Nine cyber attacks on UK’s transport sector missed by mandatory reporting laws


Nine cyber attacks affecting the British transport sector were missed by the UK’s mandatory reporting laws and were only disclosed to the government on a voluntary basis, Sky News has learnt.

A law introduced three years ago was intended to boost Britain’s ability to defend itself from foreign state and criminal hackers by obliging critical infrastructure organisations to report incidents.

However, the thresholds for reporting incidents across the energy, transport, health, water, and digital infrastructure sectors are set so high that no reports have been made under the legislation.

These thresholds are based on the impact an attack has on continuity of service, for instance on water and energy supply or on freight movement. Continuity of service is not a measure of how secure a sector is, only of what the attackers chose to do once inside the network.

An implant inside a computer system can be used both to spy on the system’s workings and, potentially, to disrupt them, but until the moment of disruption the fact that an organisation has been compromised would not meet the threshold for reporting.

With no reports being made under Britain’s mandatory reporting laws, government departments risk being under-informed about the security of their sectors beyond what voluntary disclosures tell them, and those disclosures may not cover the full range of hostile activity taking place.

In response to a request made under the Freedom of Information Act, the Department for Transport (DfT) has confirmed to Sky News that it received nine voluntary disclosures about cyber incidents in the past three years.


The department said that none of these disclosures “relate to reportable incidents as required under the Network and Information Systems (NIS) Regulations 2018” in the FOI response.

A spokesperson for DfT declined to comment.

What is covered by the NIS Regulations?

  • Drinking water (supply and distribution)
  • Energy (electricity, gas, oil)
  • Digital infrastructure (DNS and domain name registry services, internet exchange points)
  • Health
  • Transport (air, maritime, road, rail)
  • Digital services (cloud, marketplaces, search engines)

Earlier this year, Sky News reported that the same mandatory reporting regulations hadn’t resulted in a single report from the gas and electricity sectors, despite the government stating Russian hackers had successfully penetrated the computer networks of the UK’s energy grids without disrupting them.

The government has completed a review of the NIS Regulations which found “it is still too early to judge the long term impact” of the law, which introduced a range of security standards.

The review “identified several areas of improvement to the NIS Regulations requiring policy interventions from the government, which would enhance their overall efficiency”, but amendments proposed last year do not include a reporting obligation covering network compromise.

A government spokesperson previously told Sky News: “The UK’s critical infrastructure is extremely well protected and over the past five years we have invested £1.9bn in the National Cyber Security Strategy to ensure our systems remain secure and reliable.”

They added that a formal review of the impact of the NIS Regulations will take place within the next 12 months.


If you would like to contact Alexander Martin, you can email him at aj.martin@sky.uk or contact him securely using the private messaging app Signal on +44 (0)7970 376 704
