Securing Critical Infrastructure

The impact of digital transformation continues to have a significant influence on the UK’s critical national infrastructure (CNI). Sectors such as water treatment, energy, and food production all continue to depend on operational technology (OT) systems established long before the advent of digital technologies.

By digitising these systems and integrating them with standard IT networks, operators have enhanced efficiency and introduced practices like remote working and data collection, which were previously unfeasible in an analogue setting.

However, these innovations have also heightened the exposure of critical infrastructure to cyber risks. For instance, Microsoft reported that 41% of all threat alerts issued last year targeted CNI operators.

The EU is introducing the NIS2 directive to mitigate these risks, setting stringent security guidelines for CNI providers and other essential entities. Despite its impending enforcement in October this year, this directive will not be legally binding for UK-based operators. This exclusion leaves the UK to address independently what the NCSC describes as an "enduring and significant threat" to critical infrastructure.

The Significance Of The NIS2 Directive

The NIS2 directive aims to elevate security standards in crucial sectors and will affect global companies whose operations and supply chains cross over into the EU market. As a result, NIS2 will have an impact similar to that of GDPR, reaching large organisations that favour uniformity in their processes because aligning operations and security policies across jurisdictions is cost-effective.

NIS2 promises stricter enforcement than its predecessor, the original NIS directive. The earlier directive suffered from ineffective compliance enforcement, with minimal penalties issued by regulators like Ofgem. NIS2, in contrast, empowers regional regulatory bodies to pursue non-compliance more aggressively.

While the UK does not currently fall under the NIS2 regulation directly, it is under consultation to draft a comparable directive. The Department for Digital, Culture, Media & Sport has proposed significant amendments focusing on the expansion and regulation of digital service providers, particularly those offering managed services. The proposal aims to broaden the regulatory scope to include managed services such as security monitoring and network management, which are crucial to the UK's economic support system and are high-value targets for cyber threats.

The proposal also addresses the need for future-proofing the UK’s cybersecurity regulations. It suggests granting ministers the power to update the NIS Regulations through secondary legislation, ensuring the framework can adapt swiftly to new technologies and emerging threats without undergoing the slow process of primary legislation.

This process, however, lacks a defined timeline. An ideal approach would be to emulate and enhance the existing directive, promoting accountability at higher management levels, a practice more commonly observed in the US. For example, the SEC recently mandated that companies disclose their boards' cyber risk oversight roles during incident reporting. This accountability is crucial for combating the complacency often found in executive circles.

Addressing Supply Chain Vulnerabilities

NIS2 places considerable emphasis on managing supply chain risks, a prevalent issue for CNI providers with extensive networks of suppliers. The responsibility lies with enterprises to assess and mitigate the risks posed by their suppliers, fostering a standard of security that ideally permeates through the supply chain to include even second- and third-tier suppliers.

Meeting these stringent demands can prove challenging for smaller suppliers, especially those operating OT systems.

Smaller suppliers can sometimes lack the robust IT departments or cybersecurity expertise that larger companies might take for granted. They can also have limited financial, technical, and human resources. This disparity makes it more challenging to implement complex security measures or stay up to date with the latest cybersecurity practices and technologies.

Cyber Essentials provides a straightforward and achievable baseline for cybersecurity, which is particularly beneficial for smaller suppliers. This framework outlines clear and manageable steps that organisations can follow to protect against a wide array of the most common cyberattacks, such as phishing and brute-force attacks.

However, the absence of a tailored lightweight option for OT environments remains a gap. Equally, organisations should seek to understand and manage the security of their own supply chains to ensure operational resilience.

Proactive Measures For UK Operators

UK firms should proactively seek guidelines to bolster their security despite the lack of current legal mandates. The NCSC provides robust advice, exemplified by its Cyber Assessment Framework, first introduced in 2018 and updated as recently as April 2024. This framework illustrates the requirements while being adaptable across various industries.

A common mistake among organisations is focusing too heavily on deploying security solutions without balancing people, processes, and technology. Most security frameworks lead back to this triad, emphasising the importance of an integrated approach.

Buying more tools often seems like the solution to security issues, but the challenge lies in integrating these tools into useful systems. This problem is particularly acute in OT security, where IT and OT tools rarely integrate seamlessly, requiring specialised intervention.

Moreover, a robust security culture is vital. Internal security teams face uphill battles without buy-in from leadership and the broader workforce.

Traditional IT security programmes typically prioritise the well-known CIA triad (Confidentiality, Integrity and Availability) in that order, placing the confidentiality of sensitive data above integrity and availability. In OT environments, however, this order is often reversed, with the core operational focus on system availability ahead of integrity and confidentiality. These differing viewpoints need to be reconciled for collaborative cyber security programmes to be effective.

While awaiting the UK government's direction regarding the NIS2 directive, CNI operators should not delay enhancing their security measures. Aligning with NIS2 now provides a competitive advantage over firms that react only when mandated. Improving security resilience is imperative, particularly when safeguarding critical infrastructure.

In summary, while the UK deliberates on its regulatory approach to align with or surpass the NIS2 directive, proactive engagement with existing guidelines and frameworks remains crucial for enhancing the security resilience of critical infrastructure operators.

Gareth Pritchard is CTO at Sapphire

Image: gorodenkoff
