Telecommunications, the electricity supply and the NHS are all vulnerable to cyber attack © FT Montage/Dreamstime

Executives from Britain’s main energy companies were warned last month to tighten their scrutiny of blackouts across the country in light of the nerve agent attack on a former Russian agent in Salisbury because frequent or long periods of disruption could be the sign of a cyber attack.

Infrastructure companies say they are on constant alert for such attacks, which are relatively commonplace on operators of Britain’s infrastructure. But fears over the ability of Russia in particular to disrupt the country’s critical services — from electricity grids to telecom networks and NHS hospitals — have heightened in the wake of the US-led military strikes on Syria over the weekend.

The US and UK security services issued a joint warning in the wake of the military action that Russia was deliberately targeting critical western internet-based infrastructure and for the first time offered advice on how companies and utilities can protect themselves.

Lord Arbuthnot of Edrom, a former chair of the Commons defence committee, who now advises the Electric Infrastructure Security Council, said securing the electricity network in particular was a priority as water supplies and sewage facilities, as well as communications services, are all dependent on electrical power.

“If you take down the electricity network, you very quickly take down everything else as well,” he said. “The vulnerability is real.”

Cyber security is “one of the government’s top national security priorities”, said a spokesperson for the Department for Business, Energy and Industrial Strategy, who pointed out that there had never been a successful cyber attack on the UK energy sector that had disrupted energy supplies.

The Energy Networks Association said: “Network companies are aware of the increased threat level relating to cyber security and work closely with Government and across industry to prepare for any attack.”

Despite the reassurance, the rate of cyber attacks is only expected to rise. BT, the UK’s largest telecoms company, which controls the national broadband network, said that attacks on its network had risen a thousand-fold over the past five years. The company currently identifies or repels hundreds of attacks each day.

Telecoms companies have worked alongside the UK National Cyber Security Centre for years to monitor and combat threats. There has been a “heightened awareness on Russia with the recent rise in tension”, according to a person with direct knowledge of the situation.

Those behind the attacks include state-backed malicious actors and those engaged in organised crime. Much of the activity emanates from Russia and China, according to senior telecoms executives.

Robert Hannigan, former director of GCHQ, the surveillance arm of the UK intelligence services, said one of the key challenges was that “the infrastructure of the internet was not built with security in mind”.

“We are trying to retrofit security into it,” he said.

Telecoms companies say the nature of attacks has become more sophisticated, moving from attempts to hack people’s devices to more concerted efforts to get into the “plumbing” of the internet — the routers and servers that underpin internet access — in an attempt to access the network.

A dramatic attack aimed at disabling the UK’s digital infrastructure is less likely than these hacks into routers and servers as there is no single “internet” network for malicious actors to target, say security analysts. “Routing, by its very nature, is diverse. It is resilient,” said one cyber security expert in the telecoms sector, although he warned that a “Doomsday” event could not be ruled out.

Mark Hughes, head of security at BT, said nothing could be taken for granted. “The threat is for real.”

The advice in Monday’s joint report by the US Department of Homeland Security, the US Federal Bureau of Investigation and the UK’s NCSC focused on common problems in routers, firewalls and switches rather than so-called “zero-day” vulnerabilities that are unknown to manufacturers.

The agencies said Russians frequently target businesses that have failed to set up strong passwords, update IT software or encrypt information. The report suggested updating passwords and security systems as well as encrypting information and updating software.

Vulnerabilities commonly affect infrastructure businesses operating, for example, water plants, energy sources or ports that cannot be switched off. To update security systems, businesses need to halt services for a short period, which some cannot easily do.

“Businesses may have legacy systems in place that have not been properly configured,” said Graham Cluley, a cyber security analyst. “Some of the industrial groups would be really worried about upgrading their hardware.”

“The world has changed and intelligence agencies are having to adapt this,” said Steven Murdoch, a security researcher at University College London. “A lot of the things that are being exploited have been known for years — or even decades.”

NHS still vulnerable to cyber attack

It is almost a year since the WannaCry malware attack on the National Health Service engulfed more than a third of health trusts, forcing some to turn away all but emergency patients, and others to cancel non-urgent operations and appointments, writes Sarah Neville.

However, in a report on Wednesday the House of Commons public accounts committee delivered a highly critical assessment of the health service’s readiness to repel a future attack — including one that, unlike last year’s, may be motivated by a malicious desire to steal patient data.

The watchdog noted that in February, the health department and the two bodies that run the health service, NHS England and NHS Improvement, had issued more than 20 recommendations for strengthening the NHS’s cyber security.

However, it said “implementation plans have yet to be agreed, and the department does not know exactly how much the recommendations will cost or when they will be implemented”. Some NHS organisations still have a lot to do to improve their cyber security, it added, mentioning Barts Health NHS Trust in London, one of the largest NHS bodies affected by WannaCry.

NHS England had assured the committee that since the WannaCry attack it had “better visibility of trusts’ preparedness and which trusts it needs to be most worried about”. Yet it emerged at the committee’s evidence session that 200 trusts had failed on-site assessments to test cyber security and identify vulnerabilities at 200 trusts.

“We are told that this was because a high bar had been set for NHS providers to meet the required standard; but some of the trusts had failed the assessment purely because they had still not patched their systems — the main reason the NHS had been vulnerable to WannaCry,” the committee said.

Meg Hillier, who chairs the PAC, said it was “alarming that, nearly a year on from WannaCry, plans to implement the lessons learned are still to be agreed”.

She said that the case served as a warning to the whole of government and was “a foretaste of the devastation that could be wrought by a more malicious and sophisticated attack”.

“When it comes, the UK must be ready,” she added.

Get alerts on University College London when a new story is published

Copyright The Financial Times Limited 2022. All rights reserved.
Reuse this content (opens in new window) CommentsJump to comments section

Follow the topics in this article