Threat of cyber attacks to national security compared to that of chemical weapons

The UK government now deems the risk of cyber attacks to be more severe than that presented by small-scale chemical, biological, radiological, or nuclear (CBRN) attacks, such as the Salisbury poisoning.

That’s according to its latest National Risk Register (NRR) report for 2023, which assigns severity scores to various scenarios that could have a substantial impact on the safety and security of the UK at a national level.

Cyber attacks on infrastructure were given an impact rating of 3 out of 5 or ‘moderate’, alongside risks such as severe storms brought on by climate change and terrorist attacks on transport. Small-scale CBRN attacks were rated 2 or ‘limited’, in comparison.

This represented an escalation in severity since the 2020 NRR, which had classified cyber attacks as a ‘minor’ risk that would affect essential services for less than 12 hours and cause only tens of millions of pounds in damage.

Scores of 4 or 5 indicated a ‘significant’ or ‘catastrophic’ impact. Risks deemed ‘catastrophic’, associated with tens of billions of pounds in damages and more than 1,000 fatalities, included pandemics, nuclear accidents, and large-scale CBRN attacks.

In the latest edition, the government now believes major cyber attacks could lead to much more serious consequences which, in some cases, could take months to recover from.

Cyber attacks on UK energy infrastructure including nuclear systems, fuel supply, health and social care systems, the transport sector, and telecommunications were assessed as part of a widespread government analysis of the greatest threats facing the UK.

Future of CNI attacks

The threat of cyber attacks on critical national infrastructure (CNI) has always been real, and it is one the cyber security industry has seen on a number of occasions.

One of the most notable of recent years was REvil's ransomware attack on Colonial Pipeline in 2021. The attack saw fuel distribution throughout the east coast of the US grind to a halt, causing immense disruption.

That was a freak, rare occurrence, which is why it sticks in the memory of those in the field. However, throughout this year national security experts have raised the alarm over the threat of attacks on CNI.

The ongoing conflict in Russia has prompted the UK's NCSC to advise CNI operators to 'expect' attacks from Russia-aligned adversaries.

The former leader of the NCSC, Ciaran Martin, also told ITPro earlier this year that he expects CNI to be the next big target for ransomware outfits.

Attacks such as those on critical national infrastructure were considered through the lens of both cyber and conventional attacks. 

The report concluded that although a sophisticated cyber attack on electricity infrastructure could be quicker to remedy than an attack on the same target using conventional weapons, it may have a larger effect on other critical services.

Though cyber attacks as a whole were deemed ‘moderate’ in impact, an attack that led to the total failure of the National Electricity Transmission System, for example, was considered ‘catastrophic’ in impact due to the knock-on effect it would have on telecoms, water, sewage, and fuel.

Experts across areas including cyber, climate, terrorism, and state threats consulted with the government to inform the results. Historical events were used to place some risks in context. 

For example, the WannaCry incident was cited in the government’s analysis of the potential risks of a cyber attack on UK health and social care systems, an event which it deemed would have immediate effects.

Other risks lacked specific detail, which the government stated was necessary in order to provide transparency while protecting national security and commercial secrets.

In all, the government assessed 89 risks that could have a substantial impact on the safety and security of the UK at a national level if they came to pass as part of its latest NRR.

Each of the 89 risks was placed on a matrix grouped by likelihood, ranging from less than 0.2% for a worst-case scenario to occur within a set period, to a greater than 25% chance. Malicious risks were considered over a two-year period, versus a five-year period for non-malicious risks. 

While non-malicious risks were assessed by relevant government departments and expressed with a percentage value to represent their likelihood, malicious risks underwent a three-part risk consideration. This took into account the vulnerability of targets, the intent of threat actors, and their ability to conduct a successful attack.

All cyber attack risks were grouped together to form an average risk assessment on the matrix and were found overall to represent a moderate risk, with a likelihood of between 5% and 25%.

Risks were also scored on severity from minor, which could result in millions of pounds in damage and 1-8 fatalities, to catastrophic, which would result in tens of billions of pounds of damage and more than 1,000 fatalities.

The risk groups assessed in the document were:

  • Terrorism
  • Cyber
  • State threats
  • Geographic and diplomatic
  • Accidents and system failures
  • Natural and environmental hazards
  • Human, animal, and plant health
  • Societal
  • Conflict and instability

Rory Bathgate
Features and Multimedia Editor