A handbook from the Joint Research Centre brings together scientists, experts and academia for a book that dives deep into how open public spaces can be planned and built in a more secure way, through security by design.
“Security by Design: Protection of public spaces from terrorist attacks” introduces the concept and practical implementation of building security in the design and redesign of public spaces. It does so while providing information on terrorism risk assessment, project planning and management. It proposes innovative technical solutions for the protection of public spaces against terrorist attacks. Security by design is built upon the principles of proportionality, multi-functionality, sustainability, accessibility and aesthetics. It is the complete opposite of the creation of urban fortresses.
Public spaces are vulnerable because they are open, easily accessible and attract a great number of people. They are often referred to as “soft targets”. Their vulnerability lies in the fact that they usually lack specialised protective measures and can then be attacked using simple tactics. Such targets are often chosen by terrorists willing to maximise casualties, attain media coverage and inflict fear in the population. Independent of the rarity of such attacks, their psychological, economic and political impact on society can be disproportionally high. In recent years, public spaces such as shopping centres, markets, places of worship, public transport and entertainment venues have become the target of terrorist attacks across Europe.
The action plan to support the protection of public spaces set out a concrete list of measures to pave the way for effective EU Member State cooperation in the protection of public spaces, while the 2020 Counter-terrorism Agenda for the EU focused on the support to Member States in better anticipating, preventing, protecting and responding to the terrorist threats.
In the Counter-Terrorism Agenda, the book is mentioned as a virtual architectural book on urban design, which can assist authorities in incorporating security aspects in the design or renovation of public spaces. While the handbook is not legally binding, it does contain relevant information and expert advice. It aims to help address practical concerns of integrating security measures for project teams, security operators, urban planners and anyone involved in public space projects. It will help readers answer the questions of whether and, if so, to what extent they may wish to implement protective solutions through design.
You can read the handbook to find out more on how to make public spaces not only safer but also multifunctional, sustainable, beautiful and accessible for all people.
More risk data is produced every day. However, new findings often don't make it out of the scientific silos to the broader public. In the face of false information, it is essential to find new ways of making risk information accessible to everyone.
Risk information should provide scientifically sound information, tailored to the everyday concerns of society.
Science, private sector, governments, and media need to understand each other’s interests and qualities.
A whole-of-society approach calls for all parties to communicate clearly and listen carefully.
Different stakeholders may have different priorities and angles around risk. For example, public leaders may prefer a responsive angle on manifested disasters for strategic reasons, while private developers may not want to stress risks to prevent them from raising a lot of attention.
Establishing collaboration requires dialogues between institutions. This is easily hindered by unclear distribution of responsibilities or language and jargon barriers.
5 ways to enable an all-of-society approach
To create a holistic conversation around risk, stakeholders need to develop strategies for closer collaboration. Here are five enablers that support these dialogues and facilitate effective communication:
1. Building trust
People are willing to collaborate on risk communication when strong relationships are in place. Long-standing partnerships between universities and municipalities, for example, benefit from knowing each other's objectives and differences to build trust and understand each other’s priorities.
2. Clear communication
Clear communication is key when bringing together the private sector, governments, and civil society. Only when all parties understand the different risk scenarios and risk reduction options, can they develop solutions that serve the community. "Knowledge brokers", knowledgeable in various fields, can play an important role in "translating" across sectors and aligning conversations.
3. Financing innovative collaborations
Informative, unbiased risk communication requires independent funding for thorough research and reviewing. Finance for collaboration on risk communication is increasingly important, at a time when independent media are financially constrained by the economic downturn.
4. Understanding each other's needs
Effective collaboration with the media and creative sectors is enabled if all parties understand each other’s needs. For instance, scientists who approach media with interesting stories, written in simple language, show an understanding of media timeframes and requirements. Such stories can give insight into how DRR issues affect audiences' everyday lives.
5. Creating incentives
Collaborations can flourish if they clearly benefit all practitioners and rule out reasons for mistrust. Hence, underlining the proactive position of risk communication and the increase in credibility are among the most important steps.
