The 2016 GFCE-MERIDIAN Good Practice Guide on Critical Information Infrastructure Protection for governmental policy-makers (hereafter: 2016 GPG) outlined that Critical Information Infrastructure Protection (CIIP) is a complex but important topic for nations. By nature, CIIP is a national security topic in the sense that failure, disruption or destruction of Critical Information Infrastructure (CII) may cause serious impact to the society, economy and well-being of the citizens. Societies at large, critically depend on the proper functioning of the Critical Infrastructures (CI) such as energy supply, telecommunications, financial systems, drinking water, and governmental services. In turn, these CI often critically depend on the proper functioning of CII. CII is a complex concept and includes information and communication technologies (ICT), and operational technologies (OT). OT is also known as industrial control systems and SCADA systems, that monitor and control critical cyber-physical processes. The CII comprises (1) critical ICT infrastructures (e.g. mobile telephony and internet services), (2) critical ICT and OT systems that are part of each CI, and (3) new CII services beyond these established domains.
The focus of the 2016 GPG was providing assistance to nations new to the CIIP topic. The Meridian community identified the need for more elaborate guidance and good practices for both developing and mature nations in this domain on:
− Terminology and definitions.
− Identification of Critical Information Infrastructure (CII).
− The societal uptake of Information and Communication Technology (ICT) and Operational
Technology (OT) and their effects on the identification of new critical elements of the national CII.
This Companion Document provides these good practices and guidance in this domain to political leadership and governmental policy-makers in both developing and mature nations.