Fines to improve UK’s energy sector cybersecurity?

Organisations that don’t implement “effective” cybersecurity measures could face hefty fines.
Published: Wed 16 Aug 2017

Organisations could be fined as much as £17m or 4% of global turnover if their cybersecurity is not up to scratch, according to the UK Government. The government is aiming to ensure that essential services like energy, water, transport, health and digital infrastructure firms are geared to handle the escalating number of cyber threats.

Companies are expected to develop strategies to cover power failures and environmental disasters, raise staff awareness and training and develop security monitoring to ensure a quick recovery following an event.

The government said that the fines will be a “last resort” and will not apply to firms that have assessed the risks adequately, taken appropriate security measures and engaged with competent authorities.

The move comes after the UK’s National Health Service (NHS) became a victim of a global ransomware attack which affected operations severely. The attack, which had infected a large number of computers across the health service, was linked to WannaCry malicious software.

Energy sector faces increasing attacks

Just last month, the UK’s National Cybersecurity Centre (NCSC) warned that the UK energy sector is likely to have been targeted and probably compromised by nation-state hackers.

The NCSC, a subsidiary of The Government Communications Headquarters (GCHQ), warned that it had spotted connections “from multiple UK IP addresses to infrastructure associated with advanced state-sponsored hostile threat actors, who are known to target the energy and manufacturing sectors.”

This implies that direct connections are being made between computers in the UK’s energy sector and the attacker’s command-and-control apparatus.

During the same month, there were reports that Ireland’s Electricity Supply Board was targeted by a group with ties to the Kremlin. Meanwhile in the US, 18 energy companies were sent phishing emails attempting to steal credentials.

Security attacks have been going on for some time now and are only increasing. In 2013, security researchers were identifying major vulnerabilities in power grids that allowed a remote hacker to take control of plant control systems, while Ukraine became one of the first countries to see the physical results of such attacks in 2016, when a blackout across western Ukraine was caused by a malware called “BlackEnergy”.

UK cybersecurity strategy

The plans, part of the government’s £1.9bn investment to “significantly transform” the UK’s cyber security, are being considered as part of a consultation launched by the Department for Digital, Culture, Media and Sport.

The department says that firms which take cybersecurity seriously should already have measures in place to safeguard them against cyber attacks.

Digital Minister Matt Hancock said: “Network and information systems and the essential services they support play a vital role in society, from ensuring the supply of electricity, water and health services to the provision of passenger and freight transport. Their reliability and security are essential to economic and societal activity and the functioning of UK and European markets.

“We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber-attack and more resilient against other threats such as power failures and environmental hazards.”

Related Webinar