**5.2 Challenges to assess the cyber risk across CI/CII chains**

In safeguarding CI and CII, cyber risk mitigation plays an important role. Cyber risk mitigation approaches comprise legal frameworks [13], the implementation of mostly non-CI/CII-specific cyber security frameworks for ICT and OT [25, 29–32, 51], the sharing of cyber security information [52, 53], and a collaborative approach. The incentive for collaborative action on cyber risk at the sector level and across service chains is clear. Resources are scarce and can be optimized by collaborating. Due to the interconnectedness of CI and CII, all organizations in a sector or service chain suffer when one weak link exists and fails, making a joint approach a necessity. Although many initiatives exist, their uptake is sometimes less than planned. Methods are available to assess the cyber risk across a CI chain, but applying them poses challenges. Some of the factors that may prove a barrier to the adoption of these methodologies are:


• *Internal barriers:* Legal departments tend to block collaboration because they regard the shareholder risk as too high, given the negative image that results when information about cyber vulnerabilities or incidents leaks through partners [53].

*Analyzing the Cyber Risk in Critical Infrastructures DOI: http://dx.doi.org/10.5772/intechopen.94917*

**6. What's next?**

CIIP is an ongoing challenge for governmental policymakers and political leadership. Effective CIIP requires a constant assessment of future technological developments and keeping track of the dynamics in the ICT and OT domains. The increasing use of ICT and (embedded) OT to monitor and control critical and complex cyber-physical systems means that most CI have CII components or are slowly transforming into CII. Meanwhile, the cyber security of OT is lagging far behind that of ICT despite specific cyber security good practices and standards [32, 55]. However, the IEC 62443 framework on Security for industrial automation and control systems has recently been extended with a part on RA [31].

**6.1 Trends and developments in CIIP**

Developments in ICT and OT and their interrelationships, for instance big data, smart energy grids, autonomously driving vehicles, 5G, e-health monitoring, and remote robotic surgery, continuously alter the nature of CI and CII. Keeping track of the dynamically changing cyber risk landscape for CI and CII is therefore a challenge. Chapter 6 of [56] states that the "*continuous developments in digital technology require states to keep track of the changing risk landscape and to review CIIP policy accordingly*". Moreover, Chapter 4 of [11] states that "*Horizon scanning strengthens CIIP policy as it enables nations to proactively signal and assess developments in technology, and to act when new technology reaches the potential to become part of the national CII.*"

Nevertheless, it is difficult to recognize developments in the criticality of information infrastructures due to the hyper-connectivity of modern technologies, which may suddenly alter existing dependencies and introduce new dependencies within CIIs and between CII and CI. Dependencies may shift in unforeseen ways due to unanticipated adoption of traditional or seemingly unimportant information infrastructure elements. Such changes may cause other information infrastructure services to become critical to a state on the one hand, and cause the criticality of other CII elements to disappear over time on the other hand [57].

Similarly, company policy changes may unexpectedly affect CI/CII incident response and recovery plans for ICT and OT operations. Consider the organization's green policy to replace all vehicles by e-vehicles. The existing incident response and recovery plans, which dispatch repair trucks and their crews over long distances during a long power disruption, will fail when no special provisions for recharging during non-normal modes of operation are made, and this will delay the recovery of CIs/CIIs.

Mass adoption and integration of new technologies such as internet of things (IoT), industrial internet of things (IIoT), internet-of-medical-things (IoMT), robotics and artificial intelligence may, besides changing the nature of CI and CII, also increase the risk of cyber and hybrid attacks on CII [34, 35]. Ecosystems of hundreds of thousands, if not more, poorly secured internet-connected devices may fall victim to cyber criminals. Their combined power may be used to attack CI, CII and life-essential devices, e.g. by denial of service attacks and spreading malware [58]. CI/CII operators and states shall be aware of this risk in time and take precautionary actions. For instance, smart grid technologies are fundamentally changing the
