Critical national infrastructure: the Government warns business again

Storm warning

Inside the Enterprise: As waves and wind lashed the south west of England, the Government convened its COBRA emergency committee to organise a response this week. But elsewhere in Whitehall, another group of senior officials met to discuss another, potential, disaster: a cyber attack on the UK's national infrastructure.

The summit, hosted by Business Secretary Vince Cable, and the director general of GCHQ, Sir Ian Lobban, brought together the industry regulators for telecoms, energy, water and nuclear power, the Civil Aviation Authority, and the Bank of England.

The regulators were briefed on what ministers, and the security services, believe is a growing threat not just to government bodies, but commercial firms too.

A well-targeted cyber attack could cripple the UK's banking, finance and utility sectors or, at the very least, cause a lot of public inconvenience. The fact that, in critical infrastructure, private firms and government are so closely intertwined means that the failure of a commercial company due to an online attack has an impact far beyond its own shareholders.

This is not the first time that the Government has warned business about the cyber threat, and its role in combatting it. But it is the first time that regulators have been brought in to discuss cyber risks.

The regulators are, of course, responsible for maintaining supply, as well as areas such as competition and pricing. And they do have powers to require the companies they regulate to up their game, when it comes to protecting their networks. And that includes the cyber threat.

GCHQ will be encouraging businesses in the critical infrastructure sector to follow its 10 Steps to Cyber Security, which was issued last year. But GCHQ and government security advisers also want commercial firms to share more information about threats, and how they tackle them, as well as to carry out more cyberdefence exercises.

The financial services sector has recently carried out a number of such tests, led by the Bank of England.

A Cyber Task Force, led by the Cabinet Office and the ICAEW, the chartered accountants' body, recently issued separate guidance for organisations involved in corporate finance transactions, on how they could improve their information security, and so maintain the City of London's reputation as a safe place to do business. The Government has also contacted the heads of UK listed companies, to give them advice on cybercrime protection.

But the real concern among ministers and, it is easy to suspect, the specialists at GCHQ, is around government-led or government-backed attacks on the UK. This is where critical national infrastructure comes into play.

An attack on an investment bank or a law firm would be an embarrassment, and a nuisance for its clients. An attack that turned off the water pumps, or the ATMs, could lead to chaos. Security specialists have long worried that commercial firms represent a soft target.

That, though, is changing: commercial firms, or at least those in the CNI field, are starting to take cyber risk more seriously. According to Etienne Greeff, CEO of SecureData, a consultancy, business leaders are starting to ask about the 10 Steps document, and ask if they are doing enough. That, at least, is a step in the right direction.

Stephen Pritchard is a contributing editor at IT Pro.