Protecting vital services with cyber legislation

Imagine if, in the depths of winter, a whole country’s gas supply was switched off and held to ransom by determined hackers out for a quick pay-off.

In today’s digital world, it is impossible to be fully secure. And when an organisation’s services play a vital role in society, such as critical national infrastructure, it is not just businesses that lose out in a cyberattack, but the entire economy.

From companies that keep electricity and water flowing to those providing healthcare and passenger and freight transport, the reliability and security of these organisations are pivotal to everyday life, according to the National Cyber Security Centre.

These players, known as operators of essential services or OESs, have over recent years experienced high-profile outages as they increasingly become targets for cybercriminals, such as the 2017 WannaCry ransomware attack that took down NHS systems and the attacks on utility networks in Ukraine and the United States in 2015 and 2016.

In a bid to limit such attacks, the Network and Information System (NIS) Directive was approved by the European Union in August 2016. The legislation became enforceable in the UK from May 10 2018, the same month as the much-publicised General Data Protection Regulation (GDPR) was launched, with 20 other EU member states working within similar timelines.

The NIS Directive aims to ensure that OESs – where compliance is overseen by the sector regulator and/or responsible government departments acting as the competent authorities – are prepared to deal with the increasing numbers of cyberthreats.

While the directive concerns loss of service rather than loss of data, which falls under the GDPR, the penalties can still be just as punishing. Operators that fail to implement effective cybersecurity measures, as outlined by the directive, could be fined as much as £17 million-plus. In addition, they could fall foul of double jeopardy if the incident also involves a breach of personal data, in which case they could also be fined, under the GDPR, up to 4 per cent of their global turnover or £20 million, whichever is greater.

But would the NIS directive have prevented the attacks? “In today’s digital world, there is no such thing as 100 per cent secure,” says Nik Whitfield, chief executive of Panaseer, a London-based organisation that claims to monitor some of the world’s most prominent companies’ technology estates. “It’s always easy, with the 20/20 vision you have when looking back, to say things could be prevented in a perfect world.

“The fact is there is the perfect world and then there is the real world. In the real world, there are limited budgets and resources, which get in the way of best practice. If you are to stand a genuine chance of combating threats successfully and addressing myriad compliance issues facing all industries, you need a different playbook.”

Mr Whitfield says organisations must move from “firefighting” to “fireproofing”: preparing and protecting against cyberthreats instead of simply detecting, monitoring and responding to them.