These days, many companies provide services that are vital and strategic for the running of a country, so any disruption or destruction of these services would have a serious impact on the essential services delivered to its inhabitants. The Spanish PIC law (Protection of Critical Infrastructure, Law 8/2011 of 28 April) classifies as critical the sectors of Public Administration, Chemical Industry, Information and Communications Technology (ICT), Energy, Financial and Tax Systems, Food, Health, Research Facilities, Nuclear Industry, Space, Transport and Water. The companies that manage the infrastructures in these sectors therefore play a vital role, since they are responsible for protecting them.
By September of this year, the Security and Industry CERT had already handled more than 90,000 cyber-incidents, double the number recorded in the whole of 2015; two years ago, only 18,000 cases were detected. We can all recall the case of Ivano-Frankivsk, in western Ukraine, on 23 December 2015, when a cyberattack on the region's main electricity distribution companies caused a power outage that left around 225,000 customers without power for several hours.
Other notable cases in 2016 are the security breach at Saint Francis Health System in Oklahoma, in which cyber-criminals stole the names and addresses of some 6,000 patients of Saint Francis Hospital, and the ATMs in Thailand that were infected with malware to dispense cash.
Could an attack of this kind happen in Spain? No-one today would deny the need for better cyber-security capabilities for our critical infrastructures. When we ask what these capabilities are, however, the responses are somewhat vague.
Protecting a company is no trivial matter, and many factors are involved in this responsibility. In recent times, however, cyber-resilience, defined as the ability to anticipate, withstand, recover from and evolve to overcome adverse conditions (such as attacks on information or technology resources), has emerged as one of the most important factors in maintaining the level of protection a business needs. The first step towards improving protection is to know the level of cyber-resilience our organisations actually have.
The Security and Industry CERT (INCIBE-CERT), operated by INCIBE and coordinated jointly by INCIBE and CNPIC, has been promoting an ambitious consultation plan to help major Spanish companies measure their cyber-resilience capability in the face of threats. A pilot study, the first of its kind in the community, was run last year and provided useful data on the level of cyber-resilience in the participating companies. For instance, regardless of sector or environment, one of the least mature metrics was vulnerability management. This result shows the difficulty most companies have in correcting weaknesses even once they have been identified. One of the main and most frequently repeated recommendations in this area was to carry out regular security analysis of systems, paying particular attention to the time that elapses between a vulnerability being detected and its being corrected.
Participation in the 2016 cyber-resilience survey, in which more than 100 companies took part, exceeded that of the previous year, which reflects the responsibility companies feel for improving their protection. Generally speaking, the aim of the survey is to help companies understand their own cyber-security better. In particular, the annual survey has a dual objective:
- On the one hand, to consolidate the practice of carrying out this kind of survey, giving companies a sound basis on which to improve their cyber-resilience within the sector and environment to which they belong.
- On the other hand, to give companies that took part in the previous year's survey a snapshot of how their efforts to improve cyber-resilience have worked.
From a practical point of view, the 2016 cyber-resilience consultation asks participating companies to complete an anonymous questionnaire of 46 items relating to the essential service they provide. The questions, or metrics, are grouped into a hierarchy of categories or functional domains (e.g. risk management, continuous monitoring, management of external dependencies, etc.), which are in turn grouped by goal or objective (anticipation, resistance, recovery and evolution).
Companies can also indicate whether they belong to an IT or an OT environment (the latter also known by names such as industrial technology, SCADA or ICS).
After analysing these data, the Security and Industry CERT will provide each company with a customised report that (i) compares its results with those of its sector or environment and (ii) sets out an action plan based on the recommendations most useful for maintaining or improving the level of cyber-resilience it requires.
Finally, an annual report for 2016 on the level of cyber-resilience in Spanish critical infrastructure companies will be produced, helping to answer the question of whether the strategic companies in our country are prepared to withstand a cyber-attack, and to take the steps necessary to make our country cyber-resilient.