Skip to content
February 28, 2022
3 min read time

Critical Infrastructure Attacks: Considerations for Small-to-Medium Enterprises

Executive Summary

In the UK, Critical National Infrastructure (CNI) is defined by the National Cyber Security Centre as ‘Those critical elements of Infrastructure (facilities, systems, sites, property, information, people, networks and processes), the loss or compromise of which would result in major detrimental impact on the availability, delivery or integrity of essential services, leading to severe economic or social consequences or to loss of life.’ This encompasses thirteen sectors: chemicals, civil nuclear, communications, defence, emergency services, energy, finance, food, government, health, space, transport, and water.

What are the dangers?

Earlier this month, the National Cyber Security Centre released the first ever joint advisory notice with international partners – the Australian Cyber Security Centre (ACSC), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) – to warn against a ‘growing wave of increasingly sophisticated ransomware attacks.’

For small-to-medium enterprises, such attacks may not be considered within cyber security planning and operations. However, in the context of the current threat landscape, attempts aimed at organisations that are adjacent or otherwise related to the sectors outlined above could pose a credible risk.

Adversaries have differing motivations - for example, ransomware attacks routinely leverage financial gain against the publication of sensitive or proprietary data. If the attacks are related to CNI, achieving the maximum disruption to the smooth running of society could be done by compromising multiple third-party vendors to CNI industries. In turn, enforced downtime in the event of a breach could lead to shortages of essential products, lack of availability of services, increased workload for public services, as well as reputational damage should the exfiltrated data be published. As the aforementioned joint advisory notice exhorts, ‘…there is more work to be done to build collective resilience.’

Should you be worried?

Taking the SolarWinds breach of 2020 as an example, the malicious actors established command and control within systems up to a year before the attack was actioned. Malicious code facilitating the delivery of a Trojan was added to a legitimate patch for SolarWind’s network management software, Orion, which was subsequently downloaded by customers. As of the time of writing, there have been 31 confirmed data breaches related to this event, with up to 100 private sector companies compromised - investigation into the full scope of the attack is still ongoing.

Although the adversaries targeted the high-value assets first, any of the estimated 18,000 customers who installed the infected patch could potentially be compromised – unless systems have been fully investigated and, if signs of malicious activity were identified, rebuilt. Remediating the threat can, in itself, cause a lot of disruption.

Multiple concurrent attacks on what would be considered tertiary services and businesses could impact a significant portion of the population. Outsourced services are often provided by small but vital organisations, such as independent pharmacies, school bus services and home care services. Smaller retail outlets would not only lose revenue, but their problems would have knock-on effects on other services in turn.

What can be done to protect your business?

Ascertaining the current status of an organisation’s security posture is the first step in securing against a possible breach becoming a point of escalation, or otherwise affecting an organisation. Consider which, if any, aspects of a system could be leveraged to gain access, beginning with the fundamentals: network and security architecture, the attack surface landscape, and any possible entry points. Hosting systems within a cloud service rather than an on-premises data centre would allow for changes to be made proactively if they’re necessary (for instance, to quarantine aspects of a system that may be infected, while investigation into an attempted breach is ongoing.) Firewall configuration, and identifying which alerts are set to trigger an alarm, should be evaluated. Ideally, discrete aspects of the network should be adequately segmented to prevent the lateral spread of any malware should it be introduced, and an up-to-date antivirus product should be in place.

Every client and supplier could potentially be an access or escalation point depending on whether access to systems is required, how that access occurs, and the level of privilege they’ve been assigned. A minimal trust policy should apply throughout, with access granted on a need-only basis, and revoked immediately when it’s no longer required. Anywhere that data is held or actions take place around accounts, such as customer relationship databases and booking software, should have secure login portals requiring multi-factor authentication (MFA).

If the organisation has a website, then you should assess any code, templates and plugins and check for vulnerabilities. Where card payments are taken, these should be done via a PCI compliant merchant service. Human factors shouldn’t be overlooked; a simple Disclosure and Barring Service (DBS) check on staff may flag up any questionable backgrounds or motivations that might have otherwise been missed. Finally, should a breach happen, a contingency plan can be enacted to ensure your organisation remains functional - even if on a reduced basis - alongside a clear chain of escalation to repair and rebuild your systems in order to minimise downtime.M

For many small-to-medium enterprises, undertaking a rigorous assessment might prove difficult due to a lack of IT personnel, expertise, and budget. Bringing in an independent third party such as Cyber Security Associates will give you an unbiased view of the security defences and procedures. We offer customers a range of services, ranging from full consultancy through to penetration testing, and passive website analysis to staff awareness training. Get in touch now to find out how we can help you and your business, and get expert advice from our team of cyber security professionals.