Risk Management
A new government risk report hastens the need for proactive cyber-resilience building
A lot can change in three years. That is how much time has elapsed since the last National Risk Register (NRR) was published by the British government.
Save to Folio
The document provides rare insight into the wide range of acute risks the country’s critical infrastructure (CNI) providers are facing. Since 2020, the estimated cost of serious incidents has risen from the tens of millions to billions of pounds. It’s time CNI providers revisited their cyber-resilience strategy, enhancing protective measures with more proactive detection and response.
What’s in the register?
The new NRR is based for the first time on the government’s secret National Security Risk Assessment (NSRA), a classified report developed with the help of hundreds of government risk experts. The NRR covers nine key themes, further broken down into 89 risk areas. Cyber is one of those nine, highlighting the key role it plays in society and economy.
The report details several worst-case scenarios across multiple CNI sectors; specifically encryption, theft or destruction of data and/or disruption to operational systems, which could cause chaos to:
- Gas infrastructure
- Electricity infrastructure
- Civil nuclear
- Fuel supply infrastructure
- Health and social care
- Transport sector
- Telecoms systems
- Financial market infrastructure
- Retail banks
For example, a cyber-attack causing the failure of the National Electricity Transmission System (NETS) has the potential to cause a nationwide loss of mains electricity without warning for those without backup generators, the NRR claims. It adds that secondary impacts could be felt across utilities networks—including mobile and internet communications, water, sewage, fuel and gas—causing significant disruption to society as well as loss of life.
It’s interesting to note that in 2020, the economic damage resulting from cyber events was calculated at £10-100m per incident. Today the figure stands at billions of pounds. Three years ago expected fatalities were 9-40, with a further 200-1000 individuals potentially needing to be evacuated. Today fatalities stand at an estimated 201-1000 with a further 400-2000 casualties.
How Trend can help
With those kinds of figures, CNI operators should be in no doubt of the importance of cyber-resilience planning. But is existing security posture enough? The government’s own Cyber Security Strategy 2022-2030 provides detailed guidance on managing cyber risk, deflecting attacks and detecting and containing those that get through defences. It argues that “cyber-resilience remains a cost effective and impactful lever against the cyber threat.”
But what does resilience mean? It’s not just about protecting infrastructure and services against compromise, but also getting on the front foot by detecting and responding to breaches faster. This will help IT teams not only to contain the blast radius of attacks—in order to remediate and recover before the attackers have had a chance to make an impact. It will also generate intelligence which can be used to make the organisation stronger; such as unpatched vulnerabilities or misconfigured assets that need to be fixed.
Trend Micro can help by delivering such capabilities from a single platform, enabling organisations to protect, detect and respond without missing a beat. That includes XDR which spans endpoints, servers, workloads, email, networks, cloud and identity to support highly effective attack surface risk management and threat hunting.
The acute cyber risks listed above have a 5-25% chance of happening in the next two years, according to the government’s own body of experts. Yet although being a target is a fact of life for CNI providers, being a victim is not. It may be time to reexamine those risk management strategies. Forewarned is forearmed.