Lessons Learned: Critical Information Infrastructure Protection
eBook - ePub

Lessons Learned: Critical Information Infrastructure Protection

How to protect critical information infrastructure

  1. 92 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About this book

"I loved the quotes at the beginning of each chapter – very interesting and thought-provoking. I also enjoyed the author's style and his technical expertise shone through."
Christopher Wright, Wright CandA Consulting Ltd

Understand how to protect your critical information infrastructure (CII).

This book comes with 23 key lessons, including how to:

  • Describe the critical infrastructure service and determine its service level;
  • Identify and analyse the interconnections and dependencies of information systems;
  • Create a functioning organisation to protect CII; and
  • Train people to make sure they are aware of cyber threats and know the correct behaviour.

Billions of people use the services of critical infrastructure providers, such as ambulances, hospitals, and electricity and transport networks. This number is increasing rapidly, yet there appears to be little protection for many of these services.

IT solutions have allowed organisations to increase their efficiency in order to be competitive. However, do we even know or realise what happens when IT solutions are not working – when they simply don't function at all or not in the way we expect? This book aims to teach the IT framework from within, allowing you to reduce dependence on IT systems and put in place the necessary processes and procedures to help protect your CII.

Lessons Learned: Critical Information Infrastructure Protection is aimed at people who organise the protection of critical infrastructure, such as chief executive officers, business managers, risk managers, IT managers, information security managers, business continuity managers and civil servants. Most of the principles and recommendations described are also valid in organisations that are not critical infrastructure service providers. The book covers the following:

  • Lesson 1: Define critical infrastructure services.
  • Lesson 2: Describe the critical infrastructure service and determine its service level.
  • Lesson 3: Define the providers of critical infrastructure services.
  • Lesson 4: Identify the critical activities, resources and responsible persons needed to provide the critical infrastructure service.
  • Lesson 5: Analyse and identify the interdependencies of services and their reliance upon power supplies.
  • Lesson 6: Visualise critical infrastructure data.
  • Lesson 7: Identify important information systems and assess their importance.
  • Lesson 8: Identify and analyse the interconnections and dependencies of information systems.
  • Lesson 9: Focus on more critical services and prioritise your activities.
  • Lesson 10: Identify threats and vulnerabilities.
  • Lesson 11: Assess the impact of service disruptions.
  • Lesson 12: Assess the risks associated with the service and information system.
  • Lesson 13: Implement the necessary security measures.
  • Lesson 14: Create a functioning organisation to protect CII.
  • Lesson 15: Follow regulations to improve the cyber resilience of critical infrastructure services.
  • Lesson 16: Assess the security level of your information systems yourself and ask external experts to assess them as well.
  • Lesson 17: Scan networks yourself and ask external experts to scan them as well to find the systems that shouldn't be connected to the Internet but still are.
  • Lesson 18: Prepare business continuity and disaster recovery plans and test them at reasonable intervals.
  • Lesson 19: Establish reliable relations and maintain them.
  • Lesson 20: Share information and be a part of networks where information is shared.
  • Lesson 21: Train people to make sure they are aware of cyber threats and know the correct behaviour.
  • Lesson 22: If the CII protection system does not work as planned or give the desired output, make improvements.
  • Lesson 23: Be prepared to provide critical infrastructure services without IT systems. If possible, reduce dependence on IT systems. If possible, during a crisis, provide critical services at reduced functionality and/or in reduced volumes.

Author

Toomas Viira is a highly motivated, experienced and results-orientated cyber security risk manager and IT auditor. He has more than 20 years' experience in the IT and cyber security sectors.

In 2005, Toomas managed the creation of CERT (Computer Emergency Response Team) Estonia, and in 2007 he was a member of the team that protected Estonia from large-scale cyber attacks. He is one of the main authors of the first Estonian Cyber Security Strategy and in 2009 was appointed head of the Critical Information Infrastructure Protection department at the Estonian Information System Authority.