Political figures as well as scientists benefit from early communication, which rewards them with greater credibility and confidence.
Incentives targeting the private sector may aim at openly informing the greater public about potential risks and in return tailoring their products to meet the consumers' needs.
Within the media and creative sectors, creative and engaging programming that helps audiences feel informed and empowered to act can attract other stakeholders.
Risk communication that serves society
Risk communication should support informed decision-making. Available data needs to be translated into information and actionable knowledge.
Therefore, practitioners of diverse backgrounds need to find new ways of collaboration that highlight shared perspectives, bring together visions, and foster creativity.
Disaster risk is ultimately linked to people's everyday lives and therefore can be explored through a wide range of programming and formats. This is where all stakeholders come together; in providing scientifically sound information, tailored to the everyday concerns of society.
The National Security Agency (NSA), CISA, and the Office of the Director of National Intelligence (ODNI), published Potential Threats to 5G Network Slicing. This guidance—created by the Enduring Security Framework (ESF), a public-private cross-sector working group led by the NSA and CISA—presents both the benefits and risks associated with 5G network slicing. It also provides mitigation strategies that address potential threats to 5G network slicing.
Building upon the work published in the Enduring Security Framework’s Potential Threat Vectors to 5G Infrastructure, the Enduring Security Framework (ESF) established a working panel comprised of government and industry experts and conducted an in-depth review of network slicing, a key component of 5G infrastructure. This working panel assessed the security, risks, benefits, design, deployment, operations, and maintenance of a network slice.
For this guidance, a network slice is defined as an end-to-end logical network that provides specific network capabilities and characteristics for a user.
As with any emerging technology, with increased benefits come increased risks. This guidance intends to introduce 5G stakeholders to the benefits associated with network slicing and introduce perceived risks and management strategies that may address those risks.
The guidance builds upon ESF’s Potential Threat Vectors to 5G Infrastructure, published in 2021.
An estimated 90 per cent of the goods traded around the world travel by sea. Vital commodity flows, as well as seafarer safety, hinge on ever more sophisticated maritime communication networks.
Much of the world’s commerce would simply not be possible without the plethora of technologies making up today’s maritime communications ecosystem. These include ship stations (meaning radiocommunication equipment on board commercial, passenger or patrol vessels, etc.); coast stations that support ships at sea; as well as radar services, automatic identification, and maritime distress systems.
Although the International Maritime Organization (IMO) develops regulations for shipping, ensuring safe maritime communication largely falls to the International Telecommunication Union (ITU).
ITU Recommendations, Reports, Regulations, and databases – along with giving seafarers vital information – help safeguard the frequency bands that vessels use to navigate safely, as explained by ITU’s German Medici.
Modernizing the GMDSS
Distress, safety, and emergency maritime communications are coordinated through the Global Maritime Distress and Safety System (GMDSS), which uses terrestrial communication and satellite systems (such as those operated by Inmarsat and Iridium) to connect ships and coast stations. Discussions currently underway at ITU aim to make the GMDSS more flexible in terms of maritime safety information distribution, which in turn should open the door to new technology applications in this area, said Medici.
The GMDSS continues to evolve to improve and enhance maritime communications and safety. Satellite EPIRBs operating at 1.6 gigahertz (GHz) and using very high frequency (VHF) systems for DSC will no longer be part of the GMDSS. However, the IMO may soon allow an existing geostationary satellite system to become a new GMDSS satellite service provider, explained Medici.
In the future, seafarers will increasingly rely on communications services, such as e-navigation, which IMO defines as “the harmonized collection, integration, exchange, presentation and analysis of marine information on board and ashore by electronic means to enhance berth-to-berth navigation and related services for safety and security at sea and to protect the marine environment”. High-speed broadband connections will keep ships and shore facilities continuously updated and let mariners follow real-time data displays on the bridge.
Ships will increasingly use VHF data exchange systems that integrate data exchange, application-specific messaging, and automatic identification capabilities in the same VHF maritime band, Medici added.
