Beyond Physical Threats: Cyber-attacks on Critical Infrastructure as a Challenge of Changing Security Environment – Overview of Cyber-security legislation and implementation in SEE Countries
- SEE countries,
- NIS directive,
States, organizations and individuals are becoming targets of both individual and state-sponsored cyber-attacks, by those who recognize the impact of disrupting security systems and effect to people and governments. The energy sector is seen as one of the main targets of cyber-attacks against critical infrastructure, but transport, public sector services, telecommunications and critical (manufacturing) industries are also very vulnerable. One of most used example of cyber-attack is the Ukraine power grid attack in 2015 that left 230,000 people without power for up to 6 hours. Another most high profile example of a cyber-attack against critical infrastructure is the Stuxnet computer virus (first used on Iranian nuclear facility) which could be adapted to attack the SCADA systems (industrial control systems) used by many critical infrastructures in Europe.
Wide range of critical infrastructure sectors are reliant on industrial control systems for monitoring processes and controlling physical devices (sensors, pumps, etc.) and for that reason, physical connected devices that support industrial processes are becoming more vulnerable. Not all critical infrastructure operators in all sectors are adequately prepared to manage protection (and raise resilience) effectively across both cyber and physical environments. Additionally there are few challenges in implementation of protection measures, such as lack of collaboration between private and public sector and low levels of awareness on existence of national key legislation.
From supranational aspect, in relation to this papers topic, the European Union has took first step in defense to cyber threats in 2016 with „Directive on security of network and information systems“ (NIS Directive) by prescribing member states to adopt more rigid cyber-security standards. The aim of directive is to improve the deterrent and increase the EU’s defenses and reactions to cyber attacks by expanding the cyber security capacity, increasing collaboration at an EU level and introducing measures to prevent risk and handle cyber incidents. There are lot of other „supporting tools“ for Member States countries, such as European Union Agency for Network and Information Security – ENISA (which organize regular cyber security exercises at an EU level, including a large and comprehensive exercise every two years, raising preparedness of EU states); Network of National Coordination Centers and the European Cybersecurity Industrial, Technology and Research Competence Centre; and Coordinated response to major cyber security incidents and crises (Blueprint) with aim to ensure a rapid and coordinated response to large-scale cyber attacks by setting out suitable processes within the EU.
Yet, not all Member States share the same capacities for achieving the highest level of cyber-security. They need to continuously work on enhancing the capability of defense against cyber threats as increased risk to state institutions information and communication systems but also the critical infrastructure objects. In Southeast Europe there are few additional challenges – some countries even don't have designated critical infrastructures (lower level of protection; lack of „clear vision“ of criticality) and critical infrastructures are only perceived through physical prism; non-EU countries are not obligated to follow requirements of European Union and its legislation, and there are interdependencies and transboundary cross-sector effects that needs to be taken in consideration. Critical infrastructure Protection (CIP) is the primary area of action, and for some of SEE countries (like the Republic of Croatia) the implementation of cyber security provisions just complements comprehensive activities which are focused on physical protection.
This paper will analyze few segments of how SEE countries cope with new security challenges and on which level are they prepared for cyber-attacks and threats: 1. Which security mechanisms they use; 2. The existing legislation (Acts, Strategies, Plan of Action, etc.) related to cyber threats in correlation with strategic critical infrastructure protection documents. Analysis will have two perspectives: from EU member states and from non-EU member states point of view. Additionally, for EU member states it will be analyzed if there were any cyber security legislation before NIS directive that meets same aims. The aim of research is to have an overall picture of efforts in region regarding cyber-security as possibility for improvement thorough cooperation, organizational measures, etc. providing also some recommendations to reduce the gap in the level of cyber-security development with other regions of EU.
Barbu, Viorel (2019) Crisis management for Cyber issues: going it alone or in a coalition? Romanian Cyber Security Journal 2(1): 47-57, URL: https://rocys.ici.ro/documents/fall2019/article_6.pdf, acessed: 14 March 2020
Brnetić, D., et.al. (2013) Criminal forensic protection of critical national infrastructure against cyber threats. In: Antoliš, Krunoslav (ed.) New security threats and critical national infrastructure (pp. 34-45). Zagreb: Ministry of the Interior, Police Academy (Croat.)
Klaić, A., Perešin, A. (2012) The Impact of the National Information Security Regulation Framework on Cyber Security in Global Environment. Ljubljana: International scientific conference “Days of Corporative Security”
Klaić, A., Perešin, A. (2011) The Concept of a Regulatory Framework for Information Security, Velika Gorica: Book of papers, 4th International Conference “Crisis Management Days” University of Applied Sciences Velika Gorica (pp. 678-707), (Croat.)
