Beyond their titles, the two frameworks share striking structural similarities — each built around five pillars. Their core themes echo each other too. Both strategies argue that end users currently carry too much of the cybersecurity burden. They call on major technology companies, data owners, and technology providers to step up. Both also agree that public-private partnerships must be strengthened.
Setting cybersecurity requirements
Both strategies discuss the need for new or improved cybersecurity standards for critical infrastructure. This effort includes applying secure-by-design principles to software development and testing, including finding and fixing vulnerabilities in code, and extending requirements to the cloud service providers that hold critical data.
As to who will set these standards, the U.K. document focuses on CNI operators, who must raise their own standards and manage risk more proactively. The U.S. document takes a top-down approach: the Federal government uses its existing “authorities” to set requirements, with regulation that is performance-based and draws on established cybersecurity frameworks and existing voluntary standards and guidance.
Investing in cybersecurity
Strengthening cybersecurity requires financial investment by different stakeholders. The U.K. strategy cites planned investment by the national government of £2.6 billion in cyber and legacy IT over the coming three years. To help critical infrastructure sectors absorb the increased cost, the U.S. policy pairs incentives for implementing cybersecurity with regulation that levels the playing field, so that competitive pressure does not push operators to under-invest in security.
Improving resilience
The ability of critical infrastructure to repel threats and recover quickly from cyber attacks is an increasing concern as incidents escalate.
— A ransomware attack against the Irish Health Service Executive (HSE) disrupted Irish healthcare IT networks and hospitals for over 10 days.
— San Francisco’s Municipal Railway (MUNI) was hit by ransomware, forcing the agency to shut down its ticketing systems for four days.
— The Colonial Pipeline, one of the largest fuel pipelines in the U.S., was hit by a ransomware attack, forcing a complete shutdown that led to gasoline shortages.
— A DDoS attack targeted the Port of London Authority, forcing its website to go offline.
In the U.S. strategy, the Federal government plays a leading role in all aspects of critical infrastructure resilience, from facilitating collaboration among operators, government agencies and vendors “at speed and scale,” to strengthening its own systems through zero trust architecture and IT modernization.
As one example of a government initiative to improve resilience, a new U.S. Federal program run by the Cybersecurity and Infrastructure Security Agency (the Ransomware Vulnerability Warning Pilot) will notify critical infrastructure organizations when their internet-facing systems carry vulnerabilities known to be exploited by ransomware actors, so they can remediate before an attack succeeds.
The U.K. strategy calls for better incident planning and regular exercising on the part of CNI operators. Specifically, the U.K. will set clear requirements for CNI operators to exercise their incident response plans and to test their defences, including through adversary simulation.
CNI operators can become more resilient with better testing
Critical infrastructure operators use the Synack Platform to meet their security testing and vulnerability management goals. Synack pairs the expert, vetted Synack Red Team with continuous scanning, reporting, and patch verification — all in one place. Any organization — not just critical infrastructure — can use Synack to find vulnerabilities and address their root causes.