Against a backdrop of intense geopolitical tension, where cyber threats and cyberattacks pose a real risk to countries, the European Parliament voted on Thursday, November 10, to adopt the new Network and Information Security Directive, or NIS2.
In May 2021, the Colonial Pipeline, the largest refinery pipeline system in the US, suffered a devastating cyberattack. This attack is still in everyone’s memory, as it paralyzed the affected company. A breach due to a vulnerable VPN password effectively brought business to a halt for several days, causing an oil shortage on the East Coast. This is just one example of the devastating effect an attack can have on a vital industry.
Thirteen sectors are grouped under the umbrella term “critical infrastructure”: chemicals, civil nuclear, communications, defense, emergency services, energy, finance, food, utilities, healthcare, space, transportation, and water. All these companies, which provide services necessary for the daily life of society, are troves of extremely important and sensitive data that attackers can easily monetize on the dark web, thus contributing to cybercrime and destruction.
This high risk is already being felt around the world, as various national and government bodies have been targeted, from the governments of Cuba and Peru, to water companies such as South Staffordshire Water, to Denmark’s largest rail operator, and the National Health Service, which was hit by a supply chain attack. Given the current political tensions around the world, the risk of another attack on our critical infrastructure is not only worrying, but highly likely. So let’s take a look at what the current threat landscape looks like and how businesses, as well as government agencies, can better protect themselves.
Why is critical infrastructure more at risk?
The focus on critical infrastructure is deliberate. Cybercriminals are well aware of the impact that the slightest disruption has on vital services, not only financially, but also on public trust. We cannot, for example, imagine people going without electricity or water. This means companies are more likely to pay when hit by ransomware. Hackers are also very perceptive: they strike in hard times, taking advantage of the current energy crisis to launch phishing or man-in-the-middle attacks, for example.
Another common risk factor for critical infrastructure companies is that they all have a high level of interconnected technology. This can include old devices that are not used every day but are still active, or equipment that is required for business operations but only works with old software that cannot be patched. Many of these assets, while present on managed networks, fall outside the remit of dedicated digital and security teams. It is true that some industries, such as utilities, are more dependent on it than others, but all sectors have their own struggles.
Without a clear understanding of their technology base, it is much more difficult for these industries to implement an overall security strategy, which leaves the field open to hackers who want to gain access to the entire network.
Is the problem related to the increase in the number of connections?
The situation has worsened with the advent of IoT devices, which are incredibly difficult to manage and rarely designed with security in mind. The more data companies collect and the more they expand their network infrastructures, the more attractive they become to hackers and the more difficult it is for them to protect themselves from threats.
It is important not to forget past experiences, such as the Colonial Pipeline attack, but to use them to prepare future measures. While enhanced connectivity expands the attack surface and makes it more difficult to manage, technologies are available to protect these connected devices from new threats and ease this transition.
Therefore, it is important not to block technological progress. In the transport sector, when you get on a plane, how do you know if the plane is being piloted or is on autopilot? Yet this does not change our intention to travel and go on vacation with confidence. The same level of confidence can be established for self-driving car developments, despite their high level of connectivity and reliance on computing. To do this, it is important that manufacturers build protection into these products. If the design takes security into account, the chances of hacking are lower. This is a message for all sectors, but especially for critical infrastructure.
Operators of vital importance (OIVs) are thus real beacons that attract cybercriminals from all over the world. The threat level continues to rise, and the consequences are only getting worse. It’s time to act, and prevention must be at the center of all the measures they take to better protect themselves. May the start of this year see the implementation of real cyber strategies in companies.