World Bank Korea Office Innovation and Technology Note Series
DECEMBER 2023, NOTE SERIES NUMBER 10

Strengthening Cybersecurity and Resilience of Critical Infrastructure
Insights from the Republic of Korea and other digital nations

Acknowledgements

This policy note was made possible by the Korea Digital Development Program (KoDi) at the World Bank Korea Office. The drafting team authoring the report comprised Zaki B. Khoury (Senior Digital Development Specialist and TTL, Korea Digital Development Program); Hye-In Song (Manager, KISA); Min-Ji Lim (Researcher, KISA); Sosun Kim (Researcher, Korea University); Dong Jin Kim (Research Fellow, Nextelligence Inc.); Eungyong Lee (Senior Researcher, Nextelligence Inc.); Jisoo Lee (Consultant, World Bank); Bora Kim (Consultant, World Bank); and Yulia Lesnichaya (Consultant, World Bank).

The authors would like to thank the Ministry of Economy and Finance (MOEF) and the Ministry of Science and ICT (MSIT) of the Republic of Korea as well as the Korea Internet & Security Agency (KISA) for their assistance. The authors would also like to thank Jason Allford, Special Representative for the World Bank in Korea; Mahesh Uttamchandani (Practice Manager, East Asia Pacific) and Casey Torgusson (Program Manager) in the Digital Development Global Practice at the World Bank for their advice and guidance. Peer reviewers included Jae-hong Sim, Director of KISA; Professor Jiyeon Yoo of Sang Myung University; and several World Bank specialists including Anat Lwin (Senior Digital Development Specialist and Global Lead of Digital Safeguards); Ghislain de Salins (Senior Digital Development Specialist); Giacomo Assenza (Young Professional) and Hagai Mei Zahav (Consultant, World Bank). The authors would also like to thank Luba Vangelova and Sunny Kaplan for providing editorial guidance, as well as the KoDi team and The World Bank Korea Office for their overall support.
Rights and Permissions

The material in this work is subject to copyright. Because the World Bank encourages dissemination of its knowledge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution to this work is given. Any queries on rights and licenses, including subsidiary rights, should be addressed to World Bank Publications, The World Bank Group, 1818 H Street, NW, Washington, DC 20433, USA; fax: 202-522-2625; e-mail: pubrights@worldbank.org.

The Korea Office Innovation and Technology Note Series is intended to summarize Korea’s good practices and key policy findings on topics related to innovation and technology. They are produced by the Korea Office of the World Bank. The views expressed here are those of the authors and do not necessarily reflect those of the World Bank. The notes are available at: https://www.worldbank.org/en/country/korea.

Cover image © Shutterstock/Funtap

Table of Contents

Acronyms and Abbreviations 6
Foreword from The World Bank 8
Foreword from KISA 9
Executive Summary 10
Chapter 1. Critical Infrastructure Protection (CIP): An introduction 12
1.1. Setting the scene: Why does CIP matter for developing countries? 13
Chapter 2. An overview of CIP policy practices: Case studies from selected countries 18
2.1 United States 20
2.1.1 CIP policy structure and governance 20
2.1.2 Prevention and protection 21
2.1.3 Response and recovery 21
2.2 Germany 22
2.2.1 CIP policy structure and governance 22
2.2.2 Prevention and protection 23
2.2.3 Response and recovery 25
2.3 Republic of Korea 25
2.3.1 CIP policy structure and governance 25
2.3.2 Prevention and protection 26
2.3.3 Response and recovery 28
2.4 Japan 29
2.4.1 CIP policy structure and governance 29
2.4.2 Prevention and protection 30
2.4.3 Response and recovery 30
2.5 Singapore 31
2.5.1 CIP policy structure and governance 31
2.5.2 Prevention and protection 31
2.5.3 Response and recovery 32
2.6 Findings from the country case studies analysis 32
Chapter 3. Developing a policy framework for CI security and resilience 35
3.1 Principles for a CIP policy framework 35
3.2 Development of a CIP Policy Framework 36
3.2.1 Governance Considerations at the Strategic Level 36
3.2.2 CIP Activities and Capabilities at the Operational Level 38
3.3 Life Cycle of a CIP Policy 39
3.3.1 Step 1. Initiation 41
3.3.2 Step 2. Stocktaking and Analysis 44
3.3.3 Step 3. Production of CIP Policy 51
3.3.4 Step 4. Implementation 55
3.3.5 Step 5. Monitoring and Evaluation 67
Conclusion and next steps 69
Bibliography 74

List of Figures

Figure 1-1. Major cyberattacks on CIs 12
Figure 2-1. Key Areas for Comparing and Analyzing CIP Policies of Selected Countries 19
Figure 2-2. Cybersecurity Risk Management Procedures for CI in Korea 28
Figure 3-1. CIP Policy Framework for Government Policy Makers 41
Figure 3-2. Life Cycle of CIP Policy 41
Figure 3-3. Interactions Between Committee and Stakeholders for Developing CIP Policy 44
Figure 3-4. CI Identification Process 45
Figure 3-5. Procedure for Designating CI in Korea 47
Figure 3-6. The OECD National Risk Assessment Process 50
Figure 3-7. Relationship Between Guidance of Related Central Administrative Agencies and Protection Plans of CI Entities in Korea 56
Figure 3-8. Scope of Information Sharing on CI in Japan 62
Figure 3-9. Steps to Enhance CIP capabilities of CI Entities 62
Figure 3-10. Three CIP Considerations for policymakers 68

List of Tables

Table 2-1. Classification of CIP policies in selected countries 18
Table 2-2. CIP Policies in selected five countries 34
Table 3-1. Examples of CIP Leadership 37
Table 3-2. Information Security Level Evaluation Domain and Sub-control for CI Entities in Korea 51
Table 3-3. Information Security Maturity Model for CI Entities in Korea 51
Table 3-4. Key Elements of a CIP Policy Framework According to the Type of CIP Policy by Country 53
Table 3-5. Considerations When Establishing Incident Response System in the Korean Ministry of the Interior and Safety 54
Table 3-6. Cybersecurity Risk Management Guidelines for CI Entities in the Major Countries 57
Table 3-7. Cybersecurity Risk Management Programs or Guidance for CI Sectors in the United States 58
Table 3-8. Mobile Communication and Cloud Computing Service Technical Vulnerability Checklist in Korea 59
Table 3-9. CISA Cybersecurity Services for Industry and the Private Sector in the US 63
Table 3-10. Cyber Threat Information-Sharing Programs According to Information Level in the United States 67

Acronyms and Abbreviations

AIS  Automated Indicator Sharing (United States)
BMI  Germany’s Federal Ministry of the Interior
BSI  Germany’s Federal Office for Information Security
CEPTOAR  Capability for Engineering of Protection, Technical Operation, Analysis and Response (Japan)
CI  Critical Infrastructure
CII  Critical Information Infrastructure
CIRT  National Computer Incident Response Team
CISA  Cybersecurity and Infrastructure Security Agency (United States)
CMM  Cybersecurity Maturity Model for Nations
CER  Critical Entities Resilience
CIP  Critical Infrastructure Protection
CIP Act  Act on the Protection of Information and Communications Infrastructure (Korea)
CISO  Chief Information Security Officer
COVID-19  Coronavirus Disease 2019
CSF  Cybersecurity Framework
CSIRT  Computer Security Incident Response Team (Germany)
CSA  Cybersecurity Agency of Singapore
C-TAS  Cyber Threat Analysis and Sharing
CTI  Cyber Threat Indicators
DHS  Department of Homeland Security (United States)
DDoS  Distributed Denial-of-Service Attack
DM  Defense Measure
DRP  Disaster Recovery Plan
ENISA  European Union Agency of Cybersecurity Directive
FERC  Federal Energy Regulatory Commission (United States)
GCI  Global Cybersecurity Index
GCSCC  Global Cyber Security Capacity Centre
ICT  Information and Communication Technology
IDS  Intrusion Detection System (Germany)
IMPACT  International Multilateral Partnership Against Cyber Threats
IPA  Information-technology Promotion Agency (Japan)
ISAC  Information Sharing and Analysis Centers
ISMS  Germany’s Information Security Management System
IT  Information Technology
ITU  International Telecommunication Union
KEPCO  Korean Electronic Power Corporation
KPIs  Key Performance Indicators
KISA  Korea Internet & Security Agency
KoDi  Korea Digital Development Program
KWPF  Korea World Bank Partnership Facility
LDC  Least Developed Countries
METI  Ministry of Economy, Trade and Industry (Japan)
MOEF  Ministry of Economy and Finance (Korea)
MOIS  Ministry of the Interior and Safety (Korea)
MSIT  Ministry of Science and ICT (Korea)
NCTI  National Cyber Threat Intelligence (Korea)
NERC CIP  North American Electric Reliability Corporation Critical Infrastructure Protection
NIPP  National Infrastructure Protection Plan 2013 (United States)
NISC  National Center of Incident Readiness and Strategy for Cybersecurity (Japan)
NIS  Network and Information Security (Germany)
NIS  National Intelligence Service (Korea)
NIST CSF  National Institute of Standards and Technology Cybersecurity Framework
NSO  National Security Office (Korea)
OECD  Organisation for Economic Co-operation and Development
OT  Operational Technology
PPP  Public-Private Partnership
R&D  Research and Development
SCMM  Sectoral Cybersecurity Maturity Model
SIEM  Security Information and Event Management (Germany)
SSAs  Sector-Specific Agencies
SSPs  Sector-Specific Plans

Foreword from The World Bank

Critical infrastructure is a cornerstone in the architecture of a country’s prosperity. The imperative to enhance cybersecurity and bolster resilience measures within critical infrastructure (CI) is crucial in emerging economies, where secure and effective CI functions are vital to supporting sustainable development, fostering economic growth, and ensuring social well-being.

This note examines a comprehensive set of critical infrastructure protection (CIP) policy practices in the Republic of Korea and other developed digital nations, with the purpose of preventing and safeguarding critical infrastructure from cyberattacks, as well as responding to and recovering from cyber events. The emphasis is on a whole-of-government approach to enabling policies and regulations that developing countries may use to guide them on their path to a digitally resilient and prosperous future.

The World Bank’s Korea Digital Development Program (KoDi) advances the shared goal of connecting Korea’s knowledge and best practices in digitalization with the demands of our client countries in collaboration with the Ministry of Economy and Finance (MOEF) and the Ministry of Science and ICT (MSIT) as well as other relevant Korean stakeholders.
It has provided developing countries with knowledge exchange and capacity building initiatives, as well as technical assistance, so they may benefit from Korea’s technology expertise and experiences as they accelerate their digital transformation for development.

I would also like to thank the Korea Internet & Security Agency (KISA), the nation’s leading organization in building safe and reliable internet and cybersecurity, for its ongoing collaboration and support to the World Bank Korea Office in the digital development agendas as well as its significant contributions to this report. We will continue and expand our efforts to increase awareness about the cybersecurity risks that accompany rapid digital transformation as well as routes to a safe digital society in which our people can trust.

Jason Allford
Special Representative for the World Bank in Korea

Foreword from KISA

It gives us great pleasure to contribute to the completion of “Strengthening Cybersecurity and Resilience of Critical Infrastructure” in collaboration with the World Bank team and a number of specialists. This note underscores the importance of strengthening capabilities to secure critical information infrastructure and establishing standardized cybersecurity protection measures.

The Korea Internet & Security Agency (KISA), functioning as a nongovernmental support organization for critical infrastructure protection (CIP), is involved in advancing safeguarding countermeasures for critical infrastructure and delivering technical guidance to prevent breaches and restore compromised systems. In addition, KISA is engaged in administering certifications that concern the protection of infrastructures, including IoT Product Certifications, ISMS-P, and Cloud Security Certifications. In addition, the institution is in the process of constructing reliable data ecosystems.
According to news reports, the digital transformation of numerous government agencies and enterprises was expedited by around seven years due to COVID-19. However, this also suggests there has been a seven-year evolution in cyber threats; as a result, it is reasonable to expect a corresponding seven-year advancement in the cyber security industry. In light of the formidable cyber threats, we must collaborate and deliberate on the globalization and administration of infrastructure security systems, not just at the national level.

In conclusion, I wish to express my genuine hope that this report will provide developing nations with some insights for understanding CIP in order to mitigate a variety of cybersecurity vulnerabilities.

Hyun-O Kwon
Vice President, Korea Internet & Security Agency (KISA)

Executive Summary

Governments and industries have adopted the use of technology in their essential system operations at an accelerating rate. This rapid pace of digitalization leaves critical sectors of a country, including transportation, healthcare, information and communication technology, waste management, and water distribution, vulnerable to cyberattacks. The physical and digital resources necessary to maintain essential services and operations are critical infrastructure (CI): they are vital for safeguarding national security, public health and safety, the economy, and society at large, even when confronted with cyberattacks or natural disasters. Since the early 2000s, countries have encountered a series of cyber assaults targeting their networked infrastructures that have resulted in significant economic and social repercussions.
Some examples include the temporary shutdown of a nuclear power plant in Ohio and destruction of numerous centrifuges in Iran; an explosion in Turkey due to a network failure of an oil pipeline; water pumping stations or treatment plants in the United States and Israel experiencing disruptions or contamination; ransomware attacks on banks, ministries, electricity firms, gas stations, oil pipelines, food suppliers, and companies across the globe; and at the beginning of the COVID-19 pandemic, unauthorized access at the European Medicines Agency led to vaccine-related information theft. In light of these threats, governments have increasingly recognized cyberattacks as one of the highest priority risks to CIs. They acknowledged the significance of establishing and implementing relevant policies at the whole-of-government level so as to help CI operators systematically address and respond to these risks. In particular, among developing countries, protection of CIs is being reframed as a development agenda since well-designed infrastructure is a critical driver of economic productivity, public safety, technological advancement, and sustainable development. Resilience of network infrastructures can also promise long-term economic benefits by upgrading business operations and increasing investment opportunities. Starting in the late 1990s, digitally advanced countries began developing comprehensive strategies and implementing vital regulations to safeguard national infrastructure against the perpetual escalation of malicious cyber operations. This policy note analyzes various strategies for the expansion of critical infrastructure protection (CIP) policies in developed digital nations, including the Republic of Korea, Singapore, the United States, Germany, and Japan. 
These countries were chosen among those that have enacted legislation on CIP or established and implemented relevant strategies since the early 2000s, and whose experience can provide valuable lessons for countries embarking on establishing a policy framework for CIP or exploring different options to that end. Korea, in particular, has chosen to gradually elevate the agenda of CIP to the core of its cybersecurity policies. Such an incremental approach can ease the entry barriers for developing countries that are at relatively early stages of policy development. There is broad consensus that there is no universal framework, much less an ideal one, for CIP regulations, as each nation has pursued a unique approach. This report identifies three characteristics of the policies pursued by these nations:

• Establishment of legal frameworks to systematically identify threats and uphold the minimum security standard of CI operators, followed by additional protective measures and supplementary policies.
• Government-led incorporation of resilience into the policy frameworks of the CIP.
• Active leveraging of the expertise of the private sector and encouraging voluntary participation via public-private partnerships (PPPs).

The analysis of policy practices in these five digital nations offers insights that can be used by other nations embarking on comparable endeavors to enhance the resilience of critical infrastructure and cybersecurity. To provide practical examples, the note conducts an in-depth examination of the countries’ practices throughout the phases of the CIP policy life cycle. The baseline is established in the International Telecommunication Union’s (ITU) Guide to Developing a National Cybersecurity Strategy, which delineates the phases of the CIP policy formulation process as follows: inception, inventory and analysis, implementation, monitoring, and assessment.
The variety of policy instruments used across the five countries is most apparent during the implementation phase. Countries may prioritize specific measures in accordance with the overarching policy approaches adopted by their governments (e.g., the cyber-risk approach or the all-hazards approach) or the established relationship between the public and private sectors. Conducting extensive research on different CIP policy frameworks allows for the identification of their strengths and the development of optimal approaches. It is imperative to acknowledge that CIP frameworks do not invariably adhere to a predetermined sequence of processes; instead, they often undergo significant changes in response to emergency crises that result in disastrous repercussions. This policy note concludes with a summary of three main pillars of the CIP policy framework that are essential for developing nations to examine:

1. Governments should adopt a comprehensive approach to promoting the agenda for cybersecurity and CI resilience by involving the entire government. This approach would enable them to unambiguously delineate the responsibilities of key stakeholders. As Korea has demonstrated, implementing a regulatory framework can facilitate the concept’s integration and change within the policy environment.
2. In addition to regulatory measures, various policy instruments can be utilized to enhance PPPs, facilitate information sharing, raise awareness, and provide training. This will allow the government to provide CI organizations with varying institutional capacities for CIP with more tailored assistance.
3. Lastly, specific regulations mandated by the government serve to enhance the CIP capabilities of CI firms. This requires a paradigm shift from the government’s perspective to that of the CI entities spearheading protective efforts.
In regions where resources are limited, demand-driven policies can provide CI organizations with greater direct assistance while also encouraging their voluntary participation in government-led initiatives.

Cybersecurity and resilience of CIs is one of the most important and prioritized agendas among the digital nations across the government, CI owners and operators, industry, and academia. It is imperative for developing countries to take a comprehensive, cross-government approach to cybersecurity and CI resilience involving the participation of all stakeholders, and they are strongly encouraged to conduct a thorough maturity assessment to detect deficiencies and opportunities for improvement within their policy frameworks. The Sectoral Cybersecurity Maturity Model (SCMM), jointly developed by the World Bank Digital Development team and Tel Aviv University’s Blavatnik Interdisciplinary Cyber Research Center (TAU ICRC), could potentially function as a viable initial framework for this purpose. The recommendations in this note can play a pivotal role in providing valuable insights for developing countries that are essential for developing their CIP policy frameworks.

Chapter 1. Critical Infrastructure Protection (CIP): An introduction

Critical infrastructure (CI) consists of the physical facilities, networks, systems, and human resources upon which an economy, public health, service provision, and national security rely. Numerous factors, including natural disasters and human-caused incidents, have the potential to compromise the operations and functions of CIs. As CIs become more dependent on information and communication technology (ICT) and ICT-related services, the frequency of such incidents has correspondingly escalated. Furthermore, accurately measuring and anticipating the magnitude of their consequences has become more challenging.
Countries have encountered a series of cyber assaults targeting their networked infrastructures since the early 2000s. These attacks have resulted in significant economic and social repercussions (Figure 1-1).

Figure 1-1. Major cyberattacks on CIs

Currently, there is no universally agreed-upon definition of CIs since each country defines them based on their current needs and priorities. Within the scope of this policy note, CI and CI protection (CIP) are defined in Box 1-1. Furthermore, countries have increasingly been incorporating the concept of resilience in their CIP policy frameworks. Resilience is a term commonly used among the experts and practitioners in the disaster risk management (DRM) and climate change communities, and it is expanding its realm of application to other areas including the CIs.1 Similarly, the U.S. National Infrastructure Advisory Council (NIAC) defined infrastructure resilience in 2009 as “the ability to reduce the magnitude and/or duration of disruptive events.” According to this definition, the effectiveness of CI resilience depends on its ability to “anticipate, absorb, adapt to, and/or rapidly recover from a potentially disruptive event.”2 Having noted the growing significance of CIP policies, the United Nations Development Programme (UNDP) guidance notes on building critical infrastructure resilience in Europe and Central Asia identify three key characteristics that a resilient CI system shows: robustness, resourcefulness, and rapid recovery. Robustness refers to the system’s ability to continue its operations and functions in the face of disaster, resourcefulness to the ability to skillfully prepare for disaster response, and rapid recovery to the ability to reconstitute normalcy as quickly as possible after a disaster.
1 The Intergovernmental Panel on Climate Change (IPCC) defines resilience as the “ability of a system and its component parts to anticipate, absorb, accommodate, or recover from the effects of a hazardous event in a timely and efficient manner, including through ensuring the preservation, restoration or improvement of its essential basic structures and functions.”

2 NIAC is a presidential advisory council that invites executive leaders from both private and public sectors to advise the White House on how to reduce physical and cyber risks and improve security and resilience of the national CIs. On behalf of the president and under the authority of the U.S. Department of Homeland Security (DHS), the U.S. Cybersecurity and Infrastructure Security Agency (CISA) administers the operations of the Council; https://www.cisa.gov/resources-tools/groups/presidents-national-infrastructure-advisory-council-niac

Box 1-1. Definition of Critical Infrastructure (CI) and Critical Infrastructure Protection (CIP)

CIs refer to the essential assets (physical facilities, systems, networks, human resources, etc.) required to maintain the minimum core services or functions for national security, public health, safety, and the national economy and society against the potential hazards of physical and cyber threats. Not all infrastructures within an industry sector serve the core functions of an economy, and it is important to identify those that not only provide essential services or functions but also are more likely to be vulnerable to risks originating from cyberspace. In some cases, critical information infrastructure (CII) is conceptually distinguished from CIs as its subgroup. CII can be defined as the ICT components (e.g., telecommunications, systems, software) that support critical services or functions of CI and that must be protected against cyber risks.
While acknowledging the value of additionally establishing the definition of CII, only CI is used within the purview of this note, and subsequently critical infrastructure protection (CIP).

[Figure: Relationship Between CI and CII. Sectors such as energy, drinking water, and the financial sector each contain CI, and each CI contains CII components. The CII encloses (1) the Information and Telecommunications CI, and (2) the CII components in CI (e.g., control systems).]

CIP refers to all activities to prevent and mitigate the consequences of these potential hazards or minimize their possibility of occurring with an aim to ensure the CIs’ functionality, continuity, and integrity. Connecting the CIs to cyberspace can help countries achieve efficiency, cost effectiveness, and scalability; however, it may also expose them to unanticipated risks, jeopardizing national security, economy, and society. For instance, a power outage from a ransomware attack can lead to massive repercussions in various industries, including disruption of telecommunication, healthcare, transportation, payment, and manufacturing systems.

Source: Authors and Luiijf, van Schie, and van Ruijven 2017.

1.1. Setting the scene: Why does CIP matter for developing countries?

Governments are responsible not only for identifying their CIs but also for selecting and taking appropriate measures to protect them. Prioritizing cyber risks and mainstreaming the considerations for cybersecurity and resilience are particularly important, as they form the basis on which CIP policies can be developed at the strategic level to facilitate the implementation of relevant policies.
From an implementation aspect, governments may consider policies that promote the adoption of consistent cyber risk management approaches and measures among the relevant stakeholders such as the ministries responsible for CI management, government offices in charge of industrial regulations, and the CI owners and operators (CI entities). In particular, a holistic cyber risk management system is important for the CI entities that are placed to experience the firsthand impacts of cyber incidents more acutely and are expected to respond in a timely fashion and restore services. In fact, there has been a crucial shift from voluntary programs and information sharing that rely on the discretion of respective entities to dictating a minimum standard of care through regulations and laws across industries.

Establishing a sound CIP policy framework holds significance for all countries regardless of the stage of economic development they are in, but possibly more for developing countries. This is because the potential challenges can be much bigger and more widespread without sufficient measures to guarantee CIP. Among developing countries, CIP has been elevated to a development issue rather than a national security or defense issue. Against this backdrop, international organizations have consistently addressed the urgent need to enhance CIP in developing countries within the wider scope of risk management and cybersecurity. The World Bank has acknowledged that successful risk management can be a powerful instrument for development by both increasing people’s resilience and creating opportunities for development (Box 1-2). More specifically, it has designed the Global Cybersecurity Capacity Program to assist selected developing countries in strengthening their cybersecurity environments.
The beneficiary countries underwent a Cybersecurity Maturity Model for Nations (CMM) assessment, a methodical framework developed by the University of Oxford’s Global Cyber Security Capacity Centre (GCSCC). Thus far, it has been deployed more than 130 times in over 90 countries around the world. The model considers cybersecurity to comprise five dimensions that constitute the breadth of national cybersecurity capacity: 1) policy and strategy; 2) culture within society; 3) knowledge and capabilities; 4) legal and regulatory frameworks; and 5) standards and technologies. The first dimension includes an aspect on CIP that looks at whether a country has adopted policy mechanisms to ensure that assets, systems, and services vital to the country and its society continue to function as required (Box 1-3).

Box 1-2. Five key insights on the process of risk management from the World Development Report 2014

The World Development Report is an annual report published by the World Bank that provides an in-depth analysis of a specific aspect of economic development. In 2014, the report paid particular attention to the process of risk management by addressing the questions of why risk management is important to development, how it should be conducted, what obstacles prevent people and societies from conducting it effectively, and how those obstacles can be removed. The main message is that countries can seek development by actively embracing the idea of risk management since it not only builds people’s resilience against adverse events but also allows them to benefit from the opportunities for improvement. The report draws five key insights on its process:

1. Taking on risks is necessary to pursue opportunities for development. The risk of inaction may well be the worst option of all.
2. To confront risk successfully, it is essential to shift from unplanned and ad hoc responses when crises occur to proactive, systematic, and integrated risk management.
3. Identifying risks is not enough. The trade-offs and obstacles to risk management must also be identified, prioritized, and addressed through private and public action.
4. For risks beyond the means of individuals to handle alone, risk management requires shared action and responsibility at different levels of society, from the household to the international community.
5. Governments have a critical role in managing systemic risks, providing an enabling environment for shared action and responsibility, and channeling direct support to vulnerable people.

Source: The World Bank.

Box 1-3. Focus on the Critical Infrastructure Protection – The World Bank Global Cybersecurity Capacity Program

Since 2016, the World Bank has run the Global Cybersecurity Capacity Program, financed by the Korea World Bank Partnership Facility (KWPF). The program was one of the key initiatives of the Bank to bridge existing gaps in cybersecurity capacities by providing customized programs offering technical assistance and capacity building activities to six client countries for Phase 1 (2016–2019) and two countries for Phase 2 (2019–Present), with more countries to be engaged. The program covers wide geographical regions, including Albania, Bosnia and Herzegovina, Republic of North Macedonia (Western Balkan region), Ghana (West Africa), the Kyrgyz Republic (Central Asia), Myanmar (Southeast Asia), Kosovo and Serbia (Europe and Central Asia).

The findings of the six client countries reveal the following points on CIP, some of which are common to several countries. First, the cybersecurity component in CI was either still in the early stages or CI as a term had not yet been understood. This may pertain to a wider problem in that a national risk assessment may never have been executed, or general crisis management was considered necessary for national security but cybersecurity was not yet considered a crucial component of it.
In parallel, in some countries, no accepted definition of national CI and formal categorization of CI assets existed at the state level. On governance, there was no national body to coordinate cybersecurity incident response and management. Or, if one existed it remained as limited and ad-hoc interaction between governments ministries and owners of CI assets. Furthermore, this manifested as limitations on the operational level where there was no list of CI stakeholders nor mandatory security controls to adhere to, no mechanisms for threat and vulnerability disclosure, and no mandatory reporting requirements for cyber incidents. Source: The World Bank. Similarly, the ITU organizes a series of special programs for the Least Developed Countries (LDC), Landlocked Developing Countries (LLDC), and Small Island Developing States (SIDS). First, the Cybersecurity Work Programme to Assist Developing Countries 2007-2009 highlights the need to establish effective CIP structures in developing nations because of the potential impact that they have on the global economy, and suggests a comprehensive list of high-level assistance activities from strategic aspect such as on National Strategies and Capabilities to operational aspects including the Watch, Warning and Incident Response (WWIR) capabilities and Countering Spam and Related Threats.3 More recently, the ITU launched the Enhancing Cybersecurity in Least Developed Countries project to support LDCs in strengthening their cybersecurity capabilities to better respond to cyber threats and ensure enhanced protection of their CIs. In summary, the significance CIP holds for developing economies can be considered along the following aspects: • Economic impact: Developing countries often rely heavily on CIs such as power grids, transportation systems, and financial institutions to support their economic growth. 
A cyberattack on these systems can have a devastating impact on the country’s economy, disrupting essential services and causing financial losses. • Human safety: Many CI systems, such as water treatment plants and healthcare facilities, directly impact public safety and health. Cyberattacks on these systems can jeopardize human lives, making cybersecurity crucial for protecting the well-being of citizens. 3  The activities include: General Management and Coordination; ITU Member States’ Cybersecurity Requirements and Mutual Assistance Capabilities; National Strategies and Capabilities; Legislation and Enforcement Mechanisms; Watch, Warning and Incident Response (WWIR) Capabilities; Countering Spam and Related Threats; Bridging the Security-Related Standardization Gap; Project on Enhancing Cybersecurity and Combating Spam; Cybersecurity Indicators; Fostering Regional Cooperation Activities; Information Sharing and Supporting the ITU Cybersecurity Gateway; and Outreach and Promotion. PAGE | 16 STRENGTHENING CYBERSECURITY AND RESILIENCE OF CRITICAL INFRASTRUCTURE Box 1-4. ITU project on Enhancing Cybersecurity in LDCs – case study in Sierra Leone The International Telecommunication Union’s (ITU) role in cybersecurity can be defined under three pillars: global cooperation, standardization, and cyber capacity development. Pertaining to the last pillar, they acknowledge that ensuring cybersecurity can be particularly difficult for LDCs that lack adequate legal and regulatory frameworks, have a limited pool of human resources, and experience constant financial constraints. In this context, the project on Enhancing Cybersecurity in LDCs was implemented in the framework of ITU’s mandate to enhance security of their cyberspace and CIs and to build confidence in the use of ICTs applications. 
The project encompasses a wide range of aspects including legal, regulatory, and technical aspects related to cybersecurity, building on the activities implemented with the International Multilateral Partnership Against Cyber Threats (IMPACT) and in the partnership with the European Union (EU). It is implemented in 49 countries over a two-year period following the three main pillars: 1) Policy-level assistance; 2) Capacity building; and 3) Equipment and software distribution, and it defines five main activities: • Launch of the project in selected LDCs • Assessment of the situation • Development of guidelines (on cybersecurity legislation, regulation, and technologies that would facilitate the implementation of an electronic protection system on a national level) • Equipment and solutions distribution • Capacity building (on national, regional, and international cybersecurity legislation and regulation, as well as on technology aspects) In 2013, ITU-IMPACT convened a highly intensive workshop program on cybersecurity in Sierra Leone with the primary objective of assisting both public and private sector stakeholders (ministers, private sector CEOs, bank CEOs/CFOs, critical sector/critical national information infrastructure [CNII] CEOs/CFOs, IT companies, internet service providers (ISPs), law enforcement agencies, judiciary, network administrators, and security experts) in implementing a National Computer Incident Response Team (CIRT) and initiate the process of establishing a National Cybersecurity Framework. Source: International Telecommunications Union. • Technological Adoption: Developing countries are increasingly adopting modern technology and digitizing their infrastructure to keep pace with global trends. This digitization makes them more susceptible to cyber threats, as better connected systems create an increase of potential entry points for cybercriminals. 
• Global interconnectedness: The interconnected nature of CI means that a cyberattack in one country can have ripple effects across borders. Developing countries are not immune to these global cyber threats, and their vulnerabilities can be exploited by threat actors from anywhere in the world. • Foreign investment and development aid: Many developing countries rely on foreign investment and aid to develop their critical infrastructure. Demonstrating a commitment to cybersecurity can make these countries more attractive to investors and donors who want to ensure the safety and resilience of their investments. • Capacity building: Building cybersecurity capabilities in developing countries can lead to the development of a skilled workforce and a growing cybersecurity industry. This can create job opportunities and contribute to economic development. • Sustainable development: Achieving the Sustainable Development Goals (SDGs) often requires a stable and secure environment. Cybersecurity is an essential component KOREA OFFICE INNOVATION & TECHNOLOGY NOTE SERIES PAGE | 17 of stability, as it helps prevent disruptions that can hinder progress in areas such as healthcare, education, and poverty reduction. • Cybercrime prevention: Developing countries are not only vulnerable to state-sponsored cyberattacks but also to cybercriminal activities such as fraud, identity theft, and ransomware attacks. Robust cybersecurity measures can help protect individuals and businesses from falling victim to cybercrime. Given these aspects, the need exists to reframe the CIP and cybersecurity agenda as a development issue and enabler of sustainable growth rather than limiting it to a national security and law enforcement issue. At the same time, it is important to consider whether the suggested CIP policy framework is affordable for the developing countries. 
Low- and middle- income economies often use the residual model to finance cybersecurity, which often falls short of what a country needs to safeguard its CIs. Also, smaller-scale private businesses in developing countries show a limited interest in investing in cybersecurity as part of national initiatives. Therefore, achieving a sustainable balance between what needs to be included as essential elements and what is functionally feasible in developing countries is important in designing a comprehensive CIP policy framework. This policy note aims to raise awareness around the importance of mainstreaming CIP in the process at the national level primarily in developing countries. To that end, the note started by drawing attention to the concepts of CI and CIP and their implications for developing countries (Chapter 1). Then, it selects five country cases – the United States, Germany, Korea, Japan, and Singapore – that are early starters in preparing policy frameworks for CIP and presents their policy practices that can provide useful reference points (Chapter 2). Building a CIP policy framework is still relatively new in many countries, which in many cases requires a rethinking of the existing systems. Therefore, the aim of this policy note is not to offer a one-size-fits- all model for CIP policies but to introduce various approaches in the policy making process. Building on this, Chapter 3 takes a more granular view and introduces specific country cases along the five steps of the CIP policy life cycle defined by the ITU. Finally, Chapter 4 concludes with three policy considerations derived from the discussion above that may prove useful for policymakers in the developing countries. Furthermore, it stresses the need for more in-depth maturity assessments in these countries in order to provide more accurate and actionable recommendations in designing the CIP policy framework. PAGE | 18 STRENGTHENING CYBERSECURITY AND RESILIENCE OF CRITICAL INFRASTRUCTURE Chapter 2. 
An overview of CIP policy practices: Case studies from selected countries

Since the late 1990s, some countries have begun to develop strategies, plans, and related laws to protect their critical infrastructure from malicious activities. A country’s CIP policy can be classified into one of the two categories below, according to how it defines the scope of risks that adversely affect the essential services or functions of CIs:

• All-hazard approach, which focuses on the overall risk management of CI by taking into account all potential risks, such as physical and cyber incidents, that may adversely affect the CIs.
• Risk-based approach, which focuses on cyber risk management of the ICT infrastructure that supports the CIs’ delivery of essential services.

Countries such as the United States, Germany, and Australia have adopted an all-hazard approach in developing CIP policies. These countries have complementarily developed and implemented additional strategies and guidelines on cyber risk management and cyber incident reporting. On the other hand, countries such as Korea, Japan, Singapore, and China have opted for a risk-based approach that focuses specifically on cyber incidents. In practice, both approaches can take the form either of regulations (i.e., legislation and acts) or of strategies and implementation plans (i.e., action plans and sector-specific plans), as illustrated in Table 2-1.

Table 2-1. Classification of CIP policies in selected countries

Policy type: Legislation (legal/regulatory)
  All-hazard approach:
  • United States: Presidential Policy Directive (PPD)-21, Executive Order (EO)-13636
  • Germany: IT Security Act 2.0, Federal Office for Information Security (BSI) KRITIS Regulation
  • Australia: Security Legislation Amendment (CI) Act (2021, 2022)
  • United Kingdom: Network and Information Systems (NIS) Regulations (2018)
  Cyber-risk approach (enhancing cybersecurity):
  • Korea: Act on The Protection of Information and Communications Infrastructure
  • Singapore: Cybersecurity Act
  • China: Regulations on CII security protection
  • France: CIP Law
  • Estonia: Cybersecurity Act

Policy type: Strategy/plan
  All-hazard approach:
  • United States: National Infrastructure Protection Plan (NIPP) (2013); Sector-Specific Plans (SSPs)
  • Germany: CIP Strategy
  • Australia: Critical Infrastructure Resilience (CIR) Strategy & Plan
  • United Kingdom: National Cyber Security Strategy
  Cyber-risk approach (enhancing cybersecurity):
  • Korea: Central administrative agencies’ plans for protecting CI; National cybersecurity strategy
  • Japan: The basic policy of CIP (CIP action plans)

This chapter presents five country cases – the United States, Germany, Korea, Japan, and Singapore – that are among the top 20 countries ranked in the ITU’s Global Cybersecurity Index (GCI). The selection was made among countries that have enacted legislation on CIP or established and implemented relevant strategies since the early 2000s, whose experience can provide valuable lessons for countries embarking on establishing a policy framework for CIP or exploring different options to that end. In particular, Korea has chosen to gradually elevate the CIP agenda to the core of its cybersecurity policies, as evidenced by its intricate institutional policy frameworks (Section 2.3). Such an incremental approach can ease the entry barriers for developing countries that are at relatively early stages of policy development.

This chapter is structured along the three general characteristics of a policy framework, which include the main elements of infrastructure protection and cybersecurity policies (Figure 2-1):

1. Overall policy structure and governance (incl. goals and objectives, governance, PPPs, and definition and identification)
2. Prevention of and protection against cyber threats to CI
3. Response to and recovery from cyber incidents

The trajectories of policy development in the five selected economies are analyzed along these three characteristics, with the aim of deriving policy lessons that may prove useful for other countries exploring options to build comparable policy frameworks. An important caveat is that there is no one-size-fits-all solution to building a CIP framework. Therefore, the aim is to explore the diversity of approaches among countries that have adopted agile policy making processes to deal with fast changes in the environment and act on the large rise in security incidents.

Figure 2-1. Key Areas for Comparing and Analyzing CIP Policies of Selected Countries

[Figure: diagram; panel titles and contents recovered from the extracted text]

GOAL AND OBJECTIVES FOR CIP: Strengthen the security and resilience of the CI by managing cyber risks through the collaborative and integrated efforts of the stakeholders

GOVERNANCE
• (Public) CIP coordinators, sector-specific agencies, regulatory authorities, national cyber-security center, national-CSIRT
• (Private) CI entities, IT/OT product and service providers, cybersecurity service providers, etc.
• Roles and responsibilities for each entity

PUBLIC-PRIVATE PARTNERSHIPS
• Entities: Governments, CI entities, IT/OT product and service providers, etc.
• Cooperation: (CIP) committee, coordinator, sector-specific agencies; (Cybersecurity) national cybersecurity center, national-CSIRT

Policies (Legislation, Strategies, and Plans)

DEFINITION AND IDENTIFICATION OF CI
• Define the national CI
• Identify CI sectors and critical services
• Periodic review of CIs

PREVENTION AND PROTECTION
• Cybersecurity risk management
• Sector-specific agencies: providing cybersecurity enhancement guidelines, tools, and cyber hygiene services
• CI entities: establishing a cybersecurity risk management program

RESPONSE AND RECOVERY
• Cyber incident management
• Cyber crisis management and communication
• Cyber exercises
• Information sharing and cooperation for protecting CI

2.1 United States

2.1.1 CIP policy structure and governance

CIP policy making gained political visibility in the United States starting with the Clinton administration, which prepared a federal-level CIP policy to respond to cyber incidents in eight industry sectors, including financial services, telecommunications, and electricity. The Patriot Act, adopted in 2001, defines CIs as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” In the United States, these physical and cyber infrastructures are mostly owned and operated by private entities, although some infrastructures are owned by the federal, state, local, tribal, and territorial (SLTT) governments. The primary responsibility for CIP policy making and implementation lies with the federal government, which coordinates national CI-related policies in support of CI entities.
It also identifies specific assets and systems to be protected in partnership with the CI entities in the public and private sectors, and these entities evaluate all types of hazards, including natural disasters, human-made threats (such as terrorism and cyber incidents), and vulnerabilities of the assets. They also identify the level of risk such events may pose and implement a set of measures to mitigate them. In particular, in response to the recent surge of advanced cyber incidents that could compromise national security or spur social unrest, the federal government established PPPs with stakeholders, including the CI entities, to strengthen their cybersecurity capabilities.

In the aftermath of the September 11 attacks, the Bush administration enacted the Critical Infrastructure Information Act of 2002 (hereinafter the CII Act of 2002), marking an official shift in the government’s CIP policy direction to an all-hazard approach that expands the scope of CI from cyber assets to physical assets as well. The following Obama administration shared a similar view, and the government attempted to mitigate cyber risks through PPPs rather than by dictating the types of risk management activities CI entities must implement. In addition, policy initiatives on information sharing gained prominence as a way to raise the overall awareness and understanding of cyber risks among both policy makers and relevant stakeholders. Building on this, Presidential Policy Directive 21 (PPD-21) introduced the concept of resilience into the existing all-hazard approach, forming today’s overall CIP policy landscape in the United States. In PPD-21, the term resilience refers to the ability to prepare for and adapt to the evolving policy environment and to withstand and recover rapidly from disruptions, deliberate attacks, accidents, or naturally occurring threats or incidents. Therefore, CI resilience emphasizes the procedural aspect, meaning that the entity prepares for and adapts to a changing environment and recovers quickly while enduring a system failure. Resilience also entails mitigating the impact of events and securing response and recovery capabilities. Furthermore, PPD-21 reduced the number of CI sectors from 18 to 16 and redefined the sector-specific agencies (SSAs) for each of them.

A notable change in the American CIP policy governance structure was made in 2018 with the adoption of the Cybersecurity and Infrastructure Security Agency (CISA) Act. CISA was established under the Department of Homeland Security (DHS) to “lead the national effort to understand, manage, and reduce risk to [our] cyber and physical infrastructure.”4 CISA serves two roles: first, as the operational lead for federal cybersecurity – protecting federal civilian government networks – in close partnership with the Office of Management and Budget (OMB), and second, as the national coordinator for critical infrastructure security and resilience. It is committed to working with partners across government and industry to defend against major cyber threats.

4  Previously, the National Protection and Programs Directorate (NPPD), under the DHS’s supervision, oversaw the implementation of policies on CIP. The US Computer Emergency Readiness Team (US-CERT) has also been incorporated into CISA.

The CIP policy direction and approach described above continued until 2020, when major attacks were waged on the U.S. software supply chain, with subsequent information leakage from federal government agencies, followed by the ransomware attacks on Colonial Pipeline and JBS S.A. In response, the federal government enhanced the cybersecurity level of the industrial control systems (ICS) of the CIs and improved its software supply chain risk management by making the reporting of cybersecurity incidents mandatory.
2.1.2 Prevention and protection

In principle, the government relies on voluntary standards based on comprehensive CIP laws, which encompass various aspects, from the support of cybersecurity services and technologies, the dispatch of cybersecurity experts, and the provision of instructions, guidelines, and advice to the education and training of CI entities. For specific sectors, however, the federal government has adopted a policy enforcement scheme that continuously manages and supervises CIs to ensure their compliance with sectoral regulations. Examples include the energy, finance, and nuclear energy sectors. Concurrently, the CI entities are responsible for identifying potential risks to their CIs, analyzing them ex ante, and devising measures to mitigate them. In doing so, the relevant international standards5 or guidelines published by other organizations such as the National Institute of Standards and Technology (NIST), CISA, and information sharing and analysis centers (ISACs) can serve as useful reference points. However, since the development of cybersecurity measures is highly context-dependent, the operating environment of the respective industry sectors as well as the organizational environment of the CI entities may need to be taken into consideration. For example, in the U.S. electricity sector, the CI entities that generate and distribute electricity are required to adopt the Electricity Subsector Cybersecurity Risk Management Process developed by the Department of Energy (DOE) in collaboration with NIST, the North American Electric Reliability Corporation (NERC), and representatives of the private sector. Taking note of this, the CI entities can prepare measures to evaluate their current cybersecurity and risk management systems against the power sector’s Cybersecurity Capability Maturity Model (C2M2). In addition, the entities that operate and manage the bulk electric system (BES) are required to comply with the NERC CIP standards, such as the security requirements and implementation methods for protecting cyber assets.

5  ISO/IEC 27000 family of information security standards; ISA/IEC 62443 series of standards. The ISA/IEC 62443 series of standards defines requirements and processes for implementing and maintaining electronically secure industrial automation and control systems (IACS).

2.1.3 Response and recovery

To manage and monitor cyber incidents that can potentially harm national security, foreign relations, the economy, or public health, the DHS developed the National Cyber Incident Response Plan (NCIRP) to mobilize federal agencies, SLTT governments, and CI entities in responding to incidents systematically, following a consistent set of principles. Moreover, CISA periodically conducts a cyber simulation exercise called “Cyber Storm” to check the capacity and effectiveness of the response to a cyber crisis affecting the national CIs. In practice, if a CI entity recognizes a cyber incident such as a ransomware attack, it must report it to the DHS under the Cyber Incident Reporting for Critical Infrastructure Act of 2022. CISA operates information tools that constituents can use to report incident information and to access information-sharing products, such as Automated Indicator Sharing (AIS), which enables the real-time exchange of machine-readable cyber threat indicators and defensive measures with both public and private partners. In 2023, CISA formally retired the US-CERT and the Industrial Control Systems CERT (ICS-CERT) by integrating the operational content previously provided by the two separate channels into one website.
2.2 Germany

2.2.1 CIP policy structure and governance

The CIP policy governance in Germany is essentially twofold: national-level policies implemented by the German federal government and regional policies at the EU level that set the wider policy framework with which the German government is required to comply as a member country.

At the national level, the German federal government recognized the importance of critical infrastructures (KRITIS in German6) and the increased dependence of facilities on IT. In 2005, the Federal Ministry of the Interior (BMI) established its first CIP policy by announcing the National Plan for Information and Communication Infrastructure Protection (NPSI). It is a comprehensive strategy for IT security that presents three strategic goals and detailed objectives for prevention, response, and sustainability. An official definition of CI was coined in 2009 by the National Strategy for Critical Infrastructure Protection (hereinafter CIP Strategy) as “organizational and physical structures and facilities of such vital importance to a nation’s society and economy that their failure or degradation would result in sustained supply shortages, significant disruption of public safety and security, or other dramatic consequences.” To facilitate implementation, the CIP Strategy set out three strategic objectives of German CIP policies: prevention, response, and sustainability. The strategy also stresses the need for intensive cooperation and coordination among relevant partners and players in the CIP policy ecosystem and the need to optimize the legal framework to serve that purpose. On implementation, the strategy lays out an “implementation procedure” that includes “work packages” led by the public sector in collaboration with private entities, as well as a set of policy instruments to achieve the strategic aims. Overall, the CIP Strategy signaled the country’s shift from an initially limited focus on the security of information and communication infrastructure to an all-hazard CIP policy.

6  In German, kritische Infrastrukturen.

Furthermore, the government published the Cyber Security Strategy and Digital Agenda 2014–2017, which aims to strengthen cybersecurity regulations and improve the IT security level of the federal government and CI, including data protection. The IT Security Act of 2015 was the first outcome of the agenda, presenting a uniform legal framework for cooperation between the government and private actors on improving the security and protection of IT systems and services. The Act stipulates two key requirements for CI operators: maintaining a minimum security level and setting up regulatory reporting; the statutory order pursuant to a section of this Act defines the critical infrastructures in more detail (Federal Office for Information Security [BSI] KRITIS Regulation or BSI-KRITIS Ordinance). In 2021, the Act was updated to the IT Security Act 2.0, adding the waste management sector to the group of potential CI operators and expanding the target groups. In addition, the Act changed the criteria for designating a CI system, such as the strategic supply threshold, and expanded the scope of existing CIs and CI entities by adding new asset types. It has also mandated the CI entities to submit evidence of organizational and technical measures for the CIs in their jurisdictions to the Federal Office for Information Security (hereafter BSI) and to report incident information to the BSI during IT failures or other incidents.

In terms of the relevant public authorities on CIP, the BMI oversees national cybersecurity and CIP policies while closely interacting with federal departments, such as the Federal Ministry of Defence (BMVg), the Federal Ministry for Economic Affairs and Climate Action (BMWK), and the Federal Network Agency (BNetzA), that govern the relevant sectoral policies. Closer to CIP and at the operational level is the BSI, which manages a communication structure with relevant stakeholders and oversees national cybersecurity practices, in particular the collection and analysis of cybersecurity-related information. Its activities include protecting CI from IT system failures and cyber incidents, providing cybersecurity-related information, security consulting, developing standards, and supporting cyber crisis responses.

Other public bodies serve different roles that are indirectly related to CIP, considering its cross-cutting nature. The Federal Criminal Police Office (BKA), which also sits within the BMI, investigates the e-government functions, analyzes cybercrime cases, and performs international cooperation activities. The Federal Office for the Protection of the Constitution (BfV) is responsible for collecting domestic cyber threat information, while the Federal Office of Civil Protection and Disaster Assistance (BBK) supports citizens with an information system during state emergencies due to natural disasters and through partnerships between the federal and state governments.

As a member state of the EU, Germany has a CIP policy structure that is largely shaped and influenced by the overarching framework set by the European Commission (EC). The EC has sought to significantly upgrade the EU’s rules on the cybersecurity and resilience of CIs.
The two key directives were entered into force, which are, the directive on measures for a high common level of cybersecurity across the EU (Network and information Security [NIS] Directive) and the directive on the resilience of critical infrastructures (Critical Entities Resilience [CER] Directive). In 2016, the EU introduced the Network and Information Security (NIS) Directive as the first piece of EU legislation to ensure a consistent approach to cybersecurity “with a view to achieving a high common level of security of networks and information systems within the Union so as to improve the functioning of the internal market.”7 The main purpose is to harmonize national cybersecurity capabilities and foster cross-border collaboration and supervision of critical sectors8 across the EU; the European Union Agency for Cybersecurity (ENISA) is the directive’s main implementing agency. The NIS 2.0 entered into force in 2022, thereby adding a few additional aspects to be addressed and updating existing standards and baselines for CIP (Box 2-1); the Member States must transpose its measures into national law by October 2024. More recently in January 2023, the Critical Entities Resilience (CER) Directive replacing its 2008 edition entered into force, which defines a list of essential services in the 11 sectors.9 While the NIS 2.0 has an explicit focus on cybersecurity, the CER Directive aims to create an overarching framework that addresses the resilience of CIs in respect to all types of hazards, including natural hazards, terrorist attacks, insider threats, or sabotage. Member States must comply with the Directive by July 2026 and identify the list of critical entities in the sector. The list is then used to carry out risk assessments, based on which entities are required to take measures to enhance resilience. 
Germany has been a firm advocate of the regionwide application of cybersecurity rules as demonstrated by their high level of implementation of the NIS 1.0 Directive. The Directive was also implemented as part of the IT Security Act 2.0. Also, in response to the renewed CER Directive, BMI recently announced its draft umbrella act for critical infrastructure protection (KRITIS Umbrella Act) where they are currently receiving comments from the federal states and relevant associations. The Umbrella Act is expected to provide standardized rules for the physical protection in the aforementioned 11 sectors and set out the minimum standards to be complied with by the CI entities while imposing mandatory reporting of significant incidents. 2.2.2 Prevention and protection In principle, CI operators are responsible for cybersecurity risk management of CIs in Germany through the establishment and operation of autonomous security systems. Nevertheless, BSI intervenes to verify the overall scope of CI as well as to assess the adequacy and effectiveness of the implemented measures through audits so as to ensure the minimum security level is achieved. As mentioned above, the IT Security Act 2.0 has expanded the BSI’s supervising authority and imposed stricter legal obligations on the CI operators. 7  Directive (EU) 2016/1148 of the European Parliament and of the Council of July 6, 2016, concerning measures for a high common level of security of network and information systems across the Union. 8  Energy, health, transport, banking, digital infrastructure, financial market infrastructures, and drinking water supply and distribution. 
[9] Directive (EU) 2022/2557 of the European Parliament and of the Council of December 14, 2022, on the resilience of critical entities and repealing Council Directive 2008/114/EC (Text with EEA relevance); the 11 sectors are: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space, and food.

Box 2-1. Network and Information Security (NIS) 2.0 and its policy implications

NIS 2.0, which replaces the NIS Directive of 2016 (hereinafter NIS 1.0), seeks to improve the existing cybersecurity structure. The significance of this new set of rules is that it:
• Creates the necessary cyber crisis management structure (the European Cyber Crisis Liaison Organisation Network, CyCLONe)
• Increases the level of harmonization of security requirements and reporting obligations
• Encourages Member States to address new areas such as supply chain security, vulnerability management, the core internet, and cyber hygiene in their national cybersecurity strategies
• Introduces novel mechanisms such as peer reviews to enhance collaboration and knowledge sharing among Member States
• Covers a larger share of the economy and society by including more sectors
Compared to NIS 1.0, NIS 2.0 applies to a larger group of CI entities by introducing a size-cap rule as the general method for identifying regulated entities. Whereas under NIS 1.0 the Member States were responsible for determining which entities qualified as operators of essential services, all medium-sized and large entities operating within the defined sectors or providing the defined services now fall under the scope of the law. It also expands reporting obligations and imposes a stricter risk management approach.
Upon becoming aware of a “significant incident,” CI entities must issue an early warning to the competent authority within 24 hours, submit an incident notification within 72 hours, and deliver a final report no later than one month after the notification. Furthermore, NIS 2.0 requires individual companies to address cybersecurity risks in their supply chains, including ICT supply chains, more closely. After consultation with ENISA and the Commission, the NIS Cooperation Group is tasked with carrying out coordinated risk assessments of critical supply chains. The criteria by which the criticality of a supply chain is determined have not yet been provided, apart from the Directive’s reference to the EU toolbox for 5G security as a model procedure. In essence, they will be determined by political consensus on not only the technical aspects of the ICT services in question (e.g., extent of use, level of dependence, importance in performing critical functions, availability of alternatives, resilience to disruption throughout the whole life cycle, and future significance) but also non-technical factors that may affect the provision of those services, such as undue influence by a third country on ICT suppliers and service providers. Source: ENISA.

One of the prevention measures within the overall risk management scheme is the information security management system (ISMS). CI entities can design their ISMS according to the IT security standards of the BSI (the IT-Grundschutz methodology), other domestic and foreign cybersecurity standards such as the NIST Cybersecurity Framework (NIST CSF) or ISO/IEC 27001, or sectoral industry standards. They also need to be able to respond appropriately to attacks by establishing a systematic process for detecting and responding to cyber threats, including security information and event management (SIEM), intrusion detection systems (IDS), a computer security incident response team (CSIRT), and an incident management process.
Moreover, CI operators that exceed the thresholds of the BSI-KRITIS Ordinance (BSI-KritisV) are required to submit compliance documents and audit evidence every two years. The documentation of these measures should describe the system, the essential services provided by the CI operator, the essential services provided by external providers (e.g., through outsourcing or through parent/subsidiary groups), the interaction with other systems, and the interfaces with or dependencies on other systems. If flaws are detected during the audit, the CI operator may be asked to take corrective action. The process allows the auditors to check whether CI operators are fulfilling the cybersecurity requirements.

2.2.3 Response and recovery

The IT Security Act 2.0 requires CI operators to designate a point of contact for communication with BSI. In the event of a cyber incident that could seriously affect the CI’s provision of essential services, operators must follow their incident response procedures and report the incident to BSI. With the amendment of the IT Security Act, the sectoral laws governing CIs, such as the Energy Industry Act and the Telecommunications Act, were also revised to oblige operators in those sectors to report to BSI. The information submitted includes general information on the incident, the IT disruption and its cause, and any other details of an IT attack; the reports are collected on the BSI website and shared with other operators and competent authorities under the Traffic Light Protocol (TLP), which marks each item with the audience it may be passed on to. BSI can also require the manufacturers of the IT products and information systems concerned to cooperate. In addition, in line with the EU’s NIS Directive, digital service providers (DSPs) and providers of public telecommunications networks must report serious incidents, including data leaks, to BSI.
2.3 Republic of Korea

2.3.1 CIP policy structure and governance

Korea’s dependence on information and communication systems increased steadily through the 2000s, and cyber policy developed alongside it. Most notably, in 2001 the Act on the Protection of Information and Communications Infrastructure (hereafter the CIP Act) was enacted as a comprehensive legal framework that sets out the overall governance structure for CIP, the process for designating and analyzing CIs, protection measures and technical support, and the modes of private-sector cooperation. The volume and political significance of cyber threats grew rapidly, and in 2013 three major Korean banks and two of the largest broadcasting companies were paralyzed by large-scale cyberattacks. This triggered the preparation of the 2013 National Comprehensive Plan for Cybersecurity. The plan established four pillars for cybersecurity development: enhancing prompt response systems against cyber threats, building smart cooperative systems between the relevant authorities, improving the robustness of the protection of cyberspace, and applying creativity to cybersecurity. The plan serves as the basis for the implementation plans established by each ministry. In 2015, the government sought to consolidate the policy framework by creating a focal point for cybersecurity policy making and coordination: a cybersecurity expert was appointed as presidential special advisor on national security within the National Security Office (NSO). The focus at that point was on providing a blanket of information security rather than an overarching strategy and institutionalized policy for cybersecurity. In 2019, the NSO published Korea’s National Cybersecurity Strategy, setting out the country’s mid- to long-term policy directions for national cybersecurity.
The strategy establishes three strategic objectives, namely ensuring the stable operation of the state, responding to cyber threats, and building a strong cybersecurity foundation, and six strategic tasks, the first of which is to “increase the safety of the national core infrastructure.”[10] In terms of implementing authorities, each CI is assigned to its relevant central administrative agency, while the scope of the underlying information and communication infrastructure (the IT/OT systems and networks that compose the CI) is evaluated and defined according to the criteria laid out in the CIP Act. Unlike the other benchmark countries, which define specific CI sectors, Korea identifies management organizations, in both the public and private sectors, that are responsible for maintaining national security, the economy, and society.

[10] The other five strategic tasks are: enhancing cyber attack response capabilities; establishing governance based on trust and cooperation; building foundations for cybersecurity industry growth; fostering a cybersecurity culture; and leading international cooperation in cybersecurity.

The Committee for Protection of Information and Communications Infrastructure, under the Prime Minister’s Office, oversees the making and implementation of CIP policies in Korea. The Committee allocates tasks to the relevant ministries and coordinates their work, seeks to improve the functions of CIP-related institutions, and decides on the designation and de-designation of CIs. For efficient operation, the Committee runs two working committees, one for the public sector led by the National Intelligence Service (NIS) and one for the private sector led by the Ministry of Science and ICT (MSIT).
The relevant central administrative agency supervising a CI establishes guidelines for its protection so that CI entities can effectively carry out the protection activities stipulated in the CIP Act; these guidelines specify the preventive system, information security measures, and response and recovery system to be implemented by the CI management organizations, as well as the scope of support for information protection activities.

2.3.2 Prevention and protection

CI entities are required to conduct vulnerability assessments of their CIs, on the basis of which they establish and implement protection measures to mitigate cyber risks. The vulnerability assessments are planned according to the Standards for Vulnerability Assessment under the CIP Act, from which CI entities derive specific checklists in three categories: organizational, physical, and technical. Items with a “high” priority are inspected annually, while “low”-graded items may be inspected at the CI entity’s discretion, taking its operational environment into account. The results of these annual assessments feed into the entity’s protection measures for the following year. Concurrently, the NIS and MSIT develop and distribute the Guidelines for Establishing CI Protection Measures and Plans in advance every year. These guidelines define the types of cyber risks for which CI entities must develop protection measures; the entities then submit those measures to the relevant ministries and agencies. The measures are reviewed by the central authorities, which then establish comprehensive CI protection plans. The plans also include detailed tasks for the following year, covering both the strategic aspects of defining and setting goals and their implementation. Korea is unique in this respect in that its ministries and agencies maintain a relatively tight loop of interaction compared with other countries.
This is partly because a larger share of CI entities is operated by public authorities, in contrast to Japan and the United States, where most CI entities are privately owned. For instance, the Korea Electric Power Corporation (KEPCO), Korea’s integrated electricity utility, has established protective measures in line with the CIP Act, which designates its design-related information systems as “critical information infrastructure” (Box 2-2). Likewise, the Korea Water Resources Corporation (K-Water) has established its own safety management masterplan and operates an Information Security Center in charge of protecting the corporation’s information and communication infrastructure, establishing security strategies, and protecting personal information (Box 2-3). Given the relative dominance of publicly owned CI entities in developing countries, the Korean experience, in which the government has assumed a leading role in shaping CIP policy, can be a useful reference. In addition, the NIS and MSIT can determine whether CI entities have implemented the measures to protect critical information and communications infrastructure, request the submission of the data needed to check implementation, and verify the details of the protection measures. The results are reported to the Committee for Protection of Information and Communications Infrastructure, which recommends corrective actions to the management organizations. See Figure 2-2 for a summary of the process.

Box 2-2. KEPCO cybersecurity operations center

KEPCO is an integrated electricity utility that generates, transmits, and distributes electricity in Korea. It is responsible for 93% of Korea’s electricity generation, and the government owns a 51% share of KEPCO.
Following the government’s designation of its design-related information systems as CIs in 2016, KEPCO opened a cybersecurity operations center, which began full-scale operation the same year. The center is equipped with video monitoring facilities that can track and disseminate situational information on security threats and leaks of technical data in real time. Furthermore, KEPCO has deployed dedicated monitoring personnel to strengthen its capacity to respond to internal data leaks. Source: KEPCO.

Box 2-3. K-Water safety management masterplan and actions

K-Water is a government agency responsible for water resource development and the provision of public and industrial water in Korea. It first established its Enterprise Risk Management (ERM) system in 2007 and adopted a comprehensive safety management plan (hereafter the masterplan) in 2016. The masterplan updates the existing safety management system in three directions:
• Reinforcing the control tower function for disaster management
• Establishing safety management focused on prevention
• Enhancing the actual capabilities to respond to crises
The Information Security Center under the Information Security Department is a dedicated body of nine information security personnel in charge of protection activities. The CIP Act designates three facilities managed by K-Water – the dam flood warning system, the integrated power generation and operation system, and the integrated waterworks operation system – as critical information infrastructure; the center carries out the annual vulnerability assessments based on the government guidelines and supports the establishment of protection measures based on a comprehensive security diagnosis. More recently, in 2021, the Safety Innovation Department was established under the Planning Division to strengthen the aforementioned “control tower function” and consolidate the company-wide command system.
The department is placed under the direct control of the president and is tasked with establishing safety management master plans, revising risk management manuals, inspection measures and training, and creating the industrial safety management portal system to prevent accidents from impacting the facilities managed by K-Water. Source: K-Water.

Figure 2-2. Cybersecurity Risk Management Procedures for CI in Korea
[Figure: a flow diagram with four actor columns – the Committee for Protection of Information and Communications Infrastructure, the relevant ministries or agencies, the CII entity, and the NIS & MSIT – across four stages:
• Designation: self-evaluation; preparation of the infrastructure designation draft; recommendation for infrastructure designation; deliberation and resolution of the infrastructure designation draft; designation of infrastructure.
• Vulnerability assessment: analysis and evaluation of physical, technical, and managerial inspection items, with assessments carried out by the Korea Internet & Security Agency (KISA), information sharing and analysis centers (ISACs), enterprises specializing in information security services, and the Electronics and Telecommunications Research Institute.
• Protection plan: guidelines for the development and distribution of protection measures; setting up of the protection plan; protection plan submitted; coordination of the protection plan; deliberation and resolution of protection plans and planning.
• Implementation: implementation of the protection plan; inspection of the protection plan; examination of the implementation of the protection plan.]
Source: NIS, MSIT, MOIS, PIPC (Personal Information Protection Commission), FSC (Korean Financial Services Commission), and MOFA (Ministry of Foreign Affairs) 2021, p. 71, modified.

2.3.3 Response and recovery

The relevant ministries and agencies can require CI entities to comply with requirements for establishing a communication system that promotes the notification of incidents and an efficient incident response system.
On these requests, CI entities identify possible cyber threat scenarios, establish cyber crisis response manuals and plans that define the scope of responsibility of each actor, and set out reporting and recovery procedures. Moreover, CI entities take part, at least once a year, in the training conducted by the relevant departments: exercises on responding to malicious emails and distributed denial-of-service (DDoS) attacks, disaster recovery exercises that let practitioners rehearse the protocol, and activities such as updating the cyber crisis response manual. When a CI has been disrupted, paralyzed, or destroyed by a malicious-code infection, the CI entity is expected to report the incident. In particular, details of the malicious code must be reported to the relevant ministries and agencies, such as KISA, so that they can provide the necessary support. In the case of a widespread intrusion, the Committee may convene the Headquarters for Countermeasures against Intrusion Incidents in Information and Communications Infrastructure to take emergency measures and provide technical support, damage recovery, and other necessary steps. Voluntary sharing of cyber threat information can serve as a preemptive measure that speeds the recovery of CIs from cyber incidents. This was not a common practice among private companies and CI operators, which made active use of such data nearly impossible. As a result, the National Cyber Security Strategy made the establishment and activation of a national information-sharing system one of its strategic tasks.
The National Cyber Security Strategy established a national-level information-sharing system that encompasses the private, public, and defense domains so that cyber threat information can be shared quickly; maintains the confidentiality of that information; and prepares legal means to protect privacy in the process of information sharing. Accordingly, the National Cyber Security Master Plan established specific policy measures so that private companies and organizations can voluntarily participate in cyber threat information sharing. Information belonging to private companies can only be accessed under exceptional conditions necessary for national security or criminal investigation, in order to protect the fundamental privacy rights of the public. The Korean government has encouraged the establishment of ISACs, preparing the legal grounds for financial and technical support. The government has also developed and operates a real-time cyber threat information analysis and sharing platform (C-TAS).

2.4 Japan

2.4.1 CIP policy structure and governance

In 2000, Japan initiated its CIP policy-making process with the adoption of the Special Action Plan on Cyber-terrorism Countermeasures for Critical Infrastructure. It signaled the official promotion of security policies focused on protecting seven sectors, including information and communications, finance, aviation, and railways, from cyber incidents. In 2005, the Action Plan was translated into the Implementation Plan for Measures for Information Protection of Critical Infrastructure, and in 2017 the fourth revision of the policy framework was made to promote CIP policy. Building on this, the Action Plan for Critical Information Infrastructure Protection covers the establishment of national cybersecurity policies (e.g., the Basic Act on Cybersecurity and the Cybersecurity Strategy), CI operation, and the overall cybersecurity environment.
The plan can thus be seen as setting the fundamental direction of the Japanese government’s cybersecurity policies for CIP. Whereas the first three versions of these plans formed the basic policy structure of CIP, the fourth plan brought IT/OT and IoT within its scope as operating environments supporting the provision of CI services. In addition, the fourth Action Plan addresses not only cyber risks but also physical events resulting from negligence, system vulnerabilities, device failures, and natural disasters. Nevertheless, the focal point of the plan remains the cybersecurity components of these risks. The fourth Action Plan defines the concept of “mission assurance,” which sets the fundamental policy direction for subsequent cybersecurity strategies. Mission assurance means that each CI entity is responsible for ensuring the stable provision of its CI services and should take the measures necessary to protect its CIs. Based on this concept, the purpose of CIP in Japan is to ensure the safe and continuous provision of services, and the Basic Act on Cybersecurity mandates that the roles and responsibilities of CI entities be defined to serve that purpose. The government is expected to support them, and CI operators and related stakeholders are encouraged to form a close system of cooperation to protect their CIs from various risks. In Japan, the Cybersecurity Strategic Headquarters (hereinafter the HQ), which sits within the Cabinet, establishes the wider framework for national cybersecurity and CIP cybersecurity policies. It was created in 2014 to “effectively and comprehensively promot[e] cybersecurity policies,”[11] and has a dedicated Critical Infrastructure Expert Panel to advise on issues related to CIP.
The National Center of Incident Readiness and Strategy for Cybersecurity (NISC), established in 2015, serves as the HQ’s secretariat, with a mission to “coordinat[e] intra-government collaboration and promot[e] partnerships between industry, academia, and public and private sectors.”[12] NISC is also responsible for the practical aspects of policy making. It coordinates CIP cybersecurity policies with private companies and local public organizations, the relevant ministries,[13] and cyberspace operators such as providers of IT and cybersecurity products and services. Furthermore, it provides stakeholders with information on large-scale incidents based on its own analysis, maintaining strategic partnerships with organizations such as the Information-technology Promotion Agency (IPA), the JPCERT Coordination Center (JPCERT/CC), the National Institute of Information and Communications Technology (NICT), and the National Institute of Advanced Industrial Science and Technology (AIST).

[11] NISC. https://www.nisc.go.jp/eng/index.html.
[12] Ibid.

2.4.2 Prevention and protection

The ministries develop standards that define information security measures along the “Plan-Do-Check-Act” cycle, by reference to the HQ’s Guidelines for Establishing Safety Principles for Ensuring Information Security of Critical Infrastructure. Concurrently, NISC and the ministries help CI entities strengthen their cybersecurity capabilities by raising awareness of information protection measures and providing information on the security measures[14] needed at each stage. If necessary, they can establish safety regulations for specific CI sectors requiring CI operators to carry out cybersecurity activities, such as information security audits and penetration tests in the power sector.
Moreover, the education and training programs target specific groups, such as the management of CI entities and cybersecurity managers and practitioners, and are offered at three levels: elementary, intermediate, and advanced. The aim is to provide practical education and training that raises management’s awareness of cybersecurity and improves cybersecurity knowledge and skills.

2.4.3 Response and recovery

The Japanese government officially introduced the concept of resilience in its Third Action Plan and established policies focusing on the IT/OT convergence environment and post-incident response plans. Accordingly, the Guidelines for Establishing Safety Principles for Ensuring Information Security of Critical Infrastructure lay out three cybersecurity activities CI operators should perform: introducing and implementing information security measures, responding to CI service failures, and conducting training. First, the information security measures aim to raise the system’s readiness against events that cause CI service failures: the system should be able to detect events that may compromise the quality of the services delivered, analyze their impact, respond quickly, and make use of risk information. Second, contingency planning and business continuity planning ensure the continuous and stable provision of CI services even after an incident occurs; to that end, the Guidelines encourage the formation of a specialized team within the organization, such as a CSIRT. Lastly, cyber exercises aim to strengthen the capabilities of the staff in charge of incident response. The Fourth Action Plan focuses on establishing an effective incident response system through cross-sectoral exercises led by NISC and the ministries responsible for CI, or sectoral exercises led by each sector’s Capability for Engineering of Protection, Technical Operation, Analysis and Response (CEPTOAR).
Overall, the Japanese government prioritizes policies that strengthen and promote information sharing, so that NISC, the ministries, and CI operators can respond quickly to events affecting CI services. Information sharing between CI operators is explicitly defined. Once NISC has received all information on cyber risks and disasters, it analyzes the reported items and provides the results to ministries, agencies, and private companies. In addition, the Cyber Security Council was established as a cyber threat information sharing platform in which government agencies, CI operators, and academia voluntarily participate.

[13] The CI ministries are: the Financial Services Agency (finance); the Ministry of Internal Affairs and Communications (information and communication, and local public organizations); the Ministry of Health, Labour and Welfare (medical services and water supply); the Ministry of Economy, Trade and Industry (electricity, gas, chemicals, credit, and petroleum); and the Ministry of Land, Infrastructure, Transport and Tourism (air travel, airports, railways, and logistics). Under the Fourth Action Plan, the CI ministries support five CIP cybersecurity policy areas: (1) maintenance and promotion of safety principles, (2) enhancement of the information-sharing system, (3) enhancement of incident response capability, (4) risk management, and (5) preparation of incident readiness and enhancement of the basis for CIP.
[14] For instance, the security requirements for information security management system (ISMS) or cyber security management system for industrial control systems (CSMS) certification, and the IoT security guidelines.
2.5 Singapore

2.5.1 CIP policy structure and governance

Earlier than most other countries, Singapore officially recognized that cyber risks can have significant economic and societal impact, including on critical infrastructure, and the government has worked to improve its cybersecurity capabilities at the national level. In 2005, the government established the first Infocomm Security Masterplan to lay the foundation for CIP and strengthen CI security and resilience. With the emerging need for more active responses to advanced cyber threats at the national level, Singapore then enacted a comprehensive law with a risk-based approach, while granting the authorities sufficient flexibility to address the unique circumstances of, and prepare regulations for, each sector. In 2018, the government defined a list of essential services and established the legal framework for CIP by enacting the Cybersecurity Act 2018. Furthermore, in 2019 the Cyber Security Agency of Singapore (CSA) announced the OT Cybersecurity Masterplan to promote the development of human resources and strengthen the processes and technologies of CI owners and other organizations operating OT systems. The Cybersecurity Act provided a legal framework for the national cybersecurity agenda and elevated the authority of CSA beyond what the existing Computer Misuse and Cybersecurity Act provided. It also establishes an information-sharing framework and a licensing framework for cybersecurity service providers. Together, the Masterplan and the Act set the direction of CIP policy and divide its beneficiaries into the government and CI owners. In addition, the government established programs for all CI sectors to evaluate the security status of CI owners, manage cyber risks more systematically, and require incident response arrangements such as business continuity plans so that services can continue in the event of an incident.
Fostering collaboration with the private sector, including CI operators and the cybersecurity community, is another critical pillar of the policy. Established in 2015, the CSA sits under the Prime Minister’s Office and is managed by the Ministry of Communications and Information. Tasked with protecting the country’s cyberspace, one of its core missions is to protect CIs and ensure the continuous delivery of essential services in the sectors identified by the government: utilities (e.g., electricity, water, telecommunications), transport (e.g., maritime, air, rail), and services (e.g., finance, government administration). To do so, the CSA develops the country’s cybersecurity policies, investigates large-scale cyber incidents, regulates cybersecurity-related matters, and promotes international cooperation. It also coordinates with other stakeholders, including the supervisory and regulatory agencies for each CI sector. The CSA can require sectoral regulators such as the Infocomm Media Development Authority, the Ministry of Home Affairs, and the Monetary Authority of Singapore to carry out risk management duties with respect to private companies under sector-specific regulations. Where computers or computer systems necessary for the continuous delivery of an essential service defined by the Act meet the CI designation criteria, the Commissioner of Cybersecurity designates them as CI, and the CI operators then bear the corresponding legal obligations and responsibilities.

2.5.2 Prevention and protection

Private companies may build systems to deal with potential risks according to the standards and guidelines set by the supervisory and regulatory agencies in their sector.
However, organizations designated as CI operators are legally bound to establish minimum cybersecurity measures under CSA’s Cybersecurity Code of Practice for CI (CCoP) and may be subject to additional protection measures if the authorities deem them necessary. The CCoP presents a comprehensive set of requirements spanning governance through incident response and recovery. It mandates the establishment of a dedicated cybersecurity team within a CI operator as well as an organization-level cybersecurity risk management framework. If such measures are considered insufficient, the Commissioner heading the CSA can issue a written direction to the CI operator. Under the regulations, CI operators must conduct a cybersecurity risk assessment at least once a year and submit the risk assessment report to the Commissioner within 30 days of its completion. After reviewing the report, the Commissioner may instruct the CI operator to further verify its cybersecurity status or may designate a service provider to conduct a risk assessment of the CI operator. Furthermore, CI operators must have an audit of their CI conducted at least once every two years and submit the results to the Commissioner within 30 days of its completion. If the Commissioner finds the audit insufficient, the CSA may appoint a cybersecurity auditor to conduct an additional audit, at the CI operator’s cost. On human resources, the government has promoted relevant policies since the adoption of the Infocomm Security Masterplans in 2005. Overall, these policies aim to raise cybersecurity awareness among government agencies, CI operators, private companies, and individuals. In parallel, the government runs education and training programs to develop the necessary knowledge and skills.
Furthermore, the CSA Academy provides customized cybersecurity training courses, including on operational technology, in cooperation with higher education institutions and private companies, while the Cyber Security Associates and Technologists programme trains ICT and engineering professionals.

2.5.3 Response and recovery

The CI operators have legal obligations under the Cybersecurity Act to establish a cyber incident response system, report cyber incidents, and participate in cybersecurity training. The CCoP sets the minimum requirements for three components: incident management, crisis communication plans, and cybersecurity exercises. To ensure successful management of cyber incidents, the CCoP mandates the establishment of a Cybersecurity Incident Response Plan. The Plan in turn establishes a Cybersecurity Incident Response Team (CIRT), an incident reporting structure, and the communication and coordination structure that ensures the timely escalation of cybersecurity incidents to both the CIRT and the CI operators. The Plan also sets engagement protocols with relevant stakeholders, including external parties, and a communication plan. In parallel, the CI operators are required to establish a crisis communication plan to provide relevant information to stakeholders and customers, and to conduct scenario-based cybersecurity exercises to validate their planning and operational capabilities. A review of the CIRT, crisis communication plans, and cybersecurity exercises is conducted once a year.

2.6 Findings from the country case studies analysis

This chapter analyzed the CIP policies of the five countries from three inter-related aspects: (1) structure, governance, and PPPs on CIP policy; (2) CI prevention and protection against cyber threats; and (3) response to and recovery from cyber incidents. Three common characteristics can be derived, as described below.
First, the governments have identified the essential assets constituting their CIs in order to mitigate the impacts of cyber risks on CI. Based on the analysis and assessment of possible risks, the governments established and implemented appropriate cybersecurity measures. Specifically, the CI entities are tasked with developing and implementing risk management programs to safeguard CI, selecting appropriate protection measures for their operating environments, and conducting periodic cybersecurity exercises. With such practices come legal obligations for the CI entities, which need to maintain a minimum level of security or adopt the cybersecurity standards and guidelines developed for them.

The second finding is that these countries have introduced the concept of resilience in their CIP policies. In the event of cyber incidents such as a ransomware attack, system defect, or system interruption, CI entities are required to detect them as quickly as possible, report them in due course, and recover the services or functions to their normal operating level in accordance with the established crisis management system. The governments have also leveraged PPPs to jointly respond to incidents. Moreover, the governments have prepared the regulatory structure to promote cyber threat information-sharing in the private sector, stipulated information-sharing procedures in relevant laws, and built and operated information-sharing programs for CI entities or interactive real-time information-sharing platforms.

Lastly, all five countries are actively operating PPPs. They have organized several types of PPPs, including committees with private sector actors participating in the CIP policy making process, information sharing and analysis centers, and initiatives to address specific cybersecurity issues such as supply chain security or operational technology (OT) security.
These PPPs allow governments to indirectly shape the protection activities of CI entities, for example through the coordination of CIP policies, the use of private sector skills and expertise in security and resilience, voluntary collaboration by the private sector or local communities, and the development of collective action on cybersecurity risk management.

The lessons derived hold equal significance for developing countries that are embarking on similar paths. As many of them experience massive growth in internet capacity and the use of new technologies, there has been increasing awareness among policymakers of the need to update the policy framework to actively embrace the concept of cybersecurity and resilience in protecting the CIs. As previously mentioned, this is because the cybersecurity of CIs matters for economic stability, public safety, technological advancement, and global interconnectedness. At the same time, developing countries face unique challenges, most notably inadequate legislation and policy to address cybersecurity, without which applying the lessons from the above five countries may be unimaginable. The challenge can also come from structural differences across countries. For instance, in the United States and Japan, the majority of CIs are owned and operated by private entities, whereas in many developing countries most of the infrastructures are government-owned. Furthermore, each country places a different level of political importance on CIP, and building a new policy framework is inevitably shaped to a great extent by the country’s institutional history. Nevertheless, the value lies in the fact that the experiences of the five countries offer a set of policy options that developing countries can refer to in planning paths forward. The five countries share a similarity in that they are early adopters of CIP policy making practices, but the policy processes and measures taken are vastly different.
The following section takes a granular look at each step of the policy making process by taking a life-cycle approach to present the variety of policy approaches among the five countries.

Table 2-2. CIP Policies in selected five countries

| Policy element | US | Germany | Korea | Japan | Singapore |
|---|---|---|---|---|---|
| CIIP policy framework | PPD-21 and EO-13636*, etc., NIPP 2013 and SSPs | IT Security Act 2.0*, CIP Strategy 2018* | Act on the Protection of Information and Communications Infrastructures* | The basic policy of CIIP (CIIP action plans) | Cybersecurity Act |
| Definition and identification of CI | 16 sectors | 8 sectors | Public and private | 14 sectors | 11 sectors |
| Governance (leading authority and coordinators) | CISA | BMI and BSI | CPICI | CSH and NISC | CSA |
| CIP action planning | NIPP 2013 and SSPs | - | Protection plan | CIIP action plans | - |
| Public-private partnerships | CIPAC, ISACs, and National Council of ISAC | UP KRITIS 1) | ISACs | CEPTOARs and CEPTOAR-council | AiSP, ANSES, OT-ISAC, etc. |
| Cybersecurity risk management (cybersecurity and resilience) | NIST CSF, CI sectoral cybersecurity standards | BSI specific for CI, NIST cybersecurity framework, ISO/IEC 27001, etc. | Criteria for analysis and evaluation of vulnerabilities for CI | CI sectoral safety principles, risk management process | Cybersecurity Code of Practice for CI, risk assessment for CI, etc. |
| Cyber supply chain risk management | ICT SCRM 2), NIST C-SCRM program | Control of the use of critical components in the telecom sector | Requirements for product deployment (CC certificate, CMVP 3)) | - | CI supply chain entities |
| Cyber incident and crisis management | Reporting cyber incidents | Reporting IT incidents (IT Security Act 2.0) | Reporting incidents and information sharing on CI | Reporting incidents and information sharing | Reporting cyber incidents and information sharing on CI |
| Information sharing | CISCP, ECS, AIS, etc. | - | C-TAS | - | - |
| Cyber exercises | Cyber Storm | - | DDoS and malicious email exercises | Financial industry-wide cybersecurity exercise (DeltaWall), cross-sectoral cyber exercise, etc. | Cyber exercise for CI |

* Legislation (legal framework or regulatory). The original table also groups the countries under two headings, an All-Hazard Approach and a Cyber-Risk Approach (Enhancing Cybersecurity).
1) UP KRITIS is a public-private partnership between CI operators, their associations, and responsible government agencies.
2) Information and communication technology (ICT) supply chain risk management.
3) Cryptographic module validation program.

Chapter 3. Developing a policy framework for CI security and resilience

This chapter presents several implications for developing a comprehensive CIP policy that would be established and implemented at a whole-of-government level to protect CI from cyber risks. The first part of this chapter defines the fundamental principles of CIP that are universally applicable in all country contexts. It then presents the aspects that deserve policy makers’ consideration in designing such a framework, including governance tasks at the strategic level and CIP activities and capabilities at the operational level. The CIP policy area is continuously evolving, meaning that no single model can offer a definitive solution to guarantee the cybersecurity and resilience of CI. Such policies are also heavily context dependent, and their implementation can vary across different institutional settings and political environments. Therefore, the aim is to support policy makers in configuring the elements of CIP policies suitable for their own environments. The framework suggested in this chapter should be understood as one of the first steps toward comprehensively grasping the essential elements. The second part of this chapter defines the life cycle of a CIP policy and the tasks to be performed by the government at each step of development, implementation, and policy review.
Given that CIP policies are implemented in the form of public policies or as part of national cybersecurity strategies, this chapter extensively explores the policy landscape in which CIP policies are situated. This includes policies designed to enhance the cybersecurity and resilience capacities of government agencies and CI entities.

3.1 Principles for a CIP policy framework

To ensure the security and resilience of CI from cyber risks, governments share their visions and goals with relevant stakeholders and establish strategic objectives to achieve those goals. International entities have been active in building relevant norms to advance discussions on effective CIP policies. Notable steps include the G8 Principles for Protecting Critical Information Infrastructure established in 2003 and the recommendations on CIIP, followed by case analyses, by the Organisation for Economic Co-operation and Development (OECD), primarily in developed countries. The fundamental principles and policy directions are enshrined in national legislation, on the basis of which national cybersecurity policies are designed. The principles for protecting CI are as follows:

1. Appoint leadership for CIP policies and identify each stakeholder (government agencies, CI entities, IT and cybersecurity product and service providers, IT/OT system designers and system integrators) to clarify each role and responsibility.
2. Raise each stakeholder’s awareness and understanding of the types and domains of CI and of the level of responsibility each stakeholder has in order to protect CI, and prepare measures to strengthen cybersecurity management capabilities.
3. Identify the infrastructures that provide and support the essential functions and services of the nation and analyze the inter-dependencies of these infrastructures in order to designate and manage CIs for protection.
4. Recognize the need for cybersecurity risk management for CI, prepare cost-effective CI cybersecurity measures, and build a resilient system for timely response and recovery while minimizing damages in case of an unexpected cyber event that causes service disruption or delay.
5. Build PPPs and operate a platform to share and analyze applicable information so that the public and private sectors can respond in a timely way to cyber threats, vulnerabilities, and cyber incidents on CI.
6. Accommodate cyber crisis management and communication at a national level against cyber crises, and prepare training programs for stakeholders to verify the continuity of CI and of cyber crisis response systems.
7. Protect against new cyber threats through periodic monitoring and reviews in line with the fast-changing components and operating systems of CI and with evolving cyberattack techniques and tactics.
8. Promote research, development, and international cooperation to reinforce CI security and resilience, and encourage the adoption of security technologies certified against national and international standards.

Since these principles are not limited to specific sectors, they apply to all essential CIs related to maintaining national security, the economy, and society. The principles range from those that apply at the strategic level (e.g., CIP governance) to those that apply at the operational level (e.g., cybersecurity risk management, cyber incident and crisis management).

3.2 Development of a CIP Policy Framework

Applying these principles in practice requires the government to rethink the governance challenges at the strategic level on the basis of the principles of CIP. At the operational level, CI entities are accountable for ensuring the uninterrupted operation and safe maintenance of the CI.
They are also required to reinforce security and resilience by establishing an incident response system to mitigate cyber risks and provide continuous services and functions.

3.2.1 Governance Considerations at the Strategic Level

A. Setting up multi-sector governance to secure CI security and resilience

Forming an effective CIP governance system requires a whole-of-government approach that is both cross-departmental and cross-sectoral. To this end, a CIP policy director may be appointed or a committee may be organized to include the responsible ministries that oversee the functions of CI entities. The set of CIP policies co-designed by these stakeholders defines the roles and responsibilities of the respective ministries and public organizations, and the director or the committee is responsible for performance monitoring during the policy making and implementation processes. Concurrently, the government appoints regulators across sectors and for each industry, including administration, finance, electricity, and medicine. In effect, the concerned organizations in the respective sectors, including the CI entities, come under regular monitoring and supervision by the government.

The central and local governments are also CI entities because they own and operate CI directly or indirectly through public organizations and PPPs. Government entities are also users or clients of the essential services of CI, and they must ensure the continuity and reliability of government operations even in the face of incidents. To that end, governments need to identify and coordinate the governmental functions for disaster response, national risk management, and national cybersecurity that are often scattered across different authorities of various industries.

Table 3-1. Examples of CIP Leadership

| Category | Nation | Government | CIP policy |
|---|---|---|---|
| Committee for CIP | Korea | Chairperson: minister for government policy coordination. Members: vice ministers of 19 organizations (MOEF, MSIT, MOFA, MOIS, etc.) | Act on the Protection of Information and Communications Infrastructure |
| CIP coordinator | United States | DHS (CISA) | PPD-21 |
| CIP coordinator | Germany | BMI (BSI) | BSI Act (BSIG), IT Security Act 2.0 |
| CIP coordinator | Japan | NISC | The Cybersecurity Policy for CIP (fourth edition) |
| CIP coordinator | Singapore | CSA | Cybersecurity Act 2018 |

B. Understanding the overall interdependence between or within CI sectors

Prior to making investment decisions for CIP and establishing a set of identification criteria, it is important to fully understand the interdependence of the CI sectors and the impacts any disruption can have on related systems or services. In Korea, for example, the central administration identifies CI operators for “candidate CIs,” and these operators designate and identify specific domains of candidate CIs based on five evaluation criteria, including the national and social importance of the task stipulated in the Act on the Protection of Information and Communications Infrastructure, the information and communication infrastructures dependent on the CI management organizations, and connections to other information and communication infrastructures.

C. Establishing PPPs to share a vision and goal for CIP

With the privatization of some CIs, the private sector has also become responsible for their operation and for the consistent provision of essential services. Therefore, proactive participation of the private sector is necessary, and the sharing of visions and goals for CIP should be extended to them. However, as the government sets the strategic objectives and, subsequently, the measures, CI entities may have diverging views regarding the types and levels of essential services, the minimum levels of security required, and regulations.
Furthermore, the discrepancy in size among the CI entities may determine their levels of interest and participation in shared initiatives. Security interests and investments are common requirements and demands from the management perspective of CIP, but relatively smaller CI entities are not likely to actively invest in security infrastructure due to their limited technological and financial resources. Maintaining a channel of consistent communication and cooperation with stakeholders, including CI entities and IT and cybersecurity product and service providers, can contribute to resolving such issues. An approach with the highest utility for CIP policy makers is building PPPs, which are generally operated through regular meetings and mock exercises. In some countries such as Japan, representatives of CI entities and academic experts participate in the CIP policy making processes.

D. Building trust between governments and CI entities

As seen in the cases of software supply chain attacks and the Log4j zero-day vulnerability, cyber incidents can occur simultaneously across many organizations and their impacts can be far-reaching. Given this, establishing and maintaining a platform to share risk-related information on CI can help governments assess the situation and respond in a timely manner. However, CI entities, particularly those that have experienced leakage of personal or confidential information, may refrain from sharing information out of fear of legal punishment under data protection acts or of consequential damage to their reputation and market competitiveness. To some extent, a legal framework can be used to enable voluntary or obligatory sharing of cyber threat information and to incentivize CI entities to share information by exempting them from legal obligations or offering rewards for security vulnerability reporting. Examples are the U.S. CII Act of 2002 and the Cybersecurity Information Sharing Act of 2015. Furthermore, certain protection measures can prohibit the use of information shared by CI entities for purposes other than those stipulated in the laws, limit the range of information shared by information providers, and ensure the anonymity of information sharers and owners.

E. Determining the policy instruments

Governments select and use policy instruments, such as regulations, sector-specific standards, certificates, incentives, and information sharing on best practices, to achieve the strategic objectives for CIP. According to a survey conducted by the OECD in 2018, among the 22 countries that implemented policies to increase CI resilience capabilities, the most popular policy instruments had the following characteristics: they encourage voluntary participation of CI entities, aim at security awareness enhancement and training, and promote the sharing of best practices. Since such measures are not legally binding, they may obscure the actual compliance standards of CI entities at implementation and depend on the level of proactive participation of stakeholders. In contrast, if the CIP laws and regulations are prescriptive and mandatory, more costs are likely to be incurred. The two approaches present different opportunities; thus, it is important to strike the right balance between mandatory and voluntary frameworks in setting the CIP strategic objectives and defining the whole life cycle of infrastructures. For example, whereas laws and regulations oblige CI entities to fulfill the minimal cybersecurity requirements, governments can supplement the approach by distributing guidelines on cybersecurity risk management to CI entities in a gradual manner to avoid alienating some of them.
These can include a set of checklists or tools to self-evaluate the status and level of cybersecurity and help the entities determine which policy instruments to implement, such as research and development (R&D) and technology transfer.

F. Ensuring accountability of CI entities and monitoring implementation of policies

The level of security and resilience of CI depends on the achievement of the objectives and requirements proposed for CI entities, such as on asset identification and management, risk assessment, vulnerability management, cyber exercises, and supplier management, including third-party or vendor management. Therefore, governments may need to consider policies that ensure the accountability of CI entities and prepare the grounds for securing the necessary human and financial resources. Moreover, policy implementation can be accompanied by appropriate monitoring schemes and action plans that include key performance indicators (KPIs), which can be used to design procedures to evaluate and review the policy implementation. These action plans may need to be updated on a regular basis in order to include newly relevant policies. On this basis, the CI operators would regularly report, conduct security audits, and inspect the measures taken.

3.2.2 CIP Activities and Capabilities at the Operational Level

A CIP policy framework defines the activities that secure the continuous operation of CI in the event of harmful incidents and sets out the measures that can be employed to identify and mitigate the risks. Within the framework, the role of CI entities is particularly important since their capacities directly affect the quality of those activities.
Therefore, the CIP policy director/coordinator and relevant ministries can prepare appropriate policy instruments to support these activities by mandating the adoption of cybersecurity measures and incident reporting, developing and distributing cybersecurity guidelines, offering cybersecurity education and training programs, and sharing information on cyber incidents.

A. Establishing a cyber risk management program for CI

CI entities use information security risk management processes (e.g., ISO/IEC 27005) to identify, analyze, and evaluate possible risks to the CIs and to select appropriate measures to manage those risks to an acceptable level. Based on this, they set up and implement cyber risk management programs that allow them to systematically prepare for unexpected incidents and manage cyber risks in an organized manner. Since the effectiveness of cybersecurity measures may degrade over time, continuous risk management is needed to maintain a consistent level of awareness.

B. Preparing for cyber incidents and ensuring a continuous provision of CI services

CI entities should be able to respond in a timely manner to cyber incidents that may degrade the quality of essential services, and to prevent further damage while reinstating stable CI services or functions. This may include forming a CSIRT in advance and creating a cyber incident response plan that covers response and recovery processes, cyber threat information-sharing measures, cyber crisis communication, and a business continuity plan and contingency plan. CI entities must also assess and improve the effectiveness and practicality of the cyber incident response system through cyber exercises.

C. Strengthening security and resilience capabilities to protect CI under jurisdiction

Effective execution of cybersecurity risk management and cyber incident response activities will ideally be supported by strengthening the security and resilience capabilities of the CI entities, including their workforce, technical, and operational aspects. First, the workforce classification follows the roles and responsibilities of the executives (management), the managers in charge of CI protection, and the staff members in charge of practical security affairs. The management needs activities that can improve security awareness and ensure consistent investment in security, while managers and staff members need to receive appropriate education and training to successfully undertake their respective roles. Second, for the technical and operational aspects, an appropriate cybersecurity risk management program can set up a desirable operating environment for the CI based on national and international standards and the security guidelines of the CI sectors. In the meantime, technical information, such as on cyber incidents and best industrial practices, is to be shared among stakeholders, including the government, IT product and service providers, and other CI entities, in order to improve CIP.

Figure 3-1 presents a summary of the principles of CI protection and the considerations for CIP policy framework development at the strategic and operational levels. Governments can use the CIP policy framework proposed in this report to select any components they need to explore and to design the contents of their national CIP policies accordingly. For example, a comprehensive CIP legislation would ideally include the essential activities for CIP, ranging from the definition and identification of CI, CIP governance, PPPs, and cybersecurity risk management for a CI security and resilience framework as a legal obligation of CI entities, to cyber incident management and information sharing.
Consistent communication and cooperation with stakeholders are vital, considering national cybersecurity and the CI operating environment. Governments may add R&D and international cooperation within the scope of their CIP laws, strategies, or action plans.

3.3 Life Cycle of a CIP Policy

This section revisits the five-step life cycle of a CIP policy from the ITU’s Guide to Developing a National Cybersecurity Strategy (Figure 3-1) and matches each step with the policy practices of selected countries. The steps are intended to operationalize the existing knowledge and experience with CIP policy making rather than to prescribe an ideal path. Many countries’ cases prove that there is no linear path for CIP policy development. Nevertheless, individual country cases that correspond to each of the five steps can present interesting learning experiences for countries that are currently at the initial stages of policy making. Notably, Korea has adopted an incremental approach in developing its CIP policies by institutionalizing a constant feedback loop between the government and CI entities. Among these steps, it is more likely that countries with less-developed CIP policy structures (for instance, see Box 1-3) remain at the first two steps, Initiation and/or Stocktaking and Analysis. These countries may gain the necessary insights by conducting a maturity assessment with the Sectoral Cybersecurity Maturity Model (SCMM) in the industry sectors they prioritize.

Figure 3-1. CIP Policy Framework for Government Policy Makers

Goals and objectives for protecting CI: strengthen the security and resilience of the nation’s CI by managing cyber risks through the collaborative and integrated efforts of the stakeholders.

Strategic level:
- Definition and identification of CI: definition of the national CI; identification of CI sectors and critical services; periodic review of CIs.
- CIP governance: multi-sector governance by the government at the strategic, tactical and operational levels (coordinators, SSAs, CSIRTs, etc.); choice of an organizational structure to embed CIP in government.
- CIP action planning (policy implementation): national or sector-specific CIP action plans; consideration of a broad range of policy instruments.
- Cooperation: public-private partnerships; research and development; international cooperation.

Operational level, the CI security and resilience framework (secure CI against threats through sustainable efforts to reduce cyber risk; ensure continuity of critical services and CI operations; Identify, Protect, Detect, Respond, Recover):
- Cybersecurity risk management: (CIP authority, SSAs) establish plans for CIP and support the protection of CI (guidance and standards, etc.); (CI entities) analyze and evaluate the risk to CI, establish measures to protect CI, and submit details of such measures to SSAs.
- Cyber supply chain risk management (C-SCRM): identify, assess, and mitigate the cyber risks associated with ICT product and service supply chains in CI.
- Cyber incident management: (CIP authority, SSAs) establish a strategic cyber incident response plan and processes and support response and recovery from significant cyber incidents; (CI entities) cyber incident reporting.
- Cyber crisis management and communication: (CIP authority, SSAs, CI entities) create cybersecurity contingency plans for CI incidents or crises.
- Cross-cutting capabilities: cybersecurity workforce and training; information sharing and cooperation; cybersecurity awareness; cyber exercises.

Figure 3-2. Life Cycle of CIP Policy

- Step 1. Initiation: identifying the lead CIP authority; establishing a steering committee; identifying the stakeholders to be involved in the development of the CIP policy and establishing an advisory committee; planning the development of the CIP policy. Output: CIIP Policy Development Plan.
- Step 2. Stocktaking and analysis: defining and identifying national CI (with national risk profiles); addressing current cybersecurity-related policies and the industry’s regulations for the CI sector. Output: Report and Consolidated Repository.
- Step 3. Production of CIP policy: drafting the CIP policy (e.g., CIP law, strategy, regulation, etc.); consulting with a broad range of stakeholders (public-private partnership); seeking formal approval; publishing the CIP policy. Output: CIP policy.
- Step 4. Implementation: developing the action plans (e.g., national or sectoral CIP plan); determining the initiatives to be implemented; allocating human and financial resources for the implementation; setting timelines and metrics. Output: relevant laws and regulations in each CI sector; action plans (national or sectoral CIP).
- Step 5. Monitoring and evaluation: establishing a formal process; monitoring the progress of the implementation of the CIP policy; monitoring ICT trends and changes in the CI operating environment; evaluating the outcome of the CIP policy. Output: decision to issue a new CIIP policy.

The lower part of the figure breaks implementation down into a cross-sectoral CIP plan and activities (leading authority/coordinator: confirming the implementation of measures to protect CI or conducting a security audit of CI entities; developing a cross-sectoral or sectoral cybersecurity maturity model), sectoral CIP plans and activities (sector-specific governments/agencies, e.g., electricity, ICT: developing the regulation, standards or programs for enhancing cybersecurity reflecting the characteristics of the sector; addressing industries, ICT infrastructures, or CI entities that require new CII identification and designation; monitoring CI entities whose CII designation needs cancellation due to business or service termination; establishing a cybersecurity risk management program such as risk assessment and C-SCRM; building cyber incident and crisis management), building or enhancing security and resilience capabilities for protecting CI (a CIP program for cross-sectoral or sectoral CI entities), and monitoring cybersecurity trends and the cyber threat landscape (e.g., cyber attacks against CI, zero-day vulnerabilities; analyzing recent cyber attacks or threats globally and in major countries and regions; addressing measures to respond to them). A feedback loop asks whether a cyber threat has occurred and had a significant impact on the provision of critical services, which feeds into adjustments to action plans (e.g., national or sectoral CIP plan) and into the influences on the next policy cycle (CIP policy effectiveness, e.g., the security level or maturity of CI entities; new or de-designated CI candidates; cyber-attacks targeting CI), alongside the national cybersecurity strategy and plans.

3.3.1 Step 1. Initiation

Considering the far-reaching nature of CIP policies, it is important to identify stakeholders and encourage their participation in policy making, either directly or indirectly. In order to initiate the process and lay the foundation for CIP policy development, major stakeholders are identified as participants in policy making, and an overseeing body or a steering committee is formed to define such processes and the relevant timelines.
The types of stakeholders vary with the national context and can include government representatives, private CI entities, IT system providers, cybersecurity service providers, OT system integrators, academics, and domestic and international cybersecurity experts.

A. Identifying the Lead CIP Authority
Coordination of comprehensive CIP efforts among the stakeholders would ideally be preceded by the government's executive leaders designating the ministries and agencies that oversee the CIP policy making process; these roles may require the creation of new bodies. This section refers to the overseeing and coordinating bodies for CIP policies as the "lead CIP authorities". They are in charge of drafting CIP policies (e.g., legislation, strategies, and regulations) by gathering and coordinating inputs from stakeholders (i.e., related ministries and CI entities) on the current status of cybersecurity and CIP at the national level.

B. Establishing a Steering Committee
Using a whole-of-government approach, the government's executive leaders can establish a steering committee that closely supports and cooperates with the lead CIP authorities. The committee sits at the core of the policy ecosystem: it identifies the stakeholders to be incorporated into the committee and ensures that the policy making process is transparent and comprehensive. The committee mainly provides overall guidance on the direction of CIP policies, taking each industrial sector into consideration, and ensures the quality of draft CIP policies by reviewing them and advising the lead CIP authorities. Its members include the supervisory and regulatory agencies of the industry sectors and the ministries responsible for cybersecurity.
If deemed necessary, private sector experts on CIP can be appointed to encourage active participation from the private sector. The composition and division of roles vary across the benchmarking countries, as seen in Box 3-1. The government can also consider soft measures to raise awareness of the need to address CIP at the policy level. CIP-related seminars, regular meetings, and security awareness programs can help by building interest among the relevant ministries, regulatory agencies, and major industry actors. The aim is to form a consensus on the needed CIP policies, primarily among government agencies, while exchanging knowledge and information about emerging risks in cyberspace that may affect CI and learning from the cases of benchmarking countries. Knowledge exchange can also present opportunities for developing countries to acquire expertise, as well as financial support when necessary, from international organizations such as the World Bank and the International Telecommunication Union (ITU).

C. Identifying Public, Private, and International Stakeholders
The lead CIP authorities can consider establishing an advisory committee composed of academic and industry experts in cybersecurity and CIP and of nongovernmental groups as additional stakeholders. This allows the authorities to draw on all available expertise at every step of the policy life cycle, for example on recent technology trends, cybersecurity risk assessment methods and analysis, and best practices. The advisory committee can be situated under the steering committee and contribute to its work by providing timely and sector-specific knowledge and advice to the lead CIP authorities; it can also communicate directly with the lead authorities. Additionally, international stakeholders can provide knowledge and expertise to both committees and, in some cases, funding to the lead CIP authorities.
International actors include intergovernmental organizations such as the World Bank, the G8, the ITU, the North Atlantic Treaty Organization (NATO), and the OECD, as well as nongovernmental organizations and private organizations based in foreign countries.

Box 3-1. European Union Agency for Cybersecurity (ENISA): three types of CIP governance approaches

Centralized approach
In the centralized governance structure, the policy coordinating bodies or working agencies take the lead in developing the policies. For instance, the lead CIP authority coordinates CI policies with other ministries and forms a working relationship with the national cybersecurity or CSIRT agency. Examples of such relationships include DHS and CISA in the United States, BMI and BSI in Germany, CSA in Singapore, the Ministry of Home Affairs and the Cyber and Infrastructure Security Centre (CIC) in Australia, and the Secretariat-General for National Defence and Security (SGDSN) and the National Cybersecurity Agency of France (ANSSI) in France.

Decentralized approach
A council or a committee serves as a collaborating platform between the different agencies governing the CIs. Compared to the centralized approach, which aims to form an overarching policy framework, here the CIs are managed by sectoral laws and regulations. Examples of such councils include the Committee for Protection of Information and Communications Infrastructure in Korea, the Cooperation Group for Information Security (SAMFI) in Sweden, and the Cyber Security Steering Group (CSSF) in Austria. In particular, the Committee for Protection of Information and Communications Infrastructure in Korea, under the Prime Minister's Office, is chaired by the head of the Office for Government Policy Coordination and includes vice minister-level public officials of the central administrative agencies. The committee has the authority to designate new CIs or to cancel the designation of CIs.

Co-regulation with the private sector
This model is based on a PPP formed by the government: an institutional cooperative system in which the public agency and the CI entities make joint decisions on the development and implementation of CIP policies. The difference from the other models is that the private sector is involved early in the policy making process, at the strategic level. Examples include the Cyber Security Council (CSR) in the Netherlands and the public-private cooperation committees (sector coordinating councils (SCCs) and government coordinating councils (GCCs)) for each CI sector in the United States.

Source: ENISA (2016), p. 6.

Figure 3-3. Interactions Between Committee and Stakeholders for Developing CIP Policy
[Figure residue; recoverable content follows.] The government's executive appoints the steering committee and the lead CIP authority. The steering committee (regulatory authorities for electricity, ICT, finance, etc.; national cybersecurity ministries or agencies; crisis management and disaster prevention ministries or agencies) advises the lead CIP authority. Examples of lead CIP authorities: a national cybersecurity lead and coordinator (US DHS and CISA, Germany's BMI and BSI, Japan's NISC) or an ICT lead and regulatory authority (Korea's MSIT, Singapore's IDA and CSA). The lead CIP authority plans the development of the CIP policy and carries out the stocktaking and analysis (list of CI entities, CI risk profile, and consolidation of cybersecurity policies). The advisory committee (public: cybersecurity-related ministries or agencies; private: large CI owners and operators, CI sector representative organizations for electricity, ICT, finance, etc., major IT/OT/cybersecurity product and service providers, academia, and R&D institutions) contributes to the steering committee's work and provides knowledge and expertise to the lead CIP authority. International organizations (e.g., the World Bank, G8, ITU, NATO, OECD) provide knowledge and expertise to the committees and funding, knowledge, expertise, and cybersecurity capability programs to the lead CIP authority.
Source: NCS Guide, Figure 2, Stakeholders (https://ncsguide.org/the-guide/lifecycle/), modified.

D. Planning the Development of the CIP Policy
Prior to drafting plans for CIP policy making, the lead CIP authority should first identify the human and financial resources needed to implement the policies. Although the government may provide expertise and technologies, private sector members (i.e., industry and academia), research and development organizations, and civil society (as discussed above) can contribute to financing CIP policy making, and governments can adjust and reallocate existing budget envelopes and draw on funding from the international organizations that support developing countries. Moreover, the existing legal frameworks may need to be revisited in order to prioritize CIP in the policy landscape. The revision or creation of laws allows the lead authorities to clarify the roles and responsibilities of the stakeholders, secure minimum security levels, and prepare the ground for securing the necessary human and financial resources.

3.3.2 Step 2. Stocktaking and Analysis
The stocktaking and analysis step begins by identifying CI and collecting related information for the evaluation and analysis of the relevant legal regulations, the national cybersecurity policies regarding CI, and potential cyber incidents against CI. All types of risk factors are identified through the national risk profiles drawn from the results of the national risk assessment. The steering committee or the lead CIP authority, with support from the advisory committee, oversees the stocktaking and analysis.
A summary report detailing general CI operations, the environment for cyber incidents, and the security status is submitted to the steering committee. This report should include the CI definitions and identifications, a list of identified and designated CIs, the major cyber threats to current CI, CIP activities, and the related policies adopted in response to such incidents.

A. Defining and Identifying CI
With the contribution of the advisory committee, the lead CIP authority identifies CI, taking into account the essential national industries and operators, through the procedure shown in Figure 3-4.

Figure 3-4. CI Identification Process
• Definition of CI sector: identify the critical services and operators in the CI sector
• Operator mission and business: identify the core functions (e.g., business processes, applications) that are essential for the supply of the critical services
• ICT infrastructures (IT/OT assets and services): identify the resources of the ICT infrastructure (e.g., IT/OT systems, network devices, cloud computing services, cybersecurity systems and services) that support the core functions
• Critical ICT infrastructures: select and assess the assets and technical components of the candidate CIs
• (Output) The list of CIs and CI entities

A consultative body may be organized with the relevant ministries for the CI sector, the organizations in charge of national cybersecurity, and the regulatory bodies for telecommunications. This body also includes major CI entities, IT service providers, IT/OT system integrators, IT and cybersecurity service providers, and academics, who co-define the essential services of CI and identify the types of assets. Additionally, the resources necessary for the CI identification process are sourced from domestic and international stakeholders such as international organizations.
The CI identification and designation is essentially a two-step process:
• First, CI sectors and the critical services within each sector are defined, using international definitions (e.g., OECD15 or CIPedia16) and referring to the initial values set for the CI sectors and essential services (refer to Appendix B of the report). However, since the types of services provided by the CIs depend on the operating environments they are embedded in, the identification of CI sectors can refer to the examples of benchmarking countries that share similar CI definitions and, in a wider sense, similar societal, geographical, and technical development structures.
• Second, the government agencies or CI entities identify the critical services of the CI sector as well as the core functions supporting such services, based on which the scope of candidate CIs is determined. This is to identify the resources (e.g., IT/OT systems, network devices, cloud computing services, and cybersecurity systems) in the wider ICT infrastructure that support the core functions.

15 Annex 3.B. Definition of Critical Infrastructure in OECD countries and Annex 3.C. List of critical sectors per OECD countries.
16 Online community service provided by the European Union's Seventh Framework Programme "Critical Infrastructure Preparedness and Resilience Research Network (CIPRNet)".

An assessment reveals the final set of national CIs, and many countries create a set of criteria that are used to identify and evaluate CI and their interdependencies within a sector or among sectors. For example, the United States, Germany, and Australia have developed their own standards to identify CI, with the identification done for each sector under governmental leadership. Similarly, in Korea, CI designation follows sector-specific standards.
CI entities then identify CI by determining the scope of assets, such as IT/OT systems and networks, and evaluate them against the designation and evaluation standards above. Cooperation with the CI entities is therefore crucial for governments to identify the core functions and the specific resources, such as systems and services, that make up the information infrastructures. In Korea, the Act on the Protection of Information and Communications Infrastructure provides the criteria for designating CI and names the responsible central administrative agency. However, the scope of CI sub-facilities, such as the IT/OT systems, networks, and information protection systems, is determined by the CI entities, which are the management agencies. The operator therefore first identifies and evaluates the essential businesses, services, and detailed CIs and reports the results to the central agency, and the results are finalized after deliberation by the Committee for Protection of Information and Communications Infrastructure. In addition, when it is necessary to designate a specific information and communications infrastructure as CI, the NIS and the MSIT can make a recommendation to the relevant ministries and agencies.

Box 3-2. Designating CIs with the function-oriented approach in Singapore
The function- or service-oriented approach defines the essential services and functions to be provided by CI. The government performs the risk assessment and analysis to identify and assess the information infrastructures and ICT assets needed to ensure the continued provision of such services and functions. In Singapore, the Cybersecurity Act 2018 defines 11 CI sectors, including energy and info-communications, and 46 essential services needed to maintain national security, the economy, and society.
The Act also stipulates that the Commissioner of Cybersecurity (hereafter the commissioner) designates CI among the computers and computer systems that are needed for the continuous provision of essential services. Accordingly, the commissioner identifies the data archiving facilities, communication facilities, and IT/OT systems, designates them as CI, and identifies the owners of such facilities. The CI owners are then notified of the designation decision and of the legal obligations and responsibilities they bear, and they can submit their opinions to the commissioner. If the commissioner considers that the requirements for CI designation are fulfilled, the process is completed and the owners are thereafter treated as CI operators. The designation is valid for five years until re-evaluation, and if the CIs are found to no longer fulfill the requirements, the designation can be rescinded by written notice. Moreover, the CI entities are required to provide CI-related information, such as the design and structure of the facilities, connected facilities, and security information, upon the commissioner's request. Any change in the design, configuration, security, or operation of the CII, including a change or transfer of beneficial or legal ownership, must be communicated to the commissioner.
Source: CSA Singapore.

Since Korea adopts the operator-based approach, in which the government authorities delegate to the CI operators the responsibility to identify the essential tasks and services and, correspondingly, the CIs, the government first selects candidate CI entities with dominant market shares in each sector; the selected entities are then tasked with identifying and assessing the information infrastructures that deliver essential services. Korea has a dedicated process for CI designation that employs the operator-based approach (Figure 3-5).
The Korean approach is not the only way to designate CI; other countries have adopted different approaches, such as the function-oriented approach of Singapore (Box 3-2) and the asset-based approach of Germany and Australia (Box 3-3 and Box 3-4).

Figure 3-5. Procedure for Designating CI in Korea
[Figure residue; recoverable content follows. Actors: the relevant ministries and agencies; the management institutions (CI operators); the Committee for Protection of Information and Communications Infrastructure (Committee).]
1. Relevant ministries and agencies set up the evaluation criteria for designation.
2. Relevant ministries and agencies distribute the designation procedures and methods in detail.
3. Management institutions select the designated units and the scope of facilities (e.g., servers, control systems, networks) subject to designation.
4. Management institutions evaluate the facilities (e.g., servers, control systems, networks) to be designated; the management institution's evaluation concludes either that there is a need to designate or that there is no need to designate.
5. The related central administrative agency reviews the result and submits a proposal for deliberation.
6. Public and private working committees deliberate.
7. The Committee deliberates; its outcome can also be that there is no need to designate.
8. The deliberation result is notified to the management institution.
9. The management institution sets up cybersecurity systems, including a protection plan.
The figure also shows recommendation and re-evaluation paths, and the setting up of self-protection measures for facilities not designated.
Source: NIS, MSIT, MOIS, PIPC, FSC, and MOFA 2021, p. 67, modified.

Box 3-3. IT Security Act 2.0 and the BSI-KRITIS Ordinance: Asset-based approach in Germany
The asset-based approach allows the government to define the essential services in each CI sector and the assets that support the provision of these services. The regulations define the types of assets in each sector, and the operators of these assets are tasked with identifying the assets that deliver essential services.
If the operators consider that their assets fulfill the CI designation criteria, they are registered as CI operators (as opposed to ordinary operators) with the relevant public authorities. In Germany, the CIP strategy announced in 2009 classifies CIs as either technical basic infrastructures or socioeconomic services infrastructures, in consideration of their technological, structural, and functional aspects. Nine CI sectors were designated in 2014, and the IT Security Act 2.0 of May 2021 added waste management as the 10th CI sector. Building on this, the BSI has established specific designation criteria for each CI sector that include the definition of the services and the essential assets that support those services, as well as thresholds for the CI systems, as shown in the table below. For instance, in the energy sector, the systems concerning electricity generation, the transmission network, and power exchange, as well as gas production and gas storage, are considered. Any entity that operates essential assets constituting CI and exceeds the threshold is therefore referred to as a CI operator.

CI Systems in the German IT and Telecommunications Sectors
Service: Voice and data transmission
• CI system: Access network. Description: access to voice communication, publicly available data transmission, or internet access (e.g., fiber optics, mobile communications). Threshold: 100,000 subscribers.
• CI system: Transmission network. Description: transmission of voice and data for voice communication, publicly available data transmission, or internet access (e.g., backbone, core networks). Threshold: 100,000 contractors of the service.
• CI system: Internet exchange point (IXP). Description: device for interconnecting independent autonomous systems (AS) for the direct exchange of internet data traffic. Threshold: 100 connected AS (annual average).

The CI operators apply these standards by identifying the assets that meet the criteria.
For the identified IT, the components that can affect the overall operation of the CI, such as the IT systems (including IT applications, infrastructure, and OT), external services, and interfaces, must be documented. To that end, the CI operators register in the portal operated by the BSI, through which they report on the assets they manage.
Source: Critical infrastructure sector IT and telecommunication, OPENKRITIS, https://www.openkritis.de/it-sicherheitsgesetz/sektor_informationstechnik-telekommunikation.html (last accessed July 4, 2022).

After the nomination of candidate CIs, the operators can organize an evaluation board consisting of internal staff and external experts that selects the initial scope of CI by identifying the assets, such as servers, databases, network equipment, control systems, and cybersecurity systems. In doing so, they are required to refer to the criteria and assessment methods distributed by the ministries and to the CIP Act. For instance, the operators of wired and wireless communication services conduct the primary evaluation in accordance with the sector-specific evaluation criteria for wired and wireless communication services, as shown in the table below, as well as with the social and economic considerations of the CIP Act. The latter concern the national and societal importance of the duties, the dependency of affairs on the information infrastructure, the interconnection with other information infrastructures, and the potential areas and extent of damage to national security, the economy, and society caused by intrusion incidents.

Box 3-4. Security Legislation Amendment (Critical Infrastructure Protection) (SLACIP) Act 2022 in Australia
In 2021 and 2022, the Department of Home Affairs of Australia revised the existing CIP legislation, the Security of Critical Infrastructure Act 2018.
This revision expanded and defined the scope of the CI sectors and the types of specific assets, and classified the CI operators that constitute the backbone of the Australian economy into three types: (1) CI entities; (2) regulated CI entities (e.g., port operators designated in the legislation on ports); and (3) entities operating and managing systems of national significance. For each type, the Act sets different legal obligations and different forms of government support and intervention. Under these regulations, CI entities are required to establish and operate risk management programs for their CIs and to report to the relevant federal government agencies when certain incidents occur that may compromise their operations. CI entities that own, operate, and manage systems of national significance are subject to additional legal obligations, such as conducting vulnerability analyses and evaluations, establishing and executing incident response plans, and conducting cybersecurity exercises.
Classes of Entities and Relevant Elements of CI in Australia
• Critical infrastructure entities. Description: all entities within the critical infrastructure sectors designated under the expanded Security of Critical Infrastructure Act 2018. Framework elements: government assistance (directions and direct action).
• Regulated critical infrastructure entities. Description: critical infrastructure entities designated under the Security of Critical Infrastructure Act 2018. Framework elements: positive security obligations; government assistance (directions and direct action).
• Systems of national significance. Description: the subset of critical infrastructure entities of highest criticality. Framework elements: enhanced cybersecurity obligations; positive security obligations; government assistance (directions and direct action).
• Whole of economy. Description: entities outside the expanded Security of Critical Infrastructure Act 2018 with cyber assets captured by the 2020 Cyber Security Strategy.
Source: Australian Department of Home Affairs, Critical Infrastructure Centre 2020, p. 13, modified.

B. Addressing Current Cybersecurity-Related Policies and Industry Regulations for CIP
The CIP authorities are tasked with identifying the current legislation, industry regulations, policies, programs, and capabilities in place that relate to cybersecurity policies and the CI sectors. This can be carried out by the advisory committee or by the lead CIP authority with support from the advisory committee. It is important to address the overlaps between the newly adopted CIP regulations and the existing sectoral legislation. Furthermore, the collection of relevant data can help identify the cybersecurity and resilience capacities of the CIs. The data needed may include information on the policies designed to strengthen national cybersecurity capabilities, such as the cybersecurity training programs and R&D initiatives of the responsible ministries, in order to achieve coherence in policy implementation.
In the end, the results of the analyses can be summarized in a written report and submitted to the steering committee. With these results, the lead CIP authority can identify the gaps in CI security and resilience capabilities at the national level and monitor the effectiveness of policy implementation in achieving sufficient CIP. The policy insights gained feed back into the process in which the lead CIP authorities establish a set of strategic goals and identify the policy instruments needed to achieve them.

C. Risk and Maturity Assessment
It is recommended that the CI entities clarify the scope of cybersecurity risk management by reviewing the list of CIs designated by the ministries and agencies. In practice, the lead CIP authority can create national risk profiles of the CIs through the analytical process shown in Figure 3-6.

Figure 3-6. The OECD National Risk Assessment Process
1. Assemble team and agree on methodology → 2. Identify risks → 3. Assess impact and likelihood → 4. Evaluate risks → 5. Manage risks
Source: OECD 2018, p. 28, modified.

For example, the Dutch government developed a national risk assessment method in 2019 that conceptually divides national security into six national security interests, including territorial security, physical safety, and economic security. Then, following the all-hazards approach, the government defined the types of risk that may arise in the country, such as natural disasters (e.g., extreme weather, floods, wildfires, and earthquakes), disruption of critical infrastructure, and cyber risks (e.g., digital sabotage, disruption of the internet, cyber espionage, and cybercrime). Based on this, it developed risk scenarios that link cyber incidents to the respective areas of national security, comprehensively considering the likelihood and impact of cyber incidents given the interdependence among the CIs.
Through this exercise, the government can prioritize high-risk cyber incidents such as the disruption of critical infrastructure and digital sabotage. It allows the government to create a national risk profile that takes stock of current CI protection activities and related cybersecurity policies, assesses the overall CI operation and cyber risk environment, and determines the adequate level of security. Concurrently, the government can use a cybersecurity maturity model to determine the level of cybersecurity and resilience of CI entities or to establish related programs. Such a model, as one of the guidelines for strengthening cybersecurity capabilities, identifies the level of CIP activities currently performed by an organization in terms of process, technology, and people, and supports CI entities in developing measures to continuously improve their protection activities. For example, Korea assesses information security levels as well as vulnerabilities to evaluate the cybersecurity capabilities of CI entities. In particular, private CI entities examine the security maturity of their organization and prepare improvements. The evaluation consists of 12 domains with sub-control items and five maturity levels, as shown in Table 3-2 and Table 3-3. Furthermore, the SCMM recently published by the World Bank in cooperation with the Tel Aviv University Blavatnik Interdisciplinary Cyber Research Center (TAU ICRC) expands the breadth and depth of cybersecurity assessment methodologies (Box 3-5). The model takes a holistic approach and sheds light on the interdependencies and interactions among the multiple stakeholders that together shape a sector's cybersecurity policies. It is inherently sector-agnostic, meaning that it is designed to capture any sector or sub-sector in the economy, since its scope goes beyond a single entity or technical system.
This toolbox marks an important step in that it provides a general framework within which a country's policies to ensure the cybersecurity and resilience of CIs can be assessed. Nevertheless, despite the potentially wide applicability of this model, there is still a need for a more in-depth maturity assessment for developing countries to accurately adopt a range of effective policies and strategies.

Table 3-2. Information Security Level Evaluation Domains and Sub-controls for CI Entities in Korea
• Information security policies: organization of information security, information security plans
• Risk assessment: asset management, risk assessment, etc.
• Configuration management: system change control procedures, restrictions on changes to software packages, configuration security settings, etc.
• Maintenance: control procedures for the use of maintenance tools, remote maintenance
• Media protection: media access management, document management, media and record destruction, etc.
• Security awareness and education: security awareness, education, and training
• Contingency planning/business continuity planning: contingency planning exercise and update, communication services redundancy, information system backup and recovery, etc.
• Physical/environmental security: physical security perimeter and entry controls, protection against external and environmental threats (e.g., uninterruptible power supply (UPS)), etc.
• Human resource security: background checks, personnel management, internal personnel management, third-party security
• Incident response: incident response exercise, monitoring, incident reporting
• Audit and accountability: definition of auditable events, audit information management, audit monitoring and analysis, non-repudiation, etc.
• System access control and communication security: account management, password management, access control, encryption key construction and management, intrusion detection and prevention tools and technology, etc.

Table 3-3. Information Security Maturity Model for CI Entities in Korea
• Level 1, Initial: sub-control not implemented, or implemented with no plan
• Level 2, Developing: sub-control implementation plans (specific procedures, schedule, budget, etc.) partially established and documented
• Level 3, Defined: sub-control widely implemented or completed according to the documented plan
• Level 4, Managed: sub-control accomplishment measured, and the sub-control continuously implemented and reviewed for a certain period of time
• Level 5, Optimized: measurements of sub-control accomplishment reviewed, and improvements regularly implemented according to the results

Furthermore, the government can complement its risk assessment requirements by making special provisions for smaller-scale CI entities. Small entities have difficulty securing enough cybersecurity staff or technology, and the legal obligations on cybersecurity risk management may go unmet because their executives are likely to regard costly cybersecurity investments as a burden. A review of the 2021 cyberattack on a Florida water treatment plant clearly demonstrated the need for support for small-scale CI entities. Such support may hold particular significance for developing countries, where it is more difficult to attract active participation from the private sector. The government can therefore alleviate the financial burden by providing operational and technical support, such as through subsidies or vouchers.

3.3.3 Step 3. Production of CIP Policy
Based on stakeholder consultations, CIP policies are co-created, first in draft form as legislation or as governmental regulations and strategies that generally include visions, goals, and achievable objectives.
They are then opened for feedback from the public and private stakeholders who have not participated in the policy making. Finally, they are officially approved by the administrative branch and announced to the stakeholders and the public through internal and external promotion channels.

Box 3-5. The World Bank Sectoral Cybersecurity Maturity Model (SCMM)
The SCMM is designed to rigorously capture the different aspects of sectoral maturity and establishes a structure of assessment that includes the main elements, from 1) Layers of Assessment (LoAs); 2) Dimensions; 3) Factors; down to 4) Indicators, where the level of analytical granularity is the highest. The LoAs correspond to the different categories of stakeholders. The model defines three LoAs: LoA 1, National entities (i.e., external actors that influence the cybersecurity maturity and resilience of the sector; e.g., MDAs, IT/cybersecurity training and service providers, and academic institutions); LoA 2, Sectoral supervisory authorities (i.e., the main regulatory and supervisory authorities; e.g., the ministry and department responsible for regulating the sector); and LoA 3, Key entities (i.e., entities that own, manage, and operate the CIs). Whereas the first two have been included in traditional assessment models, LoA 3 integrates important external dependencies into the model by considering aspects such as supply chains and third-party risk management. Each LoA is further analyzed by five Dimensions: 1) Cybersecurity governance; 2) Cyber risk management; 3) Cybersecurity measures; 4) Cyber capacity building; and 5) Incident response and crisis management. For the respective LoAs, some dimensions are more pertinent than others; for instance, the governance dimension is better addressed in the higher layers (i.e., national entities) since it requires a cross-cutting view. Then, to increase measurability, the model establishes the factors that constitute a dimension and the corresponding indicators that help explore the dimension in a more structured way. Whereas the dimensions and factors are identical for all LoAs, the indicators are tailored to each LoA. At the end of this process, the model assigns Maturity Levels (MLs) on a scale of 1 to 5: Startup – Formative – Established – Strategic – Dynamic. On a practical level, the SCMM model is implemented through a rigorous six-phase process: 1) Kick-off and scoping; 2) Desk research; 3) Interactive assessment; 4) Analysis of findings; 5) Formulation of high-priority recommendations; and 6) Delivery and feedback. The SCMM model is one of the first institutional attempts to capture the intricate links between the various system components in assessing a sector’s cyber resilience capabilities, and to look at a sector as a system. Although the model requires further tests and verification to increase its general applicability, effective use of the SCMM is expected to mainstream cyber resilience into the wider development agenda and to assist policymakers and other relevant stakeholders in the economy in identifying gaps in their cybersecurity practices, capacities, and resources. Source: The World Bank.

A. Drafting CIP Policy
CIP policies set the directions for the security and resilience of the national CII and establish a clear vision and scope for the implementation of related policies. As mentioned above, these policies can come in the form of comprehensive CIP legislation or a national strategy. However, this policy note recommends developing a comprehensive legal framework that clarifies the responsibilities and activities of CI entities and secures minimal levels of security and resilience of the CIs. Nevertheless, the CI entities that perform the practical functions of CIP may be passive about investing in security, owing to their differing levels of management awareness and cybersecurity capabilities.
Security maturity may also differ even within the same sector or among entities of similar size. Whereas some CI sectors (i.e., electric power, finance) have already established their cybersecurity guidelines and industrial standards, the same measures may not apply equally to all sectors and entities. As shown in Table 3-4, the lead CIP authorities list the minimal requirements that apply to all CI sectors, and in some cases these requirements are mandated by relevant legal frameworks. Responsible ministries may introduce additional security requirements based on the specific characteristics of the CI and the legislative and operating environment of the industries the CIs are in. Two important considerations at the drafting stage are, first, to revisit the existing regulations on CI entities to avoid duplication, and second, to include the CI entities in the initial stages of the consultative process prior to legislation, since they are directly impacted by the changes.
Table 3-4.
Key Elements of a CIP Policy Framework According to the Type of CIP Policy by Country
(Type of CIP policy: strategy/action plans or legal framework. Columns, in order: Singapore (Cybersecurity Act), Germany (IT Security 2.0), Australia (SLACIP Act), Korea, Japan. ● = included, - = not included)
CIP policy framework:
Goal and objectives: ● ● ● ● ●
Definition and identification of CI: ● ● ● ● ●
CIP governance: ● ● ● ● ●
CIP action planning: ● - - - ●
PPPs: ● - - - ●
Research and development: ● - - - -
International cooperation: ● - - - ●
CI security and resilience for CI entities:
Cybersecurity risk management: ● ● ● ● ●
Cyber supply chain risk management: - - - - -
Cybersecurity workforce and training: - - - ● ●
Cybersecurity awareness: - - - - ●
Cyber incident management: ● ● ● ● ●
Cyber crisis management and communication: - - - - ●
Cyber exercises: - - - ● ●

In Korea, the Ministry of the Interior and Safety (MOIS) established protection guidelines for the CI in its jurisdiction, as administrative regulations based on the Act on the Protection of Information and Communications Infrastructure, that contain details regarding the management of information protection systems, the establishment and implementation of protection measures, and response to and recovery from security incidents. In accordance with this, the CI entities are to fulfill the requirements related to the following matters: appointment of the chief information security officer (CISO) and information protection manager; designation and assessment of the specific facilities of the CI in their jurisdiction; cooperation with relevant organizations; analysis and evaluation of vulnerabilities; establishment and implementation of protection measures; inspections; notification of, response to, and recovery from security incidents; and technical protection measures (e.g., data communication network, security management of control systems, management of external contractors), among others.
To illustrate, when the CI entities establish a response system and incident response plan, the considerations listed in Table 3-5 should be made.

Table 3-5. Considerations When Establishing an Incident Response System in the Korean Ministry of the Interior and Safety
Response and recovery procedures and methods for incidents:
• Definition and scope of incidents
• Establishment of emergency contact system
• Response methods and procedures when the incident occurs
• Establishment of an incident recovery organization
• Procurement of incident recovery equipment and resources
• Conduct of incident response and recovery exercises
Report an incident:
• Date and time of the incident
• Reporter and report date
• Details of the incident and response history
First aid after an incident:
• Damaged system stops working immediately
• Immediately block external access to the internal network
• Intrusion detection and recovery by information security experts in places where emergency recovery must be performed immediately
Recover from an incident:
• Analysis and definition of the cause of the accident
• Establishment and implementation of measures to prevent recurrence, if necessary
• System rebuilding method through information resource and system backup
• Removal of vulnerabilities in systems and information and communications networks
Source: MOIS. 2021. Guidance for the Protection of CII Under the Jurisdiction of the Ministry of the Interior and Safety. Enforcement March 5, 2021.

On the other hand, in Japan, the responsible ministries develop and disseminate safety standards for strengthening information security17 for each CI sector and help CI operators maintain the minimum security standards needed to provide stable services.
The safety standards, which define information security measures according to the plan-do-check-act life cycle, are established by referring to the essential requirements or recommendations for information security under the Guideline for Establishing Safety Principles for Ensuring Information Security of Critical Infrastructure enacted by the Cyber Security Strategy Headquarters, and to related laws and safety principles, such as industry standards or guidelines and the internal regulations of CI operators and industry. In addition, safety standards for each CI sector are developed under the supervision of the responsible ministries or the industry organization and association of the sector, and are reviewed annually by NISC. However, in some sectors such as electricity and finance, a separate safety regulation is adopted where necessary, and the CI operators are required to comply with it in their cybersecurity activities.
B. Consulting with Public, Private, and International Stakeholders
As discussed above, stakeholder participation is vital for CIP policy making and policy implementation. Since CIP policies indirectly affect other groups, such as IT system providers, cybersecurity service operators, IT/OT system designers, and system integrators, these policy drafts should be disclosed to other stakeholders in the public and private sectors for feedback. This can be done through online platforms, workshops, or by creating additional working groups. International organizations and other external stakeholders can also provide their advice and expertise.
C. Seeking Formal Approval
The developed CIP policies are officially approved by the administrative branch, thereby providing the grounds for consistent procurement of resources subsequent to policy making in the relevant fields, and for the implementation processes and CI protection activities performed by the stakeholders. This procedure differs by country and by the type of policy created.
For example, a CIP policy that aims to develop a comprehensive legal framework would go through the official legislation process.
17 e.g., (Financial Sector) Guide For Establishing Security Policies For Financial Institutions, Etc., Safety Measures Standards And Commentary For Financial Institutions, Etc., Guide For Establishing Emergency Response Plans (CP) For Financial Institutions, Etc.; (Electric Power Sector) Electricity Business Act Enforcement Regulations Article 50 Interpretation Of Article 2, Explanation Of Technical Standards For Electrical Equipment, Power Control System Security Guidelines, Smart Meter System Security Guidelines; (Gas) SCADA Security Measures And Commentary On City Gas Manufacturing/Supply.
D. Publishing and Promoting the CIP Policy
The final approval is followed by internal and external promotions convened by the government to promote the public and industry partners’ understanding of the new policies. In particular, if the CI entities are newly assigned the legal obligations of cybersecurity risk management and incident reporting through the adoption of CIP laws, the government may create education and training programs, awareness campaigns, and workshops, where it can host more tailor-made information sessions on the new requirements and best practices.
3.3.4 Step 4. Implementation
Implementation is the most important stage in the entire life cycle of CIP policies, as it involves the selection of policy instruments and the allocation of human resources and budget to achieve the strategic objectives of CIP policies.
The selected policy instruments can be employed to facilitate the enactment of comprehensive CIIP laws or regulations, security testing and evaluation of CII components, cybersecurity surveys or vulnerability assessments, incentive systems to promote cybersecurity investment, information on cybersecurity risk management, cybersecurity awareness, cybersecurity education and training, and cyber exercises, to name a few.
A. Developing CIP Action Plans
To implement a CIP policy, securing support from a variety of stakeholders from industry, academia, and research organizations is essential throughout the entire implementation step. The lead CIP authority takes charge of coordinating the inputs from these stakeholders and secures resources to that end. Establishing mid- to long-term master plans or national action plans can effectively form an overarching framework, providing institutional grounds for the sectoral action plans of the respective ministries and for national cybersecurity strategies. For instance, the National Infrastructure Protection Plan (NIPP) 2013 in the United States is a follow-up measure to PPD-21, and it aims to strengthen CI security and boost resilience against physical and cyber risks through the minimization of system vulnerabilities and their impact, identification and defense, and response and recovery. Subsequently, the sector-specific agencies (SSAs) and ministries establish the CIP plans in a top-down manner, which may include updates to the existing protection plans (i.e., the sector-specific plans (SSPs)), considering the policy environment, regulations, and characteristics of the respective sectors.
Based on the updates in the SSPs, the SSAs recommend the adoption of the National Institute of Standards and Technology cybersecurity framework (hereinafter NIST CSF) to CI entities and present the current and future cybersecurity efforts in order of importance, including cybersecurity information-sharing initiatives, risk assessment, incident response and recovery, and measuring criteria. However, the plans do not specifically define the activities that need to be protected, and it is up to the CI entities to individually identify and implement cybersecurity standards and guidelines as well as the security and resilience requirements. On the other hand, the Korean government has established CIP policy plans by combining the top-down and the bottom-up approaches. The central administrative agencies, in this case the MOIS and the MSIT, establish and implement yearly protection plans for CIs in their jurisdictions based on the Act on the Protection of Information and Communications Infrastructure (Figure 3-7).
Figure 3-7.
Relationship Between Guidance of Related Central Administrative Agencies and Protection Plans of CI Entities in Korea
[Figure: The CIP Act imposes legal obligations on the Ministry of the Interior and Safety (MOIS) and the Ministry of Science and ICT (MSIT). Each ministry issues a regulation (Guidance for protecting CI under its jurisdiction) and an annual CIP plan (comprehensive and coordinated protection measures for CI entities), with reference to the guideline for the development and distribution of protection measures and planning. The CI entities under MOIS (public sector: central administrative agencies, local governments, and public institutions; private sector: metro and water utilities, financial institutions, etc.) and under MSIT (public sector: central administrative agencies, local governments, and public institutions; private sector: ICT companies, etc.) are under a legal obligation to submit an annual protection plan established according to the result of their vulnerability assessment.]
Although the broad direction is set by the MOIS and MSIT, the plans are also the result of coordinating the inputs of the CI managing organizations, which submit their protection plans to the Committee for Protection of Information and Communications Infrastructure for deliberation. These protection plans stipulate the designation or cancellation of CIs and the strategies for and challenges in CIP, such as support for strengthening the capabilities of CI entities for prevention of, response to, and recovery from intrusion incidents. The support for CI entities can include simulated penetration tests based on cyber risk scenarios, security practice training programs for practitioners, and the establishment of essential information security systems for CI.
For instance, the NIS and MSIT have established guidelines for the establishment of CI protection measures and plans and distribute them to the relevant central administrative agencies. These guidelines also allow them to respond rapidly to changing cybersecurity environments by providing security-related information, including the risk factors in the operating environment, the latest trends, and the types of countermeasures, to the responsible ministries of CIP.
B. Determining Policy Instruments to be Implemented
The types of policy instruments can largely be categorized into two types: regulatory approaches (i.e., enactment and revision of CIP statutes) and other support policies. The first includes the enactment of new CIP statutes or the revision of existing ones, and the aim is to establish an overarching CIP policy framework based on which the responsible ministries provide adequate support to the CI sectors within their jurisdictions. On the other hand, the support policies can further be divided into four types: developing and distributing guidelines and consulting services; placing cybersecurity personnel; providing service and technological support; and disseminating relevant information. These policies are to ensure that the CI entities perform cybersecurity risk management and protection activities in compliance with their legal obligations. In general, government agencies establish relevant initiatives or capacity building programs and closely interact with the stakeholders.
(1) Regulatory approaches
The legislative frameworks make the CI entities accountable for CIP, and the entities are obliged to establish a risk management system at the organizational level. The directions are generally shared with the CI ministries in charge or the lead CIP authorities, and any violations may result in legal consequences.
For instance, according to the CI protection laws of Korea, Germany, and Singapore, CI entities in all CII sectors are required to conduct security assessments and report the status of the protection measures in place to the responsible ministries (Korea) and/or the lead authority or working agency (BSI in Germany, CSA in Singapore). In Germany and Singapore, the entities may face legal penalties if they violate the requirements (Table 3-6).

Table 3-6. Cybersecurity Risk Management Guidelines for CI Entities in the Major Countries
Category: Information security or cybersecurity standards, guidance, and guidelines
International standards:
• (ISMS) ISO/IEC 27000 series (ISO 27001, ISO/IEC 27002 Code of practice for information security controls, etc.)
• (ICS/OT) ISA 62443 series
Korea:
• Vulnerability analysis/evaluation guidelines for CI
• Detailed guide on how to analyze and evaluate technical vulnerabilities of CI
Germany:
• BSI specification for CI, BSI IT-Grundschutz18
• (Cloud service) Cloud computing compliance criteria catalogue (C5)
• (Industry standards) B3S (KRITIS Branchenstandards)19, etc.
Singapore:
• Guide to conducting cybersecurity risk assessment for CI
• Guidelines for auditing CII
• Guide to cyber threat modeling
• Security-by-Design Framework version 1.0 and checklist
Japan:
• Guideline for establishing safety principles for ensuring information security of CI
• Risk assessment guide based on the concept of mission assurance in CI
• Guidance on system operation using cloud services
• Safety principle sets for each CI sector
United States:
• NIST Cybersecurity Framework, NIST SP 800-53, CIS Critical Security Controls for Effective Cyber Defense (CIS Controls)

On the other hand, some countries, such as the United States and Japan, maintain sectoral approaches in which they selectively apply mandatory assessment and reporting principles while maintaining an overall voluntary approach.
In the United States, the government selects cybersecurity measures suitable for their operating environments based on the risk assessment results. For instance, in the energy, chemical, finance, and medical sectors, there already exist relevant legislation or industrial standards that define essential cybersecurity activities to comply with, on top of the separate programs or guidelines on cybersecurity risk management prepared by ministries (Table 3-7). In particular, the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standard sets out the cybersecurity obligations for electric companies and periodically revises them to respond to evolving cyber incidents. The regulations become mandatory once approved by the U.S. Federal Energy Regulatory Commission (FERC), and in this case the electric companies may face fines of up to $1 million per day if they do not comply with the regulations.
18 IT-Grundschutz is a national general standard for information security that has been published by the BSI since 1994. Originating in the government environment, IT-Grundschutz has always been used primarily by public authorities, for whom the methodologically very stringent procedure is sometimes mandatory.
19 There are industry standards (B3S) for individual industries in CI (KRITIS) sectors, which were created by industry associations for critical infrastructures and approved by the BSI.
Table 3-7.
Cybersecurity Risk Management Programs or Guidance for CI Sectors in the United States
*M: Mandatory, V: Voluntary
All CI sectors:
• NIST cybersecurity framework (V)
Chemical:
• Chemical facility anti-terrorism standards (CFATS) (M)
Energy, Electricity:
• Electricity subsector cybersecurity risk management process; Electricity subsector cybersecurity capability maturity model (ES-C2M2) program (M)
• (BES (bulk electric system) cyber system) NERC CIP Standard (M)
• NISTIR 7628: guidelines for smart grid cybersecurity (V)
Energy, Oil and natural gas:
• Oil and natural gas subsector cybersecurity capability maturity model (ONG-C2M2) program (M)
Financial:
• FFIEC cybersecurity assessment (M)
Healthcare:
• Health insurance portability and accountability act (HIPAA) security rule (M)
Transport:
• (Oil & natural gas pipeline systems) Std1164 Pipeline SCADA Security (M)
• TSA pipeline security guidelines (V)
Water:
• ANSI/AWWA G430-14: security practices for operation and management; ANSI/AWWA J100-10: RAMCAP standard for risk and resilience management of water and wastewater systems (M)
• Business continuity plans for water utilities; Process control system security guidance for the water sector (V)

Similarly, in Japan, the electricity and gas sectors perform information security audits and intrusion simulation testing as required by the Ministry of Economy, Trade and Industry (METI). For instance, as the smart grid is on the rise, the electric power industry in Japan has established smart meter system security guidelines. As an enforcement mechanism, METI has included them in the electric power safety regulations and promotes regular internal and external audits, intrusion simulation testing, and the strengthening of information-sharing systems on vulnerabilities (electric power ISAC). Electric control system security guidelines have also been established and included in the electric power safety regulations to enforce self-inspection.
Australia developed the Australian Energy Sector Cyber Security Framework in 2018 using the U.S. Department of Energy’s ES-C2M2 and the NIST CSF. This framework is used by companies participating in the Australian energy market to check the status or level of their cybersecurity or to make investment decisions to enhance their cybersecurity capabilities.
(2) Support policies
While the adoption of regulations can help institutionalize the measures necessary to promote cybersecurity and resilience, they need to be supplemented with relevant support policies to strengthen the entire policy ecosystem. Such interventions may include the establishment of standards and guidelines, capacity building programs, service and technological support (i.e., direct support), PPPs, and information-sharing initiatives. The following section presents examples from Korea and benchmarking countries for each type of policy instrument.
a. Standards and guidelines
Compared to countries that choose to adopt regulations to secure the minimum level of protection applied to all or some CI sectors, others opt to develop and distribute standards or guidelines. In preparing the guidelines, it is important to consider that even among CI entities of similar size and scope, there may be differences in their cybersecurity measures and procedures and in the installation and operation of their security systems, according to their levels of cybersecurity awareness and management capabilities. Therefore, guidelines are developed either jointly by the public and private sectors, or internally by the government or the private sector, as in the cases of the Control System Security Center (CSSC) in Japan and the Water-ISAC in the United States. Examples are guidelines on cybersecurity risk management and on cyber incident response and recovery systems.
Cyber risk management guidelines
Guidelines on cybersecurity risk management methodologies for CI distributed by NISC of Japan and CSA of Singapore stress the need for cybersecurity risk assessment and define the roles and responsibilities of the relevant entities that perform the assessment. The procedure consists of risk identification, analysis, and evaluation. On the other hand, Korea provides specific cybersecurity risk assessment methods, such as checklist-based evaluation criteria covering not only the administrative and physical aspects but also the technical aspects, including servers, databases, security systems, network equipment, personal computers, and control systems. Based on this, CI management organizations are required to conduct inspections once a year, as shown in Table 3-8. Each criterion is assessed for its criticality from low to high; those ranked as average or low can be referenced for optional inspections according to the operating environment.

Table 3-8. Mobile Communication and Cloud Computing Service Technical Vulnerability Checklist in Korea
Mobile communication, Operation management:
• When operating a mobile communication edge network, cybersecurity technology is applied in consideration of internet connection, etc. (Criticality: High)
• When applying virtualization technology in a mobile communication network, cybersecurity configuration or technology application such as account management and abnormal symptom detection (Criticality: High)
• Establish and operate security policies with mobile communication network equipment and software manufacturers (Criticality: High)
• When designing mobile network equipment and designing networks, conduct security design (Criticality: High)
Cloud computing service, Access control:
• Cloud service logoff and session management (Criticality: Medium)
• Block external access to cloud services (Criticality: Medium)
Cloud computing service, Cybersecurity management:
• Cloud service root account management (Criticality: Medium)
• Cloud service account permission management (Criticality: Medium)
• Enhanced cloud service user authentication (Criticality: Medium)
Source: MSIT. 2021. Criteria for Analysis and Evaluation of Vulnerabilities in CII (Enforcement date: December 28, 2021).

Cybersecurity standards can also promote the adoption of cost-effective protection measures. One example is the NIST CSF, which was developed in consultation with the private sector. These guidelines supplement the existing cybersecurity programs operated by the CI entities and seek to help their management boards, which consist of non-experts, understand the potential outputs of cybersecurity investment. They also serve as a communication tool for internal and external stakeholders, managers, and staff members. In detail, the NIST CSF consists of three components: the core, the tiers, and the profiles. The core refers to cybersecurity activities categorized into five functions: identify, protect, detect, respond, and recover. It systematically presents relevant information on cybersecurity by summarizing industrial standards, guidelines, and best practices. This map of information provides the CI entities with various options for cost-effective measures to reduce cyber risks and allows them to raise awareness of cybersecurity considerations in their organizations.
In other cases, CIP guidelines may be adopted as an additional layer to sectoral regulations and guidelines, meaning that the CI entities in specific sectors such as electric power, ICT, and finance may be required to fulfill additional security requirements stipulated in relevant laws. For instance, an internet data center in Korea needs to abide by the Data Center Protection Guidelines (Box 3-6). Similarly, smart grid businesses and financial market infrastructure operators refer to the Guidelines Regarding the Protection Measures for Smart Grid Information and the Cyber Resilience Assessment Methodology for Korean Financial Market Infrastructure, respectively, to conduct self-diagnosis and decide on improvements based on the results (Box 3-7).

Box 3-6. Learning from Korea: CIP guidelines for data centers
In the case of data centers, the Act on Promotion of Information and Communications Network Utilization and Information Protection is prioritized over the Act on the Protection of Information and Communications Infrastructure. The main goal is to enhance the security awareness of businesses operating these facilities and to improve the safety and reliability of the facility with respect to the Data Center Protection Guidelines. Businesses that operate and manage data centers should meet the detailed criteria listed in the table below to protect the facility in their jurisdiction from incidents, disasters, and cyber-attacks.
Detailed Criteria for Protection Measures for Integrated Information and Communication Systems
Administrative security measures, Security management system:
• Full-time guards, expert technicians, administration manager, facility security plan, and business continuity plan
Physical/technical security measures, Access control and monitoring:
• Access control device, access record, protection of client information system device, central monitoring room, CCTV, alarm system
Physical/technical security measures, Availability:
• Protection of electric power and related facilities, uninterruptible power supply (UPS), self-generation facility, water substation facility, ground facility, thermo-hygrostat, emergency light, and guide light
Physical/technical security measures, Protection:
• Structure of walls, glass windows
Physical/technical security measures, Disaster preparedness:
• Load stability, firefighting facilities, construction materials, flood prevention

Cyber incident response and recovery system guideline
Similarly, governments can establish and implement response plans for the CI sectors and distribute relevant guidelines. These could be business continuity plans (BCPs) or contingency plans (CPs), disaster recovery plans (DRPs), and cybersecurity response procedures. For example, CI operators in Singapore created a cybersecurity incident response plan and a crisis communication plan following the requirements of the Cybersecurity Code of Practice for CI. The former includes organizing cyber incident response teams, an incident reporting structure defined by the cybersecurity act and related laws and regulations in the sector, incident response procedures and recovery processes, and processes for establishing and reviewing measures for future prevention, to name a few. A crisis communication plan provides relevant information to stakeholders and customers in a crisis caused by cybersecurity incidents.
After a risk management plan is established, the government leads training exercises once a year to test the system's aptness to manage cybersecurity incidents and to evaluate the effectiveness of the BCPs and DRPs.

In addition, governments can promote cyber threat information sharing through relevant programs, laws, or guidelines. For example, in 2013, the Obama administration in the United States promoted policies to strengthen cyber threat information sharing through executive orders 13636 and 13691. These executive orders expanded the scope of the existing cyber threat information-sharing programs (e.g., CISCP [20], ECS [21]) operated by the DHS to CI entities, which led to the development and sharing of threat indicators that use information detected on the administrative network of the U.S. federal government. Similarly, in Japan, incidents such as defects or abnormal symptoms in IT or control/IoT systems, including CI service failures, are reported to the CEPTOAR secretariat or the relevant CI department, within the scope of information sharing shown in Figure 3-8.

Concurrently, CI entities can evaluate the effectiveness of policies such as response and recovery procedures in the event of cyber threats through periodic cyber exercises. The government conducts cyber exercises for all or specific CI sectors, and at the initial stage, plans are established starting from a tabletop exercise. In addition, the government creates training scenarios, such as malicious emails, ransomware, and DDoS, that can occur commonly across the entire CII sector, and based on these scenarios recruits and trains cyber exercise participants.

Box 3-7. Designating the CIs with the function-oriented approach in Singapore

Those that use a smart grid to supply electricity and operate electric systems (the electric power sector and businesses and service providers in power transmission, power distribution, and district electricity) are required to prepare managerial, physical, and technical protection measures in order to secure the reliability and safety of smart grid information. In this case, the Smart Grid Construction and Utilization Promotion Act is the main reference point rather than the Act on the Protection of Information and Communications Infrastructure.

Guidance on Protection Measures for a Smart Grid in Korea

Category: Administrative security measures
• Establishing information security plans and organizing an exclusive team
• Building a response system for security incidents and analyzing vulnerabilities
• Managing the policies regarding information security systems
• Conducting information security education and training, securing confidential information, securing external personnel, managing portable storage devices
• Preparing personal information protection measures in the smart grid, etc.

Category: Physical security measures
• Enforcing access control measures
• Operating monitoring control on entrants
• Access control to facilities

Category: Technical security measures
• Smart grid system security management
• Account and password management
• Information security system operation and malware prevention
• Wireless communication security
• Smart grid system authentication
• Security of smart grid device communication and data

b. Capacity building

Some measures are aimed at enhancing the overall capacities of the CI entities, since they are at the forefront of implementing CIP policies. To that end, the government can promote the agenda of security reinforcement at the corporate level from a governance perspective rather than from a technical perspective, or a specific department can be designated to perform the CIP tasks.
Therefore, CI security and resilience capabilities should be systematically and continuously strengthened according to the steps outlined in Figure 3-9.

20 Cyber Information Sharing and Collaboration Program.
21 Enhanced Cybersecurity Services.

Figure 3-8. Scope of Information Sharing on CI in Japan (diagram not reproduced; its axes are impact level and actualization of phenomenon, and it distinguishes, for critical infrastructure services and other services, hindrance to the safe and continuous provision of services, phenomena requiring critical infrastructure cybersecurity measures, service outages, system failures, and abnormal behaviors and events). Source: Cybersecurity Strategic Headquarters, Government of Japan. 2020. Cybersecurity Policy for CIP (Fourth Edition) (Tentative Translation), revised January 30, 2020, p. 48, modified.

Figure 3-9. Steps to Enhance CIP capabilities of CI Entities (a cycle centered on the CIP capabilities of CI entities: CI security and resilience)
1. Assess cyber risk and cybersecurity and resilience preparedness
2. Implement risk management strategy
3. Follow response and recovery procedures if the event occurs
4. Document and incorporate lessons learned from the event
5. Share knowledge with other stakeholders

To strengthen the cybersecurity and resilience capabilities, the government can create special education and training programs for top management, the CISO, and practitioners. The programs can be designed to teach top managers how to manage cyber risk at the enterprise level from a cybersecurity governance perspective.
Meanwhile, for CISOs and practitioners who perform CIP tasks, the programs provide practical training that imparts professional knowledge on security practices. For example, among the cybersecurity training programs operated by CISA in the United States, there are programs targeting CI entities such as the tabletop exercise packages (cybersecurity, physical security, cyber-physical convergence security scenarios, etc.), incident response, industrial control system (ICS) security, and cyber training. These programs combine online education, instructor-led education, and active participation of learners. The IPA in Japan, on the other hand, mainly operates short-term practical education and training programs: cybersecurity simulation training for practitioners who operate ICS/OT systems; tabletop training for cyber crisis response; cyber resilience reinforcement training and strategy seminars by sector for CISOs and managers, etc. In addition, these countries have established virtual educational environments (e.g., FedVTE [22] in the US, Cyber Range as an Open Platform (CYROP) in Japan) for practical training by groups or individuals and use them for their education and training programs. They have also built ICS/OT testbeds and conduct desktop training, demonstrations of cyberattack scenarios, and practical training on cyberattack and response (red and blue teams). In addition, CI entities are required to review their cyber incident response system, including the overall BCP/CP/DRP, the incident response team, and the response and recovery procedures, evaluate their effectiveness, and reflect the latest issues. The government can provide cyber training for CI entities and develop cyber risk scenarios on top of the existing desktop training, so that the entities can respond to possible risks more quickly.

22 Federal Virtual Training Environment.
In particular, the government ensures that incident reporting and information sharing on cyber threats are facilitated between CI-specific entities and among related CI entities.

c. Service and technological support

Some policy instruments aim at providing direct support for cybersecurity operations to the CI entities. For instance, the Cybersecurity and Infrastructure Security Agency (CISA) in the United States offers cybersecurity programs (Table 3-9) at no cost to CI owners and operators in the industries to review the status and levels of cybersecurity and resilience.

Table 3-9. CISA Cybersecurity Services for Industry and the Private Sector in the US

Cyber resilience review: An assessment that evaluates an organization's operational resilience and cybersecurity practices.
Phishing campaign assessment: A six-week engagement that evaluates an organization's susceptibility and reaction to phishing emails.
Remote penetration test: A two-week remote assessment to identify vulnerabilities and work with customers to eliminate exploitable pathways.
Risk and vulnerability assessment: Provides customers with an onsite assessment of whether and by what methods an adversary can defeat network security controls.
Validated architecture design review: An in-depth architecture and design review of network traffic to determine susceptibility to potential attacks and identify anomalous communications flows.
Vulnerability scanning: CISA offers organizations continual vulnerability scanning of internet-accessible systems.
Web application scanning: A monthly (or on an as-needed basis) scan of all publicly facing web applications accompanied by a comprehensive report of all findings.

Source: CISA. 2021. CISA Services Catalogue (Second Edition). https://www.cisa.gov/publication/cisa-services-catalog.
CISA also disseminates the Cyber Security Evaluation Tool (CSET), a self-assessment software (SW) tool, to CI entities so that they can evaluate cybersecurity vulnerabilities and levels for their ICS/OT, IT systems, and networks. Since 2018, it has been managed as open-source SW through GitHub, at no cost to users. With this SW, CI entities can select industry standards or guidelines (e.g., NIST SP 800-53, the NIST Cybersecurity Framework, the NERC CIP standards), determine the assurance levels, and draw a network concept map, based on which the evaluation criteria on the status of cybersecurity are generated. It also allows for a comparison among the components of cybersecurity. Nevertheless, since the SW focuses on individual components and not on the whole system, it may not be suitable for a detailed risk assessment.

d. Public-private partnerships (PPPs)

Since CIs are largely owned and operated by private companies in many countries, the government may consider utilizing PPPs as a means to implement CIP policies. Countries rely on PPP-based collaboration and cyber and physical threat information sharing as major initiatives. The structures of PPPs may take different forms, ranging from committees with joint participation of government and private sector representatives to Information Sharing and Analysis Centers (hereafter ISACs) for each CI sector. Regarding the former, the functions of the committee can vary depending on whether the private sector is involved at the strategic or operational level, and whether it makes decisions on CIP policies. Most countries operate an advisory committee that advises on issues in the CI sector or cybersecurity and gathers opinions of the public and private sectors in implementing CIP policies.
For instance, both the Cyber Security Council (CSR) in the Netherlands and the Critical Infrastructure Partnership Advisory Council (CIPAC) in the United States benefit from active participation of the private sector in CIP policy development and decision-making. The CSR is a national and independent advisory body composed of high-ranking representatives from public and private sector organizations and the scientific community, which advises on the strategic aspects of cybersecurity. The CIPAC is also an advisory committee, established by the US Department of Homeland Security (DHS) to directly support the implementation of the National Infrastructure Protection Plan (NIPP). The CIPAC is a forum for its members (i.e., government coordinating councils (GCCs), sector coordinating councils (SCCs), and cross-sector councils) to discuss issues related to CIP by utilizing the partnership structure in the NIPP [23]. Through CIPAC, participating members jointly discuss matters related to CI protection planning, risk management, and implementation of the national protection plan, and play a role in reaching consensus on policies, advice, and recommendations regarding CI security and resilience.

Second, PPPs can be based on voluntary participation, as seen in the case of ISACs. ISACs have been established and operated to share comprehensive information among CI entities in each sector. In the United States, ISACs were established as a follow-up to Presidential Decision Directive 63 (PDD-63) on critical infrastructure protection in 1998. From 1999 to 2000, ISACs were established in four sectors: financial services, telecommunications, electricity, and emergency services. Since then, based on Homeland Security Presidential Directive 7 (HSPD-7), the DHS has supported the establishment of ISACs, and the United States now operates ISACs in 16 CI sectors.
They mainly disseminate vulnerability information on the systems, collect and analyze incidents, advise on the impact of threats, and serve as contact points for exchanging threat information among the member organizations. Korea has established similar legal grounds in the Act on the Protection of Information and Communications Infrastructure to promote the creation of ISACs [24].

Box 3-8. CEPTOAR in Japan

Capability for Engineering of Protection, Technical Operation, Analysis and Response (CEPTOAR) is an organization formed by the voluntary participation of CI entities with the aim of enhancing their incident response and recovery capabilities through information sharing and analysis functions. As of the end of March 2022, 19 CEPTOARs are in operation in 14 sectors. Under normal circumstances, CI entities share information related to CI cybersecurity with other stakeholders through the CEPTOAR in their sector. However, in the event of a cyber incident, the incident is reported to the responsible ministries and NISC through the CEPTOAR, and relevant information is shared with other CI entities. If a large-scale IT failure occurs, the cabinet office in charge of incident response and crisis management and NISC respond in a unified way and share related information, such as incident information and recovery plans, with the responsible ministry of the CI, cybersecurity-related ministries and agencies, and cyberspace-related businesses. In addition, in the ICT, finance, electricity, and transportation sectors, CI entities have established information sharing and analysis centers (ISACs) composed of working-level officials to share cyber threats and best practices, thereby establishing a voluntary information-sharing system.
23 The GCCs consist of representatives from various levels of government, including federal, state, local, tribal, and territorial government, which enables interagency and cross-jurisdictional coordination as the government counterpart to each SCC. The SCCs, on the other hand, are self-organized private sector councils that include the CI entities and serve as the principal collaboration points between the government and the private sector.
24 Article 16 on Information sharing and analysis center.

In order for the ISACs to generate impact, the government needs to mandate the establishment, operation, and main role of ISACs in the CIP policy (legislation or strategy), provide technical or financial support measures for ISACs, and encourage the establishment of ISACs. Furthermore, the government can choose to expand the scope of operation of ISACs, especially for major CI entities or those with high market share. One way is to establish an ISAC council to promote trust-based cooperation among sectors. For example, the United States established the National Council of ISACs in 2003 for linkages among ISACs in each sector and has been operating a cross-sectoral portal for information sharing and training. Similarly, Japan has established and been operating the CEPTOAR Council as a consultative body composed of representatives of the CI sectors. The Council is an independent consultative body that is not affiliated with other organizations, and it consists of CEPTOARs by sector, as well as government agencies such as the responsible ministries of CI, IPA, NICT, and JPCERT/CC. For more information, see Box 3-8. ISACs are also commonly found in European countries, and ENISA identifies three potential types of ISACs (Box 3-9).

Box 3-9. Types of sector-specific ISACs in Europe

ENISA's investigation of Information Sharing and Analysis Centers (ISACs) established and operating in Europe showed that their ISACs were of three types: a country-centered model; a sector-specific model centered on essential and vital sectors of CI or essential sectors; and an international collaboration model. The sector-specific model aims to support CI entities in making the most of their sectoral knowledge and experience through information sharing, and the ISAC is positioned as one of the information-sharing platforms, as shown in the figure below.

Figure: Sector-Specific ISACs in Europe (diagram not reproduced; it marks which items are covered or uncovered in each panel). Panels: Types of organizations participating in ISAC (cyber security agencies, private service operators, national competent authorities, law enforcement, private product manufacturers, national intelligence authorities); Collaboration styles and tools (regular meetings, working groups, conferences and side events, web portals/platforms, emails and teleconferences); Sectors (energy, drinking water supply and distribution, health, financial market infrastructures, banking, rail transport, air transport, maritime, road transport, food distribution, other); Governance structure (management roles, supporting roles, no structure); Capacity building (vulnerability and threat analysis, training and exercises, trend analysis); Funding options (government subsidies, mandatory fees, voluntary contribution). Source: ENISA 2018, p. 20.

e. Information sharing

Governments can operate cyber threat information-sharing programs for the CI sectors and build automated information-sharing platforms and services to strengthen the cybersecurity and resilience capabilities of CI entities. For example, in Korea, various platforms have been built and are used to collect, analyze, and share real-time information on cyber incidents.
Two examples are the national cyber threat intelligence (NCTI) of the NIS and cyber threat analysis and sharing (C-TAS) of KISA. The NCTI has been in operation since 2015 and is designed to distribute and share cybersecurity information with the central administrative agencies based on the regulations on cybersecurity duties. Since 2020, the service has been provided via an internet-based information-sharing system that was built after signing an information-sharing agreement with the industries that are closely concerned with national interests and security, such as the corporations owning the national essential technologies and those in the national defense industry. Similarly, C-TAS has been operated by KISA since August 2014 and is designed to share information on cyber risks to enable timely responses to intrusions. The members include those in the manufacturing industry, cybersecurity organizations and corporations, as well as the web portals. Users share real-time information in an interactive manner through the web and an application programming interface, and the shared information can be reorganized by target and scope. There are 38 types of information in eight groups being shared via C-TAS, including single indicators [25], analytical reports, and trend information, and a total of 328 member organizations participated in C-TAS as of 2023. By systematizing the information-sharing practices, the user base has been expanded to include all types of corporations, which can access information on the latest trends and provide customized information to the CISO and staff members. Furthermore, members can choose to receive additional cyber threat information and in-depth analytical information for a systematic response. In a similar vein, the United States operates cyber threat information-sharing programs, as shown in Table 3-10, according to the level of information provided to stakeholders such as CI entities.
The United States built a technical system with automated and interactive information sharing by using STIX [26] and TAXII [27], and DHS launched the Automated Indicator Sharing (AIS) initiative in February 2016. Information shared through AIS includes cyber threat indicators (CTIs) and defensive measures (DMs). A CTI is information necessary to describe or identify malicious actions or vulnerabilities. For example, the CTI for a spear-phishing email, excluding the From/Sender email addresses, includes malicious URLs in the email, malicious attachments, email content, additional email information related to the malicious email, and information about potential cybersecurity threat actors (title, message ID, X-Mailer, etc.). A DM is information about known information systems or applied security activities, devices, procedures, signatures, techniques, or other measures. DMs include, for example, computer programs that identify patterns of malicious behavior in web traffic entering an organization; an enterprise intrusion detection system that detects spear-phishing behavior with specific characteristics; firewall rules to block malicious traffic entering the network; and an algorithm that searches for anomalous patterns suspected of malicious behavior in the network traffic cache.

25 Malware, command and control (C&C), infection internet protocol (IP), attack attempting IP, source of distribution, etc.
26 Structured Threat Information Expression.
27 Trusted Automated eXchange of Indicator Information.

Table 3-10. Cyber Threat Information-Sharing Programs According to Information Level in the United States

Level: Classified
• (DHS and CISA) enhanced cybersecurity services (ECS) and cyber information sharing and collaboration program (CISCP)
• (DOD) defense industrial base (DIB) cybersecurity (CS) program

Level: Declassified
• (FBI) private industry notifications (PINs) and FBI liaison alert system (FLASH) reports
• (DOE) cybersecurity risk information-sharing program (CRISP)

Level: Unclassified
• (CISA) automated indicator sharing (AIS), US-CERT/ICS-CERT portal website
• (DOE) cyber fed model (CFM) program
• (USDT) Financial sector cyber intelligence group, etc.

In Japan, the Information-technology Promotion Agency (IPA), an independent administrative agency, established a cyber information-sharing initiative in 2011 in cooperation with METI. The initiative targets the manufacturers of equipment used in heavy industries and critical infrastructure, to prevent damage from cyber incidents through initial response and information sharing. IPA and the corporations participating in the initiative sign a non-disclosure agreement (NDA), and IPA collects information on the targeted attacks detected in the member organizations and groups. The source of the information is kept anonymous, the information is labeled with analytical information by IPA, and it is shared with the member corporations upon the approval of the information providers. NISC can respond to vulnerabilities and alert private businesses and independent administrative corporations based on its strategic partnership with IPA in the private sector.

f. Allocating resources and setting time frames / metrics

The lead CIP authority determines whether the government agency that leads the initiative has the appropriate authorities (legal or other) for policy implementation. Moreover, the lead CIP authority identifies and allocates resources, including human resources, expertise, and budget, to implement the policy.
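Returning to the AIS cyber threat indicators and defensive measures described under e. Information sharing above: the example below is added here and is not code from the note, from CISA, or from the AIS program. It takes a constructed spear-phishing message, drops the From/Sender headers that the note says AIS excludes, and packages the remaining CTIs (malicious URL, attachment hash, message ID, X-Mailer) together with a DM as STIX 2.1 JSON objects using only the Python standard library; the email, the URL, and the hash are constructed placeholders, and the STIX object layout follows the published 2.1 specification.

```python
import json
import re
import uuid
from datetime import datetime, timezone
from email import message_from_string

# Constructed sample spear-phishing email (not a real message); header names
# are standard, all values are made up for this example.
SAMPLE_EMAIL = """\
From: attacker@example.invalid
Sender: attacker@example.invalid
To: ops@utility.example
Subject: Urgent: updated SCADA maintenance schedule
Message-ID: <20231201.1234@mail.example.invalid>
X-Mailer: ExampleMailer 1.0
Content-Type: text/plain

Please review the schedule at http://update.example.invalid/schedule.exe
before Friday.
"""

# Constructed SHA-256 of the attachment: a placeholder, not a real indicator.
SAMPLE_ATTACHMENT_SHA256 = "00" * 32

# Headers that are removed before sharing (From/Sender, per the note's AIS description).
SENDER_FIELDS = ("From", "Sender")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _now():
    """STIX 2.1 timestamp format (RFC 3339 with millisecond precision, UTC)."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _sdo(stix_type, **props):
    """Build a minimal STIX 2.1 object carrying the common required fields."""
    ts = _now()
    obj = {"type": stix_type, "spec_version": "2.1",
           "id": f"{stix_type}--{uuid.uuid4()}", "created": ts, "modified": ts}
    obj.update(props)
    return obj


def scrub_email(raw_email):
    """Parse the message and keep only the pieces AIS shares (no From/Sender)."""
    msg = message_from_string(raw_email)
    return {
        "subject": msg.get("Subject", ""),
        "message_id": msg.get("Message-ID", ""),
        "x_mailer": msg.get("X-Mailer", ""),
        "urls": URL_RE.findall(msg.get_payload()),
    }


def build_ais_bundle(raw_email, attachment_sha256):
    """Return a STIX 2.1 bundle: CTIs as indicators, one DM as a course-of-action."""
    meta = scrub_email(raw_email)
    ts = _now()
    context = (f"Subject: {meta['subject']}; Message-ID: {meta['message_id']}; "
               f"X-Mailer: {meta['x_mailer']}")
    indicators = []
    for url in meta["urls"]:
        # STIX pattern syntax: single-quoted literal, so escape embedded quotes.
        safe_url = url.replace("'", "\\'")
        indicators.append(_sdo("indicator", name="Spear-phishing URL",
                               description=context,
                               indicator_types=["malicious-activity"],
                               pattern=f"[url:value = '{safe_url}']",
                               pattern_type="stix", valid_from=ts))
    indicators.append(_sdo("indicator", name="Spear-phishing attachment",
                           description=context,
                           indicator_types=["malicious-activity"],
                           pattern=f"[file:hashes.'SHA-256' = '{attachment_sha256}']",
                           pattern_type="stix", valid_from=ts))
    # The DM: a perimeter blocking rule, one of the measure types the note lists.
    dm = _sdo("course-of-action", name="Block phishing URL at perimeter",
              description="Firewall/proxy rule denying outbound requests to the listed URL.")
    # Link the DM to every indicator it mitigates.
    rels = [_sdo("relationship", relationship_type="mitigates",
                 source_ref=dm["id"], target_ref=ind["id"]) for ind in indicators]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": indicators + [dm] + rels}


def leaks_sender(bundle, raw_email):
    """Pre-submission check: True if a From/Sender value survived into the bundle."""
    msg = message_from_string(raw_email)
    blob = json.dumps(bundle)
    return any(msg.get(f) and msg.get(f) in blob for f in SENDER_FIELDS)


if __name__ == "__main__":
    bundle = build_ais_bundle(SAMPLE_EMAIL, SAMPLE_ATTACHMENT_SHA256)
    assert not leaks_sender(bundle, SAMPLE_EMAIL)
    print(json.dumps(bundle, indent=2))
```

The bundle is what a participant's TAXII client would submit to the sharing service; that transport step is outside the example.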
Concurrently, the time frame is set, and the metrics and KPIs are defined to evaluate the effectiveness of policy implementation. These are developed by the government agency that leads the implementation of the policy or initiative. The standards and methods are specified with measurable indicators.

3.3.5 Step 5. Monitoring and Evaluation

CIP policy development and implementation is a continual process that necessitates a corresponding monitoring and evaluation scheme. The two inherently share the aim of ensuring policy effectiveness, but the timing in which they are performed can be different. Regarding the monitoring of policies, their status is continuously observed against the established master plans or action plans, and any changes in CI operation and risks are kept track of in light of the changes in the ICT and cybersecurity environment. Evaluation, on the other hand, is generally an ex-post process in which the authority assesses the effectiveness of the policy with measurable indicators, such as the security level of the CI entities or the results of security audits or security maturity assessments, and analyzes the aptness of the current CIP policies in response to the changing ICT and cyber environment. Government bodies seek improvements in the policy framework by comprehensively analyzing new designations or cancellations of CI following the monitoring and evaluation, as well as changes in ICT and in the cyber incidents affecting the CIs. In cases of major changes in the operating environment that introduce unknown factors, or where the CIP policy needs to be updated following events that compromise the security of CI, the government can restart the policy-making process by moving to Step 1 (Initiation). In other cases, the government may update the CIP policy implementation plans and adjust them for all CI sectors or specific sectors in order to respond to the new operating environment.

A. Establishing a review process

The lead CIP authority identifies and appoints an independent organization to undertake the task of monitoring and evaluation. The authority reviews the metrics or KPIs for each of the long-, mid-, and short-term goals and defines the roles and responsibilities of the organization for successful implementation.

B. Monitoring the progress of the implementation of the CIP policy and operating environment

The monitoring organization follows the agreed time frame within the life cycle of the CIP policy. The results of these monitoring activities may, however, specify the reasons for any delays in the agreed timeline, such as changes in priorities and shortages in human or other resources. The reports that contain the results are regularly updated. All related stakeholders actively participate in monitoring the status of the policy implementation to detect any issues early in the process. Some plans may be adjusted accordingly. As the operating environments and the types and magnitude of cyber incidents change along with the advancement of ICT, it is crucial that the relevant authorities understand them and update the list of CI candidates based on the identification of new or terminated essential services, as well as the operational changes in IT/OT systems that may affect CI core services.

C. Evaluating the outcomes of the CIP policy

In addition, the results should be regularly evaluated vis-à-vis the pre-set goals over the long term to assess whether the strategic objectives of CIP are achieved. Therefore, in the evaluation step, an outcome in the form of a report is produced, which contains the recent improvements and recommendations and any follow-up measures needed, such as policy updates through a reassessment of the priorities and objectives.
For example, in Korea, the CI-related ministries measure the level of achievement and effectiveness of their protection plans with KPIs that have both quantitative and qualitative aspects [28]. Moreover, the head of the NIS and the minister of MSIT can check whether the CI entities comply with the protection measures, report the results to the Committee on Information and Communication Infrastructure Protection, and recommend improvements to CI managers.

Figure 3-10. Three CIP Considerations for policymakers

Vision and goal for protecting critical information infrastructure: Strengthen the security and resilience of the nation's CI by managing cyber risks through the collaborative and integrated efforts of the stakeholders.

Establishing CIP policy and governance: develop the CIP policy and governance with the CIP policy framework for policy makers.
1. Raising security awareness, such as of cyber risk on CI and the need for CIP, among government policy makers
2. Conducting stocktaking and analysis (Step 2)
3. Establishing CIP governance with a whole-of-government approach in Step 3
4. Building a legal framework for all CI entities (mandatory regulations approach) in Step 3

Building a CIP program for CI entities (CI security and resilience framework): build a CIP program for CI entities according to the CIP policy (mandatory and voluntary activities).
1. Building security awareness and education programs for CI entities
2. Establishing public-private partnerships in some CII sectors, such as electricity and ICT
3. Reviewing the protection scope of CI sectors and CI entities with the development of ICT and changes in the national cybersecurity environment
4. Building a cybersecurity risk management system for CI entities
5. Building a cyber incident response and recovery system for CI entities

Enhancing CIP capabilities of CI entities: strengthen the security and resilience capabilities of CI entities (voluntary activities by CI entities).
1. Building practical training programs to strengthen the capabilities of CI entities
2. Expanding public-private partnerships in all CI sectors
3. Identifying and managing detailed protection scopes (e.g., IT/OT systems, NW) of CI entities under the jurisdiction
4. Strengthening the security capabilities of CI entities
5. Strengthening the resilience capabilities of CI entities against cyber incidents

28 Examples include: removing vulnerabilities from the major systems of CI through penetration testing; strengthening the security capabilities of CI managers through cybersecurity education and training; improving the cybersecurity level of CI entities by 10% compared to the previous year; improving the rate of removal of vulnerabilities from CIs in the jurisdiction by 10% compared to the previous year.

Conclusion and next steps

Cybersecurity and resilience of CIs is one of the most important and shared agendas among governments, CI owners and operators, industry, and academia. Policies that promote the secure and effective functioning of CIs necessitate a comprehensive approach involving the participation of all stakeholders. On this basis, this policy note presents five country cases (Chapter 2) that illustrate diverse endeavors to establish and implement CIP policies. Its purpose is to provide developing nations, whose policymakers are becoming increasingly cognizant of the importance of CIP, with a variety of entry points. The note then describes the building blocks of CIP policy making and provides a five-step illustration of how a CIP policy can be created, implemented, and evaluated. This enables developing countries to evaluate their progress towards CIP policy development and acquire knowledge from the experiences of other countries. To recap, three considerations can be made in designing CIP policies:

1. Establishing CIP policy and governance: Building a sound governance framework with a whole-of-government approach would ideally start with taking stock of the current operational status of the CIs, the country's national cybersecurity environment, and key stakeholders. It needs to be followed by a clear identification of roles among the relevant actors and the establishment of a comprehensive legal framework that encompasses the functions of all CI operators in the CI sector, in order to maintain a minimum level of security and resilience. Concurrently, governments can explore cybersecurity awareness-raising campaigns to strengthen the CI entities' understanding of the severity of CI-related cyber risks and the subsequent need for CIP policies.

2. Building a CIP program for CI entities: The enforcement of laws and regulations can be complemented by the supportive policy measures illustrated under Step 4 of Chapter 3. These measures can help the CI entities in developing countries, especially in planning and carrying out cybersecurity risk management practices, which are considered primarily the entities' responsibility in many countries. The center of government and the sectoral ministries in charge of the CIs can guide the entities by providing general or sector-specific CI programs and securing finances and human resources.

3. Enhancing CIP capabilities for CI entities: Empowerment of CI entities can help not only to strengthen the cybersecurity and resilience of CIs but also to increase their voluntary participation in national-level CIP activities. From the government's perspective, it can continuously monitor the trends in cyber threats and the CIs' operating environments to determine an adequate level of protection, so that ultimately the CIP considerations can be internalized within the corporate structure.
Although this policy note contributes significantly to the broader policy dialogue on the development of sustainable and effective CIP policies, it is not without limitations. By defining the stages of the CIP policy life cycle, the knowledge required for policy design can be operationalized and generalized. Once enacted, however, policies of any kind are prone to encounter institutional resistance and are inherently contingent on circumstances. Developing countries should undergo a more comprehensive maturity assessment in order to facilitate the precise implementation of a variety of effective policies and strategies pertaining to the resilience and cybersecurity of their critical infrastructure. A tailored examination using the SCMM model (Box 3-5) can help identify systemic deficiencies that require comprehensive policy interventions. In light of the potentially widespread and substantial damage that sophisticated cybersecurity threats pose to nations (across all critical sectors), this note can provide countries with valuable insights on how to enhance the security and resilience of critical infrastructure and avert future risks through a comprehensive CIP policy framework.

Appendix A. Key Activities to Address at the Strategic and Operational Levels for Government Policy Makers and CI Entities

1. Governance Challenges and Key Activities at the Strategic Level

A. Setting up multi-sector governance to secure CI security and resilience
• Identifying government functions related to CII protection, such as regulatory authorities in each CI sector, national disaster and cybersecurity response, etc.
• Establishing CIP governance with a whole-of-government approach (a designated CIP leading authority and coordinator working with the public and private sectors).
• Specifying in the comprehensive CIP policy the CIP governance and the roles and responsibilities of each related government agency.

B. Understanding the overall interdependence of CI sectors or CIs in the sector
• Defining CI, CI sectors, and critical services in each sector, considering the current state of the industry.
• Developing a methodology to identify and evaluate the assets that support the CI critical services or functions.
• Analyzing the interdependency between CI sectors or other CIs within the sector and addressing the impact of CI disruption.
• Designating CI and managing the list of CI operators.

C. Establishing PPPs to share a vision and goal for CIP and to agree on achievable objectives
• Establishing a system for CI entities to participate in the process of developing and implementing CIP policy, establishing PPPs, etc.
• Developing a common vision, goals, and strategic objectives for protecting CI through PPPs.

D. Building trust between governments and CI operators in the public-private sector by sharing risk-related information
• Establishing a legal framework for sharing cyber threat information.
• Developing protection measures for shared information and its providers.
• Building and operating a platform to share cyber threat information interactively between government agencies and CI entities.
• Developing measures to promote and activate cyber threat information sharing, such as incentives in the form of exemptions from legal liabilities.

E. Determining the policy instruments to support or strengthen the cybersecurity and resilience capabilities of CI entities
• Establishing a comprehensive legal framework for CIP.
• Preparing policy instruments to strengthen the cybersecurity and resilience capabilities of CI entities, such as developing guidelines on CIP, sharing best practices for cybersecurity risk management, and providing cybersecurity education/training programs, tools, etc.

F. Ensuring accountability for protecting CI and monitoring implementation of CIP policies
• Assigning to CI entities the responsibility to protect the CI under their jurisdiction.
• Building procedures to evaluate and review the implementation status of CIP policies and the effectiveness of policy instruments.

2. CI Protection Activities and Capabilities at the Operational Level

A. Establishing a cyber risk management program for CI to reduce cyber risks against threats
• Conducting identification, analysis, and evaluation of cyber risk for CI.
• Implementing cost-effective measures to reduce cyber risk according to priorities.

B. Preparing for cyber incidents and providing CI services continuously, even if an unpredictable threat occurs
• Establishing the cyber incident and crisis management system (e.g., CSIRT, response and recovery plans).
• Verifying the effectiveness of response and recovery plans and updating them through periodic cyber exercises.

C. Strengthening cybersecurity and resilience capabilities to protect CI under jurisdiction
• Strengthening cybersecurity and resilience capabilities to protect CI under jurisdiction in terms of human resources and operational and technical aspects.

Appendix B. Initial Set of CI Sectors and Critical Services

Sector | Subsector | Critical services
Energy | Electricity | Electric power generation, distribution, transmission, electricity market aggregation, demand response or energy storage
Energy | Oil | Oil production, refining, treatment facilities, storage, and transmission including pipelines
Energy | Gas (LNG, natural gas, etc.) | Supply, distribution, transmission, and storage including liquefied natural gas (LNG) systems, natural gas refining and treatment facilities
Energy | District heating | District heating generation, distribution, and transmission
Energy | Hydrogen | Hydrogen production, storage, and transmission
ICT | Telecommunication | Public electronic communication network, provision of fixed and mobile telecommunications, radio communication, navigation (long range navigation (LORAN), GPS), and satellite communication
ICT | IT | Internet exchange point, DNS service, internet top level domain (TLD) name registration, cloud computing service, data center service, content delivery network, trust service, instrumentation, and automation and control systems (SCADA, etc.)
ICT | Broadcasting and media | Broadcasting services
Transport | Air/aviation | Air transportation services for passengers and cargo, air traffic control (ATC) services, reservations, ticketing, boarding, and loading procedures, flight maintenance, flight plan creation, airport management
Transport | Rail (freight rail, mass transit, and passenger rail) | Passenger transport services, ticketing procedures, traffic control systems, infrastructure management
Transport | Water/maritime | Inland, sea and coastal passenger and freight water transport, ports management, vessel traffic services
Transport | Road (highway and motor carriers) | Road transport, intelligent transport systems
Finance | Banking | Deposits, loans, currency exchange
Finance | Financial market infrastructures | Trading venues operations, central counterparties
Finance | Insurance | Insurance claims, etc., payment demands, payment screenings, payments, accident reception, damage investigations, etc.
Finance | Superannuation | Superannuation services
Finance | Credit | Credit card settlement services
Healthcare | Medical and hospitals | Healthcare service
Healthcare | Medicines, serums, vaccines, and pharmaceuticals | Manufacturing basic pharmaceutical products and preparations, medical devices considered as critical during a public health emergency
Healthcare | Bio-laboratories and bio-agents | Research and development of medical products
Water | Drinking water | Supplying and distribution of drinking water, control of water quality, stemming and control of water quantity
Water | Wastewater | Collecting, disposing, treating urban, domestic, and industrial wastewater
Food and agriculture | - | Manufacturing, processing, packaging, distributing, supplying food or groceries
Public and legal order and safety | - | Maintaining public and legal order, safety and security, administration of justice and detention
Public administration | - | Government functions, civil administration services, local government administration services, postal and courier services, elections (voting systems, storage facilities for election and coding system infrastructure, etc.)
Emergency services | - | Security services, firefighting services
Chemical and nuclear industry | - | Production and storage, processing of chemical and nuclear substances, pipelines of dangerous goods (chemical substances)
Space | - | Support for the provision of space-based services, excluding providers of public electronic communications networks
Other | - | Research, education