The UK business secretary Vince Cable told a cybersecurity summit last week that Britain’s critical national infrastructure is still too vulnerable to attack by criminals and terrorists.
Banks, gas distribution, rail signalling, mobile networks – these are all areas that, if successfully attacked, would lead to significant disruptions to everyday life in the UK.
Increasing sophistication of these systems, driven by consumer demand, is directly leading to increased vulnerability. These systems depend on “having efficient, non-disruptive cyber systems operating and they are becoming more sophisticated”, he reportedly told a high-level summit of intelligence experts and industry regulators.
Organisations involved in the summit meeting, held at Britain’s GCHQ listening post, the Bank of England, the Civil Aviation Authority (CAA), the Office of the Nuclear Regulator, the energy regulator Ofgem, water regulator Ofwat and communications regulator Ofcom.
In his presentation to the group, Cable cited examples of successful cyber-attacks around the world which had caused chaos for governments, businesses and consumers.
“It is particularly important that those industries providing essential services such as power, telecommunications and banking are adequately protected to avoid disruption to our everyday lives. We can only achieve this objective through a partnership between government, the regulators and industry. Today’s event marks the next step in highlighting the important role of the regulators in overseeing the adoption of robust cybersecurity measures by the companies that supply these crucial services,” he said.
The Bank of England last week also published the results of a cybersecurity exercise known as Waking Shark 2 which simulated an attack on the financial services industry. More than 200 representatives from the banking industry took part in the four-hour long exercise, conducted in November 2013, which tested system resiliency.
Recommendations from Waking Shark 2 include:
- Consideration will be given to the identification of a single coordination body from industry to manage communications across the sector during an incident.
- The PRA and FCA will coordinate to ensure dual-regulated firms are fully aware of the regulators’ incident reporting requirements and update frequencies. The Authorities will also provide further clarification to the sector on the respective roles of the Authorities, Government agencies and the sector in responding to major cyber–events and reinforce with firms the importance of reporting major incidents to their respective regulators as soon as possible.
- The CISP platform will continue to be enhanced through close collaboration between firms and Government partners.
- Organisations will be reminded of the need to report attacks which constitute a criminal offence to the appropriate authorities, e.g. law enforcement.
- As was recommended in Waking Shark I, financial sector participants should continue to regularly review their internal cyber-incident response procedures, and ensure that they maintain engagement with the FSIE, CISP and other external information sharing groups.
The Waking Shark 2 report says considerable progress has been made since the previous exercise, Waking Shark 1, in 2011.
Bank of England deputy governor Andrew Bailey said: “It is essential for financial stability that the UK financial system and its infrastructure continues to work towards improving its ability to withstand cyber-attacks.”