WS #190 Securing critical infrastructure in cyber: Who and how?

Summary

This discussion focused on protecting critical infrastructure from cyber threats and implementing international cyber norms. Participants explored how to identify critical infrastructure, noting the challenges in reaching a universal definition due to regional differences. They emphasized the importance of understanding interdependencies between sectors and conducting thorough impact analyses.

The conversation highlighted the need for baseline cybersecurity measures for critical infrastructure operators and service providers. Suggestions included asset inventory, vulnerability management, and compliance with applicable standards. Participants stressed the importance of training employees and raising awareness about cybersecurity risks.

The role of international cyber norms and confidence-building measures was discussed, with participants generally agreeing that these voluntary agreements can help reduce risks and foster cooperation. However, questions were raised about their effectiveness in preventing attacks during conflicts.

Participants debated whether it’s realistic to expect cyber operations to avoid targeting critical infrastructure, especially during peacetime. They noted the challenges in attribution and accountability when norms are violated. The discussion touched on the potential for unintended consequences when attacking interconnected systems.

Regional and international cooperation was proposed as a way to address these challenges. Participants suggested creating shared definitions of critical infrastructure within regions and establishing mechanisms for information sharing and joint incident response.

The session concluded by emphasizing the need for more diverse global participation in discussions about critical infrastructure protection and cyber norms implementation, particularly from developing countries and civil society organizations.

Keypoints

Major discussion points:

– Defining and identifying critical infrastructure across different countries and contexts

– Implementing baseline cybersecurity measures and standards for critical infrastructure protection

– Understanding interdependencies between critical infrastructure sectors and supply chains

– The role and impact of voluntary cyber norms and confidence-building measures

– Challenges in protecting critical infrastructure during peacetime and conflicts

Overall purpose:

The goal of this discussion was to explore practical measures and international frameworks for protecting critical infrastructure, as part of the Geneva Dialogue project to connect high-level cyber norms with on-the-ground implementation.

Speakers

– Anastasiya Kazakova: Cyber Diplomacy Knowledge Fellow at Diplo, part of the Geneva Dialogue team

– Vladimir Radunovic: Director, E-diplomacy and Cybersecurity Programmes at DiploFoundation

– Thomas Schneider: Director of International Affairs, Swiss Federal Office of Communications (OFCOM)

– Nicolas Grunder: Global Lead Counsel Digital, Data & Cyber, ABB

– Bushra AlBlooshi, Director of Cybersecurity Governance Risk Management Department, Dubai Electronic Security Center

– Kazuo Noguchi, Senior Manager R&D, Hitachi America

– Kaleem Usmani, Head of the CERT-MU, Mauritius 

– Klée Aiken, Director, Community & Capacity Building, the Forum of Incident Response and Security Teams (FIRST)

– Maria Pericàs Riera, Project Assistant, Center for Geopolitics, Geoeconomics, and Technology, DGAP

– Melanie Kolbe-Guyot, Head of Digital Policy, C4DT – EPFL

Expanded Summary of Critical Infrastructure Protection Discussion

Introduction:

This discussion was part of the Geneva Dialogue on Responsible Behaviour in Cyberspace, an initiative launched by the Swiss government and implemented by DiploFoundation with the support of several actors, and aimed at connecting high-level cyber norms with on-the-ground implementation. As explained by Vladimir Radunovic and Thomas Schneider, the project currently focuses on protecting critical infrastructure from cyber threats and implementing the agreed cyber norms. The session brought together participants from various sectors, stakeholder groups and regions to explore practical measures and international frameworks for protecting critical infrastructure and promoting responsible behaviour in cyberspace.

Geneva Dialogue Project and Scenario-Based Exercise:

The session began with an introduction to the Geneva Dialogue and its goals. A significant portion of the discussion revolved around a scenario-based exercise, which presented participants with a hypothetical cyberattack on a fictional cloud service provider. This exercise served as a springboard for discussions on critical infrastructure protection, international norms, and practical implementation strategies.

1. Defining and Identifying Critical Infrastructure:

A central challenge highlighted throughout the discussion was the need to define and identify critical infrastructure across different countries and contexts. Maria Pericàs Riera presented the DGAP project and noted the significant diversity in how countries define critical infrastructure globally, with over 40% of countries not publicly announcing what they consider critical. This diversity presents challenges in establishing common norms and protections.

Dr. Bushra AlBlooshi emphasised the need for common agreement on critical infrastructure definitions at regional or international levels. Kaleem Usmani underlined a need for conducting thorough asset inventories and impact analyses at a national level, highlighting a difference in approach between standardisation and individualised assessment.

Nicolas Grunder from ABB stressed the importance of understanding what constitutes critical infrastructure, while Anastasiya Kazakova pointed out the challenges in identifying cross-jurisdictional interdependencies. This underscored the complexity of the issue, particularly when dealing with infrastructure that has national, regional, or international impact.

2. Protecting Critical Infrastructure:

The discussion emphasised the need for baseline security requirements for critical infrastructure. Kazuo Noguchi from Hitachi America highlighted the importance of backup systems and geographic distribution of infrastructure, introducing a specific, practical measure for protection. Paola Nkandu Haamaundu stressed the need for training and awareness programmes for critical infrastructure staff, while Nicolas Grunder emphasised the importance of business continuity and incident response planning.

Vladimir Radunovic pointed out the need to secure supply chains and address interdependencies, a point echoed by Dr. Bushra AlBlooshi, who highlighted the complexity of interdependencies between different infrastructure sectors. Dr. Bushra shared a practical example: “We need to defined the critical sectors, and for each sector, we need define their he interdependencies, and if one sector goes down, this will give us a better understanding of what we should expect from the other sector.”

3. Role of Cyber Norms and International Cooperation:

Kaleem Usmani from CERT-MU argued that cyber norms help reduce the risk of attacks on critical infrastructure. Vladimir Radunovic elaborated on the importance of confidence-building measures and the role of norms in guiding responsible state behavior in cyberspace.

Klée Aiken from FIRST highlighted the importance of information sharing and threat intelligence exchange. However, Melanie Kolbe-Guyot from C4DT-EPFL raised the question of whether cyber operations can realistically avoid targeting critical infrastructure, especially during conflicts.

4. Challenges in Critical Infrastructure Protection:

Several challenges were identified throughout the discussion. Dr. Bushra and Vladimir both highlighted the complexity of interdependencies between different infrastructure sectors and the challenge of protecting infrastructure with international or cross-border impacts.

Imad Aad from C4DT-EPFL pointed out the difficulty in controlling security of actors across supply chains, a point echoed by Kazuo Noguchi who emphasised the interconnected nature of supply chains, including software, hardware, IoT, and people.

Anastasiya Kazakova raised the issue of lack of transparency from some states about critical infrastructure protection approaches, suggesting that greater transparency is needed to enable stakeholders to support state efforts in critical infrastructure protection.

Vladimir Radunovic also highlighted the potential unintended consequences of attacks on service providers like the fictional OmniCloud, emphasizing the far-reaching impacts such attacks could have on various sectors and countries.

5. The Geneva Manual and Operationalizing Norms:

Thomas Schneider discussed the Geneva Manual, which focuses on operationalizing critical infrastructure-related norms. The manual aims to provide practical guidance on implementing cyber norms and protecting critical infrastructure.

Conclusion:

The discussion concluded with several key takeaways:

1. There is a need for international efforts to better understand cross-jurisdictional interdependencies across CI at national, regional and international levels.

2. Protecting critical infrastructure requires addressing complex interdependencies and supply chain vulnerabilities.

3. Cyber norms and international cooperation play an important role in critical infrastructure protection, but challenges remain in implementation.

4. Baseline security requirements and standards are needed for critical infrastructure operators and service providers.

5. Critical infrastructure protection requires engagement from multiple stakeholders including governments, industry, and researchers.

Action items included finalising the next chapter of the Geneva Manual focused on critical infrastructure protection by early next year, developing more scenario-based games and cards to facilitate discussions, and seeking more input and participation from developing countries in the Geneva Dialogue process.

Vladimir Radunovic concluded by mentioning an upcoming session on civil society engagement in technical discussions, further emphasizing the project’s commitment to inclusive dialogue.

The discussion highlighted the complexity of protecting critical infrastructure in an interconnected world, emphasising the need for continued dialogue, cooperation, and practical action at national, regional, and international levels.

