The likelihood of a serious security breach in part of the UK critical national infrastructure is still remote but it is becoming increasingly probable due to standardisation of IT systems, according to security experts.
On Thursday the UK’s National Infrastructure Security Co-ordination Centre (NISCC) issued a statement that 300 government departments and businesses have been the victims of an ongoing series of trojan horse-based attacks from the Far East since the start of the year.
Neil Hare-Brown, managing director of incident response and risk management consultancy, QCC Security said the warning should stand as a wake-up call to businesses that aren't taking security seriously.
“This is about raising the bar. Attacks and payloads are getting more sophisticated all the time and so the authorities are getting much more seriously worried about it because cyber-terrorism is starting to rear its ugly head. It’s no longer just about kids playing about,” he said.
The report from the NISCC is the first time the usually low-key organisation has made such a high-profile warning. "Parts of the UK's critical national infrastructure are being targeted by an ongoing series of email-borne electronic attacks. While the majority of the observed attacks have been against central government, other UK organisations, companies and individuals are also at risk," the report stated.
But the annoucement by the NISCC seems to contradict earlier claims by governement that the chances of a severe electronic attack against critical national infrastrcture was actually quite low.
Following claims that Britain stood at risk of an "electronic 9/11" because the companies who run parts of the Critical National Infrastructure (CNI) are not compelled to maintain the highest levels of security, a Home Office spokesperson insisted that this threat is under "constant review" already, with the National Infrastructure Security Co-ordination Centre (NISCC) working "around the clock" to assess the threat of attack.
"The threat of the sort of attack that could disable a critical service is low," said the spokeswoman. "Less serious, but damaging attacks that might deface a Web site or deny service from a Web site are more likely," she added, insisting that "well-established defences" are in place in the event of a serious incident.
The CNI includes Britain's telecoms, water and power networks, as well as the emergency and health services.
Bob Jones, managing director of internet security specialist Equiinet said NISCC had woken-up to the serious issue of cyber crime and businesses should do the same. "Businesses that have been lagging behind in getting the right security protection in place need to sit up and listen to the NISCC's warning. Whilst anti-virus software and firewalls are critical components of any security infrastructure, the NISCC is right in its statement that companies need to go beyond these traditional defences."
The latest NISCC warning claims that companies using Microsoft systems are especially at risk from attack because of the pervasiveness of the software.
The more systems that are based on common interfaces and the more they use common mechanisms to interoperate, the higher the cyber-terrorism risk will grow, added Hare-Brown.
“Most people think that a real cyber-terrorism attack is still some way off because there’s still a level of diversity in the systems that people use, although this shows that it’s moving in that direction,” he explained. "The likelihood that someone is going to perform a broad-based attack where the damage is widespread also increases. That’s why the NISCC is getting more vocal because it’s worried and it’s letting people know of the growing threat."
The likelihood that a company may have its critical systems compromised is also being increased by the rise of criminal gangs paying top-level hackers huge sums to engage in industrial espionage and economic terrorism, said Hare-Brown.
“Organised crime can afford to purchase top level skills, but if you’re trying to make a political statement, there’s not generally enough money in it to pay for this. These skills don’t come cheap. This is economic terrorism, but it’s not about trying to destabilise the economy for political reasons. It’s about exploiting it for criminal gain,” he said.