What You Need to Know About National Cyber Risk Assessment 2022

June 23, 2023

What is the National Cyber Risk Assessment 2022?

Get ready to dive into the insightful National Cyber Risk Assessment 2022 report, the culmination of an extensive National Risk Assessment process. Completed in late 2022, this report was developed with the invaluable assistance of a diverse steering group comprising members from An Garda Síochána, the Office of Emergency Planning, the Defence Forces, the National Security Analysis Centre, the Central Bank of Ireland, the Commission for Regulation of Utilities (CRU), and the Commission for Communications Regulation (ComReg).

The report aims to shed light on the systemic cyber risks faced by critical services in the State. It explores a wide range of threats, including espionage, destructive cyber attacks by nation-states and criminal actors, and the disruptive activities of hacktivist groups. To enhance cyber resilience, the report presents three key recommendations. These recommendations have already been incorporated into strategic actions following the mid-term review of the National Cyber Security Strategy for 2019-2024. Stay informed and discover how these findings can help strengthen cybersecurity measures in our State.

Threat Landscape Overview -Cyber Risk Assessment 2022

Digital threats have become a permanent part of today’s society. Criminals, including ransomware operators, have escalated their attacks in recent years, as demonstrated by the 2021 ransomware attack on the HSE. Nation-state actors also continue to pose a significant threat to national security through disruptive cyber-attacks and espionage. Other actors like hacktivists, terrorists, script kiddies, and insiders have maintained a similar level of threat. Even unintentional acts, such as mistakes or environmental factors, can cause significant disruptions to critical services.

While high-profile cybersecurity incidents grab headlines, most threats in the cyber realm are chronic and pernicious, with the potential to disrupt businesses, public confidence, and public services.

The threat posed by an actor depends on their capability, intent, and activity. Capability refers to the knowledge and resources an actor possesses to carry out cyber-attacks. Intent relates to the actor’s specific objectives and willingness to compromise the security of systems. Activity refers to evidence of an actor engaging in malicious cyber activities. Even with little to no detected activity, an actor can still pose a threat if they have intent and capability.

Nation-State / State-Affiliated Threats:

Geopolitical tensions among major world powers have led to increased malign assertiveness in the cyber realm. State actors engage in cyber espionage and disruptive actions to achieve their geopolitical objectives. Trends among major state-sponsored actors include exploiting vulnerabilities, targeting critical infrastructure, and focusing on supply chain compromises. The EU and its member states have taken steps to attribute, denounce, and deter state-sponsored cyber activities.

Disruption and Sabotage Threats

State-sponsored groups are increasingly demonstrating their capabilities for disruptive operations. For example, destructive malware like WhisperGate and HermeticWiper were deployed before Russia’s attack on Ukraine, causing destruction of computer systems. State-sponsored actors also target satellite networks, government services, and critical infrastructure to create communication outages and disruptions.

Espionage Threats

Espionage by nation-state actors poses a significant threat to Western economies. Advanced Persistent Threats (APTs) such as APT27, APT30, APT31, Ke3chang, GALLIUM, and Mustang Panda have conducted malicious cyber activities against businesses and governments in the European Union. European Union has urged Chinese authorities to take action against malicious cyber activities linked to APT31, which targeted government institutions, political organisations, and European industries.

Financially Motivated Threats

State-backed groups and operators engage in cybercrime as a revenue-generating activity. Sanctions have been imposed on entities involved in cyber-attacks for financial gain. Certain threat actors, like APT38 or the Lazarus Group, motivated by financial gain, conduct cybercrime activities to circumvent sanctions.

Hybrid Warfare Threats

Cyber operations can occur alongside kinetic actions during hybrid warfare. State-backed actors continue to pursue their strategic objectives through cyber operations, including intelligence gathering, intellectual property theft, and pre-positioning for future conflicts. Adversaries increasingly target Industrial Control System (ICS) networks, taking advantage of less visibility and the rise of Industrial IoT and cloud connectivity.

