£17 million fines for CNI companies under proposed EU SNIS plans

News by Tony Morbin

Under an (NIS) directive being adopted by the UK, CNI providers will face fines of £17 million or up to four percent of annual turnover if they fail to protect critical infrastructure from loss of services due to cyber-attacks.



Just as commercial companies must protect loss of customer data under EU GDPR or face huge fines, now electricity, water, energy, banking, financial markets, transport and health infrastructure providers will also face the same fines  (£17 million or up to four percent of annual turnover) if they fail to  protect critical infrastructure from loss of services due to cyber-attacks.

Despite the vote to leave the EU, the UK Government signalled its intent to support the aims of the Directive the EU's Security of Network Information Systems (NIS) directive to secure the UK's essential networks and services and today UK digital minister Matt Hancock announced  the government's plans to implement the directive from May 2018 as part of a consultation by the Department for Digital, Culture, Media and Sport.

Minister for Digital Matt Hancock said the aim is to make the UK's essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards.

Under the proposals:

·  Member states preparedness by requiring them to be appropriately equipped, eg via a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority. 

·  It requires cooperation among all the member states by setting up a cooperation group to support and facilitate strategic cooperation and the exchange of information. They will also need to set a CSIRT Network to promote swift and effective operational cooperation on specific cyber-security incidents and sharing information about risks.

·  A culture of security across sectors which are vital for the economy and society and rely heavily on ICTs. Businesses in sectors  identified as operators of essential services will have to take appropriate security measures and to notify serious incidents to the relevant national authority. Key digital service providers (search engines, cloud computing services and online marketplaces) will have to comply with the security and notification requirements under the new directive.

Currently the Data Protection Act limits fines levied by The Information Commissioner's Office (ICO) to £500,000 so this is a significant increase. 

Had the directive applied when the NHS when it was hit by the WannaCry ransomware in May it would have faced heavy fines; other sectors relying on legacy systems are equally vulnerable, with NCSC CEO Ciaran Martin pointing out, “many organisations need to do more to increase their cyber security.

However the government release also says that, “fines would be a last resort, and they will not apply to operators that have assessed the risks adequately, taken appropriate security measures, and engaged with competent authorities but still suffered an attack.”

It goes on to add that operators of CNI will be required to,  “... develop a strategy and policies to understand and manage their risk; to implement security measures to prevent attacks or system failures, including measures to detect attacks, develop security monitoring, and to raise staff awareness and training; to report incidents as soon as they happen; and to have systems in place to ensure that they can recover quickly after any event, with the capability to respond and restore systems.”

Several industry commentators emailed SC to provide their perspective, with key points including the need for this change of mindset to include CNI, and CNI's general lack of preparedness due to legacy systems that fail to provide visibility of the infrastructure.

Dr. Jamie Graves, CEO, ZoneFox  makes the data/service comparison saying, “GDPR was spoken about extensively at its 'one year to implementation' as a game changer. NISD is no different and provides clear directives and repercussions for critical infrastructure - a vital area to secure in the fight against cyber crime.

“May's WannaCry attack is a clear proof point for why the NISD is much needed. The way in which businesses need to secure themselves is no different from a phone shop to the National Grid. Data is the key piece of the puzzle, or more specifically, an awareness of data. Making sure that you have network visibility of information - and those accessing it - while it is stored, on the move or taken off the network is the first line of defence against any attack or potential attack. Coupling this with a reporting system that can alert the necessary authorities as quickly as possible and a robust backup will mean essential services are kept online and are in a much stronger position to protect themselves.”

In an email to SC Azeem Aleem, director - Advanced Cyber Defence Practice EMEA at RSA Security, agrees, making the point that, “Our critical infrastructure is just that, critical. Protecting it is a matter of national security,” but he noted how it is only in recent years that old manual systems have been ‘digitised' and connected, noting, “For years prior the whole focus has been on physical security, which means these companies are often years behind those in banking and retail, per se. So they have a long way to go if they are to comply with the directive.” 

Greg Day, VP and regional chief security officer EMEA, Palo Alto Networks focussed on prevention, emailing SC to say: “A significant element of the NIS directive it its specific requirements to prevent breaches from occurring in critical services in the first place. We've seen many organisations slip into the mindset of accepting that incidents will occur, and focusing their energy on how to clean up and manage the damage after the breach has struck them. This isn't acceptable, especially when any disruption of those services would have a serious, sometime immediate, impact on society and the economy.

“Most providers of critical services are recognising this and they must continue to focus on evolving how they can prevent breaches. This consultation announcement therefore is a timely reminder of the importance of this, whilst also providing the opportunity to provide input on what is pragmatic and leverage cross industry knowledge & best practice. Organisations must start embracing state of the art cybersecurity capabilities, including automation to reduce exposure and prevent attacks in an increasingly diverse digital world.

Aleem's advice is -  visibility and context. “This means conducting a thorough risk assessment, understanding the dependencies between systems, using threat detection to monitor and alert on attacks, and contextualising results with business context in order to prioritise events.”  Though Aleem adds, that for CNI, “patching systems without proper testing could actually cause more damage.”

For Dean Ferrando, systems engineering manager (EMEA) at Tripwire the focus is on “...implementing a defence system that focuses on the fundamentals; the people, the process and the technology, enterprises can already take the necessary steps to greatly reduce the risk of suffering a cyber-attack and being fined, which could potentially put a company out of business.”

Ross Brewer, VP and MD EMEA at LogRhythm commented, “As we saw with WannaCry recently, the consequences of an attack on our critical national infrastructure are unthinkable. Cyber-crime is no longer a game involving hackers manipulating people and computer systems to get their hands on valuable data or money. The stakes are now much higher, with criminals proving they are capable of disrupting services that can effectively cripple an economy, a country's stability and, worryingly, our lives.”

