Securing Critical Infrastructure

Uploaded on 2024-05-08 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Production-Manufacturing

The impact of digital transformation continues to have a significant influence on the UK’s critical national infrastructure (CNI). Sectors such as water treatment, energy, and food production all continue to depend on operational technology (OT) systems established long before the advent of digital technologies.

By digitising these systems and integrating them with standard IT networks, operators have enhanced efficiency and introduced practices like remote working and data collection, which were previously unfeasible in an analogue setting.

However, these innovations have also heightened the exposure of critical infrastructure to cyber risks. For instance, Microsoft reported that 41% of all threat alerts issued last year targeted CNI operators.

The EU is introducing the NIS2 directive to mitigate these risks, setting stringent security guidelines for CNI providers and other essential entities. Despite its impending enforcement in October this year, this directive will not be legally binding for UK-based operators. This exclusion leaves the UK open to independently addressing what the NCSC describes as an "enduring and significant threat" to critical infrastructure independently.

The Significance Of The NIS2 Directive

The NIS2 directive aims to elevate security standards in crucial sectors and will impact global companies whose operations and supply chains crossover with the EU market. As a result, NIS2 will have a similar impact to GDPR and impact large organisations that favour uniformity in their processes due to the cost-effective nature of aligning operations and security policies. 

NIS2 promises stricter enforcement than its predecessor, the original NIS . The earlier directive suffered from ineffective compliance enforcement, with minimal penalties issued by regulators like Ofgem. NIS2, in contrast, empowers regional regulatory bodies to pursue non-compliance more aggressively.

While the UK does not currently fall under the NIS2 regulation directly, it is under consultation to draft a comparable directive. The Department for Digital, Culture, Media & Sport has proposed significant amendments focusing on the expansion and regulation of digital service providers, particularly those offering managed services. The proposal aims to broaden the regulatory scope to include managed services such as security monitoring and network management, which are crucial to the UK's economic support system and are high-value targets for cyber threats.

The proposal also addresses the need for future-proofing the UK’s cybersecurity regulations. It suggests granting ministers the power to update the NIS Regulations through secondary legislation, ensuring the framework can adapt swiftly to new technologies and emerging threats without undergoing the slow process of primary legislation.

This process, however, lacks a defined timeline. An ideal approach would be to emulate and enhance the existing directive, promoting accountability at higher management levels, a practice more commonly observed in the US. For example, the SEC recently mandated that companies disclose their boards' cyber risk oversight roles during incident reporting. This accountability is crucial for combating the complacency often found in executive circles.

Addressing Supply Chain Vulnerabilities

NIS2 places considerable emphasis on managing supply chain risks, a prevalent issue for CNI providers with extensive networks of suppliers. The responsibility lies with enterprises to assess and mitigate the risks posed by their suppliers, fostering a standard of security that hopefully permeates through the supply chain to include even second and third-tier suppliers. 

Meeting these stringent demands can prove challenging for smaller suppliers, especially those using OT technology.

Smaller suppliers can sometimes lack the robust IT departments or cybersecurity expertise that larger companies might take for granted. They also can have limited financial, technical, and human resources. This disparity can make it more challenging to implement complex security measures or stay updated with the latest cybersecurity practices and technologies.

Cyber Essentials provides a straightforward and achievable baseline for cybersecurity, which is particularly beneficial for smaller suppliers. This framework outlines clear and manageable steps that organisations can follow to protect against a wide array of the most common cyberattacks, such as phishing and brute-force attacks.

However, the absence of a tailored lightweight option for OT technologies remains a gap. Equally, organisations should seek to understand and manage the security of their own supply chains, to ensure operational resilience. 

Proactive Measures For UK Operators

UK firms should proactively seek guidelines to bolster their security despite the lack of current legal mandates. The NCSC provides robust advice, exemplified by its Cyber Assessment Framework, first introduced in 2018 and updated as recently as April 2024. This framework illustrates the requirements while being adaptable across various industries.

A common mistake among organisations is overly focusing on implementing security solutions without balancing people, processes, and technology. Most security frameworks guide back to this triad, emphasising the importance of an integrated approach.

