Significant disruptions to critical infrastructure services caused by cyberattacks are fortunately very rare. That is why incidents like the Colonial Pipeline attack attract press and media attention and political engagement at the highest level: they have scarcity value.
Since these outages are rare, it seems reasonable to say that critical infrastructure and services are highly protected against cyber threats that can lead to significant service outages. Thus, the vulnerabilities that were exposed in the Colonial Pipeline case are not typical of other critical infrastructure elements.
The validity of the above proposition can easily be questioned when we think about what is actually meant by the phrase “critical infrastructure”, or when we think about the levels of resilience that critical infrastructure might need to display in a radically changed environment. For example, if we step outside the narrow (and arguably artificial) confines of current critical infrastructure categorizations, we might realize that other truly critical services are more susceptible to outages, and to a changing threat level, than we currently recognize. Or if we imagined an all-out “cyberwar”, what would our risk look like?
What is Critical Infrastructure?
So what is “critical infrastructure”? One reason this question arises is the example of the incident affecting the Royal Mail. Are postal services part of critical infrastructure? What regulatory scheme applies to cybersecurity in this sector?
In the UK, there are 13 critical infrastructure sub-sectors, but postal services are not one of them, nor do they fall within the scope of the cybersecurity regulations (“NIS”). It is also debatable whether cybersecurity in postal services falls within the scope of the sectoral regulation overseen by Ofcom, in the sense that meeting the universal service requirement for postal services requires cybersecurity as a condition.
The position is clearer in the EU: postal services can fall within the scope of cybersecurity legislation, even if they do not fall under the new list of critical infrastructure sub-sectors.
Defense against cyber weapons
When we look at the issue of critical infrastructure resilience in a different way – that is, rather than taking the absence of widespread major outages in areas that have been officially designated as critical infrastructure as the main criterion of resilience – we can observe that, despite the immensity of the cyber threats we face, most of the western world is currently not formally at war with its adversaries. So perhaps we are not feeling the full power of the cyber weapons Ukraine is facing, and therefore our cyber defenses are not being tested to their limits. Another argument is that threat actors only need to be lucky once, whereas critical infrastructure defenses need to succeed every time, at least when it comes to protection against serious outages. The 2018 NotPetya wiper attack is a case study in the destructive capacity of cyber weapons.
We should also keep Black Swan events in mind. Before the financial crisis and the pandemic, we were confident in our levels of resilience in these areas; then events took over and we learned the hard way that we were not in a good position. Cybersecurity should probably be considered in the same way.
Of course, the critical infrastructure security community is made up of highly skilled and highly motivated professionals who are clear-eyed about the responsibilities they take on. There is a dynamic and proactive philosophy of intelligence sharing and cooperation in this community, and in countries like the UK they are backed by very strong public authorities (CERTs and CSIRTs). And, going back to the opening comments of this article, the security community can rightly point to a strong track record of success in areas that fall within the scope of the formal definition of critical infrastructure.
Checks and balances
The need for checks and balances is widely recognized. These derive from activities such as penetration testing, internal audits, certifications and peer review, supplemented by independent regulation.
Yet a quick look at the regulatory system that oversees critical infrastructure in the UK reveals what appears to be a lack of commitment. So the challenges may be even greater than determining what should or should not fall within the scope of cybersecurity regulation. A review of the websites of the regulators responsible for overseeing the UK cybersecurity regulations (“NIS”) will show you content, but almost nothing on actual regulatory engagement and almost nothing on enforcement. Does this mean there is a risk that checks and balances will be inadequate, even for the few sectors of the UK economy that have been brought into the scope of cybersecurity regulation?
Part of the answer could be that there is active engagement behind the scenes, and that there is no need for enforcement because cybersecurity controls are strong. Both of these arguments might be legitimate, but to allay any reasonable doubt they should be accompanied by active regulatory transparency; otherwise we simply don’t know.
Trust in regulation
Being uncertain about the scope and effectiveness of cybersecurity regulations is not ideal. Indeed, regulatory uncertainty was likely a symptom of the environment that failed to predict and respond to the Black Swan events mentioned above: if no one really knows what is going on in the regulations, there is a risk that no one has ultimate responsibility or accountability.
Royal Mail is a wake-up call. Whether cybersecurity in postal services falls under critical infrastructure cybersecurity legislation or under the related legislation for the universal postal service, this is exactly the kind of situation where we need regulatory clarity and accountability, as the EU recognized with the entry into force of the second Cybersecurity Directive, NIS2. It would therefore be pointless to make the Royal Mail post-mortem only about the organization itself or its leaders. It should review the overall cybersecurity regulatory regime, including what should fall within scope and how to judge its overall effectiveness. If there are gaps in cybersecurity regulation, whether due to a gap in the regulatory system or a gap in the quality of regulation, this needs to be understood so that it can be addressed.
If we are unsure of the state of regulation of critical services – regardless of their official classification – our trust levels for these services will be limited, despite the excellent work done by security professionals in these areas.