Cyberattacks caused 35% of outages at critical infrastructure organisations
Threats / 35% of outages at critical infrastructure organisations caused by cyber-attacks
2 May 2018
Around 70 percent of critical infrastructure organisations in the UK suffered from service outages, many of them due to cyber-attacks in the past two years, a Freedom of Information request by security firm Corero Network Security has revealed.
Between January and February this year, Researchers at Corero sent Freedom of Information requests to 312 critical infrastructure organisations in the UK that included fire and rescue services, police forces, ambulance trusts, NHS trusts, energy suppliers, transport organisations and water authorities.
35% of outages caused by cyber-attacks
Out of 221 organisations who responded to Corero’s request, 155 organisations admitted that they had suffered service outages in the last two years, with over 35% of all outages believed to have been caused by a cyber attack.
“Service outages and cyber attacks against national infrastructure have the potential to inflict significant, real-life disruption by preventing access to essential services such as power, transport, and the emergency services. The fact that so many infrastructure organisations have suffered from service outages points to an alarming lack of resilience within organisations that are critical to the functioning of UK society,” said Andrew Lloyd, President at Corero Network Security.
“Across all sectors, we are seeing a greater number of sophisticated and, when undefended, damaging cyber-attacks. Government Ministers and Agencies have reported that these attacks are increasingly believed to be the work of foreign governments seeking to cause political upheaval.
“The head of the National Cyber Security Centre has already warned that it is a matter of when, not if, the UK experiences a devastating cyber attack on its critical infrastructure. The study poses serious questions about the UK’s current capability to withstand such an attack,” he added.
In December last year, cyber security firm Huntsman Security estimated that cyber-attacks on the UK’s critical infrastructure organisations would rise by 100% over the next two years.
Peter Woollacott, CEO of Huntsman Security, said that considering how quickly critical infrastructure services are going online, there are many more opportunities for attackers to disrupt operations as well as the capability of firms to render essential services to citizens.
“Even a simple DDoS attack has brought services such as Sweden’s trains to their knees recently. There’s no way to block all of these potential attacks at the walls of an organisation, and security analysts will soon be overwhelmed by the sheer volume they face. If organisations can’t address these challenges, the danger to the public, and the harm to the organisation itself, will be unacceptable,” he said.
Possibility of huge fines under NIS Directive
According to researchers at Corero, if critical infrastructure organisations fail to prevent more cyber attacks in the future and suffer service outages as a result, they will be liable to receiving fines under the EU’s Network and Information Systems (NIS) directive which will come into force next week.
“Had the service outages occurred after this date, and all the affected organisations were deemed to have failed to protect themselves, the total fines for all affected organisations would cost the UK economy more than £2.5 billion,” they warned.
The threat of fines under the NIS directive is very real. In January, the UK government warned all organisations delivering essential services in the UK that if they fail to protect their IT systems because of poor cyber security practices, they will attract fines of up to £17 million.
“Today we are setting out new and robust cyber security measures to help ensure the UK is the safest place in the world to live and be online. We want our essential services and infrastructure to be primed and ready to tackle cyber attacks and be resilient against major disruption to services,” said Margot James, Minister for Digital and the Creative Industries.
“I encourage all public and private operators in these essential sectors to take action now and consult NCSC’s advice on how they can improve their cyber security,” she added.
To ensure that organisations in critical infrastructure sectors are able to implement the most robust defences and are able to comply with the government’s requirements, the National Cyber Security Centre has published detailed guidance based on the EU’s Network and Information Systems (NIS) directive.
“Our new guidance will give clear advice on what organisations need to do to implement essential cyber security measures. Network and information systems give critical support to everyday activities, so it is absolutely vital that they are as secure as possible,” said Ciaran Martin, chief of the NCSC.