back to article UK infrastructure failing to meet the most basic cybersecurity standards

More than a third of national critical infrastructure organisations have not met basic cybersecurity standards issued by the UK government, according to Freedom of Information requests by Corero Network Security. The FoIs were sent in March 2017 to 338 organisations including fire and rescue services, police forces, ambulance …

  1. Prst. V.Jeltz Silver badge

    details!

    so wheres the results? I want to know what the responses were. Or is that now commercially sensitive information that this security company dont want want their competitors to have? damn! I'll have to FoI all 338 myself...

  2. 0laf Silver badge

    Hmmm having been on the end of these FOIs on many occasions I'd read the results with a very large pinch of salt.

    If you were to ask me "Have you completed the gov 10 steps..." the answer would be 'no'.

    But it's no becasue the 10 steps are aimed at SMEs not major parts of the CNI and most of the public sector already accredits to multiple standards all much higher than those requirements so why would we bother with that basic one?

    Keep peddling the snake oil boys

  3. Anonymous Blowhard

    "In the event of a breach, critical infrastructure organisations could be liable for fines of up to £17m, or 4 per cent of global turnover, under the government's proposals to implement the EU's Network and Information Systems (NIS) directive from May 2018."

    This makes no sense whatsoever; how would fining the NHS improve security? The fine is paid for using the same taxes we need them to spend on saving lives, and would only be triggered in the event of something going wrong.

    How about being proactive and empowering a separate body to review and improve cyber-security for critical infrastructure organisations? This would fall under the defence budget and should probably be implemented, or at least overseen, by GCHQ**; failure to cooperate should result in jail time for senior management from the critical infrastructure organisations rather than meaningless fines from the public purse.

    ** This should be one of GCHQ's primary roles anyway if they're supposed to be the UK's primary organisation for cyber-security. It might also keep them too busy to indulge in snooping on the UK public.

    1. Aitor 1 Silver badge

      Morale

      the beatings will continue until morale improves

      There, that is how fines will help the NHS.

      The problem is.. who is guilty really?

    2. amanfromMars 1 Silver badge

      Something to Keep Everyone Engaged and Busy as Can Be....

      How about being proactive and empowering a separate body to review and improve cyber-security for critical infrastructure organisations? This would fall under the defence budget and should probably be implemented, or at least overseen, by GCHQ**; failure to cooperate should result in jail time for senior management from the critical infrastructure organisations rather than meaningless fines from the public purse.

      ** This should be one of GCHQ's primary roles anyway if they're supposed to be the UK's primary organisation for cyber-security. It might also keep them too busy to indulge in snooping on the UK public.

      I second those Sterling Stirling eMotions, Anonymous Blowhard. MI5, Palace Barracks, Holywood could surely easily host mentoring and monitoring of all manner of Grand Virtual Master Pilot Programs with live working test beds in UKGBNI, the proving ground of Perfectly Provided Product for Global Distribution via Advanced IntelAIgent Means with Virtual Memes/SMARTR Agencies.

      It is not as if they have not already been dabbling wildly in what is a really ancient art now graced with fantastic technologies to deliver an overwhelming leading edge leaving opposition and competition in their wakes. ........... although failure to achieve that is unquestionably an in-house problem caused by a lack of necessary intelligence supply.

      New Untested Supply = Other Different Problems and/or Alternate Solutions. It would certainly not be just more of the same to continue the Status Quo.

      You can be sure that there are myriad nations/administrations with just the same problem for resolution with Perfectly Provided Product for Global Distribution via Advanced IntelAIgent Means with Virtual Memes/SMARTR Agencies ........ and thus is the Supply Extremely Valuable.

  4. steelpillow Silver badge

    10 Steps is just a primer you throw at pointy-haired managers who think they don't have a problem. Mind you, there are more than a few in the NHS who need it personally ramming up their jackzi.

    But most uk govs are doing their best in impossibly underfunded circumstances. They deserve credit for what they have achieved, not slagging off for imaginary slips.

    1. Anonymous Blowhard

      @steelpillow

      I agree that most people in these organisations want to do as good a job as possible; my point was that, rather than fine healthcare experts or gas-supply experts for being crap at cyber-security, we should be making use of government cyber-security experts to help them. I'm pretty sure that increasing GCHQ's budget to cope with the extra load will be more effective than throwing NHS money at external consultants, like Capita, to solve the problem; it might even be cheaper than what we're paying for already if we pool the budgets of the various critical infrastructure organisations into a single pot.

