Information Security Standards in Critical Infrastructure Protection

Abstract

The standards applicable to Information Security are legion, from the purely technical, low-level specification of crypto protocols to the high-level organisational management frameworks. Industrial Control Systems - among them the Information Systems in Critical Infrastructure - still present their own set of challenges and quirks, despite the convergence trend towards mainstream information technologies and networking. Among these challenges we can recognise the still widespread use of legacy and proprietary systems with a long life and often poor documentation, the geographical spread, the fact that ICSs control physical equipment with all the related consequences (safety risk, difficulty of testing), the lack of IT and especially security training among the personnel, the legal and regulatory environment. The paper analyses the application of standards in Critical Infrastructure Information Protection, both from an organisational and technical perspective, their choice, their implementation and economic cost and benefits, in the context of the existing legal landscape, in particular in the European Union context. A brief theoretical excursus will examine a cost-benefit model for policymakers called to formulate the best policy in mandating - or not - the use of standards.