
The term “Critical Information Infrastructure Protection” (CIIP) is used internationally to refer to the mechanisms, processes, policies and technologies that are implemented in order to protect CII from being exploited.

This thesis has already highlighted, earlier in this chapter, that CII is under constant threat from both internal and external sources. The proliferation of access to, and the rapid advancement of, technology is the primary factor shaping CIIP, yet implementing effective CIIP remains a difficult task.

CIIP has a wide range of definitions across the problem domain, and as such, this thesis refers to CIIP in the following manner:

• For this thesis, CIIP refers to those mechanisms, processes, policies, and technologies which are implemented to protect CII within the context of an organisation, both internally and externally.

From an organisational perspective, CIIP consists of mechanisms which are put in place to avoid or mitigate the exploitation of any known or potentially unknown vulnerability of CII.

Examples of typical CIIP mechanisms include firewalls, proxies, anti-virus software and ISG plans and policies (Ellefsen & von Solms, 2012; Pattabiraman et al., 2017; Schmidt, 2014; van Niekerk & Ehlers, 2016; IXIA, 2017). Implementing CIIP is unfortunately not an easy task, as there is no all-encompassing solution for its effective and efficient implementation. It is also not financially feasible for any organisation to protect its CII against every possible threat. CII operates in a dynamic environment, where the only constant element is change. Every organisation therefore has to determine its appetite for risk by performing an RVA (Flammini, 2012; Huang, Farn & Lin, 2014; Langer, Skopik, Smith & Kammerstetter, 2016).

2.4.1 Providing continuity to the organisation’s CII

Most organisations are reliant on their CII to drive and support business operations. If CII cannot operate normally within the organisational threshold, it can potentially have a severe negative impact on the organisation, not just from a financial point of view. It is thus logical that CIIP primarily focuses on three broad core aspects (Jarvis et al., 2017; Sumra, Hasbullah & AbManan, 2015; von Solms, Thomson & Maninjwa, 2011):

• Confidentiality;

• Integrity; and

• Availability.

The Confidentiality aspect is concerned with ensuring that only authorised entities can obtain access to certain sets of information (Sudarsan, Jetley & Ramaswamy, 2015), which is crucial when a company’s CII contains large sets of information ranging from customer order details to confidential organisational secrets and patents. It is imperative that no unauthorised access to any information be allowed. Integrity refers to the processes and mechanisms which are put in place to prevent any unauthorised changes to information within CII (El Hassani, El Kalam, Bouhoula, Abassi & Ouahman, 2014; Ellefsen & von Solms, 2012). The Integrity aspect focuses on ensuring that information is authentic and unchanged. The third aspect, Availability, addresses the processes which ensure that CII is readily available when it is required (Subashini & Kavitha, 2011).
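The integrity aspect above is usually enforced with a keyed message authentication code rather than a plain checksum, because a checksum can simply be recomputed by whoever altered the record. The following is an added example (not code from the thesis or any cited source); the record layout, the field names and the fixed key are constructed for illustration, and a production system would draw the key from a secrets manager rather than embed it.

```python
"""Integrity and authenticity of a stored CII record: unkeyed checksum vs. keyed MAC.

Added illustration. The record, its field names and KEY are constructed for this
example; in practice the key comes from a secrets store (see new_key()).
"""
import hashlib
import hmac
import json
import secrets
from typing import Any, Dict


def new_key() -> bytes:
    """A fresh 256-bit MAC key; only the verifier and the writer may hold it."""
    return secrets.token_bytes(32)


# Constructed, fixed key so the example is reproducible. Never ship a constant key.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

# Constructed sample record, e.g. a customer order held in the organisation's CII.
ORDER: Dict[str, Any] = {"order_id": 1042, "customer": "ACME Ltd", "amount": 199.0, "currency": "ZAR"}


def canonical(record: Dict[str, Any]) -> bytes:
    """Deterministic serialisation: key order and spacing must not change the bytes
    that are authenticated, otherwise identical content would verify differently."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


# --- unkeyed checksum: detects accidental corruption only -------------------------

def seal_unkeyed(record: Dict[str, Any]) -> Dict[str, Any]:
    return {"record": record, "digest": hashlib.sha256(canonical(record)).hexdigest()}


def verify_unkeyed(stored: Dict[str, Any]) -> bool:
    expected = hashlib.sha256(canonical(stored["record"])).hexdigest()
    return hmac.compare_digest(expected, stored.get("digest", ""))


def forge_unkeyed(stored: Dict[str, Any], **changes: Any) -> Dict[str, Any]:
    """Attacker model: someone with write access to the store alters the record and
    recomputes the public checksum. No secret is needed, so the change passes."""
    return seal_unkeyed({**stored["record"], **changes})


# --- keyed MAC: detects unauthorised change, i.e. change by anyone without KEY ------

def seal(record: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: Dict[str, Any], key: bytes) -> bool:
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    # constant-time comparison so the tag cannot be guessed byte by byte via timing
    return hmac.compare_digest(expected, sealed.get("tag", ""))


def forge_keyed(sealed: Dict[str, Any], **changes: Any) -> Dict[str, Any]:
    """Same attacker against the MAC: the record can be altered, but without KEY the
    only tag available is the old one, which no longer matches the new bytes."""
    return {"record": {**sealed["record"], **changes}, "tag": sealed["tag"]}


if __name__ == "__main__":
    stored = seal_unkeyed(ORDER)
    print("checksum, tampered:", verify_unkeyed(forge_unkeyed(stored, amount=1.0)))
    sealed = seal(ORDER, KEY)
    print("MAC, untouched:", verify(sealed, KEY))
    print("MAC, tampered:", verify(forge_keyed(sealed, amount=1.0), KEY))
```

The point the code makes: a checksum alone satisfies neither "authentic" nor "unchanged" against an insider or an intruder with write access, because nothing stops them recomputing it; the keyed tag binds the record to a secret that the writer of the change does not hold.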

To ensure continuity within the organisation’s CII, it is important to understand that implementing effective and efficient CIIP is not a one-off process. Furthermore, CIIP is also not a one-dimensional process with only one set of role players delegating the implementation. Before effective CIIP can be implemented, an effective IS and ISG plan must be put in place. Although this thesis is primarily concerned with the implementation of a CIIP model, which forms only part of an ISG plan, it is important to discuss and grasp the higher-level processes that influence CIIP within an organisation. Figure 2.4 shows an ISG model.

Figure 2.4: ISG Model (von Solms et al., 2011)

CIIP should be a continual process in which employees at all levels provide input and feedback on an ongoing basis. Implementing CIIP should start at a very high level, where strategic management provides a set of directives to be delegated down the chain of command (von Solms et al., 2011). The directives become more technical the lower down the management hierarchy they are delegated. The same process is then executed and measured on a continual basis, providing feedback to management and establishing an organisational learning culture. This high-level process is depicted in Figure 2.4.

Protecting CII starts with the strategic management of an organisation establishing a set of directives whereby they formally acknowledge that CII must be protected. This set of directives can also be used to indicate their appetite for risk for certain subsets of CII.

Establishing a comprehensive ISG plan as the first step towards ensuring CIIP can be a daunting task, but fortunately the International Organization for Standardization (ISO) provides a set of documents to be used as guidelines to start the process (Calder, 2017; Donaldson, Siegel, Williams & Aslam, 2015; Sahibudin, Sharifi & Ayat, 2008). Two examples are ISO/IEC 27001 and ISO/IEC 27002: the former specifies the requirements for an information security management system, while the latter is a code of practice for the security controls that such a system draws on, and together they describe the high-level IS and ISG plans and policies an organisation needs. Section 2.4.2 looks at some conventional CIIP protection approaches within an organisation.

[Figure 2.4 labels: Direct, Execute, Control; Strategic Level, Tactical Level, Operational Level]

2.4.2 Protection mechanisms and limitations

As discussed in section 2.4.1, CIIP starts by defining a set of policies within the organisation for which buy-in needs to be obtained from all relevant parties. This is followed by more specifics the further down the ISG model it goes, as depicted in Figure 2.4. It is important to note that the mechanisms discussed in this section do not operate in isolation but in conjunction with one another as complementary mechanisms, which together attempt to provide effective CIIP.

2.4.2.1 Protection by policy

Organisational policies define the processes, tasks and directives that set out the organisation’s approach to CIIP. These policies are often high-level, overview-based instructions used as general guidelines, but they need to convey the organisation’s risk appetite when an RVA is performed on its CII (Armando et al., 2016; Dunn, 2005; Ellefsen, 2014; Trim & Upton, 2016). Such policies are often readily available within organisations, but a common issue persists (Luiijf, Klaver & Nieuwenhuijs, 2011; Trim & Upton, 2016): different levels of employees require different levels of detail within the scope of CIIP. Policies should therefore be well defined throughout, with compliance checks put in place (Herrera et al., 2017; von Solms & von Solms, 2008). Policies must also be aligned with organisational processes to ensure that they provide the desired level of protection and, more importantly, do not hinder employees from performing their daily tasks (Herrera et al., 2017; Luiijf et al., 2011; Žaklina, 2014).

The most prominent limitation of protection by policy is user awareness (Bulgurcu, Cavusoglu & Benbasat, 2010; Tabansky, 2016). Employees need to be trained to create an organisational culture in which knowledge and best practice can be shared. This is imperative to ensure that the same organisational mistakes are not repeated (Abawajy, 2014; Andoh-Baidoo, Osatuyi & Kunene, 2014; Tabansky, 2016).

The next step in a typical CIIP process is technical implementations of mechanisms such as a firewall or proxy, which are discussed in the following section.

2.4.2.2 Protection by hardware and technical means

Within the context of a typical organisation’s CII, the organisational assets can be configured in one of various network topologies (Farouk, 2017; Frantz, Cataldo & Carley, 2009; Rosato, Issacharoff, Tiriticco, Meloni, De Porcellinis & Setola, 2008; van Niekerk & Ehlers, 2016).

Larger organisations can also have CII that spans multiple geographical locations, which creates a fundamental challenge when CIIP mechanisms are implemented. Typically, CII is protected by means of a firewall, a Virtual Private Network (VPN), a proxy or an IDS. Figure 2.5 illustrates a basic CII layout using a mesh topology.

Figure 2.5: A typical CII layout (Bendigo Telco, 2017)

As depicted in Figure 2.5, the purpose of any hardware or technical protection mechanism is to create a layer of abstraction between different networks, especially in the case of external networks (Herrera et al., 2017; Sophos, 2015). Each of the technical and hardware-related solutions mentioned earlier operates in a technical dimension in which access to specific ports, content, websites, sub-networks and network communications is monitored and regulated (Ardagna, Asal, Damiani & Vu, 2015; Bessani, Sousa, Correia, Neves & Veríssimo, 2009; Jarvis et al., 2017; Pattabiraman et al., 2018).

Although these conventional protection mechanisms are effective to a certain extent, some limitations do exist. CIIP by hardware and technical means is static, in the sense that such mechanisms cannot adapt to dynamic threats as and when they occur (Ardagna et al., 2015; Kolbe & Williams, 2008; Langer et al., 2016). This concern is compounded by the possibility that a multi-layered approach may result in hardware and technical mechanisms working against each other (Ardagna et al., 2015; Bygstad, 2010).
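The two limitations above, a static ruleset and layers that contradict each other, can both be made visible with a small policy model. The block below is an added example and not code from the thesis or from any product it cites; the rule syntax, the two sample firewalls, the address ranges (documentation prefixes) and the sample flows are all constructed for illustration. It generalises slightly beyond the text by also detecting shadowed rules, the common way an append-only ruleset silently stops doing what its author intended.

```python
"""First-match packet filtering, rule shadowing and conflicts between enforcement layers.

Added illustration: the rule model, the sample policy and the sample flows are
constructed for this example; they are not taken from the thesis.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source prefix in CIDR notation ("0.0.0.0/0" = any)
    dst: str                 # destination prefix in CIDR notation
    ports: Tuple[int, int]   # inclusive destination port range
    comment: str = ""


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int


def _net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, flow: Flow) -> bool:
    lo, hi = rule.ports
    return (ipaddress.ip_address(flow.src_ip) in _net(rule.src)
            and ipaddress.ip_address(flow.dst_ip) in _net(rule.dst)
            and lo <= flow.dst_port <= hi)


def evaluate(rules: Iterable[Rule], flow: Flow) -> str:
    """First matching rule wins; a flow no rule mentions is denied (default deny)."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"


def _covers(outer: Rule, inner: Rule) -> bool:
    """True when every flow that inner could match is already matched by outer."""
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.ports[0] <= inner.ports[0] <= inner.ports[1] <= outer.ports[1])


def shadowed_rules(rules: Sequence[Rule]) -> List[Rule]:
    """Rules that can never fire because an earlier rule with the opposite action
    already matches everything they match. The ruleset is static: nothing warns the
    operator that the later exception is dead."""
    return [later for i, later in enumerate(rules)
            if any(e.action != later.action and _covers(e, later) for e in rules[:i])]


@dataclass(frozen=True)
class Layer:
    inside: Tuple[str, ...]   # prefixes this enforcement point sits in front of
    rules: Tuple[Rule, ...]

    def on_path(self, flow: Flow) -> bool:
        """The layer only sees flows entering its protected prefixes from outside them."""
        src, dst = ipaddress.ip_address(flow.src_ip), ipaddress.ip_address(flow.dst_ip)
        return (any(dst in _net(p) for p in self.inside)
                and not any(src in _net(p) for p in self.inside))


def layered_decision(layers: Sequence[Layer], flow: Flow) -> Tuple[str, Optional[int]]:
    """A flow is allowed only if every enforcement point on its path allows it. The
    index of the first denying layer is returned so that a conflict between layers
    can be traced to the policy that caused it."""
    for idx, layer in enumerate(layers):
        if layer.on_path(flow) and evaluate(layer.rules, flow) == "deny":
            return "deny", idx
    return "allow", None


# Constructed sample policy: an Internet-facing perimeter firewall in front of the
# whole organisation, and a stricter firewall in front of the 10.20.0.0/16 segment.
PERIMETER = Layer(("10.0.0.0/8", "203.0.113.0/24"), (
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", (443, 443), "public web front end"),
    Rule("allow", "198.51.100.0/24", "10.20.0.0/16", (22, 22), "vendor SSH into ops segment"),
    Rule("deny", "0.0.0.0/0", "10.0.0.0/8", (1, 65535), "nothing else reaches internal"),
    Rule("allow", "198.51.100.7/32", "10.20.0.5/32", (22, 22), "added later; shadowed"),
))
SEGMENT = Layer(("10.20.0.0/16",), (
    Rule("allow", "10.10.0.4/32", "10.20.0.0/16", (22, 22), "SSH only from the jump host"),
    Rule("deny", "0.0.0.0/0", "10.20.0.0/16", (1, 65535), "block everything else"),
))
LAYERS = (PERIMETER, SEGMENT)

if __name__ == "__main__":
    print("dead rules:", [r.comment for r in shadowed_rules(PERIMETER.rules)])
    # The perimeter deliberately admits the vendor; the segment firewall, written by
    # another team, trusts only the jump host. Both are "correct" and the access fails.
    print("vendor SSH:", layered_decision(LAYERS, Flow("198.51.100.5", "10.20.0.5", 22)))
```

Each enforcement point is only consulted for flows that actually cross it, which is why the perimeter's internal-deny rule does not affect jump-host traffic that never leaves the internal ranges. The vendor case is the multi-layer conflict the text warns about: no single ruleset is wrong, but their composition denies an access that one of them was explicitly changed to permit.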

Protection closest to the user, implemented in software on the device itself, also exists within the context of CIIP. This is discussed next.

2.4.2.3 Protection by means of software

Application-level CIIP mechanisms use anti-virus and anti-malware software to provide a level of security for CII, specifically at device level. Application-based CIIP mechanisms are effective at preventing known malware, including Trojans, from spreading, but these applications need to be updated regularly and require continual processing power to run effectively.

Prevention relies on scanning, whether continuous or on demand, against signatures of known threats. The pitfall of this approach is the zero-day exploit, for which the software holds no signature and therefore provides no protection, potentially exposing CII (Bilge & Dumitras, 2012; Gai, Qiu, Tao & Zhu, 2016). Although software-level protection is a key requirement from a user’s perspective, application software has proven to be inefficient in a dynamic environment where threats can occur both internally and externally (Bilge et al., 2016; Sophos, 2015). Section 2.5 discusses the consequences of poor CIIP within the context of an organisation.
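The zero-day blind spot described above follows directly from how signature scanning works: a file is either hashed against a list of known samples or searched for known byte patterns, and a sample that matches neither is passed as clean. The block below is an added example, not code from the thesis or from any anti-virus product; the signature database, the sample "files" (harmless readable stubs rather than real malware) and the family names are constructed for illustration.

```python
"""Signature-based scanning and its blind spot for samples no signature describes.

Added illustration. The signature database and the sample files are constructed for
this example; they are not real malware and are not taken from the thesis or a vendor.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class SignatureDb:
    hashes: Dict[str, str] = field(default_factory=dict)     # sha256 hex -> family
    patterns: Dict[bytes, str] = field(default_factory=dict)  # byte pattern -> family

    def add_sample(self, family: str, content: bytes, pattern: Optional[bytes] = None) -> None:
        """A vendor update: record the exact hash and, optionally, a reusable byte pattern
        extracted by an analyst so that trivially repacked copies are still caught."""
        self.hashes[hashlib.sha256(content).hexdigest()] = family
        if pattern:
            self.patterns[pattern] = family


def scan(db: SignatureDb, content: bytes) -> Optional[str]:
    """Return the matched family, or None when the file matches no signature.
    Every file is hashed and searched in full on every scan; this recurring cost is
    the 'continual processing power' the text refers to."""
    digest = hashlib.sha256(content).hexdigest()
    if digest in db.hashes:
        return db.hashes[digest]
    for pattern, family in db.patterns.items():
        if pattern in content:
            return family
    return None


def window_of_exposure(db: SignatureDb, sample: bytes, family: str) -> Tuple[Optional[str], Optional[str]]:
    """Scan result for an unknown sample before and after its signature is published.
    Between the two scans the device is exposed, however regularly it updates."""
    before = scan(db, sample)
    db.add_sample(family, sample)
    return before, scan(db, sample)


# Constructed samples. A real dropper is a binary; a readable stub keeps the point visible.
STAGER = b"payload=download(http://198.51.100.20/a.bin);run;"
KNOWN_DROPPER = b"MZ\x90\x00" + STAGER + b"\x00" * 16
VARIANT = KNOWN_DROPPER.replace(b"a.bin", b"b.bin")        # repacked: hash differs, string survives
NOVEL = b"MZ\x90\x00" + bytes(x ^ 0x5A for x in STAGER)     # same behaviour, string XOR-obfuscated

DB = SignatureDb()
DB.add_sample("Dropper.A", KNOWN_DROPPER, pattern=b"payload=download(")


def scan_all(db: SignatureDb, files: Dict[str, bytes]) -> Dict[str, Optional[str]]:
    return {name: scan(db, content) for name, content in files.items()}


if __name__ == "__main__":
    print(scan_all(DB, {"known.exe": KNOWN_DROPPER, "variant.exe": VARIANT, "novel.exe": NOVEL}))
    print("novel, before/after update:", window_of_exposure(SignatureDb(), NOVEL, "Dropper.B"))
```

The hash signature catches only the exact file; the analyst's byte pattern extends coverage to the repacked variant; the obfuscated sample, which does the same thing once it runs, is reported clean until a signature for it ships. Nothing in the scanner observes behaviour, which is why the text calls this protection static in a dynamic threat environment.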
