This focus area investigates good practice relating to identifying and
protecting Critical Infrastructures (CIs) and Critical Information Infrastructures
(CIIs), and strengthening their resilience. The Strategy should recognise and
promote the importance of advancing the security and continuity of CI and
CII. The potential consequences of an incident impacting CI or CII can disrupt
social order, the delivery of essential services, and the economic wellbeing
of a country, and the Strategy should emphasize the importance of cyber risk
management efforts intended to reduce the likelihood of such disruptive or
destructive cyber incidents.
While there are no universally recognised definitions for the terms CI and CII,
and governments need to consider which entities and services to include
based on their own national risk assessment, for the purpose of this Guide,
these terms are defined as follows:
• Critical Infrastructures (CI) are assets that are essential to the functioning
and security of a society and economy in any given nation; and
• Critical Information Infrastructures (CII) are IT and ICT systems that
operate key functions of the critical infrastructure of a nation.
The concept of essential services, in turn, may be applied in reference
to services that are essential for the maintenance of critical societal or
economic activities.
In either case, a few non-exhaustive examples of these CI, CII or essential
services include: energy (electricity, oil and gas), transportation (air, rail, water
and road), finance and banking (credit institutions, trading venues and central
counterparties), healthcare (healthcare organisations, including hospitals,
private clinics, and research institutions), utilities (water and sanitation supply
and distribution), digital and telecommunications (fixed and mobile telephone
services and provision of internet infrastructure, such as internet exchange
points (IXPs) and domain name service (DNS), among others). Definitions and
designations may ultimately depend on the geopolitical, economic, and cultural
characteristics of the national context.
5.4 Focus area 4 - Critical Infrastructure and essential services
Guide to Developing a National Cybersecurity Strategy 2nd Edition
5 – NATIONAL CYBERSECURITY STRATEGY GOOD PRACTICE
5.4.1 Establish a risk-management approach to identifying and protecting
critical infrastructure and essential services
The Strategy should address the importance of protecting CIs and CIIs from
cyber-related risks and devising a comprehensive risk-management approach in
accordance with the Principle of Risk Management and Resilience (Section 4.6).
A detailed risk assessment should guide the identification of national CIs and
CIIs and essential services, whose disruption may have a serious impact on the
health, safety, security, or economic well-being of citizens, or on the effective
functioning of government or the economy. The Strategy should include or be
accompanied by a specific list of CIs and/or CIIs and their correlation, which
can be periodically reviewed and updated as necessary.
While there exist a variety of different methodologies to identify CI and
CII, nations might consider applying sectoral or functional criteria, such as
dependencies and interdependencies with other infrastructure, service,
and scope of impact, and the relevance of the infrastructure for maintaining
a minimum service supply level. In this designation and review process,
the Strategy should envisage the early and ongoing involvement of all the
relevant stakeholders, including public authorities, semi-public, and/or private
infrastructure operators.
Furthermore, a risk-based approach should be adopted to identify and
prioritise the implementation of programmes, policies, and practices
designed to protect and strengthen the security and resiliency of CIs and
CIIs. These programmes and policies should be structured so that CI and
CII meet a common baseline of security practices, while also maintaining a
level of flexibility to be consistent with their own risk assessments and risk
management priorities. In order to leverage existing best practices, enable
domestic industry to integrate with global ICT supply chains, and avoid CI/CII
interoperability issues across national borders, a risk-management approach
based on well-established international standards might also be considered.
5.4.2 Adopt a governance model with clear responsibilities
The Strategy should at a high level describe the governance structure, roles,
and responsibilities of the different stakeholders for CI and CII protection. As
stipulated in the Principle of Clear Leadership, Roles and Resource Allocation
(Section 4.8), an effective and efficient CI-protection programme requires that
stakeholders have clearly defined roles and responsibilities and establish a
coordination mechanism for managing ongoing issues.
