Is The British Government Doing Enough To Combat Cyberattacks Against Critical Infrastructure?

Uploaded on 2024-10-25 in GOVERNMENT-National, FREE TO VIEW

The threat level against critical infrastructure remains high, driven by the expansion of digital systems and geopolitical tensions, such as the conflict between Russia and Ukraine.

For threat actors, critical infrastructure is a logical and attractive target. Firstly, these services are vital to society, and disruptions can have severe consequences. Attacks on power grids or healthcare systems, for example, can lead to widespread chaos and potentially even the loss of life.

Additionally, such entities aren’t always well protected. In the UK, publicly funded critical infrastructure can operate on tight budgets, resulting in limited investment in security and IT modernisation. For this reason, threat actors are regularly able to use relatively well-trodden attack paths to continually and successfully inflict damages against critical services.

It is owing to this troubling combination of factors that we have seen a growing wave of attacks. In early September, for example, TfL faced an incident that disabled its online and digital services for over a week, while Tewkesbury Borough Council was also forced to shut down its systems for an extended period due to a cyberattack.

These recent examples are part of a broader pattern affecting various sectors, from the Colonial Pipeline incident in the US that disrupted critical fuel distribution, to an attack that impacted 17 ports and oil terminals in Western Europe. Looking through a local lens again, the British Library and the NHS have also experienced significant disruptions from cyberattacks in recent times.

To address these threats more effectively, a proactive approach is crucial. And here, the role of the UK Government is worth looking at.

Critically, the government’s primary role should not be to respond to every attack, but to create robust policy guidelines and support organisations with their own preparedness. While several useful guidelines and resources already exist, many of these largely serve as introductory tools. The next step is for the government to offer more targeted support and guidance to help organisations advance their cybersecurity measures.

It is, therefore, promising to hear discussions about a new Cybersecurity and Resilience Bill, signalling the government’s commitment to continually improve digital protection measures across the country. However, the effectiveness of this initiative remains uncertain. It may simply reflect a push to adopt successful European models like NIS2 and DORA on a national scale, and that would be no bad thing. However, in the context of critical infrastructure in the UK, it is also important to focus on those areas that should be addressed with urgency.  

While the government has largely been affective at educating individuals in the basics of avoiding phishing scams and general fraud awareness, the existing guidance becomes insufficient when addressing organisational needs. Within the context of the growing threat against critical infrastructure, there is a clear need for improved and more comprehensive support for organisations.

This could become especially crucial in the context of the impending Autumn Budget. If funding is to be scrutinised, cut or reduced, many critical services will need to look at optimising their use of taxpayer money, working to sustain effective security levels as finances become constrained.

To meet these challenges, entities will likely need to modernise their ageing IT infrastructure, conduct thorough reviews of their cybersecurity spending, and critically evaluate their investments for effectiveness. It will be a complex process - one that organisations will again require guidance to navigate effectively.

In light of these challenges, it would be beneficial to consider the following actions as a means of more effectively managing and mitigating the growing tide of attacks on critical infrastructure:

1. Provide clear guidance on cybersecurity fundamentals: The government should develop and deliver clear, actionable guidance for organisations focused on essential practices such as asset identification, vulnerability assessment, risk management, and regular updates. Organisations need straightforward, practical advice on how to implement these fundamentals effectively.

2. Centralise cybersecurity management: Currently, cybersecurity responsibilities are dispersed across various government departments, including the NCSC, DCMS, Services, Cabinet Office, ICO, and NCA. Centralising these responsibilities into a single function could help to reduce confusion, enhance clarity and improve accountability by consolidating policy and guidance under a single authority.

Critically, as digital systems continue to expand and global tensions intensify, it’s clear that the focus must shift from reactive measures to forward-looking policies and targeted support for the essential organisations that keep the country running.

More practical, clearer cybersecurity guidance provided by a centralised body can only help to strengthen resilience. And with economic pressures mounting, the need to modernise outdated IT systems and make smarter security investments will only become even more crucial moving forward.
 
Dan Lattimer is Area Vice President, UK & Ireland at Semperis

Image:  XtockImages

You Might Also Read: 

The UK Needs To Reevaluate Its Cybersecurity Strategy:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Building Secure Workflows: Using LCNC Platforms For Automating Cybersecurity Tasks
BRICS Summit: Russia's Foreign Ministry Attacked »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Bulletproof Cyber

Bulletproof Cyber

Bulletproof offer a range of security services, from penetration testing and vulnerability assessments to 24/7 security monitoring, and consultancy.

CERT-UG/CC

CERT-UG/CC

CERT-UG/CC is the national Computer Emergency Response Team for Uganda, operating under the National Information Technology Authority (NITA-U)

Consult Hyperion

Consult Hyperion

Consult Hyperion is an independent strategic and technical consultancy specialising in digital identity and secure electronic transactions.

High Sec Labs (HSL)

High Sec Labs (HSL)

High Sec Labs develops high-quality, cyber-defense solutions in the field of network and peripheral isolation.

ISARA Corp

ISARA Corp

ISARA Corporation is a security solutions company specializing in creating class-defining quantum-safe cryptography for today's computing ecosystems.

TUV Rheinland Group

TUV Rheinland Group

TUV Rheinland Group is a testing services company with nearly 145 years of technological experience. We help you to protect your systems comprehensively, proactively and permanently.

Cyber Security Jobs

Cyber Security Jobs

Cyber Security Jobs was formed to help job seekers find jobs and recruiters fill cyber security job vacancies.

ThreatSwitch

ThreatSwitch

ThreatSwitch a software platform for cleared federal contractors to get and stay compliant with NISPOM and Conforming Change 2.

Highland Capital Partners

Highland Capital Partners

Highland Capital Partners is an early stage venture capital firm focused on category-defining businesses in consumer and enterprise technology, including cybersecurity.

Strike Graph

Strike Graph

The Strike Graph GRC platform enables Security Audits & Certifications.

Speedinvest

Speedinvest

Speedinvest is one of Europe’s most active early-stage investors with a focus on Deep Tech, Fintech, Industrial Tech, Network Effects, and Digital Health.

Technisanct

Technisanct

Technisanct works with Governments, especially Law Enforcement and Defence agencies, helping them in monitoring threats, managing their data and resolving their forensic needs.

Data Protection Commission (DPC)

Data Protection Commission (DPC)

The Data Protection Commission (DPC) is the national independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected.

SoftwareONE

SoftwareONE

SoftwareONE is a leading global provider of end-to-end software and cloud technology solutions.

Omdia

Omdia

Omdia is a technology research and advisory group. Our deep knowledge of tech markets combined with our actionable insights empower organizations to make smart growth decisions.

Netia

Netia

Netia is a Polish telecommunications company providing a range of business services including network solutions, communications, data centre and cloud, and cybersecurity.