OWF cybersecurity: Ineffective protection of critical infrastructure in the Republic of Poland
By Mateusz Romowicz – legal advisor, Przemysław Niewiński – lawyer. Legal Marine
It is worth emphasizing that far-reaching cybersecurity obligations have been transferred to operators, including operators of critical infrastructure, while legislative support in this area is lacking.
It should be strongly emphasized once again that without a systemic approach to the problem of cybersecurity in the Republic of Poland, this topic will remain another sphere of both public and private life filled with dead regulations and empty declarations, which in turn may lead to the blocking of many investments, including investments in renewable energy.
Attacks in OT are not uncommon.
To mention just one example, the NotPetya worm attack affected many companies:
the manufacturer of Oreo cookies – Mondelez International Inc, which estimated losses at a 5% drop in quarterly sales of the product;
drug manufacturer Merck & Co Inc, which had to suspend the production of some drugs due to the attack;
FedEx Corp, which slowed scheduled deliveries due to the attacks;
and other lesser-known companies such as Reckitt Benckiser PLC or AP Moller-Maersk A/S.
Another attack that could have been disastrous was the attack on waterworks in Florida. In February 2021, there was a cyber attack on water utilities in Pinellas County. An unknown perpetrator broke into the waterworks and increased the concentration of sodium hydroxide a hundred times, to 11,000 ppm. With such parameters, the water would act much like a product we know as, among other things, a drain cleaner (unfortunately, its effect on humans would be even worse). The attack was stopped thanks to the vigilance of an employee who additionally secured the monitoring system, which monitored, among other things, the pH of the water.
It is also worth recalling the attack that took place in December 2015 in Ukraine, which was the first known successful attack on an energy network. Criminals broke into the IT systems of three energy distribution companies in Ukraine, temporarily disrupting the supply of electricity to approximately 230,000 consumers. According to the data, these people were deprived of electricity for a period of 1 to 6 hours.
The regulations referred to in the earlier part of this article impose an obligation to report incidents, as well as increased requirements for the management, handling and disclosure of security vulnerabilities, for testing the level of cybersecurity and for the effective use of encryption. Taking this and the above-mentioned incidents into account, the most important thing is the correct selection of tools and solutions aimed at reducing the potential for an attack to an acceptable minimum. There are many commercial solutions on the market today, but the basic principle in selecting them is to understand the technological or production process. That understanding makes it possible to separate the network into appropriate segments and to secure the network and the devices in it so that, in the event of an attack, the damage to the entire technological process and to the enterprise is as small as possible.
The most reasonable step for operators of existing or newly constructed facilities, including critical infrastructure of the Republic of Poland, is to first conduct an audit of the industrial network. Thanks to this, the operator will acquire knowledge about potential weak points and sources of threats, as well as the possible effects of an attack in cyberspace. With such knowledge, the operator will be able to select the appropriate product to ensure the most effective level of protection for production control processes.