**6.1 Trends and developments in CIIP**

CIIP is an ongoing challenge for governmental policymakers and political leadership. Effective CIIP requires a constant assessment of future technological developments and keeping track of the dynamics in the ICT and OT domains. The increasing use of ICT and (embedded) OT to monitor and control critical and complex cyberphysical systems means that most CI have CII components or are slowly transforming into CII. Meanwhile, the cyber security of OT is lagging far behind that of ICT despite specific cyber security good practices and standards [32, 55]. However, the IEC 62443 framework on Security for industrial automation and control systems has recently been extended with a part on RA [31].

Developments in ICT and OT and their interrelationships continuously alter the nature of CI and CII, for instance big data, smart energy grids, autonomously driving vehicles, 5G, e-health monitoring, and remote robotic surgery. Keeping track of the dynamically changing cyber risk landscape for CI and CII is therefore a challenge. Chapter 6 of [56] states that the "*continuous developments in digital technology require states to keep track of the changing risk landscape and to review CIIP policy accordingly*". Moreover, Chapter 4 of [11] states that "*Horizon scanning strengthens CIIP policy as it enables nations to proactively signal and assess developments in technology, and to act when new technology reaches the potential to become part of the national CII.*"

Nevertheless, it is difficult to recognize developments in the criticality of information infrastructures because the hyper-connectivity of modern technologies may suddenly alter existing dependencies and introduce new dependencies within CIIs and between CII and CI. Dependencies may shift in unforeseen ways due to the unanticipated adoption of traditional or seemingly unimportant information infrastructure elements. Such changes may, on the one hand, cause other information infrastructure services to become critical to a state and, on the other hand, cause the criticality of existing CII elements to disappear over time [57].

Similarly, unexpected changes in company policy may affect CI/CII incident response and recovery plans for ICT and OT operations. Consider an organization's green policy to replace all vehicles with e-vehicles. Existing incident response and recovery plans which dispatch repair trucks and their crews over long distances during a long power disruption will fail when no special provisions are made for recharging during non-normal modes of operation, and this will delay the recovery of CIs/CIIs.

Mass adoption and integration of new technologies such as the internet of things (IoT), the industrial internet of things (IIoT), the internet of medical things (IoMT), robotics and artificial intelligence may, besides changing the nature of CI and CII, also increase the risk of cyber and hybrid attacks on CII [34, 35]. Ecosystems of hundreds of thousands, if not more, of poorly secured internet-connected devices may fall victim to cyber criminals. Their combined power may be used to attack CI, CII and life-essential devices, e.g. by denial of service attacks and the spreading of malware [58]. CI/CII operators and states should be aware of this risk in time and take precautionary actions. For instance, smart grid technologies are fundamentally changing the energy sector and may introduce new CII elements at the national level. With the advancements in sensor, actuator and wireless technologies as well as the global internet, the usage of OT expands rapidly towards IIoT. The need for cyber security by design in new technological developments such as robotics and AI is most often an afterthought. This increases the cyber risk to CI, CII and humans, e.g. the use of robotic equipment such as vehicles and human assistants in dangerous CI environments [59]. Moreover, new technologies enter the organization via the backdoor and become part of CI/CII services before the cyber risk is assessed and mitigated in a proper way.

**6.2 Laws and regulations**

The global cyber risk drives states to develop strategies, laws and regulations to get more grip on the cyber security risk to their state. Apart from the European general data protection regulation (GDPR), which came fully into effect in all EU Member States on May 25, 2018 [60], CI and some CII operators may be designated as an operator of essential services (OES) or a digital service provider (DSP) as a result of the national law and related regulations which implement the EU NIS directive [13]. Whether one is designated as an OES or DSP depends on the service(s) provided, the size of the operations, the number of customers, the area served, and the level of criticality as laid down in national ruling. One requirement is that the OES or DSP shall notify the competent authority or the CSIRT with national authority without undue delay of any incident having a substantial impact on the provision of services. Moreover, national law may oblige notification by an OES to the 'CI stovepipe' responsible ministry or regulator. In case personal data is involved, the GDPR notification is required as well. Non-compliance with the law may result in a huge fine.

Reporting cyber incidents may lead to more transparency on the actual level of the cyber risk and may lead to more awareness among operators and policymakers of the risk that cyber threats and vulnerabilities pose for society.

### **7. Conclusions**

Analyzing the cyber risk in CI and CII firstly requires the identification of CII using a set of (nationally) established criteria. RA for CI and CII may take place at multiple levels: by the organization of the CI/CII operator, by the CI/CII sector, nationally across all CI/CII sectors, and along the critical and essential service supply chains. This chapter provides insight into the OT risk, identifies the need for RA across organizations, and describes some RA models to address the cyber risk across multiple organizations and for service supply chains.

In assessing the cyber risk to CI/CII at the operator level, both ICT and OT should be considered. There exist many CI/CII sector-specific security control standards which can be mapped onto common structures or frameworks, as has been shown by e.g. NIST and ENISA. Although many standards and control measures exist, the OT risk at the governance, socio-technical, and operational-technical layers is often less understood and addressed by organizations. Recent advisories by government agencies show that the need to address the OT risk has become more urgent, since the number of malicious attacks on OT and of hybrid threats is growing, while disruptions of OT may have a large impact on the physical CI processes.

Recent research on RA for CI emphasizes taking CI dependencies into account. This proves to be even more urgent and complex for CII. RA for CIIs and their dependencies is complex due to the highly dynamic nature of advances in and use of IT and OT, the often hidden nature of technological dependencies (think, for example, of PNT services), and the inclusion of embedded systems. Several RA approaches and methods exist to assess the cyber risk across organizations. However, assessing the cyber risk to the CI/CII service supply chains proves to be complex, as it requires trust and willingness of all organizations involved.

Last but not least, organizations need to consider the cyber risk of future technologies before such technologies creep in via the backdoor and become an essential part of their critical services and business operations. The introduction of these new technologies can be planned (e.g. in the case of smart grids), which allows for an upfront analysis of the security risk involved, even when this risk is not always fully considered. New technologies, e.g. IoT devices and the dependencies they bring, may also be introduced in a more haphazard way into the traditionally well-separated environments of CI/CII operators. Managing this additional risk is a major challenge for the operators.

**Author details**

Marieke Klaver<sup>1</sup>\* and Eric Luiijf<sup>2</sup>

1 TNO Defence, Safety and Security, The Hague, The Netherlands

2 Luiijf Consultancy, Zoetermeer, The Netherlands

\*Address all correspondence to: marieke.klaver@tno.nl

© 2021 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

*Analyzing the Cyber Risk in Critical Infrastructures DOI: http://dx.doi.org/10.5772/intechopen.94917*

*Issues on Risk Analysis for Critical Infrastructure Protection*