Resilience at the Core: Critical Infrastructure Protection Challenges, Priorities and Cybersecurity Assessment Strategies

A nation's infrastructure is a vital core for economic growth, development, and innovation. Health, wealth, access to education, public safety, and preparedness for global crises like pandemics all depend on functioning and reliable infrastructures. In recent decades, substantial threats affecting infrastructures globally, whether in the form of extreme weather, the Covid-19 pandemic, or state and non-state hackers, have demanded urgency in building resilient infrastructures both during crises and in more stable conditions. At the same time, the adoption of emerging and innovative technologies boosts the development of infrastructures using information, communication, and technology (ICT) platforms. This shift has accelerated the evolution toward digitization, where an interdependent and interconnected cyberspace demands collaborative and holistic strategies for protecting critical and high-risk infrastructure assets from a growing number of disruptive cyberattacks. These ever-evolving cyber threats are producing increasingly dangerous and targeted cyberattacks that damage or disrupt the critical infrastructures delivering vital services to government, energy, healthcare, transportation, telecommunication, and other critical sectors. The infrastructure's high-risk assets present serious challenges and are crucial to safety, efficiency, and reliability. Any nation must recognize and determine how to cope with any type of threat to its critical infrastructure, as well as the strategies to remain resilient. This article first describes the challenges and the need for critical infrastructure protection, including the related global risk challenges. It then reviews the United Nations, the European Union, and the United States' strategies, priorities, and urgencies of critical infrastructure protection. Subsequently, it surveys the critical infrastructure protection resilience


Introduction
Understanding the challenge
The national and economic protection of any nation depends on the reliable functioning of critical infrastructures (CIs), yet CIs are arguably now more at risk than ever. The highly digitized and connected nature of today's critical infrastructures, such as healthcare, government, and other critical sectors, has placed them firmly in the sights of domestic and nation-state threats. Historically, the goal of cybersecurity experts has been to protect against cyber threats by providing confidentiality, integrity, and availability of created, processed, stored, and transmitted IT assets. These cyber threats include internal and external actors and persistent attacks that are often sophisticated, systematic, regimented, and well-funded. In addition to the responsibility of protecting IT infrastructure assets, cybersecurity experts need to consider the real threats that jeopardize the safety of critical infrastructure operators and their operational technologies (OT). However, addressing OT vulnerabilities and the poorly protected operational systems, control systems, and connected devices has fallen behind IT infrastructure protection. According to [1], OT is a highly complex industrial control (IC) system, such as Supervisory Control and Data Acquisition (SCADA), that manages the programmable systems or a piece of equipment interacting with the physical environment. The IC system or piece of equipment monitors and controls devices, processes, and events such as power, water, transport, manufacturing, and other essential services. Traditionally, IT assets are considered the sensitive resources for IT systems, technologies, and business continuity; therefore, addressing system vulnerabilities and responding to attacks are essential. Consequently, the main concern for these assets is to provide confidentiality of sensitive information within IT systems by preventing any unauthorized access.
In comparison, OT assets are considered the power systems, known as cyber operational and physical systems; thus they have different security requirements and constraints in terms of applying security measures as well as providing availability, authentication, authorization, integrity, and safety levels. Additionally, any disruptive incident on OT assets can harm the safety and reliability of power systems and cause catastrophic repercussions. The repercussion with the greatest consequence is safety, as the intentional or accidental mis-operation of OT assets could cause harm or even death. At the same time, reliability is important, as it affects power system components such as generators, breakers, transformers, power, and gas lines [2]. Figure 1 illustrates the different priorities and security requirements of critical infrastructures' IT and OT systems.
The need for Critical Information Infrastructures Protection
The urgent need for Critical Infrastructures Protection (CIP) to strengthen critical infrastructure operators and their operational technologies is today's goal: to ensure sufficient trustworthiness of systems, products, and services and to provide the necessary resilience to support the economy and security interests. Nations should recognize the importance of protecting critical infrastructures against natural disasters, terrorist activities, and now cyber threats. CIP helps hold all critical infrastructure sectors to the highest standard and prepares them for disaster preparedness, response, and recovery. According to the White House fact sheet 1, the United States of America is recognized as the wealthiest country in the world, yet when it comes to the overall quality of infrastructure protection, it ranks 13th globally. In general, nations define their own critical infrastructure sectors; however, the four main designated lifeline sectors are transportation, water, energy, and communication. Any disruption or loss of one of these sectors will directly affect the security and resilience of numerous sectors and cause harm and catastrophic consequences. While for decades governments and industries prioritized the protection of CI against physical attacks such as sabotage, it is now recognized that the increasing dependency on ICT infrastructures has brought a rapid increase in cyberattacks and created more security issues. The main factor in a nation's CI protection is not only physical disruption or destruction. It is also the accurate operation of CI using ICT-based services. It is important to recognize Critical Information Infrastructures (CII) as a vital component of CI in securing and protecting the availability of critical assets. The CII comprises the critical information and ICT process control systems such as increasing connectivity, remote monitoring, scalability, reliability.
