Strengthening Europe's Critical Infrastructure: EU Publishes Report Evaluating Telecoms and Electricity Sectors

July 19, 2024

EU Member States, supported by the European Commission and ENISA (the EU Agency for Cybersecurity), recently published a report on the cybersecurity and resilience of Europe’s telecommunications and electricity sectors.

For the telecommunications sector, the top risks identified included risks to mobile and fixed telecommunications networks, risks to the internet’s core infrastructure, and risks to satellite communications. For the electricity sector, the highest identified risks concerned entities directly connected to the electricity grid (including gas infrastructure). The most salient threats were insiders who either worked for hostile actors and infiltrated organizations or were manipulated via social engineering, along with cyberattacks from the outside, where ransomware and malware were used to gain control over or otherwise disrupt operational technology relied on by gas producers and electricity generators.

Background

The Council of the EU requested the Commission, the High Representative, and the NIS Cooperation Group (NIS CG) to carry out a risk evaluation and develop risk scenarios from a cybersecurity perspective in the event of a threat or possible attack against Member States or partner countries. This report focused on two sectors: telecommunications (mobile networks, fixed networks, satellite, and core internet infrastructure) and electricity (including gas to the extent it supports the generation of electricity). The aim was to provide an EU-level overview of the cybersecurity risks for the telecommunications and electricity sectors and their interdependencies with each other and with other sectors. Further sectors will be addressed in future iterations of this exercise.

This report was based on the analysis of inputs received from Member States’ representatives in the NIS Cooperation Group and relevant EU institutions, bodies, and agencies. It was conducted by the Directorate‑General for Communications Networks, Content and Technology (DG Connect) and the NIS Cooperation Group, with the assistance of ENISA.

Electricity Sector Findings

Continued integration of IT and OT systems, plus the introduction of more and more small energy providers, increases the attack surface for the electricity sector across the EU.

Two categories of risks were identified:

  1. Risks to entities directly connected to the electricity grid (including gas infrastructure)
  2. Risks to market participants not physically linked to the grid

Top Risks to Entities:

  1. Insider Threats: Insider threats are considered by Member States to be the most impactful. This threat can materialize through social engineering or by an employee with malicious intent. A malicious insider with a sufficient level of clearance can scan the network for vulnerabilities for long periods while going virtually unnoticed. This provides the opportunity to set up complex attacks that might be hard to detect and difficult to mitigate. Remote services greatly increase the risk of false authentication of malicious actors. There is also concern that skilled labor shortages increase the opportunity for malicious agents to be hired.
  2. Ransomware Attacks: The energy sector is the third most targeted sector for ransomware attacks in the EU. Destructive malware injected into SCADA systems of the transmission system operators (TSOs) or distribution system operators (DSOs) could have a significant societal impact and could disable the distributed control systems (DCSs) of major gas producers or electricity generators. Various waves of such incidents occurred in Ukraine’s energy sector both before and after Russia’s full-scale invasion in February 2022.
  3. Cyber Espionage: Espionage operations can be aimed at data exfiltration for economic or political gain and at pre-positioning for destructive attacks at a later time. Countering espionage in the energy sector relies on timely and accurate information available to electricity sector entities. The degree to which such information is available currently differs per Member State, which presents a clear risk of missing cross-border operations by Advanced Persistent Threat (APT) actors.
  4. Supply Chain Compromises: Software supply chain attacks, where attackers inject malicious code into software components during their development or distribution phase or compromise the development tools themselves, give attackers a future backdoor into the software once deployed or allow them to plant logic-bomb types of malware to cause systems to malfunction at a given time or under predetermined circumstances. Hardware supply chain attacks can be used similarly but involve replacing physical components. This risk also includes third-party service attacks, where the attacker gains access through an external service provider or a cloud-based security service.

Telecommunications Sector Findings

The top risks identified in the telecommunications sector include threats to mobile and fixed networks, the internet’s core infrastructure, and satellite communications. Major concerns are:

  1. Ransomware targeting sensitive databases in the mobile subsector, potentially disrupting communication services and causing spillover harm to other sectors.
  2. Espionage risks from malicious insiders or pressure on 5G suppliers by hostile countries, exploiting vulnerabilities in roaming infrastructure to geolocate users, intercept communications, and conduct smishing and vishing attacks.
  3. Unpatched devices connecting to the internet being compromised and used in botnets.
  4. Physical sabotage of undersea cables as a primary risk for core internet infrastructure.
  5. Signal jamming posing a high risk to satellite networks due to its low cost and ease.

The sector’s rapid expansion with 5G and IoT deployment increases its vulnerability. The report notes a trend of rising cyberattacks, espionage, physical sabotage, and data theft. The increasing complexity of telecommunication supply chains and the proliferation of IoT devices heighten security challenges. The shift to virtual infrastructures for 5G’s core network multiplies access points, further complicating security efforts. The EU’s risk assessment highlights ongoing risks related to dependency on single suppliers and state interference in the 5G supply chain.

