UK emergency services are unprepared for DDoS mitigation

Two-fifths of critical infrastructure providers have not completed basic cyber security preparations

A Freedom of Information request by Corero has shown that many of the UK's critical national infrastructure (CNI) providers (such as the NHS, police and other emergency services) have not completed government-recommended cyber security preparations.

Two-fifths of the 163 providers who responded to Corero's request - 39 per cent - said that they had not completed the government's 10 Steps to Cyber Security programme, making them liable to fines under the proposed Network and Information Systems (NIS) legislation.

The NIS, which will come into effect next March, is unrelated to the GDPR - but it has equivalent sanctions. Organisations that fail to comply will be liable for fines of up to £17 million, or four per cent of annual global turnover.

Of particular concern in the FoI request was the finding that many infrastructure organisations are unprepared to respond to DDoS attacks.

DDoS attacks are highlighted within the government consultation on NIS as a serious threat to CNI operators, with recommendations that such threats should be considered when operators are protecting their services from disruption.

Corero, which works to prevent and mitigate DDoS attacks, says that the majority are not like the Dyn incident in 2016, which affected websites like Twitter, Netflix and Reddit. 90 per cent of attacks stopped by the firm in Q1 this year lasted for less than 30 minutes, and only two per cent were larger than 10Gbps.

Small DDoS attacks like these often go unnoticed by cyber security staff due to their size, says Corero. However, they can be used to infiltrate and map networks. They can also provide cover for more serious security incidents (a smokescreen), like the installation of malware, or data theft.

Corero's FoI request revealed that more than half (51 per cent) of UK CNI organisations could be vulnerable to DDoS attacks, because they do not detect or mitigate short-term incidents. Although only five per cent said that they had experienced DDoS attacks in the past year, the actual number could be much higher.

42 per cent of European firms, surveyed by Neustar in May, said that DDoS attacks are accompanied by malware infections; an increase of 10 percentage points compared to the same survey last year. Neustar found that 27 per cent of attacks were accompanied by either ransomware or extortion attempts: almost double the previous year's 15 per cent. Worldwide, that figure stood at 23 per cent (a 53 per cent increase).

"By not detecting and investigating these short, surgical, DDoS attacks on their networks, infrastructure organisations could also be leaving their doors wide-open for malware or ransomware attacks, data theft or more serious cyber attack," said Corero director Sean Newman.

"To keep up with the growing sophistication and organisation of well-equipped and well-funded threat actors, it's essential that organisations maintain comprehensive visibility across their networks, to instantly and automatically detect and block any potential DDoS incursions, as they arise," he said.

Newman added, "Cyber attacks against national infrastructure have the potential to inflict significant, real-life disruption and prevent access to critical services that are vital to the functioning of our economy and society.

"These findings suggest many such organisations are not as cyber resilient as they should be in the face of growing and sophisticated cyber threats."