Is UK critical national infrastructure properly protected?

About 80% of UK critical national infrastructure (CNI) is owned and run by the private sector, so how is government ensuring that it is protected from cyber attacks?

About 80% of UK critical national infrastructure (CNI) is owned and run by the private sector, so how is government ensuring that it is protected from cyber attack?

In the absence of any central point of control or laws requiring operators of CNI to conform to minimum security standards, can we be sure of adequate protection?

The UK's Centre for the Protection of National Infrastructure (CPNI) is charged with doing just that, but given that it has relatively limited resources, how well is it doing?

The UK is doing well and getting better all the time, according to Richard Nethercott, head of Logica's global security practice and member of the CPNI's risk-management advisory group.

"We saw an increase in activity ahead of and in parallel with the Strategic Defence and Security Review in October to push greater co-operation between government and CNI operators," he says.

This is consistent with what Tony Dyhouse, cyber security director of the Digital Systems Knowledge Transfer Network told Computer Weekly back in 2009.

Be prepared 

For some years, the UK has been working on preparations for cyber attacks and is more prepared than most people realise, he said, with co-operation between government and industry to put appropriate protection in place for CNI, he said.

In the past two years, in particular, there has been a great deal of activity behind the scenes of government engaging with private sector organisations, especially telecommunications companies, says Nethercott.

The CPNI has recognised, he says, not only that it needs to extend its reach to all organisations that operate parts of the CNI, but also that it can't do that alone.

The CPNI is instead developing tighter relationships with all FTSE 100 companies and around half a dozen businesses, including system integrators and consultancies, that understand what needs to be done and can communicate those requirements to all the organisations that make up their supply chains.

In the past two years, there has been a much more focused programme of engagement, says Nethercott, to extend reach to as many organisations as possible through the supply-chains of a much smaller number of key suppliers involved in running CNI.

Individual awareness

The biggest challenge at all levels in improving protection of the UK's CNI, he says, is the security awareness of all the people who work at organisations that support the CNI.

When government spending picks up again at the start of the financial year in April, Nethercott expects to see a fairly large proportion of £650m allocated by government to cybersecurity over the next five years channelled into security awareness training.

"Senior executives at organisations that support the CNI need to be made aware that they may be targeted and therefore need to be clear on what security measures they should take as individuals, particularly when working away from their home networks," he says.

Sharing information about threats and mitigation techniques with CNI-supporting organisations and other governments is likely to be another area of significant government investment, according to Nethercott.

Government is well tuned-in to the technical side of cyber threats to CNI, he says, and is, for example, keen to work with organisations on better ways of identifying anomalous behaviour on their networks because it recognises that signature-based detection methods are no longer able to cover the full range of threats.

At the year-old Cyber Security Operations Centre at Government Communications Headquarters (GCHQ) in Cheltenham, the aim is to achieve real-time exchange of data between business and government on cyber attacks.

The idea is that this information exchange will give the government early warning of cyber attacks that could bring down CNI, while giving private sector companies access to government expertise.

While there is already an exchange of information about threats, says Nethercott, it is an area government is working on improving.

International perspective

Although the UK is looked to as an example of good practice by other countries, the UK aspires to be more like Norway, he says, where cyber defences are more joined-up.

There a combination of low-cost connectivity, stronger legislation and less private or foreign ownership of CNI-supporting organisations has resulted in a less complex environment.

"This means Norway can inform and update CNI organisations on the latest threats that have been detected very efficiently," says Nethercott.

There will always be areas that can be improved upon, he says, but government is concentrating on the areas it sees as being under the greatest threat.

While highly visible attacks aimed at shutting down water and electricity supplies are what people usually think of in relation to CNI, the real threat tends to be an economic one, which is practically invisible, says Nethercott.

"Cyber attackers are more likely to be interested in stealing money through fraudulent utility bills than putting such services out of commission," he says.

Nethercott believes that the UK's defences of its CNI against cyber attack are as good as any other country's, but says new investment from government will help to raise the level of sharing collective intelligence, increase security awareness training where required, and focus on the more insidious economic attacks on the UK's CNI.

Read more on IT risk management