Britain may not be able to fend off a determined cyber-attack, MPs warn

Britain's critical national infrastructure is vulnerable to hackers and neither UK.gov nor privatised operators are doing enough to tighten things up, a Parliamentary committee has warned. The Joint Committee on the National Security Strategy has laid into the government for its slapdash approach to IT security, claiming that …

  1. Anonymous Coward

    Carp

    Severn Trent for an example off the CNI list, £300M profit, but can't afford security.

    Centrica £782M profit first half this year, can't afford to pay for their business's security.

    Why do we elect such pillocks to form government's and opposition?

    1. Commswonk Silver badge

      Re: Carp

      Why do we elect such pillocks to form governments and opposition?

      (Rogue apostrophe deleted!)

      Because only pillocks stand for election in the first place. However as neither Severn Trent nor Centrica are actually "political" bodies I'm not sure that politicians can be held responsible for their shortcomings in the cybersecurity department.

      In a way it's a failure of modern capitalism; in days of old all that was necessary to maintain security was to lock the doors at night. Now, with almost everything being IT based, that approach is no longer sufficient, and with effective cybersecurity being a cost to business with no apparent corresponding return to bulk up the bottom line it should be no great surprise to discover that electronic security simply doesn't feature in the business plan.

      It doesn't seem to have occurred to them that a major cyber attack has the capacity to do far more damage to the bottom line than a bit of sensible investment would have done.

      1. Roland6 Silver badge

        Re: Carp

        >in days of old all that was necessary to maintain security was to lock the doors at night.

        ? I thought in the days of yore you had such things as moats, drawbridges and private armies - security wasn't for the masses...

        1. Teiwaz Silver badge

          Re: Carp

          >in days of old all that was necessary to maintain security was to lock the doors at night.

          ? I thought in the days of yore you had such things as moats, drawbridges and private armies - security wasn't for the masses

          You are going back too far... the commenter mentioned 'days of old', not 'days of yore'; the former had less need of full-on fortifications generally.

    2. Andrew Commons

      Re: Carp

      I've run security at a utility subject to the sort of controls described here. You have to get your proposed budget through your management plus the external body controlling prices. In my case this was an exercise you performed every 5 years; you were bidding for 5 years' money, so a lot of educated guessing was involved in the guise of 'strategic planning'. Note that the submission to the external authority includes everything the utility does, so the security budget is at best a single line somewhere with external material to justify it. My modest budget was still cut internally due to overall limits on opex rather than capex. Another (more critical) utility subject to the same process had their security budget savaged by the regulator.

      I found the main problem was head count. For the size of the team we had enough money to run all the projects we could handle and we could get contractors in for project work. Getting a head count increase was a different matter entirely.

  2. Will Godfrey Silver badge
    Unhappy

    Sharks

    Keeping with the theme, you beat me to it.

    Maybe, some form of lien on profits only might sharpen their focus.

  3. Alex Read

    I wonder if any government or company would truly cope with that one.

  4. Rich 11 Silver badge

    Funding

    GCHQ may in fact not be able to cope with the scale of the threat if things got truly nasty

    I wondered how much GCHQ have been funded to cope, and whether that money might have been cut in line with everyone else's funding over the last eight years. It looks like they have a page describing their funding, but for some reason it throws a 404 error.

    1. Anonymous Coward

      Re: Funding

      A simple search will tell you that the spooks have been getting increases in funding when other gov departments were getting cuts... at least 3 funding increases to GCHQ in the last 8 years or so.

    2. Anonymous Coward

      Re: Funding

      and do the yanks still pay GCHQ bigly for, well, pro-orangey or contra reasons? HeT??

      I'm all for protecting CNI, I did enough CNI attack modelling to know how many [French] nuclear power stations can be taken offline with a Sky TV analog SatRX [not joking! I even stockpiled a few Sky TV analog SatRX's just in case the bosses wanted a demo] I tried to warn the defenders around six years before the attacks that I could see coming, in this case it is now nearer 12 years ago. The interior ministry confirmed countermeasure deployment, which was nice.

      …but protecting CNI depends on your threat model, OK, there are a few PFY threats but really UK counter-dept is pretty good, so add-in all the autocratic no-very-far-away states, add in all the orangey run one — gone rogue, add in a lot of headchoppers — there are still not very many threats — MAD still applies even if you think that you are very clever.

      So, some of this “protecting CNI” is purely a budget grab, there remain falsely attributed self-attacks, and attacks that wouldn't have occurred unless some agency somewhere was constructively pushing them, in order to arrest the patsies, just for headlines. I suppose that is ‘business as usual’ from 450BC in China.

      Patch widely & promptly, adopt a heterogeneous architecture, consult widely with peer-experts - until exit day, at least. Then perhaps stop or lower the rate of throwing insults at some of the nearer autocratic states, just as valid a “protecting CNI” as a selfie-attack, and train as many PFY as you can at GCHQ, rotate them into banking, NHS, any other industries that are left, and reap some benefits from the MIC for the country. Just some thoughts.

  5. steelpillow Silver badge
    Holmes

    Reality check

    Name me one arm of national security that the UK government is funding adequately and could stand up to a determined attack.

    1. Ken Moorhouse Silver badge

      Re: Reality check

      The 585 page Brexit agreement would be a good place to store top secret data.

      1. Winkypop Silver badge
        Pint

        Re: Reality check

        I'll pay that one!

  6. Alister Silver badge

    They wouldn't have to invest so heavily in "cyber" security if they hadn't systematically pushed the utility companies into using the Internet for their critical infrastructure.

    Time was when electricity, gas, water, railways, nuclear etc, etc used private circuits to do all their internal telemetry and monitoring over, and you would have had to work quite hard to break into them.

    1. Commswonk Silver badge

      They wouldn't have to invest so heavily in "cyber" security if they hadn't systematically pushed the utility companies into using the Internet for their critical infrastructure.

      "They" being who, exactly? I greatly doubt if any pushing was required; the various corporate beancounters will have insisted on it anyway, with internet connections being a whole lot cheaper than Private Wires.

      That aside, you are perfectly correct in pointing out that PWs would have been a far more secure way of providing the necessary network(s).

      1. Jellied Eel Silver badge

        It gets worse.

        So blaming price controls is absolute testicles. Blaming the 'net is much the same. So in pursuit of ever increasing profits, utilities have been cutting costs. That may also mean exposing themselves to risks.

        So utilities often have a challenge of being in the posterior end of xDSL coverage maps. So SCADA may use wireless, via their own masts & network, or via Arqiva. Or they may use mobile networks, in which case they're vulnerable to same risks any mobile user would be.

        If they've cut spend on IT staff and especially security, well, that's self-inflicted, especially when they're running critical infrastructure. SSE highlights the biggest challenge as their corporate objective is to pay an annual RPI+ dividend to their shareholders, and damn the customers.

        Where it gets worse is that a small, fresh consultancy has just won a case in the ECJ challenging UK capacity auctions. The EU has ruled these are an unfair subsidy, and payments must stop. Which means energy customers who've invested in stand-by capacity or peaker generators are somewhat screwed. But not Tempus Energy-

        Our technology uses AI and smart algorithms to control and optimise when flexible assets use energy. By predicting volatility in carbon intensity and market prices we allow customers to reduce their energy costs – while simultaneously enhancing their use of renewables.

        Which is good for Enron.. I mean Tempus, not so good for customers. SSE's doubly screwed because they 'invested' heavily in wind farms, and took a big hit over summer because the wind didn't blow. But no matter, their customers can look forward to price increases due to 'rising energy costs'.. Like they did when oil was >$100, and didn't reduce when it fell below.

        The impact of Tempus's judgement hasn't been widely reported, but is potentially going to add billions to energy costs, if unchallenged.

        1. Anonymous Coward

          Re: It gets worse.

          The impact of Tempus's judgement hasn't been widely reported, but is potentially going to add billions to energy costs, if unchallenged.

          Widely reported and very well understood by industry. I've no sympathy for Tempus who in my humble opinion are an attention grabbing bunch of self publicists, keener to turn up and spout at any venue that will have them than run their own business. Having said that the policy concerned was always a botched solution to the ongoing car crash that was wider government energy policy, and a direct response to the poorly managed introduction of renewable power sources. There's a similar problem brewing as a result of other government interventions, including where a number of energy suppliers haven't been able to pay their Renewables Obligation bill to Ofgem - which usually means they'll go bust, and the rest of industry will have to pony up the missing cash to pay over-generous renewable subsidies to wealthy asset owners, AND they'll additionally have to pay to restore any customer credit balances if those suppliers go bust.

          UK energy policy is a bizarre f***ing mess, in which well run, financially secure suppliers are forced to pay the costs of the poorly run, risk takers who go bust, and where every policy measure seems to beget a new problem that requires yet more complex regulation and new subsidy arrangements. Any "market" operation is under ruthless and repeated attack by regulators and politicians, both disliking how markets work, and also trying to cover the tracks of their own feckless stupidity. And in a few days time, the NAO will release a very critical report on the smart meter programme, which has been a hugely expensive, pointless farce dreamt up by idiots, and those government idiots still cling to the burning wreckage, claiming that smart meters will save the planet, and cut bills (despite a total programme cost of the order of £20bn).

          Go back a few years, and a chap called Peter Atherton wrote a paper for a company called Liberum Capital, and he predicted that energy policy had descended into madness and chaos, and it was almost certain to unravel badly. Government and many industry leaders pooh-poohed his views, but he looks as though he may have the last laugh this winter. With the ill-conceived retail price cap the idiots of Ofgem have made most energy suppliers instantly unprofitable as of January next year, and those without strong (expensive) hedging will find themselves crushed by rising wholesale costs and that price cap. And as above, the costs of that will be added to all other suppliers' costs.

          1. Jellied Eel Silver badge

            Re: It gets worse.

            Yup. The people behind Tempus are dangerous. So Bryony Worthington, creator of Ed Miliband's Climate Change Act. I strongly suspect they're being bankrolled by Jeremy Grantham to create their alternative trading system that channels even more into renewables.

            SSE's experience with no wind for a long period should have been a wake-up call to the futility of intermittent generation in a market that expects a stable supply. And their solution seems to be adding more costs via grid-scale batteries. CCGT or OCGT seem a better solution, but the subsidy farmers don't like gas.. But then there's been some fun in the US with a big swing on oil & gas prices that have hammered some energy traders and speculators.

        2. IceC0ld Bronze badge

          Re: It gets worse.

          T otal

          I nability

          T o

          S top

          U nwanted

          P robing

          I KNOW I said the last one was the last one, but come on :o) and I have formatted it differently too

      2. veti Silver badge

        Private wires would probably be more secure, yes. But there's a reason why they were abandoned, y'know - it wasn't an evil conspiracy to sell out the national infrastructure to The Enemy, it was an attempt to save money.

        The UK gov't needs to decide whether it wants private, competitive utilities or public, monopolistic ones. If the latter, then regulate prices but also mandate spending and services. If the former, then regulate competition and let the market sort out prices - that's how it works. But don't do this neither-fish-nor-fowl bollocks that's been wreaking havoc since the 1990s.

      3. DCFusor Silver badge
        Joke

        @Commswonk:

        So much so that even Bruce Schneier was quite late to the game, thinking that all critical infrastructure was still on things like T1 lines long after it'd gone to internet, even while those few of us public online were still in dialup mode....having read his blog since those days - and even having called him out on that one, it's been an interesting evolution, not all evenly applied. This of course was so long ago it'd take serious searching in his archives to even find it. Pre "911".

        The old game of the attacker and defender keeps evolving endlessly, and not always linearly or evenly. For quite some time there was a mixture of private lines and even total lack of remote control! Things were "safe" that way, but at the cost of no remote control, someone reasonably competent had to be present and on duty. And hopefully not sleeping. Most industry never adopted the equivalent of the one legged stool used in nitroglycerin plants to ensure the operator stayed awake.

        Now because that's no longer required, the trend is to simply have no one competent available at all, or so it seems.

        Which even includes most of the attackers, so we're safe, surely. Shirley?

      4. EBG

        who, exactly ?

        It is for government to be on top of this and regulate to restrict the use of technology for cost saving if it leaves the system wide open. .gov has gone down the opposite route and has swallowed the "digital economy" line totally and uncritically. It would help if the various regulators were brought back "in-house" and not at arm's length to government, so that there was direct accountability, not the current deniability.

    2. Voland's right hand Silver badge

      Time was when electricity, gas, water, railways, nuclear etc, etc used private circuits

      And how is this safer in the age of MPLS or programmable optical multiplexing and programmable optical interconnects? Not that it was particularly safe in the days when it was copper mux either. Private line in the UK has not been particularly "private" for 50-odd years. Even in less civilized abodes like Eastern Europe it was not "private" as recently as the 80-es for anything but local circuits.

      If all that is being relied upon is the "privacy" of the line, then you just break into the service provider and the entire infrastructure is 100% unprotected.

      Moving it to the Internet +/- VPN infra over the internet is actually better in the longer term because it forces fixing the defences and the security of the installations.

    3. ForthIsNotDead

      Who's "they"? Nobody pushed anyone to do anything. The internet was selected as the back-bone because it is a fuck-ton cheaper than all of those leased lines, private wires, ISDN, GPRS links et al. that utility companies pay millions for each year. It's a natural outcome of cost-saving. In addition, some technologies such as PSTN are on the obsolescence path, so there's not much choice (if you want to keep costs down).

      That and... well... What is the internet for if it's not for sending data between places? We're not doing it 'out in the open'. We have VPNs and other security measures. For our mobile communications we run our own private APN. It's actually fairly secure. It's the end-points that are less secure, mainly due to aging assets. Some of our SCADA assets (outstations) are 30 years old. Securing them is hard.

      The government need to give more freedom on budget handling within CNI organisations. They dictate how much profit we can make (I work in water CNI), and they dictate how much we are to invest. We're left with what's left. We're between the devil and the deep blue sea. We make our budgets in 5 year blocks (AMP periods). This year, we've put in for more than £30 million for RTU upgrades over the next five years. The directors have been put on notice that with new regulations such as NIS, we're not carrying the can for them if they refuse our budget for replacing aging RTU assets.

      We'll see what happens.

  7. Dabooka Silver badge

    Are they taking the piss?

    The cap on ripping customers off means there's not enough left in the pot (after bonuses) for security? No problem, we'll remove their licences then, that'll focus the collective minds.

    Seriously, what a bunch of piss poor disengaged amateurs they must be to link the two.

  8. Voland's right hand Silver badge

    Without a more flexible approach to price controls

    Bollocks. Most are cost + fixed margin with the cost auditable. Security is just one more cost which nobody bothers to take into account because there is no economical driver to add it. There is no obligation by a central authority like for example in Israel or no criminal liability for the CXX suite for failing to comply like in let's say Russia.

    It will be immediately taken into account 5 minutes after the Parliament makes cyber-security unpreparedness of a national infrastructure provider a criminal offence for the CXX suite.

    Just copy the other boy's homework (the one from a country with better STEM education) and be done with it.

  9. amanfromMars 1 Silver badge

    Honest Declaration ..... Alien Vested Interest

    Cyber Security is a Hearts and Minds Great Game for Real, is it not? With that and/or those at Peace with Themselves and Others on the Higher Ground in More Exalted Spaces, Exercising a Remote Virtually Autonomous Command and Relatively Anonymous Practical Control of SCADA Administration Systems.

    Such is not something to Battle Against for Defeat, it is an Advanced IntelAIgent ProgramMING Project for Engagement and Deployment ...... Free Open Secret Source Facilitation and Universal Utilisation.

    The System as is, is not totally unaware of such tremendous progressive strides, or certainly should not be if we are to be led to believe and take comfort in the fact that national and international and international security services are up to the task of protecting the future from the ravages and ravishes of the past and the present, for there is no shortage of evidence in all manner of messages in media, sharing news and views on the changed nature of reality and the ease of its manipulation with the simplest of global communications tools instantly connecting and infecting listening networks.

    And this simple sentence shared earlier in NEUKlearer HyperRadioProACTive IT .... for Going Forwards* .... Lone Ranger Renegade Rogue Style. ...

    And yes, that is a Genuine Proposal for Mindful Consideration of The House of Commons Science and Technology Committee Inquiry. .... El Reg Thu 26 Jul 17:25 [180727]
    ..... is probably better served servered to The Joint Committee on the National Security Strategy and the National Cyber Security Centre and SMARTR Military Units of Fully Protected Assets ..... for as has been admitted in the article, have things changed more than just significantly and considerably.

  10. Anonymous Coward

    You're assuming utilities know what equipment they have, what firmware they have installed, and how it is networked. The reality is very different. 50+ years of installations all built to the standards of their date of origin, and therefore wildly different. Sticky plasters and patches to keep things going or add new functions. Add into that the inability to change equipment in service without adding to already overloaded outage plans, nor meaningful standards or specifications as to what one should build. Maybe also throw some staff cuts into the mix "because shareholder profits are more important than retaining skills". It's a recipe for disaster, but nobody will believe it until we have a Ukraine-style shutdown. Anonymous for obvious reasons, and equally obvious which utilities I am referring to.
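The comment above describes utilities that cannot say what outstations they run, on what firmware, or on which network. The following is an added example, not code from the commenter, the page, or any utility's own tooling: a gap check over an asset register of the kind the comment says is missing, flagging devices whose firmware is unrecorded, whose install year is missing or past a service-life threshold, or whose network zone puts them outside the isolated SCADA segment. The register columns, the 20-year threshold, the zone names and every sample row are constructed for illustration and are not real sites or devices.

```python
"""Added example: gap analysis over a (constructed) OT asset register.
Not from the page or any real utility; field names, thresholds, zone
names and sample rows are all assumptions made for illustration."""

import csv
import io
from dataclasses import dataclass, field

SERVICE_LIFE_YEARS = 20      # assumed threshold; real figures depend on vendor support
AUDIT_YEAR = 2018            # year the audit is run (the page dates from late 2018)
SAFE_ZONES = {"scada"}       # assumed: only the isolated SCADA segment counts as contained

# Constructed sample register: invented sites, device IDs and firmware strings.
SAMPLE_REGISTER = """\
site,device_id,type,install_year,firmware,zone
PumpSt-A,RTU-0101,rtu,1989,,scada
PumpSt-A,RTU-0102,rtu,2015,4.2.1,scada
Reservoir-B,OUT-0201,outstation,2003,1.0.7,corporate
Reservoir-B,OUT-0202,outstation,,unknown,scada
Treatment-C,PLC-0301,plc,2011,9.3.0,internet
"""


@dataclass
class Finding:
    site: str
    device_id: str
    reasons: list = field(default_factory=list)


def assess_device(row, audit_year=AUDIT_YEAR):
    """Return the list of gap reasons for one register row (empty if none)."""
    reasons = []

    # Unknown firmware means patch status cannot be determined at all.
    fw = (row.get("firmware") or "").strip().lower()
    if fw in ("", "unknown", "n/a"):
        reasons.append("firmware not recorded")

    # Missing install year is itself a gap; a known year is checked against service life.
    year = (row.get("install_year") or "").strip()
    if not year.isdigit():
        reasons.append("install year not recorded")
    elif audit_year - int(year) > SERVICE_LIFE_YEARS:
        reasons.append(f"installed {year}, past {SERVICE_LIFE_YEARS}-year service life")

    # Anything outside the SCADA segment is reachable from networks it should not be.
    zone = (row.get("zone") or "").strip().lower()
    if zone not in SAFE_ZONES:
        reasons.append(f"reachable from '{zone or 'unrecorded'}' zone")

    return reasons


def audit_register(text, audit_year=AUDIT_YEAR):
    """Parse a CSV register and return a Finding for every row with at least one gap."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        reasons = assess_device(row, audit_year)
        if reasons:
            findings.append(Finding(row["site"], row["device_id"], reasons))
    return findings


def summarise_by_site(findings):
    """Count flagged devices per site, worst site first, so outage planning can prioritise."""
    counts = {}
    for f in findings:
        counts[f.site] = counts.get(f.site, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    results = audit_register(SAMPLE_REGISTER)
    for f in results:
        print(f"{f.site}/{f.device_id}: " + "; ".join(f.reasons))
    print("per-site:", summarise_by_site(results))
```

The three rules are deliberately independent, so a device can accumulate several reasons; the per-site summary is what feeds the "already overloaded outage plans" the comment mentions, since each flagged device at a site is a change that has to be scheduled against redundancy.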

  11. John Smith 19 Gold badge
    Thumb Up

    "..immediately taken into account 5 minutes after..Parliament makes cyber-security

    unpreparedness of a national infrastructure provider a criminal offence for the CXX suite.

    Exactly.

  12. Anonymous Coward

    > CNI was defined as comprising 13 market sectors: chemicals;

    > civil nuclear; communications; defence; emergency services; energy;

    > finance; food; government; health; space; transport and water.

    They forgot Twitter.

    But seriously, “space”? What’s that referring to?

    1. Binraider666

      GPS amongst other things. Very easy to interfere with.

    2. tfb Silver badge
      Big Brother

      Space

      Apart from GPS there's quite a lot of stuff in space which was put there for non-science reasons, such as Skynet (not that Skynet, although perhaps actually that Skynet).

  13. Anonymous Coward

    "But seriously, “space”? What’s that referring to?"

    That mystical region between an MP's ears.

  14. 0laf Silver badge
    Facepalm

    I find it hard to take anyone seriously when they bang on about cyber security being so important then in the next sentence sign off yet more cuts to the IT department that does the majority of the work.

    If you want resilience and response you can't get it by paying everyone off.

    My own organisation's IT guys are now starting to cut corners because they have so little resource to deliver what they are being told to do. Point out the risks and all you get is an exasperated shrug and senior managers who paste on a smile and swear everything is wonderful.

  15. Anonymous Coward

    More hypocrisy here......

    Quote: ".....Hostile states are becoming more aggressive in their behaviour...."

    Yup....including the hostile state which runs GCHQ.

    https://theintercept.com/2014/12/13/belgacom-hack-gchq-inside-story/

    https://www.theguardian.com/uk-news/2018/sep/21/british-spies-hacked-into-belgacom-on-ministers-orders-claims-report

    1. amanfromMars 1 Silver badge

      No hypocrisy here. Just Raw Grunt

      Both hostile and friendly states and the likes of a GCHQ operation have both pirate and private security and military contractors to compete with or oppose, given the overwhelming leverage and clear advantage expertise in the field delivers to principals.

      And there be more than just a few to choose from if in the market for delivery of overwhelming leverage and clear advantage expertise ..... https://www.securitydegreehub.com/most-powerful-private-security-companies-in-the-world/

  16. Disgruntled of TW
    Facepalm

    What do MPs understand?

    I'm sorry, but I am troubled by the need for MPs, who most likely lack the technical security knowledge, to understand the scale of a CNI attack and bring it to our attention. The financial impact they may have more of an eye on, but that quickly descends into hearsay without data and facts.

    The profits of the organisations that operate our CNI are indeed worthy targets for the MPs that hold the regulatory sticks. I believe Bruce Schneier is now a supporter of the government wielded regulatory stick, as more than two decades of carrots and goodwill has achieved very little in secure behaviours for IoT vendors, and those operating our CNI.

    Let the stick beatings begin, hopefully to a hip rhythm so the rest of us can dance safely.

    1. tfb Silver badge

      Re: What do MPs understand?

      Aren't these the people some of whom thought it was fine to share their login credentials with anyone in the office? Or was that just a particularly dim one? (Or one who was just lying, I suppose.)

  17. Boris the Cockroach Silver badge

    Strange

    After last night's blackout here... I'm surprised they invest in infrastructure, let alone cyber security.

  18. Anonymous Coward

    Health spending

    on IT is shockingly low as a percentage of total spend. This is entirely due to it not being public facing, not being under an easy to FOI waiting time etc.

    Cyber/Info sec are underfunded as a result, it's improved since Wannacry but it still has a huge way to go. In many cases they have brought in staff but then given them no resources to work with.. training can only go so far and technical solutions are rather expensive.

    1. Anonymous Coward

      Re: Health spending

      Perhaps Centrica et al. should try operating on the budget for a similar-sized NHS trust, and realise that they actually need to STFU and be happy they have the profits from the generating arm to plough into the retail side, and can actually fund a security team, along with some bells and whistles to keep the likes of RSA in business.

      I can't even get the basics sorted here, let alone the should-haves....

      Your Friendly neighbourhood NHS IT Security AC

  19. Anonymous Coward

    Perhaps if the fines were like GDPR they'd be focussed. e.g. secure it or pay 4% of global revenue.

  20. GnuTzu Bronze badge
    Megaphone

    Dual Threat

    "...facing a dual threat of more aggressive overseas hackers and a lack of funding for cyber defences."

    O.K. everybody. It seems we're finally getting through. Don't back off; shout even louder.

  21. Anonymous Coward

    Access, not funds

    Graveyard post, sorry. Much of the criticism above is about funding. Perhaps I can shed some light on why this is a problem. Establishing system access is a major headache. You can't replace mission-critical ICS without taking down mission critical equipment while you do the work. Systems are designed with redundancy in mind. System Operators don't grant permissions to operate without redundancy, therefore you need MORE redundancy!

    Now, when you are talking about redundancy for a multi-billion pound cable tunnel, or gas pipeline, that kind of redundancy requires multiple multi-billion pound systems!

    It is a circular problem that requires a complete rethink of how one builds CNI systems; unfortunately, that also means significant rebuilds of many CNI networks systems from ground up. A simple firmware upgrade here and there just isn't enough.

    There is something to be said for CNI type infrastructure to be operated strictly off-network; manual ops only inside secure compounds. Much easier to keep up to date, and only as weak a link as the personnel; which are ALWAYS going to be your biggest security risk no matter what approach you take. Of course, manual op costs more and people don't want big bills, quite rightly... So how do you strike a happy medium?

    Lovely problems to have, clearing up after 50 years of nobody caring one jot. The country, and private ownership, has been living off the benefit of its networks built under national ownership for a long time. New and very real threats come along requiring attention - lo and behold, the whole establishment starts pointing fingers at WHO PAYS? The answer is it's the bloody customer, that's who pays at the end of the day. One way or the other.

    Of course there is another way. We could actively decide that the cost of stupendously reliable service is too high, and accept that cutting service standards is worth the economic damage of occasionally losing bits (or even whole) networks.

    As if it wasn't obvious, the only answer to the problem of middlemen is to bring back the CEGB. But there's no getting away from customer pays for service standards.


Biting the hand that feeds IT © 1998–2019