CHAPTER 9: FOCUSING AND PRIORITISATION

‘It is only a matter of the “when,” not the “if” that we are going to see something dramatic.’12 – Michael Rogers

The way a country categorises its critical national infrastructure into sectors varies considerably from country to country13. The categories often include energy, health and transport, to name just a few. Dependence on information systems varies according to the sector and the critical infrastructure service. It also differs from one service provider to another.

From the critical infrastructure service provider’s perspective, an organisation may provide several services and only some of them are considered critical infrastructure services. A good example of this is banks, which often have relatively large service portfolios. Cash withdrawal and payments are usually considered critical services. Many other services they provide, such as loans and leasing, investment, insurance and safety deposit boxes, are not considered critical.

However, there can also be service providers that only offer critical infrastructure services and nothing else, such as water suppliers and heat producers.

It is important for critical infrastructure service providers that the service levels of all services are determined and that the resources needed to provide them without disruptions have been allocated. The requirements arising from regulations must also be considered when service levels are determined.

From the state’s perspective, the most important thing is to determine critical infrastructure services. However, even when they have already been listed, there are still services that are more important than others. Which critical infrastructure services are very important, which are important and which are less important? It may not be easy to determine, but it should still be done. We could try dividing the services into categories of importance.

To a certain extent, critical infrastructure services should be categorised according to which services might be needed in various stages of a crisis. Depending on the country, crises of different levels could be defined from the ordinary situation up to martial law. There could be two, three, four or more levels of crisis. Irrespective of the number of levels, it would be good to know which critical infrastructure services work in various crisis situations and at which levels they should do so.

It is also necessary to define the critical infrastructure services that significantly depend on information systems. Persons dealing with cyber security issues should focus on protecting these services as they cannot work when information systems are down.

Focusing and prioritising should therefore be done at the following points:

At the level of critical infrastructure services.

At the level to which a critical infrastructure service depends on IT.

At the level of providers of specific critical infrastructure services.

When setting priorities and allocating resources internally within critical infrastructure service providers.

As the resources of the state and critical infrastructure service providers are limited, it is particularly important to allocate resources to protect important services and systems.

People who deal with cyber security should not be dealing with critical infrastructure that does not depend on IT. Priorities should be set for critical infrastructure that depends on IT according to the extent of dependence, possible risks and the scale of the impact of any disruptions in providing the critical infrastructure service.

Lesson 9: Focus on more critical services and prioritise your activities.
