Confidence In Cybersecurity Regulation For Critical Infrastructure


Significant outages in critical infrastructure services caused by cyberattacks are thankfully very rare. That’s why incidents such as Colonial Pipeline achieve significant press and media attention and top-level political engagement: they have rarity value.

As these outages are rare, it seems a reasonable proposition to say that critical infrastructure and services are strongly protected against cyber threats that can cause significant service outages. As such, the vulnerabilities that were exposed in the Colonial Pipeline case are not typical of other critical infrastructure elements.

The validity of the above proposition might be easily undermined when we reflect on what is actually meant by the phrase 'critical infrastructure', or if we reflect on the potential resilience levels that critical infrastructure might need to display in a radically changed environment. For example, if we step outside of the tight (and arguably artificial) boundaries of current categorisations of critical infrastructure, then we might realise that other truly critical services are more exposed to outages and changing threat levels than we currently acknowledge. Or if we imagined a full-on 'cyberwar', what would our risk look like?

What is critical infrastructure?

So what is 'critical infrastructure'? One of the reasons why this question arises is provided by the example of the incident affecting the Royal Mail. Are postal services part of critical infrastructure? What is the scheme of regulation that applies for cybersecurity in this sector?

In the UK, there are 13 critical infrastructure sub-sectors, but postal services do not fall within them, or within the scope of the Cybersecurity Regulations ('NIS'). It's also a moot point whether cybersecurity in postal services falls within the scope of sectoral regulation overseen by Ofcom, in the sense that the achievement of the universal service requirement for postal services requires cybersecurity as a condition.

The position is clearer in the EU: postal services can fall within the scope of cybersecurity law, albeit they do not fall within the new list of critical infrastructure sub-sectors.

Defence against cyber weapons

When we look at the issue of critical infrastructure resilience in a different way - i.e., rather than taking the absence of widespread significant outages in areas that have been formally designated as critical infrastructure as the primary benchmark of resilience - we might observe that despite the immensity of the cyber threats that we are facing, most of the Western World is not currently formally at war with its adversaries. So perhaps we are not feeling the full force of the cyber weapons that Ukraine is dealing with and, hence, our cyber defences are not being tested to the limits. Another argument is that the threat actors need to get lucky only once, whereas critical infrastructure defences need to be successful all the time, at least insofar as protecting against serious outages is concerned. The NotPetya wiper program attack in 2018 is a case study for the destructive capacity of cyber weapons.

We also need to keep in mind Black Swan events. Prior to the financial crisis and the pandemic, we had misplaced confidence in our resilience levels in these areas, then events took over and we realised to our cost that we weren’t in a good position. Cybersecurity probably needs to be looked at in the same way.

Of course, the security community for critical infrastructure consists of highly competent and highly motivated professionals who are clear-eyed on the responsibilities they carry. There is a vibrant, pro-active ethos of intelligence sharing and cooperation in this community and in countries like the UK they are supported by very strong public authorities (CERTs and CSIRTs). And returning to the opening comments in this article, the security community can rightly point to a strong track record of success in the sectors that fall within the scope of the formal definition of critical infrastructure.

Checks and balances

There is wide recognition of the need for checks and balances. These derive from activities such as penetration testing, internal audits, certifications and peer review, on top of which sits independent regulation.

Yet a quick tour of the regulatory system that oversees critical infrastructure in the UK reveals what seems to be a paucity of engagement. Thus, the challenges might be even bigger than determining what should or should not fall within the scope of cybersecurity regulation. A review of the websites of the regulators who are charged with supervision of the UK Cybersecurity Regulations ('NIS') will show you some content, but hardly anything about actual regulatory engagement and next to nothing about enforcement of the law. Does this mean that there is a risk that the checks and balances are inadequate even for the few areas of the UK economy that have been brought into the scope of cybersecurity regulation?

Part of the answer might be that there is active engagement behind the scenes and there’s no need for enforcement because the controls for cybersecurity are strong. These could both be legitimate arguments, but to assuage any reasonable doubts, they would need to be accompanied by active regulatory transparency, otherwise we just don’t know.

Confidence in regulation

Being uncertain about the scope and effectiveness of cybersecurity regulation is not ideal. Indeed, uncertainty about regulation was probably a symptom of the environment that failed to predict and cater for the Black Swan events mentioned earlier: if no-one truly knows what's happening in regulation, there's a risk that no-one has ultimate responsibility or accountability.

Royal Mail is a wake-up call. Whether or not cybersecurity in postal services falls within the arc of critical infrastructure legislation for security, or within related legislation for the universal service of post, this is exactly the kind of situation where we need regulatory clarity and accountability, as the EU has recognised with the coming into force of the Second Cybersecurity Directive, NIS2. Therefore, it would be unhelpful to make the autopsy into Royal Mail simply about the organisation itself, or its leaders. It should consider the overall regulatory scheme for cybersecurity, including what should fall into scope and how to judge its overall effectiveness. If there are deficits in cybersecurity regulation, whether due to a gap in the regulatory scheme or a gap in the quality of regulation, that needs to be understood so that it can be addressed.

If we're unsure of the state of regulation for critical services - regardless of how they are officially classified - our confidence levels for those services will be bounded, despite the excellent work done by the security professionals in those areas.
