Sharp rise in cyberattacks on EUIBAs, as level of preparedness does ‘not commensurate with the growing threats’

The European Court of Auditors disclosed in a report that the number of cyberattacks on EU institutions, bodies, and agencies (EUIBAs) is increasing sharply, urging these entities to step up their level of cybersecurity preparedness. 

As EUIBAs are strongly interconnected, weaknesses in one can expose others to security threats, while also exposing their varying levels of cybersecurity maturity. Due to the sensitive information they process, EUIBAs are attractive targets for potential attackers, especially groups capable of executing highly sophisticated, stealth attacks, such as advanced persistent threats (APTs) for cyber espionage and other purposes. 

“The level of cybersecurity preparedness within EU bodies varies and is overall not commensurate with the growing threats,” the European Court of Justice said on Tuesday. Successful cyber-attacks against EUIBAs can have significant political implications, harm the overall reputation of the European Union (EU), and undermine the trust in its institutions. The agency is the external auditor of the EU.

Apart from finding that EUIBAs are not always well protected against cyber threats, the European Court of Justice report said the agencies do not approach cybersecurity consistently. Essential controls and key cybersecurity good practices are not always in place, and cybersecurity training is not systematically provided. The report also said that the allocation of resources to cybersecurity varies widely, and a number of EU bodies are spending considerably less than comparable peers. 

Although differences in cybersecurity levels “could theoretically be justified by the different risk profiles of each organisation and the varying sensitivity levels of the data they handle, the auditors stress that cybersecurity weaknesses in a single EU body can expose several other organisations to cybersecurity threats,” it added.

“EU institutions, bodies and agencies are attractive targets for potential attackers, particularly groups capable of executing highly sophisticated stealth attacks for cyber-espionage and other nefarious purposes,” Bettina Jakobsen, the ECA member who led the audit, said in a media statement. “Such attacks can have significant political implications, harm the overall reputation of the EU, and undermine trust in its institutions. The EU must step up its efforts to protect its own organisations.”

The European Court of Auditors calls for improving the cybersecurity preparedness of all EUIBAs through common binding rules and increased resources for the Computer Emergency Response Team for the EU institutions (CERT-EU). It also advised further synergies among EUIBAs in selected areas, and increasing the focus of CERT-EU and the European Union Agency for Cybersecurity (ENISA) on less mature EUIBAs.

Currently, there is no legal framework for information security and cybersecurity in EUIBAs, the European Court of Auditors pointed out. “They are not subject to the broadest EU legislation on cybersecurity, the 2016 NIS directive, or to its proposed revision, the NIS2 directive. There is also no comprehensive information on the amount spent by EU bodies on cybersecurity,” it added. 

The European Court of Auditors also said that the common rules on cybersecurity for all EU bodies are included in the communication on the EU Security Union Strategy for the 2020-2025 period, published by the Commission in July 2020. In the EU Cybersecurity Strategy for the Digital Decade, published last December, the Commission undertook to propose a regulation on common cybersecurity rules for all EU bodies. It also proposed the establishment of a new legal basis for CERT-EU to reinforce its mandate and funding, it added. 

Cybersecurity incidents in EU bodies increased more than tenfold between 2018 and 2021, the report revealed. Remote working considerably increased the number of potential access points for attackers. Significant incidents are generally caused by complex cyberattacks that typically involve the use of new methods and technologies, and can take weeks if not months to investigate and recover from, it added. 

One example was the cyberattack on the European Medicines Agency, where sensitive data was leaked and manipulated to undermine trust in vaccines, the European Court of Auditors said in its report. 

The ENISA, CERT-EU, and the chair of CERT-EU’s Steering Board “welcome the European Court of Auditors’ special report on the cybersecurity of EUIBAs, which comes at a very timely moment to address the level of preparedness of EUIBAs as a whole,” they said in a separate document. The report clearly notes the central roles that ENISA and CERT-EU can play in this field. It also outlines the need for further resources and concrete actions specifically targeted toward improving the cybersecurity posture of EUIBAs.

“With this understanding, ENISA, CERT-EU, and the Chair of CERT-EU’s Steering Board support the key observations and recommendations of the report, which are also aligned with the European Commission’s legislative proposals in the areas of cybersecurity and information security for EUIBAs,” the document added.

“The observations arrive just as the European Commission has proposed a regulation on measures for a high common level of cybersecurity at the EU institutions, bodies and agencies,” the ENISA said in a statement on Wednesday. “The regulation aims to establish common cybersecurity measures to boost the resilience and response capacities against cyber threats and incidents,” it added.

The European Commission said in its statement that it “agrees that when observing the level of spending by EUIBAs on cybersecurity it is important to take into account threats and risks.” 

Similarly, with regard to the human resources aspect, the stability of EUIBA staffing is influenced by a number of factors, the EU statement added. “The market for the recruitment of specialized cybersecurity experts is increasingly complex. In many cases, human resources rules are not adapted to specialised profiles (recruitment, career development, training). Moreover, the generalized pressure on staffing levels across the EUIBAs by the budgetary authority means that emerging areas of high priority such as cybersecurity remain under-supplied by posts, notably in internal operational services,” it added.

The European Court of Auditors report comes as the Federal Bureau of Investigation (FBI) confirmed an increase in Russian cyber scanning of U.S. networks amid a spate of warnings from security officials about potential disruptive activity impacting critical infrastructure and major energy corporations.

Bryan Vorndran, assistant director of the FBI’s Cyber Division, told the House Judiciary Committee on Monday that “instances of Russian scanning have increased” within the last month, indicating Russia-based computers have been probing U.S. networks for vulnerabilities, while potentially planning a wave of cyberattacks.

Last week, U.S. President Joe Biden implored critical infrastructure owners and operators to improve domestic cybersecurity and bolster national resilience. The latest warning comes in the wake of ‘evolving intelligence’ that the Russian government is exploring options for potential cyberattacks. As most of the nation’s critical infrastructure is owned and operated by the private sector, it is for these environments ‘to act to protect the critical services on which all Americans rely.’