Toomas has managed several national-level CII projects, such as mapping, risk analysis and operators' penetration tests, and state-level emergency risk analysis and response plan development. He holds the following certifications: CISSP®, CISA®, CISM®, CRISC™, ISO 27001 CIS LI and ITIL® Foundation. Toomas is the fou

PART 1: CRITICAL INFRASTRUCTURE

CHAPTER 1: CRITICAL INFRASTRUCTURE SERVICES

‘The next Pearl Harbor we confront could very well be a cyber attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems.’4 – Leon Panetta
People have a variety of needs in their daily lives: water, food, clean air, a home and electricity. We also consume many other benefits such as transport services, communication services, television and radio programmes, medical services and banking services. Without some of them, we probably wouldn’t survive – not for long, anyway. Some services are more important to different people at different times – transport connections, communications and medical services may be more or less essential, depending on your circumstances. A common understanding of primary needs is relatively easy to achieve, but when pinpointing vital services we may often end up with different opinions. Defining such services depends on geographic location, climate, season, people’s way of life and other factors. There are services that people have become used to over decades, and their absence causes uncertainty or puts our security at risk. Mobile communication is a good example of this: it is important for people to be in contact with their loved ones, but 30 years ago we managed just fine without mobile phones. We’ve become increasingly used to them and our dependence on them has grown. Many of us feel like we can’t live without social networks.
The lines between vital, socially important and other services consumed by us cannot be clearly and unequivocally defined. From the viewpoint of protecting critical infrastructure, it is important that such services are defined and written down somewhere. Every country should have a specific law that regulates this field. Defining critical services is bound to lead to discussions and possibly arguments about whether or not a specific service is critical, or why one service is critical and another is not. Preparing the list of services is still in its early stages in terms of the entire process of protecting critical infrastructure and CII, and there is still a lot to do. The law can be amended if an important service was left out or a service that was deemed critical shouldn’t actually be regarded as such.
These critical services must be operational:
• power supply
• oil and gas supply
• water supply and sewerage
• harbours
• rail traffic
• air traffic
• data telephony
• data communication
• settlements and cash withdrawals
• law enforcement
• medical assistance.
The list is not final, and the circumstances, characteristics and needs of each country should be taken into account.
Lesson 1: Define critical infrastructure services.
4 www.huffingtonpost.com/2011/06/13/panetta-cyberattack-next-pearl-harbor_n_875889.html

