UK explains likelihood of catastrophic cyberattacks — and its response plans
The British government has published a new National Risk Register that for the first time is “based directly on the government’s internal, classified National Security Risk Assessment,” including several scenarios covering the impact of cyberattacks on critical sectors.
The good news is that the most likely risks are not the most impactful, and the most impactful risks are not very likely. But the document details how exposed Great Britain is to malicious actions by hostile states, terrorists and financially motivated criminals.
In his foreword to the 192-page report, published August 4, Cabinet Secretary Oliver Dowden said the government wanted to provide “as much information as possible” so businesses and organizations could plan and prepare their responses to emergencies and know what to expect of the government. The document excludes some information from the classified version, for the purposes of national security and commercial confidentiality.
So what are the most impactful?
Only five “catastrophic” scenarios were recorded in the risk assessment, and the least likely would be either a civil nuclear accident — an incident at one of the country’s nuclear power stations — or the release of radiation from an overseas nuclear site, both of which were considered to have a less-than 0.2% chance of happening.
Somewhat more possible with a 1-5% chance — and equally catastrophic — were a larger-scale CBRN attack (chemical, biological, radiological and nuclear) or a failure of the National Electricity Transmission System (NETS) which could occur as a result of a cyberattack.
“Great Britain has never experienced a nationwide loss of power and the likelihood [of a NETS failure] is low, however similar events have occurred internationally,” cautions the register, referencing an incident affecting Argentina and Uruguay in 2019 caused by a wildfire taking down crucial power lines.
The most likely catastrophic risk in the register was of course a pandemic, given a 5-25% chance of happening within the next four years in the wake of COVID-19, associated with more than 200,000 deaths in the United Kingdom.
What are the cyber risks?
Cyberattacks affecting different critical infrastructure sectors were all aggregated as having the potential for a “moderate” impact on society — compared to the deaths and economic disruption of a pandemic or radiation incident — although some of the scenarios the register describes could be more damaging, and many involve secondary effects.
Fortunately, the officials believe such cyberattacks are unlikely over the next two years, receiving a probability score of 5-25%. They were also not as potentially impactful as conventional attacks on infrastructure, and notably were less likely to occur than an accidental technological failure impacting critical financial market infrastructure — something which had a greater-than 25% chance of occurring.
An attack on the country’s National Electricity Transmission System (NETS) — which as described “may involve encrypting, stealing or destroying data upon which critical systems depend or disruption to operational systems leading to the failure of the NETS” — could amount to something catastrophic.
The worst-case scenario would be an attack that leads to a total failure of the system, causing all electricity consumers without backup generators to lose their supply instantaneously and without warning — as happened in South America in 2019.
Although the risk register aggregates all cyberattacks on different infrastructure sectors as having a “moderate” impact, the separate scenario of a NETS failure is considered “catastrophic” and would have secondary impacts across other critical utilities networks “including mobile and internet telecommunications, water, sewage, fuel and gas” leading to “significant and widespread disruption to public services provisions, businesses and households, as well as loss of life.”
The document, which often says what preparations are in place for particular scenarios, says preparations need to be in place for a NETS failure “to support wider recovery and the continued operation of multiple sectors,” including resilient communications systems, humanitarian assistance, and victim support.
The percentage scores given to these risks use the Professional Head of Intelligence Assessment (PHIA) yardstick — a tool developed by the head of intelligence analysis for the whole of the British intelligence community.
It aims to translate percentage scores into more understandable language (such as “remote chance” for 0-5%, “highly unlikely” for 5-25%, through to “almost certain” for 95-100%) although the risk register itself does not break down percentages above 25%, stating they are all relatively low likelihood events.
Gas is the primary way homes are heated in the United Kingdom. The worst-case scenario for a cyberattack specifically targeting gas infrastructure, for instance a transmission system, would be a significant loss of gas supplies throughout the country.
This could occur if an operational system was disrupted by specially designed malware, or — similar to the NETS scenario — if data which critical systems depended on was encrypted, stolen or destroyed by hackers.
“There would be casualties and fatalities as a result of a lack of heating, lack of access to necessary medical treatment, exacerbation of an existing condition, or limited ability to safely use gas-fired cookers. However, impacts would depend on the scale of disruption,” said the risk register.
To address this potential threat to life — especially if the attack took place in the winter — the government could impose emergency procedures which would involve stopping supply to large industrial users, including power stations.
Disconnecting the gas supply to electric power stations could cause a shortfall in electricity generation, which might force the government to introduce rolling power cuts lasting three hours at a time just to balance supply and demand. Details on those procedures are published in the National Emergency Plan for Downstream Gas and Electricity.