Beacon detection and response
Cospas-Sarsat, a satellite-aided, treaty-based search and rescue initiative that has been operational since 1985, is now developing a second-generation beacon and medium-Earth orbit search and rescue system (MEOSAR), in which repeaters are placed on global navigation satellite system (GNSS) satellites.
The initiative brings together 45 nations and agencies to collaboratively detect and locate radio beacons activated by aircraft, vessels or people in distress.
This Cospas-Sarsat development will enable near-time global coverage of beacon localization and distress message transmission, said Medici. A new “return-link-service” (RLS) will give users a confirmation that their message was received.
Autonomous vessels on the waves
Maritime autonomous surface ships (MASS) are also on the horizon. These are ships that can operate independently (to varying degrees) of human interaction.
“In April 2022, IMO began work on the development of a regulatory framework for Maritime Autonomous Surface Ships,” Medici noted. The work aims to integrate new and advancing technologies in its regulatory framework – balancing the benefits derived from new and advancing technologies against safety and security concerns, the impact on the environment and on international trade facilitation, the potential costs to the industry, and their impact on personnel, both on board and ashore.
For the moment, these “autonomous vessels” lack specified spectrum requirements. But that may change as MASS communications requirements are identified. “The development of MASS may be supported by future ITU studies, including potential determination of their spectrum needs, and the publication of associated ITU Recommendations and Reports,” Medici concluded.
The USA's 16 critical infrastructure sectors rely on internet-connected devices and systems to deliver essential services, such as electricity and health care. These sectors face increasing cybersecurity threats—an issue on our High Risk list.
Federal agencies that have leadership roles in 3 sectors we reviewed have taken some steps to manage the cybersecurity risks posed by internet-connected devices and systems. But they've not assessed risks to the sectors as a whole. Without a holistic assessment, the agencies can't know what additional cybersecurity protections might be needed.
Cyber threats to critical infrastructure IoT and OT represent a significant national security challenge. Recent incidents—such as the ransomware attacks targeting health care and essential services during the COVID-19 pandemic—illustrate the cyber threats facing the nation's critical infrastructure. Congress included provisions in the IoT Cybersecurity Improvement Act of 2020 for GAO to report on IoT and OT cybersecurity efforts.
This report (1) describes overall federal IoT and OT cybersecurity initiatives; (2) assesses actions of selected federal agencies with a lead sector responsibility for enhancing IoT and OT cybersecurity; and (3) identifies leading guidance for addressing IoT cybersecurity and determines the status of OMB's process for waiving cybersecurity requirements for IoT devices. To describe overall initiatives, GAO analyzed pertinent guidance and related documentation from several federal agencies.
To assess lead agency actions, GAO first identified the six critical infrastructure sectors considered to have the greatest risk of cyber compromise. From these six, GAO then selected for review three sectors that had extensive use of IoT and OT devices and systems. The three sectors were energy, healthcare and public health, and transportation systems. For each of these, GAO analyzed documentation, interviewed sector officials, and compared lead agency actions to federal requirements.
GAO also analyzed documentation, interviewed officials from the selected sectors, and compared those sectors' cybersecurity efforts to federal requirements. GAO also interviewed OMB officials on the status of the mandated waiver process.
The nation's critical infrastructure sectors rely on electronic systems, including Internet of Things (IoT) and operational technology (OT) devices and systems. IoT generally refers to the technologies and devices that allow for the network connection and interaction of a wide array of “things,” throughout such places as buildings, transportation infrastructure, or homes. OT are programmable systems or devices that interact with the physical environment, such as building automation systems that control machines to regulate and monitor temperature.
Figure: Overview of Connected IT, Internet of Things (IoT), and Operational Technology
To help federal agencies and private entities manage the cybersecurity risks associated with IoT and OT, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have issued guidance and provided resources. Specifically, CISA has published guidance, initiated programs, issued alerts and advisories on vulnerabilities affecting IoT and OT devices, and established working groups on OT. NIST has published several guidance documents on IoT and OT, maintained a center of cybersecurity excellence, and established numerous working groups. In addition, the Federal Acquisition Regulatory Council is considering updates to the Federal Acquisition Regulation to better manage IoT and OT cybersecurity risks.
