“We need legislation because simply issuing a government advisory means there will always be organisations that will ignore that,” he told Computer Weekly.
Research by ZPryme on smart grids indicates that more than half of infrastructure providers in the US believe electrical networks are insecure, while 57% expect attacks against infrastructure to both increase in frequency and expand further into both IT and operations technology systems in 2013.
McIntosh, a former lieutenant-colonel in the Royal Signals responsible for secure communications, believes the situation in the UK is very similar, with many infrastructure providers in the private sector.
More on critical national infrastructure
- US researchers find 25 security vulnerabilities in SCADA systems
- Critical infrastructure providers are less engaged with government cyber protection
- Government to monitor companies supporting critical national infrastructure
- Is UK critical national infrastructure properly protected?
- Cyber security study reveals mismatch between awareness and preparedness
- Critical infrastructure security in dire need for standards
“Legislation is necessary to ensure that all suppliers of critical national infrastructure have all the necessary checks and balances in place and are protecting their IT systems appropriately because it appears that is not happening to the level you would expect,” he said.
While UK military networks are held to strict standards, said McIntosh, the same standards are not being applied to providers of critical national infrastructure.
He said the planned rollout of smart metering technology is of particular concern when it comes to securing power-supply networks.
According to the ZPryme research, the least secure of an electricity grids components were the end user segment and the distribution system, with only 4% of smart grid and utility professional polled saying that US electricity grids were very secure.
Previously, infrastructure companies would use dedicated lines of communication between offices, generating stations and sub-stations.
This meant any attacker had to break into these physical connections, but the gradual replacement of these dedicated lines with internet-based communication has created many more opportunities for potential attackers to breach the system, said McIntosh.
“This becomes even clearer with the increased adoption of smart meters in homes and businesses. By providing a direct connection to critical infrastructure networks in a location that is unlikely to be heavily defended, electronically or physically, infrastructure companies are introducing an extra level of vulnerability to their systems,” he said.
While the smart meter rollout has stalled once again, McIntosh said there is the potential for attackers to have a point of entry to critical infrastructure systems from every household and business in the UK.
To prevent attackers from finding ways around traditional perimeter defences, he said legislation is needed to ensure utility companies review all their IT systems to identify and block potential points of entry for attackers.
“The network itself and all its connections with the outside world that are the most vulnerable points,” said McIntosh.
Legislation is needed to ensure utility companies review their IT systems
He believes legislation is the only way the UK can ensure the benefits of expanding the capabilities of the grid are balanced by the necessary protections. Specifically, the smart metering programme should be allowed to go ahead only if the necessary security can be guaranteed, he said.
McIntosh said the legislation should dictate what all infrastructure suppliers must do to protect their IT systems to an adequate level along with clear deadlines for meeting those requirements.
The types of things that will need to be considered, he said, include firewalls, protection of interconnection points, encryption of data links, and continuous monitoring of networks.
“Assuming the bad guys will get into your network, there also needs to be some form of internal inspection of networks such as intrusion prevention and intrusion-detection systems,” said McIntosh.
“We need to identify breaches as soon as they occur and respond appropriately,” he said.
Returning to the prospect of smart metering in the UK, McIntosh said the government has to ensure that potential gains are balanced with potential losses.
“Government could, for example, mandate that all disconnections are done physically because the potential for attackers to disconnect users outweighs the business benefit of having a remote disconnect capability built into smart metering systems,” he said.
It is a “dynamic battlefield,” said McIntosh, which means that only by having the right checks and balances in place, will defences be updated automatically as vulnerabilities and threats evolve.