4.1. Methodologies for identification and classification of critical infrastructure

There are various methodologies for the identification of CII, including a service-based approach, the application of sectoral or functional criteria, and an assessment of the stakeholders involved. The Guide to Developing a National Cybersecurity Strategy recommends cyber risk assessment and threat modelling to identify, designate, and protect CI, CII, or essential services.

  • Dependencies and interdependencies: Examining dependencies and interdependencies with other infrastructure and services is good practice in the identification of CI(I). A dependency is defined as ‘the relationship between two products or services in which one product or service is required for the generation of the other product or service’; an interdependency exists where that relationship runs in both directions.

Dependencies can be recognised during CI identification and risk assessment. They include dependencies between CI within a nation as well as dependencies on the infrastructure of neighbouring nations and regions. Dependencies may change the criticality of a particular national infrastructure: a service that on its own would fall below sector thresholds can still be critical if several critical services rely on it. Such relationships are typically determined through stakeholder consultations.

Figure 1: Methodological approaches for Critical Information Infrastructure identification. Source: ENISA.
  • Risk Assessment: The identification of national CIIs should be guided by a risk assessment. A risk-based approach grounded in international standards is needed to identify and prioritise common baseline programmes, policies, and practices for the security and resilience of CI(I), and to ensure their integration and interoperability.

In developing a National Risk Profile, a country’s stakeholders gain a common understanding of the risks, their consequences, and their relative priority. Countries may use the EU Risk Management Capability Assessment Guidelines to carry out such a risk assessment.

The assessment, based on a set of 51 questions on coordination, expertise, methodology, stakeholders, information and communication, equipment, and financing, supports risk identification and prioritisation and provides the basis for:

  • risk assessment,
  • risk management planning,
  • implementing risk prevention and preparedness measures.

The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity helps owners and operators of critical infrastructure to identify, assess, and manage cybersecurity risks using a prioritised, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls.

  • Threat modelling: This is a structured approach to threat scenarios; an engineering technique for identifying possible threats, attacks, vulnerable areas, and countermeasures that could affect a product or its environment (network, architecture, etc.). Using threat-modelling methods, profiles of potential attackers, including their goals and methods, can be built and a catalogue of threats compiled; that information is then used to inform defensive measures.

Good practice: Adopt a methodology to identify CI sectors and services systematically

ENISA’s Methodologies for the identification of Critical Information Infrastructure assets and services recommends a structured four-step approach for evaluating whether a sector or service is potentially critical:

  1. Apply sector-specific criteria;
  2. Assess the criticality;
  3. Assess dependencies;
  4. Apply cross-cutting criteria.

The most useful order of these steps depends on the information available to national policy-makers.
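As an added illustration of these four steps and of the dependency discussion above (this is example code written for this page, not ENISA’s or any national scheme’s method), the following runs the procedure over a constructed set of services. The service names, user counts, sector thresholds, criticality bands, and the cross-cutting rule are all assumptions chosen to show the mechanics; in particular, it shows how a service that fails its sector threshold on its own (here `time_sync`) is still designated once the services that depend on it are taken into account.

```python
"""Added illustration (not ENISA's or any national scheme's code) of the
four-step CII identification approach on a constructed dependency graph."""
from collections import deque

# Constructed sample of candidate services; names, figures and dependency
# edges are invented for illustration only.
SERVICES = {
    "grid_control":      {"sector": "energy",  "users": 5_000_000, "cross_border": True,
                          "depends_on": ["telecom_backbone", "time_sync"]},
    "telecom_backbone":  {"sector": "telecom", "users": 8_000_000, "cross_border": True,
                          "depends_on": ["grid_control"]},
    "time_sync":         {"sector": "telecom", "users": 20_000,    "cross_border": False,
                          "depends_on": []},
    "hospital_ehr":      {"sector": "health",  "users": 600_000,   "cross_border": False,
                          "depends_on": ["telecom_backbone", "grid_control"]},
    "payment_clearing":  {"sector": "finance", "users": 3_000_000, "cross_border": True,
                          "depends_on": ["telecom_backbone", "time_sync"]},
    "municipal_website": {"sector": "public",  "users": 40_000,    "cross_border": False,
                          "depends_on": ["telecom_backbone"]},
}

# Step 1: sector-specific criteria. Assumed per-sector thresholds on the
# population served; real schemes use indicators agreed with each sector.
SECTOR_THRESHOLDS = {"energy": 100_000, "telecom": 500_000, "health": 250_000,
                     "finance": 1_000_000, "public": 100_000}

def step1_candidates(services):
    return {n for n, s in services.items()
            if s["users"] >= SECTOR_THRESHOLDS[s["sector"]]}

# Step 2: base criticality band (1 low .. 3 high) from users served. Assumed bands.
def step2_base_criticality(service):
    users = service["users"]
    return 3 if users >= 2_000_000 else 2 if users >= 500_000 else 1

# Step 3: dependency assessment. Build the reverse graph ("who relies on me")
# and walk it breadth-first; the visited set terminates cycles such as
# grid_control <-> telecom_backbone.
def step3_transitive_dependents(services, name):
    reverse = {n: set() for n in services}
    for n, s in services.items():
        for dep in s["depends_on"]:
            reverse[dep].add(n)
    seen, queue = set(), deque(reverse[name])
    while queue:
        d = queue.popleft()
        if d == name or d in seen:
            continue
        seen.add(d)
        queue.extend(reverse[d])
    return seen

def effective_criticality(services, name):
    """A service is at least as critical as anything that depends on it."""
    own = step2_base_criticality(services[name])
    return max([own] + [step2_base_criticality(services[d])
                        for d in step3_transitive_dependents(services, name)])

# Step 4: cross-cutting criteria (assumed rule): designate any service whose
# effective criticality is in the top band, plus mid-band sector candidates
# whose disruption would cross a national border.
def step4_designate(services):
    candidates = step1_candidates(services)
    designated = set()
    for name, s in services.items():
        eff = effective_criticality(services, name)
        if eff >= 3 or (name in candidates and eff == 2 and s["cross_border"]):
            designated.add(name)
    return designated

if __name__ == "__main__":
    candidates = step1_candidates(SERVICES)
    for name in SERVICES:
        print(f"{name:18} step1={str(name in candidates):5} "
              f"base={step2_base_criticality(SERVICES[name])} "
              f"effective={effective_criticality(SERVICES, name)} "
              f"dependents={sorted(step3_transitive_dependents(SERVICES, name))}")
    print("designated CII:", sorted(step4_designate(SERVICES)))
```

Running the script prints one line per service and ends with `grid_control`, `payment_clearing`, `telecom_backbone` and `time_sync` designated. Had step 1 been applied as a hard filter before step 3, `time_sync` would have been dropped despite every top-band service relying on it, which is the practical reason the order of the steps should follow the information available rather than be fixed in advance.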

Resource: How to identify and classify the CI and CII

ITU 2021 Global CyberDrill Training Video: How to identify and classify critical information infrastructure assets and services.
