This paper is designed to provide decision-makers with information to make threat-informed decisions regarding resource allocation toward security in critical infrastructure organizations. In a world of ever-evolving threats, both cyber and physical, it is crucial for organizations in critical sectors to be cognizant of the scale of sector interdependence and incorporate it into disaster recovery (DR) and business continuityPurple (BC) planning. This white paper seeks to provide the reader with the knowledge necessary to begin the accession of dependency-based risk analysis into the larger DR/BC schema.
Key Judgements
- Interconnectedness has resulted in interdependence. Therefore, critical infrastructure should be treated as a singular entity from a security perspective.
- Threat actors capitalize on single-point-of-failures in successful attacks.
- Critical Infrastructure faces a unique security dilemma: expanding outreach while decreasing volatility.
- Redundancy, in both architecture and knowledge, is the key to critical infrastructure security. Light Blue
- Breaking down the silos of information sharing across critical infrastructure security communities is vital to collective success.
- Disaster Recovery (DR) and Business Continuity (BC) planning should incorporate inbound and outbound dependencies.
Introduction
The definition of critical infrastructure may vary from country to country, but it’s safe to say that critical infrastructure is what governments consider essential for the functioning of society and the economy. INTERPOL (the world’s largest international police organization) asserts that regardless of definition, these sectors must be effectively protected from attacks1. Both the European Union and the United States have included healthcare as part of their respective critical infrastructure (CI)2. However, the healthcare sector needs other critical infrastructure sectors to operate and sustain operative conditions. Healthcare, like all other critical infrastructure, is dependent upon other sectors. For instance, if there were an interruption in electricity, manufacturing assembly lines would not be able to function, thus causing shortages in medication which would impact the ability of healthcare providers to serve their patients; but without a healthy workforce, the energy sector would have no way of functioning. This phenomenon is known as interdependence. The term single point of failure is a term often used to visualize cascading consequences. In this context, it also applies to critical infrastructure. The analogy is as follows: A chain is made up of many different links. Should any one of those links break, the entire chain will fall apart, regardless of how large it is. Due to the interdependencies of critical infrastructure, if one sector experiences an outage, the entire ecosystem suffers a decrease in productivity or an outright outage.