**3. Assess the cyber security risk in CI**

• The increased use of vulnerable ICT and OT for the monitoring and control of CI operations.

• Complex dependencies of CI/CII services and the risk of cascading failures.

• The increased dependence of industries and the population on undisturbed CI and CII services. They expect and require a high level of CI/CII resilience, basically an undisturbed service 24 hours per day, all year round. Modern societies and their populations can no longer cope with CI/CII service disruptions that affect a large area and have a long duration; citizens and businesses have no plan 'B'.

• The increased level of cyber-attacks by state actors [16] and other types of actors [17] deliberately performing (cyber) attacks on CIs and CIIs in support of their political and financial objectives. See e.g. the warning in [18].

• Vulnerabilities in commonly used ICT- or OT-applications and systems being the source of a common cause failure, e.g. a common vulnerability in a popular application may lead to vulnerabilities in many organizations simultaneously, see e.g. the Dutch national cyber security centre (NCSC) warning for a Citrix vulnerability [19].

• The high dynamics in vulnerabilities of ICT- and OT-applications and -systems.

Therefore, the analysis and mitigation of the cyber risk in CIs and CIIs pose major challenges to states and their operators of essential services.

**3.1 CI, CII and risk analysis**

Risk analysis is defined by the EU as the "*consideration of relevant threat scenarios, in order to assess the vulnerability and the potential impact of disruption or destruction of critical infrastructure*" [1]. The Council of Europe's European Centre of Technological Safety (TESEC) defines risk analysis as: "*the determination of the likelihood of an event (probability) and the consequences of its occurrence (impact) for the purpose of comparing possible risks and making risk management decisions*" [20]. Identifying the cyber threat scenarios and vulnerabilities related to CIs and CIIs is an important element of the sectoral, national, and wider CI and CII protection and resilience policies and frameworks [13, 5–7]. Managing these risk characteristics requires thorough and regular assessments of the cyber risk for CIs and CIIs, at the level of a single CI/CII operator, across a CI/CII sector, across CI/CII chains of services, and at the national level.

Risk assessment (RA) is "*the combination of vulnerability analysis and risk analysis*" leading to the "*determination and presentation (usually in quantitative form) of the potential hazards, and the likelihood and the extent of harm that may result from these hazards*" [20].

**172**

*Issues on Risk Analysis for Critical Infrastructure Protection*

Risk analysis, vulnerability analysis, and, subsequently, RA are therefore important elements of the CI/CII protection and resilience efforts. Moreover, the risk management (RM) process for CI and CII should not only cover the business perspective of the risk but should also cover the societal impact of the risk: what risk does society face when a large-scale disruption occurs? This requires RAs at multiple levels of aggregation, each with a different objective:

• An operator of essential services (CI or CII) will primarily use RA to obtain an overview of possible risk factors that can harm its business objectives and profits. Legal requirements will be a mere boundary condition to this process. The cyber risk is just one aspect which is balanced with other risk aspects such as technical failure, lack of key personnel due to a pandemic, and adverse regulation.

• An RA at the CI/CII sector level will primarily focus on the resilience and reputation of the whole sector, considering the individual mitigation measures taken by the operators within the sector. E.g. what is the risk of diminished trust by the population in e-banking?

• An RA for a specific CI or CII service which depends on a chain of intermediate services supplied by multiple service operators. The operator of the (end) service will primarily focus on the resilience of the whole service chain and the disruption risk due to failure or disruption of one or more of the intermediate services. The analysis will consider the individual resilience measures taken by the individual operators and the residual risk for the service chain.

• An RA at the national or regional level will primarily focus on risk with societal impact and will take a wider scope than just CI and CII. A national or regional RA will e.g. also consider the risk of a pandemic outbreak or a large-scale flooding and will balance the outcomes with the cyber risk to CIs and CIIs. To assess this risk, various states use a National Risk Assessment (NRA) method to establish a balanced national risk view including the cyber risk, see e.g. [3, 4, 21–23].

Due to the importance of CIs and CIIs for societies, CI and CII sectors increasingly must analyze and assess their (cyber) risk regularly and systematically based on sector-specific regulations either imposed by the national regulator, e.g. [24], or through sector initiatives, e.g. the Basel III regulatory framework for the banking sector. The implementation of the EU NIS directive as discussed above requires CI and some of the CII operators to regularly perform RAs as a basis for their cyber security measures. RM is also a key element in the NIST framework [25].

Moreover, these CI and CII operators should be prepared to perform a quick reassessment of the cyber risk, mitigations, and the residual cyber-related risk in case a new cyber vulnerability or cyber threat comes to the fore.
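The service-chain RA and the quick reassessment after a new vulnerability can be put into numbers. The Python model below is an added example, not from the chapter; the chain layout, the per-operator disruption likelihoods and the exploit likelihood `q` are assumed values. It contrasts a naive reassessment, which raises each affected service's likelihood on its own, with one that treats a vulnerability in an application shared by two redundant identity providers as a single common cause event.

```python
# Constructed toy model (not from the chapter): disruption risk of an end service
# that depends on a chain of intermediate services run by several operators.
from typing import Dict, FrozenSet, List

# Chain structure: the end service is up only if every group has at least one
# alternative up. The two identity providers are each other's "plan B".
# All names and numbers are assumed values for this example.
GROUPS: List[List[str]] = [["payment-gateway"], ["idp-a", "idp-b"], ["telecom-link"]]
# Annual disruption likelihood each operator reported in its own RA (assumed).
P_FAIL: Dict[str, float] = {"payment-gateway": 0.02, "idp-a": 0.03,
                            "idp-b": 0.03, "telecom-link": 0.01}
# Both identity providers run the same popular application: a common cause.
SHARED_APP: Dict[str, str] = {"idp-a": "app-X", "idp-b": "app-X"}


def p_chain_down(groups, p_fail, forced_down: FrozenSet[str] = frozenset()) -> float:
    """P(end service disrupted). Failures are independent, except that services
    in forced_down are taken as certainly disrupted."""
    p_up = 1.0
    for group in groups:
        p_group_down = 1.0
        for svc in group:
            p_group_down *= 1.0 if svc in forced_down else p_fail[svc]
        p_up *= 1.0 - p_group_down
    return 1.0 - p_up


def reassess_common_cause(groups, p_fail, shared_app, app: str, q: float) -> float:
    """Quick reassessment after a vulnerability in `app` comes to the fore:
    with probability q the flaw is exploited and every service running `app`
    is disrupted at once; otherwise the original independent picture holds."""
    affected = frozenset(s for s, a in shared_app.items() if a == app)
    return q * p_chain_down(groups, p_fail, affected) + (1 - q) * p_chain_down(groups, p_fail)


def reassess_independently(groups, p_fail, shared_app, app: str, q: float) -> float:
    """Naive reassessment: raise each affected service's likelihood separately,
    as if the exploit hit them independently. Overstates what redundancy buys."""
    bumped = {s: 1 - (1 - p) * (1 - q) if shared_app.get(s) == app else p
              for s, p in p_fail.items()}
    return p_chain_down(groups, bumped)


if __name__ == "__main__":
    q = 0.10  # assumed likelihood that the new app-X flaw is exploited this year
    print(f"baseline chain risk:       {p_chain_down(GROUPS, P_FAIL):.4f}")
    print(f"naive reassessment:        {reassess_independently(GROUPS, P_FAIL, SHARED_APP, 'app-X', q):.4f}")
    print(f"common-cause reassessment: {reassess_common_cause(GROUPS, P_FAIL, SHARED_APP, 'app-X', q):.4f}")
```

With these assumed inputs the redundant identity providers keep the naive figure near 4.5%, while the common cause treatment puts the chain's residual risk at about 12.8%, since one shared flaw removes the redundancy entirely.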

**3.2 Assessment of cyber risk by a single CI operator**

The basis for the protection of CI lies in a strong RA at the operator level. For RA at the company level, including CI and CII operators, many methods and standards exist. Most of these methods are in line with the ISO 31000 series of RM standards [26]. For the IT-environment, ISO/IEC 27005 [27] provides the RM and risk mitigation background as part of the ISO/IEC 27000 series, which assists organizations in implementing information security management based on a set of terms and definitions [28] and security controls [29, 30]. For the OT-environment, security control frameworks with similar security control sets

**173**

*Analyzing the Cyber Risk in Critical Infrastructures DOI: http://dx.doi.org/10.5772/intechopen.94917*