國際商會:2024關鍵基礎設施及其供應鏈網絡安全防護報告(英文版)(35頁).pdf

編號:179849 PDF  DOCX  中文版 35頁 5.25MB 下載積分:VIP專享
下載報告請您先登錄!

國際商會:2024關鍵基礎設施及其供應鏈網絡安全防護報告(英文版)(35頁).pdf

1、Protecting the cybersecurity of critical infrastructures and their supply chainsICC Working PaperJuly 2024|ICC Working Paper:Protecting the cybersecurity of critical infrastructures and their supply chains|2Executive summaryProtecting the cybersecurity of critical infrastructures and their supply ch

2、ains is crucial for the simple reason that these systems power our daily livesfrom electricity and water to healthcare and transportation.A cyber incident disrupting the functioning of these vital services can cause widespread chaos,endanger lives,and cripple economies.As cyber threats grow increasi

3、ngly sophisticated and pervasive,ensuring the resilience and security of these critical systems is not just a technological necessity but a fundamental safeguard for the well-being and continuity of modern life.This paper explores the complexities of protecting these systems stemming from multiple f

4、actors:Many of these services were not originally designed as essential services,leading to outdated technologies and structural vulnerabilities.The integration of digital components with physical systems amplifies risks due to the combined vulnerabilities of both realms,especially taking into accou

5、nt the rapid spread of new and emerging technologies.The increasing complexity and interdependence of supply chains expand the attack surface,making it essential to address third-party risks.Furthermore,the interdependence of these services with non-critical infrastructures complicates the establish

6、ment of clear boundaries and appropriate investment.Limited resources and budgets across both public and private sectors also hinder the implementation of robust security measures.Strong security practices,public-private collaboration,and international cooperation are crucial to safeguarding these v

7、ital systems,ensuring global economic stability,and maintaining trust in the digital economy.The distributed nature of digital capabilities requires global cooperation,yet there is a lack of international consensus and incentives.The definition of critical infrastructure varies globally,complicating

8、 international cooperation and coordination.Cross-border impacts and shared dependencies necessitate harmonised global efforts and aligned standards as well as sector-specific frameworks to mitigate risks effectively.In providing a taxonomy and strategic recommendations to address these challenges t

9、he paper analyses the current state of cybersecurity for critical infrastructures and their supply chains,evaluates existing frameworks,policies,and technologies,assessing their strengths and weaknesses and identifying best practices as well as areas in need of enhancement.The paper demonstrates how

10、,in response to cyber threats,the private sector bolsters resilience and recovery by adopting comprehensive security measures,including embracing the principles of cybersecurity by design,maintaining robust asset inventories,developing incident response plans,implementing strong data backups,ensurin

11、g up-to-date systems with the latest security patches and zero-trust architectures,as well as a sound supply chain policy.It showcases best practices and existing industry standards that can be scaled up and more widely adopted.At the same time,while business investment in prevention and defensive c

12、apabilities is essential,the private sector alone is unable to deter,prevent,or shield itself(and the communities it helps sustain)from the destructive effects of cyberattacks.Cybersecurity is a shared responsibility between the private and public sectors,and both must work together to mitigate risk

13、s and curb cyber threats.This is all the more important in the case of critical infrastructures where the roles and responsibilities of private and public sector actors are closely intertwined.This paper calls for a close,continuous and joined-up relationship between critical infrastructure provider

14、s and governments to ensure effective responses to cyber threats.It offers concrete recommendations for policymakers in domestic and international contexts alike,as well as suggestions for building effective public-private partnerships.July 2024|ICC Working Paper:Protecting the cybersecurity of crit

15、ical infrastructures and their supply chains|3Table of contentsIntroduction.41.Varying approaches to defining critical infrastructure and essential services.62.Challenges in protecting critical infrastructure.83.Protecting critical infrastructure and supply chains where are we now?.154.Towards bette

16、r protection of critical infrastructures and increased supply chain security.23Annex I:Overview of national and regional approaches on the cybersecurity of critical infrastructures and essential services.27July 2024|ICC Working Paper:Protecting the cybersecurity of critical infrastructures and their

17、 supply chains|3July 2024|ICC Working Paper:Protecting the cybersecurity of critical infrastructures and their supply chains|4Introduction While jurisdictions across the world have varying views of what specifically falls under this designation,critical infrastructure generally refers to the fundame

18、ntal systems and assets,both physical and virtual,that are indispensable for the functioning of a society,its economy,and its essential services.Critical infrastructure is traditionally seen as a strategic element,facility,equipment,network or system,or part thereof,that cannot be replaced in order

19、to provide an essential service.Such infrastructures are seen as crucial for the well-being and for preserving the public order and security of nations,thus their disruption could have significant consequences.They cannot be replicated or easily replaced in the short term and are therefore deemed to

20、 need special physical and digital protections.This may include sectors like energy,water,heating,transportation,finance,or communication.Most of these systems rely heavily on computer networks,control systems,and digital technologies,making them susceptible to cyber threats.The concept of essential

21、 services is of particular relevance when designating an infrastructure critical,and refers to the maintenance of vital societal functions,economic activities,public health and safety or the environment.This is all the more important as these services,their development or delivery becomes increasing

22、ly digital.In order to ensure the effectiveness of protection measures and legal certainty,this concept is often bound by a specific list of services deemed essential by policymakers.1 Ensuring trust in the digital economy requires the protection of the availability,integrity,confidentiality of thes

23、e most essential infrastructures and services to ensure resilience.Digital and physical security go hand in hand to consolidate the operational resilience of organisations and the essential services they provide.Any failure in digital or physical security can lead to a serious incident in the disrup

24、tion of service delivery and organisational reputation.Efforts should be focused on improving both the digital and physical security of services and increasing the resilience of critical assets against natural,accidental,or intentional events.Central to these efforts is the development of an appropr

25、iate and robust risk management framework,from identifying sources of risk to communicating incidents to stakeholders.The purpose of this paper is to address cyber resilience measures,including collaboration mechanisms,private sector voluntary measures and,if needed,the balance between regulation an

26、d the sustainability of controls,for the protection of critical infrastructure and essential services,i.e.the ability of a critical entity to prevent,protect,respond,resist,mitigate,absorb,adapt and recover in the event of a cyber incident.While digital and physical protection measures need to be co

27、nsidered in a synchronised and increasingly coordinated manner,this paper focuses solely on the digital component.This is without prejudice to the need to consider other natural phenomena,human error,or misconfiguration outside the scope of this document when securing critical infrastructure or esse

28、ntial services.While business investment in prevention and defensive capabilities is essential,the private sector alone is unable to deter,prevent,or properly shield itself(and the communities it helps sustain)from the destructive effects of cyberattacks.1 US:www.cisa.gov/topics/critical-infrastruct

29、ure-security-and-resilience/critical-infrastructure-sectors Europe:www.digital-strategy.ec.europa.eu/en/policies/nis2-directive List of Essential Services:www.eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ%3AL_202302450 July 2024|ICC Working Paper:Protecting the cybersecurity of critical infrastruct

30、ures and their supply chains|5Cybersecurity is a shared responsibility between the private and public sectors,and both must work together to mitigate risks and curb cyber threats.Governments are primarily responsible to protect their citizens,civil society and business from foreign and domestic,affi

31、liated and unaffiliated threat actors with both political and criminal objectives,which also applies in cyberspace.Decisive action from governments to styme cyber threats and broad multistakeholder collaboration will help bolster economic confidence,prevent disruptions in global trade,and ensure a m

32、ore secure cyber environment where businesses and communities can thrive.As set out in ICC Cybersecurity Issue Brief#2,enhancing multistakeholder cooperation to counter cybercrime and implementing rules for responsible state behaviour are essential to reduce cyberattacks,and thus increase security.2

33、This paper seeks to comprehensively address the multifaceted challenges surrounding the protection of critical infrastructure and essential services in the face of evolving cyber threats.By examining diverse perspectives on defining critical infrastructure and identifying the various actors,motivati

34、ons,and impacts of cyber threats,we aim to underscore the urgency of a harmonised approach.Furthermore,by assessing the current state of protection efforts and highlighting areas for improvement,this paper advocates for a coordinated approach involving private sector engagement,policy enhancements,i

35、nternational cooperation,and strengthened public-private partnerships.Ultimately,our recommendations strive to bolster the resilience of critical infrastructure and essential services,as well as their supply chains,safeguarding them against emergent cyber risks in an increasingly interconnected glob

36、al landscape.2 ICC Cybersecurity Issue Brief#2:Implementing norms and rules for states and international cooperationJuly 2024|ICC Working Paper:Protecting the cybersecurity of critical infrastructures and their supply chains|61.Varying approaches to defining critical infrastructure and essential ser

37、vicesCritical infrastructures form the backbone of the worlds functionality and resilience.These essential systems and assets are the lifeblood of society.Disruptions to their security and proper functioning can have severe repercussions,affecting public safety,economic stability,and national securi

38、ty.We have seen the physical impact of critical infrastructure security around the world across varying sectors.One example is Costa Ricas response to significant cyberattacks against public institutions in 2022,declaring a State of National Emergency in the public sector,highlighting the need for i

39、nternational cooperation.3 This led to the creation of a General Emergency Plan,enhancing resources and administrative processes to address the issue.While these measures improved the response to attacks,the country recognised the need for a more comprehensive approach and is currently in the proces

40、s of developing the National Cybersecurity Strategy 2023-2027,aiming to strengthen governance,adapt the legal framework,enhance infrastructure protection and national resilience,and foster cooperation in the digital environment.The strategy aligns with national strategic approaches and provides guid

41、ance for decision-making4.It also recommends prioritising the security of critical infrastructure by precisely defining national critical infrastructure,both in the public and private sectors,and outlining essential protection mechanisms.Additionally,the strategy emphasises the importance of strengt

