As attacks targeting critical infrastructure increase around the world, such as the 2021 ransomware attack on Colonial Pipeline, which forced a temporary fuel pipeline shutdown that triggered gasoline shortages across several states, or the more recent sabotage against the Nord Stream pipeline, governments are taking a deeper look at critical infrastructure cybersecurity.
Two of the most notable regulatory changes this year include the implementation of the European Union’s Network and Information Systems Directive 2, known as NIS2, and the U.S. National Cybersecurity Strategy. Both hope to put into motion substantial changes in the resiliency of their respective critical infrastructure.
In January, the NIS2 Directive entered into force in the EU. This directive replaces and greatly expands the previous NIS Directive. It requires covered organizations to implement technical, operational, and organizational measures to manage the risks posed to the security of their network and information systems. The EU hopes to prevent, or at the very least minimize, the impact of incidents. NIS2 requires such capabilities as incident handling, business continuity, encryption, secure authentication, and security training to be in place at covered organizations.
While covered entities have yet to be fully defined, it will be up to individual EU nations to determine the specifics. Covered organizations will include those defined as “essential” or “important,” as well as their digital service providers. For those industries, compliance will be mandatory for entities with more than 250 employees and those that meet modest financial thresholds. And in specific industry sectors, entities must comply regardless of their size. The executive management of essential and important entities could be held liable for non-compliance.
“NIS2 was created to provide broader authority and regulatory impact on the critical infrastructure,” explains Wim Remes, managing director at Damovo Security Services EMEA. “The previous directive wasn’t always clear on what was covered. Consider the changes in Germany under the new rule. With NIS2, there are about 40,000 entities covered, up from 4,000 with NIS1.”
The new regulation will reach into nearly every industry, including digital infrastructure providers from data centers to DNS providers, as well as medical device, technology, and services providers. The healthcare industry alone includes everything from labs to research centers to hospitals. “Additionally, any supplier to a covered organization will be impacted too. That’s where a large part of the ‘blast radius’ is,” says Remes.
Unlike EU regulations, which go directly into effect, EU directives require each member state to develop its specific requirements. State NIS2 requirements must be published by Oct. 17, 2024.
Last month, the White House decided it would try to push its vision for critical infrastructure security beyond the executive order, Improving Cybersecurity for Critical Infrastructure Control Systems, published on July 28, 2021. With its National Cybersecurity Strategy, the administration hopes to shift some of the critical infrastructure cybersecurity responsibility onto larger organizations, enhance minimum security standards for critical infrastructure, and create a common set of critical infrastructure security regulations.
While the National Cybersecurity Strategy has five “pillars,” including forging international partnerships to pursue shared goals, investing in a resilient future, using market forces to drive security and resilience, and disrupting and dismantling threat actors, it is defending critical infrastructure that defines the very first pillar of the plan.
The plan calls for performance-based regulations, increased public-private collaboration, enhanced integration of federal cybersecurity centers and capabilities, updated federal incident response plans and processes, and modernizing national cybersecurity defenses.
Will the new plan work? That depends on whom one asks. Adm. Mike Rogers commented on the National Cybersecurity Strategy in a recent Nexus Podcast. “We need to start thinking about cybersecurity much more from a risk and a public harm perspective. If you look at it through [that] lens, there should be a greater willingness on the part of the government to take a more aggressive regulatory or legal role,” Rogers said.
Some who work in the industry aren’t as sure. Brian Martin, the founder of security consultancy Liticode, contends that setting minimal cybersecurity requirements for the sector will result in industry consolidation because of the cost of compliance. “It is impossible to do these expensive things on a small budget. The result will be much confusion over the redesign of existing systems, and not much will change that isn’t already being changed by insurance and the need to protect the bottom line,” said Martin.
Despite the lack of agreement on the effectiveness of regulations, most agree that more needs to be done. As NBC News reported last fall, a sizable hospital chain had services knocked offline by a ransomware attack, leading to surgery and patient care delays. Doctor appointments had to be rescheduled across the nation.
Meanwhile, there has been a growing string of notable attacks on critical infrastructure, starting with Stuxnet and continuing through Colonial Pipeline and many others, below:
It’s a list that certainly no one dependent on critical services wants to see grow. But the risks of cyber incidents involving essential infrastructure are only rising as organizations deploy more IoT devices and the management of OT/ICS and IT systems continues to converge. The research firm Gartner predicts that by 2025, 30% of critical infrastructure companies will have experienced a security breach.
Whether increased regulatory controls make the difference in industrial control security that governments hope for remains to be seen. But with geopolitical tensions rising globally and the increased connectedness of these systems, steps need to be taken to ensure their resiliency.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.