It is not only in Europe that the risks of digitization and the linking of systems have long been recognized. Laws and strategies are developed and implemented around the world to guarantee the security of critical infrastructures.
Nowadays, hacking is no longer limited to just one device or system. Such an attack is now able to compromise the entire infrastructure of an operator or a company. Thanks to the increasing level of connectivity between networks and devices, intrusion into a system means that not only espionage is a distinct possibility, but also the manipulation and impairment of all systems. Not only does this have a drastic impact on a particular site, but it can also have a negative impact on the health, safety and security of a population, along with entire economic systems.
A brief view on critical infrastructures in the world
USA
In America, efforts to protect critical infrastructure have been pursued since 1996. In 1998, a presidential directive was issued, classifying certain areas as critical for national security and the economy. The Patriot Act, passed in 2001, extended the definition of critical infrastructure to include systems and facilities, both physical and virtual, which are important to the country. The NIST Cybersecurity Framework was published in 2014, which contains numerous guidelines relating to critical infrastructures.
In the United States, CISA is responsible for protecting the country’s critical infrastructure from physical and digital threats. It is responsible for ensuring effective coordination and collaboration between a wide range of companies and areas. CISA’s National Cybersecurity and Communications Integration Center (NCCIC) provides round-the-clock analysis, incident response, security assessment, and cyber-response capabilities to the federal, state and municipal governments, as well as the private sector and international partners.
Switzerland
In 2012, the Swiss Federal Council adopted a national strategy for the first time to protect critical infrastructures. It listed 15 measures aimed at strengthening Switzerland’s resilience with regard to critical infrastructures. On December 8, 2017, the Federal Council adopted a new version of the 2018 – 2022 national strategy to protect critical infrastructures.
The spectrum of critical infrastructures comprises a total of nine areas, divided into 27 sectors. The inventory identifies individual critical infrastructure elements that are of strategic importance. In principle, all elements such as operating companies, IT systems, facilities, buildings, etc., are considered part of the critical infrastructure providing services in one of the 27 sub-sectors, regardless of their criticality. On the one hand, these are important buildings and facilities, such as central junctions for the supply of electricity, telecommunications (Internet), or the national road network. On the other, new items should include important IT systems, such as those for managing the power grid or rail traffic, as well as important operating companies that are identified and recorded in the inventory. What is classified as critical infrastructure is only accessible to authorized bodies (federal state, cantons and operators) as a basis for planning and prioritization in respect of risk management and event management.
Israel
Israel pursues a centralized regulatory approach to critical infrastructure that defines critical infrastructure and stipulates requirements. As early as 2002, Israel began developing and implementing a national policy within the framework of a resolution of the National Security Ministerial Committee, which listed certain computer-assisted systems considered essential as having a protective or monitoring value. This meant that the country had developed a unique legal and regulatory model to protect critical infrastructures. The Israeli approach also allows for cooperation between the public, security, academic and private sectors.
The Israel National Cyber Directorate is responsible for all aspects of cyber security, from policy formulation and technology building to operational defense and improving resilience. The department also offers advice for critical infrastructures and for the Israeli economy. Regulated entities include ministries, government agencies, exchanges and banks, selected defense industries, gas, energy and water companies, hospitals, communications service providers, and national transport companies. There are binding information security and cyber security guidelines for critical infrastructures, but these are not published.
Japan
As Japan prepares for the Tokyo 2020 Olympic and Paralympic Games, more attention has been paid to cyber security in view of the increased number, frequency and complexity of cyber attacks. This was taken as an opportunity to pay more attention to the security of infrastructure areas and data-dependent networks, as well as the Internet of Things, IoT.
Japan’s critical infrastructure is divided into 14 areas that can have a serious impact on the lives of the population and their socio-economic activities if they fail. These include information and communication services, energy, finance, government, logistics, and healthcare.
The government-run IPA (Information Technology Promotion Agency) founded the Industrial Cyber Security Center of Excellence (ICSCoE) in April 2017. The aim is that, by 2020, it should have strengthened Japan in such a way that critical infrastructures can be effectively protected. Japan is thereby attempting to close a security gap, as there have so far been no serious security solutions in place to protect industrial management systems. In order to protect critical infrastructures against attacks in the best possible way, the IPA is divided into research and active prevention.
Potential threats, attacks or failures must be reported to the NISC, the National Center of Incident Readiness and Strategy for Cybersecurity.
Canada
Canada’s national strategy is based on the principles of the Emergency Management Framework for Canada, which sets out the various interest groups of the Canadian emergency management system that must be involved in order to improve security for the population.
The National Strategy and Action Plan for Critical Infrastructure sets out a risk-based approach to strengthening the resilience of Canada’s critical infrastructure, such as our food supply, power grids, transportation, communications, and public security systems. As the risk environment is constantly evolving, the security strategies are also adjusted and adapted accordingly. For example, the action plan is regularly expanded to include ever-changing threat scenarios, known vulnerabilities, and possible avoidance strategies. Public Safety Canada is working to promote the protection of critical infrastructure in accordance with what is required by law. Canada has identified ten sectors as being important for the country’s critical infrastructure. In view of the ever-advancing level of networking among critical infrastructure, implementing the measures not only involves government and interest groups, but also owners and operators, law enforcement agencies, and research and development institutions. Building on this approach, Public Safety Canada works with its partners to manage risks, reduce vulnerabilities, and strengthen the resilience of critical infrastructure.
Australia
Australia reviewed its critical infrastructure protection arrangements as early as 2009. The review showed that there was a need to improve resilience and risk management in these areas in order to be able to continue providing essential services in the future.
Australia has set up its own Critical Infrastructure Centre in the Ministry for Home Affairs and, in 2018, passed the Security of Critical Infrastructure Act including compliance strategies. The dedicated Critical Infrastructure Centre coordinates the management of complex national security risks for Australia’s critical infrastructure. The focus here is on the risks of sabotage, espionage, and coercion in the areas of telecommunications, electricity, gas, water, and ports. Critical infrastructure is considered to be any physical facilities, supply chains, information technologies, and communications networks that support the functioning of the Australian society and economy and are an integral part of the nation’s prosperity. This includes the provision of basic services such as food, water, transport, healthcare, energy, communications, transport, and banking. The strategy for protecting critical infrastructure is based on experiences gained to date and on international best practices.
The Critical Infrastructure Centre works with owners, operators, and government and territorial regulators to identify and mitigate threats posed to the most high-risk assets. In 2020, both the strategy and its success will be subject to a comprehensive review to evaluate the measures implemented to date.
Assessing OT risks
The security risks critical infrastructures face are becoming increasingly complex and continue to evolve. The ever-increasing degree to which critical infrastructures are networked, along with the growing dependence on global supply chains, are also increasingly becoming the focus of attention.
How individual countries determine what is critical infrastructure often varies only to the extent of the details provided. However, many experts still complain that, although the risks and susceptibility are recognized, the protection provided for Operational Technology in particular is hardly ever implemented. For this, a best practice approach would be ideally suited to determine OT cyberrisk tolerance and measure performance against it. Raising general levels of awareness, providing training, and exchanging information as regards threats and technical information are also on the agenda.
There is also a need to prioritize resources in order to focus on security and implement appropriate measures. After all, the greater the advantage that attackers have, the greater the threat.