Infrastructure is getting smarter as it becomes more connected to IT systems, remote sensors and AI. This increases its utility but exposes it to new cyber and operational risks. The UK's proposed Cyber Security and Resilience Bill (CSRB) will increase the obligations on those who fail to secure infrastructure facilities. This article considers the flow down impact on building owners, developers and the construction industry.

NIS regulations

The Network and Information Security Regulations ("NIS Regulations") have been in force since 2018. The NIS Regulations require that providers of critical national infrastructure – like power, water, and transport – maintain "appropriate technical and operational measures" to protect their IT systems. This is often misunderstood as being only about cyber security and the prevention of hacking, but the obligation is much broader. The NIS Regulations require operational resilience against a wide range of events that could disrupt IT systems: this includes fire, flood, extreme weather, power failures, telecoms disconnections, staff illness, and vandalism.

A critical part of securing this operational resilience is maintaining a reliable supply chain. The failure of a third-party data centre or IT vendor could interrupt the operation of a piece of infrastructure. There have been several notable examples of supply chain attacks in recent years, such as the cyber-attack against Advanced Software which disrupted critical services like NHS 111 and resulted in Advanced Software being fined £3m by the ICO for security failures [1]. Again, the obligation under the NIS Regulations is wider than pure cyber-security: suppliers to infrastructure providers need to consider the physical and operational risks that could impact the continuity of infrastructure IT systems.

The Cyber Security and Resilience Bill

The proposed CSRB looks to update and strengthen the NIS Regulations.

  • Increased maximum penalty of up to 4% of global turnover (from the current maximum of £17m)
  • Expanded list of critical infrastructure providers to include electricity load controllers, data centres and managed IT service providers
  • Regulators will have the power to identify critical suppliers to infrastructure providers and apply the NIS Regulations directly to those suppliers. This extends beyond IT services – the supplier of any goods or services that are essential to the operation of critical infrastructure IT systems may be caught
  • Quicker and wider incident notification requirements. Initial incident notifications will be required within 24 hours. The duty will also extend to any incident that is "capable" of having an adverse effect on the operation of an IT system (previously, notifications were only required for "actual" incidents)
  • Enhanced enforcement powers to allow regulators to conduct investigations and take firmer enforcement action
  • More prescriptive guidance on what amounts to "appropriate" measures to secure IT systems

To date, there has not been a published penalty under the NIS Regulations with regulators taking a light touch approach, but the CSRB is expected to usher in a stricter enforcement regime as the risks of disruption to critical services grow. This is in line with increased regulatory enforcement across all areas of cyber and operational risk with more and larger penalties being imposed.

The CSRB is currently going through Parliament, with the expectation that it will progress quickly and with minimal political resistance. 

Resilient buildings

The increasing sophistication of hackers means that they are now looking to cause not just losses of information but physical disruption. Cyber-attacks on entry and exit controls, remote building monitoring systems, and HVAC services can render a building inoperable, causing significant losses to building owners and occupiers. Sometimes the most innocuous connected system can be a risk. In 2017, a vulnerability in a smart thermostat in a fishtank was used to hack into a Las Vegas casino and steal a high-roller database.

For most construction companies and property developers, the risk comes from installing and operating smart technologies within a building. Infrastructure suppliers are likely to insist that building technologies meet their cyber security standards, which will have been designed to comply with the NIS Regulations. They may also look to flow down their NIS Regulatory requirements in their contracts with building owners, who may then flow down to property managers and construction companies.

Where smart building technologies are being considered at the design and procurement phases, construction companies should make clear in their contracts who is responsible for selecting the appropriate technology and verifying its security. They also need to make sure that those technologies are securely installed – many cyber-attacks stem from weaknesses introduced during the adoption of new IT and automated control systems, when normal security defences sometimes need to be temporarily lowered and adjusted in order to connect new services.

Construction companies that are major suppliers to infrastructure providers should consider whether their goods or services are essential to the operation of the IT systems behind that infrastructure. This will be more likely where they are the sole or primary supplier, where the loss of those goods or services is likely to cause an immediate disruption, and where the supplier could not easily be replaced with an alternative provider. This will allow construction companies to determine whether they might be at risk of being designated as a critical supplier. More guidance on the criteria for designating critical suppliers is expected in due course.

In many areas, the existing NIS Regulations already apply today, and with the increased political and regulatory focus on operational resilience, they are expected to play an increasingly important role in protecting the UK's critical infrastructure.


Footnotes

[1] Although this penalty was under the General Data Protection Regulation, the security obligation is similar to that found in the NIS Regulations, with the two regimes designed to work alongside each other.

This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.