Public sector attacks
Over the last couple of years, public sector organisations have increasingly been the target of cyber attacks, and at the beginning of this month Transport for London (TfL) announced that it had faced a cyber incident. Thankfully, the attack did not disrupt transportation for the millions of Londoners who rely on TfL systems to travel.
It did, however, affect internal systems, and while TfL initially assured customers that there was no evidence of data compromise, it later confirmed that customer data, including names, phone numbers, email addresses and bank account details, had been stolen. Employee email addresses, job titles and employee numbers were also taken.
TfL managed the attack by shutting down its systems, which limited customer access to services such as refunds and processing of new Oyster Card applications, and made it difficult for staff to work as they had no access to email and web communications. It also asked its roughly 30,000 employees to make in-person appointments to verify their identities and reset their passwords following the attack.
The attack vector is yet to be confirmed, but the National Crime Agency (NCA) reported in mid-September that it had detained a 17-year-old boy from Walsall on suspicion of Computer Misuse Act offences related to the TfL attack.
Considering the potential for devastation, the impact of the attack was somewhat limited. The incident highlights the importance of ensuring that organisations providing critical services such as transport remain prepared for and resilient to cyber attacks. It also, along with attacks on other public institutions such as the National Health Service and the Ministry of Defence, demonstrates the range of threat actors targeting these services, from nation states to insider threats and amateur hackers.
The foundational cyber security measures in the National Cyber Security Centre’s 10 Steps to Cyber Security, such as effective access management and having a tested incident response plan, remain key to preventing and responding to cyber attacks.
In the King’s Speech in July, 40 new bills were proposed, including a new Cyber Security and Resilience Bill to strengthen the UK’s cyber defences, and ensure that critical infrastructure and the digital services companies rely on are secure. You can hear more about the new government’s priorities for cyber security at the ICAEW Annual Cyber Lecture in October where the opening address will be delivered by the Department for Science, Innovation and Technology’s Director of Cyber Security and Digital Identity.
Data centres now Critical National Infrastructure
In the first CNI designation in almost a decade, the UK government announced that it has classed UK data centres as Critical National Infrastructure (CNI), putting the sector on an equal footing with water, energy and emergency services systems.
The designation means that data centres will receive greater support from the government in recovering from and anticipating critical incidents, for example by receiving prioritised access to security agencies including the National Cyber Security Centre and coordinated access to emergency services should an incident occur.
In today’s interconnected world, data centres are important for the security and operations of many organisations in various industries and sectors, including accountants who use many cloud-based accounting applications and packages, as well as productivity and collaboration tools such as Microsoft Office 365. The CrowdStrike IT outage in July impacted Microsoft systems, which in turn highlighted how many organisations rely on the same interconnected services and applications. Supply-chain risk has been a recurring cyber security issue for accountants, and it is hoped that this move to improve the resilience of data centres will lead to improved resilience across the UK economy.
The announcement came as a private data company announced its plans to invest £3.75bn to build Europe’s largest data centre in the UK. The UK government expects that the recognition of data centres as CNI will provide reassurance and encouragement for companies to build more data centres in the UK, supporting sustained economic growth.
A Chinese botnet
The National Cyber Security Centre (NCSC) has published an announcement about a joint advisory, issued alongside partners in the United States, Australia, Canada and New Zealand, warning about a China-based company with links to the Chinese government which has managed a botnet of over 260,000 compromised devices around the world.
The advisory noted that 8,500 (3.2%) of those devices are in the UK. These include network devices such as routers and firewalls, as well as internet-connected devices like webcams and CCTV cameras. Threat actors can use the compromised devices to deliver attacks such as malware and distributed denial of service (DDoS) attacks, which can impact the availability and security of critical business operations.
The advisory provides indicators of compromise to help identify signs of device takeover. It also provides mitigation advice to prevent exploitation of the vulnerabilities that allow a device to be taken over. This includes recommendations on disabling unused services and ports, segmenting the network, replacing default passwords, applying patches and updates, and replacing end-of-life systems.
Legacy systems and unpatched systems have long been a challenge for accountants, with many finding it difficult to migrate onto new applications and systems. However, patching and replacing obsolete systems remain a critical part of good cyber hygiene, and the NCSC has developed guidance on device security, including keeping devices and software up to date, and guidance on reducing risks from obsolete products. These provide a good reference for accountants on how to mitigate the risks and address the challenges.