Monday, February 2, 2015

ENISA - Identifying Critical Information Infrastructure (CII)

The European Union Agency for Network and Information Security (ENISA) has published a new and interesting document entitled Methodologies for the Identification of Critical Information Infrastructure Assets and Services. The report documents a study performed by ENISA staff to tackle the problem of identifying Critical Information Infrastructures (aka CII) in communications networks. However, because of the broad scope of the critical infrastructure inspected for this report, it contains ideas that can help countries and large enterprises identify their critical assets.

The study of 23 Member States did reveal that a "...significant number of Member States present a low level of maturity and lack a structured approach regarding identification of Critical Information Infrastructure..." However, this report does offer an overview of methodologies in the identification of CII assets and services which may be useful to other geographic regions, nation states and even large multi-national corporations.  Some key aspects of the methodologies are summarized below.

Identification of Critical Sectors

One of the first steps listed in Section 4.3 is the identification of critical sectors.  On pages 22-24 the report identifies 14 critical sectors including critical subsectors and critical services to be considered when identifying critical assets.  The table showing this useful list is below:

Identification of Critical Services

Section 5.2 offers a suggested process of using criticality criteria in order to identify critical assets.  The report notes that criticality is the (1) level of contribution of an infrastructure to society in maintaining a minimum level of national and international law and order, public safety, economy, public health and environment, or (2) impact level to citizens or to the government from the loss or disruption of the infrastructure.

Again, ENISA offers a table (below) showing eight different criteria with an explanation:

Assessment of Dependencies

The next step in this process is to examine the critical infrastructure (system) for the following types of dependencies:

  • Interdependencies within a critical sector (intra-sector)
  • Interdependencies between critical sectors (cross-sector)
  • Especially for CII, interdependencies among communication network assets (both physical and logical connectivity)

In the United States we have some guidance when identifying critical infrastructure for the electric grid -- this guidance is mainly in the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards. Even the US Department of Homeland Security (DHS) has identified a list of critical national sectors. However, the ENISA document would be an excellent resource for a large regional organization, a nation state, or even a large transnational corporation to identify the critical sectors of concern and the critical assets to be protected.

My compliments to ENISA for this document and the guidelines offered.