Critical Infrastructure Firms ‘Skip’ Basic Security Checks

More than one-third of critical infrastructure organisations have admitted to skipping basic IT security precautions, according to findings by Corero Network Security.

The firm found 39 percent of the organisations who responded to its freedom of information (FOI) requests said they hadn’t completed the ’10 Steps to Cyber Security’ programme issued by the UK government.

Critical infrastructure threat

Amongst the NHS trusts who responded the figure was higher, at 42 percent.

The findings indicate many of the organisations designated as critical national infrastructure could be open to fines of up to £17 million or 4 percent of their global turnover under recent government proposals to implement the EU’s Network and Information Systems (NIS) directive from May of next year.

Corero sent requests in March of this year to 338 organisations including fire and rescue services, police forces, ambulance trusts, NHS trusts, energy suppliers and transport organisations. It received 163 responses, with 63 saying they hadn’t completed the recommended programme.

The firm said the responses suggest critical infrastructure organisations could be doing more to protect themselves.

“These findings suggest that many such organisations are not as cyber resilient as they should be, in the face of growing and sophisticated cyber threats,” stated Corero director of product management Sean Newman.

NIS directive

The government launched a consultation on the NIS directive earlier this month, saying the measure is aimed at dealing with an increasingly hostile online environment.

“The NIS directive will help make sure UK operators in electricity, transport, water, energy, transport, health, and digital infrastructure are prepared to deal with the increasing numbers of cyber threats,” the government stated at the time. “It will also cover other threats affecting IT – such as power failures, hardware failures, and environmental hazards.”

Corero said its findings also indicate most critical infrastructure organisations (51 percent of respondents) aren’t monitoring low-level distributed denial-of-service (DDoS) attacks, those that are short in duration. That suggests they could be vulnerable to the malware infection attempts that often accompany such attacks, Corero said.

Analytics firm Neustar found that 42 percent of European organisations polled in May said DDoS attacks were accompanied by malware infections, up 10 percent from the previous year.

‘Challenging’ implementation

Industry observers have noted that awareness of the NIS directive is signficantly lower than that of the General Data Protection Regulation (GDPR), also set to take effect in the UK in May 2018.

James Castro-Edwards, partner and head of data protection law at Wedlake Bell, said in a recent research note that compliance with the NIS directive was “more challenging since the final details have not been specified yet”.

While the GDPR applies broadly to organisations that handle personal data, the NIS directive only targets ‘operators of essential services’ in the energy, transport, banking, financial market infrastructures, health sector, water and digital infrastructure sectors.

Do you know all about security in 2017? Try our quiz!