Securing Europe’s critical infrastructure: A Year-in-Review and strategies for cyber resilience

Critical infrastructure in Europe has faced major cybersecurity challenges in 2023, with adversaries deploying sophisticated ransomware attacks on critical systems, potentially disrupting train operations and exploiting vulnerabilities in maritime networks, posing significant operational risks to navigation and safety. European governments and organizations took steps to enhance cybersecurity measures, collaboration, and regulatory frameworks to address these evolving threats and protect essential infrastructure.

Reducing critical vulnerabilities and increasing resilience is one of the EU’s key objectives. Adequate protection must be ensured and the negative effects of violence on the community and the citizen must be limited to the extent possible. Cybersecurity efforts were shaped by existing and future directives, such as regulations, that incentivized organizations to strengthen security and comply with guidelines such as the NIS Directive and the EU Cybersecurity Act. However, compliance across industries remained a challenge, requiring constant efforts to increase adoption and remediation. 

Some of the measures adopted in the region include the European Programme for Critical Infrastructure Protection (EPCIP), which helps set the overall framework for activities aimed at improving the protection of critical infrastructure in Europe – across all EU States and in all relevant sectors of economic activity. The Commission has developed a Critical Infrastructure Warning Information Network (CIWIN) that provides an internet-based multi-level system for exchanging critical infrastructure protection ideas, studies, and good practices. 

A European Reference Network for Critical Infrastructure Protection (ERN-CIP) has also been created by the Commission to ‘foster the emergence of innovative, qualified, efficient and competitive security solutions, through networking of European experimental capabilities’. It aims to link together existing European laboratories and facilities, to carry out critical infrastructure-related security experiments and test new technology, such as detection equipment.

The U.K. government has set out proposals that concern all organizations within the scope of the Network and Information Systems (NIS) regulations. These measures seek to address through a comprehensive set of interventions that will act as a response to the gaps and threats, particularly within the NIS regulations, and will mature into a longer-term vision for the protection of the U.K.’s essential services, critical national infrastructure, and the increase of wider cyber resilience across the economy.

To address ongoing threats, heightened collaboration between public and private entities remains essential, apart from fostering information sharing and joint response mechanisms. Appropriate capital investments, prioritized innovations to stay ahead of evolving cyber threats, and comprehensive training programs were crucial to enhancing the cybersecurity posture of organizations within critical sectors.

Looking ahead to 2024, the European critical infrastructure sector needs further refining of its regulatory frameworks to address emerging challenges, adaptability to evolving threats, and foster a culture of cybersecurity resilience. Continued international cooperation remains vital, along with a focus on developing standardized practices to ensure interoperability and collective defense against cyber threats across European critical infrastructure sectors.

Industrial Cyber has collaborated with experts from the critical infrastructure, rail, and maritime sectors across Europe to analyze the significant cybersecurity advancements implemented by the industry in 2023 to safeguard its digital infrastructure.

Ongoing cybersecurity challenges in Europe’s critical infrastructure industry 

Gennady Kreukniet, senior OT security consultant at Applied Risk, a DNV company, analyzed advancements in cybersecurity that have been implemented by the critical infrastructure industry in 2023 to protect its digital infrastructure across Europe. When it comes to compliance, he assessed how critical infrastructure companies have navigated existing regulations, and what preparations are being made for upcoming directives.

“Companies in the critical infrastructure industry recognize the importance of the EU NIS2 directive. They understand the increased scope of the soon-to-be-implemented requirements and they are paying attention, particularly as the Directive assigns management accountability for failing to comply,” Kreukniet told Industrial Cyber. “The increase in scope is most notable in requiring companies to implement a risk management framework for cyber security and to implement best practices to ensure their organization’s cyber hygiene and to manage vulnerabilities at their organization and in the supply chain.”

Kreukniet pointed out that incoming stricter regulation is set to unlock budget and resources for CISOs and cyber security managers to implement stronger measures. “In DNV’s Cyber Priority research, for example, we see that professionals in the energy and maritime industries expect regulation to be the greatest driver of cyber security investment in their organizations in 2024. This shows how the certainty of the NIS2 implementation deadline of October 2024 is supporting a greater focus on cyber security in industries operating critical infrastructure.”

