Home » Topics » Cybersecurity » UK’s critical infrastructure ‘skipping basic cyber security checks’

UK’s critical infrastructure ‘skipping basic cyber security checks’

Avatar photoby Nick Ismail

Over a third of national critical infrastructure organisations in the UK (39%) have not completed basic cyber security standards issued by the UK government, according to data revealed under the Freedom of Information Act by Corero Network Security, a provider of real-time DDoS defence solutions.

The fact that so many infrastructure organisations have not completed the ’10 Steps to Cyber Security’ programme indicates a lack of cyber resilience within organisations which are critical to the functioning of UK society.

>See also: Ukraine’s national postal service suffers 2 day long DDoS attack

It also suggested that some of these organisations could be liable for fines of up to £17 million, or 4% of global turnover, under the UK government’s proposals to implement the EU’s Network and Information Systems (NIS) directive, from May 2018.

The Freedom of Information requests were sent by Corero, in March 2017, to 338 critical infrastructure organisations in the UK, including fire and rescue services, police forces, ambulance trusts, NHS trusts, energy suppliers and transport organisations.

In total, 163 responses were received, with 63 organisations (39%) admitting to not having completed the ’10 Steps’ programme. Among responses from NHS Trusts, 42% admitted not having completed the programme.

>See also: The cyber security industry is losing the cyber war

Sean Newman, Director of Product Management at Corero, comments: “Cyber attacks against national infrastructure have the potential to inflict significant, real-life disruption and prevent access to critical services that are vital to the functioning of our economy and society. These findings suggest that many such organisations are not as cyber resilient as they should be, in the face of growing and sophisticated cyber threats.”

Critical infrastructure operators ignoring DDoS threats

Modern Distributed Denial of Service (DDoS) attacks represent a serious security and availability challenge for operators of essential services. This is why DDoS protection is highlighted within the government consultation on NIS as a mechanism that critical infrastructure should consider when protecting their services and availability from disruption caused by cyber attacks.

But while most people equate DDoS with high-volume attacks, like that against DNS provider Dyn in 2016 that took down large parts of America’s internet, the vast majority of today’s attacks are actually short and low volume in nature.

>See also: The security challenges with the Internet of Things

In fact, 90% of DDoS attack attempts stopped by Corero during Q1 2017 were less than 30 minutes in duration, and 98% were less than 10Gbps in volume.

Due to their small size, these stealth DDoS attacks often go unnoticed by security staff, but they are frequently used by attackers in their efforts to target, map and infiltrate a network.

Worryingly, the Freedom of Information data revealed that most UK critical infrastructure organisations (51%) are potentially vulnerable to these attacks, because they do not detect or mitigate short-duration surgical DDoS attacks on their networks.

As a result, just 5% of these infrastructure operators admitted to experiencing DDoS attacks on their networks in the past year (to March 2017).

However, if 90% of the DDoS attacks on their networks are also shorter than 30 minutes, as experienced by Corero customers, the real figure could be considerably higher.

>See also: Luxembourg state internet infrastructure hacked

Newman, continues: “In the face of a DDoS attack, time is of the essence. Delays of minutes, tens-of-minutes, or more, before a DDoS attack is mitigated is not sufficient to ensure service availability, and could significantly impact the essential services provided by critical infrastructure organisations.”

“By not detecting and investigating these short, surgical, DDoS attacks on their networks, infrastructure organisations could also be leaving their doors wide-open for malware or ransomware attacks, data theft or more serious cyber attacks. To keep up with the growing sophistication and organisation of well-equipped and well-funded threat actors, it’s essential that organisations maintain comprehensive visibility across their networks, to instantly and automatically detect and block any potential DDoS incursions, as they arise.”

 

The UK’s largest conference for tech leadershipTechLeaders Summit, returns on 14 September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit by registering here

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics

Cyber Attack
Cyber Security
DDoS Attack

Related Stories

Cybersecurity

How AI will shift the security landscape in 2024

The impact of AI within cybersecurity is expected to grow significantly this year, says Alex Holland, senior malware analyst at HP

AI & Machine Learning

NCSC releases guidelines for secure AI development

New guidance from the National Cyber Security Centre (NCSC) aims to help businesses securely innovate with AI and minimise risks

Cybersecurity

3 cybersecurity compliance challenges and how to address them

Earning those trust seals can strengthen relationships with board members and prospective customers, but it sure isn’t easy.

Cybersecurity

70% of UK firms reported cyber insurance changes in past year

According to research from Databarracks, seven in 10 UK businesses have seen changes to their cyber insurance in the past 12 months, as requirements rise