The Government has identified ‘cyber’ as one of six Tier 1 threats to UK national security. This POST note focuses on the cyber security of the UK’s critical national infrastructure, describing measures to improve cyber security and challenges in implementing them. It also reviews the new National Cyber Security Strategy, along with international policy and legislation.
The number of attempted cyber-attacks on critical national infrastructure is growing. Ukraine has already suffered the first confirmed instance of a disruptive cyber-attack on an electricity network, which caused a power outage that affected 225,000 customers.
The Government says that foreign states or state-sponsored groups regularly attempt to penetrate UK networks, targeting in particular the defence, finance, energy, telecommunications and government sectors.
The majority of critical national infrastructure is privately owned. The Government mostly provides non-mandatory cyber security support to private operators, although many sector-specific regulators cover aspects of cyber security, with varying powers and responsibilities. The Government aims to better understand the state of cyber security across UK critical infrastructure, and is currently reviewing regulation to ensure it has the measures in place to intervene where necessary.
* Critical national infrastructure (CNI) refers to infrastructure whose disruption would have significant national impact. CNI is making increasing use of computer systems connected into large networks, and often to the internet. This is raising the potential for cyber-attacks to achieve physical disruption.
* A variety of technical and organisational measures can improve cyber security, but it is impossible to guarantee invulnerability from cyber-attack. For this reason, measures to ensure service continuity during an attack and full recovery after an attack are also important.
* The Government published its second five-year national cyber security strategy in 2016. Noting that the previous strategy’s dependence on market forces to drive cyber security improvement did not achieve sufficient progress, the new strategy promises greater Government intervention.
* There is a global cyber skills shortage, with a particular shortfall identified in the UK. Specific challenges for CNI cyber security include the need for people with experience of infrastructure technologies as well as computer systems, and nationality requirements for certain roles.
* Potential aims motivating cyber-attacks include conducting espionage and disrupting the essential services provided by CNI. Over 30 nations are thought to be developing offensive cyber capabilities, including the UK.