Project Spotlight: The challenges posed by software vulnerabilities in critical national infrastructure

Characterising software failure and the consequences of software failure for critical national infrastructure resilience
Project Spotlight: The challenges posed by software vulnerabilities in critical national infrastructure
UKCRIC Communications, Marketing and Events Manager (UCL)

UKCRIC Limited applied for a grant from the Business Continuity Institute (BCI) to carry out research to explore the challenges posed by software vulnerabilities in critical national infrastructure (CNI), examine their potential consequences, and outline strategies for enhancing digital resilience. The proposed project was ranked top in that round of BCI grant applications.

CNI encompasses essential services that are foundational for societal and economic stability, including sectors such as energy, water, transportation, communication, and public services. As digitalisation transforms these sectors through technologies like Internet of Things (IoT), big data analytics, and artificial intelligence, the efficiency and adaptability of infrastructure operations have significantly improved. However, the integration of digital systems within CNI has also introduced new complexities and vulnerabilities, particularly around cyber threats and software resilience.

The UK government classifies infrastructure as CNI based on the severity of disruption it would cause if compromised, with many systems increasingly interconnected through expansive digital networks. The Parliamentary Office of Science and Technology (POST) highlighted the exponential rise in attempted cyber-attacks on UK infrastructure, emphasizing that market forces have not sufficiently driven proper risk management practices. The evolving threat landscape necessitates proactive and collaborative measures to strengthen the cyber and software resilience of CNI.

Relevant work at BCS, The Chartered Institute for IT and the IT Leaders Forum titled Elephant in the Room (2022) identified the need to prepare against disruptions caused by software failures and build national preparedness, hence its interest also to the National Preparedness Commission (NPC).

The UKCRIC Ltd research combined an analysis of academic literature with other technical reports and case studies about software resilience and vulnerabilities in CNI, and stakeholder engagement through structured workshops. The workshops, designed and developed by the UCL research team, facilitated discussions about key vulnerabilities, emerging risks, and potential mitigation strategies. The workshops enabled cross-sector collaboration and ensured that diverse perspectives were incorporated, acknowledging the complexity of digital threats and the multifaceted nature of resilience-building efforts. Having validated the five key types of software failure (security and resilience, intrinsic software, data-driven, software-hardware interface, human-computer interface) workshop participants then underscored the severe societal and economic consequences of software failures in CNI and developed a set of possible strategies to enhance software resilience.

View a summary of the project findings.