While cybersecurity has grown into a prime sustainability concern for industries and organizations in recent years, the ongoing events in Ukraine have brought it into sharp focus around the world. Cyber activity attributed to the conflict is proliferating, with the knowledge there is more to come. This is a real and present threat to governments, businesses and institutions who now find themselves on the frontline of this cyber conflict.
This edition of our cybersecurity newsletter gives you an insight into the new European Cyber Resilience Act launched in September 2022, and what it is likely to mean for your business. We have also taken the opportunity to include a snapshot of the cybersecurity projects RHEA is working on to keep our clients and partners safe.
The New European Cyber Resilience Act – What Does It Mean For Your Business?
The European Union (EU) has long taken measures to combat cybercrime and is generally more advanced than anywhere else in the world. The new Cyber Resilience Act seeks to protect consumers and the market from cyber incidents, and is the latest move along the EU's path towards realizing its digital transformation by 2030.
The new regulation includes two guidelines: one on networks and information systems (NIS), which aims to enhance Member States' cybersecurity capabilities and promotes information sharing; and the Cybersecurity Act, which came into effect in 2021 and defined the responsibilities of the European Union Agency for Cybersecurity (ENISA).
In the regulation, it is possible to identify several essential requirements for hardware manufacturers, software developers, distributors and importers who market digital products or services in the EU. The requirements include:
An ‘appropriate’ level of cybersecurity
A ban on selling products with known vulnerabilities
Security-by-default configurations
Protection from unauthorized access
Limitation of attack surfaces
Minimizing the impact of incidents.
The initial reaction from the market to this proposed Act has generally been positive. The Act also opens new business possibilities for cybersecurity companies. A call for feedback on this legislation is open until 15 November 2022.
We strongly suggest all businesses dedicate some time to consult the Act and determine if they are compliant. If not, then they should understand what steps must be taken to reach compliance. Specialized companies such as RHEA can help bridge the gap, improving an organization’s cybersecurity posture and, at the same time, limiting the cost of compliance (or the potentially much larger cost of non-compliance).
In late 2023, RHEA will be opening its European Cybersecurity Centre of Excellence (ECCE), which will offer the full range of cybersecurity services in a purpose-built, highly secure building to protect the critical infrastructures and assets of Europe’s economic, institutional and governmental organizations.
RHEA has recently signed a contract with ESA’s Directorate of Telecommunications and Integrated Applications (D/TIA) for a specific Study related to the ESA accelerator for ‘Rapid Resilient Response to Crises (R3)’.
The R3 Study will act as an enabler for identifying the main use cases and requirements that a future integrated system will encompass in order to ensure efficient prevention and management of societal, environmental and industrial crises. It will combine multiple sources of data, both space and ground-based, and turn them into relevant and accurate information available to crisis intervention teams and stakeholders.
In this R3 Study, RHEA, together with its partners, is focusing on real-life cases that are critical from the perspective of the end-users who need timely information to adequately intervene in case of a crisis. Environmental, humanitarian, industrial and chemical ‘Seveso’ crises are therefore the focus. RHEA’s partners in the Study are Euroconsult, the Bavarian Red Cross, Centre Spatial de Liège, Public Safety Communication Europe (PSCE), VOCsens, Hellas Sat and Solvay.
RHEA System Luxembourg is leading a 3-year programme to develop and demonstrate international use cases for quantum key distribution (QKD) in operational IT environments. Supported by ESA, the consortium for the international cybersecurity project on End-to-End International Use Cases for Operational QKD Applications and Services (INT-UQKD) will use hybrid space and terrestrial fibre networks to field a testbed capability, deploying five pilot use case demonstrations between sites in Luxembourg, Belgium, Singapore, Canada and the UK.
RHEA will manage the INT-UQKD project and act as system integrator, working with POST Luxembourg, University of Luxembourg SnT, HITEC Luxembourg S.A., evolutionQ Inc. (Canada) and SpeQtral Pte Ltd (Singapore). The project is being funded through ESA’s ARTES programme and by Singapore’s Office for Space Technology & Industry.
