Published February 16, 2024
Key assets are under attack. Vedere Labs recorded more than 420 million cyber attacks on global critical infrastructure assets between January and December 2023.i
That figure averages out to 13 attacks per second, a staggering increase of 30% over 2022, with the UK coming in second, only behind the US, among global targets.
Why is the threat climate for UK critical assets heating up specifically? Experts point to Russia’s invasion of Ukraine, beginning in February 2022, as a critical moment of proliferation in the cyber capabilities of state and non-state actors.ii
But after two years of fighting, the threat level hasn’t come down. In fact, it keeps getting higher.
Responding to this rising threat level, the National Cyber Security Centre (NCSC) issued an alert to critical national infrastructure organisations. It reads in part:
While the cyber activity of these [state-aligned] groups often focuses on DDoS attacks, website defacements and/or the spread of misinformation, some have stated a desire to achieve a more disruptive and destructive impact against western critical national infrastructure (CNI), including in the UK. We expect these groups to look for opportunities to create such an impact, particularly if systems are poorly protected.iii
Later in 2023, the Science, Innovation and Technology Committee began an official inquiry into the cyber resilience of the UK’s critical national infrastructure (UK CNI).iv
The backstory, here, is that the Government’s National Cyber Strategy 2022 and its Cyber Security Strategy 2022-2030 both recognise cyber threats to critical national infrastructure, i.e., assets critical for supporting growth and helping to transform the delivery of public services, as an area of “particular concern.”ii The Inquiry in Parliament will, therefore, explore the following avenues:
As Parliament deliberates, the CNI sector remains under threat. And so, the purpose of this guide is to provide research-based, best-practice protective security measures critical national infrastructure organisations in the UK can take to safeguard their people, assets, and the nation’s wellbeing against adverse events.
Who should read this guide? This guide is written for the critical national infrastructure community.
National infrastructure, as defined by the National Protective Security Authority (NPSA), comprises those facilities, systems, sites, information, people, networks, and processes necessary for a country to function and upon which daily life depends.
Defined along these terms, national infrastructure also includes some functions, sites, and organisations which are not critical to the maintenance of essential services, but which need protection due to the potential danger to the public, e.g., civil nuclear and chemical sites.
The following 13 sectors have been designated as national infrastructure industries:
Is national infrastructure the same as critical infrastructure, though?
The answer is no.
As noted, not all national infrastructure assets are critical. Critical infrastructure elements include assets, facilities, systems, networks or processes, and the essential workers that operate and facilitate them.
What makes them critical then? As the NPSA finds, their loss or compromise could result in the following:
Indeed, critical national infrastructure is increasingly interconnected and interdependent. This makes it harder for government to understand and manage risk faced by the country. As a result, government has put in place a process to collect data related to the country’s CNI.
What does it do? Well, the Criticalities Process gives risk owners in government (i.e., sectoral regulators) a common approach to collect and structure data on the CNI they oversee. The process itself supports the systematic identification of the Essential functions, the Systems that provide them (and their interdependencies), and the Organisations that operate those systems.
This information gets pooled into the CNI Knowledge Base, the single source of truth for UK CNI. Using this Knowledge Base, risk owners in government can view UK CNI on a map or as a network, with interdependencies mapped across it.
Here are the steps that go into building the CNI Knowledge Base:
How then to protect the underlying assets as the threat level rises?
The National Cyber Security Centre, for one, has issued guidance stipulating specific actions CNI organisations should take when the cyber threat is heightened, as it is.
The guidance consists of more rudimentary cyber controls, such as the following:vi
Ensuring that the fundamentals of cyber security are covered is hardly enough at this time. Advanced actions must be taken, as well, in accordance with an organisation’s resources.
CNI organisations with the requisite resources are advised to take the following advanced steps when the threat level is heightened:vii
For organisations responsible for services and activities that are of vital importance, the NCSC has also published the Cyber Assessment Framework (CAF). The CAF provides a systematic and comprehensive approach to assessing how resilient your organisation is to the cyber threat.
Organisations should look to the CAF to determine whether they have the appropriate structures, policies, and processes in place to understand, assess, and systematically manage security risks to the network and information systems supporting essential functions.
