It's now "impossible" to protect critical UK infrastructure from cyber attack

Image of construction workers representing UK infrastructure

MPs and Lords have warned it's "impossible" to completely protect the UK's infrastructure from a WannaCry-scale cyber attack, with mitigation quickly-becoming a new normal'.

Several factors stand in the way of fully securing the UK's critical national infrastructure (CNI), including an increasingly complex security landscape, and the government's failure to define what it considers to be critical, according to the Joint Committee on the National Security Strategy (JCNSS).

In a report assessing the scale of threat the UK faces, the Parliamentary committee also said laws stemming from EU-wide regulations have been useful, but do not go far enough.

"'Critical' national infrastructure is, by definition, a priority for the Government and industry. However, as the economy becomes more interconnected, it is increasingly difficult to determine which elements are truly critical," the JCNSS report said.

"Fast-changing threats and the rapid emergence of new vulnerabilities make it impossible to secure CNI networks and systems completely.

"Continually updated plans for improving CNI defences and reducing the potential impact of attacks must therefore be the 'new normal' if the Government and operators are to be agile in responding to this changing environment and in taking advantage of constant technological innovation."

The committee raised concerns that the expectations for the National Cyber Security Centre (NCSC), formed to provide cyber training and leadership for UK organisations, is outrstripping its resources.

NHS Digital deputy chief executive Rob Shaw revealed in evidence that he had expected an "army" of experts to support the NHS through 2017's WannaCry attack, but soon learned the NCSC lacked staffing to help out on the ground.

JCNSS said it had concerns about the NCSC's capacity to meet growing demand for services and expertise, and that its effectiveness will be limited in future unless it can recruit at the appropriate scale.

The government must also publish a ten-year plan for the institutional development of the NCSC, setting out the resources and staffing levels it expects the organisation to need.

The committee made several further recommendations for the government and for businesses, including instigating a cultural change among CNI-linked organisations, and for politicians and ministers to take initiative in making cyber resilience a priority.

Private sector companies overseeing CNI, as well as firms comprising the supply chain, should consider cyber security as another business risk, and proactively manage threats. This is especially true where "commercial interests may not always align with the demands of national security".

Moreover, the government needs to appoint a cabinet office minister charged with overseeing the resilience of CNI, instead of patchwork of multi-ministerial oversight that exists currently.

Under the current structure, each department would have a different approach to overseeing cyber security in its constituent sectors, with occasional overlap.

A more focused and proactive leadership from central government is needed to ensure cyber security is handled in a more consistent way, the report continued, and blasted the status quo of ministers only occasionally checking-in as "wholly inadequate".

"It's vital that that short-term memories and political distractions such as Brexit do not derail focus from these important initiatives," said Mimecast's cyber resilience expert Pete Banham

"Private sector businesses today need a risk and security champion in the boardroom; likewise, it's time Government had a cyber tsar in the Cabinet.

"Minimising the impact of attacks should be top priority as a defence-only strategy is doomed to fail. This should include regular fire drills' for all employees to respond to and recover to cyber-attacks.

"We've seen a growing number of CNI organisations, including the NHS, make determined moves to adopt more resilient postures in the last two years. WannaCry helped focus attention and budget allocation but still more needs to be done."

Stuart McKenzie, FireEye's vice president for EMEA, meanwhile warned much of the technology used within CNI remains fragile and relies on outdated standards of security.

"The threats facing CNI have constantly evolved, meaning that today's threat is something that wasn't imaginable when many of the systems were originally designed, leaving them increasingly vulnerable," he said.

"These are not quick problems to solve, but they are not insolvable. We would recommend that CNI organisations conduct a mapping exercise to understand their exposure and risk and put in place some controls to protect the most critical threats.

"With breaches becoming inevitable, organisations need to not only to set defences and identify attacks, but crucially to have a really clear understanding of what to do in the event of a breach - every organisation needs to have a really clear incident response plan that's well tested and regularly rehearsed."

Mandatory policy decisions should also be implemented, the report recommended, including a plan to roll-out penetration-testing for CNI-linked organisations, and continued membership in key EU groups and information-sharing schemes following Brexit.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.