Critical Infrastructure Organisations Could Face Huge Fines Under NIS Directive

This week the NIS Regulations (the UK's implementation of the EU NIS Directive) come into force. Operators of essential services, including those running industrial control systems, now need to raise their game to stay resilient against today's cyber-threats.

Earlier this year, Corero surveyed over 300 critical infrastructure organisations in the UK under the Freedom of Information Act. The survey revealed that more than two thirds of respondents (70%) have suffered service outages on their IT networks in the past two years, potentially exposing them to fines under the new NIS Regulations.

What is the EU NIS Directive’s Purpose?

The EU's Network and Information Systems (NIS) Directive aims to raise the security and resilience of network and information systems, and its implementation offers a golden opportunity to improve the UK's cyber-security posture. Now that the legislation is in UK law, outages that significantly affect the continuity of an essential service must be reported to the relevant regulator, which has the power to impose financial penalties of up to £17 million where an operator of essential services has failed to protect itself against loss of service. With 432 UK organisations falling within the NIS remit, these fines represent a potential liability measured in billions of pounds.

Critical Infrastructure Attacks Are on the Rise

In the last few years there has been a growing number of sophisticated and damaging cyber-attacks across all parts of critical national infrastructure (CNI). Keeping CNI systems secure greatly reduces the risk of a catastrophic outcome: harm to public safety, service disruption and, now, regulatory fines.

A successful attack on critical systems can cause widespread disruption. For example, last October's DDoS attack on Sweden's rail network took its train ordering system offline for two days, causing travel chaos. Similarly, last May's WannaCry ransomware outbreak made many NHS systems unavailable, forcing operations to be cancelled.

Previous reports have also highlighted the dangers of infrastructure attacks, such as last year's attack on a Saudi Arabian petrochemical plant and Russia's wide-ranging cyber-assault on the US energy grid. In addition, Ciaran Martin, head of the National Cyber Security Centre (NCSC), warned in January that he expects the UK to suffer a major, crippling cyber-attack against its critical infrastructure within the next two years.

Mitigating the Cyber Threat

Despite the huge fines and repeated warnings, 11% of the critical infrastructure organisations that responded to the Corero study admitted that they do not always ensure critical vulnerabilities are patched within 14 days, as recommended in the Government's 10 Steps to Cyber Security guidance. At the same time, almost all respondents (98%) say they follow government advice on network security by adhering to the Network Security section of the 2012 guidance, which shows how far a self-assessed "compliant" posture can sit from the basic hygiene the guidance actually asks for.
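The 14-day window is only meaningful if it is measured. The following is an added example (not code from the original page or from Corero) of the kind of patch-SLA check an operator could run over its own vulnerability records to find the gap the survey describes. It assumes a simple in-house finding record (asset, identifier, severity, date a fix became available, date it was applied or none if still open); the asset names, identifiers and dates are constructed sample data, not real findings, and the `Finding` class, `sla_report` function and `AS_OF` date are this example's own names.

```python
"""Patch-SLA check: flag critical vulnerabilities not remediated within 14 days.

Illustrative example added to this page; not Corero's code. The SLA window
follows the 14-day recommendation cited in the text. Finding records, asset
names and identifiers below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

SLA_DAYS = 14  # window recommended in the Government's 10 Steps guidance


@dataclass
class Finding:
    asset: str                  # hypothetical asset name
    vuln_id: str                # constructed placeholder identifier
    severity: str               # "critical", "high", "medium" or "low"
    fix_available: date         # date a vendor fix became available
    patched: Optional[date]     # None means the finding is still open


def days_to_patch(f: Finding, today: date) -> int:
    """Days from fix availability to remediation, or to `today` if still open."""
    end = f.patched if f.patched is not None else today
    return (end - f.fix_available).days


def sla_breached(f: Finding, today: date, sla_days: int = SLA_DAYS) -> bool:
    """A critical finding breaches the SLA if it was patched late, or if it is
    still open and the window has already elapsed. Lower severities are not
    judged against the 14-day window here."""
    if f.severity != "critical":
        return False
    return days_to_patch(f, today) > sla_days


def sla_report(findings: List[Finding], today: date,
               sla_days: int = SLA_DAYS) -> Dict[str, object]:
    """Summarise critical-finding SLA compliance for a set of records."""
    critical = [f for f in findings if f.severity == "critical"]
    breaches: List[Tuple[str, str, int]] = [
        (f.asset, f.vuln_id, days_to_patch(f, today))
        for f in critical if sla_breached(f, today, sla_days)
    ]
    compliance = 1.0 if not critical else 1.0 - len(breaches) / len(critical)
    return {
        "critical": len(critical),
        "breaches": breaches,
        "compliance_pct": round(compliance * 100, 1),
    }


# Constructed sample data; the "as of" date fixes the result so it is repeatable.
AS_OF = date(2018, 5, 10)
SAMPLE_FINDINGS = [
    Finding("scada-hmi-01", "VULN-0001", "critical", date(2018, 4, 1), date(2018, 4, 10)),   # 9 days: within SLA
    Finding("historian-02", "VULN-0002", "critical", date(2018, 4, 1), date(2018, 4, 20)),   # 19 days: breach
    Finding("eng-ws-03",    "VULN-0003", "critical", date(2018, 4, 20), None),               # open 20 days: breach
    Finding("eng-ws-03",    "VULN-0004", "high",     date(2018, 3, 1), None),                # not critical: not judged
    Finding("fw-04",        "VULN-0005", "critical", date(2018, 5, 1), None),                # open 9 days: still in window
]

if __name__ == "__main__":
    report = sla_report(SAMPLE_FINDINGS, AS_OF)
    print(f"critical findings: {report['critical']}, "
          f"SLA compliance: {report['compliance_pct']}%")
    for asset, vuln_id, days in report["breaches"]:
        print(f"  BREACH {asset} {vuln_id}: {days} days since fix available")
```

Open findings are counted against the window as soon as it elapses rather than when they are eventually closed, so the report cannot be made to look better by simply never patching; that is the failure mode a "tick-box" self-assessment tends to hide.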

Operators of essential services need to invest in proactive cyber-security defences so that their services stay online and open for business during an attack, not just after one. Hopefully, the arrival of the NIS Regulations and the updated NCSC guidance will be the spur for that.

The NCSC guidance is heavily weighted towards procedural frameworks and reactive incident reporting rather than advising organisations on how to defend themselves proactively. As things stand, there is a genuine risk that the NIS Regulations will be treated as a mere 'tick-box' exercise in which the bare minimum is done, rather than fulfilling their promise of setting world-leading standards for the UK in this area.

For more information, please contact us.