Cyber security management of critical energy infrastructure in national cybersecurity strategies: cases of USA, UK, France, Estonia and Lithuania

The progress made in cybersecurity in the past years has been huge, and the implementation of newer strategies has brought interesting results all over the globe. However, the full implementation of cybersecurity presents a challenge to many countries, especially with regard to Critical Infrastructure Protection (CIP), which is still one of the areas with the most gaps in terms of cybersecurity. In this article, the first five countries by cybersecurity level according to the Global Cybersecurity Index (GCI) 2018, in order UK, USA, France, Estonia and Lithuania, will be evaluated for their solutions in terms of Critical Infrastructure Protection. The results will show the effective accuracy of the index and will shed light on the various approaches to Critical Infrastructure Protection.


Introduction
The introduction of the concept of cybersecurity has brought about a major development of the role and responsibility of a state towards its citizens. Since cyber-attacks have been regarded as a growing phenomenon, especially in advanced countries, many of them decided to implement newer strategies, which considered the cybersecurity of both private and public spheres. According to the International Telecommunication Union (ITU), by the end of 2018, 3.9 billion people were using the Internet (ITU, 2019), which means that cyberspace is growing more and more each year and needs to be protected. Many countries worldwide have published National Cybersecurity Strategies (NCSSs), which embodied the will to secure cyberspace from cyber attacks and ransomware.
However, there seems to be an obstacle to the achievement of full cybersecurity, which is the protection in particular of Critical Energy Infrastructures (CEI). For "critical infrastructures", the definition can vary from country to country, but the general meaning can be traced back to "services and facilities used by society which disruption or malfunction would generate negative consequences to the public" (Izycki et al., 2019). While past attacks were focused mainly on IT (Information Technology) environments, the trend shows that cyber risk is now greater in the OT (Operational Technology) environment. Even though the risk is present and growing, many NCSSs do not address specific plans which include Critical Infrastructure Protection (CIP) or recognize the need for an adequate framework for granting supply chain and aid during and after a cyber attack. This article will attempt to examine the issue of CIP as a gap in NCSSs, by analyzing and comparing five different NCSSs. The countries will be chosen by picking the first five that are represented in the Global Cybersecurity Index (GCI) 2018, issued by the ITU. The list is made by evaluating each country's commitment to and development of cybersecurity solutions. The ranking is made by evaluating five elements, all with the same weight in the calculation of the final grade: legal, meaning the existence of legal institutions or frameworks concerning cybersecurity; technical, the existence of such technical institutions and frameworks; organizational, meaning policy coordinating institutions; capacity building, the existence of research & development and education and training programs; and cooperation, in terms of partnerships and cooperative frameworks (ITU, 2019). The Global Ranking of 2018 puts in the first five slots (in order): UK, USA, France, Lithuania and Estonia (ITU, 2019).
The analysis will proceed by evaluating the Critical Infrastructure Protection strategies of the first five countries using the model developed by Limba T., Plėta T. et al., named the "Cyber Security Management Model for Critical Infrastructure", developed in 2017 (Limba, et al., 2017). The tiers are six, and each evaluates a specific feature needed for an adequate framework of a management model for cybersecurity. Legal regulation evaluates an organization's understanding of cybersecurity, its aims and the required planning; the second tier is risk management, which evaluates the organization's ability to identify growing risks and to develop adequate responses. Other important elements are Security Culture, which evaluates the level of understanding of cybersecurity of every member of the organization's staff; Technology Management, which concerns the knowledge of all of the organization's elements and their vulnerabilities; and Incident Management, which considers whether the organization has special plans regarding incident consequence management (Limba, et al., 2017). After the evaluation, there will be a ranking which will establish the best and the worst strategy in terms of CEIP, and it will be possible to compare the results to those of the GCI 2018. Further, a new model will be proposed which could better ensure a high level of CEIP. In order to determine the level of preparation of NCSSs in terms of management models for Critical Energy Infrastructure Protection, documents will be taken from official sources. However, the priority will be to consider documents specifically dedicated to Critical Infrastructure Protection, in particular on management model and strategy. In the case of a country not having specific documents on CIP, the National Cybersecurity Strategies will be used.

