Peer Reviewed

Cyber Security for Critical National Infrastructure

This article discusses the UK critical national infrastructure (CNI), its exposure to cyber risk, and the measures and arrangements currently in force to address that risk. It also suggests some alternative and additional measures that might be considered.

Henrik Kiertzner
Oct 31, 2016
2 Comments

Jon Longstaff 8 months ago

Hi Henrik

Great article. So do you think the UK government is getting the balance right between regulation and advice for commercially owned CNI assets?

If we do need more intervention to address the societal risks of CNI do you have any views on what is the best approach?

Henrik Kiertzner 8 months ago

@Jon Longstaff; thanks for the kind words, first of all. In response to your question, no, I think that, unless the government can actually offer substantive assistance to the commercial CNI operator in justifying security spend - perhaps with a 'sponsored' threat and risk assessment by sector, perhaps with tailored strong advice on means, approaches and controls, the operator will continue to find it hard to draft a compelling business case for a level of investment which might seem high to the average commercial board. The alternative would be greater regulation, which of course would have its own risks - of greater bureaucracy, 'box-ticking', inflexibility and the treatment of the regulating authority as a business risk in itself - see here the compliance industry.

Substantive assistance and articulation by government of the need, based on a sponsored threat and risk assessment, shared freely with commercial operators, strikes me as the 'least worst' option.