The security of critical infrastructure has been high on the agenda in 2023, with cyberattacks and other risks posing a persistent threat to the technologies and systems relied upon for essential services such as energy, food, electricity, and healthcare.
Research from cybersecurity services firm Bridewell assessed the current state of critical national infrastructure (CNI) threats in the UK and the US, warning that global economic downturns, geopolitical tensions, nation-state actors, and ransomware are all contributing to increasing threats faced by organisations and suppliers in the CNI space.
In April, it was revealed the hacking group responsible for the significant supply-chain attack targeting VoIP company 3CX also breached two critical infrastructure organisations in the energy sector, with one located in the US and the other in Europe.
Meanwhile, the UK National Cyber Security Centre (NCSC) issued an alert about a new class of Russian cyber adversary threatening the UK’s critical infrastructure. In March, the White House’s National Cybersecurity Strategy reclassified ransomware as a tier-one national security threat following a series of attacks hitting CNI services like food suppliers, hospitals, and schools.
In response, multiple initiatives, programs, guidance, and standards have been launched this year to enhance the cybersecurity of critical systems and tackle the growing risks that threaten CNI.
Vendors, governments, industry bodies, and nonprofits have all contributed, with information-sharing and collaboration a key theme of many efforts to increase cyber resilience across the CNI spectrum. Here are 10 notable examples from the year so far.
UK introduces Product Security and Telecommunications Infrastructure Act
In December 2022, the Product Security and Telecommunications Infrastructure (PSTI) Act was introduced into UK law, with organisations granted the duration of 2023 as a grace period to achieve compliance with its new rules.
The act sets out provisions on the security of internet-connectable products, of products capable of connecting to such products, and of electronic communications infrastructure.
Products covered by existing legislation (including healthcare monitoring products and smart meters) or products that are complex and may one day have their own legislation (for example autonomous cars) are not covered by the PSTI Act.
Three key areas require compliance:
- Clear information on support periods stating exactly how long manufacturers will continue to provide updates.
- Default passwords are not permitted, which means users will need to be supplied with unique product passwords upon first use, which then need to be changed.
- Information on how anyone who finds a vulnerability can report it to the manufacturer, and a requirement for the manufacturer to inform its customers of vulnerabilities and provide a fix in a timely manner.
EU NIS2 Directive sets out new standards for essential entities
In January, the Network and Information Security Directive (NIS2) came into force in the EU, introducing a new regulation component that extends to critical infrastructure.
Under NIS2, organisations classed as “essential entities” such as providers of energy, transport, and healthcare will be subject to the strictest requirements and most comprehensive regulatory oversight – including (potentially) on-site inspections and targeted, independent, security audits.
NIS2 replaced the NIS directive that took effect in the EU in 2018, and EU countries must meet the updated rules by October 2024.
With the changes implemented through NIS2, EU regulators are recognising the increasing risk of cyberattacks on critical infrastructure and their web of third parties.
“Notably, the revised legislation encompasses a broader spectrum of organisations and businesses, imposing a mandatory obligation to promptly notify relevant authorities within 24 hours of a cyberattack and sets a minimum baseline security standard to be upheld by these entities,” says Tim Callan, chief experience officer at Sectigo.
NATO, EU launch critical infrastructure resilience task force
In January, NATO and the EU agreed to create a task force on resilience and critical infrastructure protection. In the wake of Russian President Vladimir Putin’s weaponisation of energy and the sabotage of the Nord Stream pipelines, the pair said that the task force’s focus is on making critical infrastructure, technology, and supply chains more resilient to potential threats and taking action to mitigate vulnerabilities.
The following month, senior officials from NATO and the EU met to officially launch the NATO-EU Task Force on Resilience of Critical Infrastructure. The initiative brings together officials from both organisations to share best practices and situational awareness, along with developing principles to improve resilience.
The task force began with a focus on four sectors: energy, transport, digital infrastructure, and space.
In December 2022, NATO experimented with AI’s ability to protect critical infrastructure, with findings indicating that it can help significantly in identifying critical infrastructure cyberattack patterns/network activity and detecting malware to enable enhanced decision-making about defensive responses.
International task force combats ransomware national security threats
In January, 36 governments and the EU launched the International Counter Ransomware Task Force to combat ransomware attacks that pose national security threats, particularly those that impact businesses in the CNI sector.
Led by the Australian government, the coalition aims to enable sustained and impactful international collaboration designed to disrupt, combat, and defend against increasing ransomware threats through information and intelligence exchanges, sharing best practice policy and legal authority frameworks, and collaboration between law enforcement and cyber authorities.
The International Counter Ransomware Task Force has great potential to have an immediate effect compared to other industry initiatives, says Craig Jones, vice president of security operations at managed detection and response provider Ontinue.
“This is due to its international focus on ransomware, the most formidable global threat to businesses and infrastructure as a whole.”
