Industries running critical infrastructure could face fines of up to £17 million if they do not have effective cyber security measures, the UK government announced, in a decision that has been widely trailed.
The penalties are to apply to energy, transport, water and health firms if they fail to have safeguards in place against cyber-attack.
The government also said that new regulators will assess critical industries, making sure cyber-security setups are as ‘robust as possible’. It said that a simple, straightforward reporting system will be set up to make it easy to report cyber-breaches and IT failures so they can be quickly identified and acted upon. It added that this would ensure UK operators in electricity, transport, water, energy, health and digital infrastructure “are prepared to deal with the increasing numbers of cyber threats”.
These incidents would have to be reported to the regulator, which would assess whether appropriate security measures were in place. The regulator will have the power to issue legally binding instructions to improve security and – if appropriate – impose financial penalties.
The government said that fines would be a last resort and will not apply to operators “which have assessed the risks adequately, taken appropriate security measures and engaged with regulators but still suffered an attack”.
“Today we are setting out new and robust cyber-security measures to help ensure the UK is the safest place in the world to live and be online,” said Margot James, Minister for Digital and the Creative Industries in a press statement.
“We want our essential services and infrastructure to be primed and ready to tackle cyber-attacks and be resilient against major disruption to services. I encourage all public and private operators in these essential sectors to take action now and consult NCSC’s advice on how they can improve their cyber security.”
The National Cyber Security Centre also published new advice for industry on cyber-security. It is based around 14 key principles set out in its consultation and government response and is aligned with existing cyber-security standards.
National Cyber Security Centre chief executive Ciaran Martin said in a press statement, “Our new guidance will give clear advice on what organisations need to do to implement essential cyber security measures.
“Network and information systems give critical support to everyday activities, so it is absolutely vital that they are as secure as possible.”
Rob Norris, VP head of enterprise & cyber security EMEIA at Fujitsu, told SC Media UK that in light of recent attacks, which highlighted the enormous cost of a major security breach, “it’s promising to see new guidance published in order to ensure organisations are doing their bit to bolster cyber-security”.
“Although organisational awareness of potential attacks is on the rise, online criminals are finding new and creative ways to dupe people into compromising sensitive financial and personal data. This means that ‘unusual behaviour’ is getting harder to detect and might not seem unusual at all. With employees on the front line of this battle, upskilling employees and making them more cyber aware is one of the most cost-effective ways of reducing the probability and impact of human error,” he said.
Talal Rajab, head of programme, Cyber and National Security at Tech UK, said that it is important that the UK’s critical infrastructure remains resilient to the growing cyber-threat.
He added that more work still needs to be done, “particularly with the 10 May deadline looming large, including the need for further details on the resources being made available to the various Competent Authorities and their respective legislative powers”.
“However, we are particularly pleased to see that detailed guidance has already been published by the NCSC on the security measures that organisations need to adopt in order to comply,” he said.
“Operators of essential services must act now and take heed of this guidance, ensuring that the essential services that we rely on are cyber-resilient and secure.”
In an email to SC Media UK, Rodney Joffe, SVP and fellow at Neustar and chairman of the Neustar International Security Council (NISC), commented, “The Russians have been surveying and prepositioning themselves on power networks throughout the globe for some time now – but unlike before, their abilities coupled with their intent have given them the unique opportunity to build out their cyber-capability to unmatched levels over the past few years.
“And this is incredibly alarming – they now have the resources and knowledge to remotely attack critical infrastructures in a way that was once only possible through military force.
“As a result, it comes as no surprise that some of Britain’s most critical industries have been ordered to strengthen their cyber-defences amid fears of an attack. This is especially relevant for the energy sector, which is extremely vulnerable in comparison to other industries. This vulnerability is a direct result of its dependence on legacy systems, which are based on old-fashioned IT infrastructure and are constantly connected to the internet, leaving them wide open for attacks.
“It is essential that these industries put an emphasis on cyber-security and are prepared to tackle threats, because today’s hackers – from Russia to North Korea and beyond – have the ability to not only take down critical infrastructures, but could potentially cause unmatched disruption globally.”
Steve Malone, director of security product management at Mimecast, commented: “We welcome the NIS Directive as a clear risk-based approach to building cyber resilience around the essential services that keep UK citizens safe and productive. WannaCry was a wake-up call and highlighted the disruptive power and scale cyber-attacks can have on our critical national infrastructure.
“This legislation clearly signals the move away from pure protection-based cybersecurity thinking. Robust business continuity strategies have never been more important to ensure organisations can continue to operate during an attack and get back up on their feet quickly afterwards.
“It’s only a matter of time before we see a category 1 attack and we need to be prepared.
“GDPR compliance stole many of the headlines last year but the NIS Directive is the most important deadline in May for the future protection of the nation.”
The announcement about fines follows last week’s comments from UK Defence Secretary Gavin Williamson, who said that Russia could launch cyber-attacks against the UK’s critical infrastructure that would kill thousands of people.
“The plan for the Russians won’t be for landing craft to appear in the South Bay in Scarborough, and off Brighton Beach,” he told the Telegraph on Friday. “They are going to be thinking, ‘How can we just cause so much pain to Britain?’”
Williamson warned that the cyber-active nation state could hurt the UK by executing cyber-attacks to “damage its economy, rip its infrastructure apart, actually cause thousands and thousands and thousands of deaths, but actually have an element of creating total chaos within the country.”