Over a third of critical national infrastructure (CNI) service outages in the UK over the past two years were caused by cyber-attacks, according to responses to a new Freedom of Information (FoI) request.
Corero Network Security received responses from over 200 CNI organizations including fire and rescue services, police forces, ambulance trusts, NHS trusts, energy companies, water authorities and transport bodies.
It found that 70% had suffered a service outage over the past two years, with 35% of these disruptions down to cyber-attacks.
Part of the reason for this level of disruption could be ineffective patching. Some 11% of respondents said they do not ensure that security patches for critical vulnerabilities are routinely applied within 14 days of release.
A new EU law, the NIS Directive, will land next week that could levy GDPR-level fines on CNI organizations which fail to put in place adequate security.
Corero claimed that had maximum fines been levied on all cyber-incidents causing service outages over the past two years, it could have cost the economy a staggering £2.5bn.
On the plus side, 98% of the CNI organizations polled said they follow the National Cyber Security Centre's (NCSC) 10 Steps to Cyber Security best-practice guidance.
Corero president Andrew Lloyd argued that those guidelines are too reactive, although the NCSC has since released detailed guidance on how operators can meet the requirements of the NIS Directive.
“Across all sectors, we are seeing a greater number of sophisticated and, when undefended, damaging cyber-attacks. Government ministers and agencies have reported that these attacks are increasingly believed to be the work of foreign governments seeking to cause political upheaval,” Lloyd continued.
“The head of the National Cyber Security Centre has already warned that it is a matter of when, not if, the UK experiences a devastating cyber-attack on its critical infrastructure. The study poses serious questions about the UK’s current capability to withstand such an attack.”