
Eye 2 Eye

Driving cross-border collaboration in Critical Information Infrastructure Protection

Posted date: 1 November 2008

Dr Paul Dorey has had more than 20 years of management experience in information security. He is a Director of the security research and strategy think tank CSO Confidential ( www.csoconfidential.com ) and Chairman of the Institute of Information Security Professionals ( www.iisp.org ). He is also an official advisor to the European Network and Information Security Agency ( www.enisa.europa.eu ) and a founder member of the Jericho Forum ( www.jerichoforum.org ). In Singapore for last month's Meridian Conference, he spoke to iN.SG about the challenges surrounding Critical Information Infrastructure Protection (CIIP).

Defining the scope of CIIP
The Critical Information Infrastructure (CII) refers to both the information infrastructure itself - telecommunications and data networks - and the embedded IT systems controlling physical infrastructure. In the petrochemical industry, for example, this would be the embedded IT systems controlling plants, pipelines and other facilities.

Dr Paul Dorey
Dr Dorey: There is a growing need to develop experienced security professionals and assess their competency to global standards.

Most countries have identified a number of sectors that they deem critical, for example, energy, transport and logistics, telecommunications, health, financial services and the water supply.

To scope out CIIP, we have to look at what service is important in terms of national criticality, and then assess the dependence of those services on information, because not all sectors are equally dependent on information systems. The financial services, for example, would not operate if there were no IT, and sectors such as energy are becoming increasingly dependent on information systems.

The importance of cross-border collaboration in CIIP
Cross-border collaboration is important for three reasons. Firstly, we are all using the same technology, so we need to solve IT security problems together. The economics of IT systems supply require that systems users collectively create the marketplace demand for security.

Secondly, we are all interconnected through networks. An attack could start in one geography and spread to another. We will need cross-border collaboration to manage such threats.

Thirdly, much of the CII is being operated by global corporations who need uniform standards across all of their operations to be effective. If countries adopt global standards, this greatly simplifies the task for global service providers and reduces overall cost.

The challenges
One of the key challenges facing cross-border collaboration in CIIP is that not all countries are at the same level of maturity when it comes to the development of the information infrastructure, or are comfortable engaging with the private sector in CIIP.

Yet, when it comes to the CIIP, the private sector has to be involved because private companies run most of the infrastructure. It is also important to understand that CIIP involves not just a national but also a multinational effort.

In terms of technical challenges, the fact is that security was not really designed into many of the existing systems in these critical sectors. We therefore have to build security into legacy systems, to invest in the past, and there is an economic challenge in doing that.

What's next?
There has to be a steady and planned transition to a more secure environment. The OECD (Organisation for Economic Co-operation and Development) talks about a culture of security. We did not have this culture in the past because IT was very much driven by the functionality race. We had to increase the functionality of our systems in order to compete, and security lagged behind. But going forward, it will be easier to develop a culture of security because doing it right the first time is not expensive.

We need to do three things to address the challenges of CIIP. Firstly, we have to declare clearly the security standards we need to comply with. The ISO 27001 standard, for example, has been around for a few years, but not all governments have stated their adoption of the standard.

Secondly, there are facilities available to test components of the CII, and we have to make it a standard requirement for equipment to be tested before it can be deployed. The Industrial Security Compliance Institute, for example, has standards for testing CII. But this is not yet widely adopted.

The third area to address is the accreditation of security professionals. We have to test that those who advise on, and design security in, systems have the right skills. Many have an "educational qualification" in security, but what we need is to build on this with competency-based security skills that show the ability to apply the knowledge.

When someone leaves university with a medical degree, for example, they are not really a doctor. They have the medical knowledge, but they become a doctor only when they have worked with other doctors in a hospital and are able to put their knowledge to use independently. It is the same with security. The risks are too important to treat casually. For adequate protection of the CII, and IT systems in general, there is a growing need to develop experienced security professionals and assess their competency to global standards.