14 Sep 2011
Security experts have called for greater technological innovation from critical national infrastructure (CNI) organisations, after a new Chatham House report published on Wednesday warned that best practice cyber defence among these firms is patchy at best.
The think tank's report, Cyber Security and the UK's Critical National Infrastructure, refers to a "patchwork of knowledge, capabilities, processes and attitudes", warning that the "quality and effectiveness of cyber security management" varies dramatically from one sector to the next.
Chatham House argues that, rather than a centralised policy informed by an environment of "mutual self-help", current motivations seem to revolve around "short-term self-interest".
"Where cyber security is concerned, the CNI is characterised by organisations doing the best they can," the report explained.
"But in many cases they lack the skills or knowledge to identify and mitigate the harm caused by a wide variety of emerging threats in cyber space, and this is compounded by their systemic dependency on other vulnerable actors in the environment."
The government has done well to recognise the importance of cyber defence at a CNI level, but individual CNI firms need to take more responsibility for improving security, and senior business leaders must take a lead in the formulation of policy, it added.
Henry Harrison, technical director at consultancy BAE Systems Detica, warned that cyber protection at this level is crucial as CNI companies are at the front line when it comes to attack.
"This sort of risk is high impact but low probability, which is very difficult to deal with," he told V3. "There has only been one instance of cyber warfare - as opposed to cyber espionage - to date, which was the Stuxnet incident."
Harrison called for greater innovation among CNI firms to increase security while retaining a degree of flexibility in their environments.
"In the end security is about a trade off between how much security you want versus the impact on overall total cost of ownership, whether that is direct cost or business efficiency," said Harrison.
"Where we desperately need innovation is in improving the trade off so you can use a tighter security approach without incurring costs. There are things that can be learned from the military, but you certainly shouldn't assume their techniques can be dropped into an organisation."
Mark Darvill, director at AEP Networks, argued that a balance needs to be struck to avoid hysteria when educating about cyber threats.
"There needs to be a proactive approach to security that encompasses a continued education programme. Security does not stand still, so it cannot simply be a one-off programme," he told V3.
"The government and critical infrastructure providers need to work with the security industry to make sure the highest levels of security solutions are being deployed to protect the heart of our national infrastructure."
The government is due to make a significant announcement on cyber security funding allocation later this week, when V3 will have the breaking news as it happens.