Securing Critical Infrastructure

The impact of digital transformation continues to have a significant influence on the UK’s critical national infrastructure (CNI). Sectors such as water treatment, energy, and food production all continue to depend on operational technology (OT) systems established long before the advent of digital technologies.

By digitising these systems and integrating them with standard IT networks, operators have enhanced efficiency and introduced practices like remote working and data collection, which were previously unfeasible in an analogue setting.

However, these innovations have also heightened the exposure of critical infrastructure to cyber risks. For instance, Microsoft reported that 41% of all threat alerts issued last year targeted CNI operators.

The EU is introducing the NIS2 directive to mitigate these risks, setting stringent security guidelines for CNI providers and other essential entities. Despite its impending enforcement in October this year, this directive will not be legally binding for UK-based operators. This exclusion leaves the UK open to independently addressing what the NCSC describes as an "enduring and significant threat" to critical infrastructure independently.

The Significance Of The NIS2 Directive

The NIS2 directive aims to elevate security standards in crucial sectors and will impact global companies whose operations and supply chains crossover with the EU market. As a result, NIS2 will have a similar impact to GDPR and impact large organisations that favour uniformity in their processes due to the cost-effective nature of aligning operations and security policies. 

NIS2 promises stricter enforcement than its predecessor, the original NIS . The earlier directive suffered from ineffective compliance enforcement, with minimal penalties issued by regulators like Ofgem. NIS2, in contrast, empowers regional regulatory bodies to pursue non-compliance more aggressively.

While the UK does not currently fall under the NIS2 regulation directly, it is under consultation to draft a comparable directive. The Department for Digital, Culture, Media & Sport has proposed significant amendments focusing on the expansion and regulation of digital service providers, particularly those offering managed services. The proposal aims to broaden the regulatory scope to include managed services such as security monitoring and network management, which are crucial to the UK's economic support system and are high-value targets for cyber threats.

The proposal also addresses the need for future-proofing the UK’s cybersecurity regulations. It suggests granting ministers the power to update the NIS Regulations through secondary legislation, ensuring the framework can adapt swiftly to new technologies and emerging threats without undergoing the slow process of primary legislation.

This process, however, lacks a defined timeline. An ideal approach would be to emulate and enhance the existing directive, promoting accountability at higher management levels, a practice more commonly observed in the US. For example, the SEC recently mandated that companies disclose their boards' cyber risk oversight roles during incident reporting. This accountability is crucial for combating the complacency often found in executive circles.

Addressing Supply Chain Vulnerabilities

NIS2 places considerable emphasis on managing supply chain risks, a prevalent issue for CNI providers with extensive networks of suppliers. The responsibility lies with enterprises to assess and mitigate the risks posed by their suppliers, fostering a standard of security that hopefully permeates through the supply chain to include even second and third-tier suppliers. 

Meeting these stringent demands can prove challenging for smaller suppliers, especially those using OT technology.

Smaller suppliers can sometimes lack the robust IT departments or cybersecurity expertise that larger companies might take for granted. They also can have limited financial, technical, and human resources. This disparity can make it more challenging to implement complex security measures or stay updated with the latest cybersecurity practices and technologies.

Cyber Essentials provides a straightforward and achievable baseline for cybersecurity, which is particularly beneficial for smaller suppliers. This framework outlines clear and manageable steps that organisations can follow to protect against a wide array of the most common cyberattacks, such as phishing and brute-force attacks.

However, the absence of a tailored lightweight option for OT technologies remains a gap. Equally, organisations should seek to understand and manage the security of their own supply chains, to ensure operational resilience. 

Proactive Measures For UK Operators

UK firms should proactively seek guidelines to bolster their security despite the lack of current legal mandates. The NCSC provides robust advice, exemplified by its Cyber Assessment Framework, first introduced in 2018 and updated as recently as April 2024. This framework illustrates the requirements while being adaptable across various industries.

A common mistake among organisations is overly focusing on implementing security solutions without balancing people, processes, and technology. Most security frameworks guide back to this triad, emphasising the importance of an integrated approach.

