Critical infrastructures under daily attack – ERNCIP head Georg Peter

How significant is the problem that we are facing?

‘Critical infrastructure is a very attractive target for terrorist attacks because of the potential for large loss of life, for example rupturing of a dam, poisoning drinking water or the air, or destabilising large parts of society, such as with a large-scale electricity blackout.

‘Critical infrastructures around the world, not just in Europe, are constantly being targeted by cyber attacks, as are many other systems used by society which are internet-connected. Every day, European vital services and infrastructures have to be able to resist many types of cyber attacks.

‘Attackers may try to achieve a denial of service (where servers are overwhelmed by the number of requests for information), or probe systems to find whether they suffer from a given vulnerability, or prepare for future unauthorised access to a system, or execute a complex attack that aims at disrupting the functioning of the critical infrastructures in order to impact the lives of citizens.’

What’s exactly meant by critical infrastructure?

‘Critical infrastructures are all these infrastructures which our society depends on in daily life. So it is not only transport and not only energy, it is also IT and there are many other sectors which could be included in that.’

What kinds of people are mounting these attacks, is it teenagers in their bedrooms?

‘There are a wide range of attackers, from kids up to state-sponsored, big teams which are hacking into, for instance, electricity delivery systems. The classic example is what happened in Ukraine (in 2015) when they brought a power plant down. This was probably a state-sponsored action involving a large group of experts.’

How could these risks evolve in the future?

‘The risk of attacks against such infrastructures is expected to continue to increase in the future as society becomes increasingly dependent on (the infrastructures) and particularly as they become more and more interconnected and interdependent. It will always be attractive for people with malicious intentions to attack infrastructure because of the high visibility of the consequences.

‘Without the implementation of appropriate security measures, it may become easier to attack these infrastructures because of the increase of accessibility via the internet for convenience or to enhance efficiency, with devices such as smart meters for measuring energy consumption or the internet of things (where everyday objects are equipped with web-connected sensors).’

How does the ERNCIP help in the task of fighting against attack?

‘The protection of infrastructure, critical or not, is the responsibility of the Member States. Therefore, the European Commission neither protects infrastructures, nor tells Member States which infrastructures to protect and how.

“

‘Critical infrastructure is a very attractive target for terrorist attacks because of the potential of large loss of life.’

‘However, the EU has defined how European critical infrastructures should be identified in the energy and transport sectors. According to this, each Member State has to identify those European critical infrastructures in these sectors that, if disrupted, would have a significant impact on more than one Member State, conduct a risk assessment, and implement appropriate counter measures.’

What else are you doing to help, for example hasn’t the ERNCIP implemented an inventory of testing facilities?

‘If you want to define standards, then you have to have the capability to test these standards. For example, if you develop a standard about how resistant a surface structure is against explosives, you must then have a facility which can test this. These facilities are very specialised and very costly, so not every Member State has one of these in every location. So the idea was to have a kind of inventory of all such existing facilities all over the Member States to make sure that if a company wants to develop a product according to a certain standard, they also can easily identify in which facility they can test their products against the standard.

‘Over recent years, the ERNCIP has actively undertaken (these) pre-standardisation activities in thematic areas concerned with chemical, biological, radiological, nuclear and explosives threats, as well as proposing a certification framework for the cybersecurity of industrial automation and control systems, improving the availability of protective security solutions.’

So the ERNCIP is focused on all sorts of threats to infrastructure, not just cyber threats?

‘Cybersecurity is certainly a very important aspect, and while it is not the major focus of the ERNCIP, we do also address cyber threats. In particular now, for instance, we have a project where we are looking at how we can certify IT components used in industrial environments to make sure that they match a certain security level, because you know every chain is as strong as its weakest link. If you have insecure elements within a system, and you can substitute them with elements that are certified to a common standard, then the whole system will become more secure.’

If you liked this article, please consider sharing it on social media.