QKD technology is expected to be the next major step in the provision of cyber-secured connectivity and end-to-end applications, with the efficacy of traditional cryptographic techniques being threatened by the emergence of quantum computing. The use of quantum keys makes it possible to verify the integrity of digital communications but requires specially equipped fibre networks and hybrid satellite-terrestrial networks for long-distance communications.
Why Cyberattacks on Space Systems are a Threat to Us All
In recent years, space and cybersecurity experts, such as RHEA, have noted a resurgence and increase in complexity of cyber threats in the space sector.
The acceleration of the digitalization of space systems, the expansion of the attack surface – i.e. the sum total of vulnerabilities accessible to a cyber attacker – and the increase in cyberattacks, have led the space sector to elevate the cybersecurity of space systems to the rank of a major priority, for both the resilience of the sector and the services that depend on it.
A cyberattack on a space system is a hostile act that undermines the security of the information provided by it – that is, the availability, integrity or confidentiality of the data it produces. A cyberattack therefore directly affects the essential mission of a space system and potentially deprives users of the ‘continuity’ of the service that the system provides.
The many actors involved across the entire lifecycle of a programme are all sources of vulnerabilities that can be exploited by attackers, whether they are state, terrorist or mafia. And as in any sector, the human factor is often the weakest link in the cybersecurity of any organization.
But unlike conventional cyberattacks, a cyberattack targeting space systems would have a major direct impact on society, given the increasing use of space technologies in our daily lives.
Rethinking cybersecurity ‘by design’
The profound transformation of the space sector's business models in recent years, with the arrival of new approaches and new players, is an opportunity to rethink cybersecurity ‘by design’. The space sector has opened up to private investment in recent years, leading to the emergence of ‘New Space’ start-ups whose disruptive codes are challenging the traditional space industry. With developments that are often more agile, more dynamic and more ‘connected’, these New Space players are also more exposed to cyber threats and often more vulnerable.
The current transformation of the industry may therefore be the saving grace that will allow players to rethink cybersecurity by integrating it into any space mission from its early conception – a necessary paradigm shift to allow the industry to fully seize the opportunities offered by digitalization while limiting the risks of a cyberattack.
Assessing Global Supply Chain Cybersecurity for UK Government
Earlier in 2022, RHEA in the UK was selected by the UK Government’s Department for Business, Energy and Industrial Strategy (BEIS) to examine how other governments provide support to industry on cyber resilience by addressing supply chain risks, with a specific focus on the energy, chemicals and space sectors. In the Supply Chain International Best Practice Research Project, RHEATECH was also requested to investigate what is considered best practice in terms of both voluntary and regulatory measures implemented globally.
Cybersecurity is one of the UK Government’s top national security priorities. BEIS works with the UK space industry, plus other government departments and agencies, and industry partners, to ensure related risks are understood and to build resilience and establish appropriate mitigations. This 4‑month project was to support this work by providing a better understanding of supply chain cybersecurity measures taken globally, including codes of practice.
RHEATECH used its knowledge and expertise in cybersecurity and supply chain management to develop a series of outputs including recommendations of best practice and case studies. Both the intermediate and final outputs of the research will be used by BEIS to inform the Department’s partnership building initiatives. It will also enable BEIS to support development of supply chain policy in the three focus sector areas and contribute to cross-government supply chain initiatives in the UK.
RHEA Cybersécurité France is exhibiting at the 7th edition of European Cyber Week taking place in Rennes, France, from 15 to 17 November 2022.
European Cyber Week assembles a French and European ecosystem of excellence and provides a forum for discussion of the operational and strategic challenges of cybersecurity. Industry experts from EU institutions and commercial organizations will discuss the new European cybersecurity policy framework.
RHEA Cybersécurité France is a joint venture between RHEA Group and Amarante, one of Europe’s leading security providers. The importance of digital technology in companies and the increase in digital threats have made cybersecurity a real issue of governance within organizations. Physical infrastructures, which are increasingly intelligent and communicating, now require cyber protection in line with new standards. Based on an end-to-end security approach, RHEA Cybersécurité France services cover every cybersecurity aspect of the target systems’ lifecycle, providing ongoing cybersecurity protection to organizations including monitoring, detection, response and investigation.