      1. steelpillow Silver badge

        @Anonymous Blowhard.

        I wasn't really commenting on your post, just having my own ramble.

        I suspect that the extent of involvement by government cyber-security experts may be masked in the many orgs who refused to comment fully for reasons of national security. Mind you, who's to say that GCHQ's instinct would not be to throw the extra cash and workload straight at Crapita because even they can not easily magic up a new task force of experienced cyber-security professionals out of their pool of low-paid career bureaucrats. IR35 has a lot to answer for.

        1. Anonymous Blowhard

          @steelpillow

          I think your point about cyber-professionals is valid, but this is a national security issue that will be with us as long as we're using IT in critical infrastructure; so it's worth investing in long-term solutions like a dedicated unit within GCHQ. It will take time to build the skills, but it's the difference between a nation having it's own army and paying for the loyalty of mercenaries.

          1. amanfromMars 1 Silver badge

            Hot Station XSSXXXX Stuff and No NonSense

            so it's worth investing in long-term solutions like a dedicated unit within GCHQ. ... Anonymous Blowhard

            Surely what is needed is not another wayward bastard child like NCSC but a Colossal Bletchley Park type Operation dispensing and tendering Secret AIMissions.

            Are military chiefs responsible for that program failure if it isn't live and a reality for presenting the future to the past ....... although perhaps they could be excused and defended and found innocent if they be in full ignorance of NEUKlearer HyperRadioProActive IT Systems ready, willing and able to enable the above ...... however then would they be proven guilty of a lack of intelligence and gross negligence in office whenever aware of such OtherWorldly Field Developments.

            'Tis a major catastrophic problem most everywhere nowadays ...... It is quite difficult to find the right prime staff to server and protect premium product in a world of sub-prime garbage ..... and one wouldn't want to be terrifying the natives with the telling of fantastical tales which are extremely sensitive and best reserved for competent Advanced IntelAIgent leaders. They struggle and fail miserably to deal with the Present Madness and Administered Mayhem fed to them currently every day.

            Many would tell you that continuation and continuity of that global struggle and systems failure is the Past Grand Masters' Master Plan but it sure as hell aint no Great Game Play and has now run its course. New Players AIMastering Grand Plans are out and about testing Novel Fields for Live Operational Virtual Environments with NEUKlearer HyperRadioProActive IT.

            cc .... Air Chief Marshal Sir Stuart Peach GBE KCB ADC DL, Chief of the Defence Staff :-) Blow that full ignorance away

  5. B*stardTintedGlasses

    I can honestly say this is almost exactly what I would have guessed if someone had asked me to estimate how "Secure" the Critical National Infrastructure is as a whole.

    It's an absolute joke how little investment has been put into securing it and educating its various staff, from PHB to users. I know a couple of IT bods working in the various industries involved, and they all have the same story; basically any mention of security is immediately shot down.

    The poor b*ggers are struggling to get any traction at all with management to do desperately needed patching etc, but they have no funds/backing and certainly are not allowed the down-time they need.

    It's only now that various regulations that have some teeth (GDPR et al) are coming into play that the various managers are adopting panic mode and screaming at the techies to "do something".

    *Sigh*

    "plus ça change, plus c'est la même chose"

  6. John Smith 19 Gold badge
    Unhappy

    Naturally all of these questions were answered in a completely honest way.

    Really?

    Sure about that?

    Because only roughly 1/2 of the organizations could even be bothered to answer the FoIA request.

    Is that legal?

    Or did 1/2 of them say "It's tooooo expensive to answer your question."

    That looks more like an excuse than a reason every time I see it.

    1. shifty_powers

      Re: Naturally all of these questions were answered in a completely honest way.

      Legal? Yes. But morality, ethics and what is truly in the public interest are not necessarily the same as legal.

    2. Anonymous Coward
      Anonymous Coward

      Re: Naturally all of these questions were answered in a completely honest way.

      " "It's tooooo expensive to answer your question."

      That looks more like an excuse than a reason every time I see it."

