How Different Countries are Protecting Their Critical Infrastructure From Cyber Threats
The cyber threat to critical national infrastructure (CNI) is at an all-time high with a myriad of external and internal threats targeting the sector.
In April, the UK’s National Cyber Security Centre (NCSC) published an alert about emerging Russia-aligned groups threatening British CNI.
However, Russia is not the only culprit and In May the UK, the US, Australia and Canada issued a joint advisory warning against Chinese cyber activity targeting CNI networks in the US.
In addition to these external activities, insider threats are also growing. According to Bridewell, 77% of CNI organisations across the US have seen a rise in insider-driven cyber threats in the last three years.
Against this backdrop, better protecting CNI is a priority in many governments’ regulation roadmap.
Cybersecurity non-profit (ISC)2 and British think tank Royal United Services Institute (RUSI) examined the governmental approaches across several jurisdictions relating to the protection of CNI against cyber threats. The findings can be found in a comparative overview published in April.
Here are Infosecurity’s main takeaways on five of them (UK, EU, US, Canada and Japan).
UK: National Security Authority and a Post-Brexit NIS
Part of the UK’s new National Cyber Strategy, launched in December 2022, is dedicated to improving the resilience of CNI, which spans 13 sectors, including civil nuclear, healthcare and food, but not education.
The NCSC, which provides guidance and advice for CNI businesses, has introduced the ‘Industry 100,’ a new scheme to work more closely with the private sector on improving their cyber posture.
In March 2023, the updated version of the UK’s Integrated Review (IRR) announced the National Security Authority, a new government administration that “will engage with businesses and institutions to protect [the country’s] security and prosperity at home.”
The UK has also confirmed its intention to update the EU’s Networks & Information Systems (NIS) regulation, adopted in 2018 when the country was still part of the bloc.
The updated version of the legislation will seek to broaden the scope of its application to a larger number of actors, especially technology providers. For example, managed service providers (MSPs), which most organisations nowadays rely on, including CNI businesses, will be added as essential service providers, which must comply with stricter cybersecurity rules.
EU: Directive on Resilience of Critical Infrastructure and NIS 2
The security of CNI businesses in EU member states is regulated by the Directive on Resilience of Critical Infrastructure, adopted in 2020, and the revised NIS directive (NIS 2), adopted in 2023.
While the original 2018 NIS directive required CNI businesses in EU member states to implement a set of cyber-resilience measures, the Directive on Resilience of Critical Infrastructure states that EU member states have a strategy in case of disruption of critical entities that provide essential services and carry out regular risk assessments.
NIS 2 imposes strengthened NIS’s cyber requirements to cover the security of supply chains and introduce accountability of top management for non-compliance with these obligations. It has also expanded the scope of regulated organisations to more sectors. EU member states’ governments have until October 2024 to incorporate NIS 2 requirements into national law.
Looking for more infosecurity & cybersecurity insights?
Keep up to date with the latest trends and expert insights from Infosecurity Europe.
US: Finally, a Priority
In the US, five sectors (nuclear power, large energy generation, chemicals, financial services and the most prominent defence contractors) have been subject to cyber regulation since before President Joe Biden took office.
The Colonial Pipeline attack in 2021 led to the regulation of two other sectors (oil & gas, aviation & railways). While the country identifies 16 critical infrastructure sectors, less than half have been required to follow cyber regulations up to this year.
In December 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) released its first Strategic Plan for 2023-2025. ‘Reducing risk to CNI, but also increasing its resilience’ was one of its four pillars.
In January 2023, the US deputy national security adviser for cyber and emerging technologies Anne Neuberger told the Washington Post that the previous “voluntary efforts [of protecting CNI] have been insufficient.”
Three months later, defending CNI was one of the five pillars of the new US National Cybersecurity Strategy.
Several US government agencies are also involved in cooperative projects with industry actors, including CISA’s Automated Indicator Sharing Program, which aims to adopt a warning system shared between companies and public agencies.
Canada: Upcoming Bill C-26 Adoption
The Canadian government identified 10 CNI sectors. While the country’s 2023-2024 Cyber Threat Assessment acknowledged that CNI is especially vulnerable, it also concluded that “state-sponsored cyber threat actors will likely refrain from intentionally disrupting or destroying Canadian critical infrastructure in the absence of direct hostilities.”
In Jun 2022, Canada introduced Bill C-26 to increase cybersecurity measures and reporting for designated operators providing vital services, including energy, finance, transport and telecommunications.
If passed, organisations considered as operators will have to establish, maintain and review a cybersecurity programme within 90 days, report cyber incidents and maintain records of them and reported incidents and of compliance. Non-compliance will be subject to fines or even criminal penalties.
The bill could become law as soon as late 2023.
Japan: Vague Requirements
The (ISC)2 report noted that Japan had been criticised in the past, not least by the US, for its weak cybersecurity regulations.
The report noted: “The US and Japan have been working to overcome these differences through bilateral talks, including signing a Memorandum of Cooperation on Cybersecurity in January 2023.”
CNI businesses, regulated in Japan under the Basic Cyber Security Act of 2014, now range from 14 different sectors. However, these obligations are often vague, (ISC)2 has observed.
In May 2022, Japan passed an economic security bill that provides greater cyber protection for supply chains and infrastructure. For instance, it imposed CNI companies to inform the government of software updates and to “vet some equipment procurement.”
In June 2022, however, Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) launched an updated action plan, offering new guidance on safety standards and information-sharing systems. The text also recommended that CNI businesses develop risk-management procedures and set specific cybersecurity requirements.
Enjoyed this article? Make sure to share it!
Keep up to date with the latest infosecurity news and trends in our latest articles.
Stay in the know
Receive updates about key events, news and recent insights from Infosecurity Europe.
Looking for something else?