Nine cyber attacks on UK transport sector missed

By Laura Berrill
Nine cyber attacks on the British transport sector have been missed by mandatory reporting laws

The attacks were only disclosed to the government on a voluntary basis, despite the reporting laws, according to a story revealed today by Sky News.

It is thought the reason for this is that the thresholds set for the mandatory reporting of cyber incidents across the energy, transport, health, water, and digital infrastructure sectors are so high, that few, if any, incidents are actually being reported to the government.

A law introduced three years ago was intended to boost Britain's ability to defend itself from foreign states and criminal hackers by obliging critical infrastructure organisations to report such cybercrime incidents.

High reporting thresholds in the sector based on service continuity

However, as the thresholds set for reporting incidents across the energy, transport, health, water, and digital infrastructure sectors are so high, this means no reports are being made under the legislation.

The thresholds are based on the impact hackers have on the continuity of service. For instance, in water and energy supply, or freight movement, but this continuity isn't an indication of the sectors' security capabilities, only of the hackers' activity once inside the network.

The nature of an implant within a computer system means that it can be used both for spying on the system's workings and to potentially disrupt them, but up until the moment of disruption the fact an organisation has been hacked wouldn't meet the threshold for reporting.

Risk of ill and under informed security

The lack of reports being made under Britain's mandatory reporting laws risks leaving government departments under-informed about their sectors' security outside these voluntary disclosures. This means they potentially do not cover the full range of hostile activities taking place.

In response to a request made under the Freedom of Information Act, the Department for Transport (DfT) confirmed that it received nine voluntary disclosures about cyber incidents in the past three years.

The department in the FOI response said that none of these disclosures "relate to reportable incidents as required under the Network and Information Systems (NIS) Regulations 2018". At the time of reporting, a spokesperson for DfT declined to comment.

Earlier this year, it was also reported that the same mandatory reporting regulations hadn’t resulted in a single report from the gas and electricity sectors, despite the government stating Russian hackers had successfully breached the computer networks of the UK's energy grids, but without disrupting them.



Featured Articles

Building Cyber Resilience into ‘OT in Manufacturing’ webinar

Join Acronis' webinar, Building Cyber Resilience into ‘OT in Manufacturing’, 21st September 2023

Google at 25: From a Search pioneer to AI breakthroughs

Technology Magazine explores how the tech giant went from being based in a California garage to a pioneer in technologies from AI to quantum computing

McKinsey: Nine actions for CIOs and CTOs to embrace gen AI

McKinsey identifies nine actions to help CIOs and CTOs create value, orchestrate technology and data, scale solutions, and manage risk for generative AI

OpenAI ChatGPT Enterprise tier drives digital transformation

AI & Machine Learning

Sustainability LIVE: A must-attend for technology leaders

Digital Transformation

VMware and NVIDIA to unlock generative AI for enterprises

AI & Machine Learning