Nine cyber attacks on UK transport sector missed

By Laura Berrill
Nine cyber attacks on the British transport sector have been missed by mandatory reporting laws

The attacks were only disclosed to the government on a voluntary basis, despite the reporting laws, according to a story revealed today by Sky News.

It is thought the reason for this is that the thresholds set for the mandatory reporting of cyber incidents across the energy, transport, health, water, and digital infrastructure sectors are so high, that few, if any, incidents are actually being reported to the government.

A law introduced three years ago was intended to boost Britain's ability to defend itself from foreign states and criminal hackers by obliging critical infrastructure organisations to report such cybercrime incidents.

High reporting thresholds in the sector based on service continuity

However, as the thresholds set for reporting incidents across the energy, transport, health, water, and digital infrastructure sectors are so high, this means no reports are being made under the legislation.

The thresholds are based on the impact hackers have on the continuity of service. For instance, in water and energy supply, or freight movement, but this continuity isn't an indication of the sectors' security capabilities, only of the hackers' activity once inside the network.

The nature of an implant within a computer system means that it can be used both for spying on the system's workings and to potentially disrupt them, but up until the moment of disruption the fact an organisation has been hacked wouldn't meet the threshold for reporting.

Risk of ill and under informed security

The lack of reports being made under Britain's mandatory reporting laws risks leaving government departments under-informed about their sectors' security outside these voluntary disclosures. This means they potentially do not cover the full range of hostile activities taking place.

In response to a request made under the Freedom of Information Act, the Department for Transport (DfT) confirmed that it received nine voluntary disclosures about cyber incidents in the past three years.

The department in the FOI response said that none of these disclosures "relate to reportable incidents as required under the Network and Information Systems (NIS) Regulations 2018". At the time of reporting, a spokesperson for DfT declined to comment.

Earlier this year, it was also reported that the same mandatory reporting regulations hadn’t resulted in a single report from the gas and electricity sectors, despite the government stating Russian hackers had successfully breached the computer networks of the UK's energy grids, but without disrupting them.

 

Share

Featured Articles

Gen AI Boom Drives Nvidia Value to Overtake Microsoft

Nvidia surpasses Microsoft to become the most valuable company, with its AI and chip developments tripling stock and prompting a US$3.3tn market cap

IBM & Wimbledon: AI Is Changing the Game for Sports

IBM and The All England Lawn Tennis Club have unveiled AI features for Wimbledon that will provide real-time analysis and expanded, personalised content

Zoom: Powering EMEA with a Partner-Led Focus

We examine how Zoom is moving towards greater digital transformation via its EMEA partnership channels, inspiring the next generation of collaboration

Schneider Electric: UK&I President Grows Her Europe Presence

Digital Transformation

DTW24 Ignite: AI to Power the Next Generation of Technology

Digital Transformation

SolarWinds: IT Professionals Worry about AI Integration Risk

AI & Machine Learning