42、hening risk management through the identification and prioritisation of critical assets,periodic cybersecurity risk assessments,and the allocation of resources to maximise the return on investment in terms of economic and social benefits.Major incidents affecting critical infrastructure have had sig

43、nificant adverse impact across the globe and in multiple sectors over the past decades.Some illustrative examples of major incidents affecting critical infrastructure include:In Europe,attacks on Estonian organisations including the Parliament,banks,ministries,newspapers,and others as early as 2007

44、were a wake-up call helping the country improve their cyber-defence tools.5 In 2008,Georgia experienced major distributed denial of services attack on its critical infrastructure,including government services,the banking sector and various websites,with reportedly over 70%of Georgian websites affect

45、ed.6 A large number of similar threats were reported in the 2008-2014 period.7 Most recently a number of attacks were reported in Ukraine(such as wiper ransomware)following the conflict with Russia.8 In the US in 2013,hackers breached the Bowman Avenue Dam in New York and gained control of the flood

46、gates.Oil rigs,ships,satellites,airliners,airport,and port systems were all thought to be vulnerable,and media reports suggest that breaches have occurred.9 In May 2021,the Colonial pipeline ransomware attack forced all business operations to stop.10 In Central and South America in January 2024,the

47、Trigona attack on Claro operations caused over a week of disruption to services.11While security of digital components in critical infrastructure serving essential services is key to safeguard resilience,the combination of digital capabilities and physical components as in Internet of Things(IoT)or

48、Operational Technology(OT)brings an explosion of potential new risks deriving from the joint effect of digital 3 Executive Decree No.43542-MP-MICITT 2022 4 www.micitt.go.cr/el-sector-informa/avanza-proceso-de-implementacion-de-la-estrategia-nacional-de-ciberseguridad 5 6 www.ccdcoe.org/uploads/2018/

49、10/legalconsiderations_0.pdf 7 www.ccdcoe.org/uploads/2018/10/Ch08_CyberWarinPerspective_Weedon.pdf 8 9 11 2024|ICC Working Paper:Protecting the cybersecurity of critical infrastructures and their supply chains|7vulnerabilities and the complexity of the physical world.One example of this was the cas

50、e of Stuxnet,12 by which a specialised malware was able to impair Irans nuclear program through a digital attack to change physical parameters in Iranian nuclear SCADA systems.These incidents highlight the potential destabilising effect of an attack on critical infrastructure and underscore the impo

51、rtance of strong security practice and collaboration among stakeholders to deter,protect and deal with cyber threats.Furthermore,in an increasingly interconnected world,the significance of critical infrastructure protection extends across borders to a global scale.With shared dependencies and potent

52、ial cross-border impacts,a breach in one region can impact another.Cross-cutting cyber incidents that can be named range from the widespread Wannacry worm that affected all regions of the world,13 to diverse vulnerabilities and attacks on the software and digital services supply chain,affecting orga

53、nisations in different countries.One example is an incident that occurred in 2017,when the shipping giant Maersk,based in Copenhagen,Denmark became a victim of the NotPetya ransomware attack.14 Maersk is one of the largest transportation companies in the world,responsible for one-fifth of the worlds

54、 shipping.As a consequence of the attack,Maersks freight operations in four different countries were affected,causing delays and disruptions that lasted weeks,while also costing the company over$200 million to remediate.Other recent examples are Log4shell,15 SolarWinds,16 and Ivanti.17Harmonised eff

55、orts to set a baseline to protect critical infrastructure are crucial for fostering international collaboration,resilience against emerging threats,and ensuring the stability of the interconnected systems that underpin the modern world globally.By implementing globally aligned minimum protection mea

56、sures,we can safeguard these fundamental assets against diverse threats,including national disasters,cyberattacks,and deliberate harm.However,divergent global definitions of critical infrastructure and essential services,and contradictory requirements pose challenges for international cooperation an

57、d coordination to decrease cyber threats and to develop effective risk mitigating solutions.Misalignment can hinder effective communication and collaboration during cross-border crises.For an overview of various jurisdictions take on critical infrastructure see Annex I.The first step towards finding

58、 common agreement on terminology how to manage risks for critical infrastructure is convergence in using globally recognised,widely utilised international standards.For example,ISO Standards,the NIST Cyber Risk Framework,3GPP in case of mobile infrastructure,and in case of the financial services sec

59、tor the Cyber Risk Institutes Profile can be utilised for complying with global financial regulations.Utilising such common standards helps ensure proper risk management with a high bar for security and privacy.At the same time,critical infrastructure owners and operators are dependent on a web of t

60、hird-party relationships to function.Therefore,supply chain and third-party risks are an extension of essential services.The rapid expansion of the digital economy in recent years,has exponentially increased the number of third parties in our ecosystems.As supply chains grow more complex,interdepend

61、ent,and interconnected,risk exposure also grows.The attack surface increases,and the likelihood of an incident and the resulting cascading impacts becomes more challenging to predict,identify,and mitigate for critical infrastructure owners and operators.Third parties are generally not designed to co

62、pe with such criticality in mind,either in terms of their technical and operational controls or their financial sustainability,which raises the dilemma of their feasibility to serve the purpose of such critical infrastructure and essential services.The security of critical infrastructure is fundamen

63、tal to our global economic security and the protection of trust in our shared digital economy.Convergence on definitions,alignment of global standards and frameworks,and strong third-party risk management approaches can help raise the bar for security.12 www.spectrum.ieee.org/the-real-story-of-stuxn

64、et 13 NotPetya Ransomware Attack Cost Shipping Giant Maersk Over$200 Million().15 16 17 www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b July 2024|ICC Working Paper:Protecting the cybersecurity of critical infrastructures and their supply chains|82.Challenges in protecting critical infras

65、tructure Given its paramount importance for the functioning of societies and economies,safeguarding critical infrastructure stands as principal challenge that requires a comprehensive understanding of the diverse landscape of cyber threats.The digital threats faced by critical infrastructure and ess

66、ential services are not fundamentally different than those facing any other digital capabilities,services,or processes.The difficulty of adequate protection of critical infrastructures derives from several factors:Many of these essential services have not been deployed as such and have ended up taki

67、ng on an essential relevance for society later.Thus,they were not conceived with a resilience criterion at the level of relevance they have ended up having.This could imply both a culture of protection below what is at present required and design problems that may affect how they can be protected no

68、w.An example is the very design of the Internet architecture where there are multiple structural risks that are difficult to patch without a root change(DNS structure,BGP decentralised protocols,insufficient levels of encryption and protection in protocols and services,insufficient roots of trust in

69、 encryption capabilities etc.)The interdependence of essential services and their corresponding critical infrastructures with other infrastructures or services that are not defined as such,makes it very difficult to determine the boundaries for the application of strict criteria,adequate investment,

70、collaboration mechanisms,etc.The very distributed nature of digital capabilities makes it complex to be able to apply local policies without an adequate agreement between all countries,where there is a lack of global incentives or dissuasions to achieve a minimum of agreement on what should be prote

71、cted,on the contrary,there is a risk of escalating aggressiveness between nations and blocs.The lack of knowledge and global vision of the nature of risks in both the public and private sectors makes it difficult to achieve standards beyond the need to protect all digital capabilities.The dispersion

72、 in complex digital supply chains also makes it difficult for public and private bodies to focus on simple criteria,making the problem extensive and dispersed.Some critical infrastructure components still rely on outdated and unsupported technologies,making them more vulnerable to cyber threats as s

73、ecurity patches and updates may not be available.Many critical infrastructure organisations have limited resources and budgets allocated to cybersecurity,making it challenging to implement robust security measures and keep up with evolving threats.In the following,we provide a structured analysis th

74、at encompasses the various dimensions of these threats,including the actors involved and their motivations,the various forms of threats,their impact,and complexities in responding to such threats.This taxonomy serves as a foundation for constructing effective cybersecurity strategies tailored to the

75、 intricate challenges posed by threats to critical infrastructure.2.1 Actors and their motivationRanging from nation-states to cybercriminal organisations and insider threats,each actor is driven by distinct motivations that can extend beyond financial gains,encompassing geopolitical influence or ev

76、ent ideological pursuits.July 2024|ICC Working Paper:Protecting the cybersecurity of critical infrastructures and their supply chains|9State-nexus threat groups or advanced persistent threatsState-nexus threat groups are typically backed and directed by their military,intelligence,or other governmen

77、t departments.Unlike other groups mentioned in this context,they are generally well-funded and capable of conducting long-term plans to execute large-scale,advanced operations.Their main objectives could be revenue generation,espionage or destructive attacks,and they target both other countries and

78、private organizations to obtain sensitive data,funding,or military strategies.18 While the state sponsorship of some of them is still disputed,examples of such threats were claimed to include Stuxnet mentioned above,GhostNet reported to have compromised the devices of political,economic,and media ta

79、rgets in nearly 103 countries19,Helix Kitten whose major targets included organisations in aerospace,energy,financial,government,hospitality,and telecommunications,mostly in the Middle East20 or the more recently identified Flax Typhoon21 claimed to gain and maintain long-term access to organisation

80、s networks with minimal use of malware,relying on tools built into the operating system,along with some normally benign software to quietly remain in these networks.Insider attacksAn insider attack refers to malicious acts carried out by an individual or a group of individuals who are associated wit

81、h or employed by the target.22 As actors are frequently engaged as either employees or independent contractors of critical infrastructures,they may be inclined to exploit deficiencies in critical infrastructures monitoring systems rather than directly attacking the system from the outside.These insi

82、ders may either be direct employees of the impacted organisation or from a third party serving the essential service provider in its supply chain and frequently less subject to security controls and clearance.For example,in 2020,credentials of two Marriott employees were exploited to hack an applica