Lazari, A., Simoncini, M. (2014) Beyond compliance: An analysis of the experiences that maximise the implementation of the Directive 114/08/EC on European Critical Infrastructures, International Juornal of Critical Infrastructure Protection
Luiijf, E., et.al. (2013) Nineteen national cyber security strategies. International Journal of Critical Infrastructure Protection 9(1-2): 3-31, URL: https://www.researchgate.net/publication/261950643_Nineteen_National_Cyber_Security_St rategies, acessed 14 March 2020
Matika, D. (2009) Energy Security and Critical Infrastructure - A Review of Research Results, In: Matika, D., Poljanec-Borić, S. (ed) Critical Infrastructure in Croatia: Towards a New Security and Protection System (pp. 45-59) Zagreb: Institute for Research and Development of Defense Systems of the MOD, Institute of Social Sciences Ivo Pilar, (Croat.)
Mikac, R., Cesarec, I., Larkin, R. (2018) Critical Infrastructure - A Platform for Successful Development of Nations Security, Zagreb: Jesenski i Turk, (Croat.)
Mitrevska, M., Mileski, T., Mikac, R. (2019) Critical infrastructure – concept and security challenges, Skoplje: Friedrich Ebert Foundation
Perešin, A., Klaić, A. (2012) The role of cyber security in critical infrastructure protection, Velika Gorica: Book of Papers, 5th International Conference “Crisis Management Days” University of Applied Sciences Velika Gorica (pp. 335-355), (Croat.)
Perešin, A., Klaić, A. (2010) The Connection of Critical National Infrastructure and Data Protection Concepts, Velika Gorica: Book of Papers, 3rd International Conference “Crisis Management Days”, University of Applied Sciences Velika Gorica (pp. 13-29), (Croat.)
Tofan, D., et.al. (2016) The cost of incidents affecting CIIs: ENISA https://www.enisa.europa.eu/publications/the-cost-of-incidentsaffecting-ciis, accessed: 17 January 2020
Udeanu, G. 2015. Opinions regarding the new challenges to the critical infrastructures. International Conference Knowledge-based Organization 21(1):127–134. https://www.degruyter.com/view/j/kbo.2015.21.issue-1/kbo-2015-0021/kbo-2015-0021.xml, acessed: 14 March 2020.
Croatian Parliament (2018) Act on the Cyber Security of Key Service Operators and Digital Services Providers. Official Gazette (64/2018), https://narodne-novine.nn.hr/clanci/sluzbeni/2018_07_64_1305.html (Croat.), accessed: 5 February 2020
ENISA (2019) Cybersecurity Culture Guidelines: Behavioural Aspects of Cybersecurity, https://www.enisa.europa.eu/publications/cybersecurity-culture-guidelines-behavioural-aspects-of-cybersecurity , accessed: 10 February 2020
ENISA (2018) ENISA launches the Cybersecurity Strategies Evaluation Tool, URL: https://www.enisa.europa.eu/news/enisa-news/enisa-launches-the-cybersecurity-strategies-evaluation-tool, accessed: 10 February 2020
ENISA (2015) Status of privacy and NIS course curricula in EU Member States, https://www.enisa.europa.eu/publications/status-of-privacy-and-nis-course-curricula-in-eu-member-states , accessed: 10 February 2020
European Commision (2019) Digital Government Factsheet 2019 - Republic of North
Macedonia,https://joinup.ec.europa.eu/sites/default/files/inline-files/Digital_Government_Factsheets_North_Macedonia_2019.pdf , acessed 15 January 2020
European Commmission (2017) Joint Communication To The European Parliament And The Council Resilience, Deterrence and Defence: Building strong cybersecurity for the EU, https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A52017JC0450 , accessed: 11 January 2020
European Commision (2013) Joint Communication to the European Parliament, the Council the European Economic and Social Committee and the Committee of the regions, Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace, http://eeas.europa.eu/archives/docs/policies/eu-cyber-security/cybsec_comm_en.pdf , accessed: 17 January 2020
European Court of Auditors (2019) Challenges to effective EU cybersecurity policy, URL: https://www.eca.europa.eu/Lists/ECADocuments/BRP_CYBERSECURITY/BRP_CYBER S ECURITY_EN.pdf , accessed: 13 January 2020
European Parliament and the Council of the European Union (2016) Directive 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union, EUR-Lex, Official Journal, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L1148&from=EN , accessed: 11 January 2020
