Critical Infrastructure: “our society relies on it - if it fails, it hurts you and me”

Writer Samira Joineau

The PwC Cybersecurity and Privacy Day returned on October 13 for its 7th edition. This year’s theme was Critical Infrastructure Protection, with the aim of sharing insightful messages, opinions, and solutions with an audience of 300+.

Koen Maris, PwC Luxembourg Partner & Cybersecurity Leader, opened the event by stating that Critical Infrastructure is an important field as “our society relies on it – if it fails, it hurts you and me”. Multiple experts came on stage to explore the Critical Infrastructure topic, discuss ideas and opinions, and offer potential solutions.

It is certain that, since the beginning of the Internet, no one has been truly safe, and hackers show creativity when it comes to attacking businesses. Through different cyberattack scenarios – occurring in the 90s, the 2000s and in 2022 – Swiss Life Global Solution Divisional CISO Dalia Khader and European Investment Bank Senior Information Security Officer Donia El Kateb demonstrated that attacks remain the same, while the critical rate has become stronger.

“Today when we look at our companies, the cyber ecosystem is extremely complex. You look to secure what is in your place, your cloud, your Internet of Things […]: it has become a huge complex task to look into your infrastructure” – Dalia Khader, Swiss Life Global Solution Divisional CISO

As the cyberworld grows more sophisticated (more cybersecurity-related professionals, security controls, cyberattacks, …), hackers carry out organized and sharper crimes. This forces businesses to invest in cybersecurity solutions, as we keep growing in a fast-evolving cyber environment. Besides, there was initially no clear legal framework in terms of cybersecurity. This ultimately shows that the weakest link in this field remains cybersecurity awareness. The increasing rate of cyberattacks has hence urged governments to adopt regulations and standards to ensure and optimize the security of the digital space.

On this note, GOVCERT.LU Managing Director Paul Rhein, after briefly introducing himself and his department, elaborated on the NIS 2 Directive. To give some context, the first NIS Directive – also known as Directive (EU) 2016/1148 – entered into force back in 2016 and was the first cybersecurity law in Luxembourg. Its aim is to establish a strong common level of network and information security across all EU Member States. In other words, it sets security and incident notification requirements for Operators of Essential Services in critical sectors – this encompasses, for instance, banking, financial or digital markets.

The NIS 2 Directive presents itself as an update of the previous one. The European Parliament and the Council have revised the text and aligned it with sector-specific legislation, such as the Digital Operational Resilience Act (DORA). Hence, this proposal reflects the “increased digitisation of the internal market in recent years and an evolving cybersecurity threat landscape”. Although this update is yet to be approved and adopted, it is important – on top of adopting regulations and standards – to carry out cybersecurity tests in order to best prevent potential threats.

Jean de Chillou, CSSF IT supervisor and regulator, presented TIBER-LU – the Threat Intelligence-based Ethical Red Teaming Luxembourg. The latter refers to a “harmonized European approach for the conduct of threat-led penetration tests that mimic the tactics, techniques, and procedures of real-life threat actors and that simulate a cyber-attack on critical functions and underlying systems of an entity”. In Luxembourg, 15 critical financial institutions have volunteered, covering fields such as retail, payment services, and financial market infrastructure. He further explained that the first TIBER-LU test is currently ongoing, and 4 more tests are already scheduled for next year.

This demonstrates that protecting infrastructure is very much part of the cybersecurity effort and also of preserving businesses. While cybersecurity awareness is essential, it is also the responsibility of governments and larger institutions to adopt the right legal framework, ensuring a safe cyberworld for everyone.