Means of transport and electricity and water networks are the most frequent targets in Spain
Cold and dark. That was what more than 80,000 people felt in Ukraine for more than six hours on December 23, 2015. A year later the same thing happened again, but on this second occasion there were 250,000 affected households. In 2017, the problem was extended to a greater number of basic services: the Kiev airport, the Government, the uranium level meter of the Chernobyl plant or the country’s banks, among other infrastructures, were harmed. Ukraine is undoubtedly the most emblematic case of how a cyberattack on critical infrastructure can disturb a country.
Ukraine is just one of the many cases in which the tricks of a hacker have ended up affecting the infrastructure of a country. The British health system, the South Korean winter games, the Japanese Ministry of Defense or several nuclear power plants in Iran have been some of the targets of attacks that have been made public. But what role does Spain play in this reality? Miguel Thomas, partner responsible for cybersecurity at Everis Aerospace and Defense, states that the country ranked third for cyber attacks received in 2018, second only to the United States and the United Kingdom.
“With the issue of Catalonia we are living a peak of intensity, especially in the websites of the ministries and in the Central Administration,” says Javier Antón, regional director of cybersecurity at Fujitsu. The National Center for Critical Infrastructure Protection (CNPIC) has quantified between January and August a total of 4,707 cyber incidents. Throughout 2018 the number was 4,728. Meanwhile, the National Cybersecurity Institute (Incibe) received 228 warnings of vulnerabilities related to the industrial sector in 2018, 29 more than in 2017. 33% were considered critical, the highest level of severity, and a 43% level tall. The most affected sectors were transport, water and energy.
“Aena, Metro or Renfe have a high level of risk within the national scheme. The blocking of terminals and control systems can cause major collapses, ”says Antonio Villaverde, head of security at Atos. And although the number of attacks may seem high, Everis believes that the reported incidents are less than reality. “Like there will be attacks that are occurring and not being detected,” adds Thomas.
“Companies avoid making these actions public, not only because of the reputational risk that a vulnerability can cause in their organization, but also because of the alarmism and insecurity they can cause in citizens,” Villaverde explains. And he gives as an example the answer that would cause to know that a hacker has taken control of a robot in a hospital operation or in insulin pumps. Something that, he says, has not happened in Spain, but in other countries.
Experts blame this increased risk on the introduction of the industrial world and critical infrastructure, previously separated from cyberspace, in the field of internet-based technologies. Being able to benefit from prediction, cost savings or increased productivity encourages companies to digitally transform their business. A situation that the CNPIC also reports.
Given this situation, the companies responsible for key infrastructures are investing great efforts to protect their assets. “We know that we can be in the spotlight of international terrorism or be victims of sabotage. Therefore, a close collaboration with the State Security Forces and Corps is essential for us ”, they point out from Iberdrola. The energy firm is in permanent contact with Incibe and the CNPIC. The group claims to receive attacks every day, but believes that the important thing is to “be prepared to detect them immediately and to avoid relevant consequences in the continuity of our facilities and services.”
But what are hackers looking for with these punches? If with the attacks on systems their objective is monetary, when they direct their efforts against industrial assets the motivations can be from geopolitical, economic or ideological, “to simple fun, revenge or competition between them”, says Rafael Núñez, ethical hacker, who is as experts who enter networks are known to look for security flaws and reveal them to companies, without harming. Núñez gained notoriety in 2001 for having broken into the website of the US Air Force. In his opinion, private firms, like the Administrations, are not prepared for cyber attacks, largely because of their increase in complexity and volume.
The greatest vulnerability comes from the human factor. “Hackers use social engineering to get relevant information and credentials that give access to systems,” explains Everis partner.
Thomas reveals that computer systems are designed to leave traces of attackers, but that when the offense is committed with credentials it is much harder to detect. That is why in cybersecurity it is essential to act in a transversal way, training people. Without forgetting, as you remember from Schneider, act with transparency and collaboration.