ENISA’s Skritaite addresses cybersecurity advancements, compliance efforts in critical infrastructure in 2023


The European Union Agency for Cybersecurity (ENISA) played a key role in 2023 in addressing cybersecurity challenges within the critical infrastructure sector, as the agency emphasized the implementation of robust cybersecurity measures. Jurgita Skritaite, a cybersecurity expert at ENISA, pointed out how the NIS Directive has increased the overall level of cybersecurity maturity of critical infrastructure companies.

Industrial Cyber reached out to ENISA on the notable advancements in cybersecurity that have been implemented by the critical infrastructure industry in 2023 to protect its digital infrastructure across Europe. Also, when it comes to compliance, Skritaite addresses the efforts that have been undertaken by critical infrastructure companies to adhere to existing regulations and their preparations for upcoming directives.

“In November 2023, ENISA published the fourth NIS investments report which provides a historical dataset and insights on how critical infrastructure companies (CIOs) comply with the requirements of the NIS Directive, and what impact the NIS Directive has had on these operators,” Skritaite said. “The survey revealed that there is a very strong correlation between management involvement in cybersecurity and an organisation’s cyber risk management maturity and incident detection and response capabilities.”

Furthermore, Skritaite added that organizations whose leadership is active in cybersecurity are more than twice as likely to score above the basic level in both risk management and incident detection and response. “In 2022, 45% of the organisations declare having good or mature cyber risk management capabilities.”

She also detailed that in 2022, leadership attended dedicated cybersecurity training for 50 percent of CIOs and was involved in approving cybersecurity risk management measures for 81 percent of critical infrastructure companies. “It’s worth flagging that these leadership requirements will become mandatory with NIS2, and therefore currently are not yet mandatory in all Member States.”

Addressing how existing regulations, such as the Cybersecurity Act and the NIS Directive, have helped shape cybersecurity practices across the European critical infrastructure sector, Skritaite pointed out that ENISA’s NIS investments report shows that “45% of the organisations declare having good or mature cyber risk management capabilities, and 23% declare having limited to none such capabilities.” 

She added that the sectors declaring the most mature incident detection and response capabilities are healthcare, banking, telecoms, transport, and energy, with more than 50 percent of organizations self-assessing their capabilities as good or mature.

Skritaite highlighted that CIOs invest more in information security. “Every year critical infrastructure companies earmark higher IT investments for Information Security. The survey data indicates that median IT spending is highest within the Energy sector (40 M€), followed by Banking (30 M€), Healthcare (20 M€), and Transport industries.”

Skritaite also mentioned that information security will see an increase in funding for 70 percent of the surveyed CIOs, showing that it is a crucial priority for most European CIOs. “Information security, business intelligence/data analytics (BI/DA), and cloud platforms remain the top technology areas for new or increased spending among CIOs in Europe. More information security personnel are hired. 51% of organisations plan to hire information security personnel in the next 2 years.”

Skritaite identified that cybersecurity operations come out as the security domain with the most anticipated hires (56 percent), followed by IT security architecture and engineering (42 percent) and cybersecurity governance and risk (36 percent). “However, cyber talent recruitment and retention continue to be pain areas for most organisations. 83% of the surveyed organisations claim recruitment difficulties in at least one information security domain,” she added.

Skritaite further noted that 70 percent of the organizations are engaged in collaboration or information-sharing initiatives. “EU ISACs and the industry associations are the most used channels for organizations engaged in information-sharing initiatives.”

Turning to regulatory frameworks, Skritaite looked at the improvements or adaptations that critical infrastructure asset owners and operators hope to make in 2024 to better address emerging cyber threats.

She highlighted that ENISA Foresight 2030 has identified 10 significant cyber challenges that are expected to shape the landscape for critical infrastructure companies over the next few years.

“For instance, supply chain compromise of software dependencies is ranked No 1 threat which is likely to emerge by 2030,” according to Skritaite. “The evolving EU cybersecurity policy rules, such as the Cyber Resilience Act (CRA) include some provisions to tackle the cyber threats. It is expected that CRA can help mitigate the challenges posed by software dependencies and insecure products in general.”

Skritaite also noted that ENISA’s NIS investments report shows that 77% of the organizations surveyed are preparing to address the emerging cyber threats and already have a policy for managing supply chain cybersecurity risk from third parties. “The effectiveness of new cyber rules in mitigating these threats could be the area of focus for future ENISA work.”
