‘Unprecedented’ warning over cyber threat to UK critical national infrastructure

Cyber risk specialist Stuart Davey of Pinsent Masons was commenting after the UK National Cyber Security Centre (NCSC) warned that such cyber criminals are intent on achieving “a more disruptive and destructive impact against western critical national infrastructure (CNI), including in the UK”.

The NCSC’s alert was issued on the first day of its CYBERUK conference in Belfast where UK government minister Oliver Dowden, the Chancellor of the Duchy of Lancaster, identified the particular threat posed by “Russian-aligned groups sympathetic to Putin’s invasion of Ukraine”. He said those groups’ primary motive is not financial or to uncover secret information but to “disrupt or destroy our infrastructure”.

Dowden said: “Disclosing this threat is not something that we do lightly. This is an unprecedented warning for businesses. We have never publicly highlighted the threat from these kinds of groups attempting such attacks before. And I should stress that we do not think that they currently have the capability to cause widespread damage to our infrastructure in the UK. But we do believe it is necessary at this point in time, if we want companies to understand the current threat they currently face and to take action to defend themselves and the country against such attacks.”

Davey, who was in Belfast at the CYBERUK event to hear Dowden’s speech, said: “Today’s announcement emphasises the importance of cyber preparedness for all organisations. This is particularly the case for those organisations key to CNI. Organisations should be considering the cyber resources available to them, take steps to improve their resilience to cyber threats, and prepare for how they would respond to an incident.”

“Dowden’s announcement follows recent proposed changes to the Network and Information Systems Regulations 2018 which would make amendments to the regime currently regulating operators of essential services. Given the priorities emphasised today, it will be interesting to see whether time is made in the current parliament to bring these proposed changes onto the statute book.”

In his speech, Dowden said that the UK government intends to set “specific and ambitious cyber resilience targets for all critical national infrastructure sectors to meet by 2025”. He added that he is also “actively examining plans to bring all private sector businesses working in critical national infrastructure within the scope of cyber resilience regulations”. He further announced a new scheme, ‘GovAssure’, designed to assess and improve cyber resilience within government departments.