
CNI security: turning vulnerability into resilience


Millions wake up to no electricity after power grids are taken offline… Online banking systems crash and customers can’t access money… Drinking water ruled unsafe after water treatment facilities breached… 

Such headlines are classic examples of what might happen if the UK’s Critical National Infrastructure (CNI) fails. These are the services that all of us rely on and can often take for granted, such is their sheer ubiquity and importance to our daily life. 

In previous generations, CNI was primarily seen as physical property — dams and bridges, motorways and power plants. Now, though, the increasing digitalisation of such infrastructure means that these assets have become prime targets for cyber criminals worldwide — and the risks are very real. 

Just consider, as a real-life example, the disruption caused to millions of passengers at major UK airports and ferry ports last May. The Border Force electronic passport gates failed due to reported “IT issues”. This disruption grounded flights for several hours and the root cause was never published.

Nearly a year on, the vulnerability of UK border security couldn’t be under more public scrutiny and criticism, in terms of both electronic and manned support. Does this mean that the Government’s UK Border Strategy 2025 failed because of its security management requirements and solution? If so, what lessons can we learn to ensure improved resilience for other CNI projects and programmes going forward?

Also consider the seriousness of the major cyberattacks disclosed last year by three of the UK’s largest public data holding organisations: (1) the UK’s Electoral Commission, where 40m registered voter records were vulnerable and exploitable (August 2021-October 2022 — disclosed 8th August 2023); (2) Royal Mail, with a £33m ransom for a 44GB compressed 7-Zip file (10th January 2023); and (3) Capita’s “significant risk” data exfiltration of its 4.3m membership of over 450 pension schemes (22nd March 2023).

Evidence gathering 

One must ask why a public investigation to understand what, if any, common vulnerability issues exist across all three IT systems has not yet been commissioned.  

The extent of vulnerability may indeed be narrow. But failing to identify the root cause and other vulnerability enablers will stifle advancements to turn cyber vulnerability into resilience across CNI.

Investing in discovery, identification, reparation and rehabilitation of public IT systems, and indeed CNI, as a collective rather than in silos will be an important step forward.

The public’s confidence and trust in the Government’s ability to build and maintain resilient CNI is a basic essential for continued investment support and data retention for public services and economic growth. 

Data thefts which threaten or harm the public will undermine trust in digital infrastructure for the long term. 

Should the House of Commons commission a detailed report, like that of Carillion, to identify root causes of exploitation and understand spend transparency on security, together with recommendations that enable project teams to prevent similar vulnerabilities and attacks now and in the future? I think so.

Future warnings 

The Cyber Security in Critical National Infrastructure Organisations: 2023 report by Bridewell highlighted that over a third (34%) of organisations across UK CNI anticipate a rise in cybercrime as a direct result of the current economic crisis. 

Even more recently, the UK’s National Cyber Security Centre has warned that artificial intelligence is poised to increase the intensity and volume of these attacks in the near term. 

CNI organisations such as utility, healthcare and financial services companies also must safeguard huge amounts of their customers’ personal data — another tempting target for cyber criminals. 

At the same time, they are having to balance legacy IT systems while evolving more of their services to the cloud — a complicated process which can leave security gaps for cyber criminals to exploit. 

CNI organisations operating in oil and gas, space and defence also must deploy enhanced intellectual property security to protect sensitive data from both their competitors and nation-state actors as it is transmitted across their networks. 

Action stations 

All too often there is a systematic lack of cyber threat and landscape expertise during CNI procurement programmes, with budgetary constraints or lack of resources looming large across the process. However, the acute vulnerabilities of the UK’s CNI to cyber-attack mean that organisations — both public and private — are starting to become more aware of the threat they face.

If you would like to learn more about how Primes and SMEs can build better CNI & IP security resilience against online threats, feel free to join this one-hour webinar at 10am on Tuesday 23rd April, which will feature Sophie and Mark Chang from Capgemini. For more information, and to secure your free place, please visit our website.

 

 


1 comment


  1. Unknown User 21 May 2024, 12:09 PM

    A subject that should be a priority for all organisations. Beyond the organisations, it is also an end-user issue. All end users need to be aware of the issues and not allow viruses to be invited into company systems due to ignorance of the problem and how vulnerabilities from the user are not taken advantage of. Hence policies of no USBs or disinfect documents and do not respond to emails you do not recognise or click on links with fake headings. With the criminals using AI systems more, it is with sad regret I feel governments and companies are way behind the curve in deploying counter AI measures. Sophie, this is not a new problem, it's been an issue ever since the Windows operating system evolved, what's new is that AI is working for criminals and we need to step up our game and deploy AI to work for us. How do we do this? What are the impacts to the business if we ignore this issue and do not devote funds and resources? I would like to understand more on what is being done to counter the criminals, as I am no expert in this new field.