Blog by Chris Flynn, Arcanum Cyber Security Consultant.
The Blackberry Cylance Threat Report is a report compiled by cyber security experts across many specialisations and is an accurate annual take on the current state of cyber security as well as a look at what is likely to come. So, what does the 2020 threat report tell us about future risks for Operators of Essential Services (OES) and Critical National Infrastructure (CNI)?
It is clear from our daily lives that the number of networked devices (known as the Internet of Things or IoT) is increasing rapidly; all of us have smartphones, most of us have fitness technology and some of us even have networked lightbulbs. The number of networked devices is also on the increase in the workplace, and OES are not exempt from this. The ability to monitor and control physical equipment from afar presents cost and operational benefits to business, but with every silver lining there is unfortunately an accompanying cloud:
“Connectivity growth creates expansion of the attack surface, providing multiple opportunities and venues for threat actors to compromise systems … and … keeping business technology secure as it interacts with IoT devices is difficult” 
The larger attack surface that comes with networked devices is increased further when we delve into the realms of mobile devices:
“Mobile security is facing several challenges ranging from vulnerable mobile device management (MDM) servers, to enterprise clients and their interaction with IoT devices” 
It is clear that we must keep a good handle on exactly which devices are connecting to our networks and also where else those devices have connected: an air-gapped system is not air-gapped unless the devices connecting to it are secure. This point was highlighted very well by the Stuxnet attacks on Iran’s nuclear enrichment programme, identified in 2010.
The 2020 Threat Report also highlights the increased prevalence of the use of ransomware in attacks over the past 12 months:
“We have observed a substantial increase in cases of big companies, public institutions, and governments being hit by ransomware.”
Ransomware has also been used as a distraction technique to hide the mass deletion of data; notably, this technique was employed in Sandworm’s NotPetya attacks:
“Some ransomware attacks may aim to disrupt processes and services by destroying vital data. In some cases, the payment infrastructure and/or the encryption routines are flawed, making file decryption or ransom payment impossible.” 
NotPetya hit a vast array of targets and consequently caused losses of around $10 Billion across the world – the most prolific and costly cyber attack in history. The 2020 Threat Report expands upon the threat facing CNI:
“Attacks against government entities can have cascading effects that not only impact critical national infrastructure, but impact individuals as well. Some of the more serious forms of government-focused cyber attacks can threaten lives.” 
It is very clear that the threat posed to both information and operations is very real: highly skilled threat actors work around the clock to bend and break our defences. What is also clear is that we can defend ourselves. With appropriate management, leadership and guidance, our critical infrastructure can be securely operated.
The UK National Cyber Security Centre (NCSC) have issued the Cyber Assessment Framework Version 3.0 (CAF) to “provide a systematic and comprehensive approach to assessing the extent to which cyber risks to essential functions are being managed by the organisation.” 
Within the CAF, the NCSC identify 14 principles that will increase the cyber security and resilience of OES – the 14 principles clearly set out what is required and, if adhered to, will certainly help to defend organisations from cyber attacks. Each principle comes with indicators of good practice (IGP) – these show the organisation how well prepared it is to counter potential attackers, and also highlight areas that need to be worked upon.
When considering the points raised above, we should particularly look to the IGPs in the following principles:
- Are policies, procedures and guidance (PPG) keeping you secure?
- Do you have assurance mechanisms in place?
- Are your personnel equipped to deal with the cyber threat?
- Identity and Access Control
  - Are devices listed in an up-to-date inventory?
  - Are administrator accounts barred from internet access?
  - Are you using multi-factor authentication?
- System Security
  - Are networks appropriately designed?
  - Are air-gapped systems actually secure?
  - Are essential systems easy to recover?
If the answer to any of these questions is ‘No’ then the organisation’s robustness can be called into question – we must strive to protect our CNI to allow Britain to succeed in the cyber age. The risk posed to CNI is real and has been exploited in recent history, but putting in place the necessary measures to deny, deflect or disrupt an attack is not as daunting as it may first sound.
If your organisation requires assistance navigating the NCSC’s CAF or needs assistance in meeting the indicators of good practice, then Arcanum Cyber Security can certainly help you. We have a wealth of experience in applying all aspects of the NCSC’s guidance and have worked with a vast array of governmental and commercial organisations. Our NCSC Certified status is not given lightly so you can be assured that Arcanum will deliver an honest and thorough service regardless of your level of cyber security preparedness.
Please note Arcanum Cyber Security are still fully operational. For more information please do not hesitate to get in touch today.
Please give us a call 01558 669140 or email email@example.com
Sources:
- The Blackberry Cylance Threat Report
- www.mcafee.com
- www.wired.com
- NCSC Cyber Assessment Framework Version 3.0