Add Thesis

Critical Infrastructure Information Security Model

Written by M. Schlüter

Paper category

Master Thesis


Computer Science




3. Literature review 3.1 Cyber ​​risk To understand the term cyber risk, it is necessary to start with the traditional risk curve (Figure 7), which relates the probability of occurrence to its potential impact. The traditional risk management of the enterprise puts its risk mitigation focus group on the risks with high probability and more or less impact. In this case, it can be called "information security risk" (Barzilay 2013). The characteristic of cyber risks is that they are usually classified as unlikely to occur unless they have occurred recently (Barzilay 2013). According to Barzilay (2013), new and rapidly changing cyber risks are called advanced persistent threats; namely (1) specially designed malware, (2) manipulated hardware and firmware, (3) use of stolen certificates, (4) spies and informants, (5) exploiting vulnerabilities in outdated hardware or (6) attacking third-party service providers. The focus group of the risk curve (Figure 7) must be adjusted to address the new focus group that has a very high impact risk. These risks are called cybersecurity risks, which may not be possible, but they may have a large impact. Barzilay (2013) defines cyber risk as part of "information security risk", so the former term "information security risk" is renamed "traditional security risk" in Figure 8. In order to avoid disaster interruption or unrecoverable damage to information, these risks should be defined and considered. “Most companies respond immediately when they become targets of attackers,” said Koch, a security expert at PricewaterhouseCoopers (Barandun 2013). This seems to be the case for cybersecurity risks, because the probability of occurrence is usually considered low, but after they occur, the chances of these risks remaining on the risk radar will increase, and a budget will be provided to mitigate these risks (Schneider 2014) . According to Lütz (2014), the attack scenario of cyber attacks is one of the biggest challenges, and specially designed cyber attacks against enterprises or individual employees are the increasing risks mentioned by Schneider (2014). 3.2 Critical Infrastructure The Swiss government has identified CI's reference department in this study. These infrastructures are different from other companies and are vital to the Swiss community. This section is the basis, especially for research objective RO1 (explained in section 1.3). It defines what CI is and provides a short excerpt of past outage cases and a list of current programs in the CI protection field. Several definitions of CI exist and use different words to define CI, but they have similar meanings. This section outlines two definitions to establish a common understanding of the term. The choice of definition is based on the relevance and scale of the existing EU and US CIP programs.. The critical infrastructure protection strategy CIP is nothing new, but in order to better coordinate and consolidate work in this area across departments, FOCP assigned a task to the CIP working group to prepare a basic CIP strategy. The Federal Council finally approved the CIP strategy in 2009. Its main goal is to determine common strategic goals, related principles, and measures that must be taken in the CIP field. (FOCP 2009b) In the first step, the document describes the goals and objectives of CIP as: "The goal of critical infrastructure protection is to reduce the likelihood of occurrence and/or the degree of damage caused by interruption, failure or destruction. The country Critical infrastructure at all levels and minimize downtime. These measures are an effective contribution to protecting people and their livelihoods.” (FOCP 2009a, p.3) Principles focus on overall risk management, all disaster methods, resilience, maintenance Proportionality and assistance. It outlines the responsibilities of the private sector where 80% of CIs are located. According to the strategic document, public authorities are mainly responsible for protecting their own CI and additionally supporting CI operators in the private sector. In addition, it also pointed out that the CIP strategy follows all hazard methods including all related risks and does not focus on specific risks. These risks must then be assessed through a common threat and risk assessment, and measured in the areas of prevention, preparation, intervention, repair and reconstruction. (FOCP 2009a, p.4) FOCP is responsible for coordinating activities between the authorities, states, and CI operators. Communication and information between these stakeholders, briefing the Swiss Federal Council or chairing the CIP working group are essential. (FOCP 2009a, p.6) clearly pointed out that there is no higher-level legal framework for comprehensive implementation measures, and the laws and regulations of individual departments only cover some aspects of CIP issues. Where possible, the existing foundations should be used as much as possible. If they are not sufficient, the following tools can be used (FOCP 2009a, p. 7): • Directives: (in legal terms) on achieving and verifying agreed protection goals Binding regulations. • Incentives: Promote measures designed to encourage CI operators to voluntarily achieve protection goals. • Public-Private Partnership (PPP): Promote cooperation between public authorities and CI private operators. The PPP project takes into account the needs of operators and the country to achieve joint solutions. Read Less