Cybersecurity: Critical infra catching up, but "risk zone" grows
An Enisa report shows significant progress through the NIS2 directive but warns of growing digital dangers in the space and transport sectors.
In its NIS360 report published on Thursday, the European cybersecurity agency Enisa paints an optimistic but nuanced picture of Europe's digital resilience. The widespread implementation of the EU directive on network and information security, dubbed NIS2, is showing its effects and driving investments in critical infrastructures (Kritis) across industries. Nevertheless, a dangerous gap still remains between the real threat landscape and the actual crisis resilience in many systemically relevant areas.
To make the maturity level measurable, Enisa evaluated the entire ecosystem of industries for the study. This ranges from the quality of laws and the preparedness of companies to the effectiveness of supervisory authorities. It sets this maturity against societal criticality, which is determined by the degree of digitalization and the fatal cascading effects a failure would have for citizens.
Dynamics of the Risk Zone and the Troubled Space Sector
Based on the relationship between dependency and security level, Enisa derives a “risk zone” for sectors whose maturity is below the EU average. As the general level has risen, the agency's experts have moved rail transport as well as drinking water supply and wastewater disposal fully into this danger zone. The criticism is that both areas are not keeping pace with the market. A glimmer of hope is the gas supply, which has managed to escape the risk zone thanks to more intensive information exchange.
According to the analysis, the situation in the space sector remains concerning and is characterized by enormous differences in quality. The digital society is becoming increasingly dependent on satellite data for navigation, financial trading, and climatology, it states. This key role makes the sector a target for geopolitical cyberattacks, for example via GPS jamming, which has been causing problems in the Baltic Sea for several years. Since NIS2 currently only covers parts of the supply chain, there is an imbalance: aviation giants are excellently protected, while smaller suppliers carry significant security deficiencies.
Unequal Defense Capabilities
The development in the transport sector is similarly varied. Aviation shines overall as a model student. However, rail transport is increasingly coming under fire due to its importance for military logistics. Attackers are focusing on outdated operational and signal box technologies. This is a serious issue, as aging radio systems and control center bases are extremely difficult to patch. They offer attackers the possibility, for example, to stop trains remotely.
In the maritime economy, cyberattacks on networked port sectors even threaten to destabilize global supply chains. The increasing networking of port cranes and ship systems with the cloud opens up entry points. National port authorities often acutely lack IT expertise.
In the midfield, the healthcare sector and IT service providers are battling structural barriers. Hospitals suffer from budget and staff shortages, making them the ideal target for ransomware extortionists under the pressure of patient care. IT service providers, in turn, serve as strategic launchpads for cyber attackers to hijack hundreds of customer networks simultaneously via maintenance access.
Government administrations are also lagging behind. The public sector primarily lacks cybersecurity expertise at the management level, which is why security updates typically take months and government portals regularly fall victim to successful phishing and denial-of-service attacks.
Threats of Tomorrow
Traditionally highly regulated sectors such as banking, telecommunications, and electricity supply are proving to be a bulwark, according to the analysis. Financial market infrastructures and trust services are new to this top group of high cybersecurity maturity. Driven by the financial market regulation Dora, security has been successfully anchored there as a business risk in top management.
Looking ahead, Enisa sees three megatrends shaking the security fabric: the rapid advancement of AI, which provides attackers with new tools like deepfakes; highly complex software supply chains; and geopolitical upheavals. Critical sectors must therefore urgently transition from a purely bureaucratic compliance culture to a lived, resilient practice.
(vbr)