Organisation & Compliance

Cyber security for critical infrastructures

The digitalization of operational value creation chains comes with considerable benefits for analysis, process optimization, and automation.

At the same time, this connectivity makes OT infrastructures and critical infrastructures vulnerable: users of the connected IT network, as well as third parties with physical or remote access to OT networks, can now reach ICS and SCADA systems that were previously isolated.

Digitalization also exposes the devices of critical infrastructures and of OT to attacks from the Internet. Experts believe that more than a third of industrial sites have at least one direct connection to the Internet, and that a full three-quarters of industrial sites have at least one device reachable from the Internet. The IT infrastructure can therefore serve as a gateway deep into the heart of an operation, all the way into the OT. Malware and ransomware are consequently extremely serious threats for OT environments as well.

The best-known examples are WannaCry, which caused significant damage to OT systems by exploiting a vulnerability in an outdated and unsupported version of Windows, and NotPetya, which paralyzed companies around the world and affected about 25 percent of all oil and gas companies. Botnets targeting SCADA systems in particular have also been discovered recently, and attacks on Internet of Things (IoT) devices remain popular.

Challenges when protecting critical infrastructure

Many critical infrastructure and OT networks consist of legacy devices that were originally designed to sit behind perimeter protection, including an air gap separating them from untrusted networks. Over the past few years, however, a large proportion of these devices have been connected to the rest of the corporate infrastructure, creating a seamless link between OT, IT, the Industrial Internet of Things (IIoT) and the Internet.

The system components contain many vulnerabilities, including unencrypted communication. Traditional standard security mechanisms are only applicable up to a point, because software and security updates have much longer cycle times in OT, or no patches are available at all. Many installations use devices with a long service life and obsolete systems for which the manufacturer no longer provides technical support. Systems developed in-house may also be in use that were built with virtually no regard for security.

Installing and testing updates is time-consuming and expensive, and carries the risk that critical systems will fail. Protecting critical infrastructure therefore requires attention to many details. These include physical security and building protection, such as access restrictions and access controls, as well as perimeter protection, whitelisting of approved applications and anomaly detection (unusual data traffic and unusual access).

Security for critical infrastructure is part of the reliability, security and availability of the network and its systems. The failure of a single system can have serious consequences, such as a blackout across an entire city.

The EU NIS Directive 2016/1148 of the European Parliament and of the Council of Europe, concerning measures for a high common level of security of network and information systems across the Union, came into force in November 2018. The aim of the Directive is to increase and bolster security in the EU. The NIS Directive imposes obligations on both the Member States and the EU itself.

Specifically, it sets out several obligations for the Member States:

  • Creation of a national strategy for the security of networks and information systems and the definition of security and reporting obligations for operators and suppliers
  • Designation of responsible national authorities, central contact points and CSIRTs with tasks related to the security of networks and information systems

At EU level, the Directive further requires a cooperation group to be set up to support and facilitate strategic cooperation and information exchange between Member States and to build trust between them. A network of national Computer Security Incident Response Teams (the CSIRT network) is also to be established to strengthen cooperation between the Member States and to ensure rapid and effective operational cooperation.

The NIS Directive applies to digital service providers and to operators of critical infrastructure. These organizations do not have to be domiciled in the EU, but they must provide services in the EU. Critical infrastructure comprises companies that provide a service essential for maintaining critical societal and economic activities, where the provision of that service depends on network and information systems and a security incident would have a significant impact on the essential service. The Directive identifies seven sectors of critical infrastructure and outlines the regulatory requirements and national supervision to be implemented.

This applies to providers and operators in the following areas:

• Energy: electricity, oil and gas
• Transport: air, rail, water and road
• Banking: credit institutions
• Financial market infrastructures: trading venues, central counterparties
• Healthcare: hospitals and medical care
• Water: drinking water supply and distribution
• Digital infrastructure: internet exchange points, domain name system service providers, top-level providers and domain name registries

Put simply, this means:

The majority of EU Member States, 16 in total, have established a single central contact point for all sectors of the economy concerned. Ten states have created several contact points, depending on the industry. The remaining countries have not yet reported any actions or contact points. The European Union is playing an increasingly important role in regulating and defining technological standards and their security.

The most important steps for operators of critical infrastructure:

  1. Identify and analyze critical systems and processes
  2. Define and implement roadmaps and goals to comply with directives and laws
  3. Continuously monitor and reassess risks in order to remain compliant with regulations
  4. Minimize the effects of security threats