Cyber rules: How regulators are containing the threat

Infra is increasingly attracting the unwanted attention of cyber-criminals. Starting with the US and taking in Europe and Australia, we offer a view of the regulatory environment in these regions.

US infra’s post-Colonial era

By Zak Bentley

In November 2018, just six months after cutting the job of the national cybersecurity co-ordinator, then US President Donald Trump signed into law the creation of the Cybersecurity and Infrastructure Security Agency after the enabling legislation had been unanimously passed by Congress.

The creation of CISA, which lies within the Department of Homeland Security, represented “real progress” and would help the department “recruit top cybersecurity talent”, Christopher Krebs, the agency’s first director, said at the time. Two years later, in the wake of the 2020 presidential election, CISA would be looking for a new director after the president fired Krebs for disputing his claims of widespread electoral fraud.

As a result, we will never know exactly how Krebs would have directed the agency to respond to the Colonial Pipeline hack. However, in a Senate hearing in May, he attacked “our seemingly pathological need to connect everything to the internet”, so perhaps he was unimpressed with the status quo.

Explaining the agency’s role in the aftermath of the ransomware attack, Bob Kolasky, director of national risk management at CISA, says: “We were ensuring the US government was doing whatever we could to mitigate the impact of short fuel supply caused by the pipeline attack. We were to support the asset response and manage the risk of long-term fuel shortage supply.”

Kolasky compares CISA’s role in the wake of an event like Colonial to that of a fire brigade, offering its services for anything requested by asset owners or operators.

“In advance of incidents, we provide information-sharing, promoting best practices,” he adds. “Often we are requested to do voluntary assessments of infrastructure. We then support overall preparedness efforts.”

Such efforts, though, will surely take a different shape after the Colonial hack and the subsequent attack on Invenergy, a Chicago-based clean energy company. Devika Kornbacher, a technology partner at law firm Vinson & Elkins who advises clients in the energy sector, does not believe these high-profile incidents will serve as a wake-up call, but rather as “a motivational event”.

“It’s the pivot from ransomware impacting information to impacting operations that’s most concerning from a national security perspective”

Bob Kolasky

“Frameworks are great, but that’s not a plan,” she believes. “This is a motivation towards an actual implementation of solutions. There’s now a focus on the threats and how to actually combat them, rather than ‘I’ve got a policy’.” Kolasky expects that this is already factored significantly into every organisation’s risk profiles. However, he also believes that the unprecedented impact of the Colonial hack will refocus some minds.

“What will make this motivational is the scale of the impact from something that people assumed could happen, but maybe [they] didn’t assume a ransomware attack on the IT systems could take down the operations of a major critical infrastructure,” he says. “It’s the pivot from ransomware impacting information to impacting operations that’s most concerning from a national security perspective.”

Public-private partnership

As is often the case with infrastructure, opinion is divided over what roles the private and public sectors should be playing.

Kornbacher, for her part, wants authorities to be more specific in what they require from owners of critical infrastructure.

“For pipelines, it was all recommendations and guidelines,” she says. “It typically takes requirements for companies to invest in the basics.”

Patrik Bless, chief information security officer at Partners Group – an owner of pipelines in the US, as well as critical infrastructure globally – offers an example of that. “Singapore tells you what the guidelines are and helps you be in line with the requirements,” he says. “What we have observed in the last months is when it’s about reactions to threats, guidance tends to become more specific to ‘upgrade this, turn this off’.”

One of the items on Kornbacher’s wish list for protecting infrastructure is a separation of IT and operational technology in assets. Instead, the two seem to be increasingly converging, making her fearful of the implications.

“If one of them gets compromised, so does the other,” she says. “This is not just a pipeline issue. It’s the same with telecoms and roads. Laying the IT over the OT is great for technological solutions, but it’s dangerous when it comes to cyber-security.”

Infra’s age problem

Although energy is not the only sector being targeted, it is true that hackers may fancy their chances more when it comes to ageing infrastructure.

In that sense, the US pipeline system certainly qualifies, with much of the network around 50 years old, according to the Pipeline and Hazardous Materials Safety Administration.

“Hackers are looking at this as an opportunity,” says Devika Kornbacher of law firm Vinson & Elkins. “It’s not been that infrastructure companies don’t care about cybersecurity. It’s about where you spend your money. Folks are finally getting the budget now to focus on these things.”

Spending that money now on upgrading ageing infrastructure certainly is not locking the stable door after the horse has bolted. However, Bob Kolasky of CISA would have hoped, if not expected, that this would already have been thought of.

“Certainly, the advice is when you do the modernisation of any infrastructure, do it with security in mind,” he says. “Too often, systems designed previously were not with security in mind from the get-go. Some degree of technological modernisation, if you can make the investment in that, that’s the first thing I would hope infrastructure companies would do.”

The EU’s improved regulation

By Kalliope Gourntis

The first EU-wide legislation aimed at regulating cybersecurity came into effect in 2016. Four years later, however, the European Commission realised it needed upgrading – partly because of the ongoing digital transformation, which it said had “intensified” during the pandemic – and drew up a proposal for a revised cyber-strategy in late 2020.