SANS Institute releases ICS Cybersecurity Field Manual volumes 2 and 3
The SANS Institute released two new volumes of its Industrial Control Systems (ICS) Cybersecurity Field Manual, providing ICS cybersecurity professionals and risk managers new insights into incident response, vulnerability management, defender skillsets, team management, and security tools/protocols to defend systems.
Volume 2 was published in January, while Volume 3 was published in May.
“The SANS ICS Cybersecurity Field Manual series is an essential tool for all ICS security professionals,” says ICS expert, field manual author, and certified SANS instructor Dean Parsons.
“It should find a home on the desk of every control system operator, critical infrastructure cyber defender, and ICS/OT risk manager, in all industrial control system sectors globally.”
CISA updates Cross-Sector Cybersecurity Performance Goals
In March, the US Cybersecurity and Infrastructure Security Agency (CISA) updated its Cross-Sector Cybersecurity Performance Goals (CPGs) to help establish a common set of fundamental cybersecurity practices for critical infrastructure.
The CPGs are a prioritised subset of IT and OT cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques.
Version 1.0.1 reordered and renumbered the CPGs to align more closely with the NIST Cybersecurity Framework. The update included new guidance relating to phishing-resistant multi-factor authentication (MFA) and incident recovery planning.
Cybersecurity firms form the Elite Cyber Defenders Program
In April, global cybersecurity firms Accenture, IBM, and Mandiant joined the Elite Cyber Defenders Program – a new, collaborative initiative led by Nozomi Networks and designed to help secure critical infrastructure. The program aims to provide global industrial and government customers access to strong cybersecurity defense tools, incident response teams, and threat intelligence.
Each participant in the program will offer custom-designed incident response and assessment programs for joint customers, along with committing to working with Nozomi Networks Labs on shared threat intelligence and joint security research focused on identifying novel malware and new TTPs employed by threat actors.
OT giants collaborate on ETHOS early threat, attack warning system
In April, a group of OT security companies that usually compete with one another announced they were setting aside their rivalries to collaborate on a new vendor-neutral, open-source, and anonymous OT threat warning system called ETHOS (Emerging Threat Open Sharing).
Formed as a nonprofit, ETHOS aims to share data on early threat indicators and discover new and novel attacks threatening industrial organisations that run essential services, including electricity, water, oil and gas production, and manufacturing systems.
It has already gained US CISA endorsement, a boost that could give the initiative greater traction. All organisations, including public and private asset owners, can contribute to ETHOS at no cost, and founders envisage it evolving along the lines of the open-source Linux operating system.
ETHOS community and board members include some of the top OT security companies: 1898 Co., ABS Group, Claroty, Dragos, Forescout, NetRise, Network Perception, Nozomi Networks, Schneider Electric, Tenable, and Waterfall Security.
“This is a community effort,” says Marty Edwards, deputy chief technology officer for OT and IoT at Tenable. “We’re hoping that we can get a technology-neutral third party [to stand up ETHOS] and whether that’s a government entity, an information sharing and analysis center, or quite frankly, whether we have to stand up our own entity under the nonprofit organisation.”
UK NCSC announces Principles Based Assurance framework
In April, the UK NCSC announced that it was establishing the Principles-Based Assurance (PBA) framework to measure and certify the cyber resilience of products and systems that, if compromised, could cause a significant impact on people’s lives.
This includes CNI, which faces significant cyber threats and attackers with resources, skill, and time working in a targeted way, the NCSC said.
The PBA will have a three-layered process. The first, foundational layer is the philosophy of a risk-based rather than a compliance-driven approach.
The second layer is developing a consistent method that can be followed, along with the documentation and templates to be used.
The final layer is how the method can be deployed and accessed as a service in the marketplace by both vendors and buyers in a consistent and trusted way.
The NCSC will be publishing the PBA method when it is available so that people can start using it. Work is underway on the service layer to design a way to scale the PBA philosophy and method through industry partners.
By next year, the NCSC plans to have an embryonic network of approved Cyber Resilience Test Facilities.
UK launches Secure Connected Places cybersecurity playbook
In May, the UK government published the “alpha” version of Secure Connected Places: Cybersecurity Playbook to support local authorities in improving the security of their connected places, including critical infrastructure and utilities such as smart energy systems that reduce pressure on the grid.
It was designed in collaboration with six local authorities and comprises several cybersecurity resources covering topics including governance, procurement and supply chain management, and how to conduct good threat analysis.
Connected places present an opportunity for local authorities to enhance the quality of living for their citizens, the playbook says.
However, without the necessary protection in place, the diversity and interconnectedness of technologies needed to operate connected places also makes them vulnerable to cyberattacks. “These attacks can lead to reputational damage, the loss of sensitive data, and the damaging of physical infrastructure that residents rely on.”