Improving the cybersecurity of Critical National Infrastructure

Power line pylons during sunset with beautiful blue sky.

EPSRC IAA funding has enabled Dr Tania Wallis from the School of Computing Science to launch a Supply Chain Expert Group (SCEG). This group of thought leaders is assisting operators of Critical National Infrastructure (CNI) to enhance their supplier assurance processes and engage their supply chains in preparing for and responding to cyberattacks.

The challenge

Cybersecurity attacks on Critical National Infrastructure, such as energy and water supply, transportation, health and telecommunications, are on the rise. Attackers increasingly use supply chains as ways to enter these systems. Notable examples include the SolarWinds attack, which compromised 18,000 organisations, and the Kaseya ransomware attack, which impacted 60 direct customers and 1,500 downstream businesses. Devices used in critical infrastructure are vulnerable due to the use of open-source software with security flaws, often no longer supported with updates.

These cybersecurity events have highlighted the importance of a collaborative, coordinated and consistent approach to counter threats. The concern is international, given that countries depend on global supply chains and use similar equipment in their infrastructures. In the UK, Security of Network & Information Systems (NIS) Regulations place expectations on operators of Critical National Infrastructure to take responsibility for the cybersecurity of their supply chains, especially where there is potential impact on the essential services they provide to society.

As a result, it has become increasingly important for suppliers to provide cybersecurity assurance – ensuring that systems and data are protected through robust security measures both during procurement and throughout the lifecycle of a product or service. It is also crucial that we increase our understanding and awareness of the potential impacts of cybersecurity events on cyber-physical systems. Given their reliance on extensive supply chains, managing these assurance processes is costly for both operators and suppliers.

The response

Dr Tania Wallis launched the Supply Chain Expert Group (SCEG), within the National Cyber Security Centre's (NCSC) Industrial Control System Community of Interest (ICS-COI), to guide the implementation of cybersecurity improvements across Critical National Infrastructure supply chains by providing illustrations of best practice applicable to Operational Technology (OT).

This group is giving a voice to operators of Critical National Infrastructure, enabling practical experiences to be shared and co-producing guidance on supplier assurance. These collaborative activities aim to effectively enhance the overall cybersecurity of this infrastructure.

Outcomes

SCEG has grown into a strong network of 40 members who are actively contributing to this challenge. SCEG members come from the energy, transport, water, health and food sectors, and include operators, manufacturers, systems integrators, consultants and solution providers. The outputs produced by SCEG reflect and synthesise the experiences and expertise of the sectors represented by the members.

  • SCEG is co-producing guidance to assist cybersecurity process improvements within and across Critical National Infrastructure organisations.
  • SCEG is encouraging cross-fertilisation between sectors. Progress viewed in one sector inspires other sectors to find a path towards improving their cybersecurity.
  • SCEG is working in parallel with and shares knowledge with the government’s National Cyber Security Centre on supply chain cybersecurity activities.
  • SCEG actively developed partnership principles that enabled the Department of Energy Security to launch a Code of Practice & Partnership (CoPP) in collaboration with BEAMA, the UK trade association for providers of energy infrastructure representing more than 200 supplier companies. The energy CoPP was launched to enhance preparations with the energy supply chain. Bringing together operators, suppliers, and integrators, the CoPP seeks to create open and transparent relationships, improve the joint understanding of cyber security requirements and challenges, and draw on best practice to collectively make energy sector cyber security improvements.
  • The Future Water Association’s new cyber resilience working group is leveraging tools and approaches from SCEG to guide their roadmap for working with suppliers in the water sector.
  • The rail sector asked us to provide supply chain input to IEC 63452, which sets cybersecurity management standards for the railway sector. All our comments were included in the Rail Safety and Standards Board’s submission to the British Standards Institution.

Experience of the SCEG formation, leadership and outputs has been presented to:

  • NCSC Industrial Control Systems Community of Interest.
  • IET Cyber Security for Critical Industries event in Sept 2023. 
  • KPMG International Information Integrity Institute I-4 in March 2024.
  • SmartGridTech Week in March 2024, Amsterdam.

This IAA project has laid the foundations for SCEG to continue building a body of knowledge with active stakeholders and guide the implementation of OT cybersecurity improvements across critical infrastructure supply chains.