Critical infrastructure: beacons for cybercrime


Against a backdrop of strong geopolitical tensions, in which cyber threats and cyberattacks pose real risks for nations, the European Parliament voted on Thursday, November 10 in favor of adopting the new Network and Information Security directive, or NIS2.

In May 2021, Colonial Pipeline, the largest refined petroleum products pipeline system in the United States, suffered a devastating cyberattack. This attack is still in everyone’s memory, as it paralyzed the company concerned. The breach, due to a vulnerable VPN password, effectively shut down the business for several days, causing oil shortages on the East Coast. This is just one example of the devastating effect an attack on a vital industry can have.

Thirteen sectors are grouped under the generic term “critical infrastructure”, namely: chemicals, civil nuclear, communications, defence, emergency services, energy, finance, food, utilities, health, space, transport and water. These companies, which provide services essential to the day-to-day running of society, are teeming with extremely sensitive and confidential data that malicious cyber actors can easily monetize on the dark web, thus fostering cybercrime and disruption.

This high risk has already been felt around the world, as various national and public bodies have been targeted, from the governments of Cuba and Peru to water companies such as South Staffordshire Water, to the largest operator Denmark Rail and the NHS, which was hit by a supply chain attack. Given the current political tensions around the world, the risk of another attack on our critical infrastructure is not only concerning, but also very likely. So let’s take a look at what the current threat landscape looks like and how businesses, as well as government agencies, can better protect themselves.

Why is critical infrastructure more at risk?

The focus on critical infrastructure is intentional. Cybercriminals are well aware of the impact that the slightest disruption has on vital services, not only financially, but also on public trust. For example, we cannot imagine people being deprived of electricity or water. This means companies are more likely to pay ransomware demands. Hackers are also very shrewd: they strike during times of trouble and take advantage of the current energy crisis, for example, to launch phishing or man-in-the-middle attacks.

Another common risk factor for critical infrastructure companies is that they all have a high level of interconnected technologies. These can be old devices that may not be used every day but are still active, or equipment that is essential to business operations but only works with old software that cannot be patched. A large share of these assets, although present on our managed networks, does not fall under our specialized digital and security teams. It is true that some industries are more dependent than others, such as utilities, but all sectors have their own battle to fight.

Without a coherent understanding of their technology base, these industries find it much more difficult to implement an overall security strategy and leave the field open to hackers who want to access the entire network.

Is the problem due to increased connectivity?

The situation has worsened with the introduction of IoT devices, which are incredibly complex to manage and rarely designed with security in mind. The more data companies collect and the more they expand their network infrastructures, the more attractive they become to hackers, and the harder it is for them to defend against threats.

It is essential not to forget past experiences such as the Colonial Pipeline attack, but to use them to prepare the measures to come. While increased connectivity expands the attack surface and makes it more difficult to manage, technologies are available to secure these connected devices against new threats and facilitate this transition.

It is therefore essential not to block technological progress. In the transport sector, when boarding a plane, how do you know whether a pilot is controlling the aircraft or whether it is on automatic pilot? Yet that doesn’t change our intention to travel and vacation with confidence. It is possible to establish the same level of confidence when it comes to developments in unmanned cars, despite their high level of connectivity and reliance on computing. To do this, it is essential that manufacturers build security into these products. If security is considered in the design, then the chances of breaches are lower. This is a message for all sectors, but especially critical infrastructure.

OIVs (operators of vital importance) are thus real beacons that attract cybercriminals from all over the world. The threat level continues to grow, and the consequences are only getting worse. It is time to act, and prevention should be at the heart of all the measures they take to better protect themselves. May this beginning of the year see the implementation of real cyber strategies within companies.




