When a country’s critical infrastructure is compromised, whether through a cyber attack or otherwise, the effects can be wide-reaching and devastating. Recent examples of significant cyber incidents impacting critical infrastructure include:
- The Colonial Pipeline attack in May 2021, a ransomware incident that led the operator to shut the pipeline down, disrupting fuel delivery for millions of people on the US East Coast;
- The Oldsmar, Florida water treatment facility attack in February 2021, in which a remote attacker raised the sodium hydroxide level set at a plant supplying residential and commercial drinking water (an operator noticed and reversed the change before it affected the water supply); and
- The attack on JBS Foods, the world’s largest meat supplier, in June 2021, which resulted in the shutdown of plants in Australia, Canada and the US, taking out nearly one fifth of US beef processing capacity.
This is a real and ever-present problem, and one which appears to be growing in this age of hybrid warfare, with offensive cyber operations seen as a critical element of a State’s armoury in the current era of great power competition.
In the UK, we operate under the framework provided by the Network and Information Systems Regulations 2018 (the “NIS Regulations”), which implement European Directive (EU) 2016/1148 [1]. The NIS Regulations are intended to address all threats (not just cyber) to network and information systems and they apply to:
- Digital Service Providers (DSPs): online marketplaces, online search engines and cloud computing services; and
- Operators of Essential Services (OESs): providers in the energy, transport, health, drinking water and digital infrastructure sectors.
Compliance depends upon DSPs/OESs identifying and taking appropriate and proportionate measures to manage the risks posed to their network and information systems. Risk is defined as any reasonably identifiable circumstance or event having a potentially adverse effect on the security of network and information systems. Measures taken by DSPs/OESs must:
- ensure a level of security appropriate to the risk posed; and,
- prevent and minimise the impact of incidents.
They must also take into account:
- security of systems and facilities;
- incident handling;
- business continuity management;
- monitoring, auditing and testing; and,
- compliance with international standards.
Competent authorities oversee NIS compliance. For DSPs, the competent authority is the Information Commissioner’s Office (ICO). It requires all DSPs to register with it and has investigatory and enforcement powers under the NIS Regulations. As DSPs may also be data controllers or data processors under the UK General Data Protection Regulation (GDPR), they are likely to have both NIS and GDPR obligations. For OESs, the competent authority depends on the sector. For energy providers it is generally the Secretary of State for Business, Energy and Industrial Strategy, jointly with a sector-specific body such as the Gas and Electricity Markets Authority; day-to-day compliance is in practice overseen by the Office of Gas and Electricity Markets (Ofgem). For transport infrastructure providers, it is generally the Secretary of State for Transport, jointly with a sector-specific body such as the Civil Aviation Authority.
Cyber Assessment Framework
To structure oversight and risk management, the competent authorities use the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF), and they work in close coordination with the NCSC on threats and incident response activity. Although OES competent authorities do have enforcement powers, their activity in relation to incident response and investigation is generally focused on collaboration and on restoring services; this differs to some extent from the ICO’s mandate in relation to DSPs.
UK Cyber Strategy
The NIS Regulations and the CAF form key elements of the UK’s National Cyber Strategy 2022, published in December 2021. The Strategy aims to provide a comprehensive approach to protecting and promoting the UK’s interests in and through cyberspace: strengthening cyber security in order to keep ahead of the UK’s adversaries, strengthening the UK’s ability to act in cyberspace, and improving its ability to influence and shape tomorrow’s technologies so that they are safe, secure and open.
Structured around five pillars, the Strategy looks to address:
- Pillar 1: Strengthening the UK cyber ecosystem, investing in our people and skills and deepening the partnership between government, academia and industry;
- Pillar 2: Building a resilient and prosperous digital UK, reducing cyber risks so businesses can maximise the economic benefits of digital technology and citizens are more secure online and confident that their data is protected;
- Pillar 3: Taking the lead in the technologies vital to cyber power, building our industrial capability and developing frameworks to secure future technologies;
- Pillar 4: Advancing UK global leadership and influence for a more secure, prosperous and open international order, working with government and industry partners and sharing the expertise that underpins UK cyber power;
- Pillar 5: Detecting, disrupting and deterring our adversaries to enhance UK security in and through cyberspace, making more integrated, creative and routine use of the UK’s full spectrum of levers.
As breach response counsel, we have seen Pillar 5 in action. In recent cyber incidents, it has become clear that regional police agencies, along with the NCSC, are taking a far more proactive and empathetic approach to engaging with organisations who have suffered cyber breaches. This has been exemplified by police providing threat analysis and keeping impacted organisations apprised of developments in their investigations.
Additionally, where large scale NIS breaches occur, or data breaches impacting public sector bodies or organisations with public sector contracts, law enforcement agencies have acted as invaluable interlocutors, coordinating communication with various agencies and government departments, each of whom will have their own particular concerns or agenda regarding a given cyber incident.
Whereas we might have been somewhat circumspect regarding law enforcement engagement in years gone by, the UK Cyber Strategy does seem to have given rise to a sea-change in the way in which the police and NCSC now appear driven by a desire to assist and support impacted entities. This development can only be seen as positive, and we will continue to forge strong working relationships with the NCSC and regional police services in providing impacted organisations with the best possible breach response management and legal support.
[1] NB: The European Parliament approved NIS 2 (the revised Network and Information Security Directive) on 10 November 2022. It is a new European directive that aims to provide greater security for in-scope entities “by implementing a system of obligations and sanctions”. It replaces the OES and DSP categories with Essential Entities and Important Entities, and its obligations are expected to apply from 2024. At the time of writing, the legislation awaits formal approval by the Council of the European Union. It remains uncertain whether the UK will follow the EU in updating its own NIS Regulations.