Over a third of national critical infrastructure organisations in the UK (39%) have not completed basic cyber security standards issued by the UK Government, according to data revealed under the Freedom of Information Act by Corero Network Security, a provider of real time DDoS defence solutions.
The fact that so many infrastructure organisations have not completed the ’Ten Steps to Cyber Security’ programme indicates a lack of cyber resilience within organisations which are critical to the functioning of UK society. It also suggests that some of these organisations could be liable for fines of up to £17m, or four percent of global turnover, under the UK government’s proposals to implement the EU’s Network and Information Systems (NIS) directive, from May 2018.
The Freedom of Information requests were sent by Corero, in March 2017, to 338 critical infrastructure organisations in the UK, including fire and rescue services, police forces, ambulance trusts, NHS trusts, energy suppliers and transport organisations. In total, 163 responses were received, with 63 organisations (39%) admitting to not having completed the ’Ten Steps’ programme. Among responses from NHS Trusts, 42% admitted not having completed the programme.
Sean Newman, Director of Product Management at Corero, commented: “Cyber attacks against national infrastructure have the potential to inflict significant, real life disruption and prevent access to critical services that are vital to the functioning of our economy and society. These findings suggest that many such organisations are not as cyber resilient as they should be, in the face of growing and sophisticated cyber threats.”
Critical infrastructure operators ignoring DDoS threats
Modern Distributed Denial of Service (DDoS) attacks represent a serious security and availability challenge for operators of essential services. This is why DDoS protection is highlighted within the government consultation on NIS as a mechanism that critical infrastructure should consider when protecting their services and availability from disruption caused by cyber attacks.
But while most people equate DDoS with high volume attacks, like that against DNS provider Dyn in 2016 that took down large parts of America’s internet, the vast majority of today’s attacks are actually short and low volume in nature. In fact, 90% of DDoS attack attempts stopped by Corero during Q1 2017 were less than 30 minutes in duration, and 98% were less than 10Gbps in volume. Due to their small size, these stealth DDoS attacks often go unnoticed by security staff, but they are frequently used by attackers in their efforts to target, map and infiltrate a network.
Worryingly, the Freedom of Information data revealed that most UK critical infrastructure organisations (51%) are potentially vulnerable to these attacks, because they do not detect or mitigate short duration surgical DDoS attacks on their networks. As a result, just 5% of these infrastructure operators admitted to experiencing DDoS attacks on their networks in the past year (to March 2017). However, if 90% of the DDoS attacks on their networks are also shorter than 30 minutes, as experienced by Corero customers, the real figure could be considerably higher.
Sean Newman, continued: “In the face of a DDoS attack, time is of the essence. Delays of minutes, tens-of-minutes, or more, before a DDoS attack is mitigated is not sufficient to ensure service availability, and could significantly impact the essential services provided by critical infrastructure organisations.
“By not detecting and investigating these short, surgical, DDoS attacks on their networks, infrastructure organisations could also be leaving their doors wide-open for malware or ransomware attacks, data theft or more serious cyber attacks. To keep up with the growing sophistication and organisation of well equipped and well funded threat actors, it’s essential that organisations maintain comprehensive visibility across their networks, to instantly and automatically detect and block any potential DDoS incursions, as they arise.”