UK critical infrastructure skipping security checks

Almost two-fifths of the UK’s national infrastructure providers have not completed basic cyber security steps recommended by the UK government, an FOI response shows

There is a potential lack of cyber resilience among the providers of UK critical national infrastructure, a freedom of information request by Corero Network Security has revealed.

Data shows that 39% of CNI organisations have not completed the government’s 10 Steps to Cyber Security programme, with 42% of NHS Trusts who responded admitting they had not completed the programme.

Some of these organisations could be liable for fines of up to £17m or 4% of global annual turnover under the government’s proposed legislation implementing the EU’s Network and Information Systems (NIS) directive from May 2018.

Corero received 163 responses to FOI requests sent to 338 critical infrastructure organisations in March 2017, including fire and rescue services, police forces, ambulance trusts, NHS trusts, energy suppliers and transport organisations.

“Cyber attacks against national infrastructure have the potential to inflict significant, real-life disruption and prevent access to critical services that are vital to the functioning of our economy and society,” said Sean Newman, director at Corero.

“These findings suggest many such organisations are not as cyber resilient as they should be in the face of growing and sophisticated cyber threats.”

In particular, the data shows CNI operators are not doing enough to address distributed denial of service (DDoS) attacks.

DDoS attacks represent a serious challenge to the security and availability of operators of essential services. The government's consultation on NIS highlights DDoS protection as a mechanism that critical infrastructure providers should consider when protecting their services and availability from disruption caused by cyber attacks.

But while most people equate DDoS with high-volume attacks, like that against DNS provider Dyn in 2016 that took down large parts of the internet in the US, the vast majority of today's attacks are actually short and low-volume in nature.

In fact, 90% of DDoS attack attempts stopped by Corero during Q1 2017 were less than 30 minutes in duration, and 98% were less than 10Gbps in volume. Due to their small size, these "stealth" DDoS attacks often go unnoticed by security staff, but they are frequently used by attackers in their efforts to target, map and infiltrate a network.

Smaller, shorter DDoS attacks are also commonly used by attackers to provide cover for installing malware and stealing data.

In launching “low and slow” DDoS attacks, the attacker disrupts operations and distracts security teams, while keeping the target network operational enough to plant malware and exfiltrate data.
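As an added illustration, not from the article or from Corero, the following Python script shows the detection gap the preceding paragraphs describe: a volumetric rule tuned for long, high-bandwidth floods never fires on a three-minute, 2Gbps burst, while a baseline-relative detector using a short window flags it within seconds. The per-second traffic samples are constructed, and the thresholds (10Gbps sustained for 30 minutes for the legacy rule; four times the rolling baseline for at least 10 seconds for the burst rule) are assumed illustrative values rather than anything the article or any product specifies.

```python
"""
Short-duration DDoS detection example (constructed data, illustrative thresholds).

Two detectors are run over the same per-second bits-per-second samples for one
protected service:
  * volumetric_detector  - legacy rule: alert only on big floods that last a long time
  * burst_detector       - alert when traffic jumps well above a rolling baseline,
                           even briefly; anomalous samples never feed the baseline
"""
from collections import deque
from dataclasses import dataclass
from statistics import median
from typing import Callable, List, Tuple

GBPS = 1_000_000_000


@dataclass(frozen=True)
class Alert:
    start: int        # offset in seconds from the first sample
    end: int          # inclusive
    peak_bps: float
    reason: str


def build_samples() -> List[float]:
    """Constructed traffic: 10 min of ~200 Mbps baseline, 3 min at ~2 Gbps, 5 min baseline."""
    base = [200e6 + (i % 7) * 1e6 for i in range(600)]
    burst = [2e9 + (i % 5) * 5e7 for i in range(180)]
    tail = [200e6 + (i % 7) * 1e6 for i in range(300)]
    return base + burst + tail


def find_runs(samples: List[float], hit: Callable[[int, float], bool]) -> List[Tuple[int, int]]:
    """Return (start, end) index pairs for every maximal run of samples where hit() is true."""
    runs, start = [], None
    for t, bps in enumerate(samples):
        if hit(t, bps):
            start = t if start is None else start
        elif start is not None:
            runs.append((start, t - 1))
            start = None
    if start is not None:
        runs.append((start, len(samples) - 1))
    return runs


def volumetric_detector(samples: List[float], threshold_bps: float = 10 * GBPS,
                        min_seconds: int = 1800) -> List[Alert]:
    """Legacy rule: traffic must exceed a large absolute threshold for a long time."""
    runs = find_runs(samples, lambda _t, bps: bps >= threshold_bps)
    return [Alert(s, e, max(samples[s:e + 1]), f">= {threshold_bps / GBPS:.0f} Gbps for {e - s + 1}s")
            for s, e in runs if e - s + 1 >= min_seconds]


def burst_detector(samples: List[float], baseline_seconds: int = 300,
                   factor: float = 4.0, min_seconds: int = 10) -> List[Alert]:
    """Flag samples far above the median of recent *clean* traffic.

    Only non-anomalous samples are appended to the baseline window, so a burst
    cannot raise the baseline and silence its own alert part-way through.
    """
    clean: deque = deque(maxlen=baseline_seconds)
    flagged: List[bool] = []
    for bps in samples:
        if len(clean) < baseline_seconds // 2:      # warm-up: learn before judging
            clean.append(bps)
            flagged.append(False)
            continue
        baseline = median(clean)
        anomalous = bps >= factor * baseline
        flagged.append(anomalous)
        if not anomalous:
            clean.append(bps)
    runs = find_runs(samples, lambda t, _bps: flagged[t])
    return [Alert(s, e, max(samples[s:e + 1]), f">= {factor:.0f}x baseline for {e - s + 1}s")
            for s, e in runs if e - s + 1 >= min_seconds]


def duration_seconds(alert: Alert) -> int:
    return alert.end - alert.start + 1


if __name__ == "__main__":
    data = build_samples()
    print("volumetric rule alerts:", volumetric_detector(data))   # expected: none
    for a in burst_detector(data):
        print(f"burst alert {a.start}s-{a.end}s ({duration_seconds(a)}s), "
              f"peak {a.peak_bps / GBPS:.2f} Gbps: {a.reason}")
```

The point of the comparison is the tuning, not the code: a rule that only counts floods above 10Gbps lasting half an hour is blind to the 90% of attacks Corero reports as shorter than 30 minutes, whereas a short-window, baseline-relative rule sees the same burst almost immediately. Freezing the baseline while an anomaly is in progress matters in practice; otherwise a three-minute burst becomes "normal" before it ends.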

“DDoS attacks are often used as a smokescreen to distract security teams while other malicious activity is carried out,” Deborah Clark-McGinn, senior director of product marketing at Neustar told Computer Weekly in May 2017.

DDoS attacks accompanied by malware infections

According to Neustar, 42% of European organisations polled in May 2017 said DDoS attacks were accompanied by malware infections, up 10% compared with the previous year, and 27% of DDoS attacks in the past year were accompanied by either ransomware or attempts to extort money by threatening further DDoS attacks, compared with 15% in the previous year.

Globally, 23% of DDoS attacks were accompanied by ransomware infections or threats of further, more powerful DDoS attacks for extortion, an increase of 53% compared with the previous year.

The FOI data collected by Corero shows that 51% of responding UK critical infrastructure organisations are potentially vulnerable to DDoS attacks because they do not detect or mitigate short-duration surgical DDoS attacks on their networks.

While just 5% of these infrastructure operators admitted to experiencing DDoS attacks on their networks in the past year to March 2017, Corero said that if 90% of the DDoS attacks on their networks were shorter than 30 minutes, the real figure could be considerably higher.

“In the face of a DDoS attack, time is of the essence. Delays of minutes, tens of minutes or more, before a DDoS attack is mitigated is not sufficient to ensure service availability, and could significantly impact the essential services provided by critical infrastructure organisations,” said Newman.

“By not detecting and investigating these short, surgical, DDoS attacks on their networks, infrastructure organisations could also be leaving their doors wide-open for malware or ransomware attacks, data theft or more serious cyber attacks.

“To keep up with the growing sophistication and organisation of well-equipped and well-funded threat actors, it’s essential that organisations maintain comprehensive visibility across their networks, to instantly and automatically detect and block any potential DDoS incursions, as they arise,” he said.

NIS Directive low on the agenda

The NIS Directive has largely gone unnoticed, according to Simon Shooter, a partner specialising in cyber security at international law firm Bird & Bird.

“While most businesses are squaring up to the challenges of GDPR [General Data Protection Regulation] compliance, the NIS Directive appears on few agendas,” he told Computer Weekly.

“Given that operators of essential services, including the defined Digital Service Providers, face the prospect of sanctions equal to those in the GDPR, compliance with the NIS Directive should be high on the priority list,” said Shooter.