To explain this concern we can recall that current national and European cyber security legislation classifies the networks that distribute electricity, gas and water as critical infrastructure and imposes strict security requirements on the ICT/OT networks that supervise and control these infrastructures. The reason is fairly obvious: a successful attack against the control network can have a huge impact, and loss of human life is possible. As an example, NIS, the Directive on security of Network and Information Systems, is a European Directive adopted in 2016 that requires the adoption of a shared set of security measures for ICT networks and systems. Member States had to transpose the Directive into their national laws by 9 May 2018 and identify operators of essential services by 9 November 2018. The Directive provides legal measures to boost the overall level of cyber security in the EU. In the US the protection of critical infrastructure is assigned to a federal agency, the Cybersecurity and Infrastructure Security Agency, CISA.
No one doubts the importance of critical infrastructure. The problem is how many infrastructures are critical. As an example, CISA states that “There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof”.
Unfortunately, in a world where ICT is pervasive, the set of infrastructures that CISA considers critical may be incomplete. As an example, some weeks ago Microsoft Corp alerted one of Democratic presidential candidate Joe Biden’s main election campaign advisory firms that it had been targeted by suspected Russian state-backed hackers, according to four people briefed on the matter. The target here is the ICT infrastructure of an advisory firm, which is not a critical infrastructure according to any definition. However, it is obvious that the goal of the attacker is to influence the election result, something any democracy wants to defend and protect at least as much as water and power distribution.
Another important attack is the one against Twitter only a couple of months ago. Among others, the accounts of Joe Biden and Barack Obama were hijacked, and it is rather obvious what could happen if on election day one of these accounts sends a fake tweet. Again, Twitter’s ICT infrastructure is not a critical one.
Hence, several ICT infrastructures have to be protected even if NIS or CISA do not classify them as critical, because successful attacks against them may have a huge impact on our society. If software is eating the world, every company is a software company. This does not imply that every company sells software products, but that services and products in every field are becoming increasingly driven and powered by software. In other words, cybersecurity should be practiced in enterprises of all types, and most infrastructures are becoming critical ones.
The news that a ransomware attack on a German hospital resulted in the death of a woman has produced a large