INTRODUCTION

The way organisations operate and provide services has changed considerably over the past decades. Their capability to produce something has also grown significantly. This has become possible largely due to information technology solutions, which have become indispensable and a natural part of business. Those who try to manage without them achieve only limited performance and functionality. It often seems that doing things without IT solutions is plain impossible. Information plays an important role in management decisions and in business processes. IT solutions have allowed organisations to increase their efficiency in order to be competitive. However, do we even know and realise what happens when IT solutions are not working – when they simply don’t function at all or not in the way we expect them to?

People and organisations consume electricity generated by various types of power plants: nuclear, hydroelectric, thermal, wind, solar and others. We consume the services of communications service providers, such as voice telephony and data communication. We cannot get by without transport service providers – we need companies that operate in aviation, marine transport or on railways. We need operational water supply companies to get water from the tap. Hospitals, clinics and ambulance crews must work to provide medical help to people. Financial service providers must be operational so we can withdraw money from ATMs or make bank transfers. Most of these companies use information systems to provide their services. It wouldn’t be possible without them.

However, these systems must be very well protected against cyber attacks. Cyber attacks[1] could interrupt[2] all or part of critical infrastructure services for several hours or days, bringing health, safety, economic, environmental and reputational consequences[3].

Risks should also be minimised in terms of technological faults and human error. Are the systems that provide critical infrastructure services protected? How well are they protected? Considering today’s threats and attack capabilities, it feels like many of these systems are not adequately protected.

Billions of people use the services of these companies, and this number is increasing rapidly. There are fewer and fewer places where people don’t consume any services provided with the help of IT solutions.

But how is it possible that services consumed by so many people are provided using relatively vulnerable systems? In many instances, even the most basic security measures have not been implemented.

I have been working in the field of protecting CII since 2005 and organised the relevant activities in a country where the use of e-services and dependence on information technology are among the highest in the world. People often ask me the same questions: How is CII protected in Estonia and what have you learned?

The current weak protection of CII, the threats and attack capabilities lurking in cyberspace, and the questions people have asked prompted me to write this book. My goal is to help you be as successful as possible in protecting your CII, and do so as quickly and with as little effort as possible, irrespective of whether you work for a critical infrastructure service provider, a company that organises the provision of critical infrastructure services, a company that provides services to a provider of critical infrastructure or somewhere else.

The book is aimed at people who organise the protection of critical infrastructure, such as chief executive officers, business managers, risk managers, IT managers, information security managers, business continuity managers, and civil servants from ministerial level to analyst level. Most of the principles and recommendations I describe are also valid in organisations that are not critical infrastructure service providers.

There are several hyperlinks throughout the book. If you are reading the print version, please visit www.ciipunit.com/lessonslearned where you will find an online library for easier access to the links. On the same website, I have also provided links to several CII incident pages and CII audit checklists, and will regularly update the website with content related to the book.

[1] A Stuxnet cyber attack on a steel mill caused damage to Germany’s industrial infrastructure by destroying human machine interaction components: www.sentryo.net/cyberattack-on-a-german-steel-mill

[2] In December 2015 a successful cyber attack on a power grid in the Ukraine compromised information systems and disrupted electricity supplies to end consumers: https://en.wikipedia.org/wiki/December_2015_Ukraine_power_grid_cyberattack

[3] The NotPetya ransomware attack is estimated to have cost shipping giant Maersk $300m and forced it to halt operations at 76 port terminals around the world. They were just one of the companies affected globally: www.theregister.co.uk/2017/08/16/notpetya_ransomware_attack_cost_us_300m_says_shipping_giant_maersk/