Vladimir Radunovic: Okay, let’s start. I hope you all got the headphones. It’s channel number four. So, number four is the room. Welcome to the session Securing Critical Infrastructure, Who and How. My name is Vladimir Radunovic. I’m leading cybersecurity programs for Diplo Foundation, an international educational capacity building institution. I’ll be sort of a host today together with my colleague, Melanie, who is here on behalf of DPFL and C4DT. But there will be a number of distinguished experts also joining us both here and online. And there I count all of you as well. Now, critical infrastructure has become a buzzword and we have seen it everywhere, popping up in the norm setting and policy setting frameworks, but also popping up among the professionals dealing with cybersecurity. But rarely we see how these two connect. Typically, the discussions are in silos. What we are trying to do with the Geneva Dialogue Project, and you will hear in a second a bit more about that, is to connect the high-level norms, cyber norms and frameworks with the practical work in protecting critical infrastructure. But before we dive into the session, let me welcome on behalf of Switzerland, who is the main supporter of the Geneva Dialogue on Responsible Behaviour, Thomas Schneider on behalf of Ofcom of Switzerland, to maybe put the welcome words and set the stage. Thomas, the floor is yours.

Thomas Schneider: Yes, thank you. This is an initiative of the Swiss Federal Foreign Ministry, but we partner with them in many ways, so they’ve asked me to say a few things about the Geneva Dialogue and the motivation also behind this. The Geneva Dialogue on Responsible Behaviour in Cyberspace was established by the Swiss Foreign Ministry now six years ago. It is led by our friends from the Diplo Foundation with the support of the Republican State of Geneva. Geneva is, in their view, a state of themselves. Other partners include the C4DT, we’ve already heard from EPFL, Swisscom and UBS. The aim of the Dialogue is to analyse and map the roles and responsibilities of the various actors in ensuring the security and stability of cyberspace. The Geneva Dialogue is a global dialogue, building on the Geneva tradition of bringing the world together. It engages some 100 companies, organisations, institutions and experts. In 2023-2024 more than 50 representatives and independent experts have contributed to the drafting of the Geneva Manual. In this context the dialogue stems from the principle of shared responsibility and particularly asks how the agreed cyber norms can be best implemented by relevant stakeholders together as a means to contribute to international security and peace. Concretely the Geneva Dialogue investigates the consequences of agreed upon norms for the relevant stakeholders. It does not try to find consensus but to document existing views of such stakeholders on their roles and responsibilities in the Geneva Manual as well as give good practices that should inspire others and promote responsible behavior in cyberspace. So this inaugural edition of the Manual focuses on two norms related to supply chain security and reporting of ICT vulnerabilities. This year the Geneva Dialogue discusses the operationalization of the critical infrastructure related norms and the sessions is another important opportunity to gather international feedback from various experts for the next chapter of the Geneva Manual. So I’m looking forward to an interesting discussion and I hope you all enjoy it. Thank you very much.

Vladimir Radunovic: Thank you Thomas. So briefly what the outline of the session will look like. We’ll start with a short overview of what is the main challenge that we try to address and what is the Geneva Dialogue about. My colleague Anastasia remotely will run us through that and then we’ll play a little bit and I think that’s the point of making most of the sessions useful but also interesting. So we’ll have a scenario game with cards. and we’ll break up in groups, we’ll try to step into shoes of governments, operators of critical infrastructures, researchers. And then after that, we’ll get back to a plenary discussion to reflect a little bit on main issues that were raised. I’ll pass the floor now to Nastya to lead us through the main issues and the Geneva dialogue, and then to drive us into the scenario exercise that we’ll play. Nastya, over to you.

Anastasiya Kazakova: Hello, everyone. Happy to be here. My name is Anastasia Kozakova. I’m a Cyber Diplomacy Knowledge Fellow at Diplo, and I’m also part of the Geneva Dialogue team. And within my 10 minutes, I’m going to briefly tell the story of what we do within Geneva Dialogue. And I think the perfect example would be this fictional story, which, of course, unfortunately, inspired by real events. So let’s imagine a large logistics company identified as a critical infrastructure operator, which was hit by a ransomware attack because the threat actors managed to target the weak security at the company service provider. And the service provider happened to be a small company, which provides cloud services and manages the cloud infrastructure of that logistics company. Imagine a part or a whole infrastructure of your company being frozen just because you are interdependent with other companies across supply chains. But of course, you have little control over the security of other actors across supply chains. The challenge that you are inevitably affected and your infrastructure might be at risk. And that’s, I think, one of the default scenarios across different actors across supply chains where different products, infrastructure have been interconnected with inherent vulnerabilities and the potential for malicious actors to target this. One of the main questions for us that we’ll look at and this story provides us with the example, who is responsible for taking action to mitigate cyber risks and protect critical infrastructure across borders and supply chains? Fortunately, there is some guidance. Almost 10 years ago, states formulated and agreed on a set of norms for responsible state behavior at the UN and some of the norms specifically agreed on to ensure supply chain security, report ICT vulnerabilities and also to protect critical infrastructure. There are questions though, how these norms guide actors in protecting critical infrastructure and how can specifically non-state stakeholders, which is the private sector, academia, civil society, technical community can implement the norms and support state’s efforts? So these are the questions that we look at the Geneva Dialogue, which is the global dialogue, we build a community and we discuss the roles, responsibilities of different actors in cyberspace to facilitate responsible behavior, implement the norms and address cyber risks. The initiative has been running since 2018 and there was a lot of work being done since then. In 2023, we started exclusively looking at the implementation of the norms and since then you can see that more than 60 contributors, which represent organizations, businesses and also individual experts who participate on a personal capacity have contributed to the Geneva Dialogue. All of these contributors come from more than 20 countries from different regions and that highlights that Geneva Dialogue is truly about the global community connecting different people in different parts of the world. In our community, we look at the four main stakeholder groups. So as I mentioned, this includes non-state stakeholders represented by the private sector and industry, academia, civil society and technical community, which is mostly represented by open source community, cybersecurity researchers and incident response experts. As there are 11 norms that we need to look at, we started discussing them step by step and in 2023, First we started with the two norms related to vulnerabilities and supply chain security. So that was the first step of our work. The outcomes were published in the Geneva Manual, the comprehensive guidance on how the stakeholders can help support the state’s efforts, other efforts in the community and implement the norms. This year, we expanded the scope and started looking at the three norms which we grouped as the norms related to protection of the critical infrastructure protection. We did quite a lot of work and here, there’s just some of the examples. In 2020, we already discussed different good practices, which the private sector implements to build a secure by design products and reduce vulnerabilities in them. In 2021, there was a study where we looked at the different governance approaches of selected countries to regulate the security of digital products. Essentially, that was a solid basis for us to more actively look into the implementation of the relevant norms and produce the first chapter of the manual in 2023. Structurally speaking, the Geneva Manual provides different inputs and we intentionally want to keep this document user-friendly for different stakeholders with different backgrounds. So when we discuss roles and responsibilities, there’s the first element, what when we identified a particular role, which is important to implement the norm, then we also look at the responsibilities, the incentives, this is the white element, different challenges, which stakeholders might have, which serve as a barriers for them to implement the norms and the good practices. Hopefully that might be helpful for those who are not part of the Geneva Dialogue, but who might be interested to make the contributions and find different useful experiences from Geneva Dialogue experts. And specifically when we discussed the norms related to vulnerabilities and supply chain security, we identified five roles. So you see them on the right side and specific. I just want to emphasize that civil society was also highlighted as one of the roles by our experts because we believe that and we heard the feedback from our experts that civil society, especially those actors who are involved in policy, advocacy and research might be a really important element putting the pressure on both state actors and the private sector to implement the norms and facilitate implementation of the relevant security practices. Today’s session is one of the first steps for us to collect international feedback which is increasingly important for us to produce the final chapter of our work this year with the focus on the critical infrastructure protections. Early next year we are going to announce the next chapter, the second chapter, with the focus on critical infrastructure protection. Just to give you a brief example of the level of discussions that we have in the Geneva Dialogue, there are some preliminary findings that we’re able to hear from our experts. I’m not going to read out all of them and we will be actually happy to share the finalist version early next year as I just said, but just to give you some of the examples of what we discussed. When we unpacked those norms which are the result of the diplomatic agreements between states at the UN, our non-state stakeholders and experts highlighted different concerns. One of them is the lack of the international efforts to understand and protect cross-jurisdictional interdependencies in some critical infrastructure sectors that might have regional international impact. The other point that we also heard is that critical infrastructure is governed by national legal frameworks and some states prefer to keep a high level of secrecy due to national security reasons. However, a lack of sufficient transparency for stakeholders, specifically domestic stakeholders, was highlighted as one of the barriers for them to support state efforts in critical infrastructure. protection and therefore different experts have highlighted that transparency about how states see the approach to protect critical assets is important element to make sure that stakeholders are aware of those efforts. Another example of what we so far have heard from our experts and that would be the topic of our tabletop exercise, a lack of universal baseline or minimum cyber security requirements to protect critical infrastructure. The suggestion came from the discussion that again there’s acknowledgement that critical infrastructure is governed by national legal frameworks, however there are connections between different critical infrastructure facilities through transnational essential services or other types of the infrastructure and that actually raised different more or less universal questions about the security across the supply chains for critical infrastructure operators. The question then further how to make the different legal systems which govern critical infrastructure and the security in them more or less interoperable so the actors who face more or less the same security issues might already have a common basis at least baseline understanding on how to address those security issues. I’d like to stop here and just make a call that as I mentioned we build the community and we also welcome the input of our interested stakeholders to support our work and also contribute with their expertise so the first chapter of the manual that we produced last year is published and you can see the link on the website that’s open to the feedback you can get in touch with us directly and at the same link we are going to announce the next chapter of the Geneva manual and ultimately we would welcome other stakeholders who are interested who have time and passion please join us to discuss this. important topics. So thank you very much. I’d like to briefly then go to the next segment as Vlada mentioned. We have the table top exercise which will be the with the main focus on discussing possible universal minimum baseline security measures for critical infrastructure protection. And before we explain the rules for participants on-site and virtually, we prepared the fictional scenario and to explain it perfectly we prepared also the video and hope that will be a little bit entertainment today. So I’m gonna to launch the video and please let me know if you can hear it.

