Most UK IT Security Leaders Fear CNI Attack
Over half of organizations believe the UK is heading for a major attack on critical infrastructure (CNI) this year, with siloed teams causing dangerous security gaps between IT and OT functions, according to Infosecurity Europe.
The region’s leading information security event polled over 12,000 social media followers and its community of CISOs to better understand the challenges facing organizations in CNI sectors.
Some 59% agreed that a CNI attack was imminent in 2019, echoing National Cyber Security Centre (NCSC) boss Ciaran Martin, who said last year that the nation’s first category one (C1) attack was a matter of “when, not if.” WannaCry was rated a C2 incident.
Of equal concern is the fact that organizations seem ill-prepared to deal with such an attack.
Over two thirds (68%) of respondents claimed that security teams in charge of physical and digital systems never collaborate. These siloes can be particularly damaging as IT and OT converge, for example with the proliferation of IoT in heavy industry.
“The increasing convergence of cyber and physical environments is inevitable, but managing them in a cohesive way will strengthen enterprise security,” argued Just Eat CISO, Kevin Fielder.
“Those intent on accessing money, information or IP will often find it easier to do so from the inside – and we’re moving to a world where this can mean immediate impact on life. Hacking a building’s management systems, for example, could suppress a fire alarm or sprinkler system, or prevent people leaving.”
The poll also revealed that just 16% of respondents were aware of the NIS Directive, an EU law now in force which aims to improve baseline security among firms in CNI sectors. Non-compliance could incur fines as high as the GDPR.
“I can’t believe that any cybersecurity leader in a sector impacted by the NIS Directive would be unaware of its implications for their business,” argued Nigel Stanley, CTO of TÜV Rheinland.
“Lack of commitment to secure critical infrastructure is the worst sort of negligence. Forget what the regulators demand — organizations should take the initiative and secure assets based on a proportionate cybersecurity and business-led risk assessment.”
Infosecurity Europe will take place at London Olympia in Hammersmith from June 4-6, 2019.
Source: Information Security Magazine