NCSC warns of “enduring and significant threat” to UK’s critical infrastructure

These sectors – collectively known as the Critical National Infrastructure – include those that provide the country with safe drinking water, electricity, communications, transport and financial networks and Internet connectivity.

Across the past 12 months, the NCSC has observed the emergence of a new class of cyber adversary in the form of state-aligned actors, who are often sympathetic to Russia’s further invasion of Ukraine and ideologically (rather than financially) motivated. 

In May this year, the NCSC issued a joint advisory revealing details of the ‘Snake’ malware, which has been a core component in Russian espionage operations carried out by Russia’s Federal Security Service for nearly two decades now.

The NCSC is now reiterating its warning of an “enduring and significant threat” posed by states and state-aligned groups to the national assets that the UK relies on for the everyday functioning of society.

More broadly, the UK Government remains steadfast in its commitment to safeguarding democratic processes. Recent milestones include the implementation of digital imprint rules under the Elections Act to foster transparency in digital campaigning, fortifying defences against foreign interference through the National Security Act and advancing online safety measures as a result of implementing the Online Safety Act.

Significant evolution

NCSC CEO Lindy Cameron said: “The last year has seen a significant evolution in the cyber threat posed to the UK, not least due to Russia’s ongoing invasion of Ukraine, but also from the availability and capability of emerging tech.”Cameron continued: “As our Annual Review shows, the NCSC and its partners have collectively supported Government, the public and private sectors, citizens and organisations of all sizes across the UK to raise awareness of the cyber threats and improve our collective resilience.”

Further, the NCSC’s CEO noted: “Beyond the present challenges, we are very well aware of the threats on the horizon, including rapid advancements in tech and the growing market for cyber capabilities. We’re wholly committed to facing those head on and keeping the UK at the forefront of cyber security.”

Defending democracy

The Annual Review highlights a new trend of malicious actors targeting the personal e=mail accounts of high-profile and influential individuals involved in politics. Rather than a mass campaign against the public, the NCSC warns that there’s a “persistent effort” by attackers to specifically target individuals whom they believe to hold information of interest.

The NCSC assesses that personal as opposed to corporate accounts are being targeted as security is less likely to be managed in depth by a dedicated team. In response, earlier this year the NCSC launched a new opt-in service for high-risk individuals to be alerted if malicious activity on personal devices or accounts is detected and to swiftly advise them on steps to be taken to protect themselves.

The Annual Review also highlights how the next General Election will be the first to take place against the backdrop of significant advances in Artificial Intelligence, which will itself enable and enhance existing challenges.

More specifically, the NCSC assesses that large language models will almost certainly be used to generate fabricated content, that hyper-realistic bots will make the spread of disinformation easier and also that deepfake campaigns are likely to become more advanced in the run-up to the next nationwide vote, which is scheduled to take place by January 2025.

Further, the NCSC assesses that democratic events, such as elections, almost certainly represent attractive targets for malicious actors. That being so, organisations and individuals need to be prepared for threats old and new.  In response, the Annual Review highlights the work of the NCSC and wider Government in weaving resilience into the fabric of the UK’s democratic processes ahead of the next General Election, which includes the establishment of the dedicated Joint Election Security Preparedness unit.

Sophisticated capability

As part of broader risks posed to the UK’s cyber security, the Annual Review highlights that the NCSC continues to see evidence of China state-affiliated cyber actors deploying sophisticated capability to pursue strategic objectives, which threaten the security and stability of UK interests.

In May, the NCSC and international partner agencies issued a joint advisory highlighting how recent China state-sponsored activity had targeted critical infrastructure networks in the US and could be applied worldwide.In response to the ongoing challenge from China, the NCSC has called for continued collaboration with allies and industry to further develop its understanding of the cyber capabilities threatening the UK.

The Annual Review also highlights how Russia continues to be one of the most prolific actors in cyberspace, dedicating substantial resources towards conducting operations around the globe and continuing to pose a significant threat to the UK.

The NCSC has continued to observe cyber activity targeting Ukraine by Russia and Russia-aligned actors, though these appear to be opportunistic in nature rather than strategic.

Overall, the impact on Ukraine hasn’t been as severe as many expected, in part due to well-developed Ukrainian cyber security and support from industry and international partners, which includes the UK’s own cyber programme.

Elsewhere, Russian language criminals operating ransomware and Ransomware-as-a-Service models continue to be responsible for the most high-profile cyber attacks perpetrated against the UK.The ransomware model continues to evolve, with a sophisticated business model facilitating the proliferation of capabilities through the aforementioned Ransomware-as-a-Service model. This is lowering the barriers to entry and smaller criminal groups are adopting ransomware and extortion tactics, which are exerting a huge impact.

Threat from Iran

While less sophisticated than Russia and China, Iran continues to use digital intrusions to achieve its objectives, including through theft and sabotage.

In September last year, the NCSC and international partners issued a cyber advisory highlighting that actors affiliated with Iran’s Islamic Revolutionary Guard Corps targeted known vulnerabilities to launch ransomware operations against multiple sectors, including Critical National Infrastructure organisations.

In January this year, the NCSC warned of the threat from targeted spear-phishing campaigns against UK organisations and individuals carried out by cyber actors based in Iran. Spear-phishing involves an attacker sending malicious links, for example via e-mail, to specific targets in an attempt to induce them into sharing sensitive information.

The attacks were not aimed at the public, but rather targets in specified sectors, including academia, defence, Government organisations, NGOs and Think Tanks as well as politicians, journalists and activists.

Industry comment

Nick Smith, security expert at Genetec UK and Ireland, commented: “The convergence of physical and cyber security threats should come as no surprise to security teams managing Critical National Infrastructure. They have been on high alert in response to heightened geopolitical tensions with China and Russia, especially so as the necessary tools for maintaining physical security of these sites, namely CCTV, access control and perimeter monitoring, etc have become increasingly interconnected with the move to cloud computing and the Internet of Things.”

Smith continued: “It is pivotal that, at a time of increased risk, physical and cyber vulnerabilities are addressed in a single and unified plan. Regular and comprehensive reviews of Internet of Things devices to check for errors in set-up, inadequate maintenance or outdated network design should be implemented to close off any vulnerabilities to hackers. Security teams should also take into account the supply chain surrounding their physical security devices. For their part, manufacturers, integrators and operators must all exist inside a network of trust where vulnerabilities are identified and communicated honestly such that they can be rectified. Each individual must have a clear understanding of their responsibility to maintaining the highest standards of cyber hygiene.”

In conclusion, Smith noted: “The NCSC is right about these risks. The hope must be that the organisaion is currently working on more specific guidance for Critical National Infrastructure providers and local authorities. We currently have a situation whereby security cameras that are already banned from central Government sites on national security grounds continue to be deployed across the wider UK public sector.”

*View the NCSC’s 16-page Annual Review 2023 online