However, Kreukniet mentioned that as most Member States haven’t yet transposed the Directive into national law, there are still many factors that aren’t certain, and it is difficult for companies to fully understand what they will need to do to comply. “Clarity on implementation is needed for CISOs and companies in the critical infrastructure industry to make the most of this regulation-driven opportunity to implement new security measures.”

Furthermore, mature organizations understand that a risk-based approach will bring them the most value, Kreukniet added. “They are designing security programs or acquiring security tools with a focus on their most critical processes and systems. If a company takes a risk-based approach, it’s expected that this will cover the security measures described in the NIS2 Directive, because those are the bare minimum of what critical infrastructure companies need to do to protect their systems.”

On how existing regulations, such as the Cybersecurity Act and the NIS Directive, shaped cybersecurity practices across the European critical infrastructure sector, Kreukniet noted that the new regulation allows for a stronger, unified cyber security posture for member states and operators of critical infrastructure. “Previously, there has been quite some diversity in requirements between member states. This has led to inconsistencies in the implementation of cyber security measures, which has created issues.”

“First, in connected systems such as power transmission grids, these systems are connected to each other. In this sense, it can be possible for attackers to find the weakest link in the grid and target the company with the lowest security posture to bring down the whole grid,” according to Kreukniet. “Second, increased cybersecurity investments made in one Member State to comply with regulation should not lead to a competitive disadvantage, which could drive operators of critical infrastructure to not operate, invest, or innovate in a country due to the higher cost.”

Third, the new regulation will better enable scalable security operations, Kreukniet said. “Even though one size will still not fit all, regulation and standardization that will result from it will make it more efficient for security roles to roll out a European baseline across an organization.”

Kreukniet also flagged that the new regulation allows the EU Agency for Cybersecurity (ENISA) to take a stronger role. “Larger organizations operating in multiple countries are looking for guidance to know what is required of their security operations, and new regulation empowers organizations like ENISA, together with the critical infrastructure industry and other partners, to develop standards, frameworks, and recommended practices.”

On the issue of regulatory frameworks, Kreukniet examined the improvements or adaptations that critical infrastructure asset owners and operators are hoping for in 2024 to better address emerging cyber threats.

Kreukniet said that part of the NIS2 Directive requires companies to better report incidents, performing root cause analysis. “There is a great opportunity to learn from the industry as it shares that information. The SektorCert report, for example, provided valuable insight into what happened during a coordinated attack against the Danish energy industry, including the coordinated response from the Danish industry. 

Organizations operating critical infrastructure are aware of the constantly evolving threat landscape, but they benefit from being constantly reminded about the possible attack vectors that they are exposed to,” he added.

Kreukniet also highlighted that information sharing in the form of incident reporting should go both ways, and asset owners and operators are looking for useful threat intelligence for their industry. “It should not only be in security fora amongst industry peers that this is shared. The competent authorities for each industry should also be active in distributing threat intelligence to better protect critical infrastructure.”

The industry can take significant steps to improve its supply chain security by adding security requirements in procurement processes, Kreukniet mentioned, adding that asset owners and operators currently define their own set of security requirements based on internal frameworks. “This leads to excessive bureaucracy because vendors and service providers deliver products and solutions to numerous customers each with their own set of security requirements.” 

Furthermore, Kreukniet indicated that “the extra time it takes for vendors and providers to map the requirements of asset owners and operators to internal standards such as IEC62443 and ISO27001 adds to the bill for the customer. This contributes to most asset owners and operators only reviewing their direct suppliers currently. To increase efficiency, stakeholders in the supply chain should use international standards that have review, audit, and certification mechanisms in place,” he added.

Rail sector to increase focus on cybersecurity, protect digital infrastructure

Andrzej Bartosiewicz, CEO and president at CISO #Poland Foundation highlighted the significant strides made by the rail industry across Europe in 2023 to enhance cybersecurity measures and safeguard its digital infrastructure. “The recent case (November 2023) involving the modification of the source code of NEWAG trains in Poland showed that there is no control over the process of manufacturing, delivery, and acceptance of solutions on the railway market, and the existing certification process does not keep up with technological changes.” 