83、tion the company used as part of their guest services exposing the records of over 5 million guests.23Hacker groupsHacker groups frequently employ malware,phishing,or other hacking methods to attack critical infrastructures.They tend to infiltrate and disrupt the operations of critical infrastructur

84、es and engage in extortion tactics against governments or critical infrastructure providers.24 It is worth mentioning that certain hacker groups,instead of directly engaging in cyberattacks,distribute ransomware to smaller groups or individuals,thus a part of a larger and complex ecosystem of very s

85、pecialised cybercriminal organisations,more resilient to takedowns and prosecution.This trend has led to a significant rise in the number of criminals utilising ransomware and the overall magnitude of cybercrimes these days.25 Examples include the Lazarus Group behind the WannaCry ransomware attack2

86、6,REvil mostly known for the Kaseya attack and reportedly responsible for 37%of ransomware attacks in 202127 or Lapsus$pursuing attacks against companies and government agencies with social engineering tactics.28HacktivistsUnlike the aforementioned attackers,hacktivists are usually motivated more by

87、 political or social views rather than financial interest.Most of the hacktivists engaged in cyberattacks do so with the intention of seeking alternative means to influence policy and bring about societal changes.It is important to note that their primary motivation is not personal gain.Nevertheless

88、,this ideological aspect poses a potential challenge for providers of critical infrastructure services,as the attacks cannot be resolved through monetary solutions alone.For example,Anonymous has claimed responsibility for disabling prominent Russian government,news and corporate websites and leakin

89、g data.2918 www.enisa.europa.eu/publications/enisa-threat-landscape-2023/download/fullReport19 20 www.enisa.europa.eu/publications/enisa-threat-landscape-2020-insider-threat/download/fullReport23 24 www.ncsc.gov.uk/whitepaper/ransomware-extortion-and-the-cyber-crime-ecosystemhttps:/www.ncsc.gov.uk/w

90、hitepaper/ransomware-extortion-and-the-cyber-crime-ecosystem26 28 29 2024|ICC Working Paper:Protecting the cybersecurity of critical infrastructures and their supply chains|102.2 Threats and their impactThe types of threats posed to critical infrastructure,span from sophisticated malware and supply

91、chain attacks to physical intrusions and denial-of-service assaults.While the methods used by malicious actors to disrupt the functioning of critical infrastructures are oftentimes similar to cyber threats in general,their potential to cause widespread and severe consequences is significantly more p

92、ronounced.Cyber threats to critical infrastructure can lead to widespread disruption in essential services,affecting large populations.This can include power outages,transportation disruptions,water supply issues,and more,impacting public safety and the economy.They may pose direct threats to human

93、safety.For example,disruptions to a transportation system could compromise the control of traffic signals or disturb railway operations,leading to accidents.Given the highly interconnected and interdependent nature of critical infrastructure systems,a disruption in one sector can have cascading effe

94、cts on others.For example,a power outage can impact healthcare,communication,and transportation systems.Furthermore,given the central role of critical infrastructures for the functioning of a country,disruptions to these systems can have significant national security implications.It is important to

95、emphasise that it is not only availability of these essential services which is important;in most cases,confidentiality and integrity are also affected and this is damaging society in similar or even more severe ways.For example,personal data leakage cannot be reverted once occurred and will harm pe

96、ople beyond the actual incident duration.The most common threats on critical infrastructures and essential services include:30Denial-of-service and distributed denial-of-service attacksCyber threats to critical infrastructure often include attempts to disrupt services through denial-of-service attac

97、ks(DoS),which are designed to flood a server with traffic,thereby making the website or online servers of critical infrastructure unavailable.31 Additionally,a DoS attack may be conducted by using multiple computers to flood a targeted system,known as a distributed denial-of-service(DDoS)attack.32 T

98、he focus may be on overwhelming communication networks,rendering them unable to coordinate and respond effectively.33Targeted exploitation or disruption of industrial control systemsCyber threats to critical infrastructure often involve the targeted exploitation or disruption of industrial control s

ystems (ICS) and supervisory control and data acquisition (SCADA) systems, used to manage and automate critical processes in sectors like energy, water, and manufacturing. Unlike typical cyberattacks that primarily focus on data theft or system disruption, attacks on critical infrastructure may aim to manipulate physical processes. For example, a cyberattack on a power grid might attempt to disrupt the flow of electricity.30

31 Ibid.
33 The scale of DDoS attacks has increased over time. As per the findings of Google, a massive DDoS attack they blocked was 7.5 times larger than the largest attack they had previously blocked in 2022. Emil Kiner & Tim April, Google mitigated the largest DDoS attack to date, peaking above 398 million rps.

Sophisticated malware

Cyber threats to critical infrastructure often involve sophisticated malware and advanced persistent threats. These threats are designed to remain undetected for extended periods, allowing attackers to gather intelligence, escalate privileges, and carry out coordinated attacks with significant impact.34

Exploitation of zero-day vulnerabilities

Zero-day vulnerabilities are commonly gathered and exploited by the various types of malicious cyber actors. These vulnerabilities are especially serious since there is no way to know they are being exploited until some actual impact happens. The underground market for these vulnerabilities offers those who discover them illicit rewards that surpass manyfold the rewards of the legal bug bounty programmes run by the providers of the affected technologies.

Social engineering

Social engineering refers to the tactics used to exploit human behaviour or error to gain access to internal systems. One of the most widely used tactics is phishing, where attackers adopt a false identity to send emails or text messages or make calls to unsuspecting victims. The goal is to trick them into submitting crucial information, such as bank account numbers or passwords, or unknowingly downloading malware.35

Physical access and hybrid attacks

Critical infrastructure often involves physical assets like power plants, dams, and transportation systems. Threat actors may attempt to gain physical access to these facilities, either directly or through insider threats, to compromise systems from within. They may employ hybrid attacks, combining various cyber techniques with physical actions. Multi-vector campaigns may involve cyber components alongside other forms of sabotage or disruption.

Triple extortion

Triple extortion is a tactic used by ransomware attackers, where in addition to stealing sensitive data
from organisations and threatening to release it publicly unless a payment is made, they also target the organisations' customers and/or business partners and demand ransoms from them too. This means that the attackers not only encrypt the victim's data and demand a ransom for its release, but also exfiltrate the data and threaten to release it publicly, and launch a denial-of-service attack to further pressure the victim into paying the ransom.

Supply chain attacks

Attacking critical infrastructures through the software supply chain is one of several possible threat vectors that attackers can exploit. Supply chain attacks are a growing and increasingly sophisticated form of cyber threat. They target the complex network of relationships between customer organisations and their suppliers, vendors, and third-party service providers vital to the supply chain.36 One supply chain attack taxonomy has been proposed by the European Union Agency for Cybersecurity (ENISA), see Figure 1, containing four parts: i. attack techniques used on the supplier, ii. assets attacked in the supplier, iii. attack techniques used on the customer, iv. assets attacked in the customer. A supply chain attack is a combination of at least two attacks: the first on a supplier, which is then used to attack the target to gain access to its assets. The target can be the final customer or another supplier. Therefore, for an attack to be classified as a supply chain one, both the supplier and the customer have to be targets.37

34 www.cmu.edu/iso/aware/dont-take-the-bait/social-engineering.html
36 In the MOVEit supply chain attack, the attackers, Cl0p, exploited a vulnerability in the MOVEit Transfer tool, thereby gaining access to the data stored in the database. The incident affected more than 620

Figure 1: Taxonomy for supply chain attacks
Supplier, attack techniques used to compromise the supply chain: malware infection; social engineering; brute-force attack; exploiting software vulnerability; exploiting configuration vulnerability; open-source intelligence (OSINT).
Supplier, supplier assets targeted by the supply chain attack: pre-existing software; software libraries; code; configurations; data; processes; hardware; people; supplier.
Customer, attack techniques used to compromise the customer: trusted relationship (T1199); drive-by compromise (T1189); phishing (T1566); malware infection; physical attack or modification; counterfeiting.
Customer, customer assets targeted by the supply chain attack: data; personal data; intellectual property; software; processes; bandwidth; people; financial.
Source: ENISA, Threat Landscape for Supply Chain Attacks, 2021

2.3 Added complexities in responding to threats on critical infrastructure

In addition to the vast web of malicious actors and threats, one of the pivotal complexities in safeguarding these vital systems lies in the nuanced interplay between the public and private sectors, where responsibilities for cybersecurity are often entwined.

Public-private collaboration and responsibilities

Whether critical infrastructure is managed by the public or the private sector, or a combination thereof, under the supervision of government authorities, it is imperative to establish a clear delineation of duties and obligations between the private sector and government authorities to facilitate cybersecurity. Specifically, the following should be clarified:

Vertical roles and responsibilities: Government authorities function as supervisors, overseeing the overall direction and general target of cybersecurity requirements, as well as contingency actions during cyber incidents. On the other hand, businesses are the practitioners, bearing the lead responsibilities for maintaining the daily routine of cybersecurity. Failure to establish a clear delineation of roles and responsibilities may hinder the effectiveness of these public-private partnerships. For example, despite the importance of information sharing, the private sector might be reluctant to trust the authorities with their sensitive corporate information, as this creates additional risks of unwanted data leaks and potential legal liabilities.38 Given the complexities of this case, it is crucial for
all stakeholders involved to collectively consider the option of adopting an alternative solution.

Horizontal roles and responsibilities: More often, a cyber incident may involve multiple government authorities, thereby complicating the roles and responsibilities regarding critical infrastructure. This often contributes to different perspectives on the delineation of authority between daily supervision and handling the emergency of a cyberattack.39 In light of this, it is advisable that the delineation of roles and responsibilities among the central supervising authority, the local supervising authority, and the cybersecurity authority be carefully defined for a variety of scenarios, including but not limited to daily maintenance, cyber incidents, and post-incident audits. Furthermore, the government should ensure that these delineations are clearly understood by both the authorities and the private entities involved.

