Security of the Critical National Infrastructure has been a hot topic in the UK for several years, driven by several factors such as the Stuxnet[1] virus in 2010, the gradual and alarming sale of organisations and whole sectors to foreign investors, the development of the Internet of Things and the ubiquitous nature of cheap IP technology. However, becoming a ‘hot topic’ is rarely enough if observations, debates and concerns are not swiftly followed by decision, action and investment.
Let us briefly examine Stuxnet and the effect it caused outside of its intended target. Stuxnet was not the first time that a computer virus had achieved a kinetic effect, but it was the first which captured public imagination and proved two things: that the ‘air gap’ no longer existed once a human carrying a data device could cross that space; and that a sophisticated virus could pivot across many operating systems and interact at multiple levels (obfuscating the evidence around it), so was no longer the sole concern of Windows users.
If Stuxnet was then a wake-up call, what tangible effect did it have on security stances in terms of critical national infrastructure? Initially, we started to see the terms SCADA (Supervisory Control and Data Acquisition) and ICS (Industrial Control Systems) come into general usage, in some cases interchangeably, although there are some fundamental differences (SCADA monitors and ICS controls) and indeed a bedrock of modern SCADA/ICS security is to separate data traffic from these two functions. Once the Internet of Things took hold as a concept, the cross-pollination between these areas became evident, although there are significant deltas. For example, the majority of SCADA/ICS in the power sector is legacy while most IoT devices will be brand new. Both of course have issues, with legacy SCADA/ICS being designed for performance and availability and IoT devices being designed for low cost and mass production. In neither case has security been a high priority, if it has even been considered at all.
In the UK, cyber security at the .gov level is coordinated by the National Cyber Security Centre, which was stood up in 2016 to bring together several cyber security related agencies, notably CESG (the Communications-Electronics Security Group, formerly a component of GCHQ) and the CPNI (Centre for the Protection of National Infrastructure),[2] the latter with the primary responsibility for CNI and with an industry-facing role.
The CPNI classes CNI in the following 13 areas: Chemicals, Civil Nuclear, Communications, Defence, Emergency Services, Energy, Finance, Food, Government, Health, Space, Transport and Water. It is interesting to note that the US recognises the importance of the retail industry to national resilience while this is largely unrecognised in the UK. The fragility of the domestic supply chain, and the increasing cost-driven reliance on the just-in-time model, means that our dependence on the 24/7 convenience store is extremely dangerous, and we are continually, as Alfred Lewis put it in 1906, ‘Nine Meals from Anarchy.’[3] Examine the way in which that fragile supply chain is completely dependent upon other CNI elements such as IT, communications, energy and finance, and it adds up to a source of real and pressing concern.
In 2016 the UK also dusted off its National Cyber Security Strategy,[4] updated from the 2011 original version which itself was given life in 2010 via the National Security Strategy when cyber attacks were classed, for the first time, as a Tier One threat (alongside terrorism, nation state war and natural disaster). Key to this direction, initiated in 2011, was the creation of a cyber reserve.
The cyber reserve has its roots in the reserve components of the British Armed Forces, with the Army component being by far the largest. The new cyber reserve was, unsurprisingly, tri-service and drew its recruits from and into each of the distinct Armed Forces, with an aspiration to create a separate category for non-military reservists (essentially, reserve civil servants) which, to the best of the author’s knowledge, has not actually been realised. The purpose of the uniform is to allow the individual to take military action (i.e. an action which could, within the rules of engagement, take life). In addition, because the majority of the cyber reserve are not intended to deploy outside of the UK or one of the Permanent Joint Operating Bases (Cyprus, Gibraltar, the Falkland Islands, Diego Garcia), they are waived the normal fitness and medical requirements and, pointedly, they are allowed waivers for beards, visible tattoos, piercings and other ‘unmilitary’ physical attributes, in order to attract skills and talent which the military would otherwise filter out. Deployable, old school military work is left largely to an Army Reserve unit called LIAG (the Land Information Assurance Group), which has been in operation since 1999 and has served in support of every deployed UK operation ever since (and continues to do so).
So, could this cyber reserve ever step up in support of defensive operations during an attack on UK CNI? The answer is complicated. Yes, the skills very much exist in this area to create a home team which could support industry security specialists, but in some cases those people will be the same people, so some double-accounting is taking place when the figures of supporting cyber reserves are presented—many of those people will be too busy (and importantly so) doing their day job within the CNI when the balloon goes up. Additionally, the UK Armed Forces reserve is not the US National Guard—there is no quick route to mobilisation, and they remain fully ‘federal’ forces even when deployed in MACA (Military Assistance to Civil Authorities) roles, a fundamental difference from the National Guard Title 32/Title 10 (State service/federal service) split.[5] Delays in mobilising cyber reserves could literally be closing the door after the horse has bolted—cyber-attacks can be done and dusted in very short periods of time.
In the UK, under current conditions, applying cyber reserves to a CNI situation, at least in an incident response capacity, is probably unrealistic.[6] A better scenario is to employ them in a tiered, phased-readiness fashion, with those in flexible employment, or who put themselves forward at a high state of readiness, at the top of the list, and those less flexible further down, rather like a First Line, Second Line, Third Line support system. In this way, active and dedicated resources can be deployed quickly while the expertise in the reserve community is efficiently warned off and prepped for supporting roles.
In conclusion, cyber resilience in the UK CNI is being taken very seriously and is the recipient of significant funding and resources, but it has yet to be fully ‘tested in battle.’ The community I represent waits with trepidation for the call.
References
[1] Nicholas Falliere, Liam O. Murchu, and Eric Chien, W32.Stuxnet Dossier, Symantec, Ver. 1.4 (Feb. 2011), https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
[2] Critical National Infrastructure, Centre for the Protection of National Infrastructure, https://www.cpni.gov.uk/critical-national-infrastructure-0
[3] Jeff Thomas, “Nine Meals from Anarchy,” International Man, N.D., http://www.internationalman.com/articles/nine-meals-from-anarchy
[4] National Cyber Security Strategy 2016 (London: Cabinet Office, National Security and Intelligence, 2016), https://www.gov.uk/government/publications/national-cyber-security-strategy-2016-to-2021
[5] 10 U.S. Code § 10101 et seq.; 32 U.S. Code § 101 et seq.
[6] Noel Hannan, “Using Reserves in Support of Cyber-Resilience for Critical National Infrastructure: US and UK Approaches,” RUSI 160, no. 5 (Nov. 2015), https://rusi.org/publication/rusi-journal/using-reserves-support-cyber-resilience-critical-national-infrastructure-us