Infrastructure firms face tough fines for slack security
The idea of crippling a location by attacking its infrastructure is nothing new. In fact, it’s been going on in one way or another for thousands of years, but up until relatively recently, you had to be physically close by to do it.
Over recent decades, there has been a growing awareness that infrastructure can be destroyed through the (mis)use of technology, which is why the EU introduced the Network and Information Systems (NIS) Directive, coming into effect on 9th May 2018. While it has arguably been rather overshadowed by GDPR, which has a much wider-ranging impact, it is still a very significant piece of legislation.
From the micro to the macro
Data security breaches can have a devastating impact on their victims, but damage to infrastructure has the potential to kill. Electricity, for example, powers much of the equipment the emergency services need to do their jobs, from police radios to life-support machines in hospitals. While electricity (and other key utilities) provides the power and resources that make essential services work at all, these days it is IT systems that control them, and it is therefore vital that those IT systems are well protected.
Lack of cyber security can make you WannaCry
In the UK, the infamous WannaCry virus is probably best known for the devastation it caused in the NHS.
It actually left a trail of chaos across the world, disrupting major companies including FedEx and Deutsche Bahn. Barely was this under control before the NotPetya virus disrupted a Ukrainian nuclear power station.
NotPetya also claimed TNT (as in the logistics company) and Maersk (ditto) amongst its scalps. Now, the EU has decided that enough is enough and, as the UK is still an EU member for the moment, it has implemented the directive.
Big fines await big offenders
Fines of up to £17 million await infrastructure companies that are found to have been lacking effective cybersecurity measures. That’s hopefully enough to make even the biggest behemoths take notice.
Fines of that magnitude will only be applied in the very worst cases, where firms have clearly been negligent and/or uncooperative. However, it is entirely possible that smaller fines could be levied for behaviours that currently go unpunished or are more lightly punished, such as instances of mismanagement leading to environmental damage.
Steps to take now
Infrastructure firms do not have long to get their businesses in order to comply with this directive, and larger firms, in particular, may find they have a lot of work to do to avoid being in breach of the new law.
Understanding precisely what is required of different types of business is essential, so putting a specific person in charge of compliance would be a smart move for most companies. Realising that this work will benefit the company as well as satisfy the law should also motivate many firms, since improved cyber security is always a positive step, whether mandated or not.