Infrastructure firms could face stiff fines for failing to comply with U.K. gov’t directive to bolster cybersecurity

The British government Sunday warned the heads of firms in the country's most critical industries to bolster their cybersecurity efforts to avoid fines.

If they don't make the necessary moves to ratchet up cybersecurity and invest in proper safeguards, the newly appointed special-sector regulators could fine energy, transport, water and health companies as much as £17 million, according to a release by the Department for Digital, Culture, Media & Sport, which had published the results of its consultation.

“We want our essential services and infrastructure to be primed and ready to tackle cyberattacks and be resilient against major disruption to services,” Margot James, minister for digital and the creative industries, said in the release.

In addition to appointing regulators to ensure that essential services are shielded from attack, the government boasted a new reporting system that it says will be both simple and straightforward, making it easier for companies to disclose cyber breaches and IT failures so that they can be quickly identified and acted upon.

The National Cyber Security Centre also published guidance centered around 14 key principles that the Department for Digital, Culture, Media and Sport laid out in its consultation last year and which are in accordance with the country's existing cybersecurity standards.

“Our new guidance will give clear advice on what organizations need to do to implement essential cybersecurity measures,” National Cyber Security Centre CEO Ciaran Martin said in the release. “Network and information systems give critical support to everyday activities, so it is absolutely vital that they are as secure as possible.”

Noting that “security in infrastructure services in most countries is not generally excellent” and concentrate on “state-sponsored attacks which aren't overly common for services like water, sanitation, or even energy, transportation and others,” Terry Ray, CTO at Imperva, called “enhanced security around infrastructure…a good move.”

Some services such as electric or health “may have regulations requiring data protection and some may not,” said Ray, who believes the quickest way to bolster security is to better monitor activity on all systems. “Regardless of industry specific regulations, here the government is saying security could be better, and it better be.” 

Tim Erlin, vice president of product management and strategy at Tripwire, explained that “critical infrastructure has become a more common target with the rise in nation-state sponsored attacks,” adding that “unfortunately, audits and fines have proven the most effective means of ensuring a common baseline of capabilities” because “critical infrastructure organizations don't invest consistently or effectively without oversight.”

While “it's easy to forget about the massive efforts required to ensure” that electricity, water, transportation and the like “just work,” Erlin stressed that “defending against cyberattacks is part of the reliability equation. We cannot ignore the potential impact any longer.”
