Abstract
States, organizations and individuals are becoming targets of both individual and state-sponsored cyber-attacks, by those who recognize the impact of disrupting security systems and effect to people and governments. The energy sector is seen as one of the main targets of cyber-attacks against critical infrastructure, but transport, public sector services, telecommunications and critical (manufacturing) industries are also very vulnerable. One of most used example of cyber-attack is the Ukraine power grid attack in 2015 that left 230,000 people without power for up to 6 hours. Another most high profile example of a cyber-attack against critical infrastructure is the Stuxnet computer virus (first used on Iranian nuclear facility) which could be adapted to attack the SCADA systems (industrial control systems) used by many critical infrastructures in Europe.Wide range of critical infrastructure sectors are reliant on industrial control systems for monitoring processes and controlling physical devices (sensors, pumps, etc.) and for that reason, physical connected devices that support industrial processes are becoming more vulnerable. Not all critical infrastructure operators in all sectors are adequately prepared to manage protection (and raise resilience) effectively across both cyber and physical environments. Additionally there are few challenges in implementation of protection measures, such as lack of collaboration between private and public sector and low levels of awareness on existence of national key legislation.From supranational aspect, in relation to this papers topic, the European Union has took first step in defense to cyber threats in 2016 with „Directive on security of network and information systems“ (NIS Directive) by prescribing member states to adopt more rigid cyber-security standards. The aim of directive is to improve the deterrent and increase the EU’s defenses and reactions to cyber attacks by expanding the cyber security capacity, increasing collaboration at an EU level and introducing measures to prevent risk and handle cyber incidents. There are lot of other „supporting tools“ for Member States countries, such as European Union Agency for Network and Information Security – ENISA (which organize regular cyber security exercises at an EU level, including a large and comprehensive exercise every two years, raising preparedness of EU states); Network of National Coordination Centers and the European Cybersecurity Industrial, Technology and Research Competence Centre; and Coordinated response to major cyber security incidents and crises (Blueprint) with aim to ensure a rapid and coordinated response to large-scale cyber attacks by setting out suitable processes within the EU.Yet, not all Member States share the same capacities for achieving the highest level of cyber-security. They need to continuously work on enhancing the capability of defense against cyber threats as increased risk to state institutions information and communication systems but also the critical infrastructure objects. In Southeast Europe there are few additional challenges – some countries even don't have designated critical infrastructures (lower level of protection; lack of „clear vision“ of criticality) and critical infrastructures are only perceived through physical prism; non-EU countries are not obligated to follow requirements of European Union and its legislation, and there are interdependencies and transboundary cross-sector effects that needs to be taken in consideration. Critical infrastructure Protection (CIP) is the primary area of action, and for some of SEE countries (like the Republic of Croatia) the implementation of cyber security provisions just complements comprehensive activities which are focused on physical protection.This paper will analyze few segments of how SEE countries cope with new security challenges and on which level are they prepared for cyber-attacks and threats: 1. Which security mechanisms they use; 2. The existing legislation (Acts, Strategies, Plan of Action, etc.) related to cyber threats in correlation with strategic critical infrastructure protection documents. Analysis will have two perspectives: from EU member states and from non-EU member states point of view. Additionally, for EU member states it will be analyzed if there were any cyber security legislation before NIS directive that meets same aims. The aim of research is to have an overall picture of efforts in region regarding cyber-security as possibility for improvement thorough cooperation, organizational measures, etc. providing also some recommendations to reduce the gap in the level of cyber-security development with other regions of EU.
Highlights
From supranational aspect, in relation to this papers topic, the European Union has took first concrete step in defense to cyber threats in 2016 with „Directive on security of network and information systems“ (NIS Directive) by prescribing Member States to adopt more rigid cyber-security standards
It is important to emphasize that the security system includes physical protection, and protection of data and information systems and full implementation of adequate information security policies, as well as the protection of the cyber space in which they originate and transmit different types of data
There is a call for proposal under the Horizon 2020 Programme, called “Prevention, detection, response and mitigation of combined physical and cyber threats to critical infrastructure in Europe“ where SEE countries already participate in projects: SATIE - Security of Air Transport Infrastructure of Europe (Croatia), InfraStress - Improving resilience of sensitive industrial plants & infrastructures exposed to cyber-physical threats (Slovenia) which is especially interesting because of open testbed stress-testing system as a concrete activity under project implementation
Summary
Referring to the document of the Government of the Republic of Croatia from the introductory part of this chapter (which assesses the current situation (state -of-play) and presents the basic issues that need to be regulated by law), and which was made shortly before the adoption of the Act on the Cyber Security of the Key Service Operators and Digital Services Providers that implemented the NIS directive, it is evident that the importance of the European legislative framework has been understood with the full intention of implementation. It identifies eight IT critical infrastructure sectors and brings critical information and technology infrastructure definition, as the „information systems whose disruption or destruction could jeopardize life, health, safety of citizens and state functioning or from whose functioning depends public activities“ (Government of the Republic of Montenegro, 2017:14) It includes provisions on: Modern risks, threats and challenges; Retrospect (from the first Cyber Security Strategy until today); National organizational structure; National cyber defense, including cyber capabilities, critical IT infrastructure, inter-institutional cooperation, data protection, education, public-private partnership, regional and international cooperation; and Monitoring. Since the law is newly adopted, we can conclude that the system of critical infrastructure is still under the development in Montenegro, and the applicability of presented framework could not be analyzed – procedures for CIP yet needs to be evolved
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
