UK utilities face huge fines if they neglect cybersecurity

9 February 2018 (Last Updated December 23rd, 2019 12:43)

Last week, the UK government announced an additional step to create clear sanctions against companies running critical assets if they fail to take necessary precautions to minimise cybersecurity risks.

Last week, the UK government announced an additional step to create clear sanctions against companies running critical assets if they fail to take necessary precautions to minimise cybersecurity risks. These sanctions will be in the form of fines of up to £17 million. The government plans to appoint a regulator responsible for issuing these fines in each of the key sectors that are subject to the legislation, namely electricity, transport, water, energy, health and digital infrastructure. It is not clear who these regulators are going to be, although they are likely to be existing bodies.

These fines will not apply if companies acted appropriately to protect themselves against attacks, but suffered an attack anyway, and will only be used as a last resort. This is an implicit recognition that it is impossible (or at least prohibitively expensive) to protect against all cyberthreats all the time. But it will hopefully be enough to encourage utilities and other critical infrastructure operators to invest more in securing their IT and communications systems.

One of the most important aspects of the Government’s announcement is the plan to create a system for reporting cyberattacks and IT system failures, which should help enhance the knowledge of the types of risks facing the UK and formulate an effective response to them.

Some of the key threats highlighted are fundamentally issues relating to the energy and utilities sectors. These threats include attacks resulting in power outages or damage to critical transmission and generation equipment, or attacks on the water supply, or environmental hazards caused by infrastructure failures.

The UK has been trying to develop a more effective response to the growing cybersecurity threats to its critical infrastructure. These efforts led to the creation of the National Cyber Security Centre (NCSC) in 2017, which has a key role in developing cybersecurity policies and responding to emerging threats.

The Network and Information Security (NIS) Directive is the key piece of legislation making these fines possible. Interestingly (given the current debate around Brexit), the NIS is actually an EU piece of legislation that was agreed in 2016. The UK government has adopted it enthusiastically so far, and sees it as an integral part of its £1.9 ($2.6) billion National Cyber Security Strategy.

Increasingly, the UK is taking a more structured approach to managing cybersecurity threats to its infrastructure, and aligning itself with countries like the US and Germany. This is due to the increasingly sophisticated nature of cyberthreats, and the growing connectivity and processing capabilities across critical infrastructure, which has manifested itself in a number of attacks on critical infrastructure, such as the two targeting the Ukrainian power grid in recent years. A further reason for the renewed emphasis on cybersecurity is the UK’s effort to make its digital economy a more prominent part of the economy, something that requires robust cybersecurity and a perception of safety.