Analysis of the National Cybersecurity strategies
The following chapter will offer an analysis of national cybersecurity approaches to the protection of critical infrastructures. As mentioned in the introduction, the model that will be used for the evaluation is that of Limba et al. (Limba, et al., 2017), called the Cyber Security Management Model for Critical Infrastructure. The goal of the analysis is to show the existing gaps in the national strategies when it comes to the protection of critical infrastructures (CIP). For this reason, the countries that were chosen are those that supposedly implement the best possible practices according to the Global Cybersecurity Index (GCI). The evaluations will assess the presence of frameworks dedicated to CEIP and of effective management strategies. If the country does not provide a specific document on CEIP management, the analysis will be conducted on the existing NCSS.

UK
According to the Global Cybersecurity Index (GCI), the United Kingdom is placed first in the list, immediately before the US (ITU, 2019). The choice to put the UK in first place reflects a serious commitment of the country to invest in cybersecurity development. In the 2015 National Security Strategy and Strategic Defence and Security Review issued by the government (HM Government, 2015), there is a part dedicated to Critical National Infrastructure (CNI) and energy security. The strategy mentions the will to ensure the resilience of CNI to future threats such as power disruptions (HM Government, 2015). Moreover, the government founded the Center for Protection of National Infrastructure, which focuses on reducing the vulnerability of the national infrastructure, in particular on CIP (CPNI, 2020), along with the National Cyber Security Centre in 2016 (National Cyber Security Centre, 2020).
The analysis that was conducted on the UK approach to management aspects of Critical Infrastructure Protection revealed a peculiar situation. The main documents concerning the topic were the second and third report of the In the analysis, it was difficult to find the requirements described in the Limba et al. model. Legal regulation, meaning the acknowledgement of the need for Critical Infrastructure Protection by official institutions (Limba et al., 2017), can be found in the National Cyber Security Strategy 2016-2021 (HM Government, 2016). In the document, one of the objectives in the "Defend" section is "protecting our Critical National Infrastructure and other priority sectors" (HM Government, 2016). The Government declares that a regulatory framework is needed, but at the same time does not provide additional details about it. Secretariat, 2004). The 2004 document that was written to describe the guidelines that LGDs have to follow to promote assistance, The Lead Government Department and its role - Guidance and Best Practice (Civil Contingencies Secretariat, 2004), contains, in general terms, some of the elements of good governance and risk management according to the Limba model (Limba et al., 2017). The procedures and the planning processes are presented in the document, as well as the emergency operation checklists and the responsibilities; however, since the LGDs can intervene in various emergency situations, the outline turns out to be too general to give an adequate overview of the correct procedures (Civil Contingencies Secretariat, 2004). Regarding security culture, there are various documents that explain in general the different types of cyber attack that an organization can experience, such as Common cyber attacks: reducing the impact (CESG, 2016). The document presents basic knowledge on the different types of cyber attacks, but it focuses more on the procedures that a non-critical organization could follow (CESG, 2016). Concerning technology management and incident management, there are no known solutions or specific documents from the government that concern Critical Infrastructures.

USA
The second country in the world for cybersecurity level, according to the GCI 2018, is the United States of America. In fact, the US government dedicated a Department of Homeland Security to cybersecurity, the Cybersecurity and Infrastructure Security Agency (CISA), which has a National Infrastructure Protection Plan (NIPP) (CISA, 2018), to form a dedicated and comprehensive strategy for CIP. Many documents were reviewed for the evaluation, since the NIPP website provides a lot of material available to anyone. Firstly, it is necessary to say that there are multiple documents entirely dedicated to Critical Infrastructures: the website offers extensive access to the core services and capabilities of the CISA. Amongst those listed, the Department of Homeland Security has as a priority to conduct assessments on infrastructure and communities to help organizations make decisions, and to provide and share information with both the public and private sector (public-private partnerships are considered vital to the development of CIP). Another major focus in the core services is on training and exercises, by collaborating at state, local, and tribal level and providing training on critical infrastructure security (CISA, 2018).
In order to conduct the analysis, the documents that will be taken into consideration will be eight. The most important is the NIPP 2013, Partnering for Critical Infrastructure Security and Resilience (Homeland Security, 2013), which outlines how the government and the private sector should behave in order to achieve CIP. The document represents an evolution of the preexisting version of the NIPP published in 2006, and provides the guidelines to achieve an integrated and collaborative approach to a secure and resilient critical infrastructure. The document is divided into five sections: Vision, Mission and Goals, which considers the guidelines for the critical infrastructure community; Critical Infrastructure Environment, which describes the policy, the risks and the partnership structure needed to achieve the community's goals; Core Tenets, describing the principles of the NIPP; Collaborating to Manage Risks, which describes the framework for risk management activities; and finally the Call to Action to the entire critical infrastructure community (Homeland Security, 2013). There are as well three supplements of the NIPP 2013 that will be taken into consideration: the Supplemental Tool: Executing A Critical Infrastructure Risk Management Approach (Homeland Security, 2013), the Supplemental Tool: Incorporating Resilience into Critical Infrastructure Projects (Homeland Security, 2013) and the Supplemental Tool: NPPD Resources to Support Vulnerability Assessments (Homeland Security, 2013). In addition to the NIPP 2013 framework, which is applicable to all types of Critical Infrastructures, there are Sector-Specific Plans tailored for each type. Since, as aforementioned, the focus of the article will be on Critical Energy Infrastructure (CEI), the two documents that will be considered for the analysis are the Energy Sector-Specific Plan (Homeland Security, 2015)

