Proposed £17m fines would make infrastructure cybersecurity a ‘cost centre’
The debate over the chances of a serious cyber-attack taking down a major part of the country’s national critical infrastructure is now more intense than ever, because when it comes to our national infrastructure, cyber risks aren’t limited to damaging a company’s reputation or losing customer data: they could seriously endanger people’s lives.
After all, if an attacker were to take control of the purification process in a water plant, an entire water supply could be made unfit to drink. Or, if a successful attack were launched on an electricity grid, swathes of the country could be left in darkness and cold for extended periods of time.
As a result, protecting our critical infrastructure from cyber-attacks has become a top government priority, and recently prompted its proposal to issue fines of up to £17 million to providers of infrastructure services that fail to protect against cyber-attacks on their networks, says Sean Newman, director at Corero Network Security.
It is both welcome and critical that the Government prioritises cyber security by forcing operators of essential services to become more resilient. Despite the significant risks involved, there seems to be a culture of complacency around the dangers of cyber-attacks within some critical infrastructure organisations.
This probably stems from the way these organisations were set up – with industrial control systems completely isolated from other computers and network devices, incapable of connecting physically or wirelessly – and therefore considered to be exempt from the risks of cyber-attacks. But as these systems have become more connected to the Internet, for reasons of efficiency and effectiveness, this has also increased the potential attack surface for damaging cyber-attacks, such as Distributed Denial of Service (DDoS).
To investigate this issue, we carried out a Freedom of Information study earlier this year, which found that over a third (39%) of UK critical infrastructure operators have not completed the UK government’s basic cyber security standards (the ’10 Steps to Cyber Security’ programme).
Alarmingly, the responses also showed that 51% of critical infrastructure organisations are potentially vulnerable to stealth DDoS attacks – those of short duration and low volume – because they have not deployed technology that can detect or mitigate such attacks. Modern DDoS attacks represent a serious security and availability challenge for infrastructure operators because even a short period of downtime or latency can significantly impact the delivery of essential services.
Given our interest in this issue, and our experience as a cyber security company which specialises in keeping organisations online, we decided to take part in the Government’s open consultation on its proposals and offer our views about how they could work. Overall, we are highly supportive of the broad approach and the high-level principles but, as our research shows, there is still some way to go.
While it’s clear that some infrastructure operators need a ‘push’ to improve their cyber security posture, the problem with implementing fines is that it risks making organisations view cyber security simply as a cost centre, rather than thinking about protecting themselves against the full spectrum of problems caused by a service outage – in this case, not just financial loss, but the dangers to citizens of having their essential services suspended. A culture of fines encourages organisations to treat the fine itself as the main risk.
It also encourages them to choose cheaper and less effective solutions, chosen solely to avoid the risk of incurring a fine. This is particularly likely given the Government’s assertion that any fines would be a last resort and would not apply to firms which had put safeguards in place but still suffered an attack.
In order for the UK to be truly world-class in the Digital Economy, and remain a safe place to live and work, cyber security cannot continue to be belittled in this way. For a long time now, organisations have been too focussed on the compliance tick box, rather than looking for the security coverage required to maintain service availability and protect data.
To really bring about change, organisations need to take a serious look at their own operating model and the corresponding risk profile, and build robust protection. It is not acceptable that service and data loss should be excused under any circumstances when the technology and services to provide proper protection are available today.
The author of this blog is Sean Newman, director at Corero Network Security