Following Last Friday’s (28 January) BBC report on the NCSC’s advice to UK organisations to review and bolster their cyber resilience in the wake of recent cyber attacks against Ukrainian government institutions, Tarquin Folliss, Vice Chair of cyber security specialist firm, Reliance acsn, urges businesses to heed the NCSC’s message to ensure basic security measures are in place.
“The recent BBC report speculates on how compromised our critical national infrastructure is to hostile state interference and whether the Russians will up the ante by targeting the UK directly, in response to any Western-imposed sanctions. The former is hard to prove but the assumption is, as the BBC suggests, that our CNI is compromised. Less clear however is Russian (or any other nation’s) intent to damage our vital services. To have the capability is one thing, to use it quite another, a point Professor Ciaran Martin, former CEO of NCSC put so succinctly. In military parlance this is doctrine and understanding it is key.
“It is important to point out, as the BBC does, the key NCSC caveat that it ‘is not aware of any current specific threats to UK organisations in relation to events in and around Ukraine …’. There is no intelligence therefore to suggest that the UK is being targeted by Russian agencies for an attack, in the event of a conflict between Russia and Ukraine. The NCSC advice is precautionary as well as prudent. Ukraine has suffered a great number of cyber attacks since 2015, largely attributed to the Russian special services, and on occasion the impact has spilt out beyond Ukraine, in the case of NotPetya to devastating effect. The NCSC advises organisations to ensure basic cyber security is in place in order to reduce their chances of becoming collateral damage.
“We only have to look at the chaos caused by last year’s ransomware attack on Colonial Pipeline to understand the impact a cyber disruption of our critical services can have on society. Some have argued that increased reliance on digital technology and the deployment of IoT sensors with limited to no security functionality make the West more vulnerable to an attack than Ukraine, where older technology is still prevalent in the infrastructure. We may not be able to emulate the Ukrainians by sending technicians to flip analogue switches physically when the lights go out or the heating ceases. Which begs the question – how resilient is our infrastructure and how can we make it more so? The Russian state may not need to deploy its sophisticated capability if we are vulnerable to the most basic attacks by cyber criminals. Food for thought.”