The proposed revision of the Directive on Security of Network and Information Systems (NIS2) has substantial differences to the current strategy. These include broadening the scope of companies deemed essential service providers and adding a second category of important entities. Which companies are considered essential is no longer left to member states to decide, so a uniform definition applies across the bloc. Such companies are now required to report any breaches of cybersecurity within 24 hours and issue a comprehensive final report within a month.

“If a regulator finds that a company systematically underinvested in cybersecurity,
the board will be held liable”

Filip Van Elsen
Allen & Overy

One of the main “novelties” of the proposed directive is governance, according to Filip Van Elsen, a technology and cyber-partner at Allen & Overy and co-head of the law firm’s global TMT practice.

“There is an explicit obligation for companies – both essential and important – to ensure that the board and the management teams of these companies approve the cybersecurity measures adopted and that they supervise their implementation,” he says. “So if, for instance, a regulator finds that a company systematically underinvested in cybersecurity, the board will be held liable.”

The difference between ‘essential’ and ‘important’ lies in how a company is supervised. “The essential entities can be audited at any time, and that includes on-site inspections, regular audits, security scans,” says Van Elsen. “The regulator can ask for information to assess their cybersecurity measures. They can ask for evidence related to an incident. So, the regulators have extensive powers to investigate essential entities and they have a wide portfolio of sanctions they can impose, ranging from warnings to binding instructions.”

Important entities, on the other hand, are only subject to supervision in the event of a breach. NIS2 is currently being reviewed by the European Parliament. Once approved by the parliament and the EU Council of Ministers, member states will have 18 months to transpose the directive into national law. Although it may take around two years for NIS2 to become law, its effect is expected much sooner.

Van Elsen says: “Just announcing this draft, putting forth the risk of sanctions, of penalties, which would be the higher of a maximum of at least €10 million or up to 2 percent of a company’s total worldwide annual turnover at the group level; indicating that regulators will have extensive investigative powers, sends a message. Companies understand that, from a governance point of view, they will need to have the right remedies in place.”

Australia’s ‘evolving’ approach

By Daniel Kemp

Australia’s government, like those in many other jurisdictions, is working to ensure that the country’s economy is resilient in the face of an increased number of cyberattacks. Changes to what is defined as ‘critical infrastructure’ will form the central pillar of how the country’s cybersecurity is managed and policed.

“I think Australia is probably among the better prepared countries, because of our smaller population and a generally high level of sophistication in business and technology,” says Minter Ellison partner Paul Kallenbach.

The Security Legislation Amendment (Critical Infrastructure) Bill 2020, which is making its way through parliament, aims to expand the scope of the Security of Critical Infrastructure Act 2018.

The current act considers electricity, gas, water and ports to be sectors as critical infrastructure. However, under the amended legislation the definition will encompass 11 more sectors, including data storage, healthcare, higher education and agribusinesses.

Owners of these assets will be compelled to register them with the federal government for security reasons and comply with certain security obligations, such as having risk management methodologies in place. The assets’ owners will be able to access government assistance if an incident occurs that poses a threat to national security or the country’s economic stability.

“The amendments broaden security of critical infrastructure to include cyber, as the original act didn’t include that, recognising it alongside supply chain risk, physical security risk and personnel risk as one of the four pillars of security and resilience,” says PwC Australia cybersecurity partner Robert Di Pietro. “And the definition of what is considered critical infrastructure will now be very broad, to signify that our communities are relying on more of these critical services every day.”

Di Pietro says the Australian government is trying to take a lead from nations that have introduced cyber-regulations already, but is taking a less prescriptive approach than places such as the US.

“The government here is trying to adopt a more risk-based approach [focused on] resilience, with cyber fitting in as one piece of the puzzle,” he says. “Going very broad with our definitions of critical infrastructure allows the opportunity to raise the baseline across the board… and we will be more resilient as a whole because of that.”

“You often find a board is typically a very pragmatic composition of people from that industry, and the knowledge of cybersecurity is none”

Thomas Fikentscher

Information sharing is seen as a key requirement to boost resilience across different sectors and types of assets.

Thomas Fikentscher, a cybersecurity expert and regional director of enterprise security firm CyberArk, says the Australian Cyber Security Centre, the government’s lead agency on cybersecurity, is playing an “important role” in this regard.

“The centre has more funding, with more people actively involved in collecting data on incidents and advising organisations in a predictive manner about potential attacks,” he says.

However, he adds there may not yet be enough preparation to mitigate the risks, and that more collaboration between the public and private sectors, and more education of those in boardroom positions, is required. “I don’t think they’re very well prepared and, frankly, they are a little bit naive in many ways,” he says. “You often find a board is typically a very pragmatic composition of people from that industry, and the knowledge of cybersecurity is none.

“They delegate it to the IT department, which uses technical language that no one understands, which leads to underinvestment and not really having risk-mitigation policies in place.”

This is where Australia’s evolving regulatory environment will sharpen minds and ensure that those who are not already taking the threat seriously will have to reconsider.

“The government wants to collaborate with the industry and regulators, without just slapping down laws that it expects everyone to adopt,” Di Pietro says. “There are existing regulations and state-based laws, so the government wants to avoid additional compliance burdens or overheads.

“It will be principles-based and tell you what you need to achieve – but how you go about doing that, the government is not too worried about.”