The UK's critical national infrastructure facilities are at risk of facing a large number of cyber-attacks in the next two years, aided by the fact that there are very few cyber security experts to tame the threat from hackers.
Cyber attacks on critical national infrastructure in the future will lead to economic chaos, disruption of essential services, and injury or death to citizens.
Earlier this year, data obtained by security research firm Corero through a Freedom of Information request revealed that as many as 39% of critical national infrastructure organisations in the UK, including fire and rescue services, police forces, ambulance trusts, NHS trusts, energy suppliers, and transport organisationsm had not completed the the government-mandated '10 Steps to Cyber Security’ programme, thereby affecting their preparedness for cyber-attacks.
The firm added that short-term or low-volume DDoS attacks are frequently being used by hackers to target, map and infiltrate networks as they are harder to detect because of their shorter duration and low bandwidth. Hence, the inability of critical infrastructure organisations to detect or mitigate them presents a serious threat to their operations as well as data management.
“By not detecting and investigating these short, surgical, DDoS attacks on their networks, infrastructure organisations could also be leaving their doors wide-open for malware or ransomware attacks, data theft or more serious cyber attacks," said Sean Newman, Director of Product Management at Corero.
Corero' findings have been echoed by cyber security firm Huntsman Security who estimated that cyber-attacks on the UK's critical national infrastructure would rise by 100% over the next two years.
'With the ISACA predicting a global shortage of two million cybersecurity jobs by 2019, there simply aren’t enough security analysts in the UK, or even the world, to cope with the growing threat that critical infrastructure faces.
'National agencies are already reporting a significant increase in reported attacks, let alone those that pass undetected,' says Peter Woollacott, CEO of Huntsman Security.
He added that considering how quickly critical infrastructure services are going online, there are many more opportunities for attackers to disrupt operations as well as the capability of firms to render essential services to citizens.
'Even a simple DDoS attack has brought services such as Sweden’s trains to their knees recently. There’s no way to block all of these potential attacks at the walls of an organisation, and security analysts will soon be overwhelmed by the sheer volume they face. If organisations can’t address these challenges, the danger to the public, and the harm to the organisation itself, will be unacceptable,' he said.
Considering the wide-ranging threat faced by critical national infrastructure firms, the government is working towards implementing the EU’s Security of Network Information Systems (NIS) in the UK to ensure the security of critical infrastructure firms.
According to the government, the new law would incentivise operators who take adequate measures to deter cyber attacks, assess security risks effectively and engage with competent authorities. Penalties against such operators for suffering cyber attacks despite taking such measures would be a last resort.
However, organisations who fail to implement adequate measures against cyber threats and suffer cyber attacks in the process would be fined a maximum of £17m or up to 4% of their annual turnover. The NIS Directive, which will take effect from next year, will only cover the loss of service as a result of cyber attacks instead of loss of data and will be part of the government's £1.9 billion National Cyber Security Strategy.
'We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards,' said Minister for Digital Matt Hancock.
With the help of the new directive, the government aims to ensure that essential services like electricity, water supply, and health services that have a direct impact on people's lives are secured against cyber attacks seeking to disrupt their operations.