Cybercrime attacks not only computers, but also industrial plants and infrastructures. The NIS Directive ¹ defines, in art. 5 paragraph 2, operators of essential services as entities meeting the following criteria:
a) an entity provides a service that is essential for the maintenance of fundamental social and / or economic activities;
b) the provision of this service depends on the network and information systems;
c) an incident involving the operator of essential services would have a material adverse effect on the provision of that service.
For the purposes of determining the significance of the aforementioned adverse effects, art. 6 paragraph 1 requires the competent NIS authorities to consider the following cross-sectoral factors:
a) the number of users who depend on the service provided by the interested party;
b) the dependence of other sectors referred to in Annex II on the service provided by that entity;
c) the impact that incidents could have, in terms of extent and duration, on economic and social activities or on public safety;
d) the market share of said entity;
e) the geographical spread of the area that could be affected by an incident;
f) the importance of the entity for maintaining a sufficient level of service, taking into account the availability of alternative means for the provision of that service.
Industrial Control Systems (ICS) are the devices, systems, networks and controls used to automate the industrial processes present in almost every sector: oil and gas, power plants and power grids, highways, ports, airports, railway stations, which are precisely the critical infrastructures listed in the NIS Directive. ICS communicate with the SCADA systems that provide the data for supervisory and control activities in process management.
However, SCADA systems, despite being IT systems in all respects, suffer from intrinsic vulnerabilities because they were designed with an eye to simplicity, reliability and accessibility, not with a security-by-design approach.
SCADA systems were born in the 1950s as isolated systems, not connected to IP networks and therefore immune to cyber threats. When, in more recent times, they were connected to IP networks and the internet, the undeniable advantages in terms of monitoring and control were accompanied by risks to their security and, given the operational contexts, often to human safety as well.
It is therefore from the 2000s, with the convergence of IT and OT (Operational Technology), that an interminable series of attacks on the latter began. It started with SQL Slammer in 2003, passed through BlackEnergy in Ukraine in 2015, came close to us in 2017 with the Maschio Gaspardo S.p.A. case, and has reached Luxottica S.p.A. and Carraro S.p.A. in recent days.
As anticipated, ICS networks were born as isolated systems and were only later connected to the internet.
The NIS Directive places the emphasis on these vulnerabilities, so that ICS are now treated on a par with any other IT system as far as security is concerned.
Enrico Netti, in his article “Cybercrime, costs and defenses of a company under attack” in the Sole24 of 29 January 2018, estimates the damage faced by an average manufacturing company with 120 million in revenues that falls victim to a malware attack completely blocking all activity.
First of all, it involves eliminating the attacker and then restoring the platforms and systems of the 4.0 plant, from the sensors on the machinery to the numerical control machines², to the administration with customer and supplier accounting, and ending with the research and development department. Here the theft of data becomes very dangerous, because it could be aimed at stealing patents and designs. With the entry into force of the GDPR³, companies that do not report data breaches are sanctioned with a fine that can reach 4% of turnover or 20 million. It is therefore mandatory to take out insurance policies to manage the risk associated with cybersecurity.
The company finds itself having to warn its customers and suppliers of the blocking of the activity and having to manage the crisis at a cost of thousands of euros per day.
Customers and suppliers can open a legal front of non-performance disputes, making claims for damages that can range from a few tens of thousands of euros to well over hundreds of thousands.
Among entrepreneurs, sensitivity towards cyber security is often very low and too rarely goes beyond mere concern to the point of investing in countermeasures.
It is basically a small technological step, but a great cultural step.
¹ The Directive on the security of network and information systems of the Union (NIS Directive, Directive (EU) 2016/1148) aims to achieve a high common level of network and information system security across the EU. Italy transposed the NIS Directive into national law with Legislative Decree no. 65 of 18 May 2018, which entered into force on 26 June 2018. Unlike other Member States, the Italian decree does not extend the scope of application to sectors other than those envisaged by the Directive.
² CNC (Computer Numerical Control) machines represent the evolution of NC (Numerical Control) machines, because they allow direct numerical control from an external computer.
³ The General Data Protection Regulation, officially Regulation (EU) 2016/679, is a European Union regulation on the processing of personal data and privacy. It was adopted on 27 April 2016, published in the Official Journal of the European Union on 4 May 2016, entered into force on 24 May of the same year and became applicable from 25 May 2018. With this regulation, the European Commission aims to strengthen the protection of the personal data of EU citizens and residents, both inside and outside the borders of the European Union (EU).