European Regulatory Framework

The national effort to protect Critical Infrastructures (CI) is essential for everything that concerns each country's own territory. Likewise, a European-level approach is crucial for managing the common threats affecting EU countries: a shared approach to a threat guarantees a coordinated, and therefore faster and more effective, response. The European framework does not replace the national one: “the primary and ultimate responsibility for protecting European Critical Infrastructures falls on the Member States and the owners/operators of such infrastructures” [1]. The European debate on the protection of Critical Infrastructure started in the early 2000s, especially after the terrorist attacks on the Madrid (2004) and London (2005) underground systems, which highlighted the vulnerability of CIs to the terror threat. In the wake of the increase in cyber attacks, in 2013 the European Commission and the High Representative of the European Union for Foreign Affairs and Security Policy published a “Strategy for an Open, Safe and Secure Cyberspace”. This strategy aims to ensure a safer online environment in order to protect citizens and countries from cyber threats [2]. The strategy also proposed the adoption of a Directive of the European Parliament and of the Council to ensure a high common level of network and information security (NIS); the proposed directive, in turn, called for the establishment of a cyber emergency response team (CERT) in each Member State [3].

Until 2013, the legal framework for protection against cyber attacks was mainly focused on personal data protection (Directive 2002/58/EC, the “Directive on privacy and electronic communications”). On 6 August 2016, the European Parliament adopted the Directive on the security of network and information systems, NIS (Directive 2016/1148), thus giving effect to the provision of the 2013 Strategy. The Directive obliges Member States to comply with its provisions: it calls for the adoption of a national strategy on the security of networks and information systems and for the creation of cooperation groups that foster the exchange of information between Member States [4].

Italian Legal Framework

In 2011, Italy implemented Directive 2008/114/EC with Legislative Decree 61/2011, which contains the guidelines for identifying European Critical Infrastructures (ECI), defines a Safety Plan for the operators of ECI and establishes the Inter-ministerial Situation and Planning Unit (NISP). NISP has the task of identifying and designating ECI; it works together with the Ministries responsible for the energy and transport sectors and acts as the national point of contact for the protection of ECI with the other Member States and with the European Commission.

The Decree of the President of the Council of Ministers (DPCM) of 24 January 2013 defines “the institutional architecture dedicated to the protection of national security in relation to critical material and immaterial infrastructures, with regard to cybernetic protection and national IT security”. This act formally recognises the importance of guaranteeing protection against cyber threats, which are able to put the country's system at risk [5].

After the approval of the Decree, a Cybersecurity Working Group was created, which operates under the Committee for the Security of the Republic and is chaired by the Department for Intelligence and Security (DIS).

In 2013, the Working Group published the National Strategic Framework for Cyberspace Security, which identifies the main threats to cyber security (including computer espionage, cyber terrorism and hacking) and proposes tools and procedures to strengthen the defensive capacity of the country's system [6].

The GDPR issued by the European Data Protection Authority has had an echo similar to that of the millennium bug (Y2K) in 1999: as then, there has been a general raising of awareness, and companies that had never faced the problem of cyber security are suddenly being plunged into this new dimension. Driven by fear of sanctions (or, even before that, by the more probable complaint from users “unsatisfied” with the processing of their data), public and private bodies, and companies large, small and very small, are making a kind of “big jump”, just as in 1999 (a jump that then ended happily with the rollover of the date, recorded in history as “accident-free”). Some, as then, are “starting from scratch”, i.e. trying to redesign their entire IT context from the perspective suggested by the regulation itself, that is, “by default” as regards procedures and “by design” as regards the design of software and firmware. Others, constrained by excessive costs, proceed in a patchy (“leopard spot”) fashion and try to plug the “holes”. Finally, some claim to be doing “risk management”, which amounts to waiting for the first penalty and then deciding how much to invest to avoid the second. In any case, the first approach is taking hold, and this allows one to look with optimism at this sort of great manoeuvre. Obviously, it will then be the task of the National Guarantor to make all these companies perceive the “goodness” of the actions taken under the first approach and the “non-goodness” of the inaction of the “wait-and-see” third approach: otherwise, in the absence of sanctions imposed or measures enforced, the waiting approach comes to be perceived as “correct”.

Finally, a transversal aspect that all the actors involved will have to face is the need to redefine their approach to risk, and then to update their technical, organisational and procedural measures, from a perspective that is not confined to the protection of assets alone but puts the risk to the rights of the data subjects at the centre.

In this regard, in the national context the activity carried out by the National Anti-Crime Center for the Protection of Critical Infrastructures (CNAIPIC) is decisive.

Main Statistical Data about the Cyber Attacks Hitting Italy

In 2018, CNAIPIC reported a five-fold increase, compared with 2016, in the alerts issued because of immediate threats and risks to critical infrastructures.