Vladimir Radunovic: We don’t hear the sound though it’s not necessary. You can try to see if you can

Anastasiya Kazakova: put the sound on but we have the script. Okay on my side the sound is the maximum.

Vladimir Radunovic: Is the sound also shared? I hope so. Even if not I mean it’s it’s very visual and it’s inside so it’s fine. Okay so I’ll continue.

Video: Something significant has happened. Mr. Martin. Come in. I’ve been waiting for you. We’ll skip the formalities. Global Flow Logistics has a big security problem. IT will handle that. We need your services to deal with a different type of problem. Needless to say, I expect absolute discretion. It wasn’t even us they targeted directly. The breach had come through Nimbus Tech Solutions. Could you explain what happened? The attackers have exploited vulnerabilities in Nimbus Tech Systems’ poor network segregation, weak access controls, and outdated patches. Once inside, they moved into the infrastructure of the cloud service provider OmniCloud, eventually further slipping into, among other clients, into GFL IT systems. I assume something similar to this scenario happened. All our systems are blocked. The key infrastructure is offline. What happened? We need answers now. I’m working as fast as I can. The threat actors breached our systems and the entire supply chain that supported critical infrastructure across the region. Get the global flow online and fast. Their infrastructure goes offline and puts the entire critical infrastructure in our country at risk. Great. Now all systems are blocked. I just had a call from the government. They are asking for answers. Ms. Wong? This was no ordinary cyber attack. It was a full-scale assault on the networks that kept modern society moving. It seems that it had all started with a simple, preventable breach in a small company. The consequences would echo for weeks. But at that moment, she only had a few hours to figure out how to stop the bleeding before the entire structure crumbled.

Anastasiya Kazakova: So that was the scenario. That was a really short explanation of what happened. And the main idea, it’s completely fictional that there was a supply chain attack targeted a large logistics company through the weak security of the company’s service provider. And that affected multiple critical infrastructure industries in the country. So currently, at this moment, we’d like to proceed discussing this scenario in several groups and I’ll just want to briefly explain the rules. The main goal would be for this scenario to discuss the three questions that we prepared in smaller groups and reflect mainly on what could be possible those minimum cybersecurity requirements for, first of all, critical infrastructure operators and relevant stakeholders, service providers to protect critical infrastructure. So we want to look at this problem from different perspectives, different lens: government, critical infrastructure industry and cybersecurity research stakeholders. And we will have also team captains for each group on site and virtually. And as I mentioned, we will have three questions for each group. Those questions you can see on the slide. So basically, one of the first questions, what universal baseline security should be mandated for the operators? The next question with a focus on the same security requirements, but for the service providers, if you see the difference between them, would you believe that might be actually a closer approach to define those security measures for service providers as for the critical infrastructure operators? And the third question, a little bit optional, if you still have the time, which steps are required at a regional international level to ensure these requirements are effectively implemented across different sectors and jurisdictions? The question mostly targets different international efforts, if you see the necessity, especially in currently complex, geopolitically complex environment. We mentioned we also have team captains. So on site, we will have several groups.

Vladimir Radunovic: Thank you, Nastya. But as you can see, we have quite some ladies, which is a nice surprise in cybersecurity areas, not so often. What we are going to do now, we’re going to break into, I’ll add another group because there is a huge number of people in the room. So on this side of the room, I invite everyone who wants to play a role of the government to just move there slowly. They will be led by Dr. Bushra and Melanie. On this side of the room, we’ll have all those that want to play the role of the critical infrastructure operators. Think about critical infrastructure in whatever way you want. Hospitals, transportation, energy, whatever. In this case, we have a transportation issue. Maria will lead that group. I’ll take the third group, which is the cybersecurity researchers, incident responders and techies in a way, in this part of the room. What we are going to do, my colleagues will give us the scenario. So this video that you saw you also get in a comic book format So we’ll have few minutes to go to the comic book to remind ourselves Then we’ll get the cards each group will have the cards which will make us enable us to discuss the options to choose couple of cars that are priority options based on three questions that Anastasia looked at now the important thing the scenario shows something that happened an incident We’re not responding to an incident. We are rolling the time backwards and saying what should have we done so that this doesn’t happen. So think about rolling backwards to say if we have done this measure which says maintain and up-to-date all the digital assets of the critical infrastructure. This might not have happened and so on. Don’t go into details of the incidents – we are trying to see how the global norms and these practical issues are connected. Okay those that want to play the government move to that side those that want to play the critical infrastructure play move here. We’ll have about 20-25 minutes to discuss in groups and the colleagues the leaders will tell us what to do. Thank you.

Anastasiya Kazakova: All Right, so we will proceed virtually I Hope the participants on site can hear us. So Kaleem the floor to you and I will start her in the screen.

Kaleem Usmani: Thank you very much, Anastasia, and good afternoon, everyone. As Anastasia has mentioned, we are the Cybersecurity Research Stakeholder Group, and then, as announced before just starting this scenario, we are having some 20-25 minutes, and we are having three questions in a round. One, universal baseline cybersecurity measures should be mandated for CI operators to protect their infrastructure. And again, in terms of the CI operators, in terms of the service providers, so basically what we’re trying to do here is that we are encouraging the participants to come up with their suggestions, and then we will be opening the floor soon. We will also be having our colleague, Nicholas, who will be again talking about the first question on to the CI operators. So, we will wait a little bit on to that and then maybe we can start.

Nicolas Grunder: Yeah, thank you very much, Kaleem. I think I would not add too many more words, as we only have 25 minutes, I suggest that we just get started, right? And Anastasia, I was not so sure with the cards, it’s probably difficult to pull up the cards with suggestions, right? So, maybe we… Yeah, I think I would not add too many more words, as we only have 25 minutes, I suggest that we just get started, right? And Anastasia, I was not so sure with the cards, it’s probably difficult to pull up the cards with suggestions, right? So, maybe we… So, I suggest that we maybe just start with someone from the participants, considering what should be some baseline security measures and suggestions. I think we should just open the discussion of anyone who would propose a suggestion and why you would have such a suggestion.

Kaleem Usmani: So, I think we’re having one hand raised, Imad, please go ahead.

Imad Aad: One thing that comes to my mind for researchers to make some requirements for critical infrastructure operators is first to understand the critical infrastructure first. It’s not clear for all the researchers what is a critical infrastructure even in their own country. Second thing, they don’t know what is the supply chain of this critical infrastructure, right? Here, there’s a big question which is, should the critical infrastructure make it transparent? How they depend, what are their providers, there are some pros and some cons against this.

