Government Implements Tough Rules To Protect Critical Infrastructure

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

New rules come into force and mean critical infrastructure providers must implement “robust safeguards” against cyber attack or face stiff fines

The British Government has warned that its “tough new rules to protect the UK’s critical infrastructure” came into force on Thursday 10 May.

The Government announcement essentially means that bosses of firms in health, water, energy, transport and digital infrastructure have to ensure they have “robust safeguards in place against cyber threats.”

And these firms now have to report breaches and network outages to regulators within 72 hours or they face fines of up to £17 million.

Tough rules

The new law, announced by Digital Minister Margot James, is intended to help reduce the number of damaging cyber attacks affecting the UK.

It comes amid growing recognition by authorities of the need to safeguard critical infrastructure, such as power stations, water treatment facilities and manufacturing, from cyber exploitation by hostile nations.

The government said that GCHQ’s National Cyber Security Centre has already responded to more than 950 significant incidents, including WannaCry.

The new rules will also give new regulators powers to assess critical industries and make sure plans are in place to prevent attacks. The regulator will apparently have the power to issue legally-binding instructions to improve security, and – if necessary – impose significant fines.

The legislation will also cover other threats affecting IT such as hardware failures and environmental hazards.

“It’s vital that we put in place tough new measures to strengthen the UK’s cyber security and make sure we are the safest place in the world to live and be online,” said Margot James, Minister for Digital and the Creative Industries.

“Organisations must act now to make sure that they are primed and ready to stop potential cyber attacks and be resilient against major disruption to the services we all rely on,” she added.

It is understood that fines would be a last resort and will not apply to operators which have assessed the risks adequately, taken appropriate security measures and engaged with regulators but still suffered an attack.

But incidents must be reported directly to the appropriate regulator.

“These new measures will help to strengthen the security of the UK’s infrastructure,” said Ciaran Martin, Chief Executive of the NCSC.

“By acting on the National Cyber Security Centre’s expert technical advice and reporting incidents, organisations can protect themselves against those who would do us harm,” he said. “The UK government is committed to making the UK the safest place to live and do business online, but we can’t do this alone. Every citizen, business and organisation must play their part.”

Tough ask

But at least one expert believes that it is going to be a tough ask to strengthen the cybersecurity of the country’s critical infrastructure.

Skybox Security, a cybersecurity management specialist, has said in a new report that in 2017 there was a 120 percent increase in new vulnerabilities specific to operational technology (OT) compared to the previous year.

It said that this spike is particularly concerning as many organisations have poor or non-existent visibility of the OT network, especially when it comes to vulnerabilities, since active scanning is generally prohibited there.

“OT is too often in the dark, and that means security management isn’t getting the full picture of cyber risk in their organisation,” said the report’s author Marina Kidron, senior security analyst and group leader of the Skybox Research Lab, Skybox Security.

“Even when patchable vulnerabilities are identified, OT engineers are understandably hesitant to install the update, as it could disrupt services, cause equipment damage or even risk life and limb,” said Kidron.

“Organisations with OT networks need to have strategies in place not just for OT vulnerability assessment and patching prioritisation, but also to unify such processes with those in the IT network to truly understand and manage risk,” said Skybox’s Kidron.

Government pressure

For the government, the decision to enforce these tough new rules has been a long time coming.

Earlier this year the British Government urged critical industries to do more to protect themselves from the growing threat of cyber attacks.

It appointed sector-specific regulators to ensure that essential services are protected, and warned organisations that they risk fines of up to £17 million if they do not have effective cyber security measures in place.

Last year the US government warned of ongoing cyber attacks against critical industries such as energy, nuclear and manufacturing, some of which had been successful.