Foreign Information Manipulation and Interference (FIMI) Threats

Foreign Information Manipulation and Interference threaten universal values, integrity of government procedures, and political processes. Misinformation and disinformation are intentionally spread false or misleading information. Information operations exploit societal divisions, undermine trust, and polarise societies. Hack-and-leak operations, where unlawfully obtained information is leaked, are now a common tactic.

Criminal Threats

The threat posed by criminals has escalated in recent years, especially with the increasing organisation and sophistication of ransomware groups. These groups have engaged in activities known as “Big Game Hunting,” targeting Operators of Essential Services and causing significant damage to society. Cybercriminals are rapidly catching up to nation-states in terms of hacking capabilities, making attribution more challenging. The impact of cybercrime extends beyond eroding trust in digital society, with societal and economic consequences reaching the level of national security incidents. For instance, the attack on the Costa Rican government ministries by the Conti Ransomware group led to the declaration of a national emergency. Similarly, the ransomware attack on Colonial Pipeline, a critical infrastructure provider, resulted in a state of emergency declaration by President Joe Biden.

Terrorists/Hacktivists/Script Kiddies

Following a decline in activity during the 2010-2015 period, terrorists, hacktivists, and script kiddies have witnessed a resurgence in the past two years. These actors, often operating in small groups or as individuals, initially focused on regional events and specific organisations. Their tactics primarily revolved around DDoS attacks, defacements, releasing sensitive data, and account takeovers. However, recent developments have shown a rise in hacktivist activities targeting institutions in response to social and political issues. For example, hacktivist groups have targeted US institutions over the Supreme Court’s revocation of the legal right to abortions. Additionally, the Russian-Ukrainian conflict has given rise to potent new hacktivist groups on both sides, employing offensive cyber capabilities such as large-scale DDoS attacks, ransomware, and exploiting zero-day vulnerabilities.

Unintentional Acts

While intentional threats receive significant attention, unintentional acts remain a significant risk to critical systems. These acts, which do not involve malicious intent, can cause service outages and disruptions. Human errors, hardware and software failures, and natural hazards are common root causes of critical system failures. The interconnectedness and complexity of systems exacerbate the impact of such acts, as failures in one system or network can cascade into others. Lack of proper cybersecurity measures and backup systems further contribute to the vulnerability. It is important to recognise and address these unintentional acts as they can have substantial consequences for the availability and reliability of essential services.

Rise of Supply Chain Attacks and Their Devastating Impact

Supply chain attacks are on the rise, posing a significant threat to organisations. These attacks exploit vulnerabilities in the supply chain, especially when third-party software or managed services suppliers have privileged access to an organisation’s operations. Such attacks have become increasingly attractive to threat actors, with investigations confirming that advanced persistent threat (APT) groups, often state-sponsored, conducted more than 50% of the attributed supply chain attacks between 2020 and 2021. These attacks have reached new levels of sophistication and impact, as demonstrated by the SolarWinds supply chain compromise. In this attack, the threat actors compromised widely used software, providing them with an entry point to numerous organisations, including government systems, critical infrastructure operators, and highly sensitive networks. The SolarWinds attack affected approximately 18,000 SolarWinds customers, highlighting the widespread consequences of a successful supply chain attack.

Understanding Systemic Cyber Risk: Navigating Interconnected Threats for Resilience

In an increasingly interconnected world, the evolution of cyber risks has become a pressing concern. Reports from the World Economic Forum (WEF) have highlighted the need for a resilient approach to mitigate the constantly evolving threat landscape. Cyber risks have transformed from isolated attacks on individual companies to system-wide breaches with the potential for widespread consequences. Understanding the complex interdependencies within digital operations is crucial for organisations to identify and manage these risks effectively.

