The Cyber Factor – physical and digital interconnections

In Nightsleeper terrorists take over not just the Glasgow to London train, but also the UK’s railway infrastructure, which means they can switch points and re-route trains - ultimately at high speed into Victoria Station. The takeaway lesson is that the results of a cyber-attack can impact physical, as well as digital, infrastructure… and we may not always have an action man on board or a super nerd at the other end of a satellite phone.

Before starring in Nightsleeper the National Cyber Security Centre, in its 2023, review noted the threat to UK critical infrastructure. Energy, water, and transportation systems (among others) are intrinsically tied to real estate and physical infrastructure. However, advances in technology and digital modernisation mean that these are now more broadly interconnected with digital networks. The NCSC has rightly highlighted that a more ‘holistic’ approach needs to be taken when considering the exposures to critical infrastructure. Older paradigms that focus solely on bricks and mortar no longer hold, and digital infrastructure needs to be recognised as an intrinsic part of an organisation’s exposure.

New EU legislation and a new UK cybersecurity bill in the UK are specifically aimed at protecting critical national infrastructure so we are on the cusp of a revamped national approach to cyber regulation. Elements of this have been in the works for some years, particularly in the EU. However, the pending changes are worth reviewing through the lens of some recent real-life examples where critical infrastructure has proven vulnerable and where cyber threats have disrupted physical operations as well as impacting sensitive information.

Let’s get physical

The Colonial Pipeline supplies about 45% of the fuel consumed on the U.S. East Coast and connects oil refineries to industry markets (including airports). In 2021 it was hit by a ransomware attack and a ransom of 75 bitcoins was ultimately paid (approximately $4.4 million at the time of payment). To compound the crisis, operations had to be shut down to contain the attack which led to widespread fuel shortages and panic buying.  The US authorities declared a state of emergency.

The Colonial Pipeline attack followed soon after hackers breached a Florida water treatment plant that used aging software to monitor its operations on systems which all shared a common password. The hackers were able to access the facility and increased the sodium hydroxide levels present within the water. Fortunately, the access and attempted contamination were caught by prompt human intervention before the relative concentrations became harmful to health. 

On the other side of the Atlantic in November 2023, an unexplained computer glitch almost flooded Amsterdam after it caused the automated sluice gates running across the Dutch canal and flood prevention network to malfunction. Suspicions were only aroused when canal water levels were noted to be higher than expected. A subsequent inspection by an employee from the state water authority revealed that multiple locks were open and that seawater from the North Sea was flowing uncontrollably towards Amsterdam. By the time the problem was spotted, water levels had risen by nearly 13 inches, posing a serious risk to the city, its infrastructure and inhabitants.  

As in Florida, crisis in Amsterdam was averted by human observation and intervention (for all the focus on employees being the weak link in the cyber security chain!), but an interesting insight from the Amsterdam incident is that the network controllers were almost 20 miles away from the sluice gates themselves. Although technology can allow remote operation of key infrastructure, that same remove can generate a conceptual distance that needs to be managed when considering the physical implications of a cyber event. The technology will not always work as expected, or it is vulnerable to attack, and it cannot be solely relied upon at the expense of a real-world appreciation of the physical environment it is supporting. Following the near-miss in The Netherlands, the decision was made to relocate the operations closer to the sluice gates, in part to allow visual inspections.

The danger of distance

Operating at a physical distance can point to something of a wider conceptual distance caused by (and that we attempt to bridge with) technology. The Colonial Pipeline attack highlights our linked reliance on interconnected commercial networks operating at a remove from each other. The chain between a password to the company’s virtual private network exposed on the dark web (the root cause of the attack) and the fuel in a jet taking passengers abroad is arguably easy enough to trace (particularly in hindsight). However, supply chain disruptions are a feature of cyber attacks that, rightly, garner attention.

The interconnected nature of modern commerce is efficient but leaves organisations vulnerable. The deeper and more important the links within the supply chain are, the more exposed one organisation is to the cyber weaknesses of another. The interweaving of technical capabilities within businesses throughout the supply chain can generate real world problems.  

The property sector itself is highly networked and far from immune to supply chain disruptions caused by cyber-attacks. Real estate and construction businesses are attractive targets to cyber criminals. They are data rich, driven by urgent deadlines, and frequently see the flow of large amounts of money. Investment and managing agents hold commercially sensitive information relating to their clients’ assets and occupiers (with attendant confidentiality obligations). At a more localised level, there are obvious examples of interconnected systems within buildings – some of which will be operated by third party partners – and which can generate real-world issues. Modern building management systems are networked and particularly vulnerable to exploitation.

Upcoming changes to the regulatory landscape

The need for robust cybersecurity frameworks is self-evident and regulatory and compliance standards play a crucial role in shaping how organisations protect their data and infrastructure. Events like those highlighted have influenced global cybersecurity policies, including those in the UK, by emphasising the need for stringent regulations, rapid incident response, and international collaboration to protect critical infrastructure from cyber-attacks.

The EU Network and Information Security Directive 2 (NIS2) came into force in the EU in January 2023. From 17 October 2024 Member States must apply the directive at a national level under their local law. While the UK is only subject to the first iteration of NIS, NIS2 is designed to further strengthen the level of cybersecurity across the EU. Post-Brexit, the UK will need to contemplate its own approach.

The King’s Speech on 17 July 2024 announced the Cyber Security and Resilience Bill. It aims to strengthen the UK’s defences against the global rise in cyber-attacks and to protect the UK’s critical infrastructure. This was heralded by the NCSC as a landmark moment in tackling the growing threat from ransomware actors and we expect the Bill to update the existing NIS framework by:

• expanding the remit of the regulation to sectors beyond energy, transport, health, drinking water supply and distribution, and digital infrastructure;
• putting regulators on a strong footing to ensure essential cyber safety measures are being implemented; and
• mandating increased incident reporting to give the Government improved data on cyber-attacks.

The cost of compliance and non-compliance

If the Bill is passed, the potential cost required to comply with the proposed new legal framework will need to be factored into business planning. This will include:

• management time spent understanding the scope of the legislation and whether it applies to each organisation;
• potential costs in dealing with cyber breaches, including mandatory incident reporting; and
• upgrading IT systems and implementing more stringent risk management measures.

Investment in IT is already a key cost-driver and it will be interesting to see how the Bill develops in the coming months, so that organisations can take stock of any new requirements. It does, however, represent a necessary evolution of the current cybersecurity obligations imposed on businesses. The threat of cyber-attacks (ever present in the news cycle), the continued reliance on data and technology, and the interconnected nature of our commercial dynamics mean that there is significant exposure and cost if organisations do not apply robust risk assessments to their operations and systems.

It is increasingly difficult to separate the digital effect of a cyber event from its operational or physical impact, and the supply chain exposure compounds the conundrum (certainly in terms of how to protect against such occurrences). New legislation will hopefully provide guidance and insight… and keep the trains on the right track!

Published by Estates Gazette.