With just eight days to go until the EU’s Network and Information Systems (NIS) Directive becomes legally enforceable, a Freedom of Information (FOI) request to 312 critical infrastructure providers across the UK is ringing industry alarm bells.
The FOI requests, submitted by DDoS attack solutions provider Corero Network Security, found that 70% of these institutions – ranging from police forces to NHS trusts, energy suppliers and water authorities – have had service outages in their IT systems within the last two years; many blamed on cyberattacks.
The implication for these institutions under the new directive would be the enforcement of hefty fines. Under the NIS directive – which aims to raise levels of the overall security and resilience of network and information systems across the EU – these outages need to be reported and addressed.
Penalties Could be Severe
Failure to do so could result in financial penalties of up to £17 Million being imposed. Corero estimates that if the NIS directive was in place two years ago the financial penalties faced by critical UK infrastructure would have amounted to over £2.5 billion.
Out of the 221 critical infrastructure organisations that responded to the FOI, 155 reported that they had suffered a downtime in their IT network leading to loss of services in the last two years. Worryingly over a third of the reported incidents are suspected to be caused by cyber-attacks.
However due to the nature of these critical institutions the real concern is the loss of services to the public and the state.
Andrew Lloyd President of Corero Network Security who undertook the FOI request stated that: “Service outages and cyber-attacks against critical infrastructure have the potential to inflict significant, real-life disruption by preventing access to essential services such as power, transport and the emergency services. The fact that so many infrastructure organisations have suffered from service outages points to an alarming lack of resilience within organisations that are critical to the functioning of UK society.”
Not a Just a Tick Box Exercise
This information comes on the back of the National Audit Office’s investigation into the WannaCry cyber-attack last year which attacked NHS organisations. The investigation found that much of the damage by the ransomware attack could have been negated if a software patch available two months prior to the attack had been implemented into NHS IT systems.
Corero fears that only the basic NIS requirements will be enacted to ensure compliance. Andrew Lloyd said: “As things stand, there is genuine risk that the legislation may be viewed as a mere ‘tick-box’ exercise which requires the bare minimum to be done, rather than fulfilling its promise for the UK to set world-leading standards in this area.”
In the UK the National Cyber Security Centre is the lead contact point for EU partners on NIS, and is acting as a key source of technical expertise. Its guidance on NIS compliance can be found here.
See also: NHS Digital has just 20 “Suitably Skilled” Cybersecurity Staff