Why are only moneymen doing cyber resilience testing?
...and the National Grid?
Analysis Although Chancellor George Osborne recently spoke of the National Grid, hospitals and air traffic control as being potential targets of online attacks in a recent high-profile speech at GCHQ, only the financial services sector runs comprehensive stress tests.
The lack of exercises designed to hone defences raised serious questions about the robustness of key components of the UK’s critical national infrastructure.
The banking industry is getting tested but there isn't anything like Waking Shark II and Resilient Shield for other elements in the critical infrastructure (power, telecoms etc.) And the need for preparedness against attack in other sectors is certainly there.
“For our country, defending our citizens from hostile powers, criminals or terrorists, the internet represents a critical axis of potential vulnerability,” Osborne said during his speech at GCHQ. “From our banks to our cars, our military to our schools, whatever is online is also a target.”
“We see from this place every day the malign scope of our adversaries’ goals, their warped sophistication and their frenetic activity. The stakes could hardly be higher – if our electricity supply, or our air traffic control, or our hospitals were successfully attacked online, the impact could be measured not just in terms of economic damage but of lives lost,” he added.
Osborne said during his speech that “GCHQ is monitoring cyber threats from high end adversaries against 450 companies across the aerospace, defence, energy, water, finance, transport and telecoms sectors”. The Chancellor warned that “every British company is a target, that every British network will be attacked”.
In the line of fire
Evidence that targeted attacks have spread and have affected victims far outside the financial sector is all too apparent, even though incidents of hackers taking out power grids (squirrels are a much bigger threat to power distribution systems, at least) or threatening lives are conspicuous by their absence.
Ed Wallace, director of incident response and advanced threats at security consultancy MWR Infosecurity, told El Reg: “After Stuxnet, Shamoon is probably the most widely known destructive computer attack and is frequently attributed to Iran. It targeted several organisations’ networks, most publicly Saudi Aramco (one of the world's largest companies), wiping out their corporate network of nearly 30,000 machines, along with a similar attack against RasGas, as well as several others.”
Media and telecoms have also been hard hit by nation-state orchestrated attacks.
"The ’Dark Seoul’ attacks that wiped computers at three banks and three media organisations in South Korea [were an example]. Since then many parts of CNI [Critical National Infrastructure] in different countries have been attacked from telecommunications to nuclear power plants.
"By far and away the majority of these attacks have continued to focus on information theft but the recent attack a few months ago against French TV5 news channel (now attributed to Russia and the 'APT-28' group, often thought to be running under the Russian Military service, the 'GRU') shows that it's not just the financial sector that is increasingly at risk.”
Wallace added: "At MWR we track various countries’ cyber programmes and most are looking to adopt variants of China's 'Unrestricted Warfare' doctrine, which singles out five key sectors: Finance, Media, Energy, Telecommunications and Transport. The focus for most remains on Finance (as it is in China's UW doctrine) but the other sectors are also under attack and are at risk."
Jim Gumbley, who worked on security within the Cabinet Office before moving on to the private sector with global IT consultancy ThoughtWorks, said that financial sector firms are ahead of the resilience game.
“Our finance clients almost always have a structured and resourced approach to protecting against attack, however things are patchier in other sectors,” Gumbley told El Reg. Most of the finance sector works within regulation or policy that explicitly makes handling information security risk an executive responsibility. When the leaders of an organisation take information security risk seriously, it does seem to have an impact on outcomes.”
The high-profile hacks over the last year underline the need for companies to build more secure software from the outset, rather than adding it on at the end, according to Gumbley.
Dr Evangelos Ouzounis, head of secure infrastructures and services unit ENISA, the EU cyber-security agency, told El Reg that the banking sector does resilience testing because the regulator in that area has more authority.
Simply the CBEST
Cyber resilience tests are currently mandatory for the financial sector, and this is enforced by the bank of England.
MWR Infosecurity’s Wallace added that CBEST, a vulnerability testing framework designed to properly test key financial organisations cyber security, has no equivalent outside the banking sector.
