
FOI Request Rings Alarm Bells on Critical Infrastructure Security

FOI reveals vulnerability of critical infrastructure ahead of NIS

By CBR Staff Writer

With just eight days to go until the EU’s Network and Information Systems (NIS) Directive becomes legally enforceable, a Freedom of Information (FOI) request to 312 critical infrastructure providers across the UK is ringing industry alarm bells.

The FOI requests, submitted by DDoS mitigation vendor Corero Network Security, found that 70% of the responding institutions – ranging from police forces to NHS trusts, energy suppliers and water authorities – have had service outages in their IT systems within the last two years, a substantial share of which the respondents attributed to cyber-attacks.

Under the NIS Directive – which aims to raise the overall security and resilience of network and information systems across the EU – such outages must be reported and addressed, and organisations that fail to do so face hefty fines.

Penalties Could be Severe

Failure to do so could result in financial penalties of up to £17 million. Corero estimates that, had the NIS Directive been in place two years ago, the penalties faced by UK critical infrastructure providers would have amounted to over £2.5 billion.

Of the 221 critical infrastructure organisations that responded to the FOI, 155 reported that they had suffered downtime in their IT network leading to a loss of services in the last two years. Worryingly, over a third of the reported incidents are suspected to have been caused by cyber-attacks.

However, given the nature of these institutions, the real concern is not the fines but the loss of services to the public and the state.

Andrew Lloyd, President of Corero Network Security, which undertook the FOI request, said: “Service outages and cyber-attacks against critical infrastructure have the potential to inflict significant, real-life disruption by preventing access to essential services such as power, transport and the emergency services. The fact that so many infrastructure organisations have suffered from service outages points to an alarming lack of resilience within organisations that are critical to the functioning of UK society.”


Not Just a Tick Box Exercise

This information comes on the back of the National Audit Office’s investigation into last year’s WannaCry ransomware attack, which hit NHS organisations. The investigation found that much of the damage could have been avoided if a software patch, available two months before the attack, had been applied to NHS IT systems.

Corero fears that organisations will implement only the minimum NIS requirements needed for compliance. Andrew Lloyd said: “As things stand, there is genuine risk that the legislation may be viewed as a mere ‘tick-box’ exercise which requires the bare minimum to be done, rather than fulfilling its promise for the UK to set world-leading standards in this area.”

In the UK, the National Cyber Security Centre is the lead contact point for EU partners on NIS and is acting as a key source of technical expertise. The NCSC has published guidance on NIS compliance.

See also: NHS Digital has just 20 “Suitably Skilled” Cybersecurity Staff