Firstly, the field of legal regulation according to Limba et al. (Limba, et al., 2017) is broadly evaluated by the presence of security instructions to employees, information security officers, network administrators and standards (Limba, et al., 2017). The US documentation offers a broad choice of standards, but the most important is surely the NIST: Framework for Improving Critical Infrastructure Cybersecurity (NIST, 2018). The document has a complementary role, meaning that it is accessible to every organization in order to enhance their cybersecurity level and to evaluate their performance (NIST, 2018). In terms of instructions to information security officers and network administrators, another important document is the Critical Infrastructure Threat Information Sharing Framework (Homeland Security, 2016), which offers a list and contacts of all the entities participating in the information-sharing process, as well as the Supplemental Tool: NPPD Resources to Support Vulnerability Assessments (Homeland Security, 2013), which provides information on the Federal resources that are available to the sector partners to identify and assess CI vulnerabilities.
As for the aspect of good governance, the model refers to it also as security planning (Limba, et al., 2017), and the document which is the most useful in that sense is surely the NIPP 2013, Partnering for Critical Infrastructure Security and Resilience (Homeland Security, 2013), which sheds light on the policy and the environments in CIP. The document offers an insight into the structure of partnerships and their fundamental role in collaborating to build an effective regulation, as well as describing the National Partnership Structure and the role of Infrastructure Partners and Stakeholders (Homeland Security, 2013). For the aspect of risk management, which evaluates the presence of a contingency plan and is one of the main focuses of the analysis, the document that is considered the most adequate is the Supplemental Tool: Executing A Critical Infrastructure Risk Management Approach (Homeland Security, 2013). The document describes the Critical Infrastructure Risk Management Framework, which can be applied to all types of threats and hazards and is supported by the Threat and Hazard Identification and Risk Assessment (THIRA). In addition, the Energy Sector Cybersecurity Framework Implementation Guidance (US Department of Energy, 2015) offers the Energy Sector Cybersecurity Risk Management Approaches, a list of possible approaches that can be implemented by any organization.
Security culture, meaning the presence of security measures for all employees (Limba, et al., 2017), can also be evaluated in the Critical Infrastructure Threat Information Sharing Framework (Homeland Security, 2016), which also offers a reference guide for critical infrastructure owners and operators and general guidelines on the reporting of critical incidents, which also reflect incident management (Limba et al., 2017). The technology management element (Limba et al., 2017) is overall about the organization's knowledge of their components and how they work, and it can be found as a part of the aforementioned NIPP 2013, Partnering for Critical Infrastructure Security and Resilience (Homeland Security, 2013), which has as a priority the identification of the Infrastructure.

France
According to the 2016 French National Digital Security Strategy (Government of France, 2015), one of the strategic objectives of France in the field of cybersecurity is to gain "fundamental interests, defence and security of state information systems and critical infrastructures, major cybersecurity crises" (Government of France, 2015). Being in third place in the ranking in terms of cybersecurity index (ITU, 2019), France developed in terms of cybersecurity. (Government of France, 2015). Hence, the approach of France is quite peculiar, as it is based on the international level rather than the national level. In terms of national organizations, France established in 2013 a regulatory framework for Critical Infrastructures Information Protection (CIIP) (ANSSI, 2020), the "CIPP law".
The framework identifies, in coordination with the General Secretariat for National Defence and Security, 12 sectors and 200 operators, defined as "operator[s] whose unavailability could strongly threaten the economical or military potential, the security or the resilience of the Nation" (ANSSI, 2020). The protection of CI is regarded as a priority, and the National Cybersecurity Agency (ANSSI) works with the government to nominate operators for each CI, which should be able to draw up both an operator security plan (OSP) and specific protection plans (Secretariat-General for National Defence and Security, 2017).
However, if we analyze the French approach, we can find gaps with respect to the model proposed by Limba et al. (Limba et al., 2017). Legal regulation is present, since the government is aware of the issue of Critical Infrastructures and hence is developing a solution, by putting their protection as one of the main objectives of its strategy, as aforementioned (Government of France, 2015). As for good governance, the security planning can hardly be marked as adequate, since the only security rules are common to every type of CI, the processes depend on the various operators, and there is no mention of an effective common and comprehensive framework (ANSSI, 2020) (Limba et al., 2017). There are some measures in case of emergencies, during which the ANSSI receives information from the organization and provides assistance, but there are no mentions of plans or of effective regulations: incident management could be considered to be at a low level, but still present (ANSSI, 2020) (Limba et al., 2017). As for the other elements in the model, France does not provide any more insights.