Which structures, policies, and processes are needed? Within these focus areas, the following will be needed:
Of course, the UK isn’t the only country whose critical national infrastructure sector is experiencing heightened threat levels. The US, for instance, leads the way when it comes to attacks on critical infrastructure assets.
However, it’s Australia that’s gone further than most other peer nations, codifying enhanced critical infrastructure protections into law in its Security of Critical Infrastructure Act.
In fact, amendments to that Act, originally passed in 2018, include enhanced cyber security obligations required for operators of systems of national significance, i.e., the country’s most important critical infrastructure assets.
What obligations are now required of this subset of critical infrastructure asset owners and operators? Obligations include:
Following the obligations above and the prescribed protective security measures is a great place to start when upleveling the security of critical infrastructure assets. If doing so seems daunting, CNI organisations need not act alone.
Government is on hand to provide any number of resources to the sector. And technology providers are also available to enhance your level of CNI protection.
Specifically, certain vendors provide integrated resilience workspaces where teams can work together to anticipate and manage threats, conduct preparedness activities, effectively respond to disruptions, and continually learn from insights to strengthen resilience.
Here are some CNI protective security software capabilities to consider:
Consolidate information about critical infrastructure and operators including descriptions, locations, and key functions. Generate automated notifications when information changes to ensure updates are shared with the regulator in a timely manner to meet reporting obligations.
Take a proactive approach to risk management in a standardised manner that makes it simple to identify risks, assess their inherent risk level, implement controls, confirm their effectiveness, and monitor residual risk levels on an ongoing basis in a single workspace.
Perform vulnerability assessments to pinpoint potential gaps that may expose the organisation to specific types of cyber incidents. Use the findings to determine areas where additional resources and capabilities are needed to enhance the organisation's readiness and resilience to cyber threats.
Streamline the capture of Critical Infrastructure operator information including key entity details, descriptions of the arrangements in place and details about how relevant data types are managed using automated questionnaires and document requests.
Build incident response plans using automated plans and checklist functionality then leverage these to conduct exercises on an ongoing basis to ensure that plans are effective, key personnel understand their roles and responsibilities, and shortcomings are addressed.
Stay ahead of potential threats to critical infrastructure and your operators using real-time threat intelligence alerts. Leverage situational awareness dashboards to consolidate feeds from multiple sources to streamline threat detection and improve the incident response process.
Improve incident response times and team activation with automated emails, SMS, and voice notifications. Identify personnel required to update the regulator, then assign tasks, record decisions, and share updates as the incident evolves before using investigations to identify controls to prevent reoccurrence.
Centralise critical infrastructure information to enable data visualisation through interactive dashboards, charts, and maps in real-time on any device. Easily share insights with internal stakeholders to improve decision making and keep the regulator updated on relevant changes to critical infrastructure where required.
Finally, threats to critical national infrastructure have increased in kind and intensity. Among peer nations, the UK ranks just behind the US in the number of attacks its CNI sector receives. CNI entities must, therefore, act expeditiously to enhance the security of key assets under their management.
To that end, this guide has sought to provide a number of best-practice measures entities can take as well as advanced software capabilities entities should seek out. Following our recommendations will help CNI organisations improve their security posture amidst a drastically heightened cyber threat environment.
i Security Today: World's Critical Infrastructure Suffered 13 Cyber Attacks Every Second in 2023. Available at https://securitytoday.com/Articles/2024/01/29/World-Critical-Infrastructure-Suffered-13-Cyber-Attacks-Every-Second-in-2023.aspx?Page=1.
ii HM Government, Government Cyber Security Strategy: Building a cyber resilient public sector. Available at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1049825/government-cyber-security-strategy.pdf.
iii National Cyber Security Centre: Heightened threat of state-aligned groups against western critical national infrastructure. Available at https://www.ncsc.gov.uk/news/heightened-threat-of-state-aligned-groups.
iv Cyber resilience of the UK's critical national infrastructure: Inquiry. Available at https://committees.parliament.uk/work/7934/cyber-resilience-of-the-uks-critical-national-infrastructure/.
v HM Government, Government Cyber Security Strategy: Building a cyber resilient public sector. Available at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1049825/government-cyber-security-strategy.pdf.
vi National Cyber Security Centre: Actions to take when the cyber threat is heightened. Available at https://www.ncsc.gov.uk/guidance/actions-to-take-when-the-cyber-threat-is-heightened.
vii Ibid.