Brit water firms, power plants with crap cyber security will pay up to £17m, peers told

Plans to fine Britain's national utilities and infrastructure providers £17m for shoddy cyber security will be at the forefront of industry's mind once everyone "gets over" GDPR, peers heard at a House of Lords committee. Speaking on a panel on cyber security for critical national infrastructure (CNI) yesterday, Elliot Rose, …

  1. Doctor Syntax Silver badge

    "their legacy systems increasingly interface with and are exposed to the internet."

    Simple solution: don't.

    1. Vinyl-Junkie
      Joke

      Simple solution: don't.

      But then they'd have to hire actual people!

    2. Alister

      Simple solution: don't.

      Exactly!

      Back in the days before the internet was a thing, companies used to use "private circuits" for remote management of utilities infrastructure. Essentially they were a routed, unswitched physical connection from one premises to another. Brand names for the services included Kilostream and Megastream.

      Unfortunately, when Broadband became ubiquitous, most companies identified a cost saving by switching to Internet based connectivity, but didn't factor in the security implications.

      Maybe, instead of waving around pointless fines, the government should make it a mandatory requirement of operating, set in law, that utilities and power companies must use private circuits for their infrastructure.

      1. paulf
        Thumb Up

        @Alister "Brand names for the services included Kilostream and Megastream." Now that does take me back to my Saturday job days in the mid 1990s at a local public transport concern. Our divisional office was blessed with a Kilostream link to head office in the next town, giving us two internal lines to direct dial HO (I suppose this was before DDI became a thing). Harsh punishment was dished out to those who used PSTN for head office calls instead of the Kilostream lines.

        "...utilities and power companies must use private circuits for their infrastructure." A cursory search shows BT still provide kilostream, but only until 31 March 2020 which may hamper your proposal for mandatory private circuits (note I don't disagree with this)? The alternative is Wholesale Ethernet.

        1. Doctor Syntax Silver badge

          "A cursory search shows BT still provide kilostream, but only until 31 March 2020 which may hamper your proposal for mandatory private circuits"

          Regulations such as this could extend its life by renewing the market.

      2. Mark 85

        Back in the days before the internet was a thing, companies used to use "private circuits" for remote management of utilities infrastructure.

        There's still many companies here in the States using "private circuits" just for the security reason alone. That's just one more (or many more) doors that are closed and locked to intruders. The IT security staff is better able to focus on the customer "access" instead of being spread over more infrastructure. Seems that the "private circuit" is actually cheaper than having the costs associated with using the internet. I don't see why the power and utilities can't do the same things.

        By "private circuits", they're leasing just a line with a connection at each end and no "public" access to that line. Seems to be working from what I see.

      3. Doctor Syntax Silver badge

        "Maybe, instead of waving around pointless fines, the government should make it a mandatory requirement of operating, set in law, that utilities and power companies must use private circuits for their infrastructure."

        If your mandatory requirement was flouted what would you do? Impose fines of course. Which is just what this regulation does. The only difference is that it says what's to be done rather than how to do it.

        1. Alister

          If your mandatory requirement was flouted what would you do? Impose fines of course.

          Well actually I was thinking more along the lines of removing the company's right to operate. That might make the shareholders sit up and take notice.

          The problem at the moment is that the fines are imposed on the imprecise notion of "cyber-security" which is always open to interpretation. If there was a clearly defined mandatory requirement which stated that there should be NO Internet connectivity to any CNI and any breach would lead to an immediate loss of operating rights, then the issue is clear cut.

    3. Anonymous Coward
      Anonymous Coward

      Re: Simple solution: don't.

      Exactly.

      Why any CNI is connected to the Internet at all, ever, just boggles the mind.

    4. ElleCastillo

      I think the proposed fines are a step in the right direction, but I don't think they go far enough.

  2. wyatt
    Stop

    It's a 'margin' issue? Really? For a company run for profit that issues shares then if there's a dividend that can be paid there is money that can be invested is there not? In my perhaps naive opinion it's the board deciding between a fine or a dividend.

    1. Anonymous Coward
      Anonymous Coward

      I think the point is that if you've got a margin of £1bn, you can invest a few million in security and it not be a problem. If you've got a margin of £1m, that security investment is significantly more expensive.

      1. Anonymous Coward
        Anonymous Coward

        @disgustedoftunbridgewells

        "If you've got a margin of £1m, that security investment is significantly more expensive."

        If you can't afford to run your business securely then you can't afford to run your business and should sell up.

        If you choose to increase shareholder dividends (and director bonuses) by skimping on security you deserve to be fined, both the company and the directors.

      2. hplasm
        Holmes

        If you've got a margin of £1m, that security investment is significantly more expensive

        No, but the profits are reduced...

        1. Anonymous Coward
          Anonymous Coward

          Re: If you've got a margin of £1m, that security investment is significantly more expensive

          A few million is nothing if you have a margin of billions. It's more expensive to you if you have a margin of millions.

          The sterling figure is the same, the affordability is different.

          I'm not defending them, I'm pointing out the bleeding obvious.

  3. Anonymous Coward
    WTF?

    What?

    Severn Trent's results for 2017.

    "The FTSE 100 water group, which serves 4.4m customers in the Midlands and mid-Wales,......after pre-tax profits boomed to £543.7m in the year to March 31, compared to £504.4m the year before."

    https://www.telegraph.co.uk/business/2017/05/23/severn-trent-raises-dividend-jump-profits/

    And they can't afford a security expert?

    How much is this year's backhander costing?

  4. Voland's right hand Silver badge

    Fine is a cost of doing business

    Without criminal responsibility for the C-suite to accompany the fine it will become a classic case of threatening a dog with a salami stick.

    1. }{amis}{
      Go

      Re: Fine is a cost of doing business

      LOL, "threatening a dog with a salami stick", I haven't heard that one before.

  5. Dodgy Geezer Silver badge

    For any practical monopoly....

    ...as most of the infrastructure services are, there's a simple answer.

    Raise prices.

    Even if it's a private company, fines benefit no victim, and they just help the Government, who are the ones who get paid. And they don't harm the companies.. Fines for Civil Servant Departments are particularly pointless, but even a fine for a competitive private company removes some element of competition from the market place. The only loser is the consumer...

    If it were up to me, I would stop fining public bodies, who just pay in taxpayers' own money, and start fining the managers personally. Or, better still, jail them....

    1. Nick Kew

      Re: For any practical monopoly....

      Raise prices?

      Regulator raises eyebrow. Explain yourself! You're paying what to some IT geeks?

      Regulator says "no" - or effectively imposes that on you by retaliating with a new set of requirements.

  6. Anonymous Coward
    Anonymous Coward

    The most simple and practical solution is outsource all this "security" work to Asian or Eastern European countries. It's obviously the way to go.

    1. Anonymous Coward
      Anonymous Coward

      There's a story today that security software is one of North Korea's successful exports. The country has been selling a range of security products under bland names and fake front companies to countries all around the world, including the US and Europe:

      https://www.nonproliferation.org/wp-content/uploads/2018/05/op36-the-shadow-sector.pdf

  7. adam payne

    Rose added that a lot of these organisations - including water, electric and telecoms organisations – are facing challenges, as their legacy systems increasingly interface with and are exposed to the internet

    There should be no legacy systems anywhere near the internet, that's just standard best practice.

    1. Anonymous Coward
      Meh

      Legacy

      There should be no legacy systems anywhere near the internet, that's just standard best practice.

      "Legacy" is a word invented by salesmen who want to sell you some expensive new bit of crap. "Older than something I'm selling" is not a justification on its own for replacing something.

      1. Mark 85

        Re: Legacy

        So Win 95 and some 10 year old routers aren't legacy?

      2. Doctor Syntax Silver badge

        Re: Legacy

        Legacy is the really valuable stuff that's running the business that's earning the money to pay you to develop new stuff which will probably prove ephemeral. It's not broken, don't fix it.

        1. DavCrav

          Re: Legacy

          "It's not broken, don't fix it."

          ...is what is said right up until something breaks.

      3. Nick Kew

        Re: Legacy

        Legacy has a bit more meaning than that. How about "no longer supported"?

        1. Anonymous Coward
          Anonymous Coward

          Re: Legacy

          ...or maybe "not vulnerable to all the **** that the current version contains "

          (Says someone who once had windows advise me to update to the vulnerable version, so it could fix it)

      4. adam payne

        Re: Legacy

        Then we have differing views on what legacy really is.

        A legacy system to me is a system that is out of extended support and is no longer supported by the developer.

  8. John Smith 19 Gold badge
    WTF?

    "But, but that would mean less profits to our (overseas) owners" Boo hoo.

    Note that HMG doesn't mind all UK water companies being foreign owned, or that some of them are owned by government operated foreign utilities.

    Just as long as they aren't on the hook for any EU water quality directives caused by decades of (government) under funding.

    Note that dividends over security or dividends over asset security is a Board choice.

    You want to use the internet instead of private leased lines? This is the price you pay.

    Historically only BT offered leased lines (IIRC) but maybe now it's something other providers might y'know provide? "Thames water telemetry. Brought to you by Sky" ?

  9. steviebuk Silver badge

    It's not just that...

    ...when they say "Because of difference in margins, in my experience it is more difficult for a water company, say, to hire a top cyber security team than it is for a bank. There is that industry challenge."

    It's also because some companies like to cut costs for greed. And they see IT as a blocker so outsource it instead. Then big the cheapest option.

    1. steviebuk Silver badge

      Re: It's not just that...

      If only my phone had grammar and spell checking.

  10. Destroy All Monsters Silver badge
    Paris Hilton

    Can someone activate the A-Ark?

    By focusing on skills from computer science and STEM, the government and industry are narrowing their pool for general diversity.

    So they want the bizarrely specific "cyber security geek" (best brown, female, LBQT) but think such people can be had from the near infinite pool of literary types, sportsy jokers and rappers?

  11. Daggerchild Silver badge

    Blue Peter

    Hark, is that the sound of another of the country's essential systems expensively trying to reinvent a wheel that other people already invented over a thousand times before?

    If tests prove they can't do it, and they don't have the resources/expertise to do it, and tasering them is (fun, but) a total waste of everyone's time, but you *need* it to be done right, then TAKE IT OFF THEM and have them rent it back, from people whose job it is to ensure the country's infrastructure isn't embarrassingly insecure shit.

    How many times do people need to reinvent an SSL armoured REST API, with a test suite, staging area, and monitoring? It's not like the Internet Protocol is different for a sewage worker and a financial trader.

  12. handleoclast
    Coat

    Smart Meters

    Perhaps they'll also penalize the idiots who insisted on foisting insecure "smart meters" on us.

    1. John Smith 19 Gold badge
      Unhappy

      "Perhaps they'll also penalize the idiots who insisted on foisting insecure "smart meters" on us."

      Starting with the Peer who inserted the relevant clauses-for-cash in the necessary Bill.

      This is not an EU requirement.

      It is driven by Tony Blair wanting to stuff up Gordon Brown.

      Nothing else.

      1. EnviableOne

        Re: "Perhaps they'll also penalize the idiots who ...

        Please See Directive (EU) 2016/1148

        http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG&toc=OJ:L:2016:194:TOC

        The majority of its content is now codified in UK law through the DPA2018

  13. Claverhouse Silver badge

    "The initiative to introduce coding into primary schools, which we welcomed in principle, may have fallen into some difficulties in practice," he said. "For one, it's not obvious that the initiative has included cyber security in its curriculum. Secondly, I'm not sure it's inspiring people into the profession."

    MacWillson noted that currently just 7 per cent of cyber security staffers are women, making up just 4 per cent of his own institute's ranks.

    And 40% of all human effort and monies devoted to getting kiddies --- or anyone else --- to code, or do anything in the world, will be committed to achieving an equality of sex and ethnicity amongst those who finish.

    For we are, above all, a moral people.

  14. Anonymous Coward
    Terminator

    Legacy systems exposed to the Internet

    "a lot of these organisations .. are facing challenges, as their legacy systems increasingly interface with and are exposed to the internet."

    The solution being to build a distributed VPN network running on embedded hardware, providing end-to-end encryption and authentication. The Raspberry Pi could do the job.

    1. David Roberts
      Windows

      Re: Legacy systems exposed to the Internet

      Was going to post much the same.

      Upstream was the proposal to mandate private networks.

      Everything these days is "virtual" so a Virtual Private Network should meet the security requirements; that is, transported over a common carrier (the Internet) without any access to the Internet. I am not surprised that Kilostream is being phased out. There is an overhead in maintaining dedicated physical circuits plus a lack of resilience to physical damage. You need discrete physical routes all the way for your minimum two circuits, instead of doubled-up connections to your nearest two network nodes. You need to manage the whole network not just the endpoints. You are limited to one supplier.

      As far as I can tell the main problem is people wanting to have access to and from the network to the Internet. Just say no!

      1. Anonymous Coward
        Anonymous Coward

        Re: Legacy systems exposed to the Internet

        > As far as I can tell the main problem is people wanting to have access to and from the network to the Internet. Just say no! ..

        YES!
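The arrangement David Roberts describes above (telemetry carried over the public Internet inside a VPN, while the telemetry network itself is given no path to the Internet) can be pinned down in a gateway configuration. The following is an added example, not the thread's or any commenter's own setup; it assumes a WireGuard site-to-hub tunnel brought up with wg-quick on a Linux gateway with nftables, and the interface names, addresses, hostname and key placeholders are all constructed for illustration.

```ini
# Site gateway: /etc/wireguard/wg0.conf  (constructed example, not from the page)
# eth1 = this site's telemetry LAN, 192.168.50.0/24 (placeholder)
# wg0  = tunnel overlay, 10.99.0.0/24 (placeholder); the collector sits on the hub at 10.99.0.1
[Interface]
Address = 10.99.0.2/24
PrivateKey = <site-private-key-placeholder>
ListenPort = 51820

# Forwarding policy for traffic the gateway relays on behalf of the telemetry LAN:
# LAN -> overlay and overlay -> LAN are the only permitted directions; the chain's
# default policy drops everything else, so a telemetry host whose default route is
# this gateway still cannot reach the public Internet. The gateway's own UDP
# session to the hub is locally generated (output, not forward) and is unaffected.
PostUp = nft add table inet telemetry
PostUp = nft add chain inet telemetry forward '{ type filter hook forward priority 0; policy drop; }'
PostUp = nft add rule inet telemetry forward iifname "eth1" oifname "wg0" ip daddr 10.99.0.0/24 accept
PostUp = nft add rule inet telemetry forward iifname "wg0" oifname "eth1" ip saddr 10.99.0.0/24 accept
PostDown = nft delete table inet telemetry

[Peer]
# The hub. AllowedIPs limits what is routed into the tunnel AND what WireGuard will
# accept out of it (cryptokey routing): a packet arriving from the hub with a source
# outside 10.99.0.0/24 is discarded before it ever reaches the firewall. Setting
# 0.0.0.0/0 here would turn the tunnel into a default route, which is the opposite
# of the "no Internet access" requirement.
PublicKey = <hub-public-key-placeholder>
Endpoint = hub.example.invalid:51820
AllowedIPs = 10.99.0.0/24
PersistentKeepalive = 25
```

The gateway also needs `net.ipv4.ip_forward=1` for the LAN to be relayed at all; with forwarding enabled and the chain above loaded, a quick check from a telemetry host is that it can reach 10.99.0.1 but a packet to any public address is dropped rather than NATed out. Replicating this config on a second gateway with a second uplink gives the doubled-up connectivity the post contrasts with dedicated physical circuits, without either gateway exposing the telemetry LAN.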

  15. ElleCastillo

    I think the proposed fines are a step in the right direction, but I don't think they go far enough. The UK's critical infrastructure is vital to the country's functioning, and any vulnerabilities in that infrastructure could have devastating consequences. I think the fines should be much higher to reflect the potential severity of the consequences of a cyber attack on critical infrastructure. Also, I think that the big companies should have penetration testing Brisbane done once a year. This will discover all the vulnerabilities in their security system.
