Securing Critical Infrastructure

The impact of digital transformation continues to have a significant influence on the UK’s critical national infrastructure (CNI). Sectors such as water treatment, energy, and food production all continue to depend on operational technology (OT) systems established long before the advent of digital technologies.

By digitising these systems and integrating them with standard IT networks, operators have enhanced efficiency and introduced practices like remote working and data collection, which were previously unfeasible in an analogue setting.

However, these innovations have also heightened the exposure of critical infrastructure to cyber risks. For instance, Microsoft reported that 41% of all threat alerts issued last year targeted CNI operators.

The EU is introducing the NIS2 directive to mitigate these risks, setting stringent security guidelines for CNI providers and other essential entities. Despite its impending enforcement in October this year, this directive will not be legally binding for UK-based operators. This exclusion leaves the UK open to independently addressing what the NCSC describes as an "enduring and significant threat" to critical infrastructure independently.

The Significance Of The NIS2 Directive

The NIS2 directive aims to elevate security standards in crucial sectors and will impact global companies whose operations and supply chains crossover with the EU market. As a result, NIS2 will have a similar impact to GDPR and impact large organisations that favour uniformity in their processes due to the cost-effective nature of aligning operations and security policies. 

NIS2 promises stricter enforcement than its predecessor, the original NIS . The earlier directive suffered from ineffective compliance enforcement, with minimal penalties issued by regulators like Ofgem. NIS2, in contrast, empowers regional regulatory bodies to pursue non-compliance more aggressively.

While the UK does not currently fall under the NIS2 regulation directly, it is under consultation to draft a comparable directive. The Department for Digital, Culture, Media & Sport has proposed significant amendments focusing on the expansion and regulation of digital service providers, particularly those offering managed services. The proposal aims to broaden the regulatory scope to include managed services such as security monitoring and network management, which are crucial to the UK's economic support system and are high-value targets for cyber threats.

The proposal also addresses the need for future-proofing the UK’s cybersecurity regulations. It suggests granting ministers the power to update the NIS Regulations through secondary legislation, ensuring the framework can adapt swiftly to new technologies and emerging threats without undergoing the slow process of primary legislation.

This process, however, lacks a defined timeline. An ideal approach would be to emulate and enhance the existing directive, promoting accountability at higher management levels, a practice more commonly observed in the US. For example, the SEC recently mandated that companies disclose their boards' cyber risk oversight roles during incident reporting. This accountability is crucial for combating the complacency often found in executive circles.

Addressing Supply Chain Vulnerabilities

NIS2 places considerable emphasis on managing supply chain risks, a prevalent issue for CNI providers with extensive networks of suppliers. The responsibility lies with enterprises to assess and mitigate the risks posed by their suppliers, fostering a standard of security that hopefully permeates through the supply chain to include even second and third-tier suppliers. 

Meeting these stringent demands can prove challenging for smaller suppliers, especially those using OT technology.

Smaller suppliers can sometimes lack the robust IT departments or cybersecurity expertise that larger companies might take for granted. They also can have limited financial, technical, and human resources. This disparity can make it more challenging to implement complex security measures or stay updated with the latest cybersecurity practices and technologies.

Cyber Essentials provides a straightforward and achievable baseline for cybersecurity, which is particularly beneficial for smaller suppliers. This framework outlines clear and manageable steps that organisations can follow to protect against a wide array of the most common cyberattacks, such as phishing and brute-force attacks.

However, the absence of a tailored lightweight option for OT technologies remains a gap. Equally, organisations should seek to understand and manage the security of their own supply chains, to ensure operational resilience. 

Proactive Measures For UK Operators

UK firms should proactively seek guidelines to bolster their security despite the lack of current legal mandates. The NCSC provides robust advice, exemplified by its Cyber Assessment Framework, first introduced in 2018 and updated as recently as April 2024. This framework illustrates the requirements while being adaptable across various industries.

A common mistake among organisations is overly focusing on implementing security solutions without balancing people, processes, and technology. Most security frameworks guide back to this triad, emphasising the importance of an integrated approach.

