Why are one in three CNI organisations skipping cybersecurity checks?

Mike Gillespie, Advent IM

November 24, 2017

This article was a joint effort between Mike Gillespie, MD of Advent IM, and Ellie Hurst, the company’s communications manager.

Some elements of our critical national infrastructure (CNI) are failing in their cybersecurity practices, a report has revealed following a Freedom of Information Request from security technology company Corero.

The responses have revealed some surprising and worryingly incomplete cybersecurity practices in some parts of essential services, including health, energy, transport and water.

Over a third of infrastructure organisations in the UK had not completed the basic cybersecurity standards issued by the UK government, known as the ‘10 Steps to Cyber Security’. When CNI take risks like this, they are taking risks for all of us, but what is at the root of this kind of failure? Is it governance, complexity, an assumption of security, or a combination?

When it comes to cybersecurity, a lot of the most serious problems come from mistaken assumptions. How many times do people question the security of an app, a device or a piece of equipment?

Frequently it is assumed that the everyday items and systems we use are basically secure when we buy them, but nothing could be further from the truth. Unfortunately, we are not yet in a position to rely on a kitemark-style system on equipment to tell us whether something has been built using cybersecure components and sold in a responsible way and in a secure state.

No governmental scrutiny

Alongside the assumptive position, there is the complex, convoluted nature of CNI itself. Some elements of these crucial services are in the private sector and although they are quasi-public sector, they operate in their own way and are not subject to governmental scrutiny.

There are guidelines, but up to now there have been no mandatory requirements – more on this later. And not only is some of this infrastructure in the private sector, it is sometimes non-UK owned, so you start to see the complex nature of trying to exercise genuine governance over cybersecurity in our CNI.

Now think about all the physical systems operated over the web, as well as the complex networks that handle the more standard information assets we are used to cyber-securing, and you have a more complete picture of the challenge.

Those physical systems may not even be in the scope of the cyber risk register. Risk-assessing them may well be carried out by non-cyber professionals, but they still need to be within the scope of the cybersecurity team and in line with the organisation’s cyber-risk appetite.

For decades many of these systems enjoyed ‘security by obscurity’; they were not web-enabled and were effectively air-gapped systems that would be hard to access.

But this is no longer the case, and connectivity is set to increase as ‘smart’ management of systems is required to control cost and increase efficiency. Smart technology is web-enabled and needs protecting too, regardless of who manages and runs it.

GDPR for CNI

As we are talking about cost, then this might be a good time to raise the impending shadow (or sunbeam, depending on your perspective) of the Network and Information Systems Directive (NIS) which is due to be adopted by the UK next May alongside the General Data Protection Regulation (GDPR). This EU proposal became a directive over a year ago and member states were given 21 months to embed the NIS Directive into their respective national laws.

Companies or organisations deemed Operators of Essential Services (OES) or Competent Authorities (CAs) are those primarily impacted by this directive, so quite clearly we are talking CNI. The idea of the directive is to raise standards across this sector and build in greater resilience and regulation of processes, checks and procedures.

Much as the GDPR is a move on from, and an improvement on, the Data Protection Act, NIS seeks to raise the game of cybersecurity practice in these essential infrastructure areas, enhancing the ‘10 Steps’ approach in a more focused way.

Back to cost: the Department for Culture, Media & Sport (DCMS), which is responsible for the successful adoption and implementation of NIS, is considering proposals for fines of up to £17m or 4% of global turnover for serious failures. However, the department is at pains to reassure that this would be a last resort (very similar to the Information Commissioner’s position on GDPR) and would not apply to operators who had assessed risk adequately, taken appropriate security measures and engaged with competent authorities, even if they suffered an attack.

Given that we are seeing the overall growth of ransomware, and also the introduction of ransomware designed for physical systems such as Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems, found all over our CNI, getting to grips with securing these systems cannot come too quickly.

The last time we experienced wide-scale malware with a physical impact was Stuxnet, and much of this new ransomware is designed to attack the same kinds of components in these systems, which sit all over the world.

So while the risks facing CNI seem to be expanding rapidly and comprehensively, the issue of governance is being addressed by new regulation, which should be embraced and used to create genuine improvement in CNI. It is worrying, though, that the ‘10 Steps’ approach is clearly not wholly effective if a third of organisations are already skipping some security checks and creating risk for everyone.

When it comes to risk and CNI we need to be aware that, yes, there is risk to CNI from cyberspace, but there is also risk from CNI, since we all rely on connected systems for ease of management, communication and information transfer.

If vital security measures are being skipped, then the risk could be moving our way, as well as the potential loss of essential services due to cyber-attack. Perhaps the possibility of fines will provide sufficient motivation to handle security well, and the NIS will provide the framework for real progress.
