3 CYBER TARGETS

In this chapter, we shall examine the various potential targets of cyber-attacks. I have tried to separate the targets into the following categories since the motives for these attacks may vary:

  • individuals;
  • businesses;
  • critical national infrastructure;
  • buildings;
  • academia and research;
  • manufacturing and industry.

INDIVIDUAL TARGETS

Whether we like it or not, we are all potentially the target of cyber-attacks. In the case of individuals, attack is most likely to come from cyber criminals who may not target us directly, but they will certainly do so as part of a larger plan – for instance, acquiring credit card details of thousands of individuals that they can then sell on to other criminals who will target us more directly.

This means that our personal information and, to a certain extent, we ourselves have become a commodity – a product to be bought and sold.

There is little, if anything, we can do about the criminals’ larger game plan, but we can take ownership of our individual part of the problem by securing our computers, smartphones, tablets and networks, being careful to whom we give personal information, being aware of and avoiding scams and generally being more cyber-savvy – just as we hold a bag close when walking through cities where pickpockets have a reputation for preying on tourists.

We will deal with these topics in Chapters 8 to 11, when we examine methods of improving our security.

BUSINESS TARGETS

Businesses are a major target for attackers since there are potentially rich rewards to be gained if attacks are successful.

  • Where the actual target is not the business itself, the gain could be something the business has, such as a database of customers and their credit card details.
  • Where the target is the business itself, potential gains could include its intellectual property – something the business has developed, like a new product or service; something the business is planning, such as the takeover of a rival organisation; or simply details of the organisation’s financial position as the object of a possible takeover, if it’s the attacker’s intention to cause immediate financial or reputational damage.

Businesses, both large and small, may be much better placed than individuals to understand cyber risks, but may often ignore them, thinking either that they’re too small or uninteresting to attract an attacker, or believing that they have nothing that might be of value to one. This is potentially a major mistake, since attackers may not target a specific business but might gain some benefit if an employee unwittingly provides them with a way into the organisation’s network.


A successful attack on a small maintenance company might, for example, allow an attacker to gain access to a larger organisation for which it is working, and which is actually the attacker’s real target. For example, it is believed that when the Stuxnet attacks took place against the Iranian nuclear research programme, the attack was conducted by delivering the malware to five of the research centre’s strategic suppliers, at least one of whom then unknowingly took the malware into the centre, probably on a Universal Serial Bus (USB) memory stick. This illustrates that regardless of an organisation’s security arrangements, malware can be introduced by a third party, and it demonstrates the need to ensure that all software entering the organisation is verified.

Another example of a situation in which a business might be attacked is if the attacker perceives that the organisation had committed some offence or injustice and needs to be publicly exposed or rebuked. The media are occasionally complicit in this kind of activity since they can (and frequently do) add fuel to an already burning fire.

Businesses are not always targeted directly for actions of this kind – in recent years, dissatisfied customers and disgruntled employees have adopted the use of social media to spread the word, often resulting in damage to the organisation’s brand and reputation, loss of business and more.

While this type of action may not qualify as a direct cyber-attack, it would seem prudent for organisations to consider the possibility as part of their incident response and business continuity strategy.

CRITICAL NATIONAL INFRASTRUCTURE (CNI) TARGETS

Attacks against CNI organisations are extremely common, and may often originate not from cyber criminals but from foreign nation states, terrorist organisations or hacktivists such as Anonymous, since their objectives are usually to disrupt the target nation in as many ways as possible, as described in this book’s preface.

The UK’s Centre for the Protection of National Infrastructure (CPNI) has defined the following 13 areas of critical infrastructure, and the CNI sectors in other countries, if not identical, will be very similar:

  • chemicals;
  • civil nuclear;
  • communications;
  • defence;
  • emergency services;
  • energy;
  • financial services;
  • food;
  • government;
  • health;
  • space;
  • transport;
  • water.

Chemicals

Chemical plants produce many of the items that we use in everyday life, giving us food products such as sugar, agricultural products such as fertilisers, and chemicals used both in the home, such as cleaning agents, and in industrial processes, such as acids and alkalis.

As with other areas, the impact of cyber-attacks on chemical production facilities could be highly harmful, with compounds being incorrectly mixed, resulting in poisoning of products, crops and people; or with dangerous toxic or explosive mixtures being generated, resulting in widespread pollution. Therefore, chemical manufacturing and storage remains a strong potential target.

Civil nuclear

Although we normally think of civil nuclear activities as being in the realm of power generation, there are many requirements for radioactive products in medicine, where they are used in calibration sources, radioactive drugs and bone mineral analysers, and in engineering, where radioactive isotopes are used in the detection of pollution, in carbon dating and in the quality control of welding operations.

Although the Chernobyl incident in 1986 was not triggered by cyber means, a cyber-attack against a nuclear power station in India in 2019 was successful. It is not known whether this was an attempt to degrade electricity generation or to drive the reactor core into instability, resulting in a devastating explosion with radioactive material being dispersed over a wide area, although the reports assert that North Korea was responsible. Even though it was claimed that only an administrative area of the power station’s network was compromised, as opposed to the reactor control systems, it does demonstrate that such an attack is feasible.1

Attacks on other nuclear facilities might create a significantly less dramatic impact but could result in hospitals being unable to diagnose or treat illnesses; and in major engineering projects being unable to progress.

Communications

The communications portion of the CNI consists of several different areas. The public fixed (landline) and public mobile networks are the most obvious manifestation, but some private networks are included as well, especially the Airwave network that provides communications for the emergency services and related government organisations and some non-government ones.

Attacks on the fixed and mobile public networks are normally directed at the main network signalling system (typically Signalling System number 7, or SS7 as it is more commonly known). Such attacks require a reasonably high degree of skill and knowledge to undertake, although spoofing the Calling Line Identifier (CLI) is extremely common and requires a much lower level of skill to achieve.

Although less used in the UK, satellite communications are also a part of the CNI, and these tend to be used for both public and private communications in areas where the public fixed and mobile networks do not provide complete or reliable coverage.

Last, but not least, is the internet, which, although provided nationally and occasionally locally by ISPs, is centrally connected through a number of peering points, which make the interconnections between ISPs at a national level and with ISPs in other countries.

Two particularly fragile components of the internet are occasionally subjected to cyber-attack. The first is the Border Gateway Protocol (BGP), which determines how data packets travel between one part of the internet and another. Once one gateway router is hijacked, it can, for example, advertise the fastest route as being to a malware site. The second is called domain name system (DNS) cache poisoning, in which a cyber-attacker makes changes to the domain name system to redirect traffic to another destination. Both of these types of attack require a significant level of skill.
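Route origin validation is the standard defensive check against the BGP hijack described above: each announcement’s prefix and origin AS is compared with the published record (a Route Origin Authorisation, or ROA) of who is entitled to originate it, and anything that does not match is flagged before the router accepts the route. The Python below is an added illustration of that check and is not from the book or from any router vendor; the ROA table and the announcements are constructed for the example using documentation address space and reserved ASNs, and the function and class names are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Roa:
    """A Route Origin Authorisation: origin_asn may announce prefix,
    and nothing more specific than max_length bits."""
    prefix: str
    max_length: int
    origin_asn: int


# Constructed ROA table (hypothetical): documentation prefixes from RFC 5737
# and documentation ASNs from RFC 5398, not real-world routing data.
ROA_TABLE = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("198.51.100.0/24", 25, 64497),
]


def origin_validation_state(prefix: str, origin_asn: int, roas: Iterable[Roa]) -> str:
    """Classify one announcement the way RFC 6811 origin validation does.

    'valid'     - a covering ROA names this origin AS and allows this prefix length
    'invalid'   - at least one ROA covers the prefix but none matches (likely hijack
                  or an over-specific announcement)
    'not-found' - nobody has published a ROA for this address space
    """
    announced = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        # subnet_of() raises for mixed IPv4/IPv6, so compare versions first
        if roa_net.version != announced.version or not announced.subnet_of(roa_net):
            continue
        covered = True
        if announced.prefixlen <= roa.max_length and origin_asn == roa.origin_asn:
            return "valid"
    return "invalid" if covered else "not-found"


def find_suspect_announcements(
    announcements: Iterable[Tuple[str, int]], roas: Iterable[Roa]
) -> List[Tuple[str, int, str]]:
    """Return (prefix, origin_asn, state) for every announcement that is not valid."""
    roas = list(roas)
    suspects = []
    for prefix, origin_asn in announcements:
        state = origin_validation_state(prefix, origin_asn, roas)
        if state != "valid":
            suspects.append((prefix, origin_asn, state))
    return suspects


# Constructed sample announcements: one legitimate, one from the wrong origin
# AS, one more specific than the ROA permits, one covered by no ROA at all.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),
    ("192.0.2.0/24", 64511),
    ("192.0.2.128/25", 64496),
    ("198.51.100.0/25", 64497),
    ("203.0.113.0/24", 64498),
]

if __name__ == "__main__":
    for item in find_suspect_announcements(SAMPLE_ANNOUNCEMENTS, ROA_TABLE):
        print("suspect announcement:", item)
```

A more-specific announcement from the wrong AS is the classic hijack shape, because routers prefer the longest matching prefix; the max_length field in the ROA is what lets the check reject it even when the origin AS is correct.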

Defence

The defence sector is made up primarily of the armed forces – nominally army, navy and air force – and also organisations providing research and development or supply services to the military.

Armed forces

Any individual or organisation that conducts a cyber-attack on the armed forces of a major nation can probably expect swift and painful retribution. However, this does not prevent nation states from trying their hand as a means of testing the strength of the opponent’s cyber security, and occasionally conducting intrusive attacks.

The majority of these attacks will almost certainly go unreported, since the victim country would not wish news of a successful cyber-attack to become common knowledge. Conversely, if one nation state were able to conduct a successful and undetected cyber-attack on another, it too would be keen to ensure that news of this was not made public, so as not to alert the target nation state and so that further cyber-attacks could take place.

Some people define these attacks as acts of cyber warfare, and in part this is true, since one nation state (or terrorist group) has conducted an attack on the defence sector of another; but at the same time, since the origin of the attack may be unclear or even point to another possible attacker, a state of war does not necessarily exist between them.

Military suppliers

Cyber-attacks against military suppliers are very common, and have two fundamental purposes:

  • First, they are conducted in order to steal intellectual property such as the designs of new technology used in weaponry and defence systems. An example of this is the attack (attributed to China) on Lockheed Martin, in which designs for the F-35 fighter jet were stolen.2
  • Second, they may be conducted in order to change the way in which military software operates or to plant malware in weapons or defence systems. It is not difficult to imagine what might result if the engine management system of a fighter jet cut out when the pilot was making an attack run, or the effect of a radar system suddenly failing to display incoming enemy aircraft.

This might sound like fantasy, but you can be certain that many countries will have thought of the idea, and that some countries may have actually succeeded in making it happen.

The arms race that took place in the latter part of the 20th century was a serious affair. East and West spent vast sums of money in trying to develop weapons and defence systems that would allow them to defeat their enemies – often relying on the element of surprise and leaving their opponent with little or no time or capacity to retaliate, and it was eventually concluded that the end result of this could be nothing less than ‘mutually assured destruction’.

This has not prevented or even slowed down the development of both conventional and new weaponry or defence systems, but it has become clear that in the event of another worldwide conflict, conventional ground, sea and air forces would be heavily supplemented by pre-emptive cyber-attacks in an attempt to reduce the enemy’s ability to operate their command-and-control structure, as in the case of Ukraine in 2022.

Nation states have therefore invested heavily in developing cyber weapons and cyber defences, and there is a distinct possibility that another major war could actually be conducted without a single shot being fired.

Emergency services

The next CNI area is that of the emergency services. This covers not only the police, fire and rescue and ambulance services, but also mountain rescue and the Maritime and Coastguard Agency.

People who do not necessarily intend to commit cybercrime, but who intend to undertake some other form of criminal activity, can try to attack the networks and systems of the emergency services. They may realise that by causing some form of distraction they are able to carry out their intrusion, robbery, or whatever, and feel that it is perfectly within their right to do so. Whether undertaking a DDoS attack (see Chapter 2) on the website of any branch of the emergency services would aid them is uncertain.

Alternatively, they may hold some form of grudge against one of the services and feel that a cyber-attack is a perfectly justified response.

The principal target of such an attack is most likely to be the police, but none of these services would be immune to a determined attacker.

The fact that a cyber-attack might potentially cost someone their life might not even occur to an attacker. Fortunately, however, the incidence of this type of attack appears to be very low.

Energy

Next, we move to the energy sector, which is split into three distinct areas, each of which has slightly different arrangements:

  • electricity;
  • gas;
  • oil.

Electricity

The electricity sector consists of three separate components. The first is generation, which may be from a variety of sources: fossil fuels (coal, oil and gas) and nuclear, all of which are non-renewable; and renewable resources such as hydropower, biomass, biofuels, wind, solar and geothermal.

The second component of the electricity sector is the transmission of power from the generation point through the National Grid to the various distribution network operators (DNOs) around the UK, although some industries, such as steelworks, require large quantities of electricity and may be connected directly to the National Grid with whom they have a direct contract rather than with a distribution network operator.

Finally, the distribution network operators then sell the electricity to homes, businesses and industry.

Just about everything we do on a personal, business, commerce and especially critical infrastructure level depends ultimately on the supply of electricity, so cyber-attacks are most likely to target the electricity generation facilities since there are many of them and therefore there is a chance that some may not have as strong a cyber security management process as others. The transmission management centres, however, would come a close second, since considerably more damage might theoretically be achieved with just one attack.


In April 2022, it was reported that Russian hackers had planted malware on computers in the Ukrainian Power Grid.3 Working with Ukraine, a Slovakian cyber security team were able to foil the attack. However, this does demonstrate the point that critical infrastructure is potentially a major target.

Gas

Supplies of gas come from natural (non-renewable) resources below ground (onshore resources) and beneath the oceans (offshore resources), and, increasingly, gas is imported from overseas.

The transmission and distribution work in much the same way as electricity, with a central body delivering the supply to DNOs who then sell the gas to homes, businesses and industry, but the onshore gas storage facilities are likely to be the major targets.

At the time of writing, it is believed that hackers supporting Ukraine have been attacking Russia’s gas production and distribution capability, among other facilities such as banks and corporations.4

Oil

Oil has similar beginnings to gas – indeed, the acquisition of the raw product uses almost identical techniques – but that is where the similarity stops, since crude oil must be refined and turned into usable products such as heating oil, petrol and diesel.

On leaving the refineries, as with gas, much of it is delivered by underground pipes to storage depots from which distribution is either by road or rail, or again sometimes by underground pipes as in the case of distributing aviation spirit to major airports.

Although it did not result from a cyber-attack, the explosions in December 2005 at the Buncefield oil storage depot at Hemel Hempstead in the UK resulted in considerable disruption to the fuel supply as well as to local residents and businesses.5

Offshore oil production platforms and smaller onshore production facilities are likely targets as well as the storage and distribution sites.

It is worth adding at this point a brief note about a technology used in the energy, water, civil nuclear and chemicals sectors of critical infrastructure known as Supervisory Control and Data Acquisition (SCADA), which is widely used both to monitor the state of elements of the generation, production and distribution systems, and to control their operation.

The generation and distribution networks themselves tend not to have actual connections to the internet, but the SCADA systems that monitor and operate them frequently do. Hence, attacks against these sectors may well commence with an attack on the SCADA systems. This is discussed in greater detail later in this chapter.

Financial services

The finance sector has to be one of the most serious targets. Cyber thieves who can find ways of extracting funds from banks and financial services companies stand to make a killing. Finance organisations therefore take cyber security extremely seriously, since a successful security breach could cause them to go out of business, regardless of any potential fines levied by the Financial Conduct Authority (FCA).

Before internet-based financial transactions were commonplace, bank robbers targeted the bank buildings themselves. Now, in the 21st century, although the money is still largely under the control of the banks, thefts by cyber-attack can be undertaken at considerably less risk and can be infinitely more profitable for the criminals.

The various sectors in the financial service sector include:

  • banks (including credit unions);
  • building societies;
  • insurance companies;
  • stock exchanges.

Increasingly, banks are making use of two-factor authentication such as one-time passkey generators and text messages in order to secure access to customers’ bank accounts. The passkey has a short useful life, usually measured in minutes, after which it becomes useless and another passkey must be generated. This greatly lessens the risk to the customer unless the attacker can either manipulate the system and conduct a ‘man-in-the-middle’ attack, discussed later, or can persuade the customer to part with both the card and PIN or mobile phone.
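The short useful life of the passkey described above is what a time-based one-time password (TOTP, RFC 6238) gives you: the code is an HMAC over the shared secret and the current 30-second time step, so it is valid only for the steps the server is prepared to accept, and a code that has already been accepted can be refused a second time. The following Python is an added example of the generator and the server-side check and is not from the book or from any bank’s system; the shared secret is the published RFC 4226/6238 test-vector secret, used here purely as constructed input, and the function names and the replay-tracking set are my own assumptions.

```python
import hashlib
import hmac
import struct
import time

# Constructed input: the shared secret from the RFC 4226 / RFC 6238 test vectors.
# A real system generates a random secret per customer and never reuses it.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # lifetime of one time step, hence of one code


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: float,
                step: int = STEP_SECONDS, digits: int = 6,
                window: int = 1, used_steps=None):
    """Return the time step a submitted code matched, or None if it is rejected.

    The server accepts the current step plus `window` steps either side to allow
    for clock drift, so a code is useful for roughly (2*window+1)*step seconds and
    worthless afterwards.  `used_steps` is a set owned by the caller (per customer)
    that records accepted steps, so the same code cannot be replayed within the
    window.  Comparison is constant-time to avoid leaking digits by timing.
    """
    current = int(at_time) // step
    for candidate in range(current - window, current + window + 1):
        if used_steps is not None and candidate in used_steps:
            continue                                          # already spent
        expected = hotp(secret, candidate, digits)
        if hmac.compare_digest(expected, submitted):
            if used_steps is not None:
                used_steps.add(candidate)
            return candidate
    return None


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET, now)
    spent = set()
    print("code now:", code)
    print("accepted at step:", verify_totp(DEMO_SECRET, code, now, used_steps=spent))
    print("replayed immediately:", verify_totp(DEMO_SECRET, code, now, used_steps=spent))
    print("presented five minutes later:", verify_totp(DEMO_SECRET, code, now + 300))
```

The example reproduces the published RFC test vectors (counter 1 or time 59 gives 287082), which is a convenient way to confirm an implementation before trusting it with real secrets. Note that the expiry protects against a stolen code being used later; it does nothing against the man-in-the-middle case the text mentions, where the attacker relays the live code within its window.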

DoS attacks against financial institutions are also on the increase. According to cyber resilience supplier UpGuard, attacks against financial services organisations increased by 238 per cent in the first half of 2020 with an average of almost US $6 million in 2021.6 The implication of this is that not only would customers be unable to access their accounts, but in a worst-case scenario, inter-bank transfers could be affected. While this might appear unimportant to many people, recent instances of banks making changes to their (often legacy) IT systems have resulted in services being badly affected for days at a time; property purchases failing because monies are not transferred in time; salaries and accounts unpaid; and much more.


As an example, in 2014 the Royal Bank of Scotland was fined £56 million by the regulator after a 2012 software issue left millions of customers unable to access their accounts.7

Food

Cyber-attacks on organisations in the business of growing, importing, producing, distributing and retailing food are not particularly frequent, but occasionally we read of situations in which an activist group decides to take on a multinational organisation related to food, whether this is to cause denial of service or to steal.


In May 2021, the world’s largest meat-packing company, US-based JBS, was hit by a ransomware attack. The result of this was a dramatic increase in meat prices, both at a wholesale and retail level, with resulting shortages. The company eventually settled with the hackers at a cost of US $11 million. JBS’s quick reaction, however, resulted in the loss of less than one day’s production, and a small decrease in its normal level of order fulfilment.8

Government

Government departments and agencies have always been a target for attackers. Fortunately, in the UK a government department, a part of GCHQ called the National Cyber Security Centre (known simply as the NCSC),9 has responsibility for providing guidance to all government departments – national, regional and local – and also to official government websites such as the Driver and Vehicle Licensing Agency (DVLA).

The NCSC brings together and replaces CESG (the former name of the information security arm of GCHQ), the Centre for Cyber Assessment (CCA), Computer Emergency Response Team UK (CERT-UK) and the cyber-related responsibilities of CPNI.

Its purpose, outlined on its website, is to:

support the most critical organisations in the UK, the wider public sector, industry, SMEs as well as the general public. When incidents do occur, we provide effective incident response to minimise harm to the UK, help with recovery, and learn lessons for the future.

The NCSC’s Certified Cyber Security Consultancy (CCSC) acts as the accreditation agency for government Certified Cyber Professionals (CCPs). The scheme is outsourced to three private certification bodies and CCPs offer their services via a CCSC unless they are employed directly in a government department.

Government departments and agencies operate their own cyber security standards and processes, and the NCSC also provides highly useful advice and guidance to private sector organisations through its website.

Another government organisation that has a significant input into the UK’s Cyber Security Strategy is the CPNI,10 which maintains strong links with all the sectors described in this part of the chapter.

Health

The health sector deals primarily with public-facing services – hospitals, health centres and general practitioner (GP) surgeries – but also ties in closely with the need for medical research, investigating all health matters and researching new medicinal and surgical treatments for patients.

Hospitals, health centres and GP surgeries

Why would anyone want to attack a hospital? Well, it seems that some attackers simply don’t care who their targets actually are. In March 2016, the Medstar group, which runs ten hospitals in Washington DC and Maryland, was the subject of a ransomware attack that blocked staff access to many of the group’s IT systems.11 Several other hospitals in the US have also reported this kind of attack, and some pundits have speculated that there is also the possibility of an attacker taking control of life-critical systems, which puts an entirely different perspective on the issue of cyber security.

There is another potentially sinister aspect to this area – that of internet-connected health-related devices. It is not difficult to imagine that the administration of some drugs and medicines could be achieved remotely, and that mechanisms could be connected to the internet to enable this. Delivery of too much or too little medication could be life-threatening, and if we ever reach the stage where heart pacemakers become part of the Internet of Things (IoT), security will have to be absolute.


A former colleague who lives in the Netherlands and worked there with the author was recently fitted with a pacemaker following a heart attack. This pacemaker has Bluetooth connectivity (highly secure, as it transpires) built in, so that the surgical team can monitor the device status and make adjustments if necessary. Ironically, my colleague was once the chief medical technician at the hospital where the pacemaker was fitted, and having considerable previous knowledge of the various types of device enjoyed an informative discussion with the surgeon prior to it being fitted.

A successful attack on National Health Service (NHS) systems could allow an attacker to obtain details of our medical history, which could potentially be sold to an interested party – an insurance company or a drug manufacturer for example. We normally consider these types of organisation in the UK to be beyond reproach, but those overseas might not be so honest. Additionally, if an attacker were able to access our medical records, they could alter the content either to improve or worsen our history, the results of investigations and tests, recommendations for treatment and the prognosis.


In January 2017 Barts Health Trust, the largest NHS trust in England, was hit by a cyber-attack that resulted in file sharing across its four main hospitals being turned off to limit the spread of the impact.12

Finally, if a hospital’s systems were compromised as part of a larger physical terrorist attack, the result would certainly be panic among the general population, and this could severely reduce the hospital’s ability to treat patients, especially those requiring emergency treatment.

Medical research

One of the areas in which there is massive scope for cyber-attacks, especially where the theft of intellectual property is concerned, is that of medical research. The amount of time, effort and money that pharmaceutical organisations invest in the development of new drugs and medicines is enormous, and this goes some way to explaining the cost of new medical treatments as the developers try to make a return on their investment.

If attackers were able to steal the formula for a new cancer drug, for example, they could potentially sell this to less honest manufacturers who would naturally undercut the developer’s selling price.

In an even worse scenario, between the testing of a new drug and its final production an attacker could potentially alter the list of ingredients or change the process by which the drug is manufactured. The result could at the very least be contamination, and could bring about serious side-effects or threaten lives.

Space

The UK is not normally the first country that springs to mind when we talk about space, but in fact we are one of the leading countries that design and manufacture satellites for communications and research, and we were an active partner in the European Space Agency.

Similar cyber-attacks to those discussed in the air transport section of this chapter, below, are not beyond the bounds of possibility, and although there are no officially confirmed incidents in which one nation state has attacked the space technology of another, it remains a real possibility, especially if viewed as being part of cyber warfare. A cyber-attack that alters the orbital characteristics of a satellite might, for example, move it into or across the orbit of another country’s satellites (or even a space station such as the International Space Station (ISS)), causing catastrophic damage. The 2013 science fiction film Gravity illustrated what might happen under similar conditions.13

Transport

The transport sector covers commercial air transport, road, rail and merchant shipping for both passengers and cargo.

Air

Increasingly, commercial aircraft are fitted with monitoring systems (especially for jet engines) that allow maintenance teams to see in real time how they are performing, and to understand when to have spare parts delivered to an airport, often before a problem has actually manifested itself. There is no value to an airline in keeping an aircraft on the ground when it could be earning its keep filled with passengers or cargo.

Fortunately, current standards do not permit control of commercial aircraft from the ground (unlike drones), and it is to be hoped that the events of 11 September 2001 (9/11) will dissuade manufacturers from combining control with monitoring, since the prospect of the more frequent use of civil airliners as a weapon of mass destruction is too horrible to contemplate.


There was also an unverified report in 2015 of a cyber security expert taking control of an aeroplane’s flight control systems via the in-flight entertainment (IFE) system while it was airborne.14 While this is currently just a theoretical possibility, it remains to be seen whether it eventually becomes a practical form of attack.

Another aspect of cyber targets in the transport area of critical infrastructure would be that of the infrastructure that supports air traffic control. At any one time, there are thousands of civil aircraft in the skies, each one of which relies on an air traffic control centre to direct it out of the flight path of other aircraft by ensuring physical separation both horizontally and vertically. If this infrastructure were to be successfully attacked, it could turn aircraft into weapons of mass destruction without the need to target individual aircraft.

However, a major IT systems failure in March 2022 caused British Airways to suspend all flights for a period of several days until the issue had been resolved.15 This illustrates that an attack on an airline’s IT infrastructure can have a major impact on its operational capability, resulting in travel cancellations and chaos for thousands of passengers, spreading the financial cost much wider than just the airline itself.

Road

The European Commission placed a requirement that by March 2018, manufacturers of all vehicles sold in the EU must fit them with a system known as eCall,16 which automatically alerts the emergency services in the event that the vehicle is involved in a collision. On the surface, this appears to be a highly noble undertaking, since faster response to an accident could save lives. Many vehicle manufacturers pre-empted the requirement, and in addition to eCall systems installed event data recorders (EDRs) in their vehicles.

The EDR has the ability to store a large number of parameters, including location, speed and direction of travel, throttle position and cornering data. The driver has no knowledge of exactly what data is being collected, or what might be done with it. While this would be helpful to insurance companies and to the police investigating an accident, it follows also that the vehicle manufacturer is likely to be using that data to help in developing better vehicles – again, a positive development.

However, the driver has no control whatsoever over the data, and there is also the potential that the vehicle manufacturer could be selling it to insurance companies. The potential for abuse has yet to be fully debated, since one could reasonably argue that the data was collected without the agreement of the driver.


Far worse, in 2015, security experts were able to demonstrate their ability to take over a Jeep Cherokee under controlled conditions in the USA.17 They were able to enter through the vehicle’s cellular phone connection to access the entertainment system, from which they broke out into the vehicle’s Controller Area Network (CAN) and took control of a number of the engine control units (ECUs). If this type of attack becomes commonplace, the implications are frightening.

Motorways and some trunk roads in England, Wales and Scotland have overhead gantries on which display signs are mounted. These can warn of incidents, impose speed restrictions, and indicate the estimated journey time to junctions further along the motorway. They are managed by the Highways Agency in England and Wales, and by Traffic Scotland. If an attacker was able to gain access to the systems that control this signage, traffic could be brought to a halt or diverted down smaller connecting roads, causing complete chaos. Fortunately, there appear to have been no reported incidents of this type.

Rail

Although driverless trains are something of a rarity, they do exist. On the London transport system, the Docklands Light Railway runs without drivers, and the Victoria Underground line uses automatic train operation, with a train operator in the cab to supervise the system. Rather less obvious examples exist at airports such as Gatwick, where driverless shuttles carry passengers between the north and south terminals.

Railways rely heavily on electronic signalling to control the movement of trains, and should that infrastructure become internet-connected, one could imagine that considerable chaos, financial loss, damage and potentially loss of life could ensue.

More recently, railway companies in a number of European countries have been installing train monitoring systems that can report information on passing railway stock about weight distribution, wheel loading, wheel defects and noise emission. Identification of the type of rolling stock is carried out by measuring the distance between axles.


An interesting software bug reported in 2016 was that if a train running on the Swiss railway network has exactly 256 axles (or, by the same logic, any multiple of 256), the axle counter, which apparently holds its count in an 8-bit register, wraps round to zero, indicating that there is no train on that stretch of line.18 It is rumoured that the operator works around this problem by attaching additional wagons to 256-axle trains to ensure that they always show up. If an attacker wishing to cause a major accident were able to penetrate the monitoring system and tamper with the code that counts axles, a great deal of damage could be done.
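The wrap-around described above, as an added example that is not part of the original text and not the code of SBB or any signalling vendor: a hypothetical axle counter whose count lives in an 8-bit register is driven with trains of various lengths, beside a hardened version that uses a wide counter, latches a fault when the count would overflow or go negative (more axles out than in, which is what sensor tampering would look like), and fails to "occupied" rather than "clear". The register width, the fault rule and the train lengths are all assumptions made for illustration.

```python
"""Model of a track-section axle counter whose count lives in an 8-bit register,
the class of wrap-around bug described above. Hypothetical, constructed for
illustration; not the code of SBB or of any signalling vendor."""


class AxleCounter8Bit:
    """Counts axles into and out of a section in a single 8-bit register."""

    def __init__(self):
        self.count = 0

    def axle_in(self):
        # Masking to 8 bits models the register: 255 + 1 wraps to 0
        self.count = (self.count + 1) & 0xFF

    def axle_out(self):
        self.count = (self.count - 1) & 0xFF

    def section_clear(self):
        return self.count == 0


class AxleCounterSafe:
    """Wide counter with an explicit fault flag; a fault reads as 'occupied'."""

    MAX = 0xFFFF

    def __init__(self):
        self.count = 0
        self.fault = False

    def axle_in(self):
        if self.count >= self.MAX:
            self.fault = True      # saturate and latch a fault rather than wrap
        else:
            self.count += 1

    def axle_out(self):
        if self.count == 0:
            self.fault = True      # more axles out than in: sensor or tampering fault
        else:
            self.count -= 1

    def section_clear(self):
        # Fail safe: an unknown state is reported as occupied, never as clear
        return not self.fault and self.count == 0


def occupancy_report(counter_cls, axles):
    """Run a train of `axles` axles into the section, note whether the interlocking
    would be told the section is clear while the train is still inside, then run
    it out again. Returns (clear_while_inside, clear_after_leaving)."""
    counter = counter_cls()
    for _ in range(axles):
        counter.axle_in()
    clear_while_inside = counter.section_clear()
    for _ in range(axles):
        counter.axle_out()
    return clear_while_inside, counter.section_clear()


if __name__ == "__main__":
    for axles in (255, 256, 257, 512):
        print(axles, "axles  8-bit:", occupancy_report(AxleCounter8Bit, axles),
              " safe:", occupancy_report(AxleCounterSafe, axles))
```

With the 8-bit counter a 256-axle train reads as "clear" while it is standing in the section; the safe counter never reports clear for an occupied section, and a spurious "axle out" with nothing in the section latches a fault instead of underflowing to 255.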

Water

Cyber-attacks against water companies do not appear to be widespread, but it has been reported that in 2016 a hacktivist group associated with Syria attacked a water treatment works in the USA.19 Although their exact motivation is unknown, it appears that the group altered settings controlling the balance of chemicals added in the drinking water treatment process, with the potential to contaminate the supply.

Fresh water distribution and wastewater treatment both make use of industrial control systems similar if not identical to those used in other sectors, and therefore exhibit the same vulnerabilities.

Similar attacks could take place against treatment works for wastewater, in which an attacker could again conceivably alter the balance of chemicals used in the treatment process, rendering the resulting output harmful to human and animal life alike, or could release untreated sewage into rivers and water courses.

In 2017, Defra, the Department for Environment, Food and Rural Affairs, produced a cyber security strategy for the UK's water industry, which among other things recommended that information technology and operational technology systems should be completely separated from each other so that a malware infection cannot spread from one to the other. Likewise, the strategy recommended that the cyber security monitoring systems should be similarly separated but should operate under a single set of policies.20

BUILDING TARGETS

One does not always think of buildings as potential targets for cyber-attacks, but they are becoming increasingly internet-connected for management purposes, mainly for heating, ventilation and air conditioning (HVAC). The management of these systems is frequently outsourced to suppliers who are better equipped to control them centrally and who send out an engineer only when something cannot be fixed remotely.

Access to a building’s HVAC systems would permit an attacker to raise or lower internal temperatures to unacceptable levels, causing staff to have to leave or causing the temperature of critical environments to exceed operational requirements – an entire data centre could be taken out of service in this way.

Also, an attacker might be able to gain access to the building’s access control system, allowing doors to be locked or unlocked, preventing staff from entering or leaving, or providing the attacker with the opportunity for physical ingress.

The types of building that might be attacked in this way include:

  • factories, such as car manufacturing plants where an attacker might take control of an assembly line;
  • warehouses and distribution centres, especially where high value goods are stored;
  • transport hubs, such as airport terminals and railway stations;
  • operational buildings, such as call centres, telephone exchanges and air traffic control installations;
  • office buildings;
  • hotels, where an attacker could lock or unlock guests’ doors at will;
  • sports and recreation buildings, with the potential to access scoring systems as well as HVAC;
  • retail properties, including shops, shopping malls, petrol stations and restaurants.

Private houses

There has been much recent interest in home automation, with the ability to connect to a central heating system online from an application on a smartphone; to control blinds, curtains and windows; and also for manufacturers of white goods to receive alerts of potential failure of appliances.

Unfortunately, the manufacturers of home automation systems hardware are not always as skilled as they should be in writing secure code (discussed in greater detail in Chapter 4). As the market for home automation devices continues to grow, attackers are ideally placed to target well-publicised vulnerabilities in these systems.

There have been cases where baby video monitors have had little or no security software included, resulting in unauthorised people being able to watch and communicate with a child remotely.21

Ironically, some security systems are also vulnerable. CCTV systems that make use of a digital video recorder to capture images may allow an attacker to gain access to an organisation’s data network through backdoors in the recorder, and smart TVs equipped with a camera and microphone can also present a means of an attacker gaining access.

We are being made increasingly aware of the IoT and how it has the power to transform our lives. Many of the interconnected devices already being sold in the area of home automation have been implemented with little or no security, thus presenting an attacker with almost unlimited opportunity to cause mayhem and render our homes vulnerable to burglary.

Smart meters are now being installed by energy companies around the UK. However, it has been discovered that there are a number of fundamental flaws in the design, rendering the meters susceptible to cyber-attack and also vulnerable as an entry point to private domestic networks. It could also be possible for a cyber-attacker to under- or over-report the usage of energy, or to remotely shut off the power to the building.22

In a similar vein, if not protected against unauthorised access, home central heating control systems could be vulnerable to attack. Systems such as Hive and Google Nest make use of a private home’s Wi-Fi system to allow communication between the thermostat and the control system itself. It is not difficult to imagine the impact if a home’s heating was turned down or off, possibly resulting in frozen pipes (or occupants), or turned up, resulting in sky-high fuel bills.

Additionally, the Google Nest Protect system allows carbon monoxide and smoke detectors to be connected into the same smartphone application, so a compromise of that application or account could remove the homeowner's ability to receive alerts in the event of problems.

This also raises potential issues with other smart devices such as doorbell/camera combinations that, on the face of it, are eminently sensible security measures, but again, if hacked, could allow an intruder to be aware when a property was unoccupied with a view to gaining entry, having disabled the camera and alerting function.

Finally, there are the smart speakers, such as the Amazon Echo (which runs the Alexa assistant) and the Google Home and Nest speakers, all of which allow the home user to access all kinds of information by voice command; to control home products such as those described above; and to contact others who use the same sort of device. The amount of data these devices collect is considerable and can include recordings of spoken commands as well as internet search Uniform Resource Locators (URLs). However, it is possible to delete this data.

ACADEMIA AND RESEARCH TARGETS

Many universities have been the victim of cyber-attacks. In March 2021, a major DDoS attack was launched against the University of Northampton, resulting in much-reduced network and telephone connectivity that lasted for almost a whole week.23 Since then, the NCSC has issued an alert to the UK’s education sector regarding ransomware attacks by cyber criminals.24

Academic networks present tantalising opportunities for attackers. Many networks (or network segments) are poorly secured, due partly to the spirit of openness that exists in the academic world, and partly through the enthusiastic efforts of students to secure unauthorised network access off campus as well as on.

Additionally, academic networks frequently have links into organisations that conduct commercial research and to government or military organisations, meaning that they can be used as a stepping stone to rich pickings.


It is thought that not all of the attacks originate from outside the universities themselves; often they come from within, with students testing their hacking skills. The first internet worm to gain widespread attention was released in 1988 by Robert Morris, a graduate student at Cornell University in the USA, and caused devastation on the early internet. Morris was eventually identified and became the first person convicted under the USA's Computer Fraud and Abuse Act.

As a result of this attack, the Defense Advanced Research Projects Agency (DARPA) funded the establishment of the Computer Emergency Response Team/Coordination Centre (CERT/CC) at Carnegie Mellon University.


In his book The Cuckoo's Egg,25 Clifford Stoll describes the events that began with a 75-cent discrepancy in the computer-time accounts at the Lawrence Berkeley National Laboratory in California and ended with the identification of a hacker in West Germany who was breaking into American university and military systems and selling what he found to Soviet intelligence.

MANUFACTURING AND INDUSTRY TARGETS

Industrial systems, whether involved in planning and design, development or actual manufacturing, have been a target for cyber-attacks for many years. Some attacks are used to conduct industrial espionage, while others are designed to cause disruption to industrial processes.

Manufacturing and industrial control systems

SCADA is one of the most commonly used methods of monitoring and controlling industrial processes. It was developed to permit the monitoring and control of diverse manufacturers’ hardware in the form of programmable logic controllers by a single management system using standardised automation protocols.

SCADA systems consist of five discrete levels:

  • Level 0, containing the devices to be controlled, such as sensors and control valves;
  • Level 1, containing the programmable logic controllers and input/output modules that read the sensors and drive the control valves referred to above;
  • Level 2, containing the computer systems that integrate the sensor readings, generate alerts and apply control instructions;
  • Level 3, containing the production monitoring and targeting systems;
  • Level 4, containing the production scheduling systems.

Attacks such as the Stuxnet attack described in Chapter 2 target Level 1 and Level 2, so that false data is passed up from Level 1 to Level 2 and incorrect instructions are passed back down. Stuxnet recorded normal sensor readings and replayed them to the monitoring system while it drove the centrifuges outside their safe operating range, so the operators saw nothing amiss. Other attacks against SCADA-based industrial control systems have been reported, but Stuxnet remains the highest-profile case thus far.
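The Level 1 to Level 2 manipulation described above, as an added example that is not part of the original text and is neither real PLC/SCADA code nor Stuxnet's: a hypothetical controller drives a rotor towards a setpoint; half-way through the run the attacker pushes a dangerous setpoint down to the controller while replaying the healthy telemetry it captured earlier up to the monitoring system. Two checks a Level 2 system could run are shown: a replay detector that looks for a window of readings repeating an earlier window bit for bit (real sensor noise does not do that), and a cross-check against an independent, out-of-band measurement that does not pass through the compromised path. The process model, the noise level, the setpoints and the tolerances are all assumptions made for illustration.

```python
"""Simulation of a Stuxnet-style attack on the Level 1 to Level 2 path: bad
instructions go down to the controller while recorded 'healthy' telemetry is
replayed upwards to the monitoring system. Hypothetical model, constructed for
illustration; not real PLC or SCADA code, and not Stuxnet's."""
import random


class ControllerModel:
    """Level 1: a controller driving rotor speed towards a setpoint (hypothetical)."""

    def __init__(self, rng, setpoint=1000.0):
        self.rng = rng
        self.setpoint = setpoint
        self.speed = setpoint

    def step(self):
        # First-order approach to the setpoint plus measurement noise
        self.speed += 0.5 * (self.setpoint - self.speed) + self.rng.gauss(0.0, 2.0)
        return self.speed


def simulate(cycles=100, attacked=False, seed=7):
    """Return (reported, actual): `reported` is what Level 2 receives over the
    normal path, `actual` is what an independent out-of-band sensor would measure."""
    rng = random.Random(seed)
    plc = ControllerModel(rng)
    recorded = []                 # attacker's capture of healthy telemetry
    reported, actual = [], []
    onset = cycles // 2
    for t in range(cycles):
        if attacked and t >= onset:
            plc.setpoint = 1400.0                            # incorrect instruction passed down
            true_speed = plc.step()
            shown = recorded[(t - onset) % len(recorded)]   # false data passed up
        else:
            true_speed = plc.step()
            recorded.append(true_speed)
            shown = true_speed
        reported.append(shown)
        actual.append(true_speed)
    return reported, actual


def first_replayed_window(series, width=8):
    """Index of the first window that exactly repeats an earlier window, else None.
    Real sensor noise never repeats bit for bit; a replayed capture does."""
    seen = set()
    for i in range(len(series) - width + 1):
        key = tuple(series[i:i + width])
        if key in seen:
            return i
        seen.add(key)
    return None


def first_divergence(reported, actual, tolerance=50.0):
    """Index where the reported value and the independent measurement disagree
    by more than `tolerance`, else None."""
    for i, (r, a) in enumerate(zip(reported, actual)):
        if abs(r - a) > tolerance:
            return i
    return None


if __name__ == "__main__":
    for attacked in (False, True):
        rep, act = simulate(attacked=attacked)
        print("attacked" if attacked else "honest",
              "replay detected at", first_replayed_window(rep),
              "divergence detected at", first_divergence(rep, act))
```

Both checks fire at the cycle the attack begins and stay silent on the honest run. The replay detector needs nothing but the telemetry stream; the divergence check needs a second measurement path that the attacker does not control, which is the expensive but far more robust option.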

Attacks on industrial control systems can be used against any area of the CNI, such as water treatment plants, power stations, oil production platforms and the like.

In recent years, the move from largely manual construction and assembly in the manufacturing industries to automated manufacturing has been a major industry in its own right. Although some of the more delicate aspects of production still require manual (and often highly skilled manual) labour, machines are able to carry out repetitive work without tiring and often with much greater accuracy than a human.

The concept of an assembly line being hacked and aspects of production being altered was unwittingly suggested by a Citroën car advertisement from 2012 in which the robot spray painting systems begin to make unplanned changes to the design on the production line.26 While this was simply a tongue-in-cheek reference, a cyber-attack on an assembly line could easily result in locking nuts not being sufficiently tight or wiring looms being wrongly connected, either of which could cause significant rework in the factory or might not show up until the vehicles were on the road, with potentially fatal results.

There is also the possibility of a cyber-attacker making changes to the operating software of computer-based products while in production. Many devices nowadays rely on microprocessors to control their basic and more complex functions, from washing machines to cars, and from network routers to fighter aircraft. If there is no highly rigid system of control over software between initial development and deployment, these areas become an easy target for an attacker.

 

1. See https://arstechnica.com/information-technology/2019/10/indian-nuclear-power-company-confirms-north-korean-malware-attack/

2. See https://freebeacon.com/national-security/nsa-details-chinese-cyber-theft-of-f-35-military-secrets/

3. See https://www.reuters.com/world/europe/russian-hackers-tried-sabotage-ukrainian-power-grid-officials-researchers-2022-04-12/

4. See https://foreignpolicy.com/2022/04/11/russia-cyberwarfare-us-ukraine-volunteer-hackers-it-army/

5. See www.hse.gov.uk/comah/buncefield/buncefield-report.pdf

6. See https://www.upguard.com/blog/biggest-cyber-threats-for-financial-services

7. See https://www.fca.org.uk/news/press-releases/royal-bank-scotland-fined-£56m-failing-properly-report-over-third-transactions

8. See https://cybersecurityguide.org/industries/food-and-agriculture/

9. See https://www.ncsc.gov.uk/guidance

10. See https://www.cpni.gov.uk

11. See https://www.healthcareitnews.com/news/medstar-attack-found-be-ransomware-hackers-demand-bitcoin

12. See https://www.theguardian.com/technology/2017/jan/13/london-nhs-hospital-trust-hit-by-email-cyber-attackers

13. See https://www.imdb.com/title/tt1454468/

14. See https://www.telegraph.co.uk/news/worldnews/northamerica/usa/11611058/Cybersecurity-researcher-made-plane-climb-after-hacking-in-flight-entertainment-system.html

15. See https://inews.co.uk/inews-lifestyle/travel/british-airways-systems-down-ba-flights-cancelled-it-failure-heathrow-airport-1548133

16. See https://europa.eu/youreurope/citizens/travel/security-and-emergencies/emergency-assistance-vehicles-ecall/index_en.htm

17. See https://www.kaspersky.com/blog/blackhat-jeep-cherokee-hack-explained/9493/

18. See https://www.reddit.com/r/softwaregore/comments/4s755a/trains_in_switzerland_must_not_have_exactly_256/

19. See www.theregister.co.uk/2016/03/24/water_utility_hacked/

20. See https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/602379/water-sector-cyber-security-strategy-170322.pdf

21. See www.bbc.co.uk/news/technology-34138480

22. See www.bbc.co.uk/news/technology-29643276

23. See https://www.bbc.co.uk/news/uk-england-northamptonshire-56500434

24. See https://www.ncsc.gov.uk/news/alert-targeted-ransomware-attacks-on-uk-education-sector

25. Clifford Stoll (1991) The Cuckoo's Egg. London: Pan Books.

26. See https://www.youtube.com/watch?v=6vuZWx11RLM