Restoring the affected gas infrastructure could take around three months, although it could potentially take longer depending on the sophistication of the attack and the damage to the system.
Unlike a conventional attack on the civil nuclear sector — which in an “extremely unlikely” worst-case scenario could result in radiological contamination off site — a cyberattack on the computer systems controlling a nuclear reactor was described as potentially requiring a controlled shutdown as a protective measure.
Although the risk register did not record any risk of radiological contamination, the disruption to energy production could be especially lengthy due to the regulatory controls around nuclear safety and security.
As set out in the U.K.'s civil nuclear cyber security strategy, the National Cyber Security Centre (NCSC) threat assessment warns that ransomware “almost certainly represents the most likely disruptive threat” to the sector — something that is likely true for the other sectors listed in the report.
Fuel supply infrastructure
Back in 2021, one of the largest oil pipelines in the United States was shut down as a result of a ransomware attack. It was a “watershed moment” according to the U.S. Cybersecurity and Infrastructure Agency, resulting in “snaking lines of cars at gas stations across the eastern seaboard and panicked Americans filling bags with fuel, fearful of not being able to get to work or get their kids to school.”
In a “reasonable worst-case scenario” in Great Britain, a similar attack could lead to the temporary loss of fuel supply to a region which might take several days to replenish. But the government has established contingency plans to manage fuel supply crises, which are detailed in the National Emergency Plan for Fuel.
Health and social care system
The WannaCry ransomware attack in May 2017 disrupted “at least 34% of [healthcare] trusts in England, leading to thousands of canceled appointments and operations” as well as forcing multiple emergency departments to turn patients away. In total it is estimated to have cost the National Health Service £92 million.
According to the risk register, a worst-case scenario today would be similar, involving “significant systemic service disruption due to ransomware moving quickly across the health and care IT estate,” forcing organizations to move to offline services.
The impact would be immediate in terms of canceled appointments and delays to medical procedures and tests, as well as ambulances and other emergencies being diverted as a result of the disruption at emergency wards.
“The second-order impacts are likely to manifest themselves increasingly over time, as the delays and cancellations would mean medical conditions worsen or are not diagnosed promptly,” warns the risk register.
Responding to this crisis would require additional staffing to handle paper records, both during and after the incident, as well as communications staff to provide clear information to the public and to emergency responders. The recovery time could be significant, with backlogs of elective care potentially lasting years.
The government has established a Cyber Incident Response Retainer to provide additional support, and a strategy aiming to make the country’s healthcare sector “significantly hardened to cyber attack, no later than 2030.”
“There are many examples of cyber incidents impacting transport operators both in and outside the UK,” according to the risk register, noting an incident in 2021 when Northern Rail shut down its self-service ticket machines following a suspected ransomware attack.
In a worst-case scenario, an attack would hit a critical information network in the sector resulting in severe disruption to services — potentially requiring multiple days to return to normal. “The disruption to critical services and systems could result in economic and reputational damage, as well as present an increased threat to passenger safety of the affected operators within or connected to the UK,” warns the risk register.
Fixed-line and mobile communications, as well as internet infrastructure, are essential to modern life. The register warns: “A disruptive and sophisticated cyber attack against a major UK telecoms network provider would affect millions of customers.”
The impact would be felt by customers on other networks that connect and route through the impacted network, and potentially would leave customers unable to use the internet or make voice calls, meaning they couldn’t access the emergency services.
The document notes that similar disruptions could also occur for reasons other than a cyberattack, for instance “misconfiguration, accidental disruption and software failures.” “The cause and extent of network disruption may not be known immediately and it may be difficult to identify a cyber-telecoms attacker, whether it is a state threat, cybercriminal or hacktivist,” warns the document.
“Certain state actors have displayed capabilities to attack telecoms networks. Although the UK has not seen an attack at the scale described, it is plausible that under specific circumstances, state actors may demonstrate their intent to disrupt telecoms networks.”
Earlier this year, Microsoft warned that a Chinese hacking group had gained access to critical infrastructure organizations on the island territory of Guam and other parts of the United States, prompting a joint advisory from authorities in the U.S. and Great Britain.
In one case reported by the New York Times, the state-backed hackers breached telecommunications networks on Guam, a sensitive U.S. military outpost in the Pacific.
While the campaign appeared to investigators to be espionage-related, Microsoft warned that the Chinese group was likely “pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”
UK financial networks
“Financial market infrastructures (FMIs) are the networks that enable financial transactions to take place,” explains the Risk Register. They are separate networks, and so the worst-case scenario is based on an attack against a single network “carried out by a hostile state or criminal actor.”
In this scenario, there would be “significant impacts on the processing of financial transactions” potentially causing people to lose confidence in both the availability and integrity of financial data and the financial system as a whole.
