In psychological terms, resilience is the human ability to adapt to adverse conditions. The word comes from the Latin “resilio”, which means “to come back”, and it was used to refer to people who, despite suffering stressful situations, were not affected psychologically.
The term resilience has evolved throughout history. Today, in cybersecurity environments, cyber resilience refers to the ability of a company to adapt and keep its business running after suffering a cyber-attack. It also refers to how to act and how the situation has to be managed so that the company's general operation is affected as little as possible.
In a hyperconnected world, where technology plays an increasingly significant role, both protection against attacks and the ability to adapt and recover after suffering one are fundamental to companies. This is not only because an attack can affect their general functioning, but also because it can cause information leaks that compromise the confidentiality of assets and can ultimately damage the company's credibility, resulting in large economic losses. Therefore, cyber resilience is gaining importance for companies around the world.
Cyber resilience becomes even more important when it concerns companies or organizations that are essential to the functioning of our society, as is the case with critical infrastructures.
Critical infrastructures are those without which our society cannot maintain the pace of current life. Resilience, in these cases, is fundamental to guaranteeing our development and our survival; the world depends enormously on computers and, consequently, on their security.
For example, a drop in the power supply can have terrible consequences. A sad recent example is the series of blackouts that have been happening since March in Venezuela, with 31.5 million people affected and billions of dollars spent. However, beyond the economic figures, the great number of human lives lost in hospitals is more shocking: the machines that kept patients alive had no electricity supply.
Thus, critical infrastructures must include protection and resistance against cyber-attacks in their list of priorities. Yet we find that, until now, the implementation of security has not been effective, for several reasons.
One of the reasons for the lack of security in critical infrastructures is that, so far, this kind of attack had not played an important role and its consequences were not well known, so operators focused mainly on mitigating physical attacks against their infrastructure. Nevertheless, after cases like BlackEnergy in 2015, when a Trojan left about one million people in Ukraine without electricity for hours, energy companies and governments have begun to give security the importance it deserves.
Another reason is that the electrical world is an ecosystem that was already interdependent and will become even more so with the introduction of the IoT and especially the industrial IoT (IIoT). In addition, the habits of citizens are changing at high speed. For example, sales of electric vehicles increased by 60% in 2018 compared to the previous year, and 2019 is seen as a key year for the promotion of the electric car because of the advantages it offers. Due to the increase in sales of electric cars, energy companies have been forced to increase the number of charging points to meet the changing needs of society.
Undoubtedly, new social habits have led electricity companies to introduce new technologies, and this in turn has generated new problems that must be approached from the perspective of cybersecurity. Increasing the number of public charging points enlarges the attack surface, so the installation of insecure chargers can introduce a weak link in the chain formed by the entire electrical environment, leading to a possible chain reaction that ends in a total system failure.
According to the European Network for Transmission System Operators – Electricity (ENTSO-E), the synchronized area of the continental European power system has been designed to withstand a maximum power imbalance of three gigawatts (GW), although in some areas the limit is even lower. A power imbalance could lead to a total system blackout.
The electric car chargers currently being developed aim to reduce charging times, and to do so they need to handle more power. Introducing insecure car chargers not only increases the attack surface; because the new chargers handle more power, the number of chargers that would have to be attacked to cause a total system blackout is also decreasing.
Consequently, and because social habits change faster than the legislation in this area, it is essential that electricity companies adopt a security perspective in order to protect their own ecosystem and the development of society, rather than only complying with legislation and standards.
Companies should consider security a holistic aspect that affects all departments equally. A culture of collaboration must be fostered to ensure quick communication between teams and, with it, a faster response to incidents.
Company leaders and managers should move from being supervisors to playing an active role in this effort. In addition, the obstacles that companies encounter when approaching this issue must be removed: we should try to end the stigma of suffering an attack so that a company's credibility is no longer compromised by it. Likewise, companies from different sectors need to establish communication channels to stay up to date on new threats and protection techniques, in order to be ready for risks that are unknown to date.
Sadly, as we have seen, because of the difficulties that arise, this is not carried out as efficiently as desired. One way to streamline and facilitate the inclusion of security among a company's priorities is to obtain a security certification.
In cases such as those mentioned above, security certifications offer companies the possibility of securing their assets against real attacks. Used properly, they make it possible to protect both systems and products. For systems, there are certifications already recognized by the industry such as ISO-27001, or ENS in the case of Spain (always applied seeking excellence and not only compliance, including both regular vulnerability analysis and red teaming). For products, there are certifications like Common Criteria or some of the new lightweight certifications that are much discussed in Europe, as is the case of LINCE in Spain. The trusted third-party model ensures impartiality in the conduct of evaluations, while the use of a proven and recognized methodology guarantees their quality.
Increasingly, cybersecurity certification is put forward as a response to the problem of security in both companies and critical infrastructures. While it does not guarantee infallibility, it is an essential step toward total security.