CIs and CIIs are often not owned or controlled by the government, and CI and
CII protection efforts generally exceed the capabilities and mandate of any
single agency in a government. Thus, appointing an overall coordinator for CI
and CII (cyber-)security, such as an interagency committee, can greatly assist
in efforts to protect critical infrastructure.
The governance model for CI and CII protection should include the identification
of government entities in charge of specific verticals, the responsibilities
and accountability of operators of CIs and CIIs, as well as the communication
channels and cooperation mechanisms between public and private agencies to
ensure the operation and recovery of critical services and infrastructures.
The governance model should include mechanisms that ensure coordination
and alignment across government entities with overlapping missions. The
governance should also ensure that sectoral regulators create clear and
consistent security requirements that avoid duplication of tasks and streamline
important compliance efforts across both public and private sector entities.
5.4.3 Define minimum cybersecurity baselines
The Strategy should either highlight the existing or propose the development
of new legislative and regulatory frameworks outlining minimum cybersecurity
baselines for CI and CII operators, among others. Security baselines
should address a range of high-level risk management priorities as well as
more specific cybersecurity practices, such as identifying cyber risks and
establishing risk management governance structures; protecting data and
systems via access management protocols and other measures; monitoring
digital environments and detecting potential anomalies or events; and
responding to and recovering from incidents. When developing such baselines,
internationally-recognised standards and best practices should be considered
to ensure better security outcomes and greater efficiencies. Baselines that
are relevant across sectors should be developed as a starting point, enabling
greater interoperability and consistency of sector-specific practices and
streamlined compliance for cross-sector functions.
The Strategy should also highlight that cybersecurity baselines should be
outcome-focused to ensure greater agility over time as the risk landscape
and technology continue to rapidly evolve. Articulating what organisations
should aim to achieve (e.g., “control logical access to critical resources”),
rather than how organisations should implement security (e.g., “utilise two-
factor authentication”), can allow government and industry to benefit from
continuous security improvements. In addition, an outcome-based approach to
the development of these baselines can be complemented by sector-specific
implementation or “how to” guidance, which provides options to inform and
integrate enterprise practices.
In addition to addressing a range of high-level risk management priorities,
cybersecurity baselines should also include procurement requirements to ensure
that ICT suppliers have adequate and auditable security measures in place.
The Strategy should support the establishment of a resilient CI and CII national
environment, and prepare stakeholders to respond, mitigate, and recover
from potential cybersecurity incidents. The risk management approach should
encourage the adoption of crisis management processes, business continuity
measures, and recovery plans.
5.4.4 Utilise a wide range of market levers
The Strategy should consider a wide range of policies to ensure that all
organisations and individuals are indeed incentivised to fulfil their individual
cybersecurity responsibilities, commensurate with the risks they face, in
accordance with the Principle of Comprehensive Approach and Tailored Priorities
(Section 4.2).
Identifying gaps between what the markets can and should drive and what
the risk environment requires is a crucial step towards determining when and
how to leverage the range of incentives and disincentives available to improve
security. To encourage the uptake of cybersecurity standards and practices
across CIs and CIIs, the Strategy should indicate that the government will
consider a range of policy options and market levers at its disposal.
5.4.5 Establish public-private partnerships
The Strategy should encourage the creation of formal public-private
partnerships to increase the security of CIs and CIIs. Public-private
partnerships are a cornerstone of effectively protecting critical infrastructure
and managing security risks in both the short- and long-term. They are essential
for boosting trust amongst and between industry and the government.
However, establishing sustainable partnerships requires that all of the
participating stakeholders have a clear understanding of the goals of the
partnership and the mutual security benefits that stem from working together.
Some of the areas could include: developing cross-sector and sector-specific
cybersecurity baselines, establishing effective coordinating structures and
information-sharing processes and protocols, building trust, identifying and
exchanging ideas, approaches and best practices for improving security, as well
as improving international coordination.
Further references available on page 67.