It's now "impossible" to protect critical UK infrastructure from cyber attack

Parliamentary committee warns that mitigating the effects of successful attacks is becoming a 'new normal'

Image of construction workers representing UK infrastructure

MPs and Lords have warned it's "impossible" to completely protect the UK's infrastructure from a WannaCry-scale cyber attack, with mitigation quickly-becoming a new normal'.

Several factors stand in the way of fully securing the UK's critical national infrastructure (CNI), including an increasingly complex security landscape, and the government's failure to define what it considers to be critical, according to the Joint Committee on the National Security Strategy (JCNSS).

In a report assessing the scale of threat the UK faces, the Parliamentary committee also said laws stemming from EU-wide regulations have been useful, but do not go far enough.

"'Critical' national infrastructure is, by definition, a priority for the Government and industry. However, as the economy becomes more interconnected, it is increasingly difficult to determine which elements are truly critical," the JCNSS report said.

Advertisement
Advertisement - Article continues below

"Fast-changing threats and the rapid emergence of new vulnerabilities make it impossible to secure CNI networks and systems completely.

"Continually updated plans for improving CNI defences and reducing the potential impact of attacks must therefore be the 'new normal' if the Government and operators are to be agile in responding to this changing environment and in taking advantage of constant technological innovation."

The committee raised concerns that the expectations for the National Cyber Security Centre (NCSC), formed to provide cyber training and leadership for UK organisations, is outrstripping its resources.

NHS Digital deputy chief executive Rob Shaw revealed in evidence that he had expected an "army" of experts to support the NHS through 2017's WannaCry attack, but soon learned the NCSC lacked staffing to help out on the ground.

JCNSS said it had concerns about the NCSC's capacity to meet growing demand for services and expertise, and that its effectiveness will be limited in future unless it can recruit at the appropriate scale.

The government must also publish a ten-year plan for the institutional development of the NCSC, setting out the resources and staffing levels it expects the organisation to need.

The committee made several further recommendations for the government and for businesses, including instigating a cultural change among CNI-linked organisations, and for politicians and ministers to take initiative in making cyber resilience a priority.

Private sector companies overseeing CNI, as well as firms comprising the supply chain, should consider cyber security as another business risk, and proactively manage threats. This is especially true where "commercial interests may not always align with the demands of national security".

Moreover, the government needs to appoint a cabinet office minister charged with overseeing the resilience of CNI, instead of patchwork of multi-ministerial oversight that exists currently.

Under the current structure, each department would have a different approach to overseeing cyber security in its constituent sectors, with occasional overlap.

Advertisement
Advertisement - Article continues below

A more focused and proactive leadership from central government is needed to ensure cyber security is handled in a more consistent way, the report continued, and blasted the status quo of ministers only occasionally checking-in as "wholly inadequate".

"It's vital that that short-term memories and political distractions such as Brexit do not derail focus from these important initiatives," said Mimecast's cyber resilience expert Pete Banham

"Private sector businesses today need a risk and security champion in the boardroom; likewise, it's time Government had a cyber tsar in the Cabinet.

"Minimising the impact of attacks should be top priority as a defence-only strategy is doomed to fail. This should include regular fire drills' for all employees to respond to and recover to cyber-attacks.

"We've seen a growing number of CNI organisations, including the NHS, make determined moves to adopt more resilient postures in the last two years. WannaCry helped focus attention and budget allocation but still more needs to be done."

Stuart McKenzie, FireEye's vice president for EMEA, meanwhile warned much of the technology used within CNI remains fragile and relies on outdated standards of security.

"The threats facing CNI have constantly evolved, meaning that today's threat is something that wasn't imaginable when many of the systems were originally designed, leaving them increasingly vulnerable," he said.

"These are not quick problems to solve, but they are not insolvable. We would recommend that CNI organisations conduct a mapping exercise to understand their exposure and risk and put in place some controls to protect the most critical threats.

"With breaches becoming inevitable, organisations need to not only to set defences and identify attacks, but crucially to have a really clear understanding of what to do in the event of a breach - every organisation needs to have a really clear incident response plan that's well tested and regularly rehearsed."

Mandatory policy decisions should also be implemented, the report recommended, including a plan to roll-out penetration-testing for CNI-linked organisations, and continued membership in key EU groups and information-sharing schemes following Brexit.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019
Visit/business/business-strategy/354252/huawei-takes-the-us-trade-sanctions-into-its-own-hands
Business strategy

Huawei takes the US trade sanctions into its own hands

3 Dec 2019
Visit/mobile/mobile-phones/354273/pablo-escobars-brother-launches-budget-foldable-phone
Mobile Phones

Pablo Escobar's brother launches budget foldable phone

4 Dec 2019