The UK government is working on a new law to ensure the cyber security of critical national infrastructure in sectors such as electricity, water, energy, transport, and health.
The government plans to implement the EU's Security of Network Information Systems (NIS) Directive in the UK to secure essential services against cyber attacks.
The Department for Digital, Culture, Media, and Sport launched a consultation today with an aim to implement the EU’s Security of Network Information Systems (NIS) from May next year.
The department said that it would incentivise operators who take adequate measures to deter cyber attacks, assess security risks effectively and engage with competent authorities. Penalties against operators that suffer cyber attacks despite taking such measures would be a last resort.
Non-compliant organisations that fail to implement adequate measures against cyber threats and suffer cyber attacks as a result would face fines of up to £17m or 4% of their annual turnover. The NIS Directive, which will take effect from next year, will cover only loss of service resulting from cyber attacks, not loss of data, and will form part of the government's £1.9 billion National Cyber Security Strategy.
'We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards,' said Minister for Digital Matt Hancock.
With the help of the new directive, the government aims to ensure that essential services like electricity, water supply, and health services that have a direct impact on people's lives are secured against cyber attacks seeking to disrupt their operations.
Along with offering cyber security guidelines and best practices, the government believes that imposing large fines on organisations that fall short would deter them from treating cyber security lightly in the future.
According to Azeem Aleem, Director for Advanced Cyber Defence Practice EMEA at RSA Security, the UK's critical infrastructure services are years behind banking and retail in terms of cyber security. For years their principal focus was physical security, and their old manual systems have only recently been digitised.
"My advice would be to face these challenges head-on, and the only way to do this is by having visibility and context. This means conducting a thorough risk assessment, understanding the dependencies between systems, using threat detection to monitor and alert on attacks, and contextualising results with business context in order to prioritise events," he says.
Back in July, a leaked report from the National Cyber Security Centre (NCSC) confirmed that several industrial control system and service organisations had been breached by hackers.
"The NCSC is aware of connections from multiple UK IP addresses to infrastructure associated with advanced state-sponsored hostile threat actors, who are known to target the energy and manufacturing sectors," the report said.
"NCSC believes that due to the use of widespread targeting by the attacker, a number of Industrial Control System engineering and services organisations are likely to have been compromised," it added.
Last year, the government unveiled its £1.9 billion National Cyber Security Strategy, which aims to increase investment in existing intelligence programmes, including the new National Cyber Security Centre. A new Cyber Security Research Institute will also bring universities together to improve the security of computers and other devices.
"Our new strategy, underpinned by £1.9 billion of support over five years and excellent partnerships with industry and academia, will allow us to take even greater steps to defend ourselves in cyberspace and strike back when we are attacked," said Chancellor Philip Hammond.