Securing Critical Infrastructure

The impact of digital transformation continues to have a significant influence on the UK’s critical national infrastructure (CNI). Sectors such as water treatment, energy, and food production all continue to depend on operational technology (OT) systems established long before the advent of digital technologies.

By digitising these systems and integrating them with standard IT networks, operators have enhanced efficiency and introduced practices like remote working and data collection, which were previously unfeasible in an analogue setting.

However, these innovations have also heightened the exposure of critical infrastructure to cyber risks. For instance, Microsoft reported that 41% of all threat alerts issued last year targeted CNI operators.

The EU is introducing the NIS2 directive to mitigate these risks, setting stringent security guidelines for CNI providers and other essential entities. Despite its impending enforcement in October this year, this directive will not be legally binding for UK-based operators. This exclusion leaves the UK open to independently addressing what the NCSC describes as an "enduring and significant threat" to critical infrastructure independently.

The Significance Of The NIS2 Directive

The NIS2 directive aims to elevate security standards in crucial sectors and will impact global companies whose operations and supply chains crossover with the EU market. As a result, NIS2 will have a similar impact to GDPR and impact large organisations that favour uniformity in their processes due to the cost-effective nature of aligning operations and security policies. 

NIS2 promises stricter enforcement than its predecessor, the original NIS . The earlier directive suffered from ineffective compliance enforcement, with minimal penalties issued by regulators like Ofgem. NIS2, in contrast, empowers regional regulatory bodies to pursue non-compliance more aggressively.

While the UK does not currently fall under the NIS2 regulation directly, it is under consultation to draft a comparable directive. The Department for Digital, Culture, Media & Sport has proposed significant amendments focusing on the expansion and regulation of digital service providers, particularly those offering managed services. The proposal aims to broaden the regulatory scope to include managed services such as security monitoring and network management, which are crucial to the UK's economic support system and are high-value targets for cyber threats.

The proposal also addresses the need for future-proofing the UK’s cybersecurity regulations. It suggests granting ministers the power to update the NIS Regulations through secondary legislation, ensuring the framework can adapt swiftly to new technologies and emerging threats without undergoing the slow process of primary legislation.

This process, however, lacks a defined timeline. An ideal approach would be to emulate and enhance the existing directive, promoting accountability at higher management levels, a practice more commonly observed in the US. For example, the SEC recently mandated that companies disclose their boards' cyber risk oversight roles during incident reporting. This accountability is crucial for combating the complacency often found in executive circles.

Addressing Supply Chain Vulnerabilities

NIS2 places considerable emphasis on managing supply chain risks, a prevalent issue for CNI providers with extensive networks of suppliers. The responsibility lies with enterprises to assess and mitigate the risks posed by their suppliers, fostering a standard of security that hopefully permeates through the supply chain to include even second and third-tier suppliers. 

Meeting these stringent demands can prove challenging for smaller suppliers, especially those using OT technology.

Smaller suppliers can sometimes lack the robust IT departments or cybersecurity expertise that larger companies might take for granted. They also can have limited financial, technical, and human resources. This disparity can make it more challenging to implement complex security measures or stay updated with the latest cybersecurity practices and technologies.

Cyber Essentials provides a straightforward and achievable baseline for cybersecurity, which is particularly beneficial for smaller suppliers. This framework outlines clear and manageable steps that organisations can follow to protect against a wide array of the most common cyberattacks, such as phishing and brute-force attacks.

However, the absence of a tailored lightweight option for OT technologies remains a gap. Equally, organisations should seek to understand and manage the security of their own supply chains, to ensure operational resilience. 

Proactive Measures For UK Operators

UK firms should proactively seek guidelines to bolster their security despite the lack of current legal mandates. The NCSC provides robust advice, exemplified by its Cyber Assessment Framework, first introduced in 2018 and updated as recently as April 2024. This framework illustrates the requirements while being adaptable across various industries.

A common mistake among organisations is overly focusing on implementing security solutions without balancing people, processes, and technology. Most security frameworks guide back to this triad, emphasising the importance of an integrated approach.

