Focus area 4 – Critical Infrastructure and essential services

This focus area investigates good practice relating to identifying and protecting Critical Infrastructures (CIs) and Critical Information Infrastructures (CIIs), and strengthening their resilience. The Strategy should recognise and promote the importance of advancing the security and continuity of CI and CII. The potential consequences of an incident impacting CI or CII can disrupt social order, the delivery of essential services, and the economic wellbeing of a country, and the Strategy should emphasize the importance of cyber risk management efforts intended to reduce the likelihood of such disruptive or destructive cyber incidents.

While there are no universally recognised definitions for the terms CI and CII, and governments need to consider which entities and services to include based on their own national risk assessment, for the purpose of this Guide these terms are defined as follows:

• Critical Infrastructures (CI) are assets that are essential to the functioning and security of a society and economy in any given nation; and
• Critical Information Infrastructures (CII) are IT and ICT systems that operate key functions of the critical infrastructure of a nation.

The concept of essential services, meanwhile, may be applied in reference to services that are essential for the maintenance of critical societal or economic activities.

In either case, a few non-exhaustive examples of these CI, CII or essential services include: energy (electricity, oil and gas), transportation (air, rail, water and road), finance and banking (credit institutions, trading venues and central counterparties), healthcare (healthcare organisations, including hospitals, private clinics, and research institutions), utilities (water and sanitation supply and distribution), digital and telecommunications (fixed and mobile telephone services and provision of internet infrastructure, such as internet exchange points (IXPs) and domain name service (DNS), among others). Definitions and designations may ultimately depend on the geopolitical, economic, and cultural characteristics of the national context.


Guide to Developing a National Cybersecurity Strategy 2nd Edition

5 – NATIONAL CYBERSECURITY STRATEGY GOOD PRACTICE

5.4.1 Establish a risk-management approach to identifying and protecting critical infrastructure and essential services

The Strategy should address the importance of protecting CIs and CIIs from cyber-related risks and devising a comprehensive risk-management approach in accordance with the Principle of Risk Management and Resilience (Section 4.6). A detailed risk assessment should guide the identification of national CIs and CIIs and essential services, whose disruption may have a serious impact on the health, safety, security, or economic well-being of citizens, or on the effective functioning of government or the economy. The Strategy should include or be accompanied by a specific list of CIs and/or CIIs and their correlation, which can be periodically reviewed and updated as necessary.

While there exist a variety of different methodologies to identify CI and CII, nations might consider applying sectoral or functional criteria, such as dependencies and interdependencies with other infrastructure and services, the scope of impact, and the relevance of the infrastructure for maintaining a minimum service supply level. In this designation and review process, the Strategy should envisage the early and ongoing involvement of all the relevant stakeholders, including public authorities and semi-public and/or private infrastructure operators.

Furthermore, a risk-based approach should be adopted to identify and prioritise the implementation of programmes, policies, and practices designed to protect and strengthen the security and resiliency of CIs and CIIs. These programmes and policies should be structured so that CI and CII meet a common baseline of security practices, while also maintaining a level of flexibility to be consistent with their own risk assessments and risk management priorities. In order to leverage existing best practices, enable domestic industry to integrate with global ICT supply chains, and avoid CI/CII interoperability issues across national borders, a risk-management approach based on well-established international standards might also be considered.

5.4.2 Adopt a governance model with clear responsibilities

The Strategy should at a high level describe the governance structure, roles, and responsibilities of the different stakeholders for CI and CII protection. As stipulated in the Principle of Clear Leadership, Roles and Resource Allocation (Section 4.8), an effective and efficient CI-protection programme requires that stakeholders have clearly defined roles and responsibilities and establish a coordination mechanism for managing ongoing issues.

CIs and CIIs are often not owned or controlled by the government, and CI and CII protection efforts generally exceed the capabilities and mandate of any single agency in a government. Thus, appointing an overall coordinator for CI and CII (cyber-)security, such as an interagency committee, can greatly assist in efforts to protect critical infrastructure.

The governance model for CI and CII protection should include the identification of government entities in charge of specific verticals, the responsibilities and accountability of operators of CIs and CIIs, as well as the communication channels and cooperation mechanisms between public and private agencies to ensure the operation and recovery of critical services and infrastructures.

The governance model should include mechanisms that ensure coordination and alignment across government entities with overlapping missions. The governance should also ensure that sectoral regulators create clear and consistent security requirements that avoid duplication of tasks and streamline important compliance efforts across both public and private sector entities.

5.4.3 Define minimum cybersecurity baselines

The Strategy should either highlight the existing or propose the development of new legislative and regulatory frameworks outlining minimum cybersecurity baselines for CI and CII operators, among others. Security baselines should address a range of high-level risk management priorities as well as more specific cybersecurity practices, such as identifying cyber risks and establishing risk management governance structures; protecting data and systems via access management protocols and other measures; monitoring digital environments and detecting potential anomalies or events; and responding to and recovering from incidents. When developing such baselines, internationally-recognised standards and best practices should be considered to ensure better security outcomes and greater efficiencies. Baselines that are relevant across sectors should be developed as a starting point, enabling greater interoperability and consistency of sector-specific practices and streamlined compliance for cross-sector functions.

The Strategy should also highlight that cybersecurity baselines should be outcome-focused to ensure greater agility over time as the risk landscape and technology continue to rapidly evolve. Articulating what organisations should aim to achieve (e.g., “control logical access to critical resources”), rather than how organisations should implement security (e.g., “utilise two factor authentication”), can allow government and industry to benefit from continuous security improvements. In addition, an outcome-based approach to the development of these baselines can be complemented by sector-specific implementation or “how to” guidance, which provides options to inform and integrate enterprise practices.

In addition to addressing a range of high-level risk management priorities, cybersecurity baselines should also include procurement requirements to ensure that ICT suppliers have adequate and auditable security measures in place.

The Strategy should support the establishment of a resilient CI and CII national environment, and prepare stakeholders to respond, mitigate, and recover from potential cybersecurity incidents. The risk management approach should encourage the adoption of crisis management processes, business continuity measures, and recovery plans.

5.4.4 Utilise a wide range of market levers

The Strategy should consider a wide range of policies to ensure that all organisations and individuals are indeed incentivised to fulfil their individual cybersecurity responsibilities, commensurate with the risks they face, in accordance with the Principle of Comprehensive Approach and Tailored Priorities (Section 4.2).

Identifying gaps between what the markets can and should drive and what the risk environment requires is a crucial step towards determining when and how to leverage the range of incentives and disincentives available to improve security. To encourage the uptake of cybersecurity standards and practices across CIs and CIIs, the Strategy should indicate that the government will consider a range of policy options and market levers at its disposal.

5.4.5 Establish public-private partnerships

The Strategy should encourage the creation of formal public-private partnerships to increase the security of CIs and CIIs. Public-private partnerships are a cornerstone of effectively protecting critical infrastructure and managing security risks in both the short and long term. They are essential for boosting trust amongst and between industry and the government.

However, establishing sustainable partnerships requires that all of the participating stakeholders have a clear understanding of the goals of the partnership and the mutual security benefits that stem from working together. Some of the areas could include: developing cross-sector and sector-specific cybersecurity baselines, establishing effective coordinating structures and information-sharing processes and protocols, building trust, identifying and exchanging ideas, approaches and best practices for improving security, as well as improving international coordination.

Further references available on page 67.