He said: ”CBEST is a trail-blazing scheme in the UK and one which many other countries across the globe are following with great interest as they also look to implement similar improved security testing regimes. However, beyond the financial sector, there are little similar testing methodologies as advanced as CBEST for other parts of the critical national infrastructure.”
Other infosec experts warn that replicating this capability outside finance may take time and a lot of heavy lifting.
Greg Tebbutt, head of engineering at Sparrho, a London-based startup developing a scientific literature recommendation service, commented: "Resilience testing is costly, difficult to address, and without immediate payoff. This is why companies don't like spending on it in general. Add in the fact that many managers aren't directly involved in or familiar with the technical side of things, and the financial and, more importantly, time commitment becomes too much."
Rob Partridge, head of The BT Security Acadamy, at the Cyber Security Challenge UK's masterclass, said that the telco was active in running resilience tests internally despite the lack of telecoms industry framework, or at least the absence of one as mature as that already established by the banking industry.
"We are fully prepared for any threat that comes our way and we respond accordingly, and we practice and practice, and test, and we do that both as tabletop exercises,” Partridge told El Reg. “But clearly we wouldn't want to discuss that openly because that would then mitigate our responses."
Telcos already co-operate on security, Partridge explained.
"We certainly work together and cooperate. Government but cooperation strategies in place, things like the Cyber Information Sharing Partnership which is a publicly subscribable organisation run by CERT UK for us to share intelligence about threats and things like that."
A comment from NATS (the "UK's leading provider of air traffic control services", according to its website) received Monday afternoon read:
"NATS is part of the UK critical national infrastructure and while we don’t discuss the details of our security controls, we are working closely with the UK government and other aviation industry partners to ensure that security levels are monitored, managed and appropriate."
"NATS is ISO27001-certified and we constantly review our procedures and technologies to understand, and guard against, the latest threats," it added.
State of readiness
Marcus de Wilde of mobile application security testing biz Codified Security, highlighted one US precedent that illustrated how regulators might play a role in insisting in improvements to corporate security. The FTC had insisted on improvements at hotel chain Wyndham Worldwide Corporation and this policy was upheld by the courts when the hotel chain appealed. “Wyndham Worldwide Corporation is interesting due to Starwood hotel and others facing breaches recently,” he said.
The US National Cybersecurity Center of Excellence (NCCoE) recently released a draft document called "Identity and Access Management for Electric Utilities," which was based on the NIST Cybersecurity Practice Guide. The proposals underscored the need for energy sector companies to do better and also displayed the state they are in through inference. Industry comment on the proposals from Lieberman Software Corporation can be found here.
During a recent high profile speech, GCHQ director Robert Hannigan said private industry wasn't doing enough to improve cyber-security.
Jonathan Sander, VP of product strategy at privileged identity management firm Lieberman Software Corporation, responded that the spy centre boss may have a point and that private sector firms need to learn how to share information, something that cuts against the grain.
“Doing cybersecurity well means doing at least two things that commercial organisations are very uncomfortable with – admitting errors in public and sharing information they create through their own investment to benefit all,” Sander said.
“These are things that fly in the face of what most think of as postmodern business practice in many cases. There are organisations who see past the petty competitive impulses and do wish to share and collaborate. However, since true cybersecurity will take a large dose of herd immunity, these information-sharing outliers are not enough to immunise the pack against today’s relentless attackers,” he added.
Sander added that pushing tougher regulations is not necessarily the way to improve security.
“While putting more laws and regulations into place will likely be ineffective, the government could create safe spaces for commercial organisations to share and collaborate that reduce their perception of the risks of that sharing,” Sanders said. “They could act as a clearing house for signal intelligence and threat data.”
We asked GCHQ’s press team for a comment on resilience testing outside the financial sector but it referred our inquiry to the CPNI, the lead UK agency for infrastructure protection.
“CPNI (the Centre for the Protection of National Infrastructure) works on programmes to protect major industries (example here) so for a response to your enquiry you would be best to contact them. CESG's role is to work in conjunction with CPNI,” GCHQ told El Reg.
Press inquiries about the CPNI are run by the Home Office. Nobody knowledgeable on the topic was available for comment on Friday afternoon. We’ll update this story as and when we hear more. ®
Additional reporting by Alexander Martin