The criteria and process of designation of infrastructure as ‘critical’ are guided by the provisions of the national strategy, policy or law. The role of designation differs between countries and ranges from the President, Minister or head of the institution responsible for the protection of critical infrastructure.
u003cstrongu003eCase studyu003c/strongu003e: u003cemu003eHow Critical Infrastructure is designated? u003c/emu003e
In South Africa, the Critical Infrastructure Protection Act 8 of 2019 provides that the Cabinet Minister responsible for policing may declare infrastructure as ‘critical’ based on the recommendation of the Critical Infrastructure Council, the application for declaration of infrastructure as critical infrastructure, and any other relevant information.
In Tanzania’s Cybercrime Act of 2015, the Minister may designate a computer system as critical information infrastructure, by order published in the Gazette. The order may prescribe guidelines or procedures for the registration, protection, management of critical information infrastructure, management and storage of associated data, disaster recovery plans, and audit.
In Kenya’s Computer Misuse and Cybercrimes Act, 2018, the Director, who is the secretary to the National Computer and Cybercrimes Coordination Committee (NC4), shall designate a system as a critical infrastructure if it meets the definition of critical infrastructure and is in line with a critical infrastructure framework.
In Nigeria’s, the Cybercrimes (Prohibition, Prevention, etc) Act, 2015, the President may, on the recommendation of the National Security Adviser, by order published in the Federal Gazette, designate certain computer systems, and/or networks as constituting Critical National Information Infrastructure if they would, when incapacitated or destroyed, debilitate national or economic security, public health, and safety.
In reference to the definition, designation, and classification of the CII, a country may develop a National Critical Information Infrastructure Register. An accurate and up-to-date register of all assets and locations declared as critical infrastructure should be maintained by the entity charged with the management and protection of critical infrastructure.
Countries may consider implementing an Infrastructure Visualization Platform (IVP) similar to that of the US. The IVP is a data collection and presentation medium that enhances planning, protection and response of critical infrastructure using a combination of immersive imagery, geospatial information, and hypermedia data of critical facilities and surrounding areas to enhance planning, protection, and response efforts.
u003cstrongu003eCase studyu003c/strongu003e: u003cemu003eDesignated CII sectors u003c/emu003e
Ghana’s Cybersecurity Act, 2020 (Sections 35) has designated 13 CII sectors: National Security and Intelligence, Information and Communications Technology (ICT), Banking and Finance, Energy, Water, Transportation, Health, Emergency Services, Government, Food and Agriculture, Manufacturing, Mining, and Education.
The Botswana National Cybersecurity Strategy has identified the following sectors as national critical infrastructure sectors with regard to cybersecurity: finance, communications, energy, water, emergency services, food, public safety, health, public services, and e-government.
Kenya’s Director, National Computer and Cybercrimes Coordination Committee (NC4), in a Gazette Notice ( effective 20 January 2022), designated as Critical Infrastructure the following sectors: Telecommunications, Electoral, Judicial, Education, Health, Food, Water, Land, Energy, Transport and Industry, Banking, Finance, Defence, Security, and Public safety.
The Mauritius National Cybersecurity Strategy identifies the critical sectors as financial services, Tourism, electricity, water, ICT and Broadcasting, Health, Government Services, Manufacturing, Transport and Logistics, Sugar and Customs.
Resource: Video Cybersecurity and Critical Infrastructure Protection
The University of Fairfax Webinar discusses:
Critical infrastructure sectors,
Resource: CII Sectors in other countries
The United States of America has 16 CI sectors: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Material, and Waste; Transportation Systems; and Water and Wastewater Systems.
The European Union (EU) Directive on Security of Network and Information Systems (NIS Directive) mandates that member State adopt a national strategy on the security of network and information systems defining the strategic objectives and appropriate policy and regulatory measures covering at least the seven CI sectors: Energy, Transport, Banking, Financial Market, Health, Drinking Water Supply and Distribution, and Digital Infrastructure.
The Report from the Commission to the European Parliament and the Council assesses the consistency of the approaches taken by the Member States in the identification of operators of essential services (OES) in accordance with Article 23(1) of Directive 2016/1148/EU on the security of network and information systems.
The CIIP law in France adopted in December 2013 and the framework for the ‘security of activities of vital importance’ established in 1998 identifies more than 200 critical operators (called ‘operators of vital importance’) in 12 sectors including: Food, Health, Water, Telecom and Broadcasting, Space and Research, Industry, Energy, Transport, Finance, Civilian administration, Military activities and Justice. By law, these operators are required to identify their ‘critical information systems’ that is, those systems ‘whose unavailability could strongly threaten the economic or military potential, the security or the resilience of the Nation’.
The UK’s Centre for the Protection of National Infrastructure (CPNI) has designated 13 national infrastructure sectors: Chemicals, Civil Nuclear, Communications, Defence, Emergency Services, Energy, Finance, Food, Government, Health, Space, Transport, and Water. Several sectors have defined ‘sub-sectors’; Emergency Services, for example, can be split into Police, Ambulance, Fire Services, and Coast Guard.
Reflection point
Based on the national, regional, and international examples of definition, identification and classification of critical infrastructure discussed, using your country as an example: