Organisations delivering essential services in the UK have been warned by the government that if they fail to protect their IT systems because of poor cyber security practices, they will attract fines of up to £17 million.
Organisations delivering essential services like energy, transport, water and health have been asked to implement the most robust safeguards to guard against future cyber attacks.
In a press release, the government today announced that it will appoint new regulators to assess critical industries ‘to make sure plans are as robust as possible’. The government’s decision comes not long after Ciaran Martin, the chief of the National Cyber Security Centre, said that it is only a matter of time before a catastrophic cyber-attack is launched on the UK’s critical infrastructure or election setup.
The government also said that a simple, straightforward reporting system to report cyber breaches and IT failures will also help operators in electricity, transport, water, energy, health and digital infrastructure to deal with cyber threats in the future. The new reporting system will also cover power outages, hardware failures and environmental hazards that tend to impact the productivity of operators.
‘Today we are setting out new and robust cyber security measures to help ensure the UK is the safest place in the world to live and be online. We want our essential services and infrastructure to be primed and ready to tackle cyber attacks and be resilient against major disruption to services,’ said Margot James, Minister for Digital and the Creative Industries.
‘I encourage all public and private operators in these essential sectors to take action now and consult NCSC’s advice on how they can improve their cyber security,’ she added.
To ensure that organisations in critical infrastructure sectors are able to implement the most robust defences and are able to comply with the government’s requirements, the National Cyber Security Centre has published detailed guidance based on the EU’s Network and Information Systems (NIS) directive.
The government’s consultation on the EU’s Security of Network Information Systems (NIS) was launched in August last year by the Department for Digital, Culture, Media, and Sport. While launching the programme, the government said it would incentivise operators who take adequate measures to deter cyber attacks and assess security risks effectively. Penalties against such operators would be the last resort.
With the help of the new directive, the government aims to ensure that essential services like electricity, water supply, and health services that have a direct impact on people’s lives are secured against cyber attacks seeking to disrupt their operations.
‘Our new guidance will give clear advice on what organisations need to do to implement essential cyber security measures. Network and information systems give critical support to everyday activities, so it is absolutely vital that they are as secure as possible,’ said Ciaran Martin, chief of the NCSC.
According to Azeem Aleem, Director of Advanced Cyber Defence Practice EMEA & APJ Region at RSA Security, since old manual systems in firms offering essential services have been ‘digitised’ and connected only in recent years, such firms have a long way to go if they are to comply with the directive.
‘My advice would be to face these challenges head-on and the only way to do this is by having visibility and context. This means conducting a thorough risk assessment, understanding the dependencies between systems, using threat detection to monitor and alert on attacks, and contextualising results with business context in order to prioritise events,’ he said.