The Defence Secretary, Gavin Williamson, has warned Russia could cause “thousands and thousands and thousands” of deaths in an attack on Britain’s energy supply. He said Moscow had been looking at UK critical infrastructure such as power stations and links transferring electricity across borders.
Commenting on this news, Ian Ashworth, security consultant at Synopsys, said: “In today’s parlance, ‘cyber warfare’ is not an unheard-of term, and any nation will take this as seriously as a threat of physical attack or war. It is not something you can necessarily see or touch if it’s embedded within computers or networks, but the consequences can be just as extreme and widespread if successful.
Clearly, the efforts to inflict such carnage would have to be highly motivated, possibly from a government body, since the Critical National Infrastructure (CNI) of any country would be expected to be heavily fortified and with appropriate levels of backup and redundancy. Efforts to try and overcome this would thus need to be similarly complex and extensive, requiring high levels of skill, knowledge and patience. Understanding motivations and reward become part of any defender’s risk assessment and mitigation planning.
A distributed and defence-in-depth strategy to protect critical assets is applied with multiple layers (physical and otherwise) to avert deep penetration of any attack, averting disaster. These measures also make it difficult for any plotter to deduce potential weaknesses which could be used in exploit planning. Dedicated Security Operation Centres (SOCs) continuously monitor their premises, networks and servers looking for intrusions and anomalies to usual traffic and activity by running crafted and often self-learning algorithms. These would alert of anything deemed suspicious and perhaps an indicator of any unfolding plot.
Systems are becoming more distributed and complex, heavily dependent on software to both deliver the service in question and also act as our “eyes and ears” measuring and maintaining its health.
Our task to keep availability levels at “five nines” or even higher is demanding, expensive and reliant on many teams or organisations delivering high integrity of their own key contributory services. Only a certain amount of resilience and redundancy can be built in to such, however, and it becomes a balance of cost vs effectiveness.
Security is thus everyone’s responsibility and it starts with education – you can’t defend against something unless you know what “an attack” might look like.
Careful security-conscious architectures and system design lead the way with further refinement of processes, scanning and tooling for building and running secure software-controlled applications or services. Maintaining this edge and continually learning and re-assessing these practices is essential and hence automation and innovation to date have been key to maintaining our stance to foil such malicious cyber attacks. Our investment in these areas must accelerate as our ecosystem grows in size and complexity.”