Buying more tools often seems like the solution to security issues, but the challenge lies in integrating these tools into useful systems. This problem is particularly acute in OT security, where IT and OT tools rarely integrate seamlessly, requiring specialised intervention.

Moreover, a robust security culture is vital. Internal security teams face uphill battles without buy-in from leadership and the broader workforce.

Traditional IT security programs often order the famous CIA triad (Confidentiality, Integrity and Availability) with a focus on sensitive data Confidentiality above Integrity and Availability. However, in OT areas, this order is often flipped, with a core operational focus on system Availability over Integrity and Confidentiality. These different viewpoints often need to be managed for effective collaborative cyber security programmes.

While awaiting the UK government's direction regarding the NIS2 directive, CNI operators should not delay enhancing their security measures. Aligning with NIS2 now provides a competitive advantage over firms that react only when mandated. Improving security resilience is imperative, particularly when safeguarding critical infrastructure.

In summary, while the UK deliberates on its regulatory approach to align with or surpass the NIS2 directive, proactive engagement with existing guidelines and frameworks remains crucial for enhancing the security resilience of critical infrastructure operators.

Gareth Pritchard is CTO at Sapphire

Image: gorodenkoff

You Might Also Read:

Protecting OT With MDR:

DIRECTORY OF SUPPLIERS - Critical Infrastructure Security:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

 

« Notorious Cyber Criminal Sentenced
Combatting Foreign Interference »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Beta Systems Software

Beta Systems Software

Beta Systems automate IT-based business processes, control access rights, monitor processes, secure the network and optimize the infrastructure management of corporate IT.

Cyacomb

Cyacomb

Cyacomb (formerly Cyan Forensics) provides digital forensics software to help police forces find evidence on computers many times faster than before.

Circadence

Circadence

Circadence offer the only fully immersive, AI-powered, patent-pending, proprietary cybersecurity training platform in the market today.

Infosistem

Infosistem

Infosistem is a Croatian ICT company with extensive expertise and experience in enterprise and SMB ICT projects and solutions.

ShieldIOT

ShieldIOT

ShieldIOT delivers a complete AI-powered security solution across any IoT device, application and network.

Evanston Technology Partners (ETP)

Evanston Technology Partners (ETP)

ETP provides services and solutions to enable and transform businesses in the areas of cybersecurity, data protection, and efficient operations practices.

Y-PARC

Y-PARC

Y-PARC is a center of excellence for cybersecurity, precision industries and medtech, fostering innovation and development and support for startups.

Verificient Technologies

Verificient Technologies

Verificient Technologies specializes in biometrics, computer vision, and machine learning to deliver world-class solutions in continuous identity verification and remote monitoring.

Abu Dhabi Gov Digital

Abu Dhabi Gov Digital

Gov Digital (formerly Abu Dhabi Digital Authority - ADDA) enable, support and deliver a digital government that is proactive, personalised, collaborative and secure.

Protect AI

Protect AI

Protect AI is a cybersecurity company focused on AI & ML systems. Through innovative security products and thought leadership in MLSecOps, we help our customers build a safer AI powered world.

Endure Secure

Endure Secure

Endure Secure is a managed cyber security & information security consultancy. Our passion for IS and our understanding of the threat landscape is reflected in the services that we provide.

Sardine

Sardine

Sardine is a leader in financial crime prevention. Using unparalleled device intelligence and behavior biometrics, Sardine applies machine learning to detect and stop fraud before it happens.

Internet Watch Foundation (IWF)

Internet Watch Foundation (IWF)

Since the early days of the internet, our job has been to help child victims of sexual abuse by hunting down and removing any online record of the abuse.

Infrassist Technologies

Infrassist Technologies

We're Infrassist - a trusted white label Managed IT & Professional Services partner for MSP businesses.

VPNBlade

VPNBlade

VPNBlade is your go-to resource for expert reviews and advice on VPN services.

CirrusHQ

CirrusHQ

CirrusHQ are a Specialist AWS Advanced Consulting Partner with a focus on Cloud Management, DevOps, Migration and Consulting Services for the private and public sectors.