
Vital protection of essential facilities

New laws set guidelines for preparing, protecting and responding to an increase in cyber attacks or natural disasters affecting construction sites

The socioeconomic and geopolitical environment has seen a significant increase in security risks on a global scale: from climate change to pandemics or the increasing threat of cyber warfare. In a technology-dependent, interconnected world, this context assumes a very important dimension when it comes to protecting critical infrastructures that support the functioning of a State.

Companies in basic sectors such as electricity, water and gas always have to guarantee their activities against these dangers. Therefore, cybersecurity becomes an inevitable priority not only to protect the integrity of operations, but also to maintain public trust.

The reaction from Europe is reflected in the CER and NIS2 regulations adopted in December 2022. As José Luis Pérez Pajuelo, director of the National Center for the Protection of Critical Infrastructures, points out, these regulations “represent the latest step in a long journey.” It started in 2004, when the European Commission decided to prioritize the protection of critical infrastructures in Member States. The concept has been evolving towards resilience, that is, the ability of critical assets to resist, absorb, adapt to and recover from events, and to support a collective response to them, with the aim of guaranteeing a common level of cybersecurity within the entire European Union.

Faced with this, as Marcos Gómez, director of Information Security at the National Cybersecurity Institute (INCIBE) and deputy director of INCIBE CERT, points out, “digitalization has increased the number of connected companies and administrations, which requires a focus on cybersecurity of the entire supply chain.”


As part of this drive to strengthen the cyber resilience of critical facilities, identification and authentication stand out as key elements in their protection. As Pajuelo puts it, “ensuring that only authorized individuals can access sensitive areas or essential systems becomes a key element of any security system and, of course, those seeking to avoid threats, including internal threats.”

This is even more so given the proliferation of remote working across organisations, and even of devices such as smartphones. José María Rico, head of Redeia’s Corporate Security department, explains: “We are in a context in complete evolution where security and accessibility are increasingly dynamically intertwined.” This shift cuts both ways: as Rico points out, “technology provides new tools to prevent fraud and corruption, but also new ways to commit crimes and achieve higher levels of sophistication in cyber attacks.”

Therefore, among the tools that should be part of a comprehensive identity security strategy, this specialist includes the protection of logical and physical access through monitoring, the use of VPNs, the implementation of policies that guarantee the security of passwords, as well as two- or three-factor authentication systems for email surveillance. On the other hand, in line with resilience, he emphasizes the importance of establishing effective policies to protect against vulnerabilities, as well as procedures for recovery of operations detailed in business continuity plans.

All this without forgetting compliance with the obligations set in different regulations and specific security and quality standards, including privacy policies. Looking ahead, Rico notes, we are again focusing on “the use of AI in both offensive and defensive strategies, drones and cloud applications, in the face of an alarming shortage of security professionals globally.”

In practice, currently available tools more than meet the needs of any verification system. But as David Corral, deputy director of Cybersecurity Architecture at Repsol, points out, there is a problem: “in critical installations, it is common to find systems based on legacy technologies where it is difficult to implement all the security measures that will be used in traditional IT environments.” We see a clear example of this in the United States, where until 2019 the computer systems in its nuclear arsenal operated on floppy disks, a technology dating back to the 1970s.

Spain, benchmark in digital resilience

In Spain, the fruit of the EU’s first directive on this subject was the legislation known as the PIC Law (Law 8 of 2011), which forms the basis of the National System for the Protection of Critical Infrastructures. It is an effort that continues to evolve with later advances, positioning the country “no longer in the leading vehicle, but I dare to lead Europe,” says Francisco Javier García Carmona, a consultant and formerly responsible for information security at energy sector companies like Iberdrola. García Carmona highlights the “firm belief shared by all parties involved” as one of the success factors.

It is an opinion shared by Redeia’s José María Rico: “Spain is a reference for many other countries thanks to our experience in the fight against terrorism. But we cannot relax, as the current geopolitical context, especially the Russia-Ukraine and Middle East wars, puts the West in general, and Europe in particular, in the crosshairs of potential attacks; we do not ignore that cybercrime targeting companies, including SMEs, is increasing exponentially.”

Source: El Pais
