When the Nord Stream pipeline was sabotaged in September 2022, it set off a chain of events. The incident showed how fundamentally fragile the renewable energy system is and highlighted that the relatively immature green energy provision would need to be supplemented by other means, such as nuclear or natural gas imports, to be stable, resilient and cost-efficient. Today, the solution remains to backup renewable energy with gas.
As a result, it became apparent that Critical National Infrastructure (CNI) is highly complicated and interconnected, compelling the sector to bolster defences and become more resilient to attack. At the same time, we saw the impetus grow to replace the National Information Security directive with NIS2, which aimed to improve the sharing of threat intelligence and make the authorities far more effective in detecting and mitigating attacks.
NIS2 came into effect across the European Union in October, but as the national regulations are not prescriptive and most have still to be transposed, they are seen as open to interpretation, causing some confusion. The directive focuses on the need to implement risk management and incident reporting processes to enable disclosure of an incident within 24 hours. It also introduces the notion that responsibility lies with the board and that senior management can be held accountable for failing to execute those responsibilities adequately. This is causing some consternation in the industry, but realistically, it was always going to be on the cards.
If we look at the United Nation’s Sustainable Development Goals (SDGs), Industry, Innovation and Infrastructure (SDG 9) specifically refers to the need to build resilient infrastructure, while Peace, Justice and Strong Institutions (SDG 16) refers to the need to build effective and, importantly, accountable institutions. We’ve also seen other jurisdictions lead the way in making senior personnel accountable, with the Securities and Exchange Commission (SEC) in the US revising its disclosure requirements in July 2023 to require details on the level of oversight of the board and management’s role in assessing and managing risks from cybersecurity threats.
Bridging the divide
So, the board will need to get its hands dirty. But can they successfully bridge the gap between the operational technology (OT) and information technology (IT) factions within the business that usually seldom overlap
OT processes remained largely siloed until the digitalisation of SCADA (Supervisory Control and Data Acquisition), a control system architecture designed to centralise remote control. The exposure of these systems then saw them become susceptible to attack for the first time, leading to the potential for the disruption of services, redirection, and manipulation of operational data. It was only then that IT and OT teams needed to really speak with one another, and they rapidly found out they didn’t speak the same language, with OT concerned with RTUs and PLCs while IT was preoccupied with firewalls and technical controls.
Establishing common ground is, therefore, going to be key to achieving resilience. Thankfully, it may now be possible due to Generative AI. If the organisation can identify its assets and the threat environment and ascertain its risk posture, it can then map these to create a framework compatible with NIS2. This can give the executive team the degree of confidence needed to sign-off on controls.
Once up and running, it then becomes possible to assess how well those controls are functioning, whether the business is able to report any incidents within the required 24 and 72 hour timeframes, and AI can be used to translate that very technical jargon from the OT and IT teams into the full report required a month later.
AI will prove invaluable in helping CNI organisations documenting what they have and explain what they can see as an attack manifests. In this respect, it has the power to become very specific to the business, and that’s super exciting because once you’ve got a technology that is hyper localised to a company, it extends the realm of the possible. Up until this point, we’ve been thinking of cybersecurity problems within the scope of what can be solved. But armed with AI, we can get that individual insight that was missing.
Filling in the gaps
Most organisations have the tools they need. That’s not the problem. The problem is connecting what they have in order to see the gaps that might be caused by how they are set up and used in terms of processes.
Following the detection of a possible attack, for example, AI can be used to determine where the attack is in the kill chain to establish how far it has progressed by supplementing that data with contextual information, such as Threat Intelligence Feeds that identify associated indicators of a compromise or the behaviour of threat actors. Armed with this knowledge, the AI can then determine what part of the network is likely to be impacted, not in general terms but specific to the organisation. Such deductive reasoning would previously have required expert knowledge, something organisations are now struggling to both afford and acquire due to the skills shortages in cybersecurity, but it becomes attainable with AI.
In the CNI sector, there’s little doubt that the cyber threat is growing. We saw this recently with the attack against American Water in October. While the company was quick to take action, immediately triggering its incident response plan and calling on third parties to contain and investigate the breach, the attack illustrates how these organisations remain a prime target for nation state actors and ransomware gangs. What’s heartening is that the emphasis on resilience and the autonomy afforded by AI could well shift the balance. The technology has the power to free the security team from having to think along the same tram lines as everybody else, transforming threat detection and response into a tailor-made solution.
Christian Have
Christian Have is CTO at Logpoint, a European cybersecurity company specialising in threat detection, incident response, and compliance solutions for mid-market organizations and MSSPs. With a background in network security, Christian has held roles as a hospital Security Specialist and Head of Network Security for the Danish National Police.