Estonia
Placed fourth in the GCI 2018 (ITU, 2019), Estonia is seldom seen as the poster child of Europe's digitalization. The Republic of Estonia is deeply invested in the cause of cybersecurity; however, in its Cybersecurity Strategy 2019-2022 one of the challenges marked in 2018 is "Insufficient understanding of the impact of cyber threats, incidents and infrastructure interdependencies" (Republic of Estonia, 2018). The republic passed in 2018 the Cybersecurity Act, which established requirements for businesses and institutions for preparing for a cyber threat (Republic of Estonia, 2018). In addition, the Minister of Entrepreneurship and Information Technology passed in 2018 the Requirements for risk analysis of network and information systems and description of security measures, established under the Cyber Security Act (Republic of Estonia, 2018). Following the 2007 cyber attacks in Tallinn, which brought disruption for civilians for days, the government established the Emergency Act in 2009, which provides the legal basis for planning and crisis management (Government of Estonia, 2009): despite being passed in 2009, the act provides guidelines for planning and risk assessment directed to providers of vital services, meaning Critical Infrastructure. It is important as well to mention the presence in Estonia of the NATO Cooperative Cyber Defence Centre of Excellence, which conducts research on cyber security expertise, and of the CERT-EE, established in 2006 and responsible for the management of security incidents in .ee computer networks (Information System Authority, 2020) (CCDCOE, 2020).
The analysis according to the Limba model shows a better preparation for Critical Infrastructure Protection than France, which is however ranked above Estonia in the GCI. In terms of legal regulation (Limba et al. 2017), all the aforementioned documents mention the necessity to develop effective cybersecurity for Critical Infrastructures; in particular, the Cyber Security Act emphasizes the necessity to maintain the functioning and maintenance of "network and information systems essential for the functioning of society and state" (Republic of Estonia, 2018). The Cyber Security Act, together with the regulation of Requirements for risk analysis of network and information systems and description of security measures, can be part of the good (Republic of Estonia, 2018). As for risk management, hence the presence of a contingency plan, the Estonian government offers an overview in the 2009 Emergency Act, which describes the obligations of the vital service providers under law to perform a risk assessment plan and continuous operation risk assessment (Government of Estonia, 2009). In the same document there are the guidelines that the operators have to follow in the case of incident and disruption of critical services, which can be identified as part of the incident management tier (Limba et al., 2017) (Government of Estonia, 2009). Security culture and technology management have yet to be assessed for Estonia.

Lithuania
The last country to be part of the analysis is Lithuania, placed fifth in the GCI (ITU, 2019 According to the Limba model, the Lithuanian approach to the problem of Critical Infrastructure Protection seems inadequate, since the documents taken into consideration were neither specifically drafted for Critical Infrastructures nor mentioned the issue as a separate goal. The National Cyber Incident Management Plan offers some insight into the general procedures of risk management and incident management, as it provides general guidelines on how to report and communicate to the authorities in case of a cyber incident (Government of the Republic of Lithuania, 2018) (Limba et al., 2017). The general mentions of improving the cybersecurity of Critical Information Infrastructures in the National Strategy could be seen as an initial stage of legal regulation (Limba et al., 2017).