Selected federal agencies with a lead role have reported various cybersecurity initiatives to help protect three critical infrastructure sectors with extensive use of IoT or OT devices and systems.
Title: Sector Lead Agencies' Internet of Things (IoT) or Operational Technology (OT) Cybersecurity Initiatives
Sector (Lead Federal Agency): Examples of IoT or OT Initiatives
Energy (Department of Energy):
- Considerations for OT Cybersecurity Monitoring Technologies guidance provides suggested evaluation considerations for technologies to monitor OT cybersecurity of systems that, for example, distribute electricity through the grid.
- Cybersecurity for the Operational Technology Environment methodology aims to enhance energy sector threat detection of anomalous behavior in OT networks, such as electricity distribution networks.
Healthcare and public health (Department of Health and Human Services):
- Pre-market Guidance for Management of Cybersecurity identifies issues related to cybersecurity for manufacturers to consider in the design and development of their medical devices, such as diagnostic equipment.
- Post-market Management of Cybersecurity in Medical Devices provides recommendations for managing cybersecurity vulnerabilities for marketed and distributed medical devices, such as infusion pumps.
Transportation systems (Departments of Homeland Security and Transportation):
- Surface Transportation Cybersecurity Toolkit is designed to provide informative cyber risk management tools and resources for control systems that, for example, function on the mechanics of the vessel.
- Department of Homeland Security's Transportation Security Administration's Enhancing Rail Cybersecurity Directive requires actions, such as conducting a cybersecurity vulnerability assessment and developing cybersecurity incident response plans for higher risk railroads.
Source: GAO analysis of agency documentation │ GAO-23-105327
However, none of the selected lead agencies had developed metrics to assess the effectiveness of their efforts. Further, the agencies had not conducted IoT and OT cybersecurity risk assessments. Both of these activities are best practices. Lead agency officials noted difficulty assessing program effectiveness when relying on voluntary information from sector entities. Nevertheless, without attempts to measure effectiveness and assess risks of IoT and OT, the success of initiatives intended to mitigate risks is unknown.
The Internet of Things Cybersecurity Improvement Act of 2020 generally prohibits agencies from procuring or using an IoT device after December 4, 2022, if that device is considered non-compliant with NIST-developed standards. Pursuant to the act, in June 2021 NIST issued a draft guidance document that, among other things, provides information for agencies, companies and industry to receive reported vulnerabilities and for organizations to report found vulnerabilities. The act also requires the Office of Management and Budget (OMB) to establish a standardized process for federal agencies to waive the prohibition on procuring or using non-compliant IoT devices if waiver criteria detailed in the act are met.
As of November 22, 2022, OMB had not yet developed the mandated process for waiving the prohibition on procuring or using non-compliant IoT devices. OMB officials noted that the waiver process requires coordination and data gathering with other entities. According to OMB, it is targeting November 2022 for the release of guidance on the waiver process. Given the act's restrictions on agency use of non-compliant IoT devices beginning in December 2022, the lack of a uniform waiver process could result in a range of inconsistent actions across agencies.
FEMA has obligated $10.28 million in flood resilience projects through the Flood Mitigation Assistance Swift Current initiative. This is the first FEMA initiative funded through President Biden’s Infrastructure Investment and Jobs Act, also known as the Bipartisan Infrastructure Law.
The initiative allocates a total of $60 million to Louisiana, Mississippi, New Jersey and Pennsylvania—all states affected by Hurricane Ida—to equitably expedite mitigation grants to disaster survivors with repetitively flooded homes. The application period opened April 1, and by Aug. 1, the funding requested exceeded the amount made available through the Swift Current Initiative by over $9 million. FEMA continues to review all other subapplications submitted to the Flood Mitigation Assistance Swift Current initiative and will announce further selections in the upcoming months.
Selections include acquiring 31 flood-prone properties in New Jersey and converting land to open space while two properties in Louisiana will be reconstructed to better withstand flooding. More information about these and other selections is available on FEMA.gov.