National Cyber Risk Assessment and Systemic Cyber Risk Definition: This National Cyber Risk Assessment adopts the WEF’s definition of Systemic Cyber Risk, which refers to the potential cascading consequences of a cyber event within critical infrastructure ecosystems. It encompasses delays, breakdowns, disruptions, or losses that impact not only the originating component but also related ecosystem components, resulting in significant adverse effects on public health or safety, economic security, and national security. Systemic cyber risks have characteristics such as widespread consequences, impacts on entire systems, cascading and unexpected effects, and cumulative effects over time.

Challenges and Dependencies: Reliance on highly connected technology creates vulnerabilities, including single points of failure, concentrated dependencies on dominant vendors, and complex dependencies and interdependencies between infrastructures. Identifying and prioritising these dependencies is crucial for effective risk management, allowing organisations to allocate resources and mitigate operational risks. Taking a structured approach to mapping and understanding interdependencies provides a foundation for resilience and effective risk mitigation strategies.

Transitioning to a Proactive Risk Management Approach: To overcome the inherent complexity of dependencies, organisations must adopt a structured approach to risk management. By mapping and prioritizing dependencies within their operational environment, they can focus resources on effectively mitigating and managing risks. This proactive approach empowers organisations to move from a reactive stance to a resilient posture, ensuring they can withstand and mitigate the evolving cyber threat landscape.

National Cyber Risk Assessment - Interdependencies in an Industrial System

Financial Services Sector

The Importance of Payment, Clearing, and Settlement Arrangements

Payment, clearing, and settlement arrangements play a crucial role in the functioning of the financial system and the economy at large. Disruptions to these transactions can have far-reaching effects, such as impacting payroll processing, trade, and the importation of essential commodities. The consequences can extend to social unrest. Major risks in this sector include credit risk, liquidity risk, and market/business risk. Potential patterns of cyberattacks range from targeting specific institutions to coordinated attacks on global financial networks.

Transport Sector

Risks and Vulnerabilities in Transportation

The transportation sector encompasses various modes of transportation, including aviation, motorways, maritime, mass transit, freight rail, and shipping. The growing reliance on cyber-based control systems and communication networks makes this sector vulnerable to cyber threats. Potential risks include manipulation of air traffic control systems, loss of trust in road transportation due to vehicular accidents caused by hacks, accidents resulting from tampered traffic control systems, and disruption to freight movement. Systemic failures in logistics and financial payment systems can also have severe implications for the transportation sector and the wider economy.

Healthcare Sector

Cyber Risks in the Healthcare Ecosystem

The healthcare sector faces significant risks due to the production of critical patient information and reliance on key clinical infrastructure. Cybercriminals target not only patients but also healthcare providers, insurers, pharmaceutical manufacturers, and distributors. Methods of entry include phishing, laptop theft, human error exploitation, and social engineering. The 2021 Ransomware attack on the HSE highlighted the interconnected nature of the healthcare ecosystem and the vulnerabilities in critical healthcare systems. The attack disrupted day-to-day operations, leading to manual administration and clinical procedures. The long-term impact on patient outcomes is still unknown.

Energy Sector

Criticality of a Secure Energy System

A secure energy system is vital for modern societies, as it underpins the functioning of critical infrastructure across all sectors. The energy sector’s vulnerabilities, including cyber-attacks on the Ukrainian electricity grid, pose risks to the reliable supply of electricity and can have cascading effects. Industrial control systems, which control electricity and gas grids, are increasingly networked and automated. Malicious interference can disrupt energy supply, damage equipment, and cause industrial accidents. With the rise of the industrial internet of things and 5G networks, the energy system becomes more exposed to cyber threats. Specialised cybersecurity measures are necessary due to real-time requirements, the mix of advanced and legacy technologies, and the potential for cascading disruptions affecting various critical services.

