20 April 2016
This article was posted prior to the rebrand of Lockheed Martin to Leidos on Wednesday 17th August 2016.by Andy Madge
Cyber Resiliency in Society: Why Should We Care?
We recently published a new study in partnership with the Cambridge Centre for Risk Studies (CCRS), part of the University of Cambridge’s Judge Business School. The report, Integrated Infrastructure: Cyber Resiliency in Society, models the potential impact of a coordinated and sustained cyberattack on one of the UK’s regional power distribution networks and the likely short and long term costs to the UK economy.
Together with the CCRS team we engaged with many facets of government, industry, power network operators and regulators to understand the quantifiable financial risk associated with a ficticious, let plausible, cyberattack on London’s sub-stations. Applying the CCRS GDP@Risk methodology we are able to estimate an attack of this nature would cost the UK economy upwards of £50bn in the most conservative estimates.
But why do we care? What role does industry and private entities such as Lockheed Martin have to gain by encouraging collaboration on strategy, protection, reaction and remediation of large-scale cyber incidents?
We are increasingly connected through, and reliant on, digital infrastructure to drive innovation, expedite efficiency and fuel better decisions. Information security is a critical focus for Lockheed Martin’s sustainability efforts - The Science of Citizenship. The digital age has accelerated the threat of cyber disruptions and increased the available attack surface of critical assets, networks and systems that sustain a nation’s safety and prosperity.
Understanding the consequences to such critical infrastructure from a severe cyber hazard represents a shared responsibility among national and local entities, public and private owners and operators, and the IT hardware and service providers in their value chains. What’s needed is an intelligence-driven defence, and this research endeavours to contribute to that knowledge-base.
The scenario and associated impacts detailed in this report suggest the network effect of two dimensions of cyber resiliency that are particularly relevant to containing disruptions to business and daily life. We focused on infrastructure resiliency that requires a heightened level of security; a level which brings intelligence analysis of both physical and cyber assets to the forefront. With many pieces of rogue hardware in place and a faithful insider threat ring, multiple power substations can be simultaneously disabled using mobile devices and cut power to a significant number of electricity users.
The report illustrates why traditional security postures and protocols are insufficient to address the threat landscape we face today, characterised by advanced persistent threats (APTs), sometimes involving nation-state backing or coordination. We only have to look at the Ukraine BlackEnergy for the immediate impact it can have on the population, never mind the months of effort to understand how the attack succeeded.
Critical national infrastructure owners and operators will recognise the criticality of the depth of human and technical resources allocated to ICT system security, including identifying critical power distribution substations.
Certainly, hyper-connectivity is a powerful development tool and, in the case of energy infrastructure, presents an opportunity for governments, business, and individuals alike - a tool that enables a smarter, more efficient power grid. The challenge lies in our ability to balance and manage a complex set of cyber risks for the foreseeable future.
How we measure progress, apply critical intelligence, train skilled analysts, share information and model infrastructure independencies will determine our cyber preparedness when it matters most. Whatever the case, this is not a problem that lies with network operators, government, industry or private companies alone. We must all collaborate and contribute to a more cyber-secure future.