38 www.gost.isi.edu/cctws/delroso-ghosh.PDF

Cross-border implications

Some critical infrastructure, such as finance networks or sub-sea cables, often crosses national boundaries, and critical infrastructure supply chains exhibit an even greater degree of international linkage. Furthermore, cyber threats themselves know no boundaries. All this creates complications for businesses operating across several jurisdictions. As the operations of critical infrastructure may expand across national boundaries, it is important to recognise that the cybersecurity of critical infrastructure and supply chains will also be subject to the influence of global political conflicts, impacting the business continuity of critical infrastructures and their supply chains. For instance, in the current global landscape, some countries are imposing restrictions on the import and export of certain goods and technologies to safeguard their national security. Consequently, companies operating in multiple jurisdictions are facing growing compliance challenges
and increased costs. This trend is particularly evident in cybersecurity, where governments are taking measures to protect their critical infrastructure from potential risks.40

Besides the geopolitical conflict leading to restrictions on critical components, thereby obstructing the sourcing of components for critical infrastructure, uneven policymaking remains the broader and deeper issue at hand. As discussed above, though the general principle used to identify a critical infrastructure is similar worldwide, there is no unified definition of critical infrastructure. In addition, the inconsistent contingency measures, reporting requirements and post-event improvement processes across countries further complicate compliance for companies that provide domestic and cross-border critical infrastructure services and for the suppliers in critical infrastructure supply chains. For instance, in some jurisdictions, the competent authorities have designated particular critical infrastructure providers to be subject to more stringent regulations. These regulations encompass the establishment of comprehensive cybersecurity maintenance plans and the mandatory reporting of any cyber incidents to the relevant authorities as soon as they become aware of such occurrences.41 Conversely, certain jurisdictions, like Japan, do not explicitly identify critical infrastructure providers.42 Instead, they develop their cybersecurity policies as non-binding guidelines, thereby not imposing an obligation on critical infrastructure providers to report cybersecurity incidents, unless said incidents pertain to personal data breaches or other heavily regulated industries. Notwithstanding, subsequent to the promulgation of the Act on the Promotion of National Security through Integrated Economic Measures, the competent authorities in Japan shall commence the identification of critical infrastructure providers and undertake additional supervision and regulatory measures.43 In sum, a standardised framework is recommended for defining and implementing measures for the operation of critical infrastructure and for international cooperation.

39 In the case of an oil pipeline company, the competent authorities responsible for overseeing the company's daily routine should be the government sectors in charge of energy and transportation. However, when it comes to addressing a cyberattack, the competent authorities may be the sectors responsible for information infrastructure. In the case of a cybercriminal incident, however, the pipeline company might only notify the sectors of energy and transportation of the hindrances to its daily operations, while disregarding the sectors of information infrastructure, which possess more competent capabilities to offer suggestions and prevent the further expansion of damages.
www.cybersolarium.org/csc-2-0-reports/revising-public-private-collaboration-to-protect-u-s-critical-infrastructure/
40 Both the US and China have implemented restrictions on the use of specific devices and components manufactured by the other within their respective jurisdictions in order to mitigate potential risks. With the increasing focus on cybersecurity, this approach is becoming increasingly common, resulting in heightened compliance costs for critical infrastructure operating across multiple
www.ec.europa.eu/commission/presscorner/detail/el/MEMO_16_2422

Cost implications

As critical infrastructure delivers the services that are most fundamental to people's lives, companies often have to perform a balancing act between offering those vital services at a competitive price to consumers and ensuring that critical infrastructure is as resilient as possible. Governments
should be cognisant of this fact and think about how to support companies to improve resilience. As previously mentioned, critical infrastructure is vital to a country's operation, yet it is often built, operated, and owned by the private sector. To safeguard the basic welfare of the public, many governments implement price regulations on the services that are essential to the public, including water, energy, and telecommunications, often in consideration of the domestic economic condition. Consequently, the imposition of price regulation may hinder the private sector's capacity to generate profits. For instance, in Finland, the Electricity Market Act serves as the governing legislation for the energy industry. One crucial aspect that it addresses is the establishment of outage time limits, accompanied by corresponding penalties in the form of compensation to consumers. In the 2013 amendment, the Electricity Market Act introduced additional requirements for operators to meet resilience targets for weather hazards, which they must adhere to by the end of 2028, and they are required to submit an investment plan to the energy authority every two years to demonstrate their progress. On the other hand, the regulation allowed these operators to raise distribution prices, up to a maximum increase of 30% in some instances. However, due to strong public and political reaction, the price increase was later capped at 15% per year, thereby creating cash-flow problems for some operators. This example highlights that, despite the importance of improving the resilience of critical infrastructure, balancing public expectations, operators' incentives and affordability is equally important.44 Given the private sector's profit-driven nature, it is advisable for government authorities to promote cybersecurity across critical infrastructure providers through the implementation of tax deductions, loans at prime rates, subsidies, and other incentives.

44 www.oecd-ilibrary.org/sites/93ebe91e-en/index.html?itemId=/content/component/93ebe91e-en

3. Protecting critical infrastructure and supply chains: where are we now?

3.1 Protecting critical infrastructure and essential services

The mechanisms for applying digital protection to critical infrastructures (whether digital or not) and essential services are already well known and, apart from new risks that may arise with the arrival of new paradigms such as AI or quantum computing, the basic security processes can be identified in any of the standard cybersecurity frameworks that various organisations (ISO, NIST, ISF, etc.) have been developing over the past few decades. The real difficulty comes from the impossibility of protecting everything, for a simple matter of efficiency or even effectiveness (complex ecosystems cannot be secured with simple processes, as they require segmentation for focused protection).

Industry best practices

In response to cyber threats, the private sector bolsters resilience and recovery by adopting comprehensive security measures, including maintaining robust asset inventories, developing incident response plans, implementing strong data backups, ensuring up-to-date systems with the latest security patches and zero-trust architectures, as well as a sound supply chain policy. Cybersecurity training also comes into play as a crucial component, giving employees the necessary knowledge of best practices, aiming at building a strong security posture of systems and services from the inside out. Generally, businesses recommend the following tools and good practices to prevent or tackle cybersecurity attacks:

- Maintaining an effective inventory of assets and robust perimeter surveillance with vulnerability management tools. This is especially important for critical infrastructure protection.
- Regularly backing up important data, stored in a properly
protected system.
- Establishing security privilege policies to restrict unnecessary user access, while keeping systems up to date with the latest security patches. This is particularly relevant in the case of OT systems with access to non-replicated or safety-critical infrastructure.
- Utilising endpoint detection and response (EDR) systems, including multifactor authentication for publicly exposed assets.
- Implementing advanced cross-layer detection and response solutions on all platforms.
- Employing up-to-date antivirus signatures and configuring firewalls at the application level.
- Paying attention to vulnerabilities in backup and storage appliances, VPN software, and gateways, and patching software to address vulnerabilities for both server and client applications.
- Applying zero trust principles across the network architecture.
- Adding cyber-defence capabilities (based on a SOC, Security Operations Centre) to processes, technologies, and operations, as well as developing detailed incident response plans (IRP), with procedures for incident response strategies, and providing dedicated incident response teams (IRT).
- In the face of potential operational disruptions and financial burdens, essential service providers are increasingly turning to partnerships and cooperative initiatives as a cornerstone of their defence. Monitoring cyberattack trends, information sharing and collaboration with regional authorities and other essential service providers is key.
- In cases of cyberattacks, deploying forensic investigation to analyse the whole modus operandi employed by the attackers, assess the vulnerabilities that enabled the initial access, and identify whether the cybercriminal accessed sensitive information or breached integrity allows future improvements.
- Conducting cybersecurity trainings to educate employees, performing regular security audits to test mechanisms and minimising external exposure of the internal networks.
- Consider that the supply chain is key not only to maintaining the efficiency and quality of service to customers, but also to ensuring that the potential compromise of one element of the chain does not affect other elements and the service as a whole. This has been the case in some of the most high-profile recent incidents (SolarWinds, Colonial, more recently the Ivanti VPN vulnerabilities, etc.).
- Consider on-demand support and the formation of coordinated defence teams that operate across national boundaries to provide rapid and effective responses during large-scale cyber incidents. These teams will play a pivotal role in mitigating the impact of significant cyber threats on critical infrastructure.45

So, which are the key aspects that should prevail in order to significantly improve the level of resiliency of essential services and critical infrastructure protection? To minimise the impact of potential disruptive situations, essential service providers need to build resilience and adopt best practices in risk management to protect critical infrastructures and end-to-end services. Adopting the new Business Under Disruption way of working involves working on aspects such as:

- Identifying essential assets and services and defining downtime and recovery times.
- Understanding the interconnectedness of the business with other businesses, with particular attention to the supply chain.
- Using linked risk scenarios, updating the risk map and concurrent event scenarios. It should cover activities such as identification (of assets), protection, prevention, detection, response, recovery, learning, evolution, and communication.
- Risk management will include the digital operational resilience strategy including, among others, performance indicators, deviation treatment, risk measurement parameters, test execution, incident reporting, audits, etc. to achieve the specific ICT objectives, as well
as, among others, the risk analysis methodology for confidentiality, integrity, availability, and authenticity of information.
- Performing tests on systems in production and determining the level of awareness.

