supply chains. Section 6 provides an outlook on new technological and regulatory developments and their possible impact on the cybersecurity risk for CI and CII. Section 7 concludes the chapter.

**2. CI, CII, and the cyber risk**

#### **2.1 What is CI and how does that relate to CII?**

The Council of the European Union has defined a CI as: "*an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions*" [1]. Many states around the globe have since defined a subset of their infrastructure services as CI using similar definitions. Their aim is to guarantee the well-being of their population and economy by safeguarding the undisturbed functioning of society under all hazards. A list of national definitions for CI can be found at [2].

To determine their set of national CI sectors, states use methodologies such as a national risk assessment (NRA) method [3, 4] or a risk-based approach combined with a set of criteria [5]. Infrastructure is deemed critical at the national level if, for example, the number of casualties or the economic loss caused by a disruption exceeds certain thresholds [6]. Most states recognize energy, telecommunications and internet, drinking water, food, and health as CI sectors [7]. Within these CI sectors, states have identified critical processes, products, and services at the *national level*. Depending on their economic structure, historical developments, cultural, and other factors, states may recognize further sectors as CI, e.g. social services, monuments and icons, as shown on the 'critical infrastructure sector' webpage at [2].

In line with CI, CIIs comprise those ICT-based elements whose disruption or destruction may, according to defined criticality criteria, have a serious impact on a state's society and economy. CII is accordingly defined by [8] as "*those interconnected information and communication infrastructures, the disruption or destruction of which would have serious impact on the health, safety, security, or economic well-being of citizens, or on the effective functioning of government or the economy*". Nevertheless, many states that have defined their CI sectors struggle to define and accept the concept of CII, although the cyber risk to society extends beyond the classical set of CI sectors. Section 2.2 outlines the identification of CII and highlights why CIIs may extend beyond the currently identified national 'classical' sets of CI sectors.

#### **2.2 Identifying CIIs**

Like the protection and resilience of CI, the protection and resilience of CII starts with identifying CII. Many critical and essential services of our societies depend largely on the undisturbed functioning of underlying ICT and OT. According to [9], OT is "*the technology commonly found in cyber-physical systems that is used to manage physical processes and actuation through the direct sensing, monitoring and or control of physical devices*". The overarching term OT replaces many earlier notions for process control technologies that monitor and control cyber-physical systems (CPS): industrial control systems (ICS), distributed control systems (DCS), energy management systems (EMS), supervisory control and data acquisition (SCADA) systems, industrial automation and control systems (IACS), and process automation (PA) [10]. To mention a few applications of OT: the generation, transport, and distribution of various modes of energy, refinery processes, building automation systems (air-conditioning, elevators, fire alarm systems), physical security access (locks, gates, cameras), laboratory analysis systems, tunnel safety systems, harbor cranes, and automated guided vehicles (AGV).

Identifying the ICT- and OT-based services that are critical for a state proves to be complex. Most states struggle to clearly understand and define the information infrastructure components of the processes that are critical to the state and its population. CII elements and services are notoriously more difficult to demarcate and define than CI, technically, organizationally, and from a governance point of view.

CII elements tend to be more interwoven and tend to hide within a CI, in cyber-physical processes, and in stacks of information-based services. The speed of innovation and the uptake of new digital technologies in processes that evolve into critical processes for society is high. This is complex because the critical ICT- and OT-based functions and services hide themselves (1) in the IT sector (telecommunication and internet), (2) in classical sector-specific CIs (**Figure 1**), and (3) even beyond these established domains.

**Figure 1.** *Critical information infrastructure (source: [11]).*

According to [11], CII comprise:

1. Critical elements and services of the ICT sector, for example mobile telecommunication data services, internet exchange points, domain name services, certificate infrastructures, and Global Navigation Satellite Systems such as Galileo, BeiDou, and GPS for Position, Navigation and Timing (PNT) services.

2. Critical information, communication, and operational infrastructure elements (ICT and OT) in each of the CI. This may include e.g. critical financial transaction systems in the financial sector, critical logistic information systems, and the OT which monitors and controls critical cyber-physical systems such as in gas transport, harbors, railways, healthcare, and refineries.

3. The products and services of manufacturers, vendors, and system integrators which are used across multiple CI sectors, nationally and internationally, whose vulnerability or common cause failure may negatively impact the proper functioning of the CII and the CI that they are a critical element of.

*Analyzing the Cyber Risk in Critical Infrastructures DOI: http://dx.doi.org/10.5772/intechopen.94917*


*Issues on Risk Analysis for Critical Infrastructure Protection*


4. Critical ICT- and OT-elements and services beyond the established CI domains mentioned under (1) to (3) above. Such elements are often operated by organizations outside the classical ministerial supervision and/or regulation, and may be physically located outside a state and/or operated by foreign operators.

The extent of the nationally identified CII largely depends on the maturity and critical use of digital technologies by and in states (**Figure 2**). As a basis, essential CII elements include the ICT-based elements of the classical CI services such as electricity generation or drinking water. Digitally more advanced states have defined CIIs with major elements outside the classical set of CIs. Due to the international nature of CII, the governance of CII protection and resilience extends beyond national borders and relies on international collaboration. Due to the increased role of ICT and OT in almost all other CI (e.g. cloud services, smart cities, smart grids), defining the CII requires cyclic updates to capture the dynamics inherent in ICT- and OT-based systems and networks. This process is complex due to the dynamics of the dependencies and the sometimes hidden nature of these dependencies; consider, for example, the dependency of electricity networks on the availability of precise timing and communication networks [12].

The EU, for instance, recognizes the need to secure both CI and CII in its directive on security of network and information systems (NIS) [13]. The directive requires a higher level of cybersecurity from the operators of specific CI services in the energy (electricity, oil, and gas), transport (air, rail, water, and road), banking, financial market, health, drinking water supply and distribution, and digital infrastructure sectors. The non-classical CI 'digital infrastructure' comprises internet exchange points (IXs), domain name service (DNS) providers, and top-level domain (TLD) name registries. EU Member States require by law that other national CI operators adhere to the same security requirements as well. Moreover, the NIS directive recognizes another set of CII operators: the digital service providers (DSPs). DSPs operate online marketplaces, online search engines, and cloud computing services, and fall under the directive when their operations exceed a certain size.

**Figure 2.** *Critical information infrastructure protection (CIIP): All activities aimed at ensuring the functionality, continuity, and integrity of CII to deter, mitigate and neutralize a threat, risk or vulnerability or minimize the impact of an incident. (source: [11]).*

Moreover, the EU implicitly recognizes electronic identification and trust services for electronic transactions as CII in [14]. It should be noted, however, that most EU states do not recognize their key registers on population, land, addresses and buildings, commercial companies, topology, and vehicles as CII [7].

The USA recognizes life-critical embedded systems beyond the classical CI sectors as CII: medical devices, internet-connected cars, and OT [15]. Other states, such as Australia, are in the process of identifying their CII.

The high dynamics of technological developments and the subsequent societal use of ICT- and OT-based services make the identification of CII complex. What seems to be a new toy may shortly become embedded in critical societal processes. On the other hand, earlier critical services such as text messaging phase out as they are replaced by newer mechanisms such as WhatsApp. Risk analysis and mitigation may be complex given (1) the ICT- and OT-technological dynamics, (2) the continuous shifts in the threat spectrum, and (3) new CII services, often operated by new, non-traditional operators (e.g. cloud services), which do not automatically fit in the governance structures of states.

#### **2.3 Why consider the cyber-related risk to CI and CII?**

The phenomenon most feared by states is the cascading effect due to dependencies between CIs and CIIs. When one CI or CII is disrupted or destroyed, cascading disruption(s) may occur through the dependency of other (critical) infrastructure(s) on it. Another important risk factor to CI and CII is a common cause failure: "*a failure where the function of multiple infrastructures is disrupted or destroyed by the same cause or hazard affecting these infrastructures at the same location or area in the same time frame*" [2]. Common cause failures may for instance be triggered by extreme weather, flooding, wildfires, and the common use of the same vulnerable ICT or OT application, software, or equipment.

In modern societies, the (cyber) risk to society and the economy due to inadvertent and deliberate CI/CII disruptions and cascading and common cause phenomena increases due to:

• The diminishing governmental control over classical CIs and CIIs due to liberalization and privatization of their operations.

• A more economics-based risk approach by CI and CII operators aiming for improved efficiency, productivity, and organizational performance, as compared to the more societal risk-based approach of the earlier public CI/CII operators.

• The fast appearance of new ICT-based services that are perceived as essential or even critical by society even before government considers them to be CII.

• The perceived critical use by citizens of new stacked services, which makes the underlying ICT infrastructure critical, e.g. the mobile e-payment infrastructure.

• Urbanization, which stresses the often aging CIs to the limits of their design capability and capacity.

• The increased dependence of CI on ICT and the hidden nature of some dependencies; see for instance [12] for possible cascading effects of disruptions of time synchronization services in electrical power networks.
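The two mechanisms described above, a cascade through dependencies and a common cause failure through a shared component, can be made concrete with a small dependency model. The following is an added example and not code from the chapter or its authors: the service names, the dependency edges, and the shared component `vendor_x_rtu_firmware` are hypothetical, chosen to mirror the chapter's own illustrations (electricity depending on precise timing, one vendor product used across several CI sectors). A service is assumed to fail as soon as any service it requires fails; real dependencies are more graded, so treat the result as a worst-case reachability analysis.

```python
"""Dependency-cascade and common-cause model for CI/CII services.

Added example (not from the chapter): a hypothetical graph of service
dependencies and shared components, with breadth-first propagation that
shows how one disrupted CII element cascades into other CI, and how one
shared vulnerable component (a common cause) disrupts several CI at once.
"""
from collections import deque

# Hypothetical dependency graph: service -> set of services it requires.
# Assumption: a service fails when ANY of its required services fails.
# The cycle electricity <-> telecom is deliberate; real CI depend on each other.
DEPENDS_ON = {
    "gnss_timing": set(),
    "telecom": {"electricity"},
    "electricity": {"gnss_timing", "telecom"},
    "drinking_water": {"electricity"},
    "gas_transport": set(),
    "mobile_epayment": {"telecom", "electricity"},
    "hospital_it": {"electricity", "telecom"},
}

# Hypothetical shared components: component -> services that run it.
# Mirrors item 3 of the CII list: one vendor product used across sectors.
USES_COMPONENT = {
    "vendor_x_rtu_firmware": {"electricity", "gas_transport", "drinking_water"},
}


def dependents_of(depends_on):
    """Invert the graph: service -> set of services that require it."""
    rev = {s: set() for s in depends_on}
    for svc, reqs in depends_on.items():
        for r in reqs:
            rev.setdefault(r, set()).add(svc)
    return rev


def cascade(depends_on, initial_failures):
    """Propagate failures through the dependency graph.

    Returns {service: hops}, where hops is the number of dependency steps
    from an initially failed service (0 for the initial failures).
    BFS with a visited dict terminates even when dependencies are cyclic.
    """
    rev = dependents_of(depends_on)
    hops = {s: 0 for s in initial_failures}
    queue = deque(initial_failures)
    while queue:
        cur = queue.popleft()
        for dep in rev.get(cur, ()):
            if dep not in hops:
                hops[dep] = hops[cur] + 1
                queue.append(dep)
    return hops


def common_cause_failure(depends_on, uses_component, component):
    """Fail every service that uses `component` at the same time, then cascade."""
    initial = sorted(uses_component.get(component, ()))
    return cascade(depends_on, initial)


def compare_scenarios(depends_on, uses_component):
    """Single-point disruption vs. common cause, as {scenario: set of failed services}."""
    return {
        "timing_loss": set(cascade(depends_on, ["gnss_timing"])),
        "shared_firmware": set(
            common_cause_failure(depends_on, uses_component, "vendor_x_rtu_firmware")
        ),
    }


if __name__ == "__main__":
    for name, failed in compare_scenarios(DEPENDS_ON, USES_COMPONENT).items():
        print(f"{name}: {len(failed)} services affected -> {sorted(failed)}")
```

On this graph the loss of timing reaches six of the seven services in two hops because electricity sits at the centre of the graph, exactly the hidden dependency the chapter points to; the shared firmware reaches the same number in a single hop because the initial failure set is already spread across three sectors. The useful output for a risk analyst is not the count but the hop distance, which indicates how much time there is to intervene before a dependent service is affected.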