He added that despite the passage of time, the ‘MCAS’ Boeing 737 MAX case may well repeat itself in the railway area, either in terms of signaling or onboard systems.

The requirements for rail companies currently operating in Europe are largely based on the requirements defined in tenders, Bartosiewicz told Industrial Cyber. “Legal regulations barely impacted technical requirements because the NIS Directive did not provide significant support in building cybersecurity posture. In many countries, critical processes in the rail industry (like signaling and the on-board systems) were not adequately covered by NIS (NIS-1) transposition into the local (national) laws.”

He added that the situation is expected to change due to NIS2 implementation, which will force the implementation of basic technical and process security measures, from risk analysis to incident reporting.

By Oct. 17, 2024, member states must adopt and publish the measures necessary to comply with the NIS 2 Directive, while by Apr. 17, 2025, member states shall establish a list of essential and important entities as well as entities providing domain name registration services. Additionally, member states shall review and, where appropriate, update that list regularly and at least every two years thereafter.

Analyzing how existing regulations, such as the Cybersecurity Act and the NIS Directive, have shaped cybersecurity practices across the European rail sector, Bartosiewicz said that the Cybersecurity Act and NIS (NIS1) had (almost) no impact on the security of the rail sector in Europe.

“Only the requirements in the tenders and local regulations enforcing partial implementation of cybersecurity controls in the delivered systems or components (signaling and on-board) are the driving force in changing the cybersecurity landscape,” Bartosiewicz said. “We can expect that only if the legal requirements (NIS2 transposed into national law) are supported by industry standards (European Rail Traffic Management System, EuLynx) as well as CENELEC 50701 supported by 50126/50128/50129, and this will be enforced in tenders, the adequate and expected level of cybersecurity will be reached.”

In terms of regulatory frameworks, Bartosiewicz examined the desired enhancements or adjustments that rail operators are seeking in 2024 to effectively tackle the evolving cyber threats.

“It is expected that the implementation of the NIS2 directive will slowly support the adaptation of security norms and standards, especially IEC 62443 / CENELEC 50701, which will ultimately become a standard in the protection of rail infrastructure from a cybersecurity point of view and the common ‘language’ between suppliers (service providers, supply chain) and customers,” Bartosiewicz said. “Currently, only in some countries (e.g. Germany) such requirements are partially enforced by the infrastructure managers (IM) and railway undertakings (RU).”

The CENELEC TS 50701 railway applications – cybersecurity is a key milestone for the rail sector as it applies to all sub-systems, including infrastructure, signaling (trackside and on-board), power supply, and the rolling stock.

Additionally, Bartosiewicz said that the EULYNX standard requires the implementation of cybersecurity architecture, and controls and achieving adequate security levels referring to the above standards (IEC/CENELEC). “In EULYNX the European Infrastructure Managers define an internationally standardized signaling system, focusing on common interfaces. EULYNX can be a driving force when it comes to addressing cybersecurity requirements,” he added.

Maritime cybersecurity advances, plans for future enhancements

Addressing the advancements in cybersecurity that have been implemented by the maritime industry in 2023 to protect its digital infrastructure across Europe, Natasha Brown, head of Public Information Services at the International Maritime Organization (IMO) told Industrial Cyber that the IMO has adopted recommendatory Guidelines on cyber risk management which were updated last year.  

“These guidelines provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities and include functional elements that support effective cyber risk management,” Brown said. “The recommendations can be incorporated into existing risk management processes and are complementary to other IMO safety and security management practices.”

Brown added that their further revision and identification of the next steps to enhance maritime cybersecurity will be discussed when the Maritime Safety Committee meets in May 2024 for its 108th session. 

Additionally, in 2017, Brown noted that the IMO’s Maritime Safety Committee adopted Resolution MSC.428(98) – Maritime Cyber Risk Management in Safety Management Systems which encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the International Safety Management Code) no later than the first annual verification of the company’s Document of Compliance after Jan. 1, 2021.