Policy and regulatory approaches to cybersecurity of critical infrastructures

As said above, any of the existing cybersecurity frameworks is sufficient in itself to increase the resiliency of such services and infrastructures (digital-wise). Examples are the Cybersecurity Framework (CSF) from NIST or the recently updated ISO 27001:2022, which brings the more structured ISMS (information security management system) approach on board. Different regulatory schemes intend to contribute by setting requirements (instead of standards), such as DORA for the financial sector, NIS2 for digital providers, and the Cybersecurity Resiliency Act, which encompasses not just critical infrastructures but digital products. Best practices are yet to take hold once the DORA regulation is in place and the Regulatory Technical Standard (RTS) will be published in 2024. However, work can begin on meeting design requirements to ensure a solid foundation for the digital operational resilience of critical enterprises and entities. However, the dynamics of the markets for different services place severe constraints on how much a key service provider can demand and evaluate security requirements. While certifications to cybersecurity frameworks serve this purpose, they are still limited in a scenario of decreasing business margins, where all parties in the services are looking for reduced costs and efficiencies, to the point of cutting corners on controls (security controls included). Also, at national level, different regulations exist to bring more generic frameworks down to earth and to ease further compliance checks by regulatory bodies. These include, for example, the ENS in Spain for the public sector and the TSA in the UK for communication service providers. In China, the Ministry of Transport released CII Security Protection Management Measures for the transportation sector, which require CII operators in the transportation sector to comply with a series of compliance obligations. In Australia, the Security of Critical Infrastructure (SOCI) Act (2018)46 defines critical infrastructure sectors and sets out their obligations. As part of a major wide-ranging national Cyber Security Strategy (2023-2030),47 the government is in the process of drafting a number of key amendments to the SOCI Act, which will, among other things, include data storage systems in the scope of business critical data (of a critical infrastructure asset), improve national responses to significant incidents, simplify government/industry information sharing in crisis situations, and consolidate telecommunications security requirements in the one Act. These amendments (and the strategy more broadly) seek to ensure that the right entities and assets are being protected, ensure compliance with cyber security obligations, and provide the needed help to critical infrastructure to manage the consequences of cyber incidents. Appropriate mapping across these frameworks is required, as in many cases essential service providers have to deal with different regulatory demands across geographies and sectors of activity (e.g. a financial arm of an Internet service provider may have to comply with both telecoms and financial regulations, and a number of others depending on the countries and customers it serves).

45 www.digital-strategy.ec.europa.eu/en/policies/cyber-solidarity
46 www.legislation.gov.au/C2018A00029/latest/text
47 www.homeaffairs.gov.au/cyber-security-subsite/files/2023-cyber-security-strategy.pdf

3.2 Securing the supply chain of critical infrastructures

The current state of Cyber Supply Chain Risk Management (C-SCRM) across critical infrastructure sectors globally is difficult to generalise. On the one hand, it is fair to say that a significant portion of critical infrastructure in some markets is owned and operated by the private sector. In the US, official estimates place private ownership of critical infrastructure at 85%.48 In the EU, it is 80%.49 In the
UK, approximately 50% of critical infrastructure is owned and operated privately,50 while in many other markets, such as China, the Middle East and others, state ownership of critical infrastructures is the prevalent model. On the other hand, however, the various private sector and state-owned entities that constitute the global community of critical infrastructure owners and operators are as diverse as they are numerous. These entities span the spectrum from large, multinational corporations to small, independent producers, service providers, independent contractors, and sub-contractors. Aside from the difference in ownership models across countries, the definition and hence the scope of what is deemed a critical infrastructure in a given jurisdiction varies across countries, from none to comprehensive definitions and frameworks, as shown in Annex I. Differences in key definitions, among others, may lead to international policy challenges when attempting to develop international best practices and rules that aim to strengthen the cybersecurity and resilience of critical infrastructures at regional or global level. The World Economic Forum's Global Cybersecurity Outlook 202451 identified, among others, a growing cyber-resilience gap between large and small- and medium-sized enterprises, highlighting an additional challenge when considering the security and resilience of the supply chains of critical infrastructures. The situation is further aggravated by an expanded threat surface, created by connecting, through IoT, the operational technologies controlling the systems of energy, water, sewage, and other critical infrastructures. Since the practice of "air gapping", or physically segregating digital networks, has given way to the demands of broader interconnectivity through IoT technology and the integration of legacy systems with more modern software, supply chain breaches have become an attack vector favoured by malicious actors. It follows, then, that all these entities operating critical infrastructures have varying modes of ownership, face different regulatory frameworks, and possess different degrees of resources, expertise, and capacity to properly secure their operations and their supply chains.

What is cybersecurity of the supply chain about?

As in security more broadly, cybersecurity is a risk-management activity, as there is no such thing as 100% security. In principle, risk management procedures consist of four core tasks: risk identification, assessment and measurement of risks, treatment, and monitoring. One high-level descriptive example of a risk management process is provided by the Australian Government.52

48 www.gao.gov/products/gao-09-654r
49 www.nic.org.uk/themes/design-funding/
51 www3.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2024.pdf
52 www.austrac.gov.au/business/core-guidance/amlctf-programs/implement-risk-management-process

Exploiting vulnerabilities in existing software supply chains rather than
targeting end-users has enabled these actors to magnify their impact, compromising multiple accounts simultaneously and surreptitiously breaching accounts that may be more difficult to infiltrate directly. While supply chain cyber infiltrations are not a completely new phenomenon, with multiple known supply chain breaches occurring as far back as 2013,53 the discovery of the breach of the SolarWinds Orion IT monitoring and management platform in December 2021 marks a watershed event in the growth of this threat vector. Statista, the online statistics and survey platform, reports that the number of software packages worldwide affected in known supply chain attacks increased from 700 in 2019 to more than 185,000 in 2022,54 and there is no end in sight. Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.55 Total economic loss from supply chain attacks, albeit a fraction of the aggregate cost of cyberattacks,56 is expected to grow exponentially. Cybersecurity Ventures, a leading cybersecurity researcher, forecasts that economic loss to global business from supply chain attacks will grow by 15% year-over-year for the next years. Thus, the 2023 estimated cost of $45 billion is expected to rise to $138 billion by 2031.

The good news is that government and industry have begun to take notice and are taking action. There is widespread recognition that to achieve more effective supply chain security, practitioners must address the problem comprehensively. For example, mitigating software supply chain risk requires that sound security practices be incorporated into the in-house coding process at the beginning of the product development cycle, securing third-party commercial software as well as open-source software. Thus, in well-resourced organisations with mature security programmes, developers have adopted practices such as consistent code reviews, disciplined internal vulnerability management and aggressive patching protocols, especially concerning third-party dependencies.57

Industry best practices

Regarding
the protection of the supply chain, the use of best practices58 like the ones below could be considered:59

1. Focus on a set of priority security requirements based on an assessment of risk, a short list instead of over-loading the supplier, and ensure monitoring, oversight, and compliance. In addition, take into account industry references and recommendations when they are available, such as IEC 62443 in industrial cybersecurity.
2. Reduce the impact of third-party incidents via discrete actions like diversifying the supply chain, applying zero trust policies,60 developing incident response plans, conducting tests, and demanding early reporting of incidents by suppliers.
3. Actively partner with suppliers to help them improve their security programmes, offering service mechanisms and trainings to protect against or respond to incidents as they occur. Third-party incidents will happen, so preparing to manage the impact on the enterprise must be a core priority.
4. Consider leveraging emerging technologies such as blockchain for information sharing and asset management to minimise the consequences of third-party cyber incidents, as well as artificial intelligence and advanced analytics to scale incident detection and response capabilities.
5. Add incentives and enforcements to contracts, setting requirements for suppliers based on international standards (e.g. ISO 27001 Information Security, ISO 27701 Privacy, ISO 22301 Security and resilience).
6. Establish processes to increase business leaders' involvement in managing third-party cyber risks. Doing so needs to be a priority at the most senior levels.

56 www.weforum.org/publications/global-cybersecurity-outlook-2024/
57 www.go.snyk.io/2023-supply-chain-attacks-report-dwn-typ.html?aliId=eyJpIjoidFd0SVpwb0R6M2VNeUMrMyIsInQiOiJGRUE3VFdwTDB4Tk95TzkzTERadzRRPT0ifQ%253D%253D
58 www.cybertechaccord.org/best-practice-alignment-for-supply-chain-security-across-standards-and-regulatory-frameworks/
60 www.cybertechaccord.org/zero-trust-once-again/

In the context of ICT supply chain risk management, for example, a supply chain risk management process61 could cover internal software development, consumption of upstream third-party software, including open-source software, secure coding practices, vulnerability scanning, vulnerability testing, penetration tests, and operations. It is important to recognise that software supply chain security is just one element of supply chain security, but from a cybersecurity perspective, a key one to consider. Due to technological evolution in how software is developed and delivered, such as the continuous integration and continuous delivery (CI/CD) workflow, DevSecOps62 has evolved to address the need to build in security continuously across the software development life cycle. Another important development in the app-driven world is the application programming interface (API). Simply put, an API is a type of software that acts as an interface or connection point, enabling two different applications or functions to communicate with each other. From banks, retail, and transportation to communication networks, IoT, autonomous vehicles and smart cities, APIs are a critical part of modern mobile, software as a service (SaaS) and web applications and can be found in customer-facing, partner-facing and internal applications. Taking these and other technological developments into account, a secure software supply chain based on the SRM is visualised in Figure 2.

