In the early hours of 26 September, a series of blasts on two subsea pipelines connecting Russia to Germany led to four gas leaks at four locations in the Baltic Sea —two in Denmark’s exclusive economic zone and two in Sweden’s exclusive economic zone.
The leaks on the Nord Stream 1 and 2 pipelines —which might be the single largest release of methane in history— intrigued the international community, with many in Europe suspecting they were the result of an attack perpetrated by Russia.
Don’t have time to read the whole blog entry? Then watch our “Blog in 1 minute” video for a quick summary of its main points:
This event also put the vulnerability of Europe’s critical systems at the centre of political attention. On 22 November 2022, the European Parliament approved almost unanimously —with 595 votes in favour and only 17 against— legislation that aims to improve the security of physical and digital infrastructure in Europe —the so-called Directive on the Resilience of Critical Entities (CER).
The gas leaks example is just one of the regrettable events that are putting critical infrastructure security in the spotlight. So it comes with no surprise that the PwC Cybersecurity & Privacy Day, which took place in October this year, focused precisely on this timely matter. It’s also the focus of Season 6 of TechTalk, our technology podcast.
In this blog, we explain what critical infrastructure is, adding the word “protection” right after. We then examine why protecting critical infrastructure is so important, especially in the context we are living in, and finally we share some tips to better shield essential assets against cyber attacks.
What is Critical Infrastructure?
The term critical infrastructure refers to assets that are essential for the functioning of a society, a country or an economy —or all of the “above”. It could be, for instance, assets related to public health (such as hospitals), water or energy supply, telecommunications, financial services —just to name a few.
You can easily imagine the tremendous impact it could have on your daily life if one of these assets would shut down —if they fail, you might stop having water or electricity at home, for instance. Or worse, it could also have an impact on other critical infrastructures. Take the example of a power outage because an energy supplier failed: there would be hundreds of hospitals, banks and schools that would no longer be capable of serving their purpose. Thus, they are considered as critical.
But things can get even scarier. Due to the interconnection of most infrastructures nowadays, it’s very likely that this would also have an impact on other sectors or neighbouring countries.
Adding the word “protection” to critical infrastructure
Defining what should be considered as critical infrastructure was the starting point of a longer-term strategy, whose goal was, ultimately, about protection. Indeed, safeguarding critical infrastructures has become a needed movement with the digitalisation of society and organisations.
The first step in this direction was the creation of the European Programme for Critical Infrastructure Protection (EPCIP) back in 2006, which was reflected in the European Union (EU) Member States soon after.
The EPCIP’s goal goes beyond stating that these infrastructures need to be protected. It’s also about defining operator security plans to perform risk analysis based on each asset’s major threat scenarios and vulnerabilities. The final target is to delineate countermeasures to be used in times of crisis. The Haut-Commissariat à la Protection Nationale in Luxembourg, for example, was created for that purpose.
Moreover, one of the major objectives of the Grand Duchy’s National Cybersecurity Strategy (IV edition) is to strengthen the security and resilience of digital infrastructures in the country. This paper sets out the priorities for Luxembourg to achieve this objective and addresses topics such as resilience, digital sovereignty, protection against a distributed denial-of-service (DDoS) attack, among others.
The impact of cyber attacks on critical infrastructure
We can sum it up for you in two words: digital transformation. By now, we can all agree that with every great new technology comes a new cyber risk —or two. And there is no exception when it comes to critical infrastructure.
It’s probably straightforward for you to picture how technology can impact telecommunications and the financial world, but what about the health sector, for instance? It may come as a surprise, but the impact is tremendous. Hackers have targeted hospitals —more precisely, their systems and devices— and, as a result, they had to reschedule surgeries, some of them vital.
And this happened simply because of sterilisers. These appliances are usually connected to the network for traceability reasons —it’s more efficient than manually keeping track of everything that’s been cleaned. So, if the network is down due to a cyberattack, then your hands are tied.
A couple of years ago, we experienced the first ever case of a fatality directly linked to a cyberattack.
Ransomware hackers targeted a hospital in Germany, blocking the access to a patient’s information and later causing her death. While critical infrastructure protection was already a key topic, this lamentable event acted as a catalyst in the critical infrastructure sphere, which was lagging behind in terms of cybersecurity maturity compared to the financial sector.
How did we get here?
In two words: digital transformation. Historically, critical infrastructure sectors were less connected, less digital and therefore less targeted. For these sectors, cybersecurity was just a drop in the ocean compared to “security” in terms of standard physical security or “safety”. Thus, cybersecurity wasn’t really a priority in terms of investment.
But while these sectors have become more connected, the hackers also have been changing their modus operandi. A couple of years ago, they mainly targeted financial institutions, aiming at stealing information and credit card data, but they have spotted a golden opportunity in targeting organisations that can’t afford not to remain fully stable and available, that is, critical infrastructures. The goal of such attacks is simple: to undermine trust and harm existing systems.
Unfortunately, that’s the direction the world is going in. In addition to “classical terrorism,” more organised, devious and politically motivated threat actors are emerging. If you think about it, it makes sense —these attacks make it easier to mask its perpetrators, which is a great asset for intelligence agencies trying to destabilise an enemy.
On a more positive note, the “good guys” aren’t crossing their arms and simply waiting —they are doing the same. The PwC Experience Center in Frankfurt, for example, built a full replica, at a smaller scale, of major industrial infrastructures —pipelines, solar panels, water pumps, among others. They tested scenarios about sabotage and “what ifs?” situations.
The idea behind is that, hopefully, the more prepared you get, the more you know the tactics and techniques of your opponent, and the better protected you are.
Can critical infrastructure sectors catch up?
They may have underestimated the risks of cyber attacks in the past, but it’s never too late to make up for lost time. According to our cybersecurity team, the gaps that they see are the same as for any other sector: lack of ownership and proper definition of roles and responsibilities, lack of training and awareness at management level as well as at employee level, lack of technical controls in place to secure the corporate environment, among others.
In fact, the only significant difference between critical infrastructure and other organisations is if it fails, society gets hit.
However, let’s not be too judgemental. To be honest, the financial sector, for example, especially in Luxembourg, has mainly improved their cybersecurity posture due to regulation. And the critical infrastructure sectors have only recently been faced with regulation, pressing organisations to make the shift. To be clear, regulatory compliance doesn’t mean security, but at least it gives the foundations required for organisations to engage themselves in the cybersecurity journey.
Tips to better protect critical infrastructure… from our Cybersecurity team
The first tip is pretty straightforward: define your business priorities, identify your cybersecurity risks, mitigate, control, increase your expectations, repeat.
It may be obvious, but you also want to implement the standard protection technologies and controls that every sane organisation should have and quickly switch your focus to detection and response.
Training is also key to success. While you can’t always reduce your exposure level and thus the probability that you will get attacked, the more you train, the lower the impact will be.
In that context, simulation is also crucial. You need to periodically simulate attacks in a very realistic way. You probably heard about penetration tests, red teaming, you name it, but that’s not enough: you have to do it, and for good reasons —such as improving your detection and response capabilities.
Let us highlight the word “realism” here. It’s a very important aspect of simulation, and it’s becoming more and more common to leverage on threat intelligence to scope exercises. If you want to protect your critical infrastructure in the energy sector, for instance, you need to know what the current threat landscape is in that sector, who the attackers are, and how they proceed.
Cybercrime is moving so fast that you can’t only rely on information that used to be true over the past months, you need to know what’s happening right now and be able to anticipate.
A word (of sympathy) to the security officer
Remember, the security officer needs to be able to address all the issues, all the gaps within their organisation, while the criminals only need one ounce of luck —an employee clicking on a link, an unpatched exposed application.
Maxime Pallez, Cybersecurity Senior Manager, who focus on Security Governance at PwC Luxembourg, couldn’t have said it better during our TechTalk episode about critical infrastructure: the security officer has to constantly “play a dangerous equilibrist game, where falling means being compromised while jungling with various sharpened knives —budget, time constraints,skills requirements, production constraints and legacy systems and proprietary technologies.”
Besides, the critical infrastructure security specialist has to deal with technologies that are quite different from the usual IT and corporate networks, devices and software. The cybersecurity solutions in this sphere have to be specific to cope with the technical requirements, and the skills and experience needed are far from the ones commonly found in the cybersecurity recruitment market.
Regulation, feared but crucial
The Network and Information Security (NIS)2 Directive aims at bringing a common level of cybersecurity in the EU for critical infrastructure. This new directive, that has yet to be adopted, will replace the first edition. Dating back to 2016, it brought key cybersecurity concepts to industries that were until then unconcerned with regulations.
More precisely, the NIS2 Directive extends the scope of impacted industries by adding new sectors —telecommunications in particular. Some of the key concepts addressed are risk management, incident management and reporting.
Similarly to a well-known privacy regulation —yes, the GDPR— it also introduces the concept of reporting the cyber incident to the local regulator within a 24-hour timeframe as well as the concept of fines. This means that entities who fail to comply with organisational and technical measures might face penalties up to 2% of their annual global turnover.
There’s probably a part of you —consciously or unconsciously— that’s in denial. “These kinds of attacks, which put people’s lives at risk, can’t be happening”. But, as the examples we shared throughout this blog entry show, they are. And unfortunately, it might only get worse from now on as critical infrastructures are at the heart of the modern conflicts.
We sympathise with your fear. A hacker disabling fire sensors on a gas pipeline? Nobody wants to go through this situation in real life. That’s why we can’t afford to take critical infrastructure protection lightly. There’s just too much at stake.
Ironically, no one dared to touch these sectors’ systems before because they were critical, now we have to strongly refactor and rethink them for the exact same reason. It’s time to think of cybersecurity as a minimum vital requirement for everything that impacts our daily life.
What we think
Critical Infrastructure is paramount in a modern society, failure of it provokes mayhem and undesired effects.
If you want to understand the impact hackers can have on critical infrastructures, you have to adopt their mindset. It’s all about financial gain, feeling of power and chaos. We have now reached a step where hacking has a tangible impact on our everyday life.