Infrastructure Cybersecurity: A European Perspective
Q. What are some of the greatest cyber threats facing the world today, and how can standards help combat them?
A. The greatest cybersecurity threats, in my opinion, are the ones that target our critical infrastructure and essential services, along with the very low level of cyber-hygiene applied by humans in technology use. We all tend to heavily underestimate the risks coming from weak passwords, factory configurations, or online data overexposure. Easily hackable accounts and the availability of all sorts of data and information fertilize the soil for the growth of cybercrimes and lead to more frequent and successful cyberattacks.
In this domain, standards can provide very effective support by delivering detailed guidance, procedures, and instructions on how to address cyber threats, from general to very specific, including the phases of response and recovery. The latter issues, more specifically, need to be further addressed, since things can always go wrong, and we need to be prepared.
Q. What involvement have you had in supporting the European Programme for Critical Infrastructure Protection (EPCIP) promoted by the European Commission?
A. I served the European Commission from 2010 to 2019 as a member of the ERNCIP team, the European Reference Network for Critical Infrastructure Protection (EPCIP’s flagship project). Together with my colleagues, I have provided support to European Union (EU) member states and operators of critical infrastructures in the implementation of the programme, including Directive 114/08/EC on the protection of the so-called European critical infrastructures. [The full title of Directive 114 is the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.] I’ve collected some of the lessons learned in the book, European Critical Infrastructures, published by Springer in 2014.
What follows is one of the findings that’s worth reassessing eight years later: “Given the fact that the 28 member states have many different national languages, this factor has heavily affected the understanding and interpretation of the technical annexes of the Directive 114/08/EC, whose terms may assume different meanings if translated in other languages. This variable has clearly unveiled the lack of a common ‘EU vocabulary’ of technical terms pertaining to the CIP.” This was true indeed in 2013, when the book was written.
The current state of play shows a much improved situation in which one of the limits — the lack of a common EU vocabulary for CIP — has become one of the points of strength. The EU member states, having worked for more than 14 years under the umbrella of the EPCIP, have now developed a CIP-specific terminology that is widely recognized by civil servants, subject matter experts, academicians, first responders, police forces, and security officers.
This achievement has come to life thanks to the combined actions of the availability of an overarching framework (the EPCIP) and the consequent development of standards and guidance produced to specifically address various aspects and challenges of critical infrastructure protection. The “harmonized EU CIP vocabulary” is even recognized and used beyond the borders of the EU, since neighboring and allied countries are looking at the EPCIP and Directive 114 for establishing their respective national frameworks.
Q. What notable projects do you have currently underway? How will their results be useful to the EU?
A. A cybersecurity certification community has grown around EU cybersecurity and resilience programs, which are promoted by the European Commission and the EU Cybersecurity Agency (ENISA). Together with this community, we are developing a set of specific schemes to be implemented in the union starting next year (for example, information and communications technology, cloud, industrial control systems). The schemes will be launched and implemented under the umbrella of the Cybersecurity Act, which has established the European Framework for Cybersecurity Certification (www.enisa.europa.eu/topics/standards/certification).
This domain is highly standards-driven, since the cybersecurity evaluation schemes that are being developed rely on reference standards. In the long term, I expect the Cybersecurity Act to make a sort of “EU cyber shield” arise with the consequence that technology deployed, integrated, or used by citizens or in highly sensitive contexts (e.g., critical infrastructures) will have passed tests and evaluations with a level of severity that is adequate for its intended use.
Another project that I’m involved in is the Center for Interdisciplinary Research on Critical Infrastructure Security and Resilience (CRISR). CRISR was established in 2017 at the department of engineering for innovation, part of the University of Salento in Italy. Together with the scientific committee of the CRISR, we are coordinating a series of activities and projects that aim to deliver better and more focused courses on critical infrastructure protection in response to the increasing demand for qualified security experts and sector-specific researchers.
We are collaborating with a number of foreign universities, governments, and centers of excellence to make sure that students can have multidisciplinary and multifaceted experiences that will enhance their maturity and comprehension of the complexity of modern critical infrastructures and key resources. Summer and winter schools are also projects currently in the pipeline. The aim of these projects is to bring together experts from the international security community so that they can start passing the baton to the next generation.
Q. How did you become involved with ASTM International and the standards work in the exoskeletons and exosuits committee (F48)? What is your particular interest in the work of the security and information technology subcommittee (F48.05) and its draft now underway?
A. I’ve worked with William Billotte (director of global exo technology programs at ASTM) since 2016 on joint U.S./EU projects. We both share a keen passion for and interest in standards. When I learned that ASTM had established a subcommittee on security and information technology, I expressed my interest in contributing to this initiative.
I’m convinced that the assessment of the cybersecurity of exoskeletons and exosuits is important to guarantee the safety of the user and the people in close vicinity to the areas of operation. These technologies are increasingly important in the lifecycle of our society, and they will improve our lives, safety, and security.
Together with the committee, we are currently working on an initial draft of a guide for effective cybersecurity management for exoskeletons. This implies the understanding of scenarios of operations, potential risks associated with such use, and mitigation measures to be implemented. The scope of the draft will cover safety-related issues, and an extension on the avoidance of property damage is already foreseeable.
Alessandro Lazari, Ph.D., is a senior key account manager at F24 AG, a global solutions provider for incident and crisis management, and emergency notification. He is also director of the south-Mediterranean Region of the International Association of Critical Infrastructure Protection Professionals, and he is involved with other infrastructure cybersecurity work and groups. Lazari joined the exoskeletons and exosuits committee (F48) this year.