Critical National Information Infrastructure (CNII)
(The views expressed are those of the author; all issues related to the contents should be addressed directly to the author.)
Critical National Information Infrastructure (CNII) is defined as those assets (real and virtual), systems, and functions that are so vital to the nation that their incapacity or destruction would have a devastating impact on:
- National economic strength: confidence that the nation’s key growth areas can successfully compete in the global market while maintaining favorable standards of living.
- National image: projection of the national image towards enhancing stature and sphere of influence.
- National defense and security: guaranteeing sovereignty and independence whilst maintaining internal security.
- Government capability to function: maintaining order to perform and deliver minimum essential public services.
- Public health and safety: delivering and managing optimal health care to the citizen.
Critical information infrastructure makes or breaks the national economy. As the network is massive, the points of attack can be hard to determine.
- National Defence & Security
- Banking & Finance
- Information & Communications
- Health Services
- Emergency Services
- Food & Agriculture
CNII reminds governments to put in place the necessary laws or policies to ensure that each sector identified as critical infrastructure is sufficiently protected. On top of that, it also solicits further research on assessing and analyzing the existing legal landscape that aims to protect the critical information infrastructure.
IT security must be promoted at both the national and international levels. Built into the Critical National Information Infrastructure (CNII) program, this promotion can combine initiatives at the organizational, national, and international levels of cooperation. About 70-90% of the projects are funded by the European Commission, including initiatives such as the Online Frauds Cyber Centre and Expert Network (OF2CEN), Security of Energy System (SoES), Distributed Energy Security Knowledge (DEnSeK), and many more.
The table below shows a trend analysis: as the estimated worldwide internet population increases, the total number of devices in use also changes, which in turn leads to an increased contribution of the Information and Communication Technology sector to global GDP.
CNII Threats and Challenges
It is clear that the increasing number of cybersecurity threats will also affect critical infrastructure. Currently, the energy sector in the US is the biggest target for cyber-attacks. According to the DHS-ICS-CERT Monitor Report 2013, there were 111 cyber incidents (53% of the total attacks) in the first half of fiscal year 2013, compared with 81 attacks reported in the preceding 12 months. Today, sophisticated hacker teams are well organized, and full malware packages and services are readily available on the darknet. Protecting critical infrastructure now means meeting the following challenges:
- Better perimeter and service knowledge by all stakeholders.
- Defining a proper patch management cycle (including notification, prioritizing, and deploying).
- Reduce the complexity of networks, applications, and operating systems to reduce the “surface area” for attacks.
- Strengthen internal collaboration by avoiding conflicts between business units.
- Increase education and training.
- Use of honeypots.
- Use of false intellectual properties and data: disinformation or deception.
- Start to think like a hacker yourself.
- Strengthen integration and data traffic analysis.
Threats, Risks, Vulnerabilities, and Risk Culture for CNII
Critical infrastructure may be exposed to various threats which must be included both in risk and threat analyses. The overall spectrum of threats may be described as follows:
| Natural events | Technical failure/ | |
|---|---|---|
| Extreme weather events: storms, heavy precipitation, drops in temperature, floods, heat waves, droughts | insufficient or excessive complexity of planning, defective hardware and/or software bugs | |
| Forest and heathland fires | Negligence | Sabotage |
| Seismic events | Accidents and emergencies | Other forms of crime |
| Epidemics and pandemics in man, animals, and plants | Failures in organization: shortcomings in risk and crisis management, inadequate coordination | |
| meteorites and comets | | |
These events and incidents – which are due to very different causes – may impair, cause massive damage to, or destroy the infrastructure facilities which are vital to society and the population in general. Disruptions or failures may entail so-called domino effects and cascade effects which potentially can paralyze sectors of society and, in addition to the immediate damage caused to affected persons, can result in enormous damage to the national economy and in loss of confidence in a society’s political leadership.
In respect of the current security philosophy, there is a conclusion to be drawn from the identified newly emerged threats, risks and serious vulnerabilities and the resultant complexity as regards prevention and proactive (preparedness) arrangements:
No one-hundred percent protection of infrastructure and its operational effectiveness can be ensured by either the state or operators. The present security mentality must be converted into a new “risk culture”. This novel risk culture is based, inter alia, on
- open risk communication among the state, companies, citizens, and the general public, taking account of the sensitivity of certain information;
- co-operation among all stakeholders in preventing and managing incidents;
- greater self-commitment by operators as regards incident prevention and management;
- greater and self-reliant self-protection and self-help capability of individuals or institutions affected by the disruption or compromise of critical infrastructure services.
Such a novel risk culture can help to make society more robust and more resistant in view of handling growing vulnerabilities.
Risk Management of National Infrastructures
Effective risk assessment methodologies are the cornerstone of a successful Critical Infrastructure Protection program. Risk assessment is indispensable in order to identify threats, assess vulnerabilities, and evaluate the impact on assets, infrastructures, or systems taking into account the probability of the occurrence of these threats. Methodologies developed for certain assets are well defined, tested, and validated and the vast majority follow the linear approach already mentioned. The second important parameter that is entering the stage for the risk assessment methodologies of networked infrastructures is the element of interdependencies. Four types of interdependencies are identified for critical infrastructures.
- Physical: The operation of one infrastructure depends on the material output of the other.
- Cyber: Dependency on information transmitted through the information infrastructure.
- Geographic: Dependency on local environmental effects that simultaneously affect several infrastructures.
- Logical: Any kind of dependency not characterized as Physical, Cyber or Geographic.
- Asset Assessment
- Threat Assessment
- Vulnerability Assessment
- Risk Assessment
- Identification of Countermeasure Options.
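The four interdependency types listed above can be modelled as typed edges in a dependency graph, which makes the domino and cascade effects of a single failure traceable. The following is an added example, not part of the original article; the asset names and dependencies are constructed sample data, and it assumes the worst case in which any failed dependency takes the dependent asset down (no redundancy).

```python
from collections import deque
from enum import Enum

class Dep(Enum):
    PHYSICAL = "physical"      # material output of another infrastructure
    CYBER = "cyber"            # information carried by the information infrastructure
    GEOGRAPHIC = "geographic"  # shared local environmental effects
    LOGICAL = "logical"        # anything not physical, cyber or geographic

# Constructed sample data: (dependent, depends_on, interdependency type).
DEPENDENCIES = [
    ("telecom", "power_grid", Dep.PHYSICAL),
    ("water", "power_grid", Dep.PHYSICAL),
    ("health_services", "power_grid", Dep.PHYSICAL),
    ("health_services", "water", Dep.PHYSICAL),
    ("banking", "telecom", Dep.CYBER),
    ("emergency_services", "telecom", Dep.CYBER),
    ("food_supply", "banking", Dep.LOGICAL),
    ("data_centre", "river_flood_zone", Dep.GEOGRAPHIC),
    ("telecom", "data_centre", Dep.CYBER),
]

def cascade(failed, deps=DEPENDENCIES, ignore=frozenset()):
    """Breadth-first trace: {asset: (depth, direct cause, dependency type)}.

    Assumption: one failed dependency is enough to fail the dependent.
    `ignore` drops dependency types, e.g. to model a mitigated link class.
    """
    dependents = {}
    for dependent, provider, kind in deps:
        if kind not in ignore:
            dependents.setdefault(provider, []).append((dependent, kind))
    reached = {failed: (0, None, None)}
    queue = deque([failed])
    while queue:
        node = queue.popleft()
        for dependent, kind in dependents.get(node, []):
            if dependent not in reached:
                reached[dependent] = (reached[node][0] + 1, node, kind)
                queue.append(dependent)
    return reached

def impact_ranking(deps=DEPENDENCIES):
    """Rank each asset by how many other assets fail if it fails alone."""
    assets = {a for dependent, provider, _ in deps for a in (dependent, provider)}
    scores = {a: len(cascade(a, deps)) - 1 for a in assets}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for asset, (depth, cause, kind) in cascade("power_grid").items():
        print(depth, asset, "<-", cause, kind.value if kind else "")
    print(impact_ranking()[:3])
```

Passing `ignore={Dep.CYBER}` to `cascade` shows how far the same failure spreads once the cyber links are treated as mitigated, which is one way to compare countermeasure options.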
The conclusion is that implementing a national-level separation program, involving the verification and validation of certain design tools in the various government agencies responsible for national infrastructure, would change the way critical national information infrastructures are maintained and safeguarded today. The goals related to policy enforcement can be listed as follows:
- Internet Separation: Certain critical national assets should not be made available from the internet. National programs fostering such separation should be formalized and implemented. This would also require changes in the standard business practices followed in the various industries today.
- Network-based Firewalls: Infrastructure systems carrying critical national information must be encouraged to use network-based firewalls, especially ones managed by a centralized group. Government agencies need to enter into high-end contracts with network service providers to ensure 24*7 availability and operability.
- DDoS protection: This protection should be provided on a high-capacity backbone, aiming at a sophisticated DDoS protection scheme.
- Internal Separation: There is a need today to incentivize a complete internal separation policy to prevent sabotage.
The bottom line is that no single separation technique is sufficient to protect the CNII systems. Hence, we need to focus on a combination of practical security measures and the spirit of working together to create a stronger defense-in-depth protection mechanism.
About the Author
Praful Kalla is an Information Risk Management Professional currently working in Breachlock Inc Pvt Ltd as part of the Security Research and Operations division in Noida. He has two years of industry experience in Consultancy Operations, Information Security, Threat Management, and Application Security from named organizations like Aujas Networks Pvt Ltd, Protiviti, and Pyramid Cyber Security and Forensics.
He is a Certified Ethical Hacker v9 and has completed his MBA-ITBM (Systems & Information Security) from SCIT, Pune. Prior to that he did his B.E. in Computer Science Engineering from Visvesvaraya Technological University, Bangalore, and is also a proud alumnus of St Joseph’s Academy, Dehradun. He aims to integrate his technical experience with formal business education to cater to techno-functional business needs and hence deliver value to tomorrow’s technology. He is a thoroughly professional, helpful, and trustworthy person who can add value to any organization.
He interned under Mr Avinash Kulkarni, CEO, Blue Planet Infosolutions Pvt Ltd, PanHealth, for 3 months to do a business analysis of their new and capability-oriented program (Smart Cookie) for educational institutions. He was appreciated by the team for his management skills as well as his out-of-the-box ideas during the tenure.