Buying more tools often seems like the solution to security issues, but the challenge lies in integrating these tools into useful systems. This problem is particularly acute in OT security, where IT and OT tools rarely integrate seamlessly, requiring specialised intervention.

Moreover, a robust security culture is vital. Internal security teams face uphill battles without buy-in from leadership and the broader workforce.

Traditional IT security programs often order the famous CIA triad (Confidentiality, Integrity and Availability) with a focus on sensitive data Confidentiality above Integrity and Availability. However, in OT areas, this order is often flipped, with a core operational focus on system Availability over Integrity and Confidentiality. These different viewpoints often need to be managed for effective collaborative cyber security programmes.

While awaiting the UK government's direction regarding the NIS2 directive, CNI operators should not delay enhancing their security measures. Aligning with NIS2 now provides a competitive advantage over firms that react only when mandated. Improving security resilience is imperative, particularly when safeguarding critical infrastructure.

In summary, while the UK deliberates on its regulatory approach to align with or surpass the NIS2 directive, proactive engagement with existing guidelines and frameworks remains crucial for enhancing the security resilience of critical infrastructure operators.

Gareth Pritchard is CTO at Sapphire

Image: gorodenkoff

You Might Also Read:

Protecting OT With MDR:

DIRECTORY OF SUPPLIERS - Critical Infrastructure Security:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

 

« Notorious Cyber Criminal Sentenced
Combatting Foreign Interference »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Identity Theft Resource Center (ITRC)

Identity Theft Resource Center (ITRC)

ITRC is a non-profit organization established to empower and guide consumers, victims, business and government to minimize risk and mitigate the impact of identity compromise and crime.

Technology Association of Georgia (TAG)

Technology Association of Georgia (TAG)

TAG's mission is to educate, promote, influence and unite Georgia's technology community to stimulate and enhance Georgia's tech-based economy.

TestingXperts

TestingXperts

TestingXperts is a specialist software QA and testing company.

Research Institute in Trustworthy Industrial Control Systems (RITICS)

Research Institute in Trustworthy Industrial Control Systems (RITICS)

RITICS is one of three Research Institutes formed as part of the UK National Cyber Security Strategy.

Professional Information Security Association (PISA)

Professional Information Security Association (PISA)

PISA is an independent and not-for-profit organization for information security professionals, with the primary objective of promoting information security awareness and best practice.

Communications Authority of Kenya

Communications Authority of Kenya

The Authority is responsible for facilitating the development of the information and communications sectors including; broadcasting, telecommunications, electronic commerce and cybersecurity.

IdentityIQ

IdentityIQ

IdentityIQ is a US-based identity theft and credit protection company designed to help users stay on top identity thieves and data breaches.

Brookcourt Solutions

Brookcourt Solutions

Brookcourt Solutions delivers cyber security, network monitoring technologies and managed security services to help secure and protect your organisation’s critical infrastructure.

Darkbeam

Darkbeam

Darkbeam provides a unified solution to protect against security, brand and compliance risks across your digital infrastructure.

MalwareFox

MalwareFox

MalwareFox is an advanced, yet simple-to-use anti-malware solution for Windows computers. We provide aggressive detection capabilities and an effective malware removal tool to keep your systems safe.

Orbus Software

Orbus Software

Orbus develops, markets and sells enterprise software which helps large, blue chip and government organisations across the globe to achieve digital transformation outcomes.

Alea Consulting

Alea Consulting

Alea Consulting is a global risk mitigation and investigative consulting firm, which helps organizations reduce reputation and operational concerns.

ProCheckUp

ProCheckUp

ProCheckUp is a London-based independent provider of cyber security services, including IT Security, Assurance, Compliance and Incident Response.

Swish Data Corp.

Swish Data Corp.

Swish delivers when the problems are complex, requirements are difficult, and the mission is absolutely critical.

Accelerynt

Accelerynt

Accelerynt was founded with a singular purpose: help teams like yours build cybersecurity resilience.

Noma Security

Noma Security

Noma Security's mission is Application Security for the Entire Data & AI Lifecycle.