CNI Firms Face £17m Fines as NIS Consultation Begins

The government has released its proposals for implementing into UK law a new EU Network and Information Systems (NIS) Directive which focuses on improving security in critical infrastructure firms.

The NIS Directive has largely been overshadowed by the GDPR, which covers consumers’ personal data, but is no less important.

It’s designed to raise security standards so that UK operators in electricity, transport, water, energy, health and digital infrastructure are able to meet the challenges presented by modern cyber-threats.

As part of this, fines of up to £17m or 4% of global annual turnover – the same as the GDPR – will be levied on providers that suffer an attack because they have not adequately assessed the risks, taken appropriate security measures or engaged with ‘competent authorities’.

“We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber-attack and more resilient against other threats such as power failures and environmental hazards,” said digital minister Matt Hancock, in a statement.

“The NIS Directive is an important part of this work and I encourage all public and private organizations in those sectors to take part in this consultation so together we can achieve this aim.”

Industry body techUK welcomed the move to improve the resilience of CNI operators. The NHS in particular seems to be struggling with the threat from cyberspace, as evidenced by the impact of WannaCry on hospital IT systems.

“Questions remain, however, over the scope of ‘essential services’ that the Directive should cover as well as the timelines with which companies should be expected to report an incident,” argued Talal Rajab, techUK's head of program for cyber.

“techUK will be consulting with its membership in particular to see how these measures will affect digital service providers and will be providing feedback to DCMS via workshops.”

Azeem Aleem, director in RSA Security’s Advanced Cyber Defence Practice EMEA, argued that CNI firms are often dependent on legacy infrastructures into which they have little visibility.

“They are unable to correlate security events to specific business outcomes – a problem we call the ‘Gap of Grief’,” he added. “Take the recent wave of WannaCry and Petya attacks; the industry was quick to cry ‘patch’, but actually that isn’t always possible as patching systems without proper testing could actually cause more damage.”

The consultation will last until September 30.
