
UK’s NCSC Issues Warning on DDoS Attacks: What You Need To Know

Last month, the UK’s National Cyber Security Centre (NCSC) issued a warning to critical national infrastructure organizations about an emerging threat from state-aligned groups that have stated an intent to launch “destructive and disruptive attacks.” The threat, which has been emerging for the last 18 months, comes from groups sympathetic to Russia’s invasion of Ukraine. Because these groups are neither motivated by financial gain nor controlled by the state, their actions are expected to be both broader and less predictable than those of traditional cyber criminals. 

The NCSC’s warning notes that critical national infrastructure organizations are prime targets due to their role in providing essential services to the public. The warning mentioned DDoS attacks in particular, since these are the most likely form of attack in the near future.  

In this blog post, we’ll cut through the noise around the NCSC’s warning and explain what it means. We’ll also explain the implications for critical national infrastructure organizations, and we’ll explore some measures that companies can take to protect against DDoS attacks. 

Who is the NCSC’s warning directed towards? 

The April 2023 alert is directed towards critical national infrastructure (CNI) organizations in the United Kingdom. The CNI designation includes the systems that are crucial for the everyday functioning of the UK’s economy, security, and public health and safety.  

Specifically, the UK’s critical national infrastructure includes 13 key sectors: 

  • Chemicals 
  • Civil Nuclear 
  • Communications 
  • Defense 
  • Emergency Services 
  • Energy 
  • Finance 
  • Food 
  • Government 
  • Health 
  • Space 
  • Transport 
  • Water 

Because these CNI organizations are crucial to the everyday functioning of life in the UK, they are particularly attractive targets for cybercriminals, including attackers funded by nation-states. 

What are the top cyber threats to critical infrastructure? 

The NCSC’s warning focused on DDoS attacks, website defacements, and the spread of misinformation, which it said were the most likely short-term attack vectors. But it also made clear that some attackers were seeking more destructive long-term effects through other forms of attack. Here, we’ve outlined a few of the top cyberthreats that pose imminent risks to infrastructure organizations. 

Ransomware attacks: Ransomware attacks involve encrypting an organization’s data, refusing to release the decryption key, and sometimes even threatening to publish sensitive information unless a ransom is paid. These attacks can result in significant downtime, loss of critical data, regulatory fines, and lost revenue. CNI organizations are particularly vulnerable to ransomware attacks, as they cannot afford to have their systems and services compromised without disrupting essential services. 

Insider threats: Insider threats refer to attacks perpetrated by employees, trusted individuals, or third-party vendors with access to an organization’s systems. Insider threats can be intentional (think malicious leaks of information) or unintentional (think sensitive data being accidentally sent to the wrong recipient). These threats can cause significant harm to CNI organizations when sensitive data about their operations is leaked to criminals. 

Advanced persistent threats (APTs): APTs are sophisticated and targeted attacks that involve gaining unauthorized access to an organization’s systems and then remaining undetected. APTs can be used to exfiltrate sensitive data, disrupt operations, or compromise vital systems — all of which are particularly concerning for critical infrastructure organizations. These attacks can be stealthy, persistent, and highly damaging. 

Why did the NCSC flag DDoS attacks?

One of the top threats highlighted in the NCSC’s report was distributed denial of service (DDoS) attacks. That’s because, the agency warned, any short-term activity from the threat actors they’ve identified is likely to come in the form of DDoS attacks. 

DDoS attacks are a particularly concerning cyberthreat that can cause severe disruptions in companies of all sizes, including CNI organizations. They work by flooding networks with malicious traffic, making critical websites, systems, and services unavailable to their users. The scale and complexity of these attacks have increased over the years, with attackers now employing more sophisticated techniques to launch massive, hard-to-defend attacks.

The NCSC’s April 2023 warning highlights the pressing need for CNI organizations to take proactive measures to protect against these DDoS attacks. After all, going offline can have massive implications for critical infrastructure systems. 

For instance, a successful DDoS attack on an energy company could disrupt power grids, cause widespread power outages, and shut down hospitals, schools, and defense systems. An attack on traffic management systems could impede transportation, shipping, and safety, and an attack on water plants could shut down vital water and wastewater processing. 

How can infrastructure organizations protect themselves from DDoS?

Given the NCSC’s warning and the increasing complexity of DDoS attacks, it’s crucial for CNI organizations to secure their systems and networks. Here are some proactive steps that organizations can take to bolster their DDoS protection: 

Develop a robust incident response plan: CNI organizations should have a well-defined incident response plan for not only DDoS attacks but also for all cyberthreats. The plan should outline the roles and responsibilities of team members, define escalation procedures, and include contact information for relevant stakeholders like law enforcement. 

Recognize all forms of DDoS activity: Large, high-volume DDoS attacks are not the only form of DDoS activity. Short-duration, low-volume attacks are becoming increasingly common, and they can give cybercriminals valuable information about a company’s security vulnerabilities. It’s important that infrastructure organizations understand their normal network traffic patterns so they can catch these smaller attacks.

Beware of smokescreens: Small, sub-saturating DDoS attacks can also be used to distract IT security staff from more nefarious network infiltrations, such as ransomware. Such attacks typically last only a few minutes, which means that they can easily slip under the radar of legacy traffic monitoring and DDoS protection systems. Given the threat actors’ stated intent to cause destruction and not just disruption, even small attacks like these should be regarded with extreme caution.
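The two points above (short, low-volume attacks and sub-saturating smokescreens) come down to the same detection gap: a check that only fires when a link saturates never sees a burst that stays well below that line. The following added example, which is not Corero's code, contrasts that legacy fixed-threshold check with a baseline-deviation check over constructed 10-second packet-rate buckets; the saturation figure, baseline window and deviation multiplier are assumed values for illustration.

```python
"""Detect short, sub-saturating traffic bursts against a learned baseline.

Added example (not Corero's code): a legacy fixed-threshold check next to a
per-bucket baseline check, run over constructed per-second packet counts.
"""
from statistics import mean, pstdev

# Constructed sample: 10-second buckets of inbound packets per second (pps).
# Steady state is ~20,000 pps with a 90-second burst of ~120,000 pps in the
# middle, far below the assumed 1,000,000 pps saturation point of the link.
SAMPLES = [20_100, 19_800, 20_400, 19_900, 20_200, 20_000, 19_700, 20_300,
           118_000, 124_000, 121_500, 119_800, 123_200, 120_700, 122_400,
           125_100, 118_900,
           20_100, 19_900, 20_200, 20_000, 19_800, 20_300, 20_100]
BUCKET_SECONDS = 10
SATURATION_PPS = 1_000_000  # assumed legacy trigger: fires only when the pipe is full


def fixed_threshold_alerts(samples, threshold=SATURATION_PPS):
    """Legacy check: return bucket indexes whose rate exceeds saturation."""
    return [i for i, pps in enumerate(samples) if pps > threshold]


def baseline_bursts(samples, train_buckets=8, k=6.0, min_buckets=2):
    """Flag runs of buckets that deviate from a baseline learned from the first
    train_buckets samples. Returns (start_index, end_index, peak_pps) tuples."""
    base = samples[:train_buckets]
    mu, sigma = mean(base), max(pstdev(base), 1.0)  # floor sigma for flat baselines
    limit = mu + k * sigma
    bursts, start = [], None
    for i, pps in enumerate(samples):
        if pps > limit and start is None:
            start = i                      # burst begins
        elif pps <= limit and start is not None:
            if i - start >= min_buckets:   # ignore single-bucket blips
                bursts.append((start, i - 1, max(samples[start:i])))
            start = None
    if start is not None and len(samples) - start >= min_buckets:
        bursts.append((start, len(samples) - 1, max(samples[start:])))
    return bursts


def burst_duration_seconds(burst, bucket_seconds=BUCKET_SECONDS):
    """Wall-clock length of a flagged burst, useful for spotting short smokescreens."""
    start, end, _ = burst
    return (end - start + 1) * bucket_seconds


if __name__ == "__main__":
    print("fixed-threshold alerts:", fixed_threshold_alerts(SAMPLES))  # []
    for b in baseline_bursts(SAMPLES):
        print(f"burst buckets {b[0]}-{b[1]}, peak {b[2]:,} pps, "
              f"{burst_duration_seconds(b)} s")  # buckets 8-16, 90 s
```

On the sample data the saturation check raises nothing, while the baseline check reports one 90-second burst peaking at 125,100 pps, which is the kind of event the text says legacy monitoring tends to miss.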

Consider Corero’s real-time DDoS protection solution

For stronger protection against a wide range of attacks, consider Corero’s real-time, automatic DDoS protection platform. Our solution identifies DDoS traffic as it happens and immediately removes attacks of all sizes. This eliminates the need for manually analyzing events and rerouting traffic, shrinking the response timeline to seconds.  

With Corero’s solution, companies can respond more quickly and agilely to DDoS attacks of all sizes. That includes critical infrastructure organizations, which are facing threats that legacy solutions cannot fully meet.  

To learn more about Corero’s DDoS protection solution, visit our solutions page or schedule a demo with us today. 