Preparing for new EU cybersecurity rules and regulations
Recently, the European Parliament signed off on its first ever set of cybersecurity rules. The Network and Information Security (NIS) Directive spells the end of more than three years of political bickering and requires critical national infrastructure operators, such as banks, healthcare, transportation, energy and digital service providers, to ramp up their security measures and report major data breaches.
The directive is poised to establish the first set of baseline cyber-security and breach reporting responsibilities in the European Union and will specifically require the implementation of measures that are proportionate to today’s cyber risks and will minimise the impact of modern-day security incidents.
This will work in tandem with the EU’s General Data Protection Regulation (GDPR), which will also force companies to tighten up their security with the threat of hefty fines and the small breach disclosure window. However, while the GDPR requires notification of a breach only when there is a risk to personal data, the directive takes things one step further, mandating operators to notify authorities whenever there is an impact on the provision of its service. The directive ultimately aims to improve security defences and knowledge sharing of today’s cyber threats.
It’s fair to say that hackers are using much more sophisticated techniques to gain access to data, which is making it much harder for companies to defend themselves. APTs, ransomware and stolen credentials are becoming increasingly common ways for hackers to get their hands on confidential information. Furthermore, there’s the insider threat to consider as people from within an organisation continue to pose a risk to network security, whether malicious or unintentional. It is generally agreed that no organisation is safe and threats will find a way onto the network, but they can be stopped before any damage has been done.
A big problem within the critical national infrastructure industry is that much of its infrastructure was developed and implemented prior to the proliferation of the internet. As such, many SCADA devices used by critical national infrastructure industries employ very basic, easily defeated authentication methods, transmitting data in clear text, with many cyber assets operating on old and vulnerable code bases. Examples of just how vulnerable SCADA systems are to attack include the recent Ukrainian power grid hack, which led to the first large-scale electricity outage, and the attack on a Ukrainian airport, in which suspicious malware was found on a computer at Kiev’s main airport, Boryspil.
Stuxnet and Flame are also two highly infamous forms of malware that have been used to hack into SCADA systems. These attacks highlight the growing threat to critical national infrastructure and SCADA systems, but also just how determined and capable hackers can be.
Gaining control of a SCADA system could, potentially, have a hugely damaging impact on a country and the increasing connectedness of infrastructure finds control systems being even more vulnerable to cyber-attacks, but also increases the knock-on effect an attack can have on other infrastructure sectors and capabilities. The situation is not likely to improve – as hackers will continue to target systems that require little effort on their part, yet have a large widespread impact.
What we often find is that those managing critical national infrastructure are relying on security strategies that are out of date and becoming increasingly obsolete. It is a dangerous misconception to think that using point-based perimeter tools, such as anti-viruses and firewalls are sufficient, especially when it comes to these industries that have such a huge impact on a country’s economic stability and development.
Today’s hackers are becoming increasingly persistent in their approaches and using extremely sophisticated tactics to exploit existing vulnerabilities. Sticking with basic security solutions may have worked in the years before cyber-attacks became one of – if not, the – biggest threat to national security, but this is no longer sufficient.
If hackers are finding new, innovative ways to get into IT systems, then logic would dictate that companies need to find new, innovative ways of protecting their IT systems. Unfortunately, avoiding a breach completely is unrealistic, but there are ways to take control and mitigate any subsequent damage.
Given the notion that computing environments may already be compromised, the critical national infrastructure industry needs to move their processes and priorities towards detecting when compromises occur, and responding to them as quickly as possible. While that does not mean that threat prevention itself is obsolete, it simply means these defences cannot be relied upon to protect against determined hackers. The time between detection and response is when systems are at their most vulnerable, and without a strategy in place to effectively and efficiently deal with the problem, the consequences could be far reaching.
Critical national infrastructure needs security intelligence, which ensures that all systems are continuously monitored so any type of compromise can be identified and dealt with as soon as it arises. Indeed, critical national infrastructure operators tend to be controlled across a variety of geographic locations, therefore, having a centralised system that can provide full visibility across all IT network activity in real-time is vital for the management of security.
Critical national infrastructure will continue to be a top target for hackers, and we cannot afford to have any sector not know if they can stay safe. Only by taking an approach capable of monitoring and analysing network activity in real-time can sophisticated attacks attempting to control critical national infrastructure and, more specifically, SCADA systems, be effectively detected, remediated and correctly mitigated before any significant damage is done.