
James Neilson at OPSWAT explores the urgent need for a defence-in-depth strategy to secure CNI
The cyber-resilience of the UK’s essential services, from utilities to telecommunications, health and transport, has been under greater scrutiny in recent months. Earlier this year, the Government announced its intention to introduce the Cyber Security and Resilience Bill (CSRB) to better protect the UK’s critical national infrastructure (CNI).
The proposed CSRB will further strengthen the powers of industry-specific regulators, e.g. the energy sector’s Ofgem. In September, it was also announced that data centres would be designated within the CNI sector to ensure better ‘co-ordination and co-operation’ against cyber-attacks. These changes will better align the UK with the EU NIS2 regulations that recently came into force.
It follows a period in which attacks on organisations and key institutions have brought widespread disruption to critical services and threatened the public’s safety and well-being.
We cannot afford major outages to these services because of simple security lapses. A defence-in-depth approach - a strategy recommended by the NCSC which establishes layers of interconnected security - is essential for improving resilience against these attacks.
However, research has found that many organisations have yet to get to grips with this approach. So, what is standing in the way and how can security leaders build the layered defences needed for today’s threats?
The cyber-risks to CNI providers extend across multiple different vectors as threat actors are no longer just targeting the network perimeter; they are leveraging a wide range of tactics to breach critical systems. The NCSC has issued multiple urgent advisories this year on state-sponsored actors from nations including Russia and China using botnets and zero-days to target the UK’s critical infrastructure.
Despite the recommendations from the NCSC to adopt a multi-faceted approach to secure against such threats, our research found that many security leaders have low confidence in their ability to deal with DDoS attacks and more advanced threats like APTs, botnets, and zero-day malware.
These sophisticated attack methods highlight the need for organisations to go beyond basic security measures. Guarding against advanced threats requires the integration of multiple layers of security in a defence-in-depth approach to ensure that vulnerabilities are covered at every stage.
For example, while network appliance tools provide protection against network-based attacks, they typically do not inspect the content of uploaded files. Integrating a file scanning solution as part of network defences, however, will account for this blind spot and close off the attack path.
However, implementing a defence-in-depth strategy is easier said than done. Just 17% of organisations in our research reported that they have fully implemented a strategy, with most only “slightly” or “somewhat” getting their measures in place.
While the need for a defence-in-depth strategy is widely acknowledged by security decision-makers, many organisations face significant obstacles to full implementation.
One of the biggest initial challenges is that establishing an effective defence-in-depth strategy needs a sustained, coordinated, cross-departmental effort to connect all the dots. Security teams need organisational visibility and an understanding of their infrastructure, services, suppliers and business priorities, so that they have a rich foundation of organisational knowledge to operate from. We find organisations often struggle to maintain this focus and prioritise it amidst all their other security and operational demands.
Budget pressures are a particularly pressing concern, with many cyber-security leaders reporting flat or shrinking budgets despite the growing threat landscape. This lack of funding often forces security teams to prioritise immediate risks over long-term resilient strategies, making it difficult to build the layered defences required for comprehensive protection.
Additionally, the shortage of skilled cyber-security personnel continues to hamper efforts to implement a more connected, layered strategy. In many cases, security teams are stretched thin, managing a diverse range of systems with insufficient resources.
Lack of attention from senior leadership can also be a barrier to cyber-preparedness. Without adequate training or support from leadership, even the most well-intentioned security initiatives can fall short, resulting in a patchwork of defences rather than the robust multi-layered strategy.
The interplay between these issues has led to greater challenges as network environments become more complex. For example, web application security has become more difficult due to the use of interconnected tools spanning in-house solutions. The growing prevalence of cloud storage and potentially vulnerable open-source tools has added to the challenge. As a result of this complexity, organisations often feel paralysed and unsure of where to start.
A robust defence-in-depth strategy involves multiple security layers of technical controls and integrated processes across an organisation’s infrastructure, reducing the chance of attackers exploiting a single point of failure and building organisational resilience so that it can maintain operations.
The first layer focuses on network security, using firewalls, gateways and data diodes to control traffic flows and prevent unauthorised access and data movement. Even if one area is compromised, segmentation ensures threats are contained.
Data security is equally essential, as files can carry hidden malware. Integrated with network appliances, file scanning technology sanitises or blocks malicious content before it reaches sensitive systems.
Similarly, endpoint protection safeguards devices like laptops and desktops, which are often targeted and can be compromised via removable media. Integrated suites of multiple malware detection engines, behavioural sandboxes and threat intelligence feeds help identify and prevent infections and mitigate the risk of known and zero-day attacks.
Email security is another key layer, as phishing is a common entry point for ransomware payloads. Solutions that block phishing and scan attachments and URLs for malicious content reduce this risk significantly.
Finally, zero-day defence uses advanced tools like machine learning and behavioural analysis to detect new vulnerabilities that traditional methods may miss. Together, these layers provide a comprehensive defence that protects at every stage of a potential attack.
For many CNI organisations, implementing a comprehensive defence-in-depth strategy may seem overwhelming, but a structured, step-by-step approach can make it manageable. While the attackers may be different and IT environments vary, the same core strategy applies to all organisations.
The first step is to align with established security standards, frameworks and best practices, such as NIST, CIS, ISO 27001 and MITRE ATT&CK. These guidelines offer clear actions to improve security posture, and the USA’s CISA recommendations for critical infrastructure can also provide a roadmap for strengthening defences.
Organisations should address the core security building blocks such as patch management and multi-factor authentication (MFA). MFA is a fundamental measure that is still frequently missed, particularly in Operational Technology (OT) networks, yet it can significantly reduce risk by ensuring attackers cannot access critical systems even if credentials are compromised.
Next, conducting a gap analysis is essential to identify vulnerabilities. By comparing their current setup to industry standards, organisations can find and prioritise areas that need improvement, from network security to endpoint protection.
Finally, before investing in new technologies, organisations should leverage all the capabilities of their existing security stack. Security solutions may have unused features that can further enhance security and reduce risk, for example sandboxing, or file content disarm and reconstruction to sanitise files into a known safe condition. Optimising these tools ensures organisations maximise resources while simplifying management and reducing tool sprawl.
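To make the file-scanning layer described earlier and the content disarm step above concrete, here is an added example of a simplified file-inspection stage. It is illustrative code written for this article, not OPSWAT's product code or any real CDR engine: it verifies that a file's declared extension matches its magic bytes, blocks Office containers that carry a VBA macro project, and for PDFs either blocks or neutralises active-content keys (scripts and automatic actions) before the file is forwarded. The file types, key list, policy decisions and sample inputs are all assumptions chosen for the demonstration.

```python
"""Simplified file-inspection layer: type verification, active-content detection,
and a sanitise-or-block decision. Added example, not a vendor implementation."""
import re
from dataclasses import dataclass, field

# Magic-byte signatures for the handful of types this illustrative inspector knows.
MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "zip": b"PK\x03\x04",  # also the container format for docx/xlsx/pptx
}
# Declared extension -> the container type we expect to find behind it.
EXTENSION_TYPES = {"pdf": "pdf", "png": "png", "zip": "zip",
                   "docx": "zip", "xlsx": "zip", "pptx": "zip"}

# PDF dictionary keys that attach scripts or automatic actions to a document.
ACTIVE_PDF_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")
# A VBA macro project inside an Office container is stored under this entry name.
MACRO_MARKER = b"vbaProject.bin"


@dataclass
class Verdict:
    action: str                      # "allow", "sanitise" or "block"
    reasons: list = field(default_factory=list)
    output: bytes = b""              # content to forward (rewritten when sanitised)


def detect_type(data: bytes):
    """Identify the content type from leading magic bytes, ignoring the filename."""
    for name, signature in MAGIC.items():
        if data.startswith(signature):
            return name
    return None


def neutralise_pdf_keys(data: bytes):
    """Disarm active-content keys by swapping their case. The replacement has the
    same length, so existing cross-reference offsets stay valid, and PDF readers
    ignore keys they do not recognise. This is a deliberately simplified CDR step:
    a real engine rebuilds the document and resolves #xx escapes in name objects."""
    found = []
    for key in ACTIVE_PDF_KEYS:
        # Negative lookahead stops "/JS" from matching inside a longer name.
        pattern = re.compile(re.escape(key) + rb"(?![A-Za-z0-9])")
        if pattern.search(data):
            found.append(key.decode())
            data = pattern.sub(lambda m: m.group(0).swapcase(), data)
    return data, found


def inspect_file(filename: str, data: bytes, allow_sanitise: bool = True) -> Verdict:
    """Decide whether a file may pass the scanning layer, and in what form."""
    extension = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = EXTENSION_TYPES.get(extension)
    actual = detect_type(data)
    if actual is None or declared is None:
        return Verdict("block", ["unrecognised or unsupported file type"])
    if declared != actual:
        return Verdict("block", [f"extension .{extension} does not match content type {actual}"])
    if actual == "zip" and MACRO_MARKER in data:
        return Verdict("block", ["Office container carries a VBA macro project"])
    if actual == "pdf":
        cleaned, found = neutralise_pdf_keys(data)
        if found:
            reasons = [f"active content key {k}" for k in found]
            if not allow_sanitise:
                return Verdict("block", reasons)
            return Verdict("sanitise", reasons, cleaned)
    return Verdict("allow", [], data)


# Constructed sample inputs for the demonstration (not real captured files).
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /S /JavaScript /JS (noop) >>\nendobj\n%%EOF\n")
SAMPLE_DOCX = b"PK\x03\x04" + b"\x00" * 26 + b"word/vbaProject.bin" + b"\x00" * 8
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
DISGUISED = b"PK\x03\x04" + b"\x00" * 26   # zip content carrying a .pdf name

if __name__ == "__main__":
    for name, blob in [("report.pdf", SAMPLE_PDF), ("budget.docx", SAMPLE_DOCX),
                       ("logo.png", SAMPLE_PNG), ("invoice.pdf", DISGUISED)]:
        verdict = inspect_file(name, blob)
        print(f"{name}: {verdict.action} {'; '.join(verdict.reasons)}")
```

The `allow_sanitise` flag models the policy choice the article describes: a network appliance that only inspects headers would wave all four samples through, whereas this stage blocks the mismatched and macro-bearing files outright and forwards the PDF only after its script and open-action keys have been rendered inert. Sanitising by name-swapping is enough to show the decision flow, but it is not a substitute for a proper CDR engine, which must handle compressed object streams and escaped names that a byte-level check cannot see.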
By following these steps, CNI organisations can lay the groundwork for a more resilient cyber-security posture which protects their network and sensitive data. With authorities warning of the growing threat to our critical infrastructure, it’s vital for organisations in this sector to prioritise a comprehensive, multi-layered approach to defend against more sophisticated, persistent and powerful adversaries.
James Neilson is SVP International at OPSWAT
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543