Figure 2: Securing the software supply chain based on the Ericsson Security Reliability Model
Source: Ericsson, Security Reliability Model, 2021

Open-source software security

Many ICT vendors and communication service providers leverage open-source software (OSS) for their software projects and products, with the purpose of enabling communications service providers to build open, interoperable networks at a lower cost. Examples of industry collaborations promoting the use of open-source code are the Open Network Automation Platform (ONAP) and the O-RAN Software Community (OSC) hosted by the Linux Foundation, and OpenStack hosted by the OpenInfra Foundation. OSS has inherent benefits that can provide secure code, but also has inherent security risks that require a higher level of due diligence. It is the responsibility of the software product vendor to ensure proper safeguards are in place for the secure use of the shipped product with OSS and proprietary software components. The Open Source Security
214、Foundation(OpenSSF)is another organisation that is promoting standards for assurance of open source across the industry.63Use of open-source software requires a higher level of due diligence which organisations can implement by applying industry best practices for supply chain management,secure soft

215、ware development,and secure software maintenance.There are government and industry organisations available to help,including DARPA AIxCC64,the US Department of Commerces National Institute of Standards(NIST),The Linux Foundation,and 61 62 63 www.openssf.org/64 2024|ICC Working Paper:Protecting the c

216、ybersecurity of critical infrastructures and their supply chains|20OWASP.The Linux Foundation Core Infrastructure Initiative has a Best Practices Badge for open-source projects to self-attest.OWASP has made available many automated vulnerability detection tools that are available for free to open-so

217、urce projects.According to CISA65,in order to secure open-source software,it is important to understand the relevant attacks and vulnerabilities.CISA is broadly concerned about two distinct classes of open-source software vulnerabilities and attacks:1.The cascading effects of vulnerabilities in wide

218、ly used open-source software.As evidenced by the Log4Shell vulnerability,the ubiquity of open-source software can cause vulnerabilities to have particularly widespread consequences.Given the prevalence of open-source software across government and critical infrastructure including the widely use of

219、open-source software in closed-source software,the widespread and distributed nature of open-source software can magnify the impact of open-source software vulnerabilities.2.Supply-chain attacks on open-source repositories leading to compromise of downstream software.The second category of risks is

220、the malicious compromise of open-source software components,leading to downstream compromises.Examples include an attacker compromising a developers account and committing malicious code,or a developer intentionally inserting a backdoor into their package.Real-world examples include embedding crypto

221、 miners in open-source packages,modifying source code with protestware that deletes a users files,and employing typosquatting attacks that take advantage of developer errors.Policy and regulatory approaches to cybersecurity of supply chainsThe globalisation of the enterprise supply chain poses new c

222、hallenges to ensure effective risk management in line with national security interests,which may call for tailor-made requirements.Indeed,governments around the world are using the power of regulation and legislation to encourage,and in some cases,mandate secure software development practices.In the

223、 US,the Biden Administration issued the Executive Order on Improving the Nations Cybersecurity(EO 14028)in May 2021,on the heels of the discovery of the SolarWinds breach.Among other things,the EO mandated that commercial software utilised by the federal government must adhere to certain guidelines.

224、These guidelines,developed by the National Institute of Standards and Technology(NIST)and released in two separate publications in February 2022,the NIST Special Publication(SP)800-218:Recommendations for Mitigating the Risk of Software Vulnerabilities and the NIST Software Supply Chain Security Gui

225、dance require federal agencies and private sector providers contracting with the federal government to employ such measures as encryption,continuous monitoring,multi-factor authentication,vulnerability management,Software Bills of Materials(SBOMs)and numerous other requirements.While not mandatory f

226、or private sector providers outside of the government contracting space yet,they use of these guidelines establishes a standard of supply chain security that is widely recognised and encouraged,elements of which may become mandatory in subsequent legislation and/or regulation.In September 2022,the E

227、uropean Commission proposed the Cyber Resilience Act(CRA)to improve cybersecurity and cyber resilience in the EU.The CRA aims to establish common security standards for all products with digital elements in the EU.The CRA will require manufacturers of products with digital elements to implement appr

228、opriate cybersecurity measures across the lifecycle of the product.This will include conformity with“essential cybersecurity requirements”during the design and development stage with initial cybersecurity assessments and ongoing vulnerability management and updates as well as incident reporting thro

229、ughout the product lifecycle.Common agreement on the final text of the CRA was reached in December 2023 and a final approval from the European Parliament and the European Commission is expected in 2024.In addition,Europes recently approved Regulation(EU)2022/2554 on digital operational resilience fo

230、r the financial sector(DORA),applicable from January 2025,will test the waters further on supply chain protection.It includes provisions on contracts,security standards,management of risks,rights of access,inspection and audit on suppliers,risk and resilience training and awareness-raising for staff

231、 and governance structures for security management,among others.65 www.cisa.gov/sites/default/files/2024-02/CISA-Open-Source-Software-Security-Roadmap-508c.pdf July 2024|ICC Working Paper:Protecting the cybersecurity of critical infrastructures and their supply chains|21GSMA and NIST have developed

232、IoT security guidelines for manufacturers and their supporting third parties as they conceive,design,develop,test,sell,and support IoT devices across their spectrum of customers.According to GSMA,for the IoT to continue to evolve effectively,following security challenges must be addressed:Availabili

233、ty:ensuring constant connectivity between Endpoints and their respective services Identity:authenticating Endpoints,services,and the customer or end-user operating the Endpoint Privacy:reducing the potential for harm to individual end-users Security:ensuring that system integrity can be verified,tra

234、cked,and monitoredIoT security mitigations need to be tailored for customers,applications and/or environments.Tailoring can be for business sectors or vertical industries and can add requirements,edit specific requirements narrowing or expanding how they are applied or,in rare instances,delete requi

235、rements.In October 2022,the UK National Cyber Security Centre(NCSC)released guidance for medium and large organisations to“gain assurance about the cybersecurity of their organisations supply chain.66 The guidance describes how organisations are exposed to vulnerabilities and cyberattacks through th

236、eir supply chain and defines expected outcomes and key steps to help organisations assess the security of their supply chain.The guidelines are voluntary and there is no mandatory supply chain security legislation presently in the UK.At the present time,the UK is seeking to“find an appropriate legis

237、lative vehicle”by which to update the EUs Network and Infrastructure Systems(NIS)Directive of 2018,which it hopes to accomplish in 2024.The proposed amendments include many of the same supply chain security measures discussed in the US and EU legislation/regulation.In addition,the UKs Product Securi

238、ty and Telecommunications Infrastructure Act 2022(PSTIA),replicates many of the provisions of the CRA with respect to digital products,including transparency on minimum periods for security support and vulnerability reporting,as well as banning default passwords.These provisions will become enforcea

239、ble in April 2024.In China,the Cybersecurity Review Measures(CRM)issued by the Cybersecurity Administration of China(CAC)in December 2021,established a cybersecurity review mechanism for CIIs procurement of network products and services,which affect or may affect national security.Additionally,the M

240、inistry of Industry and Information Technology(MIIT)and the CAC released the Administrative Provisions on Security Vulnerabilities of Cyber Products.The provisions require cyber product providers to take measures to manage security vulnerabilities of cyber products and report them to the Cyber Secur

241、ity Threat and Vulnerability Information Sharing Platform.67There are also initiatives underway in other markets,such as the guidance by the Canadian Centre for Cyber Security on protecting organisations from software supply chain threats68 or by the New Zealand National Cyber Security Centre on sup

242、ply chain cyber security69.Nonetheless,much remains to be done.The aim should be to achieve harmonised requirements across markets based on business best practices and international standards.Many past efforts to harmonise requirements and assessments have failed to reach agreement and have unfortun

243、ately increased the complexity of compliance,thereby increasing risk.As a result,it is proving difficult and costly for prime contractors for specific services to understand and manage the risks of multiple subcontractors.International cooperation on incident reporting obligations for critical infra

244、structure operators is another welcomed area for cooperation where international alignment can decrease complexity and administrative burdens while at the same time ensure that relevant and timely information is available to increase situational awareness and over-time expanded cumulative knowledge.

245、To further this development the steps taken between the US and EU to streamline incident reporting obligations should be further encouraged and also over time geographically broadened in relevant international forums.7066 www.ncsc.gov.uk/collection/assess-supply-chain-cyber-security67 www.cyber.gc.c

246、a/en/guidance/protecting-your-organization-software-supply-chain-threats-itsm10071 69 www.ncsc.govt.nz/assets/NCSC-Documents/NCSC-Supply-Chain-Cyber-Security.pdf 70 www.digital-strategy.ec.europa.eu/en/library/comparative-assessment-dhs-harmonization-cyber-incident-reporting-federal-government-repor

247、t-andJuly 2024|ICC Working Paper:Protecting the cybersecurity of critical infrastructures and their supply chains|22Additionally,to sustain resilience,security,trust and competitiveness of networks and supply chains,diversification is key.National security decisions restricting the critical or sensi

248、tive components from specific vendors need to be based on objective criteria,proportionate,and effectively implemented.Exclusions of suppliers may have high impact on private critical infrastructure operators costs but also impact national security,resilience,and market development.Hence,such decisi

249、ons must also take into account that private operators of critical infrastructures are not accountable for national security nor necessarily considering national security risks in their business decisions.A cooperative and coordinated approach among all stakeholders is the best means by which govern

250、ments will raise the baseline cybersecurity standards,avoiding over reporting,while generating an efficient common trust-based practice,particularly in the supply chain.A holistic approach,enhancing multistakeholder cooperation to counter cybercrime and implementing rules for responsible state behav

251、iour in cyberspace are essential to reduce cyberattacks,and thus increase security.July 2024|ICC Working Paper:Protecting the cybersecurity of critical infrastructures and their supply chains|234.Towards better protection of critical infrastructures and increased supply chain security The protection

252、 of the cybersecurity of essential services and critical infrastructure and their supply chains requires a balanced,well-targeted,and proportionate approach for all service providers of critical infrastructure and essential services,paired with an appropriate national and international regulatory fr

253、amework with sufficient public capacity to enforce and incentivise appropriate behaviour.As perfect cybersecurity is an elusive goal,residual risks need to be mitigated by measures aimed to decrease potential threats.These measures involvei.disrupting cyber threat actors,i.prosecuting cybercrimes mo

