What are the reasons behind this and what are the implications for cybersecurity departments?

What current threat scenarios and attacks do cybersecurity professionals need to be prepared for in order to protect the ongoing digitalization in their company?

For this interview, we spoke with Roman Haltinner, Partner and Cybersecurity Competency Leader at EY in Switzerland.

Why is critical infrastructure increasingly becoming a target of cyber attacks?

The number of cyber incident reports received by the National Cyber Security Centre NCSC, which has a special focus on critical infrastructure, is currently at a high level, averaging 700 reports per week. With regard to our customers in critical infrastructure sectors, we attribute this development to increased cyber attack detection capabilities, but we also fundamentally perceive an increase in cyber attacks. Furthermore, we notice that actors are innovating and using ever new attack scenarios and vectors to achieve their ultimate goal: the highest possible profit with the least possible effort, whether through extortion, by selling information or simply by generating attention.

Which sectors are most exposed to cyber attacks: authorities, companies or private individuals?

The focus of cyber criminals is basically everyone who is not sufficiently protected and offers entry gates due to vulnerabilities, regardless of whether the target is a public authority, a company or a private individual. However, in order to be able to protect and respond appropriately, it is basically necessary to distinguish and understand which actors have which motivation and possibilities to successfully carry out a cyber attack.

In addition to the quantity of attacks, has the quality also changed?

There is the issue of asymmetric attacks. Simply put, cybersecurity has to protect the entire company, while attackers focus on one or more vulnerabilities. The attackers also know how to take advantage of technological progress and thus increase their advantage. It is therefore becoming more and more difficult for defenders to keep up with growing cyberattacks and take effective measures. Cybersecurity must think comprehensively and in a networked way about how it can protect the interests of employees, customers, suppliers and partners.

What does this mean in concrete terms for critical infrastructures in our country?

Critical infrastructures do not only manage information with conventional IT, they also operate production facilities and manage supply chains that must be viewed and protected in technologically different ways. As a result, the attack surface increases and involves a complexity that in some cases requires new cyber capabilities to implement their concepts.

What role do political motives play in connection with critical infrastructures, and to what extent is Switzerland affected by such attacks?

Switzerland is and has always been interesting for foreign intelligence services. Their activities have shifted strongly into cyberspace over the years. Just think of the financial center, international organizations and the defense industry. Let us take the example of the announcement that the Ukrainian President would address the Parliament. In response, pro-Russian hackers tried to paralyze the websites of the Parliament and the Federal Administration in order to further fuel the debate about the right stance for Switzerland.

But what makes Switzerland interesting in a possible geopolitical scenario is its central location in the heart of Europe. In the medium term, geopolitical scenarios should be considered in terms of the power grid, transport network, etc., as explained in the latest reports from the Federal Intelligence Service.

The latest EY study on the subject shows that cyber executives today are not satisfied with their cybersecurity. Why is that?

For many companies, digitization has only just begun. These are struggling with visibility into existing business processes, infrastructure and legacy issues. From a cybersecurity perspective, ongoing digitization means constant change to the existing system landscape. The impression of not being able to keep up with this accelerating development is causing frustration among cyber executives. Today’s defensive measures are often designed in such a way that, in the event of an attack, they cannot even be managed with the available resources, and it is often the case that a cyber incident is a trigger towards more cyber security in a company.

Are companies thinking broadly enough about how to protect the interests of employees, customers, suppliers and partners?

Some companies live cyber security from the very beginning. But there can still be gaps in their defense mechanism. The reason is often a supplier who has not implemented the same security standards as the company. Cyber security has not yet been fully thought through in most companies. Effective cyber defense includes employees, customers, suppliers and partners.

How do you effectively protect against active attackers?

One of the most important security skills is recognizing that an attack is taking place. The goal is to quickly identify what exactly is happening and to take measures to limit the damage. Today, it is generally assumed that attackers will succeed in penetrating a network. Therefore, it is important to secure as well as possible all areas that require special protection. Moreover, it is also important to be able to restore or repair these areas as quickly as possible. It is a matter of creating a fundamentally existing resilience in the system, of bringing resilience to the infrastructure. And that requires new, comprehensive concepts that extend far beyond cybersecurity and cover different areas of the company to achieve reliability.

Can a well-managed security incident foster trust?

Especially in critical infrastructure it is always assumed that security incidents lead to negative publicity and a loss of trust. However, if security incidents are handled with full transparency and communicated to the public – along with published mitigation plans and quick action – values such as transparency, adaptability and resilience can be added to promote trust and perception, rather than suffering long-term bad press and political debates. Security will never be 100% effective, and society is beginning to accept this fact and respond positively to a security breach if it is handled in the right way.