Evaluation and comparison
The previous part of the article provided an analysis of the first five countries for cybersecurity level according to the GCI 2018 (ITU, 2019). The model that was used provides six indicators, which are described in Table 1 below: each indicator can have a value that ranges from zero to five. Zero means that there is no mention of the indicator in the chosen documents and no alternative seen in general cybersecurity approaches, and the scale ranges up to level five, which indicates an adequate and comprehensive implementation of functioning regulations. From the results gathered from the analysis of the five countries, it is noticeable how the protection of Critical Infrastructure, despite being vital for the cybersecurity of a country, has yet to be developed even in the most developed countries in terms of cybersecurity. The US model currently represents the most comprehensive and adequate framework in terms of Critical Infrastructure Protection, as it achieves higher marks compared to all the other countries, as seen in the analysis. It is interesting to see how much the evaluation shows a distance between the USA and the rest of the countries included in the analysis, while according to the ITU, the UK still has first place in the cybersecurity index (ITU, 2019). The table clearly shows the areas in which the countries have gaps in the framework, and the countries that score the worst performance by having more zeros are Lithuania, in last place of the GCI, and surprisingly France, which instead is placed above Estonia in the GCI. The areas that received the highest evaluations are Legal Regulation and Good Governance, while the areas in which the most gaps are found are security culture and technology management. This shows how the weakest spot in the implementation of Critical Infrastructure Protection is the awareness and the training of the workers, fundamental for the development of newer solutions. In addition, besides the US, there is a total lack of knowledge of the various components and parts of Critical Infrastructures, along with their functioning.
The analysis brought to light, on average, a deep inadequacy concerning the protection of Critical Infrastructures, except for the US approach. The model not only shows how the countries generally lack an adequate framework, but also how the general approach to cybersecurity can be apparently satisfactory, like the criteria used by the ITU to develop the GCI, but can be deceiving in evaluating the practical applications of the cybersecurity principles. The Limba model that was used in the analysis is adequate, but it could be highly improved. An international set of criteria should be implemented, which would consider more elements to be necessary for a country to develop. The model should also take into consideration a more hierarchical approach to the classification of Critical Infrastructure, by organizing a list in which the different types of Critical Infrastructure in the country could be evaluated in order of importance in case of attack or emergency, and to assure the supply chain to the most important ones. This could help countries with a poorer state budget to prioritize their investment in Critical Infrastructure Protection. Another important issue that should be taken into consideration in developing a newer model is the planning, as seldom it is unclear what is to be protected in Critical Infrastructure, and the previous analysis confirmed this view with the gaps in technology management.
In order to develop a model with adequate criteria, the best standard that should be used to implement a newer approach is the ISO/IEC 27002: Information Technology - Security Techniques - Code of practice for information security controls (Technical Committee ISO/IEC JTC 1, 2013), which represents the best practices for implementing an effective model for Critical Infrastructure Protection.
In the third report, as well, it is said that the Government's definition of Critical National Infrastructure is too broad, and it does not help in identifying the types of Infrastructure that need the most protection (Joint Committee on the National Security Strategy, 2018).
and the Energy Sector Cybersecurity Framework Implementation Guidance (US Department of Energy, 2015). Ultimately, there will be mention as well of NIST: Framework for

Computer Emergency Response Team of the European Union (EU) institutions, bodies and agencies) and to the NCIRC (Computer Incidence Response Capability) of the North Atlantic Treaty Organization (NATO) In the document, it is explained the government's decision of partnering at the European level with the European agency ENISA (European Union Agency for Network and Information Security), and relying

). The resolution to the issue of cybersecurity is discussed in the 2018 National Cyber Security Strategy (Government of the Republic of Lithuania, 2018). Additionally, in September 2016 Lithuania launched its own National Cyber Security Centre (NKSC), which took on the information security incident investigation previously performed by the Communications Regulatory Authority of the Republic of Lithuania in January 2018 (National Cyber Security Centre, 2020). Concerning the protection of cyberspace, there is currently the Computer Emergency Response Team in Lithuania (CERT-LT), which plays a key role in providing assistance to organizations and businesses (Government of the Republic of Lithuania, 2018). In the strategy, however, it is mentioned that "[…] on the national level, the security risk assessment culture and cyber security risk assessment are still fragmentary. There is a lack of analysis on cyber threats and gaps in security as well as full integration into activity risk assessment processes." (Government of the Republic of Lithuania, 2018). There is a focus on the protection of Critical Information Infrastructure, but no sign of a will to implement a framework to protect CI. It is worth mentioning as well that in the capital Vilnius the NATO Energy Security Centre of Excellence (ENSEC COE) is collaborating with the government to research newer solutions to the issue of Critical Infrastructure Protection (NATO Energy Security Center of Excellence, 2020). Another important document that needs to be taken into consideration for the purposes of the analysis is the National Cyber Incident Management Plan, developed and implemented in 2018 (Government of the Republic of Lithuania, 2018).

Table 1. Indicators of Cybersecurity Level