
Traditional information security practices often fall short in Critical National Infrastructure (CNI) environments, and throughout this blog series I’ll share my insights as to why these distinctions are important.
Some key differences include:
- Prioritisation of availability
- Unique regulatory requirements
- Threat landscape
- Incident response strategies
What is Critical National Infrastructure?
You may or may not have heard the term Critical National Infrastructure (CNI). In most cases, Critical National Infrastructure refers to the people, networks, processes, facilities, systems and sites which are necessary for the functioning of the country and on which daily life depends.
One simple example is water. Water is an amenity which we as humans cannot live without - to my knowledge humans can’t survive more than four days without water (please don’t try this at home). If water supply is disrupted for even a few hours, daily life is quickly impacted. Therefore a water supplier would be included as Critical National Infrastructure.
Confidentiality, integrity and availability
Immediately after I started working on a CNI project, I noticed how the words ‘information security’ were being used. The term ‘Information Security Management System (ISMS)’ was being used across the organisation and it felt as if the traditional information security norms were being applied to CNI organisations. In reality, this may not be the most appropriate approach, as the traditional security CIA (Confidentiality, Integrity and Availability) triad has some relevance but with a different meaning.
For example, a typical ISMS would ensure the integrity of customer data is kept. However, for a CNI organisation, although the customer data is important, the integrity of configurations must be prioritised. Even small changes to the configurations of systems, including Operational Technology, can cause major chaos for the CNI organisation’s ability to provide services.
In a traditional company, the availability of data and systems is vital to ensure customers are satisfied. On the flip side, it is the availability of the service that is important in a CNI organisation, not only to satisfy the customer but also to ensure critical services in a person’s everyday life can be continued.
Therefore, it could be argued that the traditional mindset of applying information security to CNI organisations should evolve to provide cyber security.
Information security aims to ensure that information is kept secure throughout all stages of the information lifecycle, from creation all the way to deletion. Cyber security, however, aims to secure systems and their configurations. Therefore, due to the prioritisation of Operational Technology (OT) and its systems, replacing information security with cyber security would ensure CNI organisations are in the correct frame of mind to work towards achieving the security required for their organisation.
This shift in terminology may seem minor, but it represents a fundamental change in mindset. Individuals within CNI organisations would be able to think differently about how they approach protecting their systems. Instead of protecting the information they hold, they’ll be able to think ‘outside the box’ and protect the systems and their configurations.
In addition to this, the Cyber Security Management System (CSMS) has a heavy focus on protecting organisations which have significant exposure to cyber crimes. While this needs its own discussion, the cyber threat landscape for CNI organisations is much greater than that of a traditional company. Therefore, creating a framework and management system which prioritises cyber security is vital.
The key principles in a CSMS are usually to protect, identify, control and respond. This approach works extremely well for organisations which provide vital services. CNI organisations would be able to proactively plan and test all scenarios which may occur to ensure the continuity of their service. Although an ISMS still has this element, a CSMS aims to delve further and prepare organisations for all stages, with a heavy focus on ensuring the ‘response’ stage is efficient and there’d be minimal disruption to the availability of the service.
Overall, adopting a CSMS approach in CNI organisations allows for a deeper understanding of what needs protecting and works to ensure vital services are continued. A CSMS also allows organisations to work towards meeting and aligning with regulatory requirements such as the Cyber Assessment Framework. Regulatory compliance is another critical factor for CNI organisations, which I’ll delve into in my next blog.