Kaleem Usmani: All right, maybe also another aspect of it is that we are trying to focus from the organizational and the technical measures. So meaning to say that what could be the organizational measures that these CII operators, they should be putting in place and as well as the technical measures, what they should be putting in place. As Imad said that first of all, it is important for us to understand that what are the critical infrastructure, what it is, how do we identify that, how do we carry out the assessment, what organizational structure is required. So I think these are the aspects and Nicholas, I think we will be having one more hand raised, Paula. So Paula, please go ahead. Thank you. Thank you.

Paola Nkandu Haamaundu: Thank you Dr. Kaleem. Just adding on to what the previous contribution was, understanding what critical infrastructure is. So for instance, if the nation deems that maybe the health sector is critical infrastructure, what the health sector should do as a start is to identify what assets they are in charge of, what assets they have. That way, they’ll be able to know what needs to be protected, what should be classified as high risk, what should be classified as low risk. And this is maybe more on the operational side. So they should be able to understand what assets they have as the health sector, what’s critical for the nation to have and to deem as critical infrastructure, what should be protected first. If the health sector was attacked, what would cause the biggest challenge to the health sector? So a basic understanding of what the assets are, or sort of like an asset inventory.

Kaleem Usmani: All right. Thank you, Paula. So I think again, the question which is coming here is that how do we identify critical infrastructures and what are the ways of doing it? So maybe we are having Nicolas on board from ABB. Nicolas, would you be able to share a little bit of experience where what are the ways and what are the sort of, in a way, baseline questions or kind of a checklist, which helps the organizations in order to identify their critical infrastructures? Obviously, in different countries, critical infrastructures, they vary a little bit as compared to the other country. But as per your experience, Nicholas, would you quickly tell us a little bit about how to identify and then how to carry out the risk identification around so that clearly they’re able to identify which sectors are or could be considered as critical?

Nicolas Grunder: It may vary between the countries depending on the industries they’re actually having. But I think what is something common is looking at the impact. So what impact does it have if a certain company or a certain type of providers of infrastructure would be taken out of service, either partially or completely, and what impact does it have on individuals on the functioning of certain services. And it’s basically about defining the services that are critical for functioning of society, right. So, of course, it’s very, very high level but but I think that that would be something important as we have heard is, if there is at least some sort of a common understanding and I think now looking at from an info for also from a provider of products into critical infrastructure so basically looking at the supply chain. That’s of course is important for the providers of products into critical infrastructure because we will have to to actually employ and deploy and develop cybersecurity measures for the products that are then secure to be used in these critical infrastructures. So so looking at the question what what is what is the universal baseline. I think that this probably difficult to formulate conclusively what is critical infrastructure but giving some of the criteria, what, based on the impact, it can have, I think, I think that that would be certainly helpful.

Kaleem Usmani: Thank you. Thank you, Nicolas, and also, I think, along with this particular group we are having two other experts, and one is clear from first and one is casual. And maybe we can also hear from clay clay. Do you have some sort of explanation around what Nicholas has added. clearly that how and what are the best practices for identifying critical infrastructures because normally we see that as Nicolas mentioned that that’s the key that that’s the key once we have and then also some reflection onto the part of the governance and the risk management that how the whole governance of this critical information infrastructure partition has to happen in a country and then we move on to the next level of understanding. So Klee, the floor is yours.

Klée Aiken: Good everyone and thanks Kaleem. I hope everyone can can hear me okay. Yeah I think you know in terms of the basic baseline cyber security measures and things like that obviously there’s the normal level that you’d expect from any type of organization but by being critical infrastructure you do have these additional requirements that are placed upon your organization. In terms of determining which organizations fall into that category it’s very much determined by each individual government and their approach and their perspective. You know we’ve had conversations with folks in the Pacific for example where you know certain cultural aspects or assets or tourism related assets that wouldn’t necessarily be considered critical infrastructure in other countries were deemed critical infrastructure at least in the exercises that we were doing. So it’s really important as Nicolas said to look at what is that impact on the individual economy. So that’s national security perspective, that’s an economic perspective and most importantly is looking also at the human impact both directly in terms of you know for example health and human services and that impact on people’s health and their ability to get treatment and emergency care but also kind of the flow-on impacts that can that can have effects on individuals. Last or two weeks ago, we were on a panel and one of the speakers was speaking about the ransomware incident in Australia last year. And one of the challenges that they faced was finding means to coordinate between the federal government, the state governments, and being able to reach from a cyber perspective into women’s shelters, because very sensitive information about folks staying in those facilities were leaked through the ransomware incident. So you have to really focus on those kind of flow on third order impacts that wouldn’t necessarily come to mind. So critical infrastructure can get very complicated to define. But yeah, it’s just important to focus on that impact on individuals, national security, and economy. Thank you.

Kaleem Usmani: Thank you very much, Klée. And another aspect also is in terms of organizational measures we have been talking about. And then also, the other important aspect is the technical measures, because both are the combination. Because if you want to put it in a more structured, then obviously both organization and technical measures are important, because organizational measures normally govern the whole technical measures implementation. So we are having a hand, and then maybe we’ll get back to Kazuo on the technical measures. Imad, you have the floor, and then we move on.

Imad Aad: Yeah. Here I am again. Regarding the impact, it is very complicated to measure the impact of a flow in a given infrastructure because of the dependencies. Let’s say if you are cutting water, okay, water is critical infrastructure. And then how long will the society survive just because of the lack of water, but it’s also for cooling. for instance, for cooling generators or for cooling whatever, then electricity might depend on the water. Everything else depends on the electricity. And trying to measure how much dependent water is on electricity or vice versa, this is super hard, right? What may help in this direction, what may help the researchers is, for each critical infrastructure service, they can define what they depend on and what other stuff depend on them. So input and output dependencies. This may be helpful for researchers, right? In order to assess the impact of attacks.

Kaleem Usmani: Sure. Thank you very much. I think interdependencies is the key into defining the critical infrastructures. I totally agree. And this is an area, which is a complex area, which we need to look into and work onto. And I think for today’s discussion, interdependencies of the critical infrastructure is one of the areas to be discussed and have a thought process onto that. Imad, do you want to say something?

Imad Aad: Yeah, I would add to the note that it’s inward and outward for each service. So it’s not only if I am electricity, I’m an electricity provider. It’s not only what I depend on, but I can also list what other services depend on me. You see what I mean? Yeah, thanks.

Nicolas Grunder: I just may add, I just seen a comment that Paolo Carlos made and he mentioned continuity planning. And I think this is a very important baseline that… So what’s the goal of protecting critical infrastructure? So the goal is that it actually, it can continue to operate and having the business continuity and the recovery planning in place, having played that, I think that is also an important requirement that actually should be applicable across the board, regardless of jurisdiction, right? Because you want to keep it running.

Kaleem Usmani: Thanks. Thanks, Nicolas. And again, that’s again a good point, of course, continuity and business continuity is important, and especially here, we are talking about the design and that is, again, an important aspect. So maybe even Kazuo is with us. And Kazuo?

Kazuo Noguchi: Yes, great targets here already. Ultimately, for critical infrastructure to be sustainable or resilient, any attacks can be tolerated. So how long it can be sustained, regardless of attacks, how to create not to be kind of down. So that’s one of the resilience measure. But impact analysis, I totally agree the consequences, as well as the risks measure, particularly to the human lives. And from that, investment and the priorities and the resources should be allocated accordingly. But critical infrastructure named based on the countries like 15 or 13 or 18. But those are adding based on the risks and human lives these days for the technical advancement. In addition, these new additional things such as AI can be impacted quite well, positively and negatively, how to make those measures or risks or consequences human lives should be properly put into the context. So let me stop here.

Kaleem Usmani: Thank you. And so obviously, as the discussion is moving towards that, how do we identify how to identify the services? What is the importance of interdependencies inward and outward? again secure your supply chain. This is again is coming up out of this particular discussion. Even impact analysis is important. I think this was mentioned by Nicolas as well as Klée. This is also something what we need to have once we are talking about the baseline security measures which we need to have and we move on accordingly. So still I think we are having some three to four minutes for us to discuss from that. Any other questions from the floor maybe that we can take it up and then we can summarize quickly and then we can have a last round with the experts here and then maybe then we can wrap up this part of the discussion. So any questions from the floor? Paula, you have the floor.

Paola Nkandu Haamaundu: Thanks. Maybe not a question per se but I think there should also be an aspect of training for the employees and awareness because of the industry or because of how quickly cybersecurity changes and things are moving. There’s constant need to be up to date with how to protect critical infrastructure. So there’s need for training for staff that are working on that critical infrastructure but also the general awareness for staff that interact with the infrastructure. Thank you.

