Dr Ian Buffey, Technical Director Cyber Resilience, Atkins
The organisations that run our critical national infrastructure (CNI) must protect their assets from cyber-attack, whether the risks stem from their own company or from within their supply chain. The UK’s cyber-security regulations make CNI owners and operators accountable for the ongoing provision of essential services – for example, water or energy – even if some aspects of delivery are outsourced to a third party.
Regulators are primarily concerned with operational technology (OT) – that is, the control systems that manage and monitor our CNI. It’s not uncommon for operators to call on vendors for onsite or remote support, or to perform system upgrades. But how do you know if their technologies and processes are secure?
Cyber-security experts fear it’s a question of when, not if, an attack will be made on our critical infrastructure. And as operators boost their own defences to mitigate the threats, determined cyber-attackers will search for a weaker link. The complex supply chain that surrounds OT will be an attractive target.
For this reason, organisations responsible for delivering essential services must raise their awareness of cyber-security so they can demand best practice from their suppliers. Key steps to take now include:
• Identify a security champion: one person operating at the most senior level within an organisation should be responsible for cyber-security, and be willing to drive change.
• Ensure cyber-security practices are embedded throughout the organisation: they must be co-ordinated and consistent.
• Be prepared to spend time, and if necessary money, on becoming a more resilient organisation: there is no quick fix.
• Engage with your suppliers: ensure they understand what they need to do, and why.
• Build cyber-security requirements into contracts: strong security requirements will help to reduce the likelihood of a vendor being the cause of a malicious or accidental cyber-incident.
Secure your assets and organisation – contact Atkins and let us help you achieve cyber resilience.