Designing a Security Audit Plan for a Critical Information Infrastructure (CII)

Eduardo E. Gelbstein (Webster University, Geneva, Switzerland)
DOI: 10.4018/978-1-4666-2659-1.ch011

Abstract

Critical Information Infrastructures (CII) have been recognized as potential targets for cyber-attacks since the late 1990s, and many have already been successfully attacked since then. The attacks of September 11, 2001 heightened concern about the impact such attacks could have, and many governments, professional bodies, and vendors have put in place advisory and coordination mechanisms to share and encourage good practices. Critical infrastructures are monitored and controlled by information systems, which makes it increasingly difficult to distinguish a Critical Infrastructure from a Critical Information Infrastructure. It is also acknowledged that such information systems are complex, interdependent, and convergent, as they share components built from a small number of products and standards. All of these systems, and the products from which they are built, are known to have both known and unknown vulnerabilities that could be exploited by attackers.
Chapter Preview

1. Context: CIIs in 2012

There are many ways to define a Critical Information Infrastructure (CII). For example, the European Network and Information Security Agency (ENISA) [1], an agency of the European Union, states that CIIs are:

Those interconnected systems and networks, the disruption or destruction of which would have a serious impact on the health, safety, security, or economic well-being of citizens, or on the effective functioning of government or the economy.

For the purpose of this paper, the specific and essential characteristics of a CII are that:

  • It operates 24 hours a day, 7 days a week, and

  • Its operations require information systems and networks, sensors, and other mechanisms for data acquisition.

  • It is frequently required to operate physical devices, ranging from cash dispensers (ATMs) to motors (for example, to switch a railroad track) and robotic systems (for example, in manufacturing).

  • It is part of a supply chain: a failure to operate propagates to other entities that may themselves be CIIs.

This definition applies to many areas of activity. To list just a few, they include utilities (electricity, gas, water), transportation (air traffic control, airport operations, railways), all continuous manufacturing (oil refineries, glass and paper processing), defense and law enforcement (army, air force, police), banking (ATM networks and online), telecommunications (fixed line and mobile telephony, internet service providers) and many more.

Around the mid-1990s, before the Internet and the World Wide Web became established, all these critical infrastructures were confronted with the rollover of date handling in computer systems from 1999 to 2000, the so-called Y2K problem.

While many now consider that this was an artificial crisis and that the problem was hyped beyond its potential impact, much effort and investment around the world went into addressing it. This required all organizations, and CIIs in particular, to fully understand what IT systems they had and the extent of their exposure to the Y2K problem. In the event, there was no disruption.
