What is in the standard
This is a basic shared policy which outlines responsibilities for the government and guidance for operators of critical infrastructure concerning the protection of critical information infrastructure. Its purpose is to give instruction to stakeholders to protect critical infrastructure by reducing the risk of IT outages and ensure prompt recovery after an event. It outlines basic safety principles, information sharing, incident response, risk management and continuous improvement of critical information infrastructure protection. The policy does not acknowledge or recommend any specific type of technology and maintains that the most current and robust technology be leveraged.
The unique and unusual part of this standard is in the annexes at the end of the document. As the goal of the document is to “prevent serious effects on the public welfare and socioeconomic activities due to IT outages”, Annex 1 lists all of the specific categories of CII sectors, the applicable operators, the critical control systems and examples of IT outages. Annex 2 goes a step further with “CII Service and Maintenance Levels”. In it, certain maintenance levels and standards are to be maintained at all times. Certain failures in control systems due to IT outages are not allowed to take place. The level of failures is extremely strict, making it seemingly impossible to have any interconnection between control systems and enterprise systems. For example, for electric power supply services “no supply problem incidents of over 10 minutes for supply power of 100,000 kw or more should occur”, and for gas supply services, “no supply problem incidents effecting supply to 20 or more houses should occur as a result of IT outages”. For water systems it is even more strict: “no interruption or decrease of water supply, abnormal quality water supply or serious problems in systems should be caused for supply of water as a result of suspended IT failures”. These stringent standards of service maintenance levels go on for each CII industry sector.
It would be interesting to see how the authors of this policy would go about answering the question of how to ensure these service maintenance levels through different cyber security technology options. For service maintenance levels as strict as these, unidirectional gateway technology would be an appropriate solution.