Brit water firms, power plants with crap cyber security will pay up to £17m, peers told
Problem: they can't pay like banks can...
Plans to fine Britain's national utilities and infrastructure providers £17m for shoddy cyber security will be at the forefront of industry's mind once everyone "gets over" GDPR, peers heard at a House of Lords committee.
Speaking on a panel on cyber security for critical national infrastructure (CNI) yesterday, Elliot Rose, cyber security head at PA Consulting, warned: "We've all been preoccupied with GDPR, but the [EU Network and Information Systems] directive [will carry] significant fines."
Rose added that a lot of these organisations – including water, electric and telecoms organisations – are facing challenges, as their legacy systems increasingly interface with and are exposed to the internet. He said that was "a particular area of concern" – citing one example of airports introducing remote control towers to manage traffic.
He added: "I do think that will play out more once we get over GDPR."
Digital minister Margot James said earlier this year the measures would come into force next May. They will also cover other threats affecting IT such as power outages, hardware failures and environmental hazards. Critical infrastructure firms will be required to show they have a strategy to cover such incidents.
Britain's CNI appears to be an increasingly attractive target for hostile state actors. Last year Ciaran Martin, chief exec of the National Cyber Security Centre, revealed hackers acting on behalf of Russia had targeted the UK's telecommunications, media and energy sectors.
Alastair MacWillson, chair of the Institute of Information Security Professionals, said CNI companies faced problems attracting talent against higher-paying organisations.
"Because of difference in margins, in my experience it is more difficult for a water company, say, to hire a top cyber security team than it is for a bank. There is that industry challenge."
On the subject of a lack of skills, Rob Crook, managing director of cyber security and intelligence at Raytheon, noted a 30 per cent shortfall in the number of vacancies it would like to fill, a proportion he said was representative across industry.
"The initiative to introduce coding into primary schools, which we welcomed in principle, may have fallen into some difficulties in practice," he said. "For one, it is not obvious that initiative has included cyber security into its curriculum. Secondly, I'm not sure it's inspiring people into the profession."
MacWillson noted that currently just 7 per cent of cyber security staffers are women, making up just 4 per cent of his own institute's ranks.
Part of the problem is the approach to targeting schoolchildren to come into the profession. By focusing on skills from computer science and STEM, the government and industry are narrowing their pool for general diversity. Attempts should be made to broaden the net, he said. ®