In the past decade, several cyberattacks targeting critical infrastructures have come to light. Cybercriminals no longer seek only to steal personal information, such as credit card details from private individuals; they also attempt to hinder or debilitate the operation of online infrastructures, which can cause serious upheaval in real life and is a matter of national security.
Before digging deeper into this phenomenon and discovering how the EU intends to regulate IT security in this regard, let’s start at the beginning, and explore what critical infrastructures really are.
What are critical infrastructures?
Critical infrastructures are the physical and cyber systems and assets of a country or region that are so fundamental to its fluid operation that their incapacity or destruction would have a devastating impact on our physical or economic security or public health or safety.
These systems include, for instance, nuclear facilities, power grids, hospitals, oil and gas facilities, banks, and drinking water supplies.
Even though these cyberattacks are less widespread than other malevolent attacks, security professionals are showing concern about the increasing cyber-risks to these infrastructures due to the widespread utilization of IoT devices.
What are the critical factors that make them susceptible to cybercrime?
How does the EU regulate IT security?
There have been many attempts from the European Union to put in place IT regulations within its borders. To support cyber resilience, the European Commission presented the new Cybersecurity Strategy in 2020 consisting of 4 pillars, which are designed to bolster the EU’s online safety against cybercriminals.
The 4 pillars of the strategy are:
Image source: https://ec.europa.eu/info/strategy/priorities-2019-2024/promoting-our-european-way-life/european-security-union_en
“The strategy covers the security of essential services such as hospitals, energy grids, railways, and the ever-increasing number of connected objects in our homes, offices, and factories. The strategy aims to build collective capabilities to respond to major cyberattacks. It also outlines plans to work with partners around the world to ensure international security and stability in cyberspace. Moreover, it outlines how a Joint Cyber Unit can ensure the most effective response to cyber threats using the collective resources and expertise available to Member States and the EU.” - The Cybersecurity strategy
The German KRITIS to regulate critical infrastructures
Apart from the EU’s comprehensive attempts to tackle cybercrime, certain countries have taken the matter into their own hands. In 2011, Germany created its own Cyber Security Strategy, called KRITIS, to control the security of its own critical infrastructures. Its objective is to thoroughly protect the networked systems without creating obstacles to taking advantage of the opportunities and benefits of cyberspace.
How can CCLab help your organization comply with regulations?
At CCLab, our mission is to make the world a more secure place and to radically decrease the global cost of cybercrime. In the case of critical infrastructure, we help organizations comply with the IEC 62443 international standard, which has become the leading cybersecurity standard for plants, facilities and other infrastructures across industries.
IEC 62443 is a set of security standards that provides thorough and systematic cybersecurity recommendations. These can be applied to build cybersecurity that takes into account the infrastructures’ specification, integration, operation, maintenance, and decommissioning. Complying with this standard signifies the robustness, trustworthiness, and coherence of the system and provides an internationally recognized certificate that proves the achieved high level of cybersecurity.
Thanks to our demonstrated experience with critical infrastructure security and certification, our team at CCLab can assist your organization throughout the process, starting from the analysis and conformity assessment until the validation of the certification.