Critical Infrastructure and Cybersecurity

Cybersecurity | News | November 07, 2016

After the attacks in the United States (11-S) and in Madrid (11-M), the European Directive 2008/114/EC was approved in Europe and transposed into Spanish law as the PIC law (Law 8/2011), to establish measures for the protection of critical infrastructures. This law was subsequently developed through the regulation on the protection of critical infrastructure, Royal Decree 704/2011, approved on May 20th.

Which infrastructures are classified as critical? Those facilities, network systems, physical equipment and information technology systems that support essential services and whose operation is indispensable. They have no alternative, and any disruption or damage would have a serious impact on the population (health, safety, social and economic welfare, etc.).

The PIC law covers twelve strategic sectors that provide essential services: administration, space industry, nuclear industry, chemical industry, research facilities, water and wastewater systems, energy systems, health facilities, information technology and communication systems (ITC), transportation systems, food industry, and financial services.

The threats these infrastructures face are very diverse, but the scope of the critical infrastructure protection regulations is focused on terrorism, both physical and cyber.

The everyday use of electronic media and communication technologies has increased the risk of a cyber-attack. This type of attack is very tempting for cyberattackers because of its potential benefits, not only economic ones but also cyber-espionage, hacking, jihadism, denial of service (DoS), etc.

But what is a cyber-attack? It can be defined as an action carried out in cyberspace (IT infrastructures, communication networks and information systems) that compromises the availability, integrity or confidentiality of information through unauthorized access to, or modification, degradation or destruction of, information and telecommunication systems, or even the infrastructures that support them.

According to CCN-CERT (National Cryptologic Center - Computer Emergency Response Team), a total of 18,232 cyber-incidents were detected in Spain during 2015 in the public administration and in strategic companies. This number represents an increase of 41.45% with respect to 2014. This upward trend has been maintained since 2009, as shown in the following figure.

[Figure: Evolution of cyber-incidents in Spain managed by the CCN-CERT]

Source: Executive Summary Cyber Threats 2015 / Trends 2016. CCN-CERT

In addition, according to data from the Ministry of the Interior, cyber-attacks against critical infrastructures in Spain have also increased since 2013, with 17 registered in 2013, 53 in 2014 and 134 in 2015. The Ministry of the Interior forecast about 300 cyber threats to critical infrastructures during 2016, but in reality 118 incidents had already been recorded in the first four months of the year.

This growing number of cyber-attacks is due, first, to the low cost and ease of running such attacks, which can be launched from anywhere on earth (even from places very far from the target) with a very high impact. Secondly, the companies providing essential services, most of them private, have overcome their initial reluctance to publicly report the threats or incidents they suffer, a reluctance caused by fear of losing reputation and business, so today they report them very often.

Many cyber-attacks succeed because of inadequate management of software security updates; the use of obsolete software on computers, servers and mobile devices; the slow reaction of PC manufacturers and service providers in addressing detected vulnerabilities (almost always done a posteriori); attacks through APTs (Advanced Persistent Threats) or malicious e-mails (phishing); the interconnection of industrial control environments (SCADA); infiltrated staff; human error; demotivated employees; and, of course, the existence of ever more specialized attackers.

The growing use of information and communication technologies (ICT) exposes industrial control systems to the same risks. In 2015 there were cases in which entire production systems failed because of ransomware, spyware or spear phishing.

In order to manage the risks generated by physical and logical threats to critical infrastructures, it is first necessary to detect, identify and prepare for threats, to reduce the vulnerabilities of critical assets, systems and networks, and to mitigate the consequences so that the essential service can be recovered as soon as possible. Among the main measures that can be taken to prevent, mitigate or reduce the consequences of these new technological threats are the following:

  1. Implement and maintain a security policy with the involvement of the whole organizational structure, including senior management.
  2. Analyse the risks to assets (people, facilities, information systems, networks, etc.), which may be subject to various threats, both physical and logical.
  3. Apply security regulations and standards (ISO 27000, ISO 27002, ISO 27005, …).
  4. Implement physical security measures, such as:
    • Access control for personnel and materials
    • Install surveillance cameras in vulnerable or critical zones
    • Restrict access to public networks
    • Record and monitor access
    • Restrict and control access to critical assets
    • Test systems and processes through simulations and audits
  5. Implement logical security measures:
    • Install and maintain a firewall configuration to protect data (secure network)
    • Do not use the default system passwords and other security parameters provided by suppliers
    • Protect user data
    • Encrypt confidential information when it is transmitted over public or untrusted networks.
    • Use and keep antivirus software up to date (desktop and server).
    • Develop and maintain secure applications and systems (software patching, alerting for services exposed to the internet, deletion of default user accounts, …)
    • Restrict and control access to confidential information on a need-to-know basis.
    • Record access and manage logs.
    • Avoid the use of wireless networks or protect them adequately.
    • Assign a unique ID to each person for access to computers or networks.
    • Test security systems and processes (drills / audits)

In order to be effective, all measures taken have to be supported by training and awareness plans, and they have to be integrated into business continuity and contingency plans, evacuation and emergency management plans, recovery and reconstruction plans, health and safety plans, risk prevention plans, etc. Effective follow-up is needed to measure how well the measures taken reduce the organization's exposure to these threats.

Mª José Mateo del Horno
Security Consultant