A secure new year? Keeping buildings safe from cyber attack

Cyber security is seen as a dark art but is essential in a virtual world, says Hywel Davies

The National Cyber Security Centre (NCSC) is the UK’s technical authority for cyber security and is a part of Government Communications HQ (GCHQ). Opened by HM Queen Elizabeth in 2016, its goal is ‘to make the UK the safest place to live and work online’. 

NCSC’s seventh annual report was published in November 2023, highlighting key milestones in the year ending August 2023. The report also looks ahead to future challenges.

In 2023, we witnessed growing interest in artificial intelligence (AI) and the rise of ChatGPT (other AI tools are available). Such systems have the potential to bring many benefits to society, but there are also some broad, dystopian predictions of how AI will affect almost every aspect of our future lives.

The field of AI is much broader than large language models (LLMs) such as ChatGPT, and it presents a range of cyber threats. The NCSC has focused on understanding the cyber-security challenges and opportunities of AI for many years.

While much debate around AI focuses on broader existential risks, its rapid development also brings many immediate security concerns. As this technology develops further, ongoing cyber research aims to understand its vulnerabilities and keep track of how our adversaries are seeking to exploit AI irresponsibly and unethically, often for malign ends. The NCSC is working with industry, academics and international partners to provide clear guidance to help us all understand and manage these risks. 

While the risks of AI are significant, it is basically a type of software – and while it creates new challenges, we have learned many lessons from previous generations of cyber-security practice that can be used to secure this rapidly developing technology. 

AI also presents the cyber-security sector with significant opportunities to develop new and innovative defences against hostile actors.

On 1 and 2 November 2023, the UK hosted the first AI Safety Summit at Bletchley Park, with governments, leading technology organisations, academia and civil society coming together to consider rapid national and international action in response to AI development. The resulting ‘Bletchley Declaration’ acknowledges the need for inclusive and collaborative action to address risks around the most advanced and cutting-edge ‘frontier’ AI.

The summit emphasised the importance of a ‘secure by design’ approach to cyber security in AI development. This is the key principle behind the new Guidelines for secure AI system development, published by the NCSC, the US Cybersecurity and Infrastructure Security Agency, and 21 other international agencies at the end of November. 

The guidelines are primarily for providers of AI systems, but are also relevant to stakeholders who use AI within their systems, so that informed decisions can be made about the design, development, deployment and operation of those systems. They recommend considerations and mitigations that will reduce risk when organisations develop AI-based systems.

AI is not the only consideration, however. Last month, the NCSC met representatives of the UK cultural sector to discuss protection of institutions’ online collections, which pool millions of digital records and increase public accessibility to materials with unique social and cultural value. This makes the cultural sector an attractive target for opportunistic threat actors looking to exploit and disrupt these assets through ransomware, causing a loss of income not only for the organisation concerned, but also for society at large.

Even closer to our sector, the NCSC and US recently issued guidance to address active and malicious exploitation of Unitronics programmable logic controllers in the water, energy, food and healthcare sectors. Key messages include the need for multifactor authentication and the use of unique, strong passwords rather than defaults. This is but one example of the threat to UK national infrastructure posed by cyber operations.

I wish readers a secure new year and encourage you all to check in with the NCSC website soon.

Relevant links:

  • NCSC website – www.ncsc.gov.uk
  • The Bletchley Declaration – bit.ly/BLDEC23
  • Culture sector cyber summit – bit.ly/NCSCSum23
  • ‘IRGC-affiliated cyber actors exploit PLCs in multiple sectors, including US water and wastewater systems facilities’, US Cybersecurity & Infrastructure Security Agency (IRGC is the Iranian Revolutionary Guard Corps) – bit.ly/Cybthr23