More than two-thirds of critical infrastructure firms have suffered service outages within the last two years, with 35% of these down to cyber-attacks.
70% of critical national infrastructure (CNI) firms, including fire and rescue services, police forces, NHS trusts and energy suppliers, have suffered IT service outages in the past two years, according to a study by Corero Network Security.
Under the European Union’s Network and Information Systems (NIS) Directive, which comes into force on the 10th of May, such outages could leave firms liable to fines of up to £17 million. Unlike GDPR, which relates to personal data, the NIS Directive concerns loss of service on IT networks.
The UK government cited this directive as an important part of its five-year £1.9 billion National Cyber Security Strategy, which it hopes will make the UK the safest place to live and work online. The strategy also included opening the National Cyber Security Centre (NCSC), which offers free online advice as well as training schemes to help businesses protect themselves.
Despite the government’s efforts, the figures show that if maximum fines were imposed against all these CNI organisations, it would cost the UK economy more than £2.5 billion.
The Corero Network Security study was conducted through a series of Freedom of Information requests sent to 312 critical infrastructure organisations in the UK.
The study also revealed that over a third of the service outages reported (35%) were believed to have been caused by cyber-attacks, while 11% of CNI organisations admitted that they still do not always apply patches for critical vulnerabilities within 14 days, as recommended by the NCSC.
The NCSC identified delayed patching as a key factor in last year’s WannaCry ransomware outbreak in the NHS.
Andrew Lloyd, President at Corero Network Security, comments: “Service outages and cyber attacks against national infrastructure have the potential to inflict significant, real-life disruption by preventing access to essential services such as power, transport and the emergency services. The fact that so many infrastructure organisations have suffered from service outages points to an alarming lack of resilience within organisations that are critical to the functioning of UK society.
“Across all sectors, we are seeing a greater number of sophisticated and, when undefended, damaging cyber-attacks. Government Ministers and Agencies have reported that these attacks are increasingly believed to be the work of foreign governments seeking to cause political upheaval. The head of the National Cyber Security Centre has already warned that it is a matter of when, not if, the UK experiences a devastating cyber attack on its critical infrastructure. The study poses serious questions about the UK’s current capability to withstand such an attack.”
The National Audit Office’s official investigation into last year’s WannaCry ransomware outbreak concluded that all the NHS organisations affected by the malware fell victim because they failed to apply patches to their systems that had been available for more than two months before the attack.
Yet in spite of this stark warning, 11% of the critical infrastructure organisations that responded to the Corero study admitted that they do not always ensure that patches for critical vulnerabilities are applied within 14 days, as recommended in the Government’s ‘10 Steps to Cyber Security’ guidance.
At the same time, almost all the organisations featured in the study (98%) are following government advice on network security by adhering to the Network Security section of the 2002 ‘10 Steps to Cyber Security’.
Lloyd added: “The NIS Regulations offer a golden opportunity to make UK infrastructure more resilient against cyber-attacks, delivering on the UK Government’s strategy to make the UK the safest place in the world to live and work online. But more rigorous guidance is urgently needed so that our essential services can remain available during all but the most extreme cyber-attack.
“This data proves that blindly following outdated guidance is insufficient to repel today’s cyber-attacks. While further guidance is still expected from the National Cyber Security Centre, the current advice is heavily weighted on reactive attack reporting rather than advising organisations on how to proactively defend themselves. As things stand, there is a genuine risk that the legislation may be viewed as a mere ‘tick-box’ exercise which requires the bare minimum to be done, rather than fulfilling its promise for the UK to set world-leading standards in this area.”