‘Large part of vital sector vulnerable to cybercriminals’
A large part of the companies and organizations that are active in the critical infrastructure are unnecessarily vulnerable to hackers and cybercriminals. Forty-three of the hundred companies surveyed did not optimally protect their e-mail system against phishing, spoofing and ransomware. These include banks, energy producers and drinking water companies.
This is apparent from research by the television program Zembla and the Internet Cleanup Foundation, a non-profit organization that maps the state of cybersecurity of Dutch authorities.
Nuclear safety not at stake
One of the companies that do not secure its e-mail system properly is the nuclear power plant in Borssele. A spokesperson for the operator of the exchange (EPZ) acknowledges that the e-mail system is not optimally secured, but says that it is “well able to resist cybercrime and to monitor it permanently”. At the same time, he says that the nuclear power plant’s safety measures are ‘more robust’ than the screening of Zembla and the Internet Cleanup Foundation shows. The security of the e-mail system has now been tightened.
Furthermore, the spokesperson emphasizes that no vital control system of the exchange is connected to the internet. “Controlling the nuclear process and operating the reactor is done with analogue technology, which is insensitive to digital disturbances. Disruption of ICT systems around the nuclear power plant, therefore, has no influence on the availability of the operating instruments. After all, these are completely separate from ICT management,” says EPZ. The nuclear safety of our country is not at risk, in their own words
Aviation sector in ‘final phase’ to improve email system
The aviation sector also scores poorly. Cyber security is not in order at KLM, Schiphol and Air Traffic Control the Netherlands. And that while there have been concrete attempts by cybercriminals to hack into computer systems. KLM continuously monitors security risks and tries, for example, to prevent, detect and, where possible, immediately mitigate cyberattacks, (spear) phishing, CEO fraud, spoofing and malware aimed at or on behalf of KLM. of the airline.
KLM and Air Traffic Control the Netherlands say they have taken measures to improve the security of the e-mail systems. The final steps are currently being taken to realize this: the implementation is in the ‘final phase’. Schiphol is looking at whether the e-mail system can be further refined.
A lot of work to be done in the safety regions
When asked by Zembla, the security regions say that they are part of the national crisis structure, but that they do not formally belong to the vital sector. They say that they give priority to information security on their own initiative: the regions have set up the information security department for this purpose. In Brussels, legislation is currently being drawn up to make the security regions part of the vital infrastructure.
The security regions have stated that they have been giving top priority to cybersecurity for a number of years, but that they are often confronted with a complex ICT landscape’. Research by Zembla and the Internet Cleanup Foundation shows that there is still a lot of work to be done. Of the twenty-five security regions in our country, thirteen have not properly secured their e-mail against phishing and other digital threats. “Improvement takes time”, according to the safety regions. Additional security measures will be taken in the short term.
Energy sector focuses on training employees
TenneT, the national grid operator of the high-voltage grid, says that they monitor its systems and the grid 24/7 and check for any threats. All five thousand employees are actively trained to make the company more resilient against cybercriminals. “In practice, we also have to deal with the fact that a wrong link is clicked or that an infected file is opened,” acknowledges the network operator. The company says it has well-secured systems, sound security processes and well-trained people so that outside attacks do not lead to further damage.
Vattenfall acknowledges that the security of its e-mail system is not optimal, but says that it is busy with this. In response, the energy company says it uses ‘advanced systems and protocols to protect the organization against phishing attacks.
About the importance of proper email system protection
The results of the research by Zembla and the Internet Cleanup Foundation are important. Email phishing is one of the main weapons hackers and cybercriminals use to install ransomware. Since the companies in the study are part of the critical infrastructure, it is essential that the protection of their e-mail systems is in order. If not, Dutch society could be seriously disrupted, the National Coordinator for Security and Counterterrorism (NCTV) warned in the report Cyber Security Assessment Netherlands 2021 last spring.
Broadly speaking, companies and organizations can take three main measures to protect their email systems. Sender Policy Framework (SPF) is used to authenticate the sender of an email. It tells whether a mail server is authorized to send emails for a specific domain. DomainKeys Identified Mail (DKIM) is an email authentication technique that prevents emails from being forged. Domain-based Message Authentication, Reporting and Conformance (DMARC) is an authentication protocol that protects email domains from unauthorized use. Thirty-four of the forty-three companies where e-mail security is not in order, promise to tighten the protection towards Zembla and the Internet Cleanup Foundation.
In addition to the sector, the government is also doing its best to increase the cyber resilience of the business community. Former State Secretary for Economic Affairs and Climate Policy Mona Keijzer has made an amount of three million euros available for the coming three years. Both vital and non-vital companies and organizations can submit ideas on how they think they can increase digital resilience in their sector. An amount of 200,000 euros is available for each plan. The Digital Trust Center (DTC) manages and distributes the funds.
Catch up on more articles here
Follow us on Twitter here