Swift Current seeks to substantially speed up the award of Flood Mitigation Assistance funding after a flooding event and reduce the complexity of the application process. Its goal is to obligate flood mitigation dollars for repetitively and substantially flood damaged properties insured through the National Flood Insurance Program as quickly and equitably as possible after a disaster event.
The program recognizes the growing flood hazards associated with climate change, and the need for flood hazard risk mitigation activities that promote climate adaptation, equity and resilience to flooding. These hazards are expected to increase in frequency and intensity.
The European Union Agency for Cybersecurity publishes the latest report on Network and Information Security Investments in the EU providing an insight on how the NIS Directive has impacted the cybersecurity budget of operators over the past year with deep-dives into the Energy and Health sectors.
The report analyses data collected from Operators of Essential Services (OES) and from Digital Service Providers (DSP) identified in the European Union's Directive on Network and Information Security Systems (NIS Directive). The analysis seeks to understand whether those operators have invested their budgets differently over the past year in order to meet the new requirements set by the legislative text.
EU Agency for Cybersecurity, Executive Director, Juhan Lepassaar, declared: “The resilience of our EU critical infrastructures and technologies will highly depend on our ability to make strategic investments. I am confident that we have the competence and skills driving us to achieve our goal, which is to ensure we will have the adequate resources at hand to further develop our cybersecurity capacities across all economic sectors of the EU.”
Contextual parameters framing the analysis
The report includes an analysis reaching more than 1000 operators across the 27 EU Member States. Related results show that the proportion of Information Technology (IT) budget dedicated to Information Security (IS) appears to be lower, compared to last year's findings, dropping from 7.7% to 6.7%.
These numbers should be read as a general overview of information security spending across a varied typology of strategic sectors. Accordingly, specific macroeconomic contingencies such as COVID-19 may have influenced the average results.
What are the key findings?
The NIS Directive, other regulatory obligations and the threat landscape are the main factors impacting information security budgets;
Large operators invest EUR 120 000 on Cyber Threat Intelligence (CTI) compared to EUR 5 500 for SMEs, while operators with fully internal or insourced SOCs spend around EUR 350 000 on CTI, which is 72% more than the spending of operators with a hybrid SOC;
The health and banking sectors bear the heaviest cost among the critical sectors in case of major cybersecurity incidents with the median direct cost of an incident in these sectors amounting to EUR 300 000;
37% of Operators of Essential Services and Digital Service Providers do not operate a SOC;
For 69% the majority of their information security incidents are caused by vulnerabilities in software or hardware products with the health sector declaring the higher number of such incidents;
Cyber insurance has dropped to 13% in 2021 reaching a low 30% compared to 2020;
Only 5% of SMEs subscribe to cyber insurance;
86% have implemented third-party risks management policies.
Key findings of Health and Energy sectors
From a global perspective, investments in ICT for the health sector seem to be greatly impacted by COVID-19 with many hospitals looking for technologies to expand healthcare services to be delivered beyond the geographical boundaries of hospitals. Still, cybersecurity controls remain a top priority for spending with 55% of health operators seeking increased funding for cybersecurity tools.
64% of health operators already resort to connected medical devices and 62% already deployed a security solution specifically for medical devices. Only 27% of surveyed OES in the sector have a dedicated ransomware defence programme and 40% of them have no security awareness programme for non-IT staff.
Oil and gas operators seem to prioritise cybersecurity with investments increasing at a rate of 74%. Energy sector shows a trend in investments shifting from legacy infrastructure and data centres to cloud services.
However, 32% of operators in this sector do not have a single critical Operation Technology (OT) process monitored by a SOC. OT and IT are covered by a single SOC for 52% of OES in the energy sector.
Parliament and EU member states’ negotiators have agreed on new rules to make the EU’s essential infrastructure more resilient.
Negotiating teams from the European Parliament and the Council of the EU reached a deal on the resilience of essential infrastructure. The new rules would establish harmonised minimum rules to ensure that different member states classify the same providers as essential, and risk assessments for essential infrastructure to boost its resilience in the face of disruptions and hazards. The scope would be expanded to eleven sectors in total, including energy, transport, banking, financial market infrastructures, health, drinking water, waste water, food, digital infrastructure and space. At Parliament’s request, public administration was also included in the scope of the rules.
