Bosses of Britain’s most critical industries are being warned to boost their cyber security regimes or face hefty fines for leaving themselves vulnerable to attack. Energy, transport, water and health firms could be fined up to £17 million if they fail to have the most robust safeguards in place.
New regulators will be able to assess critical industries to make sure plans are as robust as possible. A simple, straightforward reporting system will be set up to make it easy to report cyber breaches and IT failures so that they can be quickly identified and acted upon. This will ensure UK operators active in the electricity, transport, water, energy, health and digital infrastructure spheres are prepared to deal with the increasing number of cyber threats. It will also cover other threats affecting IT such as power outages, hardware failures and environmental hazards.
Under the new measures, recent cyber breaches such as WannaCry and high-profile systems failures would be covered by the Network and Information Systems (NIS) Directive.
These incidents would have to be reported to the regulator who would then assess whether appropriate security measures were in place. The regulator will have the power to issue legally-binding instructions to improve security and – if appropriate – impose financial penalties.
Margot James, the Government’s Minister for Digital and the Creative Industries, said: “We are setting out new and robust cyber security measures to help ensure the UK is the safest place in the world to live and be online. We want our essential services and infrastructure to be primed and ready to tackle cyber attacks and be resilient against major disruption. I encourage all public and private operators in these essential sectors to take action now and consult the National Cyber Security Centre’s (NCSC) advice on how they can improve their cyber security posture.”
Detailed National Cyber Security Centre guidance
The UK’s ‘centre of cyber excellence’, the NCSC, was established last year and has now published detailed guidance on the security measures designed to help organisations comply. These are based around 14 key principles set out in the Government’s consultation and response, and are aligned with existing cyber security standards.
NCSC CEO Ciaran Martin outlined: “Our new guidance will give clear advice on what organisations need to do in order to implement essential cyber security measures. Network and information systems give critical support to everyday activities, so it’s absolutely vital that they’re as secure as possible.”
The new measures follow the consultation held last year by the Department for Digital, Culture, Media and Sport seeking views from industry on how to implement the NIS Directive from 10 May this year. Fines would be a last resort and will not apply to those operators who’ve assessed the risks adequately, taken appropriate security measures and engaged with regulators, but still suffered an attack.
Following the consultation, incident reporting arrangements have been simplified, with operators reporting to their ‘Competent Authority’. Penalties will be fixed at a maximum of £17 million. The new legislation will also make it clearer for companies whether they have to comply with the NIS Directive.
The NIS Directive is an important part of the Government’s five-year £1.9 billion National Cyber Security Strategy designed to protect the nation from cyber threats and make the UK the safest place in which to live and work online. It will ensure essential service operators are taking the necessary action to protect their IT systems.
Response from (ISC)²
Adrian Davis, EMEA managing director at (ISC)², stated: “With the NIS directive on the horizon, organisations deemed ‘essential services’ will have begun implementing the necessary changes and practices outlined in the UK Government’s guidance on the EU legislation. Responsible organisations that have followed this guidance should have more clarity and understanding of their security processes. For example, communicating a cyber breach has always been an issue for firms. There has never been a clear enough process to determine what has happened and whose responsibility it is to manage it. The new legislation includes a cyber incident reporting system which will go a long way towards addressing this grey area of communication.”
Davis continued: “Ultimately, this may look like yet another costly exercise and piece of legislation, but the value to firms in a business sense is enormous for those that get it right. Protecting against increasing digital threats has the potential to save firms hundreds of thousands of pounds in mitigating cyber attacks and breaches.”
According to Davis, foreign interference from state actors is a growing issue. “However, the greatest threat to organisations comes from within. A lack of cyber security skills and awareness among employees leaves firms vulnerable to the kinds of attacks used by state actors. Improving cyber security skills at all levels, from grass roots education through to the workplace itself is critical to providing UK business with the means to defend itself.”
Davis feels that technology can only go so far when it comes to protecting an organisation and should be used to enhance existing security procedures. “As well as targeting vulnerable systems, cyber criminals are now duping or tricking individuals into compromising systems through spear phishing attacks. Focusing on cyber security skills and practices across the organisation such that employees can readily recognise everyday cyber threats will enhance a firm’s security almost instantly.”
In conclusion, Davis told Risk UK: “Many critical infrastructure firms are embracing Industry 4.0 and introducing Internet-connected devices into their operations. Sadly, security is rarely a priority for the manufacturers of these devices and, as a result, a whole new vector of attack has opened for cyber criminals. Before implementing Internet of Things devices, such as electronic sensors and monitoring equipment, firms should look at how this impacts their security. Many industrial control systems run on outdated SCADA systems which can be vulnerable to attack. Organisations should adopt security approaches that are proactive and predictive rather than reactive.”
CREST welcomes 100th corporate member
CREST, the not-for-profit accreditation body representing the technical information security industry, has announced its 100th member. UK-based Sec Ops Ltd (Twisted Fish Ltd) has successfully passed the demanding assessment required to offer CREST-accredited penetration testing services.
CREST’s global membership has increased by 43% over the last 12 months. This reflects growing international recognition for CREST accreditation and the need for organisations to have trust and confidence when purchasing penetration testing, cyber incident response and threat intelligence services.
“I’m delighted that Sec Ops Ltd has achieved CREST membership, which recognises the company’s commitment to delivering the highest level of professional security services to its customers,” said Ian Glover, president of CREST. “Reaching our 100th company member is a major milestone for CREST. It demonstrates our commitment to small and large service suppliers as well as domestic and international markets. It’s clear the work we’ve done to structure and professionalise the industry in the UK and new global markets is making a real and tangible difference.”
As a CREST member company, Sec Ops Ltd offers a demonstrable level of assurance when providing its penetration testing services. All CREST members sign up to a strict and enforceable Code of Conduct and buyers can be confident that work will be carried out by competent experts with up-to-date skills and knowledge. All CREST members must also demonstrate that they have suitable policies, processes and procedures in place.
Ben Woodhouse, managing director at Sec Ops Ltd, said: “We’re thrilled to be awarded membership of CREST and also find out that we’re the 100th member. Being part of an organisation that’s so selective in its membership is a true reflection of the high standards imposed and enforced by Twisted Fish Ltd. The driving factor behind our application for CREST membership was to demonstrate to current and future customers alike that we take protection of their data seriously and that our standards are rigorous and robust. We’re certain that having CREST accreditation will help us to achieve some of our long-term objectives.”