254、re effectively,and ii.fostering urgent,large-scale,and effective implementation of the widely agreed existing norms and rules for state behaviour in cyberspace by setting shared goals for action.Well-designed public-private partnerships are also necessary for normative development and cross-sector i

255、nvestment to support the continued evolution of required level of protection and hence resilience of essential services and their supply chains.The fundamental cybersecurity challenge to protect essential services,critical infrastructures,and their supply chains can be generally summarised into thre

256、e points:1.Need for transnational agreements for the establishment of baseline cybersecurity outcomes and objectives.Fragmentation at this level is not an effective cybersecurity approach,but rather creates complexity,inefficiencies and increased costs ultimately negatively impacting all stakeholder

257、s.Common approaches can be facilitated by:a.Alignment across supply chains on the development and use of technical security standards.b.Alignment on and implementation of risk-based security risk management frameworks for the suppliers and the operators of critical infrastructure and essential servi

258、ces.c.Clarity on the roles and responsibilities for cybersecurity across the value chain.Suppliers are accountable and responsible for their products and solutions,and operators of critical infrastructure and essential services are responsible for the security of critical infrastructure and services

259、.Nation states are responsible to disrupt cyber threat actors and decrease cyber threats that critical infrastructure and essential service providers and suppliers are exposed to.2.Need to decrease cyber threats,including cybercrime originating from criminal groups and threats by states or state-spo

260、nsored cyber actors.3.Identification of incentives and deterrents for cybersecurity investment that isolate the resilience cores of essential services and critical infrastructure,likely changing the way such services and infrastructures are designed,deployed,and operated.Along the same lines,it woul

261、d also be how the objectives of economic profitability and competition between service providers are balanced with the appropriate levels of public investment in support of the social relevance of essential services and critical infrastructures,beyond reinforcing with regulation the strict requireme

262、nt of resilience of the same.Neither of these three points can be solved by simple or immediate measures.July 2024|ICC Working Paper:Protecting the cybersecurity of critical infrastructures and their supply chains|24Recommendations for private sector actorsAs noted in the industry best practices sec

263、tions above,businesses already work to apply the basic security controls helping to prevent the attacks and mitigate the risks.These efforts should be adopted and implemented at a large scale across regions and sectors.As a reminder,the common good practices are:Implement a cybersecurity risk manage

264、ment framework for assets and their supply chain;Ensure to follow suppliers configuration and hardening recommendations when deploying assets into operational environment;Maintain an effective inventory of assets and robust perimeter surveillance with vulnerability management tools;Regularly back up

265、 important data,stored in a properly protected system and perform restoration tests;Pay attention to vulnerabilities in backup and storage appliances,VPN software,and gateways and patching software to address vulnerabilities for both server and client applications;Establish a zero trust approach,fol

266、lowing the principle“never trust,always verify”and across network architecture;Utilise multifactor authentication;Utilise endpoint detection and response(EDR)systems,while being mindful that automated response can lead to service disruptions unless well tested in the specific context,including in ED

267、R configuration changes and life cycle management.Implement advanced and automated cross-layer detection and response solutions on all platforms while minimising negative impacts on the expected quality of service;Employ up-to-date antivirus signatures and configure firewalls at the application leve

268、l;Add cyber-defence capabilities to processes,technologies and operations;Develop detailed incident response plans(IRP),with procedures for incident response strategies and set up a dedicated incidence response team(IRT);Conduct crisis drills often to understand the organisations level of preparedne

269、ss;Conduct cybersecurity trainings to educate employees,perform regular security audits to test mechanisms and minimise external exposure of the internal networks;and Consider that the supply chain is key not only to maintaining the efficiency and quality of service to customers,but also to ensuring

270、 that the potential compromise of one element of the chain does not affect other elements and the service as a whole.Recommendations for policymakers If not already in place,set up an independent cybersecurity agency with specialised staff and budget and specified goals and means including regularly

271、 coordinating cyber exercises.Adopt a holistic71 public cybersecurity approach that i)considers the entire lifecycle of products and services on which operators rely,ii)gathers all relevant stakeholders and iii)is coordinated across the entire government and at the international level.Given the incr

272、easing complexity of communication networks supply chain and lifecycle,no single stakeholder can be held entirely responsible for enhancing overall digital security.Thus,when governments design policies to enhance the digital security of communication networks,they need to consider the following fou

273、r categories of stakeholders,which have a specific role in digital security risk management:71 www.oecd-ilibrary.org/science-and-technology/enhancing-the-security-of-communication-infrastructure_bb608fe5-en July 2024|ICC Working Paper:Protecting the cybersecurity of critical infrastructures and thei

274、r supply chains|25 OCommunication network operators;OUsers,including industrial users such as operators of other critical activities;OSuppliers of products and services,including hardware equipment and software,system integration,managed services,and cloud services;and OStandard development organisa

275、tions(SDOs).There is often a patchwork of legislative instruments regulating cybersecurity obligations affecting the same actors and different agencies in charge.A holistic approach also includes coordination and alignment in demands across different governmental agencies,such as the government depa

276、rtment in charge of communication policy,the communication regulator,the digital security regulator,the competition authority,the department in charge of economic development,and others.A clear definition of responsibility and/or mandates between the different bodies is also essential.Develop a nati

277、onal security plan for critical infrastructure and essential services in partnership with the private and public sectors.Ensure transparency on designation of critical infrastructure and essential services,working with industry to determine how critical infrastructure should be identified,including

278、supply chain risk mitigation and covered suppliers.Improve policies on the protection of supply chains,including the implementation of international standards,and mutual recognition of regional standards.Create information sharing mechanisms,both voluntary and mandated,and ensure that there is a two

279、-way flow of information.Ensure that businesses know exactly which agencies are involved in not only the regulation of critical infrastructure,but also in assisting in the event of an attack.Build a culture of cybersecurity and ensure the development of cybersecurity talent.Invest in capacity buildi

280、ng(including human capital),raising awareness and effectively fighting against cybercrime.Recommendations on effective international collaborationA holistic national policy framework is more likely to be effective if coordinated at the international level,as supply chains for communication networks

281、are global and interconnected.No country alone would be able to build the entire supply chain of products and services critical to communication networks from scratch.Therefore,governments should:Strive to harmonise regulatory approaches on an international and cross-sector basis.Enumerate critical

282、infrastructure sectors on their own and in diplomatic forums to include traditional sectors such as water,food or energy,as well as the IT sector and in particular cloud services which underscore the maintenance and delivery of essential services.Recognise at the United Nations a new norm prohibitin

283、g state-sponsored cyberattacks targeting the ICT supply chain.Routinely issue public attribution statements following cyber incidents conducted by state actors that violate international norms or rules,noting more precisely which expectations were violated.Establish robust deterrent consequences for

284、 state-sponsored cyberattacks targeting critical infrastructure which reflect the costs associated with repair and any potential harms threatened by the attack.July 2024|ICC Working Paper:Protecting the cybersecurity of critical infrastructures and their supply chains|26Recommendations on effective

285、public-private partnerships Make cybersecurity investment an integral part of the governments national development plan.Rapid digitalisation is testing the resilience of private and public services and infrastructures,which in turn means that cybersecurity must be integrated into a countrys modernis

286、ation policy.As a best practice,some countries even set aside between 10%and 20%of the public support budget for each digital transformation project for cybersecurity,to promote cybersecurity by design.Collaborative promotion and funding of technology innovations in cybersecurity,particularly the de

287、velopment and integration of artificial intelligence technologies,is crucial for advancing defence mechanisms and effectively countering the increasing frequency and sophistication of cyberattacks.Measures to enhance cybersecurity across the critical infrastructure providers could also be encouraged

288、 through the implementation of tax deductions,loans with prime rates,subsidies,and other incentives.Encourage multistakeholder cooperation,including the structured inclusion of private sector and other stakeholder voices in diplomatic forums,at the United Nations and elsewhere,responsible for establ

289、ishing and upholding international expectations for responsible state behaviour online.Encourage and increase international cooperation among countries and between players by breaking silos,collaborating with private partners,and making use of specialised Digital Operation Centres(SOCs/DOCs)to strea

290、mline response in time of crises.Make cybersecurity requirements an element of government procurement contracts.Increase prevention measures and cybersecurity capacity building.Promote information sharing about threats by supporting information sharing and analysis centres(ISACs)and regional securit

291、y operation centres(SOCs).Dedicated knowledge-sharing platforms could help facilitate the exchange of lessons learned,effective practices,and detailed reports of cyberattacks,enhancing the collective resilience against threats to critical infrastructures.Provide funding for information sharing centr

292、es and to increase cyber resilience and fighting cybercrime.July 2024|ICC Working Paper:Protecting the cybersecurity of critical infrastructures and their supply chains|27Annex I:Overview of national and regional approaches on the cybersecurity of critical infrastructures and essential servicesRegio

293、nCountry/regional entityHow infrastructure is defined?What is designated as critical infrastructure?SourceAmericasArgentinaIn Sept 2019,Argentina passed a resolution which defined and designated critical infrastructures(CI)and critical information infrastructures(CII).Critical Infrastructures are th

294、ose that are essential for the proper functioning of essential services of society,health,safety,defence,social welfare,the economy and the effective functioning of the State,whose destruction or disturbance,total or partial,affects and/or impacts them significantly.CII are information technologies,

295、operation and communication,as well as the associated information,which are vital for the operation or security of CI.1.Energy2.Information and Communications Technologies3.Transport4.Water5.Health6.Food7.Finance8.Nuclear9.Chemical10.Space11.StateResolution 1523/2019:www.argentina.gob.ar/normativa/n