      Lady at desk near me answers these. She says most of the time its companies doing market research asking stupid questions like "Please give it spend split by desktop / tablet / laptop" , which apparently is tricky for us to do .

    3. Anonymous Coward
      Anonymous Coward

      Re: Naturally all of these questions were answered in a completely honest way.

      Not it's not legal for them not to answer and you have the right to review and after that to go to the ICO or SIC although that will not fit with journalistic timescales.

      As a small local authority we dealt with approximately 1400 FOI requests last year and are on target for 1600 this year. It takes a significant amount of time and money to deal with those requests. I am aware of staff going off on sickness due to the stress caused by dealing with FOI.

      It's not a surprise that a request from a journalist may not be prioritised over the day job. For example I can review the safety of my nuclear reactor or I can answer the 3 FOIs that have built up on my desk. Which task will cause the most bother if not completed (i.e. will anyone die) and which will I get roasted for not doing?

      Understandably the day job usually wins. As the cutbacks continue don't expect your FOIs to get any further up in anyone's list.

      I do understand that your request is important to you. But If I've had 60 others that day from political wonks, students wanting us to do their research for them, businesses fishing for leads, ambulance chasers and vengeful locals (usually obsessed with dog turds or their neighbours) then it's just another bit of paper on the pile.

      1. Anonymous Coward
        Anonymous Coward

        Re: Naturally all of these questions were answered in a completely honest way.

        This week I've spent over 10 hours so far answering FOIs from tech journalists and businesses touting for manager names etc.

        FOI is getting out of control. I can't get on with my actual job and we have TWO full time members of staff handling FOIs now because we get so many (3000/year and increasing).

        1. Anonymous Coward
          Anonymous Coward

          Re: Naturally all of these questions were answered in a completely honest way.

          We provide outsourced IT for a number of organisations who get FOI requests regularly. Often these involve lengthy search / collate / retrieval from email / servers, so naturally they get logged as a support ticket.

          The first few were painful but we got them completed, but when they started coming in 2 or 3 requests a week we started to say that these would incur 'out of contract' charges' as they tied up our technicians on admin when they should be fixing stuff. No client complained about this - it gave them the chance, if they wished, to counter the request with 'too expensive and / or time consuming to fulfil'.

  7. Sirius Lee

    Must be true because...

    There's money to had writing a report that concludes: "Everything is just fine.".

  8. Roland6 Silver badge

    Corero - What a surprise, not!

    "Corero provides DDoS protection and mitigation against a wide range of DDoS attacks for hosting and internet service providers, and enterprises."

    https://www.corero.com/

  9. Halfmad

    Dial it back a bit

    "not having completed the 10 steps"..

    That doesn't mean they wouldn't comply with them if they did. Does national infrastructure need to comply with every standard and recommendation going even when that would literally be impossible as many contracted each other in minor or major ways?

  10. Roland6 Silver badge

    DDoS Attacks

    The findings suggest that many key organisations are not as resilient as they should be in the face of growing and sophisticated cyber threats. Corero's questions revealed that by not detecting and investigating brief DDoS attacks, organisations could be "leaving their doors wide-open for malware or ransomware attacks, data theft or more serious cyber attacks".

    When asked "Have you suffered Distributed Denial of Service (DDoS) cyber attacks on your network in the last year?", just eight organisations (5 per cent) responded "yes".

    These statement don't really add up.

    Firstly, only 8 out of 338 organisations (less than 5%) admit to having suffered a DDoS attack ie. an attack of sufficient scale that it triggered an event that was identified as being caused by a DDoS. This is an interesting fact as it would seem full-scale DDoS attacks are relatively rare.

    Secondly, there is the presumption that 'brief' or attempted DDoS attacks aren't being detected and dealt with, either by an organisation or by ISP's. For example, I don't know how many attacks I've experienced today - I suppose I could go into the logs, but why? My security suite protects' against many attacks by blocking certain access behaviours associated with attacks and I've not noticed any degradation in my internet service to warrant investigation.

    As for Corero's questions, well we only have their word, this press release is all I can find on their website:

    https://www.corero.com/company/newsroom/press-releases/uks-critical-infrastructure-skipping-basic-cyber-security-checks-and-ignoring-ddos-threats-/

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019