UK cybersecurity standards not implemented by more than a third of critical national infrastructure operators, according to new data

Out-Law News | 30 Aug 2017 | 2:43 pm | 2 min. read

More than a third of organisations that operate critical national infrastructure in the UK (39%) have not implemented the UK government's '10 steps' guidance on managing cyber risks, according to a provider of cybersecurity services.

Corero Network Security said that fact "indicates a lack of cyber resilience within organisations which are critical to the functioning of UK society". It said its finding stems from disclosures made by 163 operators of critical infrastructure in the UK, including organisations in the health, energy and transport sectors.

The government's '10 steps' guidance was first introduced in 2012 and sets out 10 steps firms can take to reduce their vulnerability to cyber attacks. It has since been supplemented by other government-backed frameworks designed to bolster cybersecurity at UK organisations, including the cyber essentials scheme.

Corero Network Security said that operators of critical national infrastructure in the UK that have not implemented the 10 steps guidance could be at risk of being fined under new UK legislation the government is currently consulting on.

Earlier this month, the UK government set out its plans for implementing the EU's Network and Information Security (NIS) Directive into national law. UK operators of 'essential services' such as energy, health, transport or water could face fines of up to £17 million if they fail to adhere to cybersecurity standards mandated under the new laws.

Corero Network Security also raised concerns about the ability of operators of critical national infrastructure in the UK to identify and stop disruption to their networks caused by distributed denial of service (DDoS) attacks.

DDoS attacks typically involve attackers taking remote control of malware-infected computers and using them to bombard systems with such large amounts of traffic that the systems cease to function. It can involve, for example, hundreds of thousands or even millions of machines being used to request access to the same web page at the same time.

Corero Network Security said just 5% of operators of critical national infrastructure in the UK admitted to experiencing a DDoS attack on their networks in the year to March 2017. It said responses received to its FOI requests revealed that 51% of the operators are "potentially vulnerable" to short, low volume DDoS attacks.

"Due to their small size, these stealth DDoS attacks often go unnoticed by security staff, but they are frequently used by attackers in their efforts to target, map and infiltrate a network," Corero Network Security said.

According to the company, 90% of the DDoS attacks it foiled in the first quarter of this year lasted less than 30 minutes, and in 98% of the cases the volume of the attack was less than 10 Gbps.
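The figures above explain why short, low-volume attacks slip past monitoring that was tuned for large floods: a detector that averages traffic over a long window and compares it with an absolute multi-gigabit threshold never sees a two-minute, 2 Gbps burst. The following added example, which is not from the article or from Corero, runs two detectors over a constructed 10-minute capture of per-second traffic samples: a flood-style detector (five-minute mean against a 10 Gbps threshold) and a baseline-relative detector over ten-second windows that also watches for a sudden fan-in of distinct source addresses. The sample data, thresholds and function names are all constructed for illustration.

```python
"""Detecting a short, low-volume DDoS burst in per-second traffic samples.

Added example, not from the article or from Corero. The capture below is
constructed: ~200 Mbps of normal traffic from ~40 sources, interrupted by a
120-second, 2 Gbps burst from 3,000 sources starting at t=200.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List

GBPS = 1_000_000_000  # bits per second in one gigabit


@dataclass(frozen=True)
class Sample:
    """One per-second inbound traffic sample for a protected service (constructed)."""
    t: int          # seconds since the start of the capture
    bps: float      # inbound bits per second observed in that second
    sources: int    # distinct source addresses observed in that second


def build_samples() -> List[Sample]:
    """Constructed 10-minute capture with a 2 Gbps burst between t=200 and t=319."""
    samples = []
    for t in range(600):
        in_burst = 200 <= t < 320
        # Normal traffic sits near 200 Mbps with a little jitter; the burst is flat.
        bps = 2 * GBPS if in_burst else 0.2 * GBPS + (t % 7) * 1_000_000
        sources = 3000 if in_burst else 40 + (t % 5)
        samples.append(Sample(t, bps, sources))
    return samples


def volumetric_alerts(samples: List[Sample], window_s: int = 300,
                      threshold_bps: float = 10 * GBPS) -> List[int]:
    """Flood-oriented detector: alert when the mean inbound rate over a long
    window exceeds an absolute threshold. Returns the start times of alerting
    windows. A short burst is averaged away by the long window."""
    alerts = []
    last_t = samples[-1].t
    for start in range(0, last_t + 1, window_s):
        window = [s.bps for s in samples if start <= s.t < start + window_s]
        if window and sum(window) / len(window) > threshold_bps:
            alerts.append(start)
    return alerts


def baseline_bps(samples: List[Sample]) -> float:
    """Robust baseline: the median per-second rate, which a short burst barely moves."""
    return median(s.bps for s in samples)


def burst_alerts(samples: List[Sample], baseline: float, window_s: int = 10,
                 rate_factor: float = 5.0, min_sources: int = 500) -> List[int]:
    """Baseline-relative detector over short windows: alert when the windowed mean
    rate exceeds rate_factor x baseline, or when any second in the window sees more
    than min_sources distinct sources (a sudden fan-in is itself a signal)."""
    alerts = []
    last_t = samples[-1].t
    for start in range(0, last_t + 1, window_s):
        window = [s for s in samples if start <= s.t < start + window_s]
        if not window:
            continue
        mean_rate = sum(s.bps for s in window) / len(window)
        fan_in = max(s.sources for s in window)
        if mean_rate > rate_factor * baseline or fan_in > min_sources:
            alerts.append(start)
    return alerts


def compare_detectors() -> Dict[str, object]:
    """Run both detectors on the constructed capture and summarise what each saw."""
    samples = build_samples()
    burst = burst_alerts(samples, baseline_bps(samples))
    return {
        "volumetric_windows": volumetric_alerts(samples),   # expected: none
        "burst_windows": burst,                             # expected: 12 ten-second windows
        "burst_seconds": (burst[-1] + 10 - burst[0]) if burst else 0,
        "peak_gbps": max(s.bps for s in samples) / GBPS,
    }


if __name__ == "__main__":
    for key, value in compare_detectors().items():
        print(f"{key}: {value}")
```

Running the script shows the flood detector returning no alerting windows at all, while the short-window detector flags the twelve ten-second windows between t=200 and t=319, an attack of exactly the kind the article describes: two minutes long and well under 10 Gbps. The design choice worth noting is that the second detector compares against the service's own median rate rather than an absolute figure, so the same logic works for a small operator and a large one without retuning.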

Sean Newman, director of product management at Corero Network Security, said: "In the face of a DDoS attack, time is of the essence. Delays of minutes, tens of minutes, or more, before a DDoS attack is mitigated are not sufficient to ensure service availability, and could significantly impact the essential services provided by critical infrastructure organisations."

"By not detecting and investigating these short, surgical DDoS attacks on their networks, infrastructure organisations could also be leaving their doors wide open for malware or ransomware attacks, data theft or more serious cyber attacks," he said.