Cybersecurity in Italy has been making big strides forward and the month of June will mark a milestone. The first test on the security levels of networks, information systems and IT services of strategic organisations for the country will go live, commencing on 23 June. This is the first step to define and test models that will later be rolled out to other companies.
The test is part of a plan for defining the ‘National Cyber Security Perimeter’, an initiative defined in Decree no. 105, 2019. The perimeter calls for a high security level of information systems and IT services, through a series of measures designed to ensure the implementation of adequate security standards and thus reduce exposure to cyber risk.
To start with, large organisations operating in the telecommunications, energy, economic and financial fields, welfare and labour, transport, defence, internal security, space, high technology and public administration are involved in the initiative.
The organisations in these critical sectors have been chosen because damage to, or a malfunction of, their information systems could cause serious problems for the entire national grid.
It is planned that the list may be expanded in the future to include, for example, health facilities and research centres. Hospitals are often the target of cyberattacks and, to ensure their protection, the Italian government has included them in the European cyber defence rules pursuant to the European Union Network and Information Security (NIS) Directive.
Cybersecurity is currently of prime importance in Italy, as elsewhere in Europe, following a rise in attacks during the pandemic.
According to Clusit, the Italian association for cybersecurity, cyberattacks rose globally by 12% in 2020, compared to the previous year. Attacks have grown steadily over the last four years, and serious attacks have surged by 66% since 2017.
To date, the number of strategic companies identified by the government as participants in the first test amounts to about 100. During the next six months, they will have to prove they can respond adequately in the event of damage or cyberattacks.
The National Cyber Security Perimeter identifies the main areas of intervention as follows:
- The preparation of a list of all critical ICT assets, including architecture and components, its transmission to the relevant bodies, and a risk analysis
- A review of the management of suppliers and third parties, with information on the supply of ICT goods and services, and an assessment of the related risk
- The communication of incidents, within a predefined timeframe, to the Computer Security Incident Response Team, entrusted – within the NIS Directive – with supporting public and private organisations in the prevention and management of cyber risks
- The application, within six or 24 months, of cybersecurity measures in line with those envisaged in the National Framework for Cyber Security and Data Protection.
The test, slated to be rolled out in June and lasting six months, involves a census of critical ICT systems and an analysis of the related cyber risk. The adoption of IT protection measures and the reporting of incidents are also planned.
Once the system is fully operational, the law imposes, in the event of non-compliance, administrative fines (from €200,000 up to €1.8m) and penalties that include jail time ranging from one to five years. To facilitate compliance operations, sanctions have been suspended until January 2022.
The test results will provide a benchmarking model for all public and private companies, in particular for the manufacturing and service sector. It is thought that the latter sectors have adopted specific cyber risk management methods but have not attained adequate levels of security, compared with banks for example.
Enrico Ferretti, managing director of the Italian operation of Protiviti, a global audit, risk and consulting firm that is supporting some organisations ahead of the June test, believes there are still many businesses with little ability to analyse and manage cyber risk.
“The reason lies in the technological obsolescence of plants or in consolidated and inadequate operating conditions. Often, in these enterprises, the control systems are old-fashioned, technologically outdated or developed for environments with little or no exposure to attacks. The very nature of these systems often makes them incompatible with many of the standard cybersecurity measures, preventing immediate response actions,” he told CRE Italia.