Nine cyber attacks in the last three years affecting the UK transport sector have been missed by the UK’s mandatory reporting laws. These attacks were only disclosed to the Department for Transport on a voluntary basis.
This is because the mandatory thresholds for reporting cyber incidents across the energy, transport, health, water and digital infrastructure sectors are so high that few cyber attacks actually get reported.
Why the Mandatory Thresholds for Reporting Cyber Attacks Fall Short
These attacks follow a law introduced three years prior that was intended to bolster the UK’s ability to defend itself against cyber attackers – whether criminal hackers or foreign states. However, the high threshold set for reporting cyber attacks in many industries, not just transport, meant that few were reported under the legislation.
The thresholds are based on the impact an attack has on the operational output, or business continuity, of a service: for instance, the movement of public transport, or the supply of water or energy. Service continuity, however, does not indicate how secure a sector actually is; it only reflects what the hackers choose to do once inside the network. That means malicious software can live within a system ‘spying’ on activity, and would not need to be reported until the moment it causes disruption.
The consequence of this lack of reporting is that government departments, such as the one responsible for the UK’s transport sector, have very little idea how secure their sector is from cyber attacks, and are heavily reliant on the voluntary disclosure of such attacks to make more informed decisions.
Sky News requested comment from the Department for Transport on the nine cyber attacks reported to it. The department said that none of the disclosures “relate to reportable incidents as required under the Network and Information Systems (NIS) Regulations 2018”.
What’s Covered by the NIS Regulations?
The NIS Regulations cover the following:
- Drinking water (supply and distribution).
- Energy (gas, electricity, oil).
- Health services.
- Transport (air, maritime, road, rail).
- Digital infrastructure (domain services, exchange operators).
- Digital services (cloud, search engines, marketplaces).
This issue is not confined to the transport sector: not a single report has come from the gas and electricity sectors, despite the government confirming that Russian hackers had successfully infiltrated the computer systems of the UK’s energy grids.
The government’s review of the NIS Regulations, unfortunately, stated that “it is still too early to judge the long term impact” of the law. The review went on to say it “identified several areas of improvement to the NIS Regulations requiring policy interventions from the government, which would enhance their overall efficiency”. However, the amendments raised last year do not include a reporting obligation covering network compromise.
Sky News has previously been told by a government spokesperson: “The UK’s critical infrastructure is extremely well protected and over the past five years we have invested £1.9bn in the National Cyber Security Strategy to ensure our systems remain secure and reliable.” However, a formal review of the NIS Regulations is due to take place within the next 12 months. What is apparent is that without stronger reporting laws, informed decision-making and general cyber security awareness will remain difficult.