The UK’s critical infrastructure organisations are skipping basic cybersecurity checks

Almost 40% of the UK’s national critical infrastructure organisations haven’t completed basic government-issued cybersecurity standards.

Freedom of Information requests sent by DDoS protection vendor Corero revealed that 39% of the organisations that responded – including NHS trusts, energy suppliers, fire and rescue services and transport organisations – have not completed the government’s “10 Steps to Cybersecurity” programme. According to Corero, this could expose them to millions of pounds in fines when the EU’s Network and Information Systems directive (NIS) comes into force in May 2018.

Corero Director of Product Management Sean Newman said cyber attacks against critical infrastructure “have the potential to inflict significant, real-life disruption” and that the vendor’s findings suggest many organisations “are not as resilient as they should be in the face of growing and sophisticated cyber threats.”


Operation overload

Distributed Denial of Service (DDoS) attacks are a widely used mode of assault on critical services. High-profile, lengthy incidents affecting Ukraine’s national power and postal services are indicative of the consequences, but Newman says short, sharp attacks can be just as dangerous, as they’re often used by cybercriminals to map and infiltrate target networks.

51% of organisations surveyed by Corero said they had nothing in place to detect or mitigate DDoS attacks – and 90% of those that detect attacks of under 30 minutes ignore them. Newman says that such oversight leaves critical infrastructure organisations open to “malware or ransomware attacks, data theft or more serious cyber attacks.”

Cybercriminals and state-sponsored actors are increasingly focusing on critical infrastructure targets – and using a variety of methods to carry out attacks, from the simplest phish to more sophisticated, stealthy Advanced Persistent Threats (APTs). In May this year, Britain’s NHS was just one of many critical service providers worldwide to be hit by the WannaCry ransomware attack. In July, Ireland’s Electricity Supply Board (ESB) revealed that its senior engineers were targeted with spear-phishing attacks in an attempt to steal credentials.

The UK’s Department for Digital, Culture, Media and Sport is currently seeking input from infrastructure providers and other interested parties on how best to legislate for – and enforce – cybersecurity standards.


The “10 Steps to Cybersecurity” programme is available here.

The UK’s Security of Network and Information Systems consultation document for NIS is available here.