Publication

The GFCE-MERIDIAN Good Practice Guide on Critical Information Infrastructure Protection for Governmental Policy-Makers

About

Publication date: 2017

Author: Global Forum on Cyber Expertise (GFCE) Foundation

Critical Information Infrastructure Protection (CIIP) is a complex but important topic for nations. Societies at large critically depend on the proper functioning of their Critical Infrastructure (CI) services such as energy supply, telecommunications, financial systems, drinking water, and governmental services. In turn, these CI often critically depend on the proper functioning of Critical Information Infrastructures (CII). CII comprises both the critical information and communication infrastructures (e.g. mobile telephony and internet services) and critical information and communication systems that are part of each of the CI. These include control systems that monitor and control critical cyber-physical processes (e.g. remote operation of oil pipeline valves) as well as administrative and logistic systems.

The need for CIIP is becoming increasingly prominent. The risk to society due to insufficient protection and measures increases by the day. As information and communication infrastructures become globally interwoven, a nation’s CII may be a target for malware, hackers, hacktivists and adverse state operations. At the same time, the nation’s CII can become a means for attacking other nations’ CII. Through a threatened CII, the proper and undisturbed functioning of the CI may be at risk, and through that, one’s society, economy, and daily life could also be at risk. Moreover, the global interconnectivity of CII means that a vulnerable CII may become the weakest link and thereby a risk to the CII of all other nations of the world.

A number of nations are on the path of Critical Infrastructure Protection (CIP) but have difficulties in progressing with CIIP. Other nations are at the very start of their combined CIP – CIIP journey. A set of nations have already progressed on that path and may have experienced pitfalls and developed good practices. In order to raise the protection barriers and to progress on the CIIP path, the Meridian Process and the Global Forum on Cyber Expertise (GFCE) jointly took the initiative to develop this good practices guide on CIIP for national CI and CII policy-makers. Moreover, these good practices may be of use to nationally and internationally operating CI operators. This guide is intended to assist nations which are at the very start of their journey, but also nations whose journeys are underway. We realise that each nation has a different legal and regulatory structure, a different style of governance over CI and CII, a different adaptation level of information and communication technologies (ICT), a different culture, and so on. These good practices are not chiselled in stone. They are meant to inspire the reader. In the application of a good practice, there may be a need to tune the approach to fit each national need.