The Report’s Conclusions for Areas of Improvement

For “Resilience and cybersecurity posture” the report recommends the following:

  1. Human Resources and Asset Management: Exchange good practices and develop consistent guidelines across the EU for vetting and employment procedures for sensitive roles.
  2. Ransomware Mitigation: Intensify efforts to share practices, monitor vulnerabilities, and coordinate vulnerability disclosures under the NIS2 Directive.
  3. Synergy and Information Exchange: Enhance cooperation between CSIRTs and law enforcement, focus on tracking organized crime finances, and promote international policy coordination.
  4. NIS2 Directive: Emphasize security assessments involving all relevant authorities for physical infrastructure resilience.
  5. Cyber Resilience Act (CRA): Facilitate a smooth transition for energy and telecom entities to meet CRA requirements, including staff training and process implementation.
  6. DDoS Mitigation: ENISA should promote the exchange of practices to mitigate large DDoS attacks.
  7. Home Router Security: Develop technical guidelines for home router security in collaboration with BEREC.

For “Collective cyber situational awareness and information sharing,” the report recommends the following:

  1. Enhanced Situational Awareness: Improve the EU’s ability to detect and monitor cyber threats, especially in the telecoms and electricity sectors, to enable timely mitigation and minimize spillover effects.
  2. Information Sharing: Increase the sharing of timely and actionable information on physical and cyber espionage activities within and among entities in the telecommunications and electricity sectors, utilizing entities like ISACs and networks like the CSIRTs Network and EU-CyCLONe.
  3. Combat Cyber Influence Operations: Coordinate efforts to address rising cyber influence operations and disinformation campaigns by state-sponsored actors, identify key threats and actors, share lessons learned, and promote the EU Code of Practice on Disinformation and similar initiatives.

For “Contingency planning, crisis management, and operational collaboration,” the report recommends:

  1. Enhanced Communication Lines: Improving communication between sectors and cybersecurity authorities, including at the EU level, to better prepare for multisectoral crises and mitigate spillover effects through cross-sector contingency plans and collaborative exercises.
  2. Strengthened Cyber Crisis Management: Ensuring EU-level cyber crisis management procedures, involving EU-CyCLONe and the CSIRTs Network, are linked to sectoral stakeholders, especially in high spillover risk sectors, to maintain effective network and information security.

For “Supply chain security,” the report recommends the following:

  1. Preliminary Assessment of Risks: Conduct an assessment of supply chain cybersecurity risks from dependencies on high-risk third-country providers. This should include evaluating ICT services, systems, and products against required security levels, third-party vendor lock-in, secure software development processes, and the likelihood of government interference.
  2. EU Framework and Risk Assessments: Intensify efforts towards an EU framework for supply chain security and Union-wide risk assessments focusing on critical supply chains and sharing best practices.
  3. 5G Toolbox Measures: Continue implementing the 5G toolbox measures to address the supply chain security of telecommunications networks, including 5G.
  4. Analysis of Supply Chain Vulnerabilities: Analyze supply chain vulnerabilities in rapidly expanding areas such as wind farms, solar farms, and smart grids, leveraging groups like the Smart Energy Expert Group and its cybersecurity Working Group.
  5. Enhanced Supervision: Enhance supervision of managed shared services providers and overall supply chain supervision to prevent impactful cascading effects from compromised providers, as emphasized in the Council Conclusions on ICT supply chain security.

Leveraging Industrial Defender in Light of Report Findings and Recommendations

Understanding Your OT Environment is Foundational to Security & Compliance: Industrial Defender provides comprehensive and in-depth data about all OT hardware and software in critical infrastructure environments. This level of visibility is crucial for improving the EU's situational awareness and the ability to detect and monitor cyber threats, particularly in the telecoms and electricity sectors, which are common targets for advanced persistent threats (APTs). This further enables:

  • NIS2 Compliance: With detailed data on all OT assets, Industrial Defender facilitates easy assessment of compliance with the NIS2 directive. This allows organizations to assess and enhance their cybersecurity posture against the critical security controls outlined in NIS2, addressing the report's call for improved security and resilience assessments.
  • Insider Threat Management: Industrial Defender addresses concerns about insider threats by alerting to changes within the environment that could be made by malicious insiders or indicate weaknesses in security posture. It helps manage and identify access privileges, aligning with the report's emphasis on personnel concerns and access control policies.
  • Supply Chain Security: Industrial Defender helps organizations stay on top of vulnerable systems and know when critical patches and software updates are available.
  • Information Sharing: Industrial Defender's centralized data management allows for easy reporting and sharing of information. The platform integrates with existing tools and offers an open API for additional analysis, facilitating operational collaboration.

Read the full report here, which also presents risk scenarios for use in risk preparedness exercises.

For more information on how Industrial Defender can help address these findings and recommendations, reach out for a demo.