70% of UK critical infrastructure organisations could be liable for fines under the NIS Directive

According to data revealed under the Freedom of Information Act, more than two thirds of UK critical infrastructure organisations have suffered from service outages on their IT networks in the past two years. If these failures are repeated then these organisations would potentially liable to receiving fines under the new NIS Regulations which come into force next week.

70% of UK critical infrastructure organisations could be liable for fines under the NIS Directive

If maximum fines were imposed, it could cost the UK economy more than £2.5 billion

 

London, UK – May 1, 2018 – More than two thirds of UK critical infrastructure organisations (70%) have suffered from service outages on their IT networks in the past two years, leaving them potentially vulnerable to receiving fines under the new NIS Regulations which come into force next week, according to data revealed under the Freedom of Information Act by Corero Network Security (LSE: CNS), a leading provider of real-time DDoS defence solutions.

After 9th May 2018, when the EU’s Network and Information Systems (NIS) Directive is implemented into UK law, such outages would have to be reported to regulators, who have the power to impose financial penalties of up to £17 million where infrastructure operators have failed to protect themselves against loss of service.  Had the service outages occurred after this date, and all the affected organisations were deemed to have failed to protect themselves, the total fines for all affected organisations would cost the UK economy more than £2.5 billion.

The Freedom of Information requests were sent by Corero, in January and February 2018, to 312 critical infrastructure organisations in the UK, including fire and rescue services, police forces, ambulance trusts, NHS trusts, energy suppliers, transport organisations and water authorities.  In total, 221 responses were received, with 155 admitting to having suffered a service outage on their networks in the past two years. In addition, over a third (35%) of the service outages reported in the study were believed to have been caused by a cyber attack.

Andrew Lloyd, President at Corero Network Security, comments: “Service outages and cyber attacks against national infrastructure have the potential to inflict significant, real-life disruption by preventing access to essential services such as power, transport and the emergency services. The fact that so many infrastructure organisations have suffered from service outages points to an alarming lack of resilience within organisations that are critical to the functioning of UK society.  

"Across all sectors, we are seeing a greater number of sophisticated and, when undefended, damaging cyber-attacks.  Government Ministers and Agencies have reported that these attacks are increasingly believed to be the work of foreign governments seeking to cause political upheaval. The head of the National Cyber Security Centre has already warned that it is a matter of when, not if, the UK experiences a devastating cyber attack on its critical infrastructure. The study poses serious questions about the UK’s current capability to withstand such an attack.”

Mitigating the cyber threat

The National Audit Office’s official investigation into last year’s WannaCry ransomware outbreak concluded that all the NHS organisations affected by the malware fell victim because they failed to apply patches to their systems that had been available for more than two months before the attack.

Yet in spite of this stark warning, 11% of the critical infrastructure organisations that responded to the Corero study admitted that they do not always ensure that patches for critical vulnerabilities are routinely patched within 14 days, as recommended within the Government’s ’10 Steps to Cyber Security’ guidance.

However, almost all the organisations that responded to the study (98%) are following government advice about network security, by adhering to the Network Security section of the ’10 Steps to Cyber Security’ programme, which was first published in 2012.   

Andrew Lloyd, President at Corero Network Security, continued: “The NIS Regulations offer a golden opportunity to make UK infrastructure more resilient against cyber-attacks; delivering on the UK Government’s strategy to make the UK the safest place in the world to live and work online. But more rigorous guidance is urgently needed so that our essential services can remain available during all but the most extreme cyber-attack.

"This data proves that blindly following outdated guidance is insufficient to repel today’s cyber-attacks. While further guidance is still expected from the National Cyber Security Centre, the current advice is heavily weighted on reactive attack reporting rather than advising organisations on how to proactively defend themselves. As things stand, there is genuine risk that the legislation may be viewed as a mere ‘tick-box’ exercise which requires the bare minimum to be done, rather than fulfilling its promise for the UK to set world-leading standards in this area.”

Additional information on how infrastructure operators can comprehensively protect against DDoS attacks and maintain service availability in the face of cyber attacks can be accessed here.

 

###

Notes to Editors

Corero sent Freedom of Information requests in January and February 2018 to 312 critical infrastructure organisations in the UK, including fire and rescue services, police forces, ambulance trusts, NHS trusts, energy organisations, water authorities and transport bodies. 221 responses were received across all groups while many others withheld information in the interests of national security.

When asked ‘Have you suffered from any service outages on your network in the last two years?’, 155 organisations (70%) responded ‘yes’.

When asked ‘Is it possible that any service outages you have suffered in the last two years was caused by a cyber attack’, 53 organisations (24%) responded ‘yes’ (representing 35% of all the service outages reported).

When asked ‘Do you ensure that security patches for critical vulnerabilities are routinely patched within 14 days’, 25 organisations (11%) responded ‘no’.  

When asked ‘Does your organisation adhere to the Network Security guidance outlined by the National Cyber Security Centre, within its 10 Steps to Cyber Security’, 217 organisations (98%) responded ‘yes’.

 

About Corero Network Security

Corero Network Security is the leader in real-time, high-performance DDoS defense solutions. Service providers, hosting providers and online enterprises rely on Corero’s award winning technology to eliminate the DDoS threat to their environment through automatic attack detection and mitigation, coupled with complete network visibility, analytics and reporting. This industry leading technology provides cost effective, scalable protection capabilities against DDoS attacks in the most complex environments while enabling a more cost effective economic model than previously available. For more information, visit www.corero.com.

 

Corero Media Contacts

Dulcie McLerie / Elizabeth Nikolova

Eskenzi PR (for Corero)

020 7183 2837 / 0203 696 5822

dulcie@eskenzipr.com / elizabeth@eskenzipr.com