrastructure information to enable data visualisation through interactive dashboards, charts, and maps in real-time on any device. Easily share insights with internal stakeholders to improve decision making and keep the regulator updated on relevant changes to critical infrastructure where required.


Finally, threats to critical national infrastructure have increased in kind and intensity. Among peer nations, the UK ranks just behind the US in the number of attacks its CNI sector receives. CNI entities must, therefore, act expeditiously to enhance the security of key assets under their management.

To that end, this guide has sought to provide a number of best-practice measures entities can take as well as advanced software capabilities entities should seek out. Following our recommendations will help CNI organisations improve their security posture amidst a drastically heightened cyber threat environment.


Sources

i Security Today: World's Critical Infrastructure Suffered 13 Cyber Attacks Every Second in 2023. Available at https://securitytoday.com/Articles/2024/01/29/World-Critical-Infrastructure-Suffered-13-Cyber-Attacks-Every-Second-in-2023.aspx?Page=1.

ii HM Government, Government Cyber Security Strategy: Building a cyber resilient public sector. Available at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1049825/government-cyber-security-strategy.pdf.

iii National Cyber Security Centre: Heightened threat of state-aligned groups against western critical national infrastructure. Available at https://www.ncsc.gov.uk/news/heightened-threat-of-state-aligned-groups.

iv Cyber resilience of the UK's critical national infrastructure: Inquiry. Available at https://committees.parliament.uk/work/7934/cyber-resilience-of-the-uks-critical-national-infrastructure/.

v HM Government, Government Cyber Security Strategy: Building a cyber resilient public sector. Available at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1049825/government-cyber-security-strategy.pdf.

vi National Cyber Security Centre: Actions to take when the cyber threat is heightened. Available at https://www.ncsc.gov.uk/guidance/actions-to-take-when-the-cyber-threat-is-heightened.

vii Ibid.