90% of critical infrastructure providers have fallen victim to a cyber attack since 2017

Critical infrastructure providers have been deluged by cyber attacks in the past two years, according to a Ponemon Institute study.

The report, Cybersecurity in Operational Technology: 7 Insights You Need to Know, found that 90% of respondents from the UK, US, Germany, Australia, Mexico and Japan had been breached since 2017, with many organisations revealing they’d fallen victim to multiple attacks.

The anonymous survey covered the utility, energy, health and transport sectors – industries that rarely discuss their security posture publicly, because they hold highly sensitive information and are responsible for essential services.

It found that these sectors are subject to “relentless and continuous” attacks that threaten the confidentiality of information and endanger countries’ critical infrastructure.

The risk is real

The survey’s respondents said about half of successful attacks resulted in downtime. This includes incidents where essential services were knocked out as part of the attack, and where operators had to turn off systems to rectify the damage.

Eitan Goldstein, the senior director of strategic initiatives at Tenable, which commissioned the report, told the BBC: “These are multiple, successful attacks on the physical world using cyber-technologies.

“That is a really big change and that’s why the risk isn’t just theoretical any more.

“We believe the reason behind it is increased connectivity to industrial control systems.

“Today we want to be able to do analytics and predictive maintenance in our power plants, but the proliferation of smart devices and sensors and IoT is really increasing our cyber-exposure to attack.

“In many cases, organisations don’t even know what is connected to the internet and what can be accessed by hackers.”

Professor Alan Woodward, from the University of Surrey’s Cyber Security Centre, said: “Not only are elements of critical infrastructure being attacked, they are being ‘successfully’ attacked: these attacks are having a tangible impact, sometimes on multiple occasions.

“The data also reveals worrying themes, such as a lack of skilled staff or appropriate incident response plans to mitigate the attacks.”

He added: “When you think what critical infrastructure is, it’s something that we simply must invest in protecting.”

NIS Regulations

Critical infrastructure providers’ investments should be in line with the requirements of the NIS (Network and Information Systems) Regulations.

The legislation has largely flown under the radar because it came into effect in the same month as the GDPR (General Data Protection Regulation), which has dominated most discussions about cyber security regulations in the past year.

But whereas the GDPR addresses data protection and privacy, the NIS Regulations focus on the security of OES (operators of essential services) and DSPs (digital service providers). These organisations are expected to:

  • Take appropriate technical and organisational measures to secure their network and information systems;
  • Keep track of the latest developments in the cyber security landscape and consider potential risks facing their systems;
  • Take appropriate steps to prevent and minimise the impact of security incidents to ensure service continuity; and
  • Notify the relevant competent authority of any security incident having a significant impact on service continuity without undue delay, and in any event within 72 hours of becoming aware of it.

There is also specific guidance for OES (outlined in the National Cyber Security Centre’s 14 principles) and DSPs (outlined in the Commission Implementing Regulation).

The Ponemon Institute’s findings suggest that many organisations aren’t meeting their notification requirements, and the scale and success rate of the attacks suggest that they aren’t meeting their defence requirements either.

Failure to comply with the NIS Regulations could lead to fines of up to £17 million, but so far regulatory bodies across the EU have done a poor job enforcing the rules – some countries are yet to transpose the Directive (on which the NIS Regulations are based) into national law.

We expect that to change as regulators get to grips with the increased workload. A similar thing happened with the GDPR, with months of inaction turning into a steady tide of investigations over time.

Most GDPR investigations have been launched off the back of public complaints. However, the NIS Regulations’ requirements generally relate to organisations’ internal practices, so competent authorities don’t enjoy the luxury of having the public alert them to the shortcomings of the organisations they oversee.

Nonetheless, the scale of the threat facing critical infrastructure means regulators must take a firmer stance. The NIS Regulations were enacted for this very reason, and their requirements are intended to ensure that OES and DSPs are doing everything necessary to stay secure. This is vital not only for regulatory compliance but also to ensure continuity of society’s essential services.

Want NIS Regulations compliance advice?

Discover how to meet the NIS Regulations’ requirements in simple terms by reading our free compliance guides. They include tailored advice for OES and DSPs and further recommendations for how to stay secure: