A new perspective on our nation’s mission-critical infrastructure and its unique digital journey

Peter Clapton
The UK Government is keenly aware of the Critical National Infrastructure (CNI) sector’s importance when it comes to maintaining the safety, security, and quality of life for the citizens it serves, along with underpinning the stability and growth of the UK economy. As such, the CNI ecosystem has been expanded, with the new NIS directive and Cyber Resilience Bill recognising both the operators of these CNI assets and the supply chain of organisations that support the delivery of these critical services.
As a result of this shift, my colleagues and I across the Exponential-e Group are currently engaged in a wide range of conversations with Operators of Essential Services (OESs) across the UK who have found themselves challenged both to accelerate their investment in digital transformation and to ensure their underlying infrastructure delivers the very highest standards of resilience, security, performance, and availability, in line with emerging Government expectations and regulatory standards.
However, with a rapidly evolving threat landscape and a growing range of stringent compliance obligations, many of the OESs we engage with have found that some of the legacy systems that will connect to these more digitally converged environments are no longer fit for purpose, presenting an additional challenge. While this requires careful consideration and the support of trusted technology partners, I would argue that it also represents a unique opportunity to rethink and transform the way critical services are delivered across the country, one which OESs and their technology partners must embrace.
Technical debt – a barrier to futureproofing our nation’s critical services
As a rule, CNI projects are built as high-value investments using public and private finance, depreciated over many years, to deliver a stable, long-term return on investment (ROI). Whilst this works for bricks, mortar, and major plant, the accelerating pace of digital technologies means that, if left unchecked, there can be an overreliance on legacy assets – known as ‘technical debt’ – to support mission-critical functions. Such assets frequently remain in service beyond the vendors’ intended life expectancy and can be implemented without consideration for ongoing support.
In most cases, these assets are segregated and air-gapped from networked IT systems and infrastructure to ensure bad actors are unable to take advantage of security vulnerabilities created through a lack of firmware updates and patching, or the use of insecure legacy protocols. As a result, as CNI operators look to converge Information Technology (IT) and Operational Technology (OT) to meet the demand for operational efficiency and data-driven decision-making, legacy assets can block progress and present a major security risk if neglected.
CNI infrastructure must evolve at pace in response to these challenges, with both the physical and the digital in mind. However, the move away from legacy systems and management of technical debt is a complex process, with even the smallest period of downtime being unacceptable, and so requires a phased migration rather than a ‘lift and shift’ approach.
Making intelligent digital investments
Technologies like AI and ML are likely to rapidly establish themselves across CNI operations in a comparatively short period, and whether intended or unintended, this journey shows no signs of slowing down. We can already see this in numerous high-profile projects, either recently built or under construction, including factories, food production, logistics hubs, and transport.
But the excitement around these potentially transformative technologies must be focused and bounded so as not to lose sight of the foundation of what they are required to deliver as an outcome. All too often, the assumption is that assets will become ‘connected’ straight away, with their availability, output, and efficiency optimised using edge IoT, opening the door to the real-time insights that drive effective decision-making.
However, these goals will only be achieved if OESs are ready to invest in the right foundation: converged environments that monitor and control the secure flow of data between IT and OT.
An increasingly complex, fast-paced threat landscape
Any new technology, or any integration between existing platforms, will bring with it a range of potential attack vectors, many of which will go undetected until a breach occurs. In a turbulent geopolitical landscape, CNI sites represent attractive targets to a range of bad actors. Consideration therefore needs to be given to the diverse Tactics, Techniques, and Procedures (TTPs) and Advanced Persistent Threats (APTs) used by those intent on disrupting the availability of critical services.
In this respect, the obligations of an OES have evolved (and continue to evolve), with the IEC-62443 standard, the new Cyber Security and Resilience Bill, the NCSC NIS 2018 directive, and CAF V4 setting out minimum best practice and compliance expectations for those responsible for the security and resilience of mission-critical infrastructure.
CNI security ecosystems need a layered approach, often defined as ‘defence-in-depth’. This looks beyond the deployment of cyber products and technology as a single line of defence, and considers the roles, competency, and clearance of staff and stakeholders, the security of processes and systems, the integrity of the design, the criticality of the service, and identifiable risks and mitigations. This will not only help OESs avoid the dire financial and reputational consequences of a breach, but – in many cases – result in lives saved by ensuring critical services are always readily available, 24/7.
The right choice of technology partners
As an OES operating in one of the CNI verticals, you need to be confident in your choice of technology partners. In this regard, the Exponential-e Group provides a centre of excellence – focused, skilled, and experienced in the delivery of cyber-secured engineered platforms, networks, infrastructure, managed services, and 24/7 support. Do not hesitate to get in touch if you would like to discuss your own digital journey in depth.