Critical infrastructure suppliers are failing to follow basic cyber security best practice, leaving providers vulnerable to attack, according to CERT-UK and the Department for Work and Pensions (DWP).
CERT-UK director Chris Gibson made the claim during a panel discussion at Infosec, warning that many businesses still have woefully low security protection in place.
"If someone is in the supply chain of national infrastructure we have an interest in what happens to them," he said.
"At the moment the supply chain is not where it needs to be. Many firms are still vulnerable to attack. We know this is dangerous. We saw this with Target, which very clearly was not following best practice.
"They need to do work. We'd like companies to bring Cyber Essentials on board and push these through their supply chain."
The Target breach is believed to have occurred between 27 November and 15 December 2013 and saw hackers break into the retailer's point-of-sale environment and steal customers' credit and debit card numbers, card expiration dates and encrypted debit card PIN data.
The hackers also stole and published online as many as 70 million customers' names, phone numbers and email and postal addresses.
Cyber Essentials is a government-backed certification scheme launched in June 2014 that sets out five baseline technical controls for businesses: boundary firewalls and internet gateways, secure configuration, user access control, malware protection and patch management.
Gibson said that following the guidance allows companies to deal with most common security incidents.
"Cyber Essentials, proper patching, monitoring - the basics - would solve a lot of the problems we face and get rid of most of the work I do," he said.
Jon Townsend, head of cyber intelligence and response at the DWP, agreed and said that businesses should learn from other firms' mistakes.
"It's vital that every time we have an incident we're able to learn from it from an intelligence perspective and improve our security posture. We're working with CERT-UK and partners to test that we're ready [for attacks]," he said.
"Learning as part of the response process is vital and, by doing so as and when incidents arrive, we can create new controls and processes so that we're prepared next time.
"You need to think: am I being an intelligent customer and asking the right questions? Do I have the people in place that are doing the checks and making sure that, if a supplier isn't doing what you want, you work with them to do it right?"
The news follows reports that targeted attacks on non-government entities are rising. GCHQ said at an earlier keynote at Infosec that businesses should begin working with the agency to combat the threat.
Gibson explained that, as well as sharing information with the government through initiatives like the Cyber Security Information Sharing Partnership (CiSP), companies should learn from security strategies like GCHQ's.
"Know what your crown jewels are and make sure the stuff you care about isn't generally connected or vulnerable," he said.
"If possible keep it off the internet. If not keep it difficult to get to and contained. This sounds simple but I've seen no-one but government do this. Make sure people don't have a means to the centre."
The experts' comments follow the uncovering of several targeted attacks on critical infrastructure.
Researchers at Panda Security reported in May on a cyber campaign targeting the maritime oil transport industry, using malware that most defence tools at the time failed to detect.