Kaleem Usmani: And coming back one more thing which is connecting of course because even training and awareness is important. Another aspect also once we are talking about the technical measures here is again compliance and standards and I think that connects a part of very much as a cybersecurity major onto the CI operators. So maybe I can open the floor to the experts and around compliance and standards for this as a cybersecurity major for the CI operators and then maybe we can wrap up this session here. So I’ll start with Nicolas and then Klée and then to Kazuo and for that if there is any final question which we have that we can take it up and then we can close. So over to you Nicolas.

Nicolas Grunder: Thank you Kaleem. I think I mean standards is absolutely essential especially if you look at it from perspective. of a globally operating company. I think that is where the big benefit of cooperation or global cooperation is essential, that there are certain standards that you can also rely upon and that you know they apply in country A and in country B and in country C and that would then be actually the real baseline. I’m now trying to look, I’m a lawyer so I’m not a researcher, but trying to look at it from a researcher’s perspective, I think that is where where researchers can play a huge, huge role in actually defining these standards, right? Because that’s something when you look at it from a technical perspective, that’s very much something where the researchers will actually provide the input.

Kaleem Usmani: Thank you. Thank you, Nicholas. Over to you, Klee, for your final thoughts.

Klée Aiken: Yeah, definitely. So with standards and compliance, you know, there’s obviously the clear value of the standards to help teams to uplift their cybersecurity, but there’s also kind of the responsibility on government when you’re defining certain industries and certain organizations as critical infrastructure to create certainty of the expectations that you have on the companies. So that’s a pretty critical role that can be played and you can look not only at the technical standards and technical expectations and policies that need to be in place, but also responsibilities around reporting as well as communications. Because again, we’re looking at critical infrastructure because of the flow-on impact that it has on the wider economy and individuals. So thinking about other aspects beyond just technical expectations when you’re developing these types of standards is quite important. Thank you very much, Klee.

Kazuo Noguchi: Yes. So, ultimately, global supply chains are really complex, and including small companies and small nations, and built onto supply chain, software, hardware, IoT, and the people in the supply chain, and how to make sure that the end-to-end is working well, and all the service providers to protect those, including databases, as well as those chains, and the hardware chains, which is part of this exercise, but software supply chain, there is also, and the database are all connected. So, all the researchers to analyze those, and some vulnerabilities to get to know and protect constantly, those are the part of the measures, particularly automated things are coming up, and all connected, physical, as well as the virtual things. This case is cloud, which is a new type of, perhaps, political infrastructure category, perhaps. So, how we can make sure that all connected things can be protected well. So, those are going forward. Thank you.

Kaleem Usmani: Thank you very much, Kazuo. So, more or less, I think we are getting into the shape of understanding that what should be the basic or baseline cybersecurity measures should be mandated for a CI operation. And the discussion which has come up here is, how do you identify? What are the ways of identifying and understanding the structure of the CI? I think this is another aspect which we have been talking about. Interdependencies was something, again, we have been discussing that how the interdependencies inbound and outbound, that has to be seen in order for us to look at the complete visibility of the supply chain attacks, in order to identify the CIS and accordingly put subsidy measures in place. We also have been talking about the impact analysis because this is impact analysis is important in order for you to identify whether the CI is critical or not. This is, again, I think what we have been talking about. Another discussion which came up as a baseline cybersecurity is also the business continuity and even the incident response plans, they’re important aspect of having that baseline cybersecurity measure in place for the CI operators. Also, we have been- We start? And then obviously implement the vulnerability management and of course, securing the data, that’s the data protection. So that’s the important aspect.

Vladimir Radunovic: Thank you, Nastya. Playing in different shoes. Oh. Just scratching the surface, what are some of the issues? Certainly we’ll be waiting for the next step to define more of those kinds of- See how to-

Anastasiya Kazakova: Vlada, apologies. I think we can’t really hear you properly. You are disappearing from time to time.

Vladimir Radunovic: Ah, this one, yeah. I didn’t sing enough, you know. If I sang enough, I would know how to mic. Thank you. Thank you. Okay, we move to the last part of our session. To discuss a little bit, couple of questions that we had for round table. And we start with a question on, well, Nastya, you can probably show the questions. We start with a practical aspect, then we try to connect with cyber norms and confidence building measures. At this point, I’ll pass the floor to Melanie to lead, but I invite you to jump at any point, raise a hand. We wanna interact, right? Melanie, over to you.

Melanie Kolbe-Guyot: Fantastic, so please, now we’re starting out with our discussion rounds. And I really invite everyone to also report from their group what they found was most interesting, speaking also a little bit from which perspective you were talking about, and also what your reasoning was. So the first question we wanna discuss is, how can we effectively protect critical infrastructure, facilities, and assets that do have national, regional, or international impact? So in particular, what practical measures should be implemented? And importantly, which stakeholders need to be engaged in this? Right, so we’re trying to kind of go between our online audience and the in-room audience. I would like to start very quickly with our Zoom people. Nicolas, would you start out?

Nicolas Grunder: Yeah, Melanie, thank you very much. And I’m also reporting a little bit of what we discussed in the group, and we were the researchers group. And interestingly, the first questions from the perspective of the researchers, what is actually critical infrastructure? And so we delved a bit into that topic and seeing that critical infrastructure might be defined differently from jurisdictions, but essentially, what we’ve seen important is that there is some sort of a baseline that is developed based on… on the impact that an incident can have. And then we very quickly, we started talking about standards as well, which I think we all think it can be very beneficial and standards, not only being technical standards, yes, that’s an important part of it, but also organizational standards, incident response notifications, et cetera, et cetera. So it’s that kind of broad array, but let me open the discussion again to the group of people as well.

Melanie Kolbe-Guyot: Great, fantastic. Someone else, what practical measures do you think are really important? Anyone in the room who would like to give it a go? Yes. Volunteers? Dr. Bushra, go ahead.

Bushra AlBlooshi: So thank you so much, first of all, for the invitation and for the very nice interactive session that we had so far. Just to reflect on a few practices that we’ve been doing in United Arab Emirates or in Dubai and few of the practices that we were doing also internationally with the World Economic Forum. Reaching to an agreement, what is critical infrastructure and reaching to a common agreement at the regional level or national level might be challenging, but reaching to unified agreement to the policies regulations that we can all deploy on our service providers, whether those service providers are cloud providers, software providers, or even critical infrastructure operators themselves, I think we are all doing common things but we need just to come together in order to say, okay, those are common things, let’s agree on them internationally. And we published a report with the World Economic Forum in 2021, where we were calling for harmonized certification for individuals, professionals, service providers, and even products. You can find the report in WEF website, its call for harmonized certification report with the World Economic Forum. Out of that report, actually, there was an action that was taken forward. So there is an international coalition that was created for cyber security professional certification where more countries came together, and we met last November in Wilton Park, and we came out with agreed, let’s say, set of definitions for certification accreditation within the professional domain. If that can be done for cyber security professionals, why not for other domains? Why not for cloud providers? Why not for software? And also there is a platform for certifying hardware devices. It’s called Common Criteria, and with multiple countries, they came together. They are agreeing on minimum security requirements for hardware devices. And ICT hardware devices, if that can be also done, and it was done, and it was proven to be effective, then we can do something similar at provider’s level or even software level. So for me, priority one is to agree, whether regionally or internationally, on the minimum security requirements, certification requirements that can be done for the service providers. Why I need to certify cloud provider in multiple countries with the same regulations or same requirements.

Melanie Kolbe-Guyot: Thank you. Dr. Bushra, this is precisely what we were actually talking about in our group, which was the government group. It’s like some sort of credential, some kind of checkup system and management of the service providers, and especially those four critical infrastructure providers. Let me revert back to our Zoom. Kazuo, could you chime in, please?