Permanent data loss is a strong possibility, according to the risk register, and because these networks are private and independent, the possibility of using substitute networks could be extremely limited.
A “sustained outage could threaten the UK's financial stability,” warns the risk register when describing a generic technological failure at a critical FMI.
There are established response plans for a disruption to critical financial services, coordinated under the Authorities' Response Framework.
In a worst-case scenario, a state-sponsored or criminal threat actor could attack a bank's internal IT systems, effectively taking the institution completely offline and leaving customers unable to access accounts.
Customers with only one bank account would be severely impacted, and the bank could face "heightened fraud and operational losses."
"Since most systems are owned by private entities, the responsibility is ultimately on firms, though government and regulators can support in a crisis," the document states. Recovering would be the usual complicated "mixture of patching and implementing security controls, remediating and testing data and assuring systems are secure."
Total loss of transatlantic communications cables
Fiber optic submarine cables are brittle and are often accidentally broken by fishing boats, even without malicious interference, but society's dependence on internet connectivity "for global finance, telecommunications, government decision-making, and military operations make submarine cables attractive targets for intelligence collection or sabotage," as described in a threat report by The Record's parent company, Recorded Future.
The British government's risk register says the "loss of a small number of cables could result from disruption at sea, such as a major underwater landslip across several hundred kilometres," but the greatest risk facing the connectivity would be "damage to land-based infrastructure such as a cyber attack."
In a reasonable worst-case scenario, of a total loss of the subsea cables connecting to the United Kingdom, the cables themselves would be "damaged over a number of hours, rendering them inoperable," disrupting internet access and impacting essential services that rely upon offshore providers.
"The internet would begin to recover within hours as networks are reconfigured. Satellite communications would only provide a fraction of the bandwidth, and there would likely be an impact on European data networks," said the document.
But repair for the cables themselves would take months at a minimum, depending on the location of the damage and the availability of both spare cables and the specialist repair ships and crews who can mend them.
Malicious drone incident
Back in December 2018, hundreds of flights were canceled at Gatwick Airport south of London after a security officer claimed to see two drones near the airport.
Some commentators have questioned whether the sightings were an incident of mass panic, although Sussex Police maintain it was a malicious attack intending to disrupt air traffic.
No evidence of drone use has ever been found, including photographs or videos, and two individuals who were arrested in connection to the incident were later awarded compensation for wrongful arrest and false imprisonment.
Despite this, the scenario features in the Risk Register, with the government stating it actively plans for "all types of potential disruption and threat that may result from negligent, criminal, or terrorist use of drones" and not just at airports. The capability to respond would vary by scenario, it added.
"For the airport disruption scenario described above: Specialised police counter-drones capabilities would be required to respond to the incident. Police work, alongside further investigative methods (for example forensic scrutiny of a downed drone), would be used to identify and apprehend malicious users," stated the register, which did not examine the failure of this police work in the Gatwick incident.
Space-based services are part of the country's critical national infrastructure, from satellite communications through to remote sensing technology used for weather monitoring and forecasting.
The reasonable worst-case scenario in the Risk Register "assumes that the collision of debris with a satellite produces a debris field that collides with and disrupts other satellites. This would cause a cascade of debris that impacts other satellites and creates further debris."
There are variations on this scenario, including "severe space weather disruption to services and a malicious attack on space infrastructure."
Responding to such an incident would require "an enhanced National Space Operations Centre" to "provide tracking and monitoring data, warnings and reports, and supporting response and recovery measures to protect government equities in the space domain." But recovery would be less clear and "depend on debris dispersal, with potential impacts on future space operations and associated businesses."
Loss of positioning, navigation and timing services
Positioning, navigation and timing (PNT) services are key for telecommunications, transport navigation and for providing precise timings. If these services were to fail "either due to technological failures or malicious activity, [they] would have catastrophic and cascading effects across the UK and globally."
According to the Risk Register, "a severe technical failure, due to either hardware failure or human error, in a Global Navigation Satellite System constellation" would "result in inaccurate position and timing data being delivered to users in space and around the world."
Variations of the scenario also involve "serious and organised crime, jamming and spoofing activities leading to a loss of PNT services, state threat to PNT services, and severe space weather disrupting satellite provision of PNT services."
Although the different scenarios would mean different responses and recoveries, the impact would largely be the same — the PNT services would have to cease operations, warns the government.
"There would be a significant disruption or complete cessation of transport (including aviation and maritime services), communications networks, financial services, energy and emergency services within a few hours of the incident taking place."
Sectors would have to revert to older technologies for ground services to resume during an extended outage, and restoration of full functionality could take weeks.
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.