UK critical infrastructure providers could be liable for fines of millions of pounds if they do not improve their cyber defences and resilience of their IT infrastructure, a study reveals.
More than two-thirds of UK critical infrastructure organisations (70%) have suffered from service outages on their IT networks in the past two years, freedom of information (FoI) requests have revealed.
If their cyber defence capability is not improved soon, these organisations could face fines under the new UK rules which come into force soon, according a study by Corero Network Security.
After 9 May 2018, when the European Union’s (EU’s) Network and Information Systems (NIS) Directive is implemented into UK law, such outages would have to be reported to regulators, which have the power to impose financial penalties of up to £17m where infrastructure operators have failed to protect themselves against loss of service.
Had the service outages reported in the past two years occurred after the new legislation is introduced, and all the affected organisations were deemed to have failed to protect themselves, the total fines for all affected organisations would have been in excess of £2.5bn.
The FoI requests were sent by Corero, in January and February 2018, to 312 critical infrastructure organisations in the UK, including fire and rescue services, police forces, ambulance trusts, NHS trusts, energy suppliers, transport organisations and water authorities.
In total, 221 responses were received, with 155 admitting to having suffered a service outage on their networks in the past two years. In addition, more than a third (35%) of the service outages reported in the study were believed to have been caused by a cyber attack.
Andrew Lloyd, president at Corero Network Security, said service outages and cyber attacks against national infrastructure have the potential to inflict significant, real-life disruption by preventing access to essential services such as power, transport and the emergency services.
“The fact that so many infrastructure organisations have suffered from service outages points to an alarming lack of resilience in organisations that are critical to the functioning of UK society,” he said.
According to Lloyd, there is a growing number of sophisticated and, when undefended, damaging cyber attacks across all sectors.
“Government ministries and agencies have reported that these attacks are increasingly believed to be the work of foreign governments seeking to cause political upheaval,” he said.
“The head of the National Cyber Security Centre, Ciaran Martin, has already warned that it is a matter of when, not if, the UK experiences a devastating cyber attack on its critical infrastructure. The study poses serious questions about the UK’s current capability to withstand such an attack.”
Mitigating the cyber threat
The National Audit Office’s official investigation into 2017’s WannaCry ransomware outbreak concluded that all the NHS organisations affected by the malware fell victim because they failed to apply patches to their systems that had been available for more than two months before the attack.
Yet in spite of this stark warning, 11% of the critical infrastructure organisations that responded to the Corero study admitted that they do not always ensure that patches for critical vulnerabilities are routinely patched within 14 days, as recommended in the government’s 10 steps to cyber security guidance.
However, almost all the organisations that responded to the study (98%) are following government advice about network security, by adhering to the network security section of the 10 steps to cyber security programme, which was first published in 2012.
“The NIS regulations offer a golden opportunity to make UK infrastructure more resilient against cyber attacks, delivering on the UK government’s strategy to make the UK the safest place in the world to live and work online. But more rigorous guidance is urgently needed so that our essential services can remain available during all but the most extreme cyber attack,” said Lloyd.
“This data proves that blindly following outdated guidance is insufficient to repel today’s cyber attacks. While further guidance is still expected from the NCSC, the current advice is heavily weighted on reactive attack reporting rather than advising organisations on how to proactively defend themselves.
“As things stand, there is genuine risk that the legislation may be viewed as a mere ‘tick-box’ exercise which requires the bare minimum to be done, rather than fulfilling its promise for the UK to set world-leading standards in this area.”
In a whitepaper, Corero Network Security states that distributed denial of service (DDoS) attacks are a significant security and availability threat that target UK essential services.
The new measures, which relate to loss of service by IT networks and information systems, will be introduced around the same time as new UK data protection legislation that will also provide for fines of up to £17m for failure to take adequate measures to protect personal data.