The UK’s critical national infrastructure (CNI) “could be left dangerously exposed” if managers don’t respond appropriately to the increasing threat of cyber attack due to tensions between the UK and Russia, China and Iran, officials have confirmed.
NCE contacted CNI stakeholders after a recent flurry of cyber threats to critical UK bodies and government departments.
In early May, BBC reported a “hack” resulting in a “significant data breach” of payroll information at the Ministry of Defence. The report emerged on 6 May and on 7 May the defence secretary Grant Shapps said state involvement could not be ruled out.
In the hours and days following, at least two more cyber-related incidents hit NHS Scotland and the UK Border Force.
NHS Dumfries and Galloway said children’s mental health data had been published following a cyber-attack and e-passport gates stopped working at major airports.
There was no indication that the NHS and Border Force incidents were linked to malign state actors, but the situations with the wars in Ukraine and Israel/Gaza, and simmering tensions with China, mean infrastructure managers are concerned about future attacks against their assets.
On 17 May, CNN reported that Arup been scammed out of HK$200M (£20.2M) after one of its finance employees in its Hong Kong office was targeted by email phishing and a sophisticated deepfake video call with faked iterations of Arup chief financial officer and other senior finance employees.
CNN quoted Arup East Asia regional chairman Michael Kwok as having said that the “frequency and sophistication of these attacks are rapidly increasing globally, and we all have a duty to stay informed and alert about how to spot different techniques used by scammers”.
The US Government’s Cybersecurity & Infrastructure Security Agency (CISA) issued an advisory in May 2023 which linked to a notification from Microsoft warning about a Chinese state-based cyber weapon called Volt Typhoon which it described as “a state-sponsored actor based in China that typically focuses on espionage and information gathering”.
It added: “Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”
Volt Typhoon is also referred to as Vanguard Panda, Brronze Silhouette, Dev-0391, UNC3236, Voltzite, and Insidious Taurus.
Infrastructure managers confirm cybersecurity concerns
NCE contacted UK bodies which have responsibility for CNI.
The cyber security threat to National Highways has increased, the organisation confirmed.
National Highways, which is responsible for the strategic roads network (SRN) in England noted the increase in malign actors using Artificial Intelligence (AI) as a weapon in cyber-attacks.
A National Highways spokesperson said: “National Highways has a dedicated security team that remains up to date with the latest developments in the cyber security landscape.
“This team actively engages with the government, professional cybersecurity bodies, and our supply chain to ensure that our security posture is both current and robust.
“Additionally, we conduct regular security assessments and incident response exercises.
“These efforts help us anticipate future risks and adapt our strategies to ensure the safe and secure operation of the strategic road network.”
Network Rail confirmed it was aware that global cyber security risks are linked to the wars in Ukraine and Israel/Gaza and noted that the picture is complex and changing.
A Network Rail spokesperson said: “Safety is our top priority, which is why we work closely with government, the security services, our partners and suppliers in the rail industry and security specialists to combat cyber threats.
“Our cyber-security is constantly under review and we are always monitoring global security risks and their potential impact on our railway.”
Cybersecurity firms recommend investment in AI
Private companies working in the cybersecurity space confirmed that Russia, China and Iran are using AI in their offensive cyber suites.
Microsoft and Egress, a cybersecurity firm, told NCE that CNI managers should be responding by investing in AI in a defensive capacity.
Microsoft UK director – security business group Paul Kelly said: “Cybercriminals and nation-state actors like China, Russia and Iran, are using AI to enhance their operations, from deepfakes to scam emails, making the cyber threat landscape more sophisticated than ever before.
“We know they target critical infrastructure, accounting for 41% of nation-state attacks we observed last year. Meanwhile, the growing number of IoT devices and operational technology (OT) systems in critical infrastructure present a global challenge.
“Whilst we have a strong security footing in the UK, there’s a lot of work to be done, with our recent research revealing that 87% of UK organisations are vulnerable to cyberattacks in the age of AI.”
Kelly believes that “active intelligence sharing and collaboration is key” if infrastructure is to tackle this and respond to emerging threats faster.
He added: “To fight fire with fire, we recommend the adoption of AI technology and encourage visibility into devices across IT, OT and IoT as part of a comprehensive approach to organisational security.
“This includes following a Zero Trust model, operating on the principle of never trust, always verify.”
A spokesperson for Egress said the time for CNI managers to act is now and warned that “critical infrastructure could be left dangerously exposed” if there’s a failure to respond.
Egress SVP of threat intelligence Jack Chapman said: “State-sponsored cyberattacks make up a small proportion of the threats that organisations face – but with the resources sitting behind them, they are typically highly sophisticated, and their impact far outweighs their number.
“A single successful attack could cause widespread disruption – from disrupting citizens’ daily lives and business functions to undermining national security and even causing loss of life.
“Where systems are interconnected, a single attack can cascade through interconnected systems, amplifying the overall impact and making recovery more challenging.
“These are the stakes that cybersecurity professionals working in critical infrastructure face every day.
“Their challenge is staying at least one step ahead of threat actors against a shifting geopolitical landscape, changing tensions, and evolving attack techniques and threats.
“They must understand the current threats, such as the most likely channel or mechanism for attack by specific state-sponsored actors, and ensure they continually implement robust, layered cyber defences.
“Inevitably, the people working for these organisations all have targets on their backs – after all, it’s far easier to hack a human than a firewall.
“People are unpredictable – and they can’t be patched – so they’re much harder to secure than technical layers.”
Chapman believes that the best response is “to increasingly invest in AI-based cybersecurity solutions that provide the granular levels of protection and support that people need to do their jobs securely”.
He continued: “Intelligent detection technology should also be combined with robust security and awareness training (SA&T) programs that have a laser focus on advanced threats commonly associated with state-sponsored attacks.
“Although these breaches are not siloed to email, targeted organisations may expect to see sophisticated spear-phishing attacks that aim to get a foothold in the organisation.
“As a result, employees and key stakeholders should confidently know how to spot the signs of a targeted phishing email that uses malicious links or social engineering tactics to induce recipients to share sensitive information.”
Additionally, he believes that “infrastructure managers could take this one step further by evaluating and adjusting email security policies, sacrificing the potential increase of false positives in light of these specific threats, to ensure their anti-phishing technology is carrying out more vigorous checks on incoming communications”.
Chapman continued: “With this clear and pronounced increase in aggressive cyber activity globally, every organisation should be considering a thorough and invasive evaluation of their security posture to ensure they can keep pace with state-aligned attacks.
“Heeding the recent warning from the Director of GCHQ about the “genuine and increasing” cyber risk for the UK, those in the critical sectors could start by carrying out penetration testing to uncover vulnerabilities in their ecosystem.
“The stakes are high and the time to act is now, otherwise, critical infrastructure could be left dangerously exposed.”
Like what you’ve read? To receive New Civil Engineer’s daily and weekly newsletters click here.