Under the new rules, critical service-providers would have to carry out risk assessments of their own and report disruptive incidents. Also, Member States would be required to adopt national strategies for boosting resilience and carry out regular risk assessments. National authorities should have the possibility to conduct on-site inspections of critical infrastructure, and introduce penalties in case of non-compliance.
To harmonise communication, each member state should designate a single point of contact to act as liaison and ensure functioning cross-border cooperation.
MEPs pushed for broader scope
In the negotiations, MEPs wished to widen the definition of essential services to also include the environment and public health and safety, which were adopted. They also managed to include consideration of rule of law in the context of resilience against threats and risks. The directive will therefore also address possible threats affecting the functioning of national systems that safeguard the rule of law.
To smoothen cross-border co-operation, MEPs wanted to lower the threshold of recognising service providers as having “European significance”. In the end, it was agreed that the threshold be lowered from ten or more member states (in the Commission proposal) to six or more, which will cover several hundreds of critical entities of European significance across the Union. At the same time, MEPs wanted to ensure coherence between the present directive and the NIS2 directive on cybersecurity.
After the vote, rapporteur Michal Šimečka (Renew, SK) said: “Against the backdrop of the pandemic and Russia’s war in Ukraine, securing Europe’s critical infrastructure has become a top priority. Today’s agreement will boost the resilience of critical entities, and as the Parliament’s lead negotiator, I pushed to include in the scope of the regulation new and vital sectors, including food production and distribution and public administration. I’m also satisfied that we retained a key provision that will allow Member States to develop a common understanding of what services are essential in any crisis scenario. We, as the Parliament, must not let fragmentation and divergence in national rules stand to weaken the resilience of European societies from increasingly frequent physical and hybrid threats.”
In the previous directive on critical infrastructures, only energy and transport were within the scope of common rules. The European Parliament called for the revision of the previous directive in a resolution on the findings of the Special Committee on Terrorism in 2018. On 16 December 2020, the European Commission published its proposal for a new directive on the resilience of critical entities.
The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the U.S. Department of State and the Spanish Ministry of the Interior, announced a joint project to develop a capacity-building tool to help countries utilize public-private partnerships (PPPs) to combat ransomware. This project was developed as part of the Second International Counter Ransomware Initiative (CRI) Summit, which was convened in Washington, D.C. The CRI is a global coalition of 36 partner nations and the European Union dedicated to confronting the scourge of ransomware.
The CRI’s Public-Private Partnership (P3) Working Group, chaired by Spain, has focused on the essential need for close collaboration between governments and the private sector to address the challenges posed by ransomware. This tool will provide much needed guidance to nations around the world seeking to develop or deepen such public-private partnerships.
“Building capacity across the world is an essential aspect of our fight against ransomware,” said Brandon Wales, CISA Executive Director. “By learning from each other—public and private sector alike—and sharing that knowledge more broadly, we can effectively protect the critical infrastructure necessary to sustain not only American society, but the global institutions and networks upon which it relies.”
“Spain has the strong conviction that this project will contribute in a decisive manner to expose the most innovative state of the art of PPP best practices to fight against ransomware,” said Guillermo Ardizone García, Political Director of the Ministry of Foreign Affairs. “Thereby, all multi-stakeholders and partners involved in the CRI will be benefited from this line of action. Spain will actively encourage state and non-state stakeholders to join in this project poised to broadly share the PPP best practices, including creative financing schemes.”
When completed, the tool will feature a series of case studies of PPPs that have been used in the counter-ransomware fight, including those pioneered by members of the CRI P3 Working Group. The tool will highlight the features that made these efforts successful and will be designed to provide practical guidance to countries looking to implement their own PPPs as part of their national counter-ransomware efforts.
To develop the tool, the United States and Spain are partnering with the Global Forum on Cyber Expertise (GFCE), a global leader in cyber capacity building that will commission experts to deliver the tool. Other CRI members have been invited to provide additional financial and practical support to the project.