In this context, the Center has managed the monitoring of networks involving sensitive structures of national importance.

In particular, the Center's Operations Room has managed:

  • 1032 cyber attacks on Internet services relating to institutional sites and critical IT infrastructures of national interest;
  • 83 requests for cooperation within the “High Tech Crime Emergency” circuit. Among the investigative activities carried out in this context, 72 investigations were launched in 2017, with a total of 34 people reported and 2 arrested.

Among the most significant activities reported were the “EyePyramid” operation, in which the group formed by the Occhionero brothers, who devoted themselves to political-institutional and industrial cyber espionage, was stopped and both were arrested, and the “Andromeda” operation, in which a botnet was dismantled.

With reference to financial cybercrime, ever more advanced hacking techniques, using malware delivered through phishing, greatly widen the attackers' reach, especially in the context of commercial relations. In fact, the aim of criminal organisations is to interfere in commercial relations between companies by diverting sums to accounts controlled by the criminals. BEC (Business Email Compromise) fraud, or CEO (Chief Executive Officer) fraud, is the modern application of the attack technique known as “man in the middle”. The sums fraudulently obtained are difficult to block and recover, mainly because they are sent to countries outside Europe (China, Taiwan, Hong Kong). However, the OF2CEN platform (On Line Fraud Cyber Center and Expert Network), highly skilled in the analysis and advanced countering of fraud in the sector, in 2017 blocked at source €20,839,576 out of €22,052,527 moved; moreover, €862,000 were recovered from the residual part relating to transfers that had already been executed. The platform, the result of specific agreements reached through ABI with large parts of the banking world, allows intervention in near real time on a report, blocking the sum before it is pulverised into various rivulets of nominees' accounts.

According to the 2018 CLUSIT [7] report on ICT security in Italy, cyber activity against national organisations or infrastructure cannot be estimated exactly, because large portions of data are missing: many attacks are simply not reported by the organisations hit. However, comparing the USA and UK data collected between 2016 and 2018 on the cost of malicious cyber activity, and given the high number of successful cyber attacks, it is possible to estimate the total losses resulting from cyber criminal activity in Italy at around 10 billion euros.

In 2017, a growth trend in attacks was registered, around 11% compared with 2016, particularly in the case of malware, which now deploys more and more sophisticated techniques, among which ransomware and miners are the most commonly used. As regards attack techniques, 2017 saw an increase in DDoS, with 9,362 attacks carried out (more than 25 attacks per day), and in Hit & Run or Pulse Wave attacks.

Conclusions

The greatest vulnerabilities lie in the human component: it is no coincidence that our adversaries are investing more and more in social engineering tools, which enable attacks to move inside organisations by using the weaknesses, even psychological ones, of the operators to violate a context deemed reliable and secure. As for prevention, there is no need for alarm but for awareness: it is wise to be prepared for the unexpected, always taking into account all the variables in the field, including the human factor, which is certainly the most vulnerable.

As for the coming threat trends, we will face increasingly targeted and sophisticated attacks. Consequently, defence must move onto the attacker's own plane, learning to anticipate their moves and always being ready to face new forms of “imaginative” solutions.

In terms of prevention, however, we insist on the importance of training and, more specifically, we think three aspects deserve attention: first of all, training highly skilled technicians, starting from high school, for tactical and operational roles; at the same time, continuing to specialise the “high” educational offer (university and post-graduate) dedicated to the creation of strategic operators. It would then be highly useful to provide intermediate figures working as “interpreters” between technicians and others, to build a common lexicon that conveys complex content in natural language and thus helps the public, often confused by the sector's jargon, to approach these issues. We cannot all become hackers, but everyone should be able to use the technology, just as we all learn to drive a car even if we do not aspire to become Formula 1 drivers, and we know that we have to go to the mechanic when there are problems with how it runs.

REFERENCES

  1. https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:345:0075:0082:EN:PDF
  2. https://ec.europa.eu/digital-single-market/en/news/communication-cybersecurity-strategy-european-union-%E2%80%93-open-safe-and-secure-cyberspace
  3. Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union, COM(2013) 48 final, 7.2.2013
  4. https://eur-lex.europa.eu/legal-content/IT/TXT/PDF/?uri=CELEX:32016L1148&from=IT
  5. “Direttiva recante indirizzi per la protezione cibernetica e la sicurezza informatica nazionale” https://www.sicurezzanazionale.gov.it/sisr.nsf/wp-content/uploads/2013/03/dpcm-24-01-2013.pdf
  6. https://www.sicurezzanazionale.gov.it/sisr.nsf/wp-content/uploads/2014/02/italian-national-strategic-framework-for-cyberspace-security.pdf
  7. CLUSIT, Italian Association for Computer Security
