
As NIS2 Approaches, How Can Organisations Mitigate Life-Threatening Cyber-Attacks?

NIS2 will be transposed into law across all EU member states in three months. It mandates enhanced baseline security, incident response, supply chain security, and much more to make operators of essential services more cyber-resilient. If organisations were in any doubt as to why such regulations are necessary, look no further than the latest NHS ransomware catastrophe.

Fortunately, industry best practices can go a long way to both streamlining NIS2 compliance and reducing the chances of a life-threatening cyber incident.

Healthcare Under Fire

In the end, the ransomware attack that had such a catastrophic impact on NHS patients was targeted at a little-known healthcare supplier of pathology services. At the time of writing, it had caused over 800 planned operations and 700 outpatient appointments to be cancelled and rearranged, including some potentially life-saving procedures. Those figures relate to the two most affected NHS Trusts – King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust – and only for June 3-9, so the actual disruption will likely be even higher.

In addition to the cancellations, the NHS was forced to appeal for blood donors and volunteers in the wake of the incident. Although the supplier in question, Synnovis, is planning to restore some IT functionality “in the weeks to come,” it warned that “full technical restoration” would take longer, and disruption is likely for “months.”

Ransomware actors target healthcare with increasing frequency, and every time they do so, there’s a risk that service disruption will have a life-threatening impact on patients. In Alabama in 2021, the mother of a nine-month-old filed a lawsuit against the hospital where her daughter was born, claiming that it didn’t disclose that it had suffered a ransomware attack at the time. Because the cyber-attack disrupted critical operational technology (OT) devices, doctors weren’t able to monitor the child’s condition properly, according to the mother. Sadly, the child was left with severe brain injuries and passed away nine months later.

A 25% Chance of Fatalities

Of course, healthcare is just one of many critical national infrastructure (CNI) sectors where cyberattacks could have fatal repercussions. The government’s National Risk Register 2023 report estimates that a serious cyberattack on CNI has a 5–25% chance of happening over the succeeding two years. It claims that this could result in fatalities of up to 1000 people and casualties of up to 2000.

In many such organisations, it’s the use of OT and IoT technology which could expose them to attacks with dangerous kinetic effects. This can be seen in the water treatment industry, where a 2016 attack resulted in threat actors altering the level of chemicals in drinking water four times before the attack was flagged.

According to Anton Shipulin, cybersecurity evangelist at OT security specialist Nozomi Networks, conducting targeted life-threatening cyberattacks is challenging but feasible.

“It requires several conditions for the threat actor, including process knowledge, time, money, personnel, and a vulnerable target,” he tells ISMS.online.

“However, when life-critical or hazardous processes heavily depend on digital technologies, even untargeted attacks or technology malfunctions can jeopardise these systems, potentially causing deaths or injuries. This is particularly true in sectors such as healthcare, industrial robotics, and chemicals.”

Sean Tufts, managing partner for critical infrastructure at Optiv, agrees that ransomware is still the most potent threat to CNI, given the sheer number of groups at large and the ease with which many can exploit gaps in protection.

“A hacker blowing up a substation or refinery is not impossible, but very hard. You would need a very advanced hacking organisation combined with a team that knows how power plants work,” he tells ISMS.online.

“The more likely scenario is a low-level hacker puts a commodity ransomware package on a system and halts a physical process. If that process is a conveyor belt, oil pump, electrical breaker, or rollercoaster control system, things can literally spin out of control. Our industry’s current motto is ‘cybersecurity is safety. Safety is cybersecure’. We want the equipment near our technician’s fingers to be under their control.”

Repelling Threats and Saving Lives

All of these factors raise the stakes considerably for cybersecurity leaders operating in such industries. The question then becomes, how can they enhance cyber-resilience to the point where the risk to life is adequately managed?

“CISOs should think about how they would be able to continue emergency service provision in the event of a prolonged network outage and incorporate this into an incident response plan,” advises S-RM associate for incident response, James Tytler.

“They should also conduct regular tabletop exercises to make sure all relevant parties are aware of their roles and responsibilities ahead of time,” he tells ISMS.online.

According to Optiv’s Tufts, NIS2 will provide a useful set of security best practices to work towards.

“NIS2’s focus on setting a cybersecurity baseline that companies can grow into is vitally important to release budget from historically low margin businesses,” he argues.

However, given the UK’s departure from the EU, the regulation won’t apply to all organisations. Yet NIS2 isn’t the only game in town, according to Nozomi Networks’ Shipulin.

“Almost all critical infrastructure industries that utilise cyber-physical systems are governed by local regulations or international standards addressing the security of these systems,” he explains. “Therefore, the best approach is to begin by reviewing the cybersecurity guidelines provided by the industry regulator or sector-specific international associations.”

Best practice standards like ISO 27001 and IEC 62443 can also help. The former will mitigate security issues in IT systems that could be exploited by ransomware actors, and the latter is particularly useful as it’s designed specifically for OT environments such as industrial control systems.

“This standard was built by practitioners, not regulators. Its applicability is very high and custom to our industry needs,” says Optiv’s Tufts.

With the stakes so high, CISOs in CNI sectors must get back on the front foot.
