The critical infrastructure is commonly defined as the systems and networks that provide basic services necessary to preserve a standard of living. In today’s interconnected high-technology world, protecting the critical infrastructure has gained growing attention. Increasing threats and a changing geopolitical environment are giving us reasons to reconsider how we define and protect these vital systems. In this blog post we look at how the scope of what is critical infrastructure is being transformed, and how expanded coverage is changing what organizations must do to protect their growing assets and capabilities. We’ll examine how interconnectivity and increasing dependence on digital technologies has resulted in this expanded definition, and how new regulations in the European Union (EU) are affecting the way public and private entities must protect their operations.
A look back
Critical infrastructure traditionally included essential services such as electricity, water and sewer, roads, and the banking system that sustains the economy. As digital technologies have made their way into so many facets of our daily lives, so too has our dependence on these technologies for their continued reliable operation. It’s surprising that the critical infrastructure in the context of national security was not formally defined in many countries until the 1990s in preparation for the year 2000 (Y2K) event that was expected to wreak havoc across systems of the time. Fast forward to 2023 and increasing threats and a changing geopolitical environment have given us good reasons to reassess how we define and how we protect critical infrastructure to mitigate risks and ensure its uninterrupted operation.
Expanding the scope of what is considered critical infrastructure, the list of services now goes well beyond electricity, water and sewer, roads, and banking. Services today extend to a wide spectrum of financial services, industrial technologies, communications, healthcare, and education. With digital technologies such as cloud-based data storage and processing now forming part of many vital services, the need to ensure their security and resiliency has become paramount. According to the 2023 IBM Cost of a Data Breach Report, 82% of breaches involved data stored in public or private cloud environments. On average these breaches amount to USD 4.45 million cost per incident. With critical infrastructures being primary targets, the cost of breaches across the sector exceeds USD 5 million and has been growing year on year.
Geopolitical events and increasing malware attacks on utilities and public services are also causing concern at national security levels. The use of new technologies in warfare is raising alarms for the urgent need to strengthen the reliability and robustness of the expanded set of services that now comprise the critical infrastructure.
The need for resilience
To address these threats, new and updated regulations in the EU will come into effect in the next few years. The new Digital Operational Resilience Act (DORA) and the updated Network and Information Systems (NIS2) component of the Directive on Measures for a High Common Level of Cybersecurity across the Union establish procedures for identifying and designating critical infrastructures, and a common approach for assessing the need to improve their protection. As EU-wide initiatives, DORA and NIS2 are aimed to become part of each member state’s domestic legislation process and law.
The focus of DORA is to enhance the operational resilience of the financial sector within member states. Its primary objective is to ensure that financial institutions and the infrastructure they use and depend on can withstand and recover from cybersecurity incidents and disruptions. Covering a wide range of aspects including cybersecurity, IT systems, outsourcing, and incident reporting, DORA emphasizes robust oversight of third-party service providers.
NIS2 expands earlier EU-wide cybersecurity legislation aiming to strengthen the protection of critical infrastructure areas. The regulation establishes response teams to coordinate incidents across member states. Most notably, NIS2 expands the scope of critical infrastructure, effectively bringing more organizations under the regulatory umbrella. Among industries now covered under the expanded definition, mobile network operators now play a vital role in the critical infrastructure. Focused on fifth-generation (5G) networks that are being deployed to modernize telecommunications for the next decade, mobile network operators are required to only use components from trusted sources.
Both DORA and NIS2 call for the establishment and maintenance of a skilled cybersecurity workforce that can continuously identify and assess system weaknesses and implement solutions to mitigate risks. The regulations also set auditing requirements and severe fines for non-compliance that can amount up to 2% of a company’s worldwide sales. The combination of DORA’s focus on the financial sector and NIS2’s broader coverage will ensure that critical sectors collaborate and learn from each other’s best practices, enhancing overall resilience against cyber threats.
The way forward
While DORA and NIS2 are crucial steps toward a safer and more resilient digital landscape in the EU, compliance with these regulations can pose challenges for organizations. DORA and NIS2 promulgate the use of innovative technology including state-of-the-art encryption and key management to protect sensitive and private data end-to-end. Compliance with these directives is not just a legal obligation but also a vital step toward building a safer and more prosperous digital ecosystem.
With the right security strategy and solutions, organizations can enhance their security posture and facilitate the process to ensure compliance. End-to-end data protection requires effective management of the keys and secrets that encrypt and control access to critical data assets. Entrust offers a complete suite of innovative cryptographic solutions that provide a unique centralized/decentralized security approach to facilitate regulatory compliance. Paired with support for post-quantum-ready algorithms, along with a world-class Cryptographic Center of Excellence (CryptoCoE) and professional services, customers using Entrust solutions can not only protect their deployments today but also future-proof them, to facilitate ongoing compliance as threats and requirements change.
To learn more about Entrust’s complete suite of digital security solutions and how they can help your organization stay compliant and protect an expanding critical infrastructure, check out Entrust KeyControl for comprehensive cryptographic key lifecycle management and Entrust nShield hardware security modules (HSMs) for establishing a certified root of trust.