Critical infrastructure needs more 21qs6Q#S$, less P@ssw0rd, UK.gov security committee told
Plus: No one will say whether Huawei, ZTE are the baddies
Banks could plug their security vulnerabilities by simply improving password protections, the deputy CEO of the Prudential Regulation Authority has told the House of Lords in England.
Asked by the Joint Committee for the National Security Strategy what kept him awake at night, Lyndon Nelson named shared infrastructure and software systems as his number-one concern. He said if those systems were attacked, it could affect numerous companies.
"In reality, however, and our testing [has shown this]: basic systems and controls are to a large extent the source of many of the vulnerabilities. So if firms were to improve their password controls... we would see a large proportion of these vulnerabilities reduced quite significantly," he said.
Nelson identified large banks, payments systems and the Bank of England as coming under the definition of critical national infrastructure.
He said during Monday's "Cyber Security: Critical National Infrastructure" session: "They are very much subject to higher levels of scrutiny, they are the ones where we have carried out the first phase of penetration testing."
Under a government crackdown, national critical infrastructure companies could be liable for a £17m fine if they are found to have inadequately protected themselves from cyber attacks.
In addition, last week the National Cyber Security Centre (NCSC) and the Federal Bureau of Investigation warned that Russian state-sponsored cyber actors are targeting network infrastructure.
The joint Technical Alert (put out by the US's Dept of Homeland Security, the FBI and UK's NCSC) described a global assault on routers, switches, firewalls, and network intrusion detection hardware.
Steve Ungar, chief technology officer at regulator Ofcom, told peers the two main areas of risk facing telecoms suppliers emanated from China and Russia.
"The first is about the supply chain risk, the concern that UK networks may contain components that are supplied by companies that may not be trusted. That concern is a long-standing concern particularly in relation to China.
"Historically, the main concern is in relation to Huawei, more recently it's been around ZTE as a potentially untrusted supplier.
"The other set of concerns ... is the risk that some unfriendly state might use existing known vulnerabilities in networks to attack our infrastructure with the aim of taking out elements of critical national infrastructure, particularly in relation to Russia."
He said Huawei was regarded as a potential risk by the NCSC because of the possibility of Chinese government control. He added, however, that in Huawei's case mitigations have been put in place, such as the cybersecurity evaluation centre.
For ZTE, ownership by the Chinese government is more direct, he said. "But it's also about [the] supply chain ... the fact the US government is not allowing ZTE to use US components. And that creates a concern of how [ZTE] systems can be maintained." ®