The measures outlined in the government consultation paper on the implementation of the Network and Information Systems (NIS) Directive have been welcomed by representatives of the cyber security and legal community.
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Providers of essential services that fail to implement effective cyber security measures could be fined as much as £17m or 4% of global turnover under measures being considered by government.
“The very considerable fines echo the penalties for serious breaches set out in the EU’s General Data Protection Regulation (GDPR), which the UK has undertaken to implement pre- and post-Brexit,” said Mark Lubbock, technology partner at law firm Ashurst.
“They reflect the government’s commitment to tackle cyber crime and the real threat to national security posed by criminals and rogue states in an increasingly linked-up world,” he said.
IT industry body TechUK said it is looking forward to responding to the consultation paper. “To protect the UK’s digital economy, we agree that operators of essential services need to be resilient to the growing cyber threat,” said Talal Rajab, TechUK’s head of programme for cyber.
“This includes putting in place effective security measures, such as security monitoring and the training of staff, and developing policies to respond to a cyber incident,” he said.
However, Rajab said questions remain over the scope of “essential services” to be covered by the measures, as well as the timelines with which companies should be expected to report an incident.
He said TechUK will be consulting with its membership about how these measures will affect digital service providers in particular, and will be providing feedback to government.
Awareness of data is key
Jamie Graves, CEO of security firm ZoneFox, said the GDPR was spoken about extensively at its “one year to implementation” date as a game changer, and the NIS Directive is no different.
“The directive provides clear directives and repercussions for critical infrastructure – a vital area to secure in the fight against cyber crime,” he said.
The global WannaCry ransomware attack in May 2017, said Graves, is clear proof for the need for the NIS Directive.
However, he said the way in which businesses need to secure themselves is no different from a phone shop to the national power grid.
“Data is the key piece of the puzzle or, more specifically, an awareness of data. Making sure that you have network visibility of information – and those accessing it – while it is stored, on the move or taken off the network is the first line of defence against any attack or potential attack,” he said.
“Coupling this with a reporting system that can alert the necessary authorities as quickly as possible and a robust backup will mean essential services are kept online and are in a much stronger position to protect themselves.”
Fines ‘ensure CNI providers are answerable’
James Chappell, CTO and co-founder of security firm Digital Shadows, said that when the UK voted to leave the European Union (EU), one of the concerns in the cyber security industry was that it would choose not to enact the regulatory commitments the country really needs to toughen up its cyber defences.
“In fact, the opposite has been the case. The UK interpretation of the NIS Directive has put forward equivalent fines to those mandated by the GDPR, and today’s announcement pertaining to critical national infrastructure goes further than is required by the EU under the NIS Directive,” he said.
Chappel points out that the UK’s critical national infrastructure is a mix of public and privately owned assets, which is both a strength and a weakness.
“This diversity is a strength, in that it would be tougher to take it down in its entirety, but it is also a weakness as it’s fragmented and harder to enforce uniform standards across disparate systems and teams,” he said.
Chappel said while it is hoped that the threat of large fines would never need to be enforced, he believes it will help coalesce thinking and ensure that CNI providers are answerable to their shareholders as well as the public at large when thinking about their cyber security measures.
“The proposed scale of fines demonstrates that UK government takes the cyber security of critical national infrastructure seriously,” he said.
CNI protection suffers from lack of cyber resources
Jens Monrad, senior intelligence analyst at FireEye, said a lot of CNI is built on a foundation of fragile infrastructure and, in many cases, is not originally designed to be connected to the internet.
“Many organisations have used solutions, bridging these systems to either company infrastructure for easier maintenance or connected directly to the internet for remote support and third-party access,” he said.
In many instances, Monrad said the cyber defence perspective has not been prioritised, either because of lack of understanding or a lack of resources.
“This becomes a huge worry with CNI, because, as we have witnessed in Ukraine, and more recently with Petya/NotPetya, cyber attacks can have real-life and economic consequences for citizens and enterprises, depending on the severity with a fatal outcome,” he said.
According to Monrad, this gap is widened by many organisations not having enough resources to prioritise security, to establish sufficient monitoring of critical assets or to train personnel who operate CNI in cyber security.
“But with firms now required to prove their strategies, this will need to change. Today one of the biggest challenges is the lack of insight into this infrastructure,” he said.
“Operating critical infrastructure built on industrial control systems [ICS] requires a different skillset to your typical IT operations and, because of this, there exists a gap where ICS is sometimes not instrumented and monitored by security personnel.”
To build an effective cyber defence program in CNI companies, Monrad said they first need to address the lack of visibility and lack of data, due to the nature of how many of these systems are designed.
When they have addressed these two challenges, he said, CNI providers should move into building a program which can address and answer these three questions:
- Is ICS part of the cyber security routines in the company and how can/do they detect threats in ICS networks?
- Do they have an adequate plan for responding to cyber threats, attacks and breaches in ICS environments?
- Can they contain the threat, isolate and remediate it, while making sure they are still operational?