CHAPTER 2: DESCRIPTION OF SERVICE AND SERVICE LEVEL

‘Critical infrastructure is vitally important to all of us because it provides the necessities: water and food; the electricity and gas; the telecommunications and broadcasting services that keep us in touch and help us to conduct our business; the health services that keep us alive; the banking and finance system that keeps our economy running; and the transport system that gets us – and the goods we need – from A to B.’5 – George Brandis
Preparing the list of critical infrastructure services described in the previous chapter is the first step. However, the list alone is not enough for planning the activities that follow. It is also important to describe the critical infrastructure services. How and on what basis can we say that a critical infrastructure service is functioning? How do we know what a specific critical service is and what characterises it? If we don’t know what a functioning service looks like, then it’s impossible for us to objectively assess whether or not it is functioning. Does a service function as needed?
Every critical service should be described. The description of a critical infrastructure service should allow the service provider, consumers and other stakeholders to understand what can and cannot be expected from the specific service. All critical infrastructure services can be characterised with different criteria and parameters. The requirements for and service level of a critical infrastructure service should also be determined. Power coming from the grid always has the same voltage and frequency, and we’re used to this. It’s possible that these parameters have been determined in regulations. Power supply companies enter into contracts with their clients. These contracts or the general conditions of services may also contain other aspects that describe the service and service level. They might contain the number to call in the event of faults, or determine how quickly the company has to react to faults, how quickly faults have to be eliminated, etc. Sometimes they state the length of a power cut beyond which the client is not charged for the service. In these cases, we can say that a service level has been determined between the service provider and the client. However, the service level of a critical infrastructure service should be determined from the viewpoint of the state.
It’s likely that there are many services that have not been adequately described and for which the necessary service level has not been determined. Or, if a service level has been determined, it was not done in consideration of the fact that the service is a critical infrastructure service and its consumers may have higher expectations regarding the continuous operation of the service.
These parameters should be determined for every critical infrastructure service:
• maximum tolerable downtime
• recovery time objective.
Maximum tolerable downtime is the downtime that an organisation, specific sector or country can tolerate. ‘Maximum tolerable’ can be defined at business, sector or country level and these could be different. A critical infrastructure service provider should follow the shortest defined downtime.
Recovery time objective is the defined time within which systems and services should be brought back up and running.
Service-specific indicators that characterise the operating level of the service must be defined for the majority of services: a minimal quantity of calls in a mobile communications network, the quantity of banknotes withdrawn from an ATM in a certain unit of time, the guaranteed minimal water pressure at specific measurement points, the minimal number of passengers served by a harbour in a certain unit of time, etc.
The above is the so-called primary requirement in the process of building a critical infrastructure protection system. We should then think about the operational needs of critical services in the event of crises of different severity and define them if possible. What are the critical infrastructure services that should definitely work in the event of a crisis and at what level should they operate?
Lesson 2: Describe the critical infrastructure service and determine its service level.
5 www.attorneygeneral.gov.au/Speeches/Pages/2014/Second%20Quarter%202014/6June2014-OpeningAddressOfTheCriticalInfrastructureResilienceConference.aspx

CHAPTER 3: PROVIDERS OF CRITICAL INFRASTRUCTURE SERVICES

‘Critical infrastructure is diverse and complex not only because of the variety of sectors it covers, from communications, emergency services, information technology to nuclear reactors and transportation systems; it is complex also due to the special nature of its ownership.’6 – Dean Thompson
Once the list of critical infrastructure services has been prepared, they have all been described and their service levels determined, the next step is to identify the providers. Critical infrastructure service providers are not only public-sector organisations. In many countries, essential elements of critical infrastructure are owned and operated by private companies. Depending on the service, market, regulations and many other factors, a service may be provided by one or several service providers. Some countries may only have one provider of a certain service if the service provider is a monopoly, or only one service provider may have the right to provide a certain service in a certain region. The number of monopolies has decreased in the past 20 or 30 years. Many countries have opened their markets in the communication and energy sectors, which in the past were often controlled by monopolies.
In the case of a monopoly when there is only one service provider on the market, this service provider must be considered the critical infrastructure service provider.
What happens when there is more than one service provider on the market? Many other factors should be considered, such as the number of clients to whom the service is provided, market share, production volume and capacity, number of clients in a certain geographic region, etc.
Which service providers will be considered critical infrastructure service providers and which ones will not? Depending on the sector, services and possible criteria for defining critical infrastructure services, as well as reaching the relevant agreements, identifying these service providers may take a lot of time.
For example, if there are many voice telephony service providers, which of them should be considered critical infrastructure service providers? There may also be situations where some providers only operate in a certain geographic region and don’t provide their service nationwide. Some of these service providers may have the biggest market share in a specific region and not provide their services in another. This means that geography must be considered when defining the criteria f...

Table of contents

  1. Cover
  2. Title
  3. Copyright
  4. About The Author
  5. Acknowledgements
  6. Contents
  7. Introduction
  8. Part 1: Critical infrastructure
  9. Part 2: Critical information infrastructure
  10. Part 3: Threats, vulnerabilities, risks, impacts
  11. Part 4: Protection activities
  12. Part 5: Protection system supporting activities
  13. Part 6: Perfecting the system
  14. Part 7: Backup plan
  15. Appendix 1: Lessons learned
  16. ITG Resources