Security researchers have listed the UK's Defence Equipment and Supply Organisation as among several critical infrastructure organisations that are vulnerable to cyber attacks.
A monopoly of ownership and geographic clustering of critical infrastructure organisations in the UK have made them primary targets of hackers looking to exploit their weaknesses.
The new UK Threat Landscape report released by intelligence provider Anomali has revealed the extent to which critical infrastructure organisations in the UK are vulnerable to potent cyber attacks and has highlighted weaknesses that need to be plugged to ensure such organisations are immune from emerging cyber threats.
Through this report, Anomali has stressed on how emergency services, financial services, and critical national infrastructure organisations, all of which are essential to the UK's stability and growth, are vulnerable to potential cyber attacks to certain degrees. It also highlighted the Defence Equipment and Supply Organisation as a prime target for actors seeking to disrupt defence procurement.
“The UK presents a complex cyber risk picture – previous foreign policy commitments and current tensions between NATO and other nation states make it a target for international terror organisations.
"Within the UK, the nature of the economy and industry present a combination of opportunity and risk to those looking to plan a hybrid attack. The network of small and medium enterprises which support Critical National Infrastructure strengthens its resilience, whereas the geographical clustering of industries can weaken the system leaving them vulnerable to attack," said Hugh Njemanze, CEO of Anomali.
He added that the breadth and complexity of the organisations which comprise the UK's emergency services present a number of points of potential weakness. To ensure that hackers don't make such weaknesses count, emergency services need to ensure that knowledge of cyber threats is shared between emergency services operators. This will also help them ensure the resilience of their networks.
Commenting on Anomali's UK Threat Landscape report, Paul Norris, senior systems engineer for EMEA at Tripwire, said that critical infrastructure organisations of all sizes need to take note of emerging cyber threats. "Whether part of a small hospital system or a large energy plant, the data these organizations have is valuable to criminals," he said.
"All CNI services should take the time to review not only their tools and processes for defense but also their incident response plans. The worst time to evaluate this is during an attack. Many successful breaches have been attributed to organizations failing to patch or mitigate known vulnerabilities so keeping on top of them is crucial.
"As other industries have ramped up security due to increased breach activity, attackers are migrating to less protected targets. Therefore, it is vital that all devices are on current operating systems, which are continuously being updated and ensuring that the latest security patches are installed. This might not be exciting, but it’s proven to reduce the number of successful attacks," he added.
Last year, data obtained by security research firm Corero through a Freedom of Information request revealed that as many as 39% of critical national infrastructure organisations in the UK, including fire and rescue services, police forces, ambulance trusts, NHS trusts, energy suppliers, and transport organisations had not completed the government-mandated '10 Steps to Cyber Security’ programme, thereby affecting their preparedness for cyber-attacks.
Considering the wide-ranging threat faced by critical infrastructure organisations, the government is working towards implementing the EU’s Security of Network Information Systems (NIS) in the UK to ensure the security of critical infrastructure firms.
According to the government, the new law would incentivise operators who take adequate measures to deter cyber attacks, assess security risks effectively and engage with competent authorities. Penalties against such operators for suffering cyber attacks despite taking such measures would be a last resort.