On Wednesday 19 April 2023 the National Cyber Security Centre (NCSC), part of GCHQ, issued an unprecedented warning about threats to UK critical infrastructure and services posed by Russia-aligned cyber attackers.

The alert urged infrastructure and service providers to take urgent steps to increase their cyber security resilience. It achieved widespread publicity, including articles by The Independent, The Guardian and the BBC.

A notable feature of the alert is that the Government has detected a serious change in the motivations of these threat actors. As DWF has been warning clients since the start of the invasion of Ukraine, the risk is that we will see a change in the criminal typologies of Russia-aligned threat actors, away from cyber-attacks for gain (i.e., to secure a ransom payment or other economic advantage) and towards cyber-attacks for damage and destruction. The alert makes it crystal clear that this change in motivation is now very real.

Therefore, the obvious risk is that without urgent steps being taken to increase resilience, critical infrastructure and service providers could suffer huge - potentially catastrophic - damage if, for example, the threat actors unleash wiper programs (to destroy data and systems), or malware to cause information assets (information technology, computer and communications systems and data) to be unavailable (i.e., “denial of service” attacks, or “DoS” and “DDoS”). In these cases, the victim would be unable to provide some or all of its services to its customers.

The attack surface

When considering exposure levels, clients should be mindful of the true extent of their attack surface. This covers not just technology, but also human factors (consider the problem of social engineering and phishing attacks) and the supply chain.

An area of the supply chain that is often less resilient than might be imagined is Cloud Computing. Due to the buying power and economies of scale of Cloud service providers, cognitive biases have developed on the customer side, which have sometimes led to unreliable assumptions being made about Cloud resilience: DWF regularly sees this problem manifest itself in the security breach cases that we handle.

Therefore, it is not surprising that Cloud instances are constantly targeted by threat actors. We strongly encourage our clients to consider their Cloud risk levels, especially where there is a large-scale “single point of failure” risk potential, or where Cloud services have been procured without a full security risk assessment having been performed, or where usual procurement channels have been bypassed, or where the use, administration and management of Cloud instances have been outsourced to third parties, such as professional services providers.

Human factors

Regarding human factors, the technological sophistication of cyber security risk management has improved dramatically over the past 15 years or so, which has enhanced organisations’ security confidence levels, but we have not yet reached a point of corresponding improvement in human factor risk reduction. As well as considering human user risks for ICT, clients should consider the human factors involved in the development, configuration, deployment and administration of ICT. Similarly, clients should consider whether their incident management and incident response teams are properly prepared to deal with heightened and novel risks of the kind that NCSC has alerted us to.