Kazuo Noguchi: Yeah. Thank you, Melanie. It was a really interesting scenario case that we had in a short period of time. To remind myself for the question that Brad mentioned, how to make it better before it happens. One of the critical things for the infrastructure provider is that the backup, backup, backup. And backup system in the different geography and the countries and regions, so that the spread, there are risks. That’s one thing that we can do. The difficult part here, the scenario is a new one, global cloud provider. Sometimes difficult to know, identify single point of failure, it’s great to have as a measure. And the data perspectives for the supply chain, including people, sometimes happening, how to make the measure so that that data integrity, also the hardware, software, supply chain’s integrity should make properly. And the zero trust architecture is coming up. For instance, the development, also the good for security by design and the default for the users. So risk scenario. We talked in this, the online discussions, how to make the good consequences risk assessment and all interdependent to the business as well as people, how to make that impact analysis to clarify how critical it is. And to based on those critical infrastructures level, how to make the prepared investment and prepare not to happen. And for the resilience perspective, although cloud may be not working, but there may be the way to get around. And for the United Nations, GGE and OEWG 11 norms, those are great starting point for the operationalization. As Anastasia mentioned, this one is good guide and good capacity building for that is ultimately the confidence building. And also the confidence building, meaning that communicate well. And the UN Open Networking Group started the point of contacts globally, more than 110 countries. And communicate through those, for the private or stakeholders are good or initiative through all the channels of nation jurisdictions. Finally, on the prevention and resilience coming up, some are identified, but on prevention, how to make the better use of AI for instance to detect. and to address the vulnerabilities beforehand what’s happening, but ultimately for the operators to be sustainable, that’s critical for life. Yeah, thank you for this opportunity.

Melanie Kolbe-Guyot: Thank you Kazuo. You packed up a bunch of operationalizations. Thank you very much to also put this a little bit in the global perspective, in the interdependence between service provider critical infrastructures and of course the governments. I would like to see one more person from our live audience. Yes, we have someone. Fantastic. Thank you.

Audience: Thank you. I’m assuming here that the hacker and the country that has been hacked are in peace, I mean between their two countries. However, there is a probability that both countries are in war. And I’m believing that there should be a framework under the United Nations with a certain of infrastructure. No? Shall I repeat? With a listed infrastructure items and should be agreed between everywhere around the world that those elements should not be touched in peace or wars by cyber crimes. For example, even if there is a war, electricity, water and transportation shouldn’t be touched or affected even in those sort of nonsenses. I think this is one of the agreements that should be in place these days, you know, in order to avoid such… future problems.

Melanie Kolbe-Guyot: Thank you, fantastic, and you kind of skipped a bit to question number three already, because that’s exactly an important point to consider. So we will come back to this, thank you. So let’s move to the second question. Now, we looked at the practical measures, and we kind of want to come back to what the roles of cyber norms is, right? The roles of cyber norms, especially FG&H, that’s been discussed, and confidence-building measures, CBMs, when it comes to the protection of critical infrastructure. So they are voluntary in nature, right? Do you think they have an impact on the protection of critical infrastructure, although they’re clearly voluntary? Vlada, go ahead.

Vladimir Radunovic: Yes, I actually wanted to connect to what our colleague mentioned. The context that we are discussing this is the UN agreement within the General Assembly, ultimately before, by all the states of the UN, about these cyber norms and confidence-building measures. And exactly as you said, one of the norms is do not attack each other’s critical infrastructure, and boost the resilience of each other’s infrastructure. And some of the CBMs, the confidence-building measures that the countries have agreed, include something that we have in the cards and that we have discussed in the groups, such as work on understanding how each country defines the critical infrastructure. Sorry, probably we’ll never be able to agree. This is a common agreement of what is critical infrastructure everywhere. But this is one of the CBMs to try to exchange it and understand. And then the other one is capacity-building, which we mentioned in our group, I guess, in ours, in others, capacity-building across the board. of the governments, but also, for instance, there was a good point of training of the suppliers towards their customers in critical infrastructure. What are the risks? So what I want to say is, even if these norms are voluntary, all the states have agreed. Even if they would be binding, it’s a good question if states would be adhering to them. We see breaking the international law every day. But I think the measures that we discussed are very practical ones which directly contribute to implementing the norms and CBMs. My question, maybe back, is to what extent the governments, which made the agreement understand this, that this is the implementation? Back to you, Melania.

Melanie Kolbe-Guyot: Thank you so much. Kaleem, actually, we’re calling you as the head of CERT in Mauritius.

Kaleem Usmani: Thank you, Melania. And I think that this is a good question. All the way with the rule of cyber norms and confidence building emerges when it comes to the protection of CIE. Does the voluntary nature have an impact on the protection of CIE? And I think the answer is very much yes. And this is what Vladimir has been talking about. And there are a few things around quickly how they’re going to help. And being voluntary in nature, all these 11 norms, and especially I think this is what we have been studying. So what they basically do and how they help. And though they are voluntary, first of all, what they do is that they try to reduce the risk of cyber attacks. And I think that’s the point what we are talking about. And why they do that? Because the norms establish the prohibition of cyber attacks on critical infrastructure during a peacetime. And examples are even very much mentioned into the GGE report of 2021 and the OEW report of 2021 as well as what we are talking right now through the OEWG dialogue which is going on currently. And then it will be maturing in July 2025. So yes. And then also one of the components here is that they act as a deterrent, in fact, against state-sponsored threats by increasing accountability. So I think that’s another aspect which, again, where voluntary non-binding norms, they help into protecting critical infrastructures because there are some three, four norms are specifically around CIIs if you look at the all 11 norms and including the supply chain and the vulnerability. So, of course, they all connect. Now, also, they foster international cooperation if we talk on those lines. and especially sharing the threat intelligence content against targeting CIIs. And also the states collaborate under these principles to build a global resilience to cyber threats. That’s another aspect I think, that’s how the norms, they help into protecting CIIs. And also they enhance the incident reporting mechanism. This is, I think, coming from the technical community. That’s an important aspect once we are talking about the incident handling and resolution of the critical infrastructure, especially, for example, into the SCADA systems or the technology environment. And maybe also the last comment which I wanted to add here is the promoting accountability and responsible behavior. And I think that’s what the gentleman from the audience has said, that there has to be some sort of an agreement where the states, they should not be attacking to the essential services law. Like, for example, electric grid or water supply. So that’s another aspect, and this is where the contribution of the incident response team that comes to picture. So maybe I’ll stop here. I thank you very much for giving me the floor.

Melanie Kolbe-Guyot: Thank you, Kaleem. Thank you very much. We have one more intervention from the audience.

Audience: So this intervention is within the context of the talent discussions and the two consequent manuals that have been released. So there has been international consensus on the fact that you cannot attack cyber critical infrastructure, but the problem lies in identifying those infrastructures. And a potential solution for this could be regional cooperation. For example, where we are at the Middle East could agree on any infrastructure relating to oil could be critical to them and it could be established and there could be regional cooperation setting up a body of its own for the region. And this could be done globally with certain regions focusing on their own vulnerabilities. And then this could potentially pave the way forward for international cooperation.

Melanie Kolbe-Guyot: Right, before we move to the last question, any more assessments on the impact that you think cyber norms and CBMs can have? All right, then let’s move on to the last question, and we kind of had these little nuggets of this conversation already in the previous minutes. So the question is like, is it reasonable to expect cyber operations to avoid targeting these critical infrastructures? And we’re talking here particularly about in context of peace times, right? Or is this an unrealistic expectation? And how do we establish this kind of accountability for harm that is caused by threats to critical infrastructure, especially when the agreed upon norms are being violated? So these are two kind of questions in one, but you are free to only answer to one of them. Maria, please go ahead.

Maria Pericàs Riera: Yeah, first of all, thank you. Thank you for giving me the opportunity to be here today. So first of all, I would like to talk briefly about what has been mentioned about the identification of critical infrastructure at the nation level. So I will here like to introduce the project that we have done at the DGAP. It’s called German Council on Foreign Relations. If you have any questions, then you can come to me and I will really talk a bit more individually with you about it. So what we have tried to see is to identify or to look at every country in the world, all the 190 plus something nations worldwide, and see what each country considers as critical infrastructures. And one of our main takeaways is that it’s very different worldwide. So for example, even when you check energy sector, this can mean very different things across the globe. And yeah, during our study, we’re not trying to see, okay, you should consider this or this or that as critical, but rather to see how diverse it can be and how complicated it can be. So we’re just like acknowledging that this is a huge task. Our second takeaway would be that there are still many, many countries all over the world. It was over 40% of. countries worldwide that haven’t publicly announced what is critical for them. So when I was doing this research, I was checking at all, I don’t know, constitution, ministries, websites, et cetera, to see what is critical for them, but still, this DGAP tries to be a disaster. Otherwise, again, is it better now? Thank you. So if you check the database and you see that some countries that you know that they have defined it have been omitted, please let me know, and we would love to introduce this. And regarding the accountability of these norms, I’m not the person that can say if they’re going to help or not in avoiding attacks on critical infrastructure during peacetime, but I think that at least the first step of a country saying, okay, this is critical for me, and then this respective country trying to create some type of critical infrastructure resilience, and then getting in contact with the service providers and critical infrastructure providers is already going to be a great step in order to promote the resilience of the providers, because, for example, our group, we were the critical infrastructure operator, and then we saw how many things can go wrong in one second and how interconnected we are. So yeah, these are my thoughts on this, but also, if some people from our group wants to contribute or say or mention something, please feel free to do so.

