The security, economic prosperity and social wellbeing of the nation depend on the reliable functioning of increasingly complex and interdependent infrastructures. These include energy systems (electric power, oil, and natural gas), telecommunications, water supply systems, transportation (road, rail, air, and water), banking and finance, and emergency and government services. In the new economy, these interconnected infrastructures have become increasingly fragile and subject to disruptions that can have broad regional, national and global consequences.
The potential for a terrorist organisation to target, for example, a power station, either by means of a physical attack, or through the use of cyber weaponry, is critical. However, the interdependency of the power station, the water treatment plant that it powers and the hospital reliant upon clean water makes the same attack catastrophic. In order to address this situation, there has to be a robust means of assessing the risk, realising the impact and then arriving with appropriate prevention and mitigation strategies.
New breed of terrorist
The attacks against targets in New York and London on 11 September 2001 and 7 July 2005 re-focused the way the world views terrorism, in as much as there is now recognition of a new breed of terrorist who is quite prepared to carry out operations of mass murder, and kill themselves in the process. There is fear of, and potential for, battle hardened Jihadists returning from Syria and Iraq, with the intention of attacking a country they see as being a natural enemy of Islam. It is not beyond the bounds of logical thinking that they may identify critical infrastructure as the most effective means of attacking an enemy.
The United Kingdom is globally influential in terms of political persuasion, economic strength and military capability. It is also a very sophisticated and advanced nation state reliant on telecommunications superiority, and the interdependency of its critical infrastructures. For a variety of reasons, it is very attractive to disparate global terrorist organisations.
What we depend on
The UK’s national infrastructure is defined by the Government as: “Those facilities, systems, sites and networks necessary for the functioning of the country and the delivery of the essential services upon which daily life in the UK depends.” The national infrastructure is categorised into nine sectors: communications; emergency services; energy; financial services; food; government; health; transport; and water.
There are some cross-sector themes such as technology wherein there may be infrastructure which supports the delivery of essential services across a number of sectors.
Infrastructure is categorised according to its value or ‘criticality’ and the impact of its loss. This categorisation is achieved by using the Government’s ‘criticality scale’, which assigns categories for different degrees of severity of impact. However, not everything within a national infrastructure sector is ‘critical’. Within the sectors there are certain critical elements of infrastructure, the loss or compromise of which would have a major detrimental impact on the availability or integrity of essential services, leading to severe economic or social consequences or to loss of life. These critical assets make up the nation’s critical national infrastructure (CNI) and are referred to individually as ‘infrastructure assets’. Infrastructure assets may be physical (sites, installations, pieces of equipment) or logical (information networks, systems).
The gravest threat
The Government of the United Kingdom relies on the Centre for the Protection of National Infrastructure (CPNI) to offer effective advice in relation to a number of threats that, if carried out successfully, will impact critical national infrastructures, with terrorism being accepted as one of the gravest threats facing the UK today. Of course, not all sectors of the national infrastructures, such as the government and the emergency services, are potentially easy targets, but communications, energy, food and water may be very vulnerable to a terrorist attack if not protected effectively.
There are proven physical means of defending against the terrorist who intends to attack the power station, the food supply chain and the UK’s water supply. In the main, this line of defence and deterrence will be supported by such strategies as defence in depth and integrated physical and electronic security systems, the idea being to deter, detect, delay and respond.
Equally, an attack against a power station may be mitigated by ensuring that there is an immediate pick up of power supply from other power stations in the National Grid. There are probably adequate food supplies in the UK to supplement any areas that are subject to a terrorist attack, and water replenishment can be gained from other areas of the UK, or perhaps from the EU and further afield.
However, the greatest concern the government of the United Kingdom must have relates to a successful terrorist attack against the country’s information communications and technology (ICT) infrastructure. Cyber crime is a concern, but a successful cyber terrorist attack would have the potential to be catastrophic.
Writing about cyber-attacks in Professional Security Magazine (Oct 2014), Richard Horne, Cyber Partner at PwC argues: “In our connected world, it’s not just big banks and traditional elements of critical national infrastructure that need to take this seriously – all organisations need to manage the risk.”
In the UK Government’s national security strategy ‘A Strong Britain in an Age of Uncertainty’ hostile attack upon UK cyber space is classified as a tier one attack (being the highest level of threat on a scale of one to four), accompanying threats such as international terrorism, a major accident or natural hazard requiring a national response and an international military crisis between states.
The thought of a terrorist organisation carrying out a successful cyber-attack against the UK’s internet and telecommunications capability, now referred to as the fourth utility, is of major concern; but could it occur, and what would the impact be?
Likelihood of a successful cyber attack
It is declared in the national security strategy that the Government, the private sector and citizens are under sustained cyber attack today, from both hostile states and criminals.
On 14 July 2014, Prime Minister David Cameron pledged £1.1 billion to fight cyber terrorists, stating: “The Armed Forces must adapt to deal with ‘unseen enemies’, and that... terrorist plots hatched thousands of miles away threaten to cause harm on our streets.”
History is littered with examples of successful cyber attacks; emanating from aggressors ranging from high school student hackers to nation states attempting to complete a ‘denial of service’ against another country. There is no reason to believe that the Prime Minister of a technically-advanced country such as the United Kingdom would make a significant financial pledge without evidence of the capability of the today’s terrorist.
The planning command of Al Qaeda did not calculate their 9/11 ‘martyrdom operation’on a wing and a prayer. They must have been in possession of sufficient internet generated intelligence to give them the confidence to carry out the attack. Therefore, it may be argued that the likelihood of a terrorist cyber attack is very high indeed.
If, through the due process of risk assessment, it is believed that the likelihood of an attack is high, the next step in the procedure is to ascertain what the impact of such an attack would be.
As discussed earlier in this article, an attack against a critical asset and the interdependent consequential impact on other sectors has the potential to be catastrophic.
Cyber terrorism is not science fiction; it is likely to be within the capabilities of a number of organisations to carry out this form of attack against the UK’s CNI.
Published results of the National Risk Assessment in 2010 discussed the likelihood and impact of a cyber-attack against the UK CNI, with the authors stating: “Attacks in cyberspace can have a potentially devastating real-world effect. Government, military, industrial and economic targets, including critical services, could feasibly be disrupted by a capable adversary. ‘Stuxnet’, a computer worm discovered in June 2010, was seemingly designed to target industrial control equipment. Although no damage to the UK has been done as a result, it is an example of the realities of the dangers of our inter-connected world.”
Islamic State influence is growing at an alarming rate since the group took control of the Iraqi central city of Falluja in 2013, and then in June 2014, overran the northern city of Mosul, before advancing southwards towards Baghdad. The terrorist group has proven time and again that it has no moral principles, and is quite prepared to take the offensive to its enemies.
By far, one of the most frightening scenarios imaginable would be for Islamic State or its sympathisers to be in a position to attack one of the United Kingdom’s CNI. Using the internet to attack the UK’s energy distribution and support systems, or perhaps the National Air Traffic Services (NATS), with the ensuing chaos and potential loss of life does not bear thinking about.
To arrogantly ignore this form of threat to the Critical National Infrastructures of the United Kingdom would not only be foolish, it could be a catastrophe that may be impossible to recover from.