Buying more tools often seems like the solution to security issues, but the challenge lies in integrating these tools into useful systems. This problem is particularly acute in OT security, where IT and OT tools rarely integrate seamlessly, requiring specialised intervention.

Moreover, a robust security culture is vital. Internal security teams face uphill battles without buy-in from leadership and the broader workforce.

Traditional IT security programs often order the famous CIA triad (Confidentiality, Integrity and Availability) with a focus on sensitive data Confidentiality above Integrity and Availability. However, in OT areas, this order is often flipped, with a core operational focus on system Availability over Integrity and Confidentiality. These different viewpoints often need to be managed for effective collaborative cyber security programmes.

While awaiting the UK government's direction regarding the NIS2 directive, CNI operators should not delay enhancing their security measures. Aligning with NIS2 now provides a competitive advantage over firms that react only when mandated. Improving security resilience is imperative, particularly when safeguarding critical infrastructure.

In summary, while the UK deliberates on its regulatory approach to align with or surpass the NIS2 directive, proactive engagement with existing guidelines and frameworks remains crucial for enhancing the security resilience of critical infrastructure operators.

Gareth Pritchard is CTO at Sapphire

Image: gorodenkoff

You Might Also Read:

Protecting OT With MDR:

DIRECTORY OF SUPPLIERS - Critical Infrastructure Security:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

 

« Notorious Cyber Criminal Sentenced
Combatting Foreign Interference »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Evidian

Evidian

Evidian, a Bull Group company, is the European leader and one of the major worldwide vendors of identity and access management software.

IPVanish

IPVanish

IPVanish has its roots in over 15 years of network management, IP services, and content delivery services. Now we're bringing these finely honed skills to VPN.

XBOSoft

XBOSoft

XBOSoft is a software QA and testing company. We cover the entire QA and testing life cycle including software and application security.

Riverside Research

Riverside Research

Riverside Research is a not-for-profit organization chartered to advance scientific research in areas including Trusted & Resilient Systems.

Vintegris

Vintegris

Vintegris are a Certification Authority and manufacturer of innovative systems and applications for the full cycle of digital identity.

Fingerprint Cards

Fingerprint Cards

Fingerprint Cards develops and produces biometric components and technologies that verify a person’s identity through the analysis and matching of an individual’s unique fingerprint.

ITU Arab Regional Cyber Security Center (ITU-ARCC)

ITU Arab Regional Cyber Security Center (ITU-ARCC)

ITU-ARCC acts as ITU’s cybersecurity hub in the Arab Region localizing and coordinating cybersecurity initiatives.

Infodas

Infodas

Infodas provides Cybersecurity and IT consulting / system integration services as well as a range of innovative Cybersecurity products to public sector and commercial clients.

Charterhouse Müller UK

Charterhouse Müller UK

Charterhouse Müller UK are a leading service provider for end of life IT services including data erasure and secure IT asset disposal.

CYRail

CYRail

CYRail project will analyse threats targeting Railway infrastructures and develop innovative attack detection and alerting techniques.

QGroup

QGroup

QGroup has been re-designing the consultancy industry since 2012. We're a rapidly expanding group of consulting companies that deliver bespoke IT services including cybersecurity.

ConnectSecure

ConnectSecure

ConnectSecure (formerly CyberCNS) is a global cybersecurity company that delivers tools to identify and address vulnerabilities and manage compliance requirements.

CyberCatch

CyberCatch

CyberCatch provides an innovative cybersecurity Software-as-a-Service (SaaS) platform designed for SMBs.

Sure Valley Ventures

Sure Valley Ventures

Sure Valley Ventures is an entrepreneur led venture capital fund focused on helping software entrepreneurs grow and scale businesses that will have a global impact.

Sekoia.io

Sekoia.io

Sekoia.io is a European cybersecurity company whose mission is to develop the best protection capabilities against cyber-attacks.

Bitdefender Voyager Ventures (BVV)

Bitdefender Voyager Ventures (BVV)

Bitdefender Voyager Ventures is an early-stage investment vehicle focused on cybersecurity, data analytics and automation startups.