

The threat posed by hackers to critical infrastructure in Britain is increasing, leaving a “widening gap” between the potential for harm and the collective ability to defend against it, the country’s cybersecurity agency warned on Wednesday.
In its latest attempt to sound the alarm about that threat, the National Cyber Security Centre (NCSC) again stressed that Britain was underestimating the severity of the risk from cyberattacks and provided updated guidance to infrastructure operators to protect themselves.
Despite these repeated warnings, there are continuing delays from both the government and the private sector in taking action to drive forward even basic levels of security. As the agency’s chief complained earlier this year, many organizations still fail to follow the NCSC’s cybersecurity guidance and advice.
The government itself is now several years late in introducing cybersecurity legislation intended to improve resilience across critical national infrastructure sectors, despite the NCSC’s calls for a strategic policy agenda to tackle shortcomings.
The agency published on Wednesday an updated version of its Cyber Assessment Framework — a collection of guidance intended to help “essential services, in sectors such as energy, healthcare, transport, digital infrastructure and government.”
The update calls on organizations to protect themselves by keeping pace with the evolving attack methods being deployed by threat actors, and to be prepared to respond and continue to operate if an attack does get through.
“Threats can come from many sources, both from within and external to an organisation. A good understanding of the threat landscape and the vulnerabilities that may be exploited is essential to effectively identify and manage risks,” the NCSC said.
“Such information may come from sources including NCSC, information exchanges relevant to the organisation’s sector, and reputable government, commercial, and open sources, all of which can inform the organisation’s own risk assessment process. Organisations may contribute to the understanding of threats and vulnerabilities in their sector by participating in relevant information exchanges and liaising with authorities as appropriate.”
Beyond the systems they own and operate, critical national infrastructure (CNI) operators are being asked to understand the systems of those suppliers and sub-contractors who might offer attackers a sneaky way into the CNI systems, or whose failure could impact the CNI system in a substantial way.
While all organizations in Britain are continuing to experience cyberattacks, officials are particularly concerned about the cascading effects that a single attack on critical national infrastructure (CNI) sectors could have. The British government has not recently disclosed any such attacks, but they have been identified across the world in the United States, the Netherlands and Singapore.
Although the framework is not a regulatory document, the NCSC acknowledges it was developed with the expectation it would be used to support regulation. The government has said it will introduce new regulations for critical infrastructure through the Cyber Security and Resilience Bill later this year.