Oliver Pinson-Roxburgh, EMEA director at Alert Logic  added, “its shocking that not more organisations are concerned about or talking about it (CNI protection) over or in addition to GDPR.”
Brewer continues, “As attacks on our infrastructure become more commonplace, businesses need to take these government proposals seriously. The fines are high, and are a reflection of how dangerous today's cyber criminals are and the threat they pose to our country. Unlike traditional warfare, cyber-attacks are ‘invisible' and often easy to forget until you become a victim, and they have the potential to be far more catastrophic. To avoid these fines and ensure their services are protected from modern-day and future threats, businesses must have intelligence that gives them deep, consistent visibility across their entire network so hackers can be stopped.”  

Adam Nash, EMEA Regional Manager, Webroot  emailed SC to say, “I think this shows how seriously the government is taking cyber-crime and the threat that this poses to infrastructure and critical services in the UK. We have started to see gangs of cyber-criminals launching targeted attacks to businesses holding critical systems to ransom knowing that the companies cannot function without those systems. This is no longer about haphazardly encrypting machines but about taking specific resources offline as this gives a much better chance of a ransom being paid. With state sponsored cybercriminals also targeting critical assets like power and health services these legislations have come at the right time.”

Bill Evans of One Identity suggests that, "It seems that this action is really a reaction to several changes befalling the UK recently.  First, as the UK departs the EU, it is taking proactive steps to protect information in the online world.  This means that the UK must conjure up legislation which closely mimics the EU's GDPR, which is slated to take effect next year.  At the same time, the UK was brutally hit with the WannaCry virus earlier this year negatively impacting several operators, notably the NHS. This particular piece of legislation appears to be a reaction to both of those events. “

Evans adds, In general, legislation of this type sounds great at the surface, but the “devil is in the details.”  What does it mean to take steps to prevent a cyber-induced stoppage in service?  Does it include specific technologies like multi-factor authentication and privileged management but not access governance?  Is access governance part of the base capabilities an organisation should enact?  It should be noted that the UK government is holding workshops with operators so they can provide feedback on the proposal.  Ideally this type of communication will remove the devil as the details are defined." 

Kirill Kasavchenko, principal security technologist, EMEA at Arbor Networks agrees saying, “A possible £17m fine means businesses cannot afford to be complacent about their cyber security strategy.  Businesses need to develop a formal strategy against cyber-attacks that includes a robust incident response plan – and these should be adaptable should new threats emerge. Organisations should instrument their internal networks so that they have broad and deep visibility of network traffic, threats and user behaviour. Most importantly, companies need to respect that their employees can be their biggest weakness or their biggest asset – and the key to the latter is ensuring a culture of security where staff offer an extra defence against cyber threats. Employees should keep an eye out for malicious activity and must understand best practice in minimising damage.

Talal Rajab, techUK's head of programme for cyber suggested that questions remain over the scope of “essential services” that the Directive should cover as well as the timelines with which companies should be expected to report an incident. He told SC: “techUK will be consulting with its membership in particular to see how these measures will affect Digital Service Providers and will be providing feedback to DCMS via workshops.”

In particular Rajab points out that, “The directive also adds in the new category of Digital Service Providers, which both highlights society's dependency on technology, and increases the scope of organisations that will be covered under the directive.”

Paul Farrington, manager, EMEA Solution Architects at Veracode notes the recent significant shift concerning cyber-security regulation and putting the responsibility for cyberattacks on organisations where inadequate cyber-security processes were in place. He says, “... the onus is now being placed on firms to maintain a minimum standard of cyber-security and to face severe consequences if they suffer a cyber-attack as a result of not meeting it. In a landscape of increasing cyber breaches, with the UK Government claiming that nearly half of UK firms have been hit by a cyber-attack in the last year -  this proposed legislation is very welcome. The government is providing a clear signal to firms operating within the UK, that fines relating to negligence in protecting personal data, will outstrip the cost of doing the right thing in the first place.”

Jens Monrad, senior intelligence analyst at FireEye asks how prepared the critical infrastructure industry currently is for such attacks. He notes that, “A lot of CNI is still built on a foundation of fragile infrastructure, in many cases, not originally designed to be connected to the internet. Many organisations have used solutions, bridging these systems to either company infrastructure for easier maintenance or connected directly to the internet for remote support and third party access.  In many instances, the cyber defence perspective has not been prioritised, either because of lack of understanding or lack of resources.  This becomes a huge worry with CNI, because, as we have witnessed in Ukraine, and more recently with the alleged ransomware “NotPetya”, cyber-attacks, can have real-life and economic consequences for citizens and enterprises, depending on the severity with a fatal outcome.

“This gap is widened by many organisations not having enough resources to prioritise security, to establish sufficient monitoring of critical assets or even to train personnel who operate CNI in cyber security – but with firms now required to prove their strategies, this will need to change. Today one of the biggest challenges is the lack of insight into this infrastructure. Operating critical infrastructure built on ICS requires a different skillset to your typical IT operations and because of this, there exists a gap where ICS is sometimes not instrumented and monitored by security personnel. 

Monrad  concludes, “To build an effective cyber defence program within CNI companies, they first need to address the lack of visibility and lack of data, due to the nature of how many of these systems are designed. When they have addressed these two challenges, they should move into building a programme which can address and answer these three questions:

1)    How can / do they detect threats within ICS networks? Is ICS part of the cyber security routines within the company?

2)    Do CNI companies have an adequate plan for responding to cyber threats, attacks and breaches within ICS environments?

3)    Can CNI companies contain the threat, isolate and remediate it, while making sure they are still operational?

The government consultation documents are available online.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews