Is Europe ready to defend critical infrastructure?

Richard Piggin | 12 Jan 2016

Prominent malicious attacks have brought the importance of robust UK cyber security to the attention of both the Government and the public. With a respected European agency recently publishing recommendations on how countries can better protect critical national infrastructure from cyber-attack, how does the UK measure up against these?

In November 2015, Chancellor George Osborne announced plans for a £1.9 billion investment in cyber security and the creation of the National Cyber Centre. In his speech he highlighted the need to protect our critical infrastructure, in particular those systems used to control physical entities, often now referred to as operational technology (OT). Following the recent Chatham House report into cyber security in the nuclear sector, the European Union Agency for Network and Information Security (ENISA) has now published its report on control systems security. Titled “Is Europe ready to protect SCADA?”, it focuses on Industrial Control Systems (ICS) cyber security maturity levels across Europe. The research describes national security postures and makes high-level recommendations for improving OT security practices. Four 'maturity profiles' of Member States were identified within the study:

  • Leading: with strong legislation and supporting mechanisms dedicated to ICS cyber security improvement
  • Proactive Supporters: focused on strong Critical Infrastructure operator support and driving ICS cyber security improvement
  • Reactive Supporters: with a focus on lessons learned and reactive means of improving ICS cyber security
  • Early Developers: in the process of developing legislation and supporting systems to protect ICS in critical infrastructure.

Individual Member States were not identified against a particular profile; however, the UK's position is leading in support, given a history of developments that already largely correspond to the major recommendations outlined in government policy on cyber security. The UK has stopped short of specific regulation to date, instead favouring a risk-based voluntary approach. The UK Government is working with industry to promote and align best practices and standards with the US National Institute of Standards and Technology (NIST) Cybersecurity Framework.

The study made six major recommendations to improve ICS cyber security maturity:

1. Align ICS efforts with national cyber security strategies and Critical Information Infrastructure Protection (CIIP) effort.

The research showed that ICS cyber security is currently not aligned with national strategies in some Member States; the UK clearly leads the way here.

2. Develop good practices specific to ICS cyber security.

Some Member States do actively promote industry good practice, and again the UK leads with the recently published Security for Industrial Control Systems. It makes sense to utilise existing good practice across Europe, but the issue for operators or asset owners will be navigating the plethora of guidance already available and dealing with the challenges of national compliance where it is mandated.

3. Standardise information-sharing among critical sectors and Member States.

This includes the recommendation to have a single platform and process, citing the US ICS-CERT as an example of both an incident-reporting channel and a focal point for good practice. An overarching national or EU-wide ICS CERT could be the focal point for sharing best practice and threat and vulnerability warnings.

4. Build ICS cyber security awareness.

The recommendation is for a more reactive approach to promote continuous improvement for policy developers as well as asset owners. The focus provided by a local ICS-CERT could offer a platform for building local knowledge and growing awareness.

5. Foster expertise with ICS cyber security training and educational programmes.

This recommendation focused upon the common misconception that IT security considerations apply equally to OT environments, which leads to security, operational and, potentially, safety flaws. The report recognises the scarcity of people who have a deep understanding of both ICS systems and cyber security, and the need to develop training programmes and facilities to fill the current shortfall, which will inevitably grow as awareness increases.

6. Promote and support ICS cyber security research and test-beds by involving ICS experts and vendors in addressing current and future threats, whilst supporting innovation and encouraging security by design.

More Member States are working on legal instruments to mandate minimum security requirements.

As previously suggested by Andrew Cooke in Angles in November, no one really advocates increasing regulation. Our experience has shown that regulation can stifle innovation and good practice development, whilst affording an illusion of security through compliance that may not address the specific risks to an organisation. Indeed, given the disparate and distributed nature of operational technology, it is hard to see how such regulation might be successfully enforced.

Experience tells us that excessive regulation can lead to increasingly ingenious circumvention. Therefore, a rational approach could be the continued development and promotion of international cyber security standards for control systems. The link between safety and security is never more apparent than in the area of OT, where a cyber-attack can undermine safety and safeguarding measures, leading to significant hazards.

A risk-based approach to cyber security and the use of standards can encourage organisations to take a pragmatic approach and encourage greater adoption.