Melanie Kolbe-Guyot: Yeah. Can I just pick up on this? So yes, this is one of the issues we also in the Geneva Dialogue had the questions like we can endlessly talk about what is critical infrastructure and what is not, and it’s actually complicated because there’s a diversity across contexts, but yes, at some point, there might be some exchange necessary to understand this. At the same time, we can go very simple and say electricity grids. It’s probably, I think, probably in all contexts, we would agree that’s critical infrastructure, right? Okay. Or nuclear power plants. Right? Okay. So let’s assume we have one definition in mind. Is it reasonable to accept to expect and pursue norm violations that targeting, for example, electricity grids during peacetimes? Is this? Is this a reality? Is this something we that’s reasonable to expect? Or are we like, yeah, well, probably not. I just remember we had volt typhoon attack in the salt typhoon attack in the US, where exactly these kind of things were prepared, prepared for. Let’s go ahead.

Vladimir Radunovic: This one is probably better. Based on this, I’m thinking one thing is whether the states are going to avoid attacking each other, particularly in peacetime, which I guess and I don’t know if anyone here from the defense sector, but I suppose the defense sector would say, Okay, if we have a conflict, there are no borders. And in peacetime, we can call it a peacetime. I’m not sure they would avoid doing that. But I have another concern is that sometimes it can be an attack against the omni cloud. And the attackers actually do not know that they will cause the the spillover effect on one or more critical infrastructures. So we are back to that question, not only how we define critical infrastructure, but do we know the dependencies of all those critical infrastructure on the service providers, cloud software, and so on.

Melanie Kolbe-Guyot: Dr. Bushra, please.

Bushra AlBlooshi: Yeah, I can I can reflect on that very good point that Vladimir raised, I think from a nation, a nation perspective, it’s very important to define critical infrastructure, then define also the assets related to each sector and the sector lead and who’s doing what, this is the first step. And this is what we did. This is what we did in Dubai, it took us a while till we came out with that model, what is a critical and then what are the critical services from a business point of view, it should be done absolutely from business point of view. And then you start defining the critical assets from IT point of view. Then we also did one more important exercise. What are the interdependencies between those critical infrastructure? What is the interdependency between the power sector and transportation sector? What if the power sector goes down? How the transportation will react? How all other sectors will react? And what are the countermeasures or the agreements that we need to take at the nation level? So I think starting from the national level is very important, and then building up the other types of collaboration at the regional level or international level are considered as next steps.

Melanie Kolbe-Guyot: Thank you very much for this good illustration of how to identify these questions and interdependencies. Fantastic. So we’re on the finishing line, and I’ll hand back to Vlada, no, to Nastia, to give us our last closing remarks.

Anastasiya Kazakova: Yeah, and before that, if you allow, I’ll just probably a quick follow-up question to Dr. Bushra, because that was a really important also aspect for the second chapter of the Geneva Manual. So Dr. Bushra, if you could quickly share, is there also a defined approach? How does Dubai approach the security of those interdependencies and services which are provided by foreign companies and overseas actors?

Bushra AlBlooshi: Just briefly, because for the sake of time, I think we are limited in time here. So we have plans for each interdependency. By the way, our critical infrastructure sectors is already in our website, desc.gov.ae. You can find the critical sectors, and for each sector, we define what are the interdependencies, and if one sector goes down, what we should expect from the other sector. For example, power sector, they said if our systems goes down, we are expecting that the critical infrastructure on the other side, transportation, for example, they can react and they can operate for four hours till we bring up the service up. And in that case, transportation, they should make sure that they have generator that can operate if the power goes down in Dubai.

Melanie Kolbe-Guyot: Thank you so much. Nastya, back to you.

Anastasiya Kazakova: Thank you very much. That was really helpful. We’ll finalize on the now side. We just wanted to… briefly share the key insights what we discussed virtually in our groups and perhaps that might be also helpful maybe some thought-provoking photo for the audience on site. So we from the cybersecurity research perspective discussed the measures so which should be mandated for critical infrastructure operators to protect the infrastructure and some of the key insights so we definitely most of the inputs were about a better understanding of the what’s actually critical is and understanding the asset inventory what are those assets that needs to be protected what are those dependencies inward outward securing those dependencies and looking also more comprehensively at your supply chain. The participants we also discussed the importance of conducting impact analysis and threat assessment given the regional and local specifics of the facilities and an infrastructure and you also probably see that we specifically pointed out to the necessity to ensure the compliance with applicable standards and laws and implement vulnerability management and securing the data. So that was some of the insights that we discussed so far. I will open the floor if anyone has any further comments from the virtual group.

Kaleem Usmani: Thank you very much just the last question where we have been talking about the interdependencies and interdependencies as you mentioned about that how the overseas foreign actors they come into picture. Normally what we did at the level of the country here is that we have a clear guideline which talks about it how the interdependencies they have to be dealt with. So what we did is that we have come up with the full fledged CIIP framework and that CIIP framework is connected with the national information infrastructure guideline and which in a way the implementation of the CIIs, and that has a very clear baseline that how both overseas and the local CII operators, they have to interact with each other. So this is what we are basically trying to do to ensure this particular guideline so that there is a clear-cut actions that are required in order for them to carry out their risk assessment and the major gap in terms of the vulnerabilities and the weaknesses they have into their system so that the CII operators, they are in a position to guide their operators in order to implement those. So thank you very much. That’s the point which I wanted to make.

Vladimir Radunovic: Probably time to wrap up. Thank you so much for the online group there. I hope you also had fun. Thank you all for being with us. I want to just with a few lines close this. The next steps we are working on is trying to finalize the Geneva Manual like this on the vulnerability disclosure and supply chain about critical infrastructure. The game we did is not finalized so I hope by mid next year we’ll have the next manual. We’ll have the games as well, probably more cards, more scenarios. Everything will be open for the audience. Now what is critical for us is that in this process of shaping the final document we get as many voices particularly around the world from developing countries which honestly we’re still missing. So if any one of you want or know someone of the companies, technical community, civil society, open source community regulators, that want to get involved in Geneva Dialogue and provide their feedbacks and experiences, please do. You’ll find us around the Diplo booth over there today and tomorrow still. And then with this we close this discussion. much the civil society in this discussion. You’ll notice that in discussions about vulnerability disclosure, we did have a particular actor on civil society. We should reflect on that more. But in the meantime, the next session here in this room is connecting to that. And the question is, how do we make sure that the global civil society gets more engaged in these sometimes rather technical discussions about standards, security, Internet governance, and so on. So stay in the room for the next session. We’ll come back in 10 minutes. With that, I thank you so much.

Agreement Points

Importance of defining and identifying critical infrastructure

Nicolas Grunder

Bushra AlBlooshi

Maria Pericàs Riera

Kaleem Usmani

Importance of understanding what constitutes critical infrastructure

Need for common agreement on critical infrastructure definitions at regional/international level

Diversity in how countries define critical infrastructure globally

Importance of conducting asset inventory and impact analysis for critical infrastructure

Multiple speakers emphasized the crucial need to define and identify critical infrastructure, recognizing the challenges in reaching a common understanding across different jurisdictions and the importance of conducting thorough assessments.

Need for addressing interdependencies in critical infrastructure

Anastasiya Kazakova

Vladimir Radunovic

Bushra AlBlooshi

Challenges in identifying cross-jurisdictional interdependencies in critical infrastructure

Need to secure supply chains and address interdependencies

Complexity of interdependencies between different infrastructure sectors

Several speakers highlighted the importance of understanding and addressing the complex interdependencies within critical infrastructure, both within and across national boundaries.

Similar Viewpoints

Both speakers emphasized the importance of international cooperation and norms in protecting critical infrastructure, suggesting that collaborative approaches are essential for effective protection.

Kaleem Usmani

Unknown speaker

Cyber norms help reduce risk of attacks on critical infrastructure

Need for regional cooperation in identifying critical infrastructure

Both speakers stressed the importance of preparedness and resilience in critical infrastructure protection, focusing on backup systems and continuity planning.

