It's time to get proactive on the UK's critical national infrastructure (CNI) security -- but where to start?


The critical national infrastructure that underpins the UK has undergone a tremendous amount of digital transformation in recent years. Areas like water treatment, energy and food production are still heavily reliant on operational technology (OT) systems that were often designed and implemented long before the digital revolution.

Digitizing these systems and connecting them to standard IT networks has allowed operators to boost efficiency and bring in practices like remote working and data collection that weren’t possible in an analogue environment.

However, these same innovations have also exposed critical infrastructure to a growing level of cyber risk. Threat actors are increasingly exploiting this connectivity to launch sophisticated attacks -- one source reports that 41 percent of all the threat alerts it sent out last year involved CNI operators.

In an effort to counter the threat, the EU created the NIS2 directive to establish strict security requirements for CNI providers and other essential organizations. However, the law will not apply to UK-based operators when it comes into enforcement in October this year. With the NCSC highlighting an “enduring and significant threat to the UK’s infrastructure”, organizations must take their security into their own hands.

Why the NIS2 directive is making waves

NIS2 has the general aim of raising the bar for security in critical fields, and it has had a significant impact on global companies, even those operating outside of the EU. When large organizations make process changes, they want them to be as replicable and uniform as possible, so it’s generally more cost effective to bring all their operations in line with a new regulation. GDPR compliance demonstrated this, where large global enterprises saw the benefit of updating their policies around the world so that everything was aligned.

The original NIS took a clever approach by designing a more comprehensive framework and making this visible to businesses. Previous applications of frameworks like ISO 27001 could be difficult to implement because it was hard for some organizations to pinpoint what to do in the context of their operational environments. Having a more prescriptive framework tailored to the needs of the business makes it easier for firms to know where to start and establish a good baseline of security.

However, NIS did not lead to widespread enforcement action against organizations that failed to comply. There were only some fairly lightweight fines from regulatory bodies like Ofgem, meaning that non-compliance came with minimal consequences. NIS2 looks closer to the mark in this regard -- although it will be down to individual regulatory bodies in different regions to pursue non-compliance and impose fines.

The UK’s answer to NIS2 is currently under consultation, with no timeline for drafting and implementing a matching directive. While the UK doesn’t fall under NIS2, the government should hopefully at least copy the law as a starting point or, ideally, take the opportunity to improve it.

One issue we sometimes see with regulations is a lack of focus on accountable individuals. Making specific decision makers accountable helps to ensure that the right decisions are made at the top -- something the US is often more familiar with. For example, the SEC last year adopted rules that require companies to describe their board’s oversight of cyber risk and management’s role in managing it in their annual reports, alongside timely disclosure of material cyber incidents. Individual accountability can help address the “it will never happen to me” mindset, which can still be present in some boardrooms.

Of course, this is only fair and effective if those decision makers have the right support and resources to make the changes they need to. If COOs, CIOs, CISOs and others in similar positions are exposed to personal risk without the necessary resources and culture transformation, this doesn’t solve the root cause.

Tackling CNI supply chains

NIS2 puts a significant focus on understanding the risks around supply chain connections. This is a common issue for CNI providers which often have an expansive network of suppliers.

While the onus is on enterprises to understand the risks their suppliers represent, we will hopefully see a trickle-down effect of organizations holding their third-party providers to the same standards they hold themselves to. For now, enterprises are mostly focusing on their internal operations, but eventually this will travel through their wider supply chain, including second- and third-tier suppliers.

Meeting regulatory requirements, such as conducting in-depth risk assessments, may be difficult for smaller suppliers with limited resources. The demands need to be manageable: enough to deliver improved security without being so onerous that suppliers are tempted to bury their heads in the sand.

Guidelines like Cyber Essentials provide an effective and achievable baseline, but it may become more challenging for smaller firms operating OT systems, as there is no effective, lightweight option for translating those principles to their needs.

Large organizations also cannot necessarily audit every single supplier in their web -- especially in fields like manufacturing and food production, where hundreds of small, interconnected suppliers may be involved. So, organizations will need to find a balance between expending resources, meeting their obligations, and having a reasonable view of supply chain risk.

What should UK operators be doing?

Regulations and frameworks generally focus on enforcing a foundational level of security, encouraging enterprises to support effective security hygiene. Ideally, businesses should be proactively seeking out these guidelines themselves, and many do. But it continues to be apparent that some organizations will not unless required to.

Although there is no legal obligation to do so for now, UK firms should still pursue opportunities to improve their security resilience.

Fortunately, there is a lot of good guidance out there. The NCSC, in particular, has a strong track record as a voice for sound advice and practical guidance. For example, back in 2018 it launched the Cyber Assessment Framework to help organizations work with the original NIS. The CAF has continued to receive updates, with the most recent in April 2024. It’s also a great example of guidance as it clearly outlines the requirements while also being generic enough to apply across multiple industries.

One of the biggest mistakes we see is organizations focusing too heavily on implementing security solutions. Truly effective security is all about balancing people, processes, and technology (PPT). It’s a three-legged stool -- if you just have two, it will inevitably fall over. Most frameworks like Cyber Essentials are pathways back to PPT, so following these guidelines will help address the issue.

Why culture makes a difference

There’s a tendency to try and solve security problems by buying more tools. But most organizations already have plenty of solutions in place -- the issue is getting them to be useful for the business. Large organizations sometimes have close to 100 different solutions in place -- a huge suite that will be very difficult to get working together properly.

This is especially problematic for OT security, as IT and OT security tools often don’t work together without specialist intervention. This can lead to two tiers of security effort that aren’t always in sync. There is also a shortage of people with a deep understanding of both cybersecurity and operational technology to lead OT efforts effectively in-house.

A lack of security culture is a prevalent challenge. If leadership and the wider workforce aren’t invested in security as a priority, it’s very difficult for security teams internally. It really needs a strong individual to lead the push.

As with the tools, IT and OT security teams can work on different wavelengths, either not intersecting with each other at all or approaching the same problems from two different perspectives. This creates a dangerous gap in security at the boundary between the two sets of technology, and it is exactly that connection that threat actors exploit. One approach that we have seen deliver strong results is to merge IT and OT teams into a single unit.

Security teams should look to other fields for guidance -- for example, the way separate risk management teams in finance have been brought together, or the way development, security and operations have converged into DevSecOps. This can be tough to achieve due to differences in experience and culture clashes, but creating a single unified team can lead to more streamlined and effective security.

While the UK government will hopefully match or exceed the NIS2 directive’s requirements, CNI operators should not wait to see which way it jumps before acting. Even if an organization doesn’t have a European footprint to align with, aiming to comply with NIS2 now will put them ahead of those firms that do not act until further guidance is issued. And regardless of legal obligation, any improvements to security resilience can only be a good thing -- especially when critical infrastructure is on the line.


Gareth Pritchard is CTO at Sapphire. Gareth, who previously served as Technical Director at NCC Group, has extensive experience in developing complex solutions to address clients' cyber challenges. He achieved this through an end-to-end service delivery model that involved people and technology transformation. Gareth has worked in technical roles within Defence and the Civil Service. He is passionate about the positive impact that skilled cyber professionals, technology, and processes can have when working in harmony.

© 1998-2024 BetaNews, Inc. All Rights Reserved.