Firms involved in critical infrastructure including the military need to be willing to share knowledge and collaborate on best practice to fend off modern cyber threats, a report has urged.
The Cyber Resilient Infrastructure report, by consultancy Atkins, said supply chains that do not have a clear set of standards throughout might be left “open to attack through the weakest link”.
“The old adage ‘we are all in it together’ is applicable here,” it said, as threats could come from any one firm.
In a review of the UK’s critical infrastructure, including energy, water, telecommunications and defence, Atkins said there was a growing concern the number of cyber threats were increasing and that keeping attackers out was becoming “practically impossible”.
It said owners and operators of critical infrastructure needed to improve the way they collect and analyse information about the integrity of their own systems; improve the physical resilience of infrastructure; and develop a “holistic” defence plan that incorporates the design and engineering of infrastructure as well as the training and education of staff and operators.
A survey conducted as part of the review showed the biggest cyber security risk as perceived by senior managers came from personnel, either in the form of a direct inside threats or through a lack of staff understanding about the role they play in protecting both information and access.
The report said supply chains carried the second biggest risk and were singled out by more than half of senior industry figures as vulnerable to cyber security.
“Although people were confident in the security protecting their own organisation, it was considered to be much more difficult to protect information assets and intellectual property once it entered a wider supply chain,” it said.
It added that broad supply chains often include manufacturers and contractors that “may not have security at the forefront of their minds”.
“These companies may hold sensitive environmental or contract information which, if compromised, could cause significant reputational damage throughout the supply chain,” it said.
It recommended buyers carry out appropriate maturity assessment to evaluate where the strengths and weaknesses are in their supply chains, but added: “Maturity is not all about how an organisation complies with a standard but also how they learn and share experiences.
“Collaboration is a good way of improving how the organisation addresses the cyber risk, and through collective experience, that learning has the potential to be accelerated, increasing the maturity of the sector.”
The report predicted in the future, improved access to technology will make it easier for actors to “innovate and attack infrastructure” and create a reality where everyone will be hacked at some point. “As a result we must be prepared and have proven plans in place to deal with this eventuality,” it said.
However, despite technological advances, the report predicted the greatest factor in cyber defence would remain an organisation’s personnel. “As such, an increased focus on creating a better educated, more cyber-aware culture will be crucial. Key to this will be emphasising personal, rather than organisational, accountability to help drive the right behaviours,” it said.
☛ Want to stay up to date with the news? Sign up to our daily bulletin.