With the geopolitical context giving rise to cyberwarfare and hacktivism, alarming cyber operations and malignant cyberattacks have altered the trends of the 10th edition of the Threat Landscape report released by the European Union Agency for Cybersecurity (ENISA).
The ENISA Threat Landscape 2022 (ETL) report is the annual report of the EU Agency for Cybersecurity on the state of the cybersecurity threat landscape. The 10th edition covers a period of reporting starting from July 2021 up to July 2022.
With more than 10 terabytes of data stolen monthly, ransomware still ranks as one of the prime threats in the new report, with phishing now identified as the most common initial vector of such attacks. The other threats that rank highest alongside ransomware are attacks against availability, also called Distributed Denial of Service (DDoS) attacks.
However, geopolitical situations, particularly the Russian invasion of Ukraine, have acted as a game changer for the global cyber domain over the reporting period. While we still observe an increase in the number of threats, we also see a wider range of vectors emerge, such as zero-day exploits and AI-enabled disinformation and deepfakes. As a result, more malicious and widespread attacks emerge, with more damaging impact.
EU Agency for Cybersecurity Executive Director, Juhan Lepassaar, stated that “Today's global context is inevitably driving major changes in the cybersecurity threat landscape. The new paradigm is shaped by the growing range of threat actors. We enter a phase which will need appropriate mitigation strategies to protect all our critical sectors, our industry partners and therefore all EU citizens.”
Prominent threat actors remain the same
State sponsored, cybercrime, hacker-for-hire actors and hacktivists remain the prominent threat actors during the reporting period of July 2021 to July 2022.
Based on the analysis of the proximity of cyber threats in relation to the European Union (EU), the number of incidents remains high over the reporting period in the NEAR category. This category includes affected networks and systems controlled and assured within EU borders. It also covers the affected population within the borders of the EU.
Threat analysis across sectors
Added last year, the threat distribution across sectors is an important aspect of the report as it gives context to the threats identified. This analysis shows that no sector is spared. It also reveals that nearly 50% of threats target the following categories: public administration and governments (24%), digital service providers (13%) and the general public (12%), while the other half is shared by all other sectors of the economy.
Top threats still standing their ground
ENISA sorted threats into 8 groups. Frequency and impact determine how prominent all of these threats still are.
Ransomware:
- 60% of affected organisations may have paid ransom demands
Malware:
- 66 disclosures of zero-day vulnerabilities observed in 2021
Social engineering:
- Phishing remains a popular technique but we see new forms of phishing arising such as spear-phishing, whaling, smishing and vishing
Threats against data:
- Increasing in proportion to the total of data produced
Threats against availability:
- Largest Denial of Service (DDoS) attack ever was launched in Europe in July 2022;
- Internet: destruction of infrastructure, outages and rerouting of internet traffic.
Disinformation – misinformation:
- Escalating AI-enabled disinformation, deepfakes and disinformation-as-a-service
Supply chain targeting:
- Third-party incidents account for 17% of the intrusions in 2021 compared to less than 1% in 2020
Contextual trends emerging
- Zero-day exploits are the new resource used by cunning threat actors to achieve their goals;
- A new wave of hacktivism has been observed since the Russia-Ukraine war.
- DDoS attacks are getting larger and more complex moving towards mobile networks and Internet of Things (IoT) which are now being used in cyberwarfare.
- AI-enabled disinformation and deepfakes. The proliferation of bots modelling personas can easily disrupt the “notice-and-comment” rulemaking process, as well as community interaction, by flooding government agencies with fake content and comments.
Shifting motivation and digital impact are driving new trends
An impact assessment of threats reveals 5 types of impact: damages of reputational, digital, economical, physical or social nature. For most incidents, however, the impact remains unknown because victims fail to disclose information or the information remains incomplete.
Prime threats were analysed in terms of motivation. The study reveals that ransomware is purely motivated by financial gains. However, motivation for state sponsored groups can be drawn from geopolitics with threats such as espionage and disruptions. Ideology may also be the motor behind cyber operations by hacktivists.