The Council of the European Union (2008) Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, Brussels, 2008/114/EC, EUR-Lex, Official Journal, https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:345:0075:0082:EN:PDF accessed: 13 January 2020
Goverment of Romania (2019) Law no. 362/2018 on ensuring a high common level of security of network and information systems https://www.wolftheiss.com/fileadmin/content/6_news/clientAlerts/2019/2019_Q1/19_01_23_CA_Romania_New_Law_362-2018_Bucharest.pdf , accessed: 13 January 2020
Goverment of Romania (2013) Cyber Security Strategy, https://cert.ro/vezi/document/NCSS-Ro , accessed: 13 January 2020
Goverment of the Republic of Croatia (2018) Proposal of Act on the Cyber Security of the Key Service Operators and Digital Services Providers https://vlada.gov.hr/UserDocsImages//2016/Sjednice/2018/03%20o%C5%BEujak/86%20%20sjednica%20VRH//86%20-%204.pdf , (Croat.), accessed: 5 February 2020
Government of the Republic of Croatia (2015) Croatian National Cyber Security Strategy, Official Gazette (108/2015) https://narodne-novine.nn.hr/clanci/sluzbeni/2015_10_108_2106.html, (Croat.), accessed: 10 February 2020
Government of the Republic of North Macedonia (2018) National Cyber Security Strategy of the Republic of North Macedonia (2018-2022) http://mioa.gov.mk/sites/default/files/pbl_files/documents/strategies/cyber_security_strategy_ macedonia_2018-2022_-_eng.pdf , accessed: 5 January 2020
Government of the Republic of North Macedonia (2012) Law on Protection and Rescue, Official Gazette (93/2012) http://www.slvesnik.com.mk/Issues/1F2D347B699C764F9E65C717889E74B2.pdf accessed: 15 January 2020
Government of the Republic of North Macedonia (2005) Law on Crisis Management, Official Gazette (29/2005) https://www.refworld.org/docid/5d31a0c37.html , accessed: 15 January 2020
Government of the Republic of Montenegro (2019) Law on determining and protecting critical infrastructure, Official Gazette (72/2019) https://me.propisi.net/zakon-o-odredjivanju-i-zastiti-kriticne-infrastrukture/, accessed 15 February 2020
Government of the Republic of Montenegro (2018) National Security Strategy, http://www.mod.gov.me/ResourceManager/FileDownload.aspx?rid=381268&rType=2&file=Strategy%20of%20National%20Security%20of%20Montenegro%20With%20the%20Action %20Plan.pdf , accessed: 10 January 2020
Government of the Republic of Montenegro (2017) Cyber Security Strategy 2018-2021, http://www.mju.gov.me/ResourceManager/FileDownload.aspx?rid=305198&rType=2&file= Cyber%20Security%20Strategy%20of%20Montenegro%202018-2021%20eng.pdf , accessed: 10 January 2020
Government of the Republic of Montenegro (2013) Cyber Security Strategy 2013-2017 http://www.mid.gov.me/ResourceManager/FileDownload.aspx?rid=165416&rType=2&file = Cyber%20Security%20Strategy%20for%20Montenegro.pdf , accessed: 10 January 2020
Ministry of Foreign Affairs and Trade of Hungary (2017) Joint Statement of the Ministers of Foreign Affairs of the Visegrad Group, Austria, Croatia and Slovenia, URL: http://www.visegradgroup.eu/calendar/selected-events-in-2017-170203/joint-statement-of-the-170710 , acessed: 5 February 2020
The Presidential Administration of the Republic of Romania (2015) National Defense Strategy 2015‐2019: A StrongRomania within Europe and the World, URL: https://www.presidency.ro/files/userfiles/National_Defense_Strategy_2015_-_2019.pdf, acesssed: 14 March 2020
BSA The Software Alliance (2015) EU Cybersecurity Dashboard Country Report – Romania, URL: http://cybersecurity.bsa.org/assets/PDFs/country_reports/cs_romania.pdf , accessed 13 February 2020
Marvela, Popescu and Roman (2018) New Provisions Concerning Critical Infrastructure in Romania, URL: https://www.legal500.com/developments/thought-leadership/new-provisions-concerning-critical-infrastructure-in-romania/ , accessed: 7 February 2020
Minović, et.al. (2016) Cybersecurity in the Western Balkans: Policy gaps and cooperation opportunities, Geneva: Diplo Foundation - Research report under the project "Cybersecurity Capacity Building and Research Programme for South-Eastern Europe" implemented with the support of the Federal Department of Foreign Affairs of Switzerland, URL: https://www.diplomacy.edu/sites/default/files/Cybersecurity%20in%20Western%20Balkans.p df
World Economic Forum (2017) The Global Risk Report 2017, 12th Edition, URL: http://www3.weforum.org/docs/GRR17_Report_web.pdf , accessed: 15 January 2020