Analysis
Attacks and Vulnerabilities
Critical infrastructure
News
Regulation, Standards and Compliance
Reports
Risk & Compliance
Technology & Solutions
Threat Landscape
Vulnerabilities

Microsoft works on protecting critical infrastructure from cyberattacks, both nationally and internationally

July 29, 2022
Microsoft works on protecting critical infrastructure from cyberattacks, both nationally and internationally

Microsoft announces the publication of two reports that provide valuable insights to underscore the importance of protecting critical infrastructure against cyberattacks. The research builds on the legislative frameworks put forward by the European Union, which made this area a priority through the revised Network and Information Security (NIS) Directive that was agreed upon earlier this year. The reports go beyond legislation and bring in the perspectives of technology providers that are protecting their customers from sophisticated cyber criminals on a daily basis. 

One of the two reports focuses on protecting critical infrastructure against cyber threats while the second focuses on the healthcare sector. The reports bring in the perspectives of individuals working for critical infrastructure providers – those who may see cybersecurity as a burden – and identify ways to drive understanding and create buy-in across these organizations.

“Much more needs to be done to deter behavior that violates the spirit of international agreements and to foster collaboration and exchange of learnings on how to implement these agreements at the national level in a manner that is effective, secure, and can stand the test of time,” Kaja Ciglic, senior director for digital diplomacy at Microsoft and Nikolas Ott, project manager of European Governmental Affairs at Microsoft, wrote in a company blog post. “We are grateful that the governments of Slovenia and the Czech Republic have taken a leadership role in partnering with the multistakeholder community to begin developing recommendations in this space.” 

The executives also said that with critical infrastructure providers relying increasingly on technology to manage operations and deliver services, Microsoft is committed to partnering with governments to advance discussions around the importance of establishing international cybersecurity norms and working with our customers to strengthen the security of their systems. “This could include leveraging artificial intelligence that proactively monitors the threat landscape and detects patterns that can provide early warnings about potential threats,” they added.

The Microsoft reports have been released to coincide with the United Nations Open-Ended Working Group (UN OEWG) on cybersecurity, which convened this week in New York to discuss existing and emerging online threats, norms for responsible state behavior in cyberspace, how international rules apply online and how to make progress on implementing them.

The recommendations propose that cybersecurity must be understood as a continuous process. There will always be important systems in need of protection against malicious actors with harmful intentions and sophisticated capabilities. Risk management needs to be at the heart of any approach taken. The cybersecurity field is still maturing. technology continues to evolve, and attackers are innovating their techniques as well. Cybersecurity is a rapidly adjusting field and it is likely to remain so for some time, needing continuous good practices and improved regulatory frameworks consistently. While focusing on the outcome, critical infrastructure installations need to constantly assess the right path towards getting there.

Microsoft also said that harmonization of approaches is required. Cyberattacks can have cross-sectoral effects. “While we investigated individual critical infrastructure sectors, we recognize that not only do these often rely on the same technologies, but attacks against them can also spill over. Harmonization of good practices is required to ensure we do not do more harm than good with regulatory approaches,” the executives said.

Cybersecurity responsibilities are distributed among many regional, national, and industry actors. Often these entities do not talk outside their sector or country. However, attackers do not care for those boundaries, and we need increased information exchange as it relates to good practices, cyberattacks, and related defensive actions. Furthermore, the cybersecurity ecosystem must be based on trust. CERTs, ISACs, and national competent authorities dealing with cybersecurity will likely have their responsibilities increase in the coming years. To ensure they are successful, creating an environment of collaboration, trust, and information exchange between public and private actors early on is key. 

Microsoft advised that capacity building is required for further collaboration and trust building. Its workshops echoed the call of the recent UN reports on cybersecurity that focus on a clear cybersecurity skills gap and more capacity building is desperately needed. The Global Forum on Cyber Expertise (GFCE) and other platforms can play a critical role in further advancing these efforts, domestically and internationally. 

Existing international cybersecurity norms need to be implemented. Governments in 2015 agreed on a set of international cybersecurity norms at the UN and these must be implemented. Certain countries have already begun highlighting how they are approaching their commitment, but more work needs to be done.

Additionally, international law applies to cyberspace. Recent discussions at the UN have made it clear that international law applies to cyberspace in its entirety. Nevertheless, this is an emerging area of law and further work is needed to reach a common agreement as to how international law applies to cyberspace. National statements, as well as work at the European Union (EU) level, and examples of practical discussions, such as those under the Oxford Process can help clarify its applicability.

The report also said that attribution in cyberspace is a multidimensional tool that needs to be utilized. Attribution has technical, political, and legal dimensions. Our technical ability to attribute cyberattacks has improved, both in terms of accuracy and speed. Legal frameworks have also been strengthened. However, given the political dimension involved, attribution remains a sensitive act. There must be consequences for malicious actors. Attacking critical institutions and services is still relatively risk-free when compared to other criminal endeavors. Attackers are rarely identified and punished. This needs to change in both the domestic and international contexts.

The second report identified attacks on the healthcare sector as attacks on people. These attacks, whether perpetuated by cyber or kinetic means, are attacks that hamper delivery and access to essential services with potentially devastating humanitarian consequences. Earlier, the healthcare sector has been severely impacted by major cyber incidents such as WannaCry, NotPetya, and countless others. Unfortunately, the volume of cyberattacks affecting the healthcare sector has increased dramatically since the start of the COVID-19 pandemic. 

“Medical staff and healthcare facilities, already under immense pressure due to the enormous medical needs generated by the pandemic, had to also deal with a surge of sophisticated and opportunistic cyberattacks at a time when societies needed the sector the most,” the report said. In a number of cases, this had a direct impact on patients, whose treatments were delayed or postponed, it added. 

The report also recognized that in the present interconnected world, no one is safe until everyone is safe. Recognizing this, the multistakeholder community issued a Call to Governments during the COVID-19 pandemic to put an end to cyberattacks against healthcare. The need to protect this sector has also been highlighted by the United Nations (UN) where states unanimously agreed to increase the protection of the healthcare sector from cyber harm by implementing norms of responsible state behavior in cyberspace. 

However, the global interdependence of the healthcare sector requires decisive multistakeholder action, spanning diplomatic, operational, policy, and capacity-building initiatives, as well as ensuring accountability for perpetrators of cyberattacks, the report added.

“The unique value of the reports comes from the diversity of perspectives they reflect, identifying trends and commonalities, the linkages between technology, regulation, and international frameworks, and potential paths forward,” Ciglic and Ott wrote in their post. “They hold important lessons to help organizations and governments create relevant frameworks for inclusive multistakeholder engagement at a global level, and strengthen a culture of cybersecurity across industries. We look forward to discussing the findings and potential next steps as part of this process,” they added.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
MITRE's CREF Navigator aligns with DoD's CMMC to boost cyber resilience in defense industrial base
MITRE’s CREF Navigator aligns with DoD’s CMMC to boost cyber resilience in defense industrial base
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation