NotBeingPetya: UK critical infrastructure firms face huge fines for lax security

The UK government has announced that businesses providing essential services like energy and transport could be fined as much as £17m or 4 per cent of global turnover for failing to have effective cyber security measures in place.

The proposals from the Department for Digital, Culture, Media & Sport satisfy requirements under the EU Network and Information Systems (NIS) Directive, which comes into effect next May. Critical infrastructure firms will also be required to show they have a strategy to cover power failures and environmental disasters.

The NIS Directive relates to loss of service rather than loss of data, which falls under the General Data Protection Regulations (GDPR). UK proposals would set the maximum level of fine for the most severe outages by critical infrastructure orgs as for the most strict fines imposed under the EU's General Data Protection Regulation.

Organisations that provide water, energy, transport and health services - whose vulnerabilities were exposed by the recent WannaCry(pt) and NotPetya ransomware attacks - are in the government’s line of sight. “Fines would be a last resort, and they will not apply to operators that have assessed the risks adequately, taken appropriate security measures, and engaged with competent authorities but still suffered an attack,” a government statement explains.

DCMS launched a consultation on its plans on Tuesday.

James Chappell, CTO and co-founder of threat intel firm Digital Shadows, said that UK government proposals go further than what’ll be required to achieve NIS Directive compliance.

“When the UK made its decision to leave the EU one of the concerns within the cyber security industry was that it would choose not to enact the regulatory commitments the country really needs to toughen up its cyber defences,” Chappell explained.

“In fact the opposite has been the case. The UK interpretation of the NIS Directive has put forward equivalent fines to those mandated by the General Data Protection Regulation. Today’s announcement pertaining to critical national infrastructure goes further than is required by the EU under the Network and Information Systems (NIS) Directive.”

Other vendors argue the tougher rules should be seen as a spur for organisations to improve their security policies rather than solely punitive.

“In security we talk about when not if a security breach will occur, but that does not mean organisations should not be taking all the necessary precautions to limit the potential impact of a breach," said Sarah Armstrong-Smith, ‎head continuity & resilience at Fujitsu UK & Ireland. “In fact, the fast approaching implementation of GDPR will oblige organisations to carry out thorough preparations of their systems. Organisations should also use this as an opportunity to get all of their cyber measures in place, not just their data.” ®