Attacks on critical national infrastructure are growing in number and sophistication. So how big is the UK’s risk?
The shift from physical to cyber-warfare has seen a surge in attacks on critical infrastructure. In 2010, the now infamous Stuxnet worm was discovered after it ravaged an Iranian nuclear facility. More recently, Industroyer, the first known malware to target electrical grids, is thought to have been used in a 2016 attack on Ukraine’s national grid.
Meanwhile, in November this year, National Cyber Security Centre chief Ciaran Martin confirmed that the Kremlin had ordered a cyber-assault on the UK’s major power companies in a bid to disrupt international order.
Also in the UK, the WannaCry ransomware cryptoworm that hit the NHS – blamed on out-of-date Windows XP systems – was a wake-up call. Although not specifically targeted, it showed what can happen when a critical organisation is brought to a standstill.
It is with this devastation in mind that the European Parliament’s network and information security (NIS) directive last year introduced minimum standards on critical infrastructure operators. The energy, transport, water, banking and healthcare sectors are included in its definition of such “essential services”.
Among its aims, the directive wants to step up cooperation among EU countries and service providers to help prevent attacks on interconnected infrastructure. Under NIS, organisations could be liable for fines of up to £17 million or four percent of global turnover if they suffer a breach.
However, experts are warning that the UK’s critical infrastructure is at risk from distributed denial of service (DDoS) attacks because basic security defence work has not been carried out, according to data obtained by Corero Network Security PLC (LON:CNS) under the Freedom of Information Act. Corero’s research revealed that 39 percent of respondents to a survey had not completed the government’s ‘10 Steps to Cyber Security’ programme, which was first issued in 2012.