Wednesday, April 22, 2026

Interview: Critical local infrastructure is missing link in UK cyber resilience

Critical local infrastructure that supports council services, social care services and local transport in the UK is falling through the gaps in government and business planning for cyber resilience, claims Jonathan Lee, director of cyber strategy at cyber security company TrendAI.

In an interview with Computer Weekly, Lee says that municipal areas, such as London or Greater Manchester, could be at risk from multiple cyber attacks that could damage local infrastructure, causing escalating problems for residents that could add up to severe disruption.

“We need to be thinking about what would happen if multiple attacks happened at the same time across the city region – and the human impact of not being able to do your job properly, not being able to travel around and not being able to deliver public services,” he says.

The Cyber Security and Resilience Bill (CSRB), which is currently going through Parliament, aims to ensure that critical national services, such as healthcare, water, transport and energy, are protected against cyber attacks that cost the economy billions of pounds a year. But local infrastructure has been relatively neglected, claims Lee.

The National Cyber Security Centre’s (NCSC) Cyber Assurance Framework, for example, aims to help operators of critical national infrastructure (CNI) demonstrate a base level of cyber security preparedness – but it is not mandatory, and not every organisation that should implement it is implementing it.

Whole of society risk

“We need to be more stringent in making sure that people are taking this seriously and are looking not just at their own organisation, but are looking at the whole of society risk,” says Lee.

Attacks on public services, such as council-run social care, can have a catastrophic, knock-on effect on the NHS and patient care, he adds.

There is a need for more “top-down” advice for regional infrastructure providers, from organisations such as the NCSC, which is not as well known as it could be among the companies and public sector bodies that provide local infrastructure.

“The message has got to be diffused down into local levels to ensure that a consistent message is spread out, and that can also be through industry partners. That is something I feel quite strongly about,” says Lee.

The Cyber Essentials programme, which has been updated to include new requirements for organisations to use multifactor authentication (MFA), and requirements for cloud providers to patch vulnerabilities within 14 days, has helped build resilience, but only for organisations that choose to adhere to it.

Keeping the resilience score

The UK government is also intending to publish a Cyber Action Plan in the coming months, which will guide organisations to get basic security right and improve their cyber security over time.

Although there is no shortage of initiatives and action plans, there is a danger that many of these plans will be left on a shelf.

One approach is for organisations to rate themselves on a scorecard for cyber resilience, on a scale of, say, 1 to 100, and to report their progress back to board-level directors.

“We need a mechanism to measure how impactful these interventions are, whether it be things like the Cyber Assessment Framework, Cyber Essentials or legislation,” says Lee.