Kazuo Noguchi

Nicolas Grunder

Importance of backup systems and geographic distribution of infrastructure

Importance of business continuity and incident response planning

Unexpected Consensus

Transparency in critical infrastructure protection approaches

Anastasiya Kazakova

Bushra AlBlooshi

Lack of transparency from some states about critical infrastructure protection approaches

Need for common agreement on critical infrastructure definitions at regional/international level

Despite potential national security concerns, there was an unexpected consensus on the need for greater transparency and international cooperation in critical infrastructure protection approaches.

Overall Assessment

Summary

The main areas of agreement centered around the need for clear definitions of critical infrastructure, addressing interdependencies, international cooperation, and the importance of preparedness and resilience.

Consensus level

There was a moderate to high level of consensus among speakers on the key challenges and necessary steps for critical infrastructure protection. This consensus suggests a growing recognition of the global nature of the issue and the need for collaborative, multi-stakeholder approaches to address it effectively.

Different Viewpoints

Approach to defining critical infrastructure

Maria Pericàs Riera

Bushra AlBlooshi

Diversity in how countries define critical infrastructure globally

Need for common agreement on critical infrastructure definitions at regional/international level

Maria Pericàs Riera highlighted the significant differences in how countries define critical infrastructure, while Bushra AlBlooshi argued for the need to reach a unified agreement on definitions and policies at a regional or international level.

Unexpected Differences

Overall Assessment

summary

The main areas of disagreement centered around the approach to defining critical infrastructure and the level at which security measures should be standardized (national, regional, or international).

difference_level

The level of disagreement was moderate. While there were differing perspectives on specific approaches, there was a general consensus on the importance of protecting critical infrastructure and the need for some form of standardization. This suggests that despite differences in approach, there is potential for collaboration and progress in developing effective cybersecurity measures for critical infrastructure.

Partial Agreements

Both speakers agreed on the importance of identifying and defining critical infrastructure, but differed in their approaches. AlBlooshi advocated for a common international agreement, while Usmani focused on conducting thorough asset inventories and impact analyses at a national level.

Bushra AlBlooshi

Kaleem Usmani

Need for common agreement on critical infrastructure definitions at regional/international level

Importance of conducting asset inventory and impact analysis for critical infrastructure

Similar Viewpoints

Both speakers emphasized the importance of international cooperation and norms in protecting critical infrastructure, suggesting that collaborative approaches are essential for effective protection.

Kaleem Usmani

Unknown speaker

Cyber norms help reduce risk of attacks on critical infrastructure

Need for regional cooperation in identifying critical infrastructure

Both speakers stressed the importance of preparedness and resilience in critical infrastructure protection, focusing on backup systems and continuity planning.

Kazuo Noguchi

Nicolas Grunder

Importance of backup systems and geographic distribution of infrastructure

Importance of business continuity and incident response planning

Key Takeaways

There is a need for clearer definitions and identification of critical infrastructure at national, regional and international levels

Protecting critical infrastructure requires addressing complex interdependencies and supply chain vulnerabilities

Cyber norms and international cooperation play an important role in critical infrastructure protection, but challenges remain in implementation and accountability

Baseline security requirements and standards are needed for critical infrastructure operators and service providers

Critical infrastructure protection requires engagement from multiple stakeholders including governments, industry, and researchers

Resolutions and Action Items

Work on finalizing the next chapter of the Geneva Manual focused on critical infrastructure protection by mid-next year

Develop more scenario-based games and cards to facilitate discussions on critical infrastructure protection

Seek more input and participation from developing countries in the Geneva Dialogue process

Unresolved Issues

How to effectively identify and protect cross-jurisdictional interdependencies in critical infrastructure

Whether it’s realistic to expect cyber operations to avoid targeting critical infrastructure, especially during conflicts

How to establish accountability mechanisms when agreed-upon cyber norms are violated

How to balance national security concerns with the need for transparency in critical infrastructure protection approaches

Suggested Compromises

Focus on agreeing on baseline security requirements and certifications for service providers rather than trying to reach universal agreement on critical infrastructure definitions

Pursue regional cooperation and agreements on critical infrastructure protection as a stepping stone to broader international cooperation

Start with protecting universally recognized critical infrastructure like electricity grids and nuclear plants while working towards more comprehensive definitions

Reaching to an agreement, what is critical infrastructure and reaching to a common agreement at the regional level or national level might be challenging, but reaching to unified agreement to the policies regulations that we can all deploy on our service providers, whether those service providers are cloud providers, software providers, or even critical infrastructure operators themselves, I think we are all doing common things but we need just to come together in order to say, okay, those are common things, let’s agree on them internationally.

speaker

Dr. Bushra AlBlooshi

reason

This comment shifted the focus from trying to define critical infrastructure to finding common ground on policies and regulations for service providers. It offered a practical approach to addressing the challenge.

impact

It led to discussion of specific initiatives like harmonized certification and international coalitions, moving the conversation towards concrete actions rather than theoretical definitions.

One of the critical things for the infrastructure provider is that the backup, backup, backup. And backup system in the different geography and the countries and regions, so that the spread, there are risks.

speaker

Kazuo Noguchi

reason

This comment introduced a specific, practical measure for protecting critical infrastructure that hadn’t been mentioned before.

impact

It shifted the discussion towards more technical, operational considerations and led to further comments about risk assessment and resilience.

I’m believing that there should be a framework under the United Nations with a certain of infrastructure. No? Shall I repeat? With a listed infrastructure items and should be agreed between everywhere around the world that those elements should not be touched in peace or wars by cyber crimes.

speaker

Audience member

reason

This comment introduced the idea of a global agreement on protected infrastructure, even during wartime, which was a novel perspective in the discussion.

impact

It prompted consideration of international frameworks and agreements, leading to further discussion about the role of the UN and global cooperation in cybersecurity.

So we have plans for each interdependency. By the way, our critical infrastructure sectors is already in our website, desc.gov.ae. You can find the critical sectors, and for each sector, we define what are the interdependencies, and if one sector goes down, what we should expect from the other sector.

speaker

Dr. Bushra AlBlooshi

reason

This comment provided a concrete example of how a government is addressing the challenge of interdependencies in critical infrastructure, offering practical insights.

impact

It grounded the discussion in real-world practices and prompted consideration of how different sectors interact and depend on each other in critical infrastructure.

Overall Assessment

These key comments shaped the discussion by moving it from theoretical considerations to practical approaches and real-world examples. They broadened the scope from defining critical infrastructure to considering international cooperation, technical measures, and interdependencies between sectors. The comments also highlighted the complexity of the issue, showing how it involves multiple stakeholders and requires both national and international efforts. Overall, these insights deepened the conversation and led to a more nuanced understanding of the challenges and potential solutions in protecting critical infrastructure.

How to define and identify critical infrastructure across different countries and contexts?

speaker

Maria Pericàs Riera

explanation

There is significant diversity in how countries define critical infrastructure, with over 40% of countries not publicly announcing what they consider critical. This makes it challenging to establish common norms and protections.

How to map and understand interdependencies between different critical infrastructure sectors?

speaker

Dr. Bushra AlBlooshi

explanation

Understanding interdependencies (e.g. between power and transportation sectors) is crucial for assessing vulnerabilities and developing contingency plans.

How to establish universal baseline or minimum cybersecurity requirements for critical infrastructure protection across jurisdictions?

speaker

Anastasiya Kazakova

explanation

Given the transnational nature of many critical infrastructure services, there’s a need for more universal security standards while respecting national frameworks.

How to make legal systems governing critical infrastructure security more interoperable across countries?

speaker

Anastasiya Kazakova

explanation

This would help address common security issues faced by actors across different jurisdictions.

How to effectively protect critical infrastructure facilities and assets that have national, regional or international impact?

speaker

Melanie Kolbe-Guyot

explanation

This requires identifying which stakeholders need to be engaged and what practical measures should be implemented.

How to establish accountability for harm caused by threats to critical infrastructure when agreed-upon norms are violated?

speaker

Melanie Kolbe-Guyot

explanation

This is crucial for enforcing norms and deterring attacks on critical infrastructure.

How to address the lack of transparency from some states regarding their critical infrastructure protection approaches?

speaker

Anastasiya Kazakova

explanation

Greater transparency is needed to enable stakeholders to support state efforts in critical infrastructure protection.

How to secure the complex global supply chains involving small companies and nations?

speaker

Kazuo Noguchi

explanation

The interconnected nature of supply chains, including software, hardware, IoT, and people, presents significant security challenges.