Buying more tools often seems like the solution to security issues, but the challenge lies in integrating these tools into useful systems. This problem is particularly acute in OT security, where IT and OT tools rarely integrate seamlessly, requiring specialised intervention.

Moreover, a robust security culture is vital. Internal security teams face uphill battles without buy-in from leadership and the broader workforce.

Traditional IT security programs often order the famous CIA triad (Confidentiality, Integrity and Availability) with a focus on sensitive data Confidentiality above Integrity and Availability. However, in OT areas, this order is often flipped, with a core operational focus on system Availability over Integrity and Confidentiality. These different viewpoints often need to be managed for effective collaborative cyber security programmes.

While awaiting the UK government's direction regarding the NIS2 directive, CNI operators should not delay enhancing their security measures. Aligning with NIS2 now provides a competitive advantage over firms that react only when mandated. Improving security resilience is imperative, particularly when safeguarding critical infrastructure.

In summary, while the UK deliberates on its regulatory approach to align with or surpass the NIS2 directive, proactive engagement with existing guidelines and frameworks remains crucial for enhancing the security resilience of critical infrastructure operators.

Gareth Pritchard is CTO at Sapphire

Image: gorodenkoff

You Might Also Read:

Protecting OT With MDR:

DIRECTORY OF SUPPLIERS - Critical Infrastructure Security:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

 

« Notorious Cyber Criminal Sentenced
Combatting Foreign Interference »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CSR Privacy Solutions

CSR Privacy Solutions

CSR Privacy Solutions is a leading provider of privacy regulatory compliance programs for small and medium sized businesses.

SharkGate

SharkGate

SharGate provide a cloud-based website security solution to protect websites from being hacked.

Quadron  Cybersecurity Services

Quadron Cybersecurity Services

Quadron Cybersecurity Services is a specialist in digital security, data and system protection.

Odyssey

Odyssey

Odyssey is an ISO 27001 certified, Cyber -Security, Infrastructure and Risk Management Solutions integrator and a Managed Security Services Provider.

FRSecure

FRSecure

FRSecure is a full-service information security management company that protects sensitive, confidential business information from unauthorized access, disclosure, distribution and destruction.

KeyXentic

KeyXentic

KeyXentic Inc. is a professional mobile and data security service provider. We are devoted to design convenient and strong security for user’s data protection and privacy without any compromise.

UK Research & Innovation (UKRI)

UK Research & Innovation (UKRI)

UKRI works in partnership with universities, research organisations, businesses, charities, and government to create the best possible environment for research and innovation to flourish.

Sectra Communications

Sectra Communications

Sectra successfully develops and sells cutting-edge solutions in the expanding niche segments of medical IT and cybersecurity.

DataFleets

DataFleets

DataFleets is a privacy-preserving data engine that unifies distributed data for rapid access, agile analytics, and automated compliance.

Camel Secure

Camel Secure

Camel Secure is a company specialized in the development of products for information security and technology risk management.

AnaVation

AnaVation

AnaVation is a trusted partner delivering high-value, cost-effective solutions that solve the most complex technical and analytical problems for our customers.

FoxTech

FoxTech

FoxTech is an independent, friendly and deeply specialised cyber security company in the UK, with expertise spanning decades of Public Sector and Government services.

Easy Dynamics

Easy Dynamics

Easy Dynamics is a leading technology services provider with a core focus in Cybersecurity, Cloud Computing, and Information Sharing.

Private Client Cyber Security (PCCS)

Private Client Cyber Security (PCCS)

PCCS provides enterprise-grade cybersecurity consulting and services to professional practices, executives, athletes, and high net worth families.

Cybernatics

Cybernatics

Cybernatics is inspired by bringing together best-in-class innovations around Cybersecurity and Analytics. We offer tailored enterprise solutions to safeguard your organisations best interests.

CliffGuard Cybersecurity

CliffGuard Cybersecurity

CliffGuard Cybersecurity deliver comprehensive services designed to protect your organization from the ever-evolving landscape of cyber threats.