A freedom of information request by Corero Network Security has revealed that there is a potential lack of cyber resilience among the providers of UK critical national infrastructure. Data shows that 39% of CNI organisations have not completed the government’s 10 Steps to Cyber Security programme, with 42% of NHS Trusts who responded admitting they had not completed the programme. Edgard Capdevielle, CEO at Nozomi Networks commented below.
Edgard Capdevielle, CEO at Nozomi Networks:
“With attacks on critical infrastructure increasing, and the potential impacts – imagine large-scale outages of electricity or water treatment – cyber resiliency needs to be a top risk management priority.
“This report emphasizes the impact of DDoS attacks and how they are often used as a cover to distract security teams while infecting systems with malware or stealing data. Such initiatives are often the first step in “low and slow” attacks that provide the perpetrators with the information and access they need to carry out system disruptions. Examples of this are the Ukraine power outages of 2015 and 2016, both of which involved cyber attacks which persisted for many months before culminating in shutdowns.
“In light of this information, CNI organisations should give a high priority to re-assessing their cyber security programs, evaluate where they are in relation to government recommendations, and inform themselves about current technologies available for protection.
“Today, there are cyber security and operational visibility solutions available that are safe to install on industrial networks and that rapidly detect unusual network communications or process variable changes. Such changes can indicate the presence of malware or the existence of a “low and slow” attacks. Once detected, actions can be taken to immediately to thwart or contain any damages. The right approach is to both shore up defenses and be able to quickly respond when attacks do occur.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.