296、acional/resolu-ci%C3%B3n-1523-2019-328599/texto Definition and designation is in Annex:www.argentina.gob.ar/sites/de-fault/files/infoleg/res1523-1.pdfFurther relevant definitions:www.argentina.gob.ar/sites/de-fault/files/infoleg/res1523-2.pdf AmericasBrazilDecree No.9,573 of 22 November 2018 approve

297、d the National Critical Infrastructure Security Policy(PNSIC),which defines CI as facilities,services,goods and systems whose interruption or destruction,in whole or in part,would have a serious social,environmental,economic,political,international or security impact on the state and society.Likewis

298、e,it characterises critical infrastructure security as a set of preventive and reactive measures designed to preserve or restore the provision of services related to CI.1.Water2.Energy3.Transport4.Communications5.Finance6.Biosafety and Bioprotection7.DefenceNational Policy and security of critical i

299、nfrastructure:www.gov.br/gsi/pt-br/assuntos/seguranca-de-infraestruturas-criticas-sicwww.planalto.gov.br/ccivil_03/_ato2015-2018/2018/decreto/D9573.htmNational strategy on security of critical infrastructure:www.planalto.gov.br/ccivil_03/_ato2019-2022/2020/decreto/D10569.htmNational security plan of

300、 critical infrastructure:www.planalto.gov.br/ccivil_03/_Ato2019-2022/2022/Decreto/D11200.htmJuly 2024|ICC Working Paper:Protecting the cybersecurity of critical infrastructures and their supply chains|28RegionCountry/regional entityHow infrastructure is defined?What is designated as critical infrast

301、ructure?SourceAmericasCanadaCI refers to processes,systems,facilities,technologies,networks,assets and services essential to the health,safety,security or economic well-being of Canadians and the effective functioning of government.CI can be stand-alone or interconnected and interdependent within an

302、d across provinces,territories and national borders.Disruptions of CI could result in catastrophic loss of life,adverse economic effects and significant harm to public confidence.1.Water2.Safety3.Health4.Finance5.Transportation6.Energy and utilities7.Food8.Manufacturing9.Government10.Communication t

303、echnologyPublic Safety Canada Canadas Critical Infrastructure:www.publicsafety.gc.ca/cnt/ntnl-scrt/crtcl-nfrstrctr/cci-iec-en.aspxNational Strategy for Critical Infrastructure:www.publicsafety.gc.ca/cnt/rsrcs/pblctns/srtg-crtcl-nfrstrctr/srtg-crtcl-nfrstrctr-eng.pdfAmericasChileChile passed in Decem

304、ber 2023 a Framework Law on Cybersecurity and Critical Information Infrastructure,establishing a national cybersecurity agency.Scope of the law:Requires public and private entities that qualify as providers of essential services and those that,in addition to providing Essential Services,are qualifie

305、d as operators of vital importance(OIV)by the new National Cybersecurity Agency.To be defined by the new Cybersecurity Agency.Chile Framework Law on Cyber-security and Critical Information Infrastructure:www.camara.cl/legislacion/ProyectosDeLey/tramitacion.aspx?prmID=15344&prmBOLE-TIN=14847-06 (Appr

306、oved in De-cember 2023)AmericasColombiaColombia(2022)defines critical cyber infrastructure as follows:Systems and assets,physical or virtual,supported by Information and Communication Technologies,whose significant affectation would have a serious impact on the social or economic well-being of citiz

307、ens,or on the effective functioning of the government or the economy.It establishes security obligations for authorities owning critical infrastructure,or providing essential services.The authorities,defined as holders of critical infrastructure or providing essential services,shall endeavour to hav

308、e a digital security plan,protection of networks,critical cyber infrastructures,essential services and information systems in cyberspace and shall periodically carry out a digital security risk assessment.To this end,they must have the necessary rules,policies,procedures,technical,administrative and

human resources to effectively manage the risk, and in compliance with the best practices and standards that may be required.
What is designated as critical infrastructure? No defined sectors.
Source: Government of Colombia normative paper on critical infrastructure: www.funcionpublica.gov.co/eva/gestornormativo/norma.php?i=181866

Region: Americas
Country/regional entity: United States of America
How infrastructure is defined? The National Institute of Standards and Technology (NIST) defines critical infrastructure as systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
What is designated as critical infrastructure?
1. Chemical sector
2. Commercial facilities sector
3. Communications sector
4. Critical manufacturing sector
5. Dams sector
6. Defence industrial base sector
7. Emergency services sector
8. Energy sector
9. Financial services sector
10. Food and agriculture sector
11. Government facilities sector
12. Healthcare and public health sector
13. Information technology sector
14. Nuclear reactors, materials and waste sector
15. Transportation systems sector
16. Water and wastewater systems
Source: NIST Glossary, "critical infrastructure" | CSRC (nist.gov); Cybersecurity and Infrastructure Security Agency, Critical Infrastructure Sectors | CISA

Region: Asia
Country/regional entity: P.R. China
How infrastructure is defined? The Security Protection Regulations for Critical Information Infrastructure (the "Regulation", SPRCII) were passed at the State Council executive meeting on April 27, 2021, and went into effect on September 1, 2021. The Regulation defines critical information infrastructure as "the key network facilities and information systems in important industries and areas such as public telecommunication and information service, energy, transport, water conservancy, finance, public service, e-government and science and technology industry for national defence, which may seriously endanger the national security, national economy, people's livelihood and public welfare once they are subject to any destruction, loss of function or data leakage."
What is designated as critical infrastructure? Important network facilities and information systems in important sectors, including but not limited to:
1. Public telecommunications and information services sector
2. Energy sector
3. Transportation sector
4. Water conservancy sector
5. Finance sector
6. Public services sector
7. E-government sector
8. National defence science, technology and industry sector
In accordance with the SPRCII and practice, operators of CII are usually informed by regulatory authorities that the network facilities or information systems they operate constitute CII, and the list of such CIIs is not publicly available.
Source: Cybersecurity Law of the PRC: version only); SPRCII: version only)

Region: Asia
Country/regional entity: India
How infrastructure is defined? As per the Information Technology Act 2000 (amended in 2008), CII means a Computer Resource, the incapacitation or destruction of which shall have a debilitating impact on National Security, Economy, Public Health or Safety.
What is designated as critical infrastructure?
1. Telecommunications
2. Power and energy
3. Banking and financial services
4. Transportation
5. Strategic entities
6. Government enterprises
7. Healthcare
Source: Bank Info Security, "India to Launch Critical Infrastructure Security Framework": www.bankinfosecurity.asia/india-to-launch-critical-infrastructure-security-framework-a-22282; The Information Technology Act of 2000: eprocure.gov.in/cppp/rulesandprocs/kbadqkdlcswfjdelrquehwuxcfmijmuixngudufgbuubgubfugbububjxcgfvsbdihbgfGhdfgFHytyhRtMjk4NzY=#:~:text=%5B9th%20June%2C%202000%5D%20An,communication%20and%20storage%20of%20information%2C

Region: Asia
Country/regional entity: Singapore
How infrastructure is defined? Under section 7(1) of the Cybersecurity Act, a CII is a computer or a computer system located wholly or partly in Singapore that is necessary for the continuous delivery of an essential service, and whose loss or compromise will have a debilitating effect on the availability of the essential service in Singapore.
What is designated as critical infrastructure?
1. Energy
2. Water
3. Banking and finance
4. Healthcare
5. Transport (including land, maritime, and aviation)
6. Infocomm
7. Media
8. Security and emergency services
9. Government
Source: Cybersecurity Act Overview: www.csa.gov.sg/faq/cybersecurity-act; Cybersecurity Act, Critical Infrastructure: www.csa.gov.sg/legislation/Cybersecurity-Act#:~:text=The%20CII%20sectors%20are%3A%20Energy,and%20Emergency%20Services%2C%20and%20Government.

Region: Africa
Country/regional entity: Egypt
How infrastructure is defined? Cyber warfare involves threats by nations and their sponsored groups aimed at infiltrating the critical infrastructure sectors of other countries, such as energy, telecommunications, and banking, for purposes of espionage, political and strategic gains, or purely for sabotage. It is important to note that many countries have openly declared their possession of offensive cyber capabilities as a means of self-defence against these threats. In the context of Egypt, critical infrastructure encompasses essential services and assets whose disruption would significantly impact national security, economic stability, public health, or safety.
What is designated as critical infrastructure?
1. ICT sector: telecommunications networks, submarine and land cables, communications towers, communications satellites, communications control centres, telecommunications and Internet service providers.
2. Financial services sector: networks and websites of banks, banking transactions, e-payment platforms, the stock exchange, securities trading companies and postal financial services.
3. Energy sector: systems, networks and stations that control the production and distribution of electricity, oil and gas; High Dam stations; nuclear power plants; and others.
4. Government services sector: the e-government portal and websites, government agencies' and institutions' websites, national databases (the most important of which is the national ID database), and associated networks and websites.
5. Transportation sector: air, land, sea and Nile transport. It covers all train and metro control systems, centres and networks, as well as air and sea navigation traffic networks and control systems.
6. Health and emergency aid services sector: relief and emergency networks, blood banks, hospital systems and networks, health care networks and websites.
7. Information and culture sector: networks, systems and websites of information and broadcasting services.
Source: National Cybersecurity Strategy for Egypt 2023-2027: www.mcit.gov.eg/Upcont/Documents/Publications_1412024000_National_Cybersecurity_Strategy_2023_2027.pdf and www.egcert.eg/wp-content/uploads/2024/02/Publications_1412024000_ar_National_Cybersecurity_Strategy_2023_2027.pdf; National Cybersecurity Strategy 2017-2021: www.egcert.eg/wp-content/uploads/2023/02/strategy.pdf

Region: Africa
Country/regional entity: Ghana
How infrastructure is defined? CII constitutes assets (real/virtual), networks, systems, processes, information, and functions that are vital to the nation such that their incapacity or destruction would have
