InfraSec: Securing the UK’s Critical National Infrastructure (CNI)

InfraSec: Securing the UK’s Critical National Infrastructure (CNI)

It is a challenging time to be a CISO at a European utilities and transport provider. Ciaran Martin, CEO of the National Cyber Security Centre (NCSC), has openly declared he is in little doubt the UK will experience a Category 1 attack in the near future, one that causes sustained disruption to essential services and could lead to loss of life. State-sponsored attacks on public services are becoming more evident, cyber-physical risk on industrial control systems is increasingly in the spotlight, and boards are starting to ask difficult questions about cyber defences and investments. And then there is the Networks and Information Systems Directive (NIS Directive).

CyberOwl has been spending time with utilities and transport CISOs across Europe to better understand how they are managing these practical challenges. This is an investment we regularly make as we believe this to be an important part of continuously developing our technology roadmap. On 8 October, in partnership with the London Office for Rapid Cybersecurity Advancement (LORCA), we hosted InfraSec, a gathering of cybersecurity leaders and practitioners from the top UK CNI organisations, particularly from the energy, water and transport sectors. Inevitably, the practical challenges of implementing the NIS Directive were front of mind.

Brief background to the NIS Directive

The NIS Directive has been in effect since May 2018. In the UK, the NCSC has developed a Cyber Assessment Framework (CAF) consisting of 14 principles for indicators of good practice (IGPs). This includes putting in place capabilities for security monitoring and proactive security event discovery. Non-compliance incurs fines ranging up to £17 million or 4% of a company’s global turnover, similar to penalties in GDPR. In reality, there are still a lot of practical challenges to overcome in implementing the CAF. Some of these were explored during InfraSec.

Practical challenges of implementation

Achieving the right balance between security and resilience. 100% security is difficult to achieve. Resilience is a better outcome and more practical target. Currently implementation of the CAF is heading down a checklist approach, and more work is needed to align this with overall resilience, rather than point security.

Prioritising focus on business criticality. There is insufficient clarity on how the indicators of good practice will be assessed and the extent to which this aligns with prioritising business-critical assets and processes. For example, the consensus view was that a bottom-up approach to understanding and inventorying every single IT and OT asset was neither practical nor achievable and therefore not necessarily effective to achieve resilience.

Balancing resilience across both operational technology (OT) and IT domains. Different emphases were being placed, across the sectors, on application of the CAF against IT and OT environments. While there was consensus that both domains needed to be considered together, there isn’t necessarily coherence or clarity in the detail of how the assessment will be applied.

Enabling effective threat intelligence sharing, beyond just compliant incident reporting. There was consensus that for true sector- and nation-wide cyber resilience in the UK’s CNI, effective structures for threat intelligence sharing needed to be put in place. Structured in the wrong way, the incident reporting mechanisms will only give rise to “must report” compliant behaviours, rather than effective threat intelligence sharing across organisations.

Deeper collaboration within and across sectors. The NIS Directive provides a platform to build true cyber resilience across the UK’s CNI. General consensus was that further collaboration and consultation was needed between OES and CAs and across sectors to deliver implementation of the Directive that achieved this common objective.