Critical infrastructure cybersecurity faces unprecedented challenges from every direction today, as threats escalate to new levels of sophistication and damage. Recently, the rapid digitisation of essential services and the development of geopolitical conflicts, such as that between Russia and Ukraine, have tremendously increased the risks to critical infrastructure systems.
Sectors such as electricity grids, healthcare and transportation systems are always preferred targets of cybercriminals and nation-state threat actors. These infrastructures form the core of modern existence; hence, any cyber attack on critical infrastructure escalates into risks with catastrophic implications: wide-scale chaos, economic decline and even loss of life.
Additionally, such entities aren’t always well protected. For instance, publicly funded critical infrastructure in the UK can be under-resourced, which is why investment in cybersecurity and IT modernisation is inadequate. In turn, this is why cyber threat actors are often able to use relatively well-worn attack paths to continue to cause damage with regular success against critical services.
This combination of disturbing factors has led to a growing wave of cyberattacks. In early September, Transport for London (TfL) was hit by a cyber incident that disabled its online services and digital platforms for over a week. Similarly, Tewkesbury Borough Council had to shut down systems for an extended period owing to a cybersecurity breach.
These are only a few recent examples of a diverse range of incidents, from one in the US that saw the Colonial Pipeline fall victim to an attack that disrupted fuel distribution, to one in Western Europe that saw 17 ports and oil terminals targeted. Closer to home, the British Library and the NHS are just two well-known casualties that have suffered extended disruptions due to cyberattacks in recent times.
To address these threats more effectively, a proactive approach is crucial. And here, the role of the UK Government is worth looking at.
Critically, the government’s primary role should not be to respond to every attack, but to create robust policy guidelines and support organisations with their own preparedness. While several useful guidelines and resources already exist, many of these largely serve as introductory tools. The next step is for the government to offer more targeted support and guidance to help organisations advance their cybersecurity measures.
It is, therefore, promising to hear discussions about a new Cybersecurity and Resilience Bill, signalling the government’s commitment to continually improve digital protection measures across the country. However, the effectiveness of this initiative remains uncertain.
It may simply reflect a push to adopt successful European models like NIS2 and DORA on a national scale, and that would be no bad thing. However, in the context of critical infrastructure in the UK, it is also important to focus on those areas that should be addressed with urgency.
While the government has largely been effective at educating individuals in the basics of avoiding phishing scams and general fraud awareness, the existing guidance becomes insufficient when addressing organisational needs.
Within the context of the growing threat against critical infrastructure, there is a clear need for improved and more comprehensive support for organisations.
This could become especially crucial following the Autumn Budget. When funding is scrutinised, cut or reduced, many critical services will need to look at optimising their use of taxpayer money, working to sustain effective security levels as finances become constrained.
To meet these challenges, entities will likely need to modernise their ageing IT infrastructure, conduct thorough reviews of their cybersecurity spending, and critically evaluate their investments for effectiveness. It will be a complex process – one that organisations will again require guidance to navigate effectively.
In light of these challenges, it would be beneficial to consider the following actions as a means of more effectively managing and mitigating the growing tide of attacks on critical infrastructure:
- Provide clear guidance on cybersecurity fundamentals: The government should develop and deliver clear, actionable guidance for organisations focused on essential practices such as asset identification, vulnerability assessment, risk management, and regular updates. Organisations need straightforward, practical advice on how to implement these fundamentals effectively.
- Centralise cybersecurity management: Currently, cybersecurity responsibilities are dispersed across various government departments, including the NCSC, DCMS, Services, Cabinet Office, ICO, and NCA. Centralising these responsibilities into a single function could reduce confusion, enhance clarity, and improve accountability by consolidating policy and guidance under a single authority.
Critically, as digital systems continue to expand and global tensions intensify, it’s clear that the focus must shift from reactive measures to forward-looking policies and targeted support for the essential organisations that keep the country running.
More practical, clearer cybersecurity guidance provided by a centralised body can only help to strengthen resilience. And with economic pressures mounting, the need to modernise outdated IT systems and make smarter security investments will only become even more crucial moving forward.