Today, a country's ability to protect the companies and organizations identified as critical infrastructures is the cornerstone of its full transition to the digital age, a transition that must be fully protected against the malicious, targeted actions of cyber lone wolves and cyber troops alike.
Developed countries and their critical infrastructure companies constantly upgrade and review their digital protection systems.
by Thanos S. Chonthrogiannis
Any unlawful use of this article is prohibited by intellectual property law and carries heavy civil and criminal penalties for the offender.
Developing countries are in a phase of transition to the digital age and are trying to develop their own digital protection systems, while some other countries, because of economic weaknesses or other government priorities, believe that they cannot proceed with this digital transition. That is a false impression.
What is needed is a detailed organizational plan whose implementation removes any fear of damage to a country's critical infrastructures, such as ports, airports, water and energy companies, banks, road and railway networks, refineries, etc. In this analysis we present the organisational plan that a government needs to implement for the digital shielding of its country.
The organisational plan for digital shielding at the level of the country’s government
1. The government of the country should designate a central Cyber-Security directorate, which in turn should create, in addition to its other units, a separate troubleshooting group (Computer Security Incident Response Team, CSIRT) that reports to it.
The country's central cyber-security directorate will be under the command of the ministry competent for the country's digital governance. The main purpose of this directorate is to draw up a detailed guide-protocol on what the responsible cyber-security officer of a company regarded as critical infrastructure should do in any case of trouble.
2. The government of the country should in turn create a hyper-computational centre that aims to meet the digital needs of the entire public sector. The core aim of this project should be to reduce bureaucracy, with a view to optimum service for the citizen.
All the information systems of the country's government ministries should be moved into this hyper-computational centre, except for those relating to the country's security and defence.
3. At the same time, the government of the country should prohibit public bodies and organizations from implementing their own information systems and applications unless they have been given permission by the ministry competent for the country's digital governance.
The organizational plan for digital shielding at the level of the critical-infrastructure company
All companies characterized as critical infrastructures in a country have an obligation to take all the actions needed to achieve the maximum degree of protection of their networks, keeping backups and carrying out frequent checks, periodic or non-periodic, to assess their protection measures against unwanted intruders. To achieve this, the companies must do the following:
Companies characterized as critical infrastructures should institutionalise the positions of the responsible cyber-security officer of the company and the data protection officer of the company.
1. The company's cyber-security officer will then have to form and staff a troubleshooting team (Computer Security Incident Response Team, CSIRT).
2. The responsible cyber-security officer of each company should carry out, within a reasonable period, a self-assessment of the digital protection measures selected for implementation in the company.
Usually this self-assessment should be done upon receipt of the guide-protocol from the country's Central Cyber-Security Directorate.
3. Physical or digital access to the company's cyber-security systems, equipment, network and information, and to its respective facilities, should be limited to only the users authorized for it.
4. Appropriate "authentication and access control" mechanisms should be applied to minimise any possibility of access by an unauthorised person.
5. Their devices, systems and applications should be developed, maintained and managed in a way that takes into consideration the principles of digital security, established from the outset and by default in their design, in order to comply with all appropriate and proportionate safety requirements throughout their cycle of use and, more generally, throughout their life.
6. The cyber-security officer, in cooperation with the data protection officer, should propose to the company's management specific and appropriate policies, procedures and automated systems for taking and preserving backups, in a format that assures the data needed to provide the basic services and allows its immediate recovery.
7. The data protection officer of the company must not be the same person who holds the position of the responsible cyber-security officer of the company because the first one may need to check the second and vice versa.
8. Each company should apply technological systems for threat detection, recording and analysis.
9. Where applicable, the company's responsible cyber-security officer should separate the company's critical infrastructure files in order to limit the risk of cyber-attack.
10. Companies designated as critical infrastructures will be able to outsource part of their obligations to third-party companies, provided the legislative rules are fully implemented.
11. The cyber-security officer, and by extension the company's CSIRT team, will have to notify the country's Central Directorate of Cyber-Security at the competent ministry immediately, without undue delay and within 24 hours, of any incidents of violations that have an impact on the continuity of the service the company provides. The notification of the event should contain the following information:
a) The time the malicious event was perceived.
b) The detailed duration of the event, from the moment it was perceived until the time it was resolved, if it has been resolved.
c) All the information relating to the event and the magnitude of the damage or malfunction that it has caused, or will cause if the problem is not resolved.
d) All actions taken and the kind of damage containment measures that have been applied.
With this organizational design, the government of a country can proceed fearlessly with the digital shielding of its critical infrastructure, without any problem in managing and dealing with any cyber-attacks that occur. The difference is that the people who staff all these positions must be selected with strict criteria, so that the best of the best are chosen every time.