2013 Italian Cyber Security Report : critical infrastructure and other sensitive sectors readiness : December 2013

This work gives a break down of the Italian standpoint in the context of the protection of national critical infrastructure and other sensitive sectors from cyber attacks from the legal and technological viewpoints. In particular Chapter 1 discusses the notion of critical infrastructures and cyber security in the US and the EU. It goes on to discuss the evolution and the number of cyber attacks sector by sector reported in the world and in Italy and to provide some number related to the cost of cyber crime in Italy. In Chapter 2 the Italian scenario is introduced in terms of the legislative landscape and of regulatory changes in the last decade. The chapter then analyzes the current situation of the Computer Emergency Response Teams (CERT) present in Italy. Chapter 3 gives an overview, from both a legislative and operational perspective, of the level of maturity of some developed countries (namely, France, the UK, Germany and the USA.) in protecting their critical infrastructure and other sensitive economic sectors. From this comparison, it seems Italy lags behind other developed countries in terms of implementation of cyber security strategy. Italy still lacks a clear operational directive for the creation of a national CERT which makes difficult, on one hand, assessing the exposure of Italy to cyber attacks and, on the other hand, quick and coordinated deployment of countermeasures, in particular, when advanced persistent threats are discovered. In order to conduct a deep analysis of the Italian cyber security situation, we sent an anonymous questionnaire to the four main sectors of the Italian economy i.e. public administration, utilities, large industries - sensible to the intellectual properties theft - and financial sector. Chapter 4 discusses the results of this exercise. Among other observations, the study points out that some sector is not fully aware to be a sensitive sector for cyber attack and that a breach in its information system could cause an economic/technical problem at national or EU level, that the defense measures (already employed) neglect advanced persistent threats, but that organizations have, on the average, good recovery capability. Finally, chapter 5 presents a set of recommendations for a national cyber security strategy. These recommendations span all the phases of the risk management process. In this preface it is worthwhile highlighting that the following are considered priorities: the realization of a national CERT (with a clear role and mission), cooperation among operators in the same sector and with the best sectors of academia, the conceivability of a national cyber security agency and a nationwide methodology for classifying threats. The interested reader can go through the complete list for details.