It's now "impossible" to protect critical UK infrastructure from cyber attack

Parliamentary committee warns that mitigating the effects of successful attacks is becoming a 'new normal'


MPs and Lords have warned it's "impossible" to completely protect the UK's infrastructure from a WannaCry-scale cyber attack, with mitigation quickly becoming a 'new normal'.

Several factors stand in the way of fully securing the UK's critical national infrastructure (CNI), including an increasingly complex security landscape, and the government's failure to define what it considers to be critical, according to the Joint Committee on the National Security Strategy (JCNSS).

In a report assessing the scale of threat the UK faces, the Parliamentary committee also said laws stemming from EU-wide regulations have been useful, but do not go far enough.

"'Critical' national infrastructure is, by definition, a priority for the Government and industry. However, as the economy becomes more interconnected, it is increasingly difficult to determine which elements are truly critical," the JCNSS report said.


"Fast-changing threats and the rapid emergence of new vulnerabilities make it impossible to secure CNI networks and systems completely.

"Continually updated plans for improving CNI defences and reducing the potential impact of attacks must therefore be the 'new normal' if the Government and operators are to be agile in responding to this changing environment and in taking advantage of constant technological innovation."

The committee raised concerns that the expectations placed on the National Cyber Security Centre (NCSC), formed to provide cyber training and leadership for UK organisations, are outstripping its resources.

NHS Digital deputy chief executive Rob Shaw revealed in evidence that he had expected an "army" of experts to support the NHS through 2017's WannaCry attack, but soon learned the NCSC lacked staffing to help out on the ground.

JCNSS said it had concerns about the NCSC's capacity to meet growing demand for services and expertise, and that its effectiveness will be limited in future unless it can recruit at the appropriate scale.

The government must also publish a ten-year plan for the institutional development of the NCSC, setting out the resources and staffing levels it expects the organisation to need.

The committee made several further recommendations for the government and for businesses, including instigating a cultural change among CNI-linked organisations, and for politicians and ministers to take initiative in making cyber resilience a priority.

Private sector companies overseeing CNI, as well as firms comprising the supply chain, should consider cyber security as another business risk, and proactively manage threats. This is especially true where "commercial interests may not always align with the demands of national security".

Moreover, the government needs to appoint a Cabinet Office minister charged with overseeing the resilience of CNI, instead of the patchwork of multi-ministerial oversight that exists currently.

Under the current structure, each department would have a different approach to overseeing cyber security in its constituent sectors, with occasional overlap.


More focused and proactive leadership from central government is needed to ensure cyber security is handled in a more consistent way, the report continued, blasting the status quo of ministers only occasionally checking in as "wholly inadequate".

"It's vital that short-term memories and political distractions such as Brexit do not derail focus from these important initiatives," said Mimecast's cyber resilience expert Pete Banham.


"Private sector businesses today need a risk and security champion in the boardroom; likewise, it's time Government had a cyber tsar in the Cabinet.

"Minimising the impact of attacks should be top priority as a defence-only strategy is doomed to fail. This should include regular 'fire drills' for all employees to respond to and recover from cyber-attacks.

"We've seen a growing number of CNI organisations, including the NHS, make determined moves to adopt more resilient postures in the last two years. WannaCry helped focus attention and budget allocation but still more needs to be done."

Stuart McKenzie, FireEye's vice president for EMEA, meanwhile warned much of the technology used within CNI remains fragile and relies on outdated standards of security.

"The threats facing CNI have constantly evolved, meaning that today's threat is something that wasn't imaginable when many of the systems were originally designed, leaving them increasingly vulnerable," he said.

"These are not quick problems to solve, but they are not insolvable. We would recommend that CNI organisations conduct a mapping exercise to understand their exposure and risk and put in place some controls to protect the most critical threats.


"With breaches becoming inevitable, organisations need not only to set defences and identify attacks, but crucially to have a really clear understanding of what to do in the event of a breach - every organisation needs to have a really clear incident response plan that's well tested and regularly rehearsed."

Mandatory policy decisions should also be implemented, the report recommended, including a plan to roll out penetration testing for CNI-linked organisations, and continued membership of key EU groups and information-sharing schemes following Brexit.
