A SHORTAGE of expertise in cyber security could affect government plans to protect the country’s critical national infrastructure (CNI), including energy, health, emergency services and defence, according to one of the industry’s leading experts.

In its latest assessment of the threats to CNI, the Cabinet Office said that the transport sector continued to face “enduringly high levels of threat from international terrorism”, while the various sectors were “core strategic interests” for foreign intelligence agencies, whose activities were likely to include espionage for economic, political, military or commercial gain.

There was also a growing cyber threat, said the National Cyber Security Centre (NCSC), with more and more devices being connected to the internet.

“With the growth of our dependence on technology comes increased risk. We know there are hostile states and cyber criminals that may seek to exploit UK organisations and infrastructure to further their own agenda and prosperity. Campaigns can be persistent, including espionage, intellectual property theft or extortion by ransoming data, or through malware.”

The Sector Security and Resilience Plans are classified documents, and the published versions give little detail – not surprisingly – about how our CNI would be protected in the event of attacks.

But Kevin Murphy, president of the Scottish Chapter of international IT professionals association ISACA, told The National the lack of expertise cast doubt on their effectiveness.

“It’s all very well having a plan, but you’ll need people to put that plan into practice, make it effective and also to update it based on the latest threats,” he said.

“Now that is very, very difficult for governmental organisations when we know across the entire cyber security industry there’s already a 60 per cent shortfall in expertise.

“So the first question is, for each respective area, who’s going to put the plans into practice?

“When you look at CNI, because the Government plays such a large part, and in the document they emphasise the NCSC – can the government agencies be effective if they don’t have the budget to give continual cyber training for their personnel?

“How can they keep the best talent to help these plans evolve? What you’ll see is the richest industries such as finance, energy and communications, will offer the highest wages and will get the best talent. They’ll offer access to the most expensive training courses.

“And because of that you will find that the defences for CNI are probably lopsided to the richest industries, and that’s not necessarily where the greatest risk is.”

Murphy – a former police officer turned international award-winning security consultant who now works for RBS – said there was a need for more cooperation between the private and public sector to address security concerns.

“We are actually doing exercises which take in a number of banks, but also on some occasions the scenario will focus on the effects of a loss of power and will take in other sectors such as emergency services.

“The government plan has to include more cross-infrastructure planning. What happens if the water supply and the electricity grid are taken out; what happens if it’s the grid and then the financial centres?

“It needs to have that aggregate risk, and it’s not clear from the document how they are thinking about it.

“They’re even talking about the NCSC with 200 employees, but there’s a discrepancy between them and the private sector in terms of salaries and training itself.”

Murphy added: “It’s not all about money – they’ll never be able to compete with the banks, so they’ll have to tell how it’s a great place to develop careers, a whole benefits package.

“Plans are just academic until they are put into place.”