Critical infrastructure and related essential services lie at the core of our societies. They increasingly rely on digital services to improve their operational efficiency and to bring services closer to citizens. However, online connectivity also exposes them to nefarious elements of cyberspace, including criminal and state actors.
These can exploit, and have in the past exploited, cyberspace to cause mischief, collect intelligence, demand ransom, and purposefully destroy or disrupt services. When it comes to critical infrastructure, these attacks could result in a serious crisis or even lead to a kinetic conflict. As a result, both providers and users must rethink security features, protocols, and relevant regulations.
The Faculty of Social Sciences, University in Ljubljana, Government Information Security Office of the Republic of Slovenia, Euro-Atlantic Council of Slovenia, and Microsoft came together in the spring and summer of 2021 to examine the cyberthreats targeting critical infrastructure and to identify how to strengthen resilience. To this end, four webinars were organized between April and July 2021 to explore cybersecurity in the water sector (April 21), the electric power sector (May 12), the healthcare sector (June 2) and the financial sector (July 7). These were selected because of a series of cyberattacks that highlighted risks and vulnerabilities in these sectors. Since the workshops the number of attacks on these critical sectors have only multiplied.
Each of the workshops was organized around three sessions, focusing on:
• cyber threats and risks to the sectors,
• resilience and regulation, and
• the role of international law and norms.
A common framework for all the discussions ensured that similar questions were posed across the different critical infrastructure sectors, allowing us to identify similarities and extrapolate recommendations that could be applicable more broadly.
For example, key concerns that emerged included:
• increases in frequency and sophistication of cyberattacks, as well as the expanding attack surface;
• the potential for far reaching consequences of cyberattacks, given the interconnectedness of
• the lack of accountability for malicious actors, criminal or state-sponsored.
This report goes beyond the concerns to reflect practical perspectives, findings, and lessons from the
seminars. In the first part, we provide ten overarching recommendations, while the rest of the document
contains numerous sector-specific lessons and good practices. The authors of this report sought to collect
tangible outcomes and specific recommendations, but refrain from endorsing any of those in a particular