The Critical Importance of Undersea Fibre Cables: Global Connectivity and Security

Undersea cables, often referred to as the “world’s information super-highways,” are responsible for carrying over 95 percent of international data. These cables offer high capacity, cost-effective, and reliable connections, playing a critical role in our daily lives. With over 400 active cables spanning 1.3 million kilometers worldwide, their security is of paramount importance. Ireland, being strategically positioned as the shortest point between Europe and North America and a major data hosting location, recognises the significance of protecting these undersea cables. While there has been media attention on threats from nation-state actors, the immediate risks stem from natural events like earthquakes and hurricanes, as well as accidental physical damage from activities like dredging or commercial fishing. Vulnerabilities above sea level, such as unmanned landing stations and known cable paths, must also be managed. EU countries, including Ireland, have acknowledged the importance of submarine cables and signed a joint declaration to designate them as critical infrastructure. Efforts are underway to map data flows, identify replacement needs, and address security risks associated with these vital international connections.

Key Insights from Survey Results on Cyber Risks and Resilience

Cyber risks are intricately interconnected with other types of risks, affecting countries, economic sectors, and individuals alike. As digital services, processes, and systems form part of the global digital domain, events like the 2008 financial crisis and the 2020 COVID-19 pandemic have demonstrated their potential for rapid and far-reaching global impact. Cyber incidents, especially when occurring at a large scale and in conjunction with other incidents, can have profound consequences. Understanding these risks and ensuring robust cyber resilience is vital across all sectors.

Interdependence and Societal Impact:

The combination of the HSE cyber attack and the COVID-19 pandemic highlighted the significant consequences that large-scale cyber incidents can have. The pandemic accelerated the digitalization of commercial, educational, and social activities, ushering in unprecedented societal changes. Consequently, a widespread digital breakdown in the post-pandemic era could cause more harm than ever before, emphasizing the need for strong cyber resilience.

Dependency on ICT:

Almost all critical processes and services are now entirely reliant on information and communication technology (ICT). With a significant reduction in analog or manual alternatives, any disruption to these systems can lead to socially disruptive damage due to the absence of fallback options.

Geopolitical Developments:

Geopolitical developments play a crucial role in shaping cyber risks. Concentration of key technology production, such as 5G communications systems, Cloud Computing, Artificial Intelligence, and Semiconductors, outside the EU creates overreliance on supply chains that can be adversely affected by factors like trade sanctions, regional conflicts, or national strategic interests.

High Dependency on Limited Providers:

A considerable dependency exists on a small number of hardware and software providers, cloud service providers, and suppliers, many of whom operate outside the State. For instance, critical services in the State rely on space-based positioning, navigation, and timing services like GPS and Galileo. While these providers have measures to protect against attacks, any disruption or compromise can lead to significant impacts. Foreign or domestic providers may also be compromised by malicious actors, knowingly or unknowingly.

Electricity and Communications as Critical NCF:

Survey results indicate that most organisations rely directly on the Energy/Electricity supply and Communications to support their operations. These National Critical Functions (NCFs) are fundamental across all sectors and their disruption can have cascading impacts on other sectors.

Supply Chain Security:

Despite the criticality of Managed Service Providers (MSPs) for NCF operators, only 66% of respondents demand specific security requirements from MSPs during the procurement process. This lack of focus on supply chain/MSP security raises concerns and highlights the need for increased attention to mitigate potential risks.

C-Suite Awareness of Cyber Risks:

There is a high level of awareness of cyber risks within the C-suite, with board members and C-level executives acknowledging the potential impact on critical functions. However, 21% of respondents indicated a lack of implementation of baseline security standards and best practices, suggesting the need for greater emphasis on embedding formal cybersecurity programs.

Dependency on Non-EU Companies:

The concentrated use of technology from a single non-EU vendor, such as Microsoft, poses dependency risks. Class failures or supply chain vulnerabilities can lead to impacts across multiple sectors and operators. Additionally, a significant proportion of organisations use cloud services provided by non-EU companies like Azure and AWS, further highlighting dependency concerns.

Adoption of Novel Technologies:

Critical entities are increasingly embracing novel technologies such as Artificial Intelligence, Big Data, 5G, and IoT. Approximately 61% of respondents plan to utilize these technologies within the next 6-24 months.