Compromise or disturbance of the CII can nevertheless be initiated by man-made causes, technical failures, vulnerabilities, and disasters that can jeopardize national security, economic growth, and the stability of daily life. Therefore, effective Critical Information Infrastructures Protection (CIIP) strategies, policies, and priorities are essential for most nations. CIIP is considered a subset of CIP; however, governments and industries need to realize that CIP is considered a national security issue whereas CIIP is a global issue. Consequently, the private and public sectors are required to develop strong partnerships in information sharing and exchange capabilities. As shown in Figure 2, CII is a set of interconnected ICT infrastructures which are crucial for the safeguarding of vital CI functions such as health, safety, and economy. Any disruption or destruction of ICT functions will result in serious consequences and may cause a major impact on a nation [3].
In regards to the importance of cybersecurity strategies, nations should adopt CIP and CIIP risk assessment as vital elements of cybersecurity. Figure 3 illustrates the perspective between elements and concepts of CIP, CIIP, and Cybersecurity strategies.
Critical Infrastructure Threats and Risks
The Global Risks Report 2021 [4] recognized cyberattacks among the top five risks, along with extreme weather, climate action failure, natural disasters, and infectious diseases. The cyberattack risk can cause significant harmful impacts and adverse consequences on technological advances, critical infrastructures, and massive exploitation of data on an unprecedented scale. In addition, the Global Risks Report shows that cyberattacks have been among the top five risks over the last five years, which exposes critical infrastructures and their operational technologies to risks associated with physical and virtual threats, such as natural disasters or risks in cyberspace, respectively. Figure 4 illustrates the ranking of global risks in 2021 in terms of likelihood and impact on economic, environmental, geopolitical, societal, and technological risk factors.
This report shows that the growing integration and interaction between physical and ICT systems in critical infrastructures has made physical infrastructures more reliant on complex operational ICT systems. Consequently, this shift has influenced adversaries to focus on exploiting potential cyber vulnerabilities. Because of the interdependencies among the critical infrastructure sectors, any damage, disruption, or destruction to one infrastructure sector or subsector can cause cascading effects and create a significant impact on other sectors' operations.
Significant critical infrastructures cyber incidents timeline
In 2021, [5] identified significant cyber-attacks on critical infrastructure sectors globally since 2006. Figure 5 shows the substantial cyber incidents between 2006 and March 2021. The cyber incident dataset focuses globally on government agencies, defense, and critical infrastructures (note that the 2021 data is YTD March).
[6] collected significant incidents worldwide, using publicly available information, against the different domains of critical infrastructures from January 1, 2009, to November 15, 2019. The dataset contains 130 incidents that were carried out against critical infrastructure sectors. Figure 6 shows the major incidents in different critical infrastructure sectors recorded between 2009 and 2019. Based on the above graph, the sectors with the most recorded disruptions are the Energy and Transportation sectors. These sectors have significantly the highest spike, followed by the critical manufacturing and nuclear sectors, respectively. This observation emphasized that the spike is due to recent ransomware attacks such as WannaCry and wiper malware such as NotPetya in 2017. The key factors of the dataset are disruptive cyber-physical incidents as well as cyber-operational incidents. A disruptive cyber-physical incident is initiated by malicious activities executed by state or non-state threat actors and has disruptive effects on operational technology (OT) systems, devices, and processes, compromising Industrial Control (IC) systems. The other key factor is disruptive cyber-operational incidents, where a threat actor performs malicious activities that disrupt IT systems attached to the ICS or Internet of Things (IoT) systems and devices for managing inspection on intelligence preparation of the battlefield (IPB) or stealing intellectual property (IP) for economic commitments. Figure 7 shows the disruptive incident cases by cyber-physical incidents, cyber-operational incidents, or unknown factors from January 1, 2009, to November 15, 2019.
The dataset, broken down by the different threat agents that targeted critical infrastructure sectors and shown in Figure 8, suggested that the sectors targeted by state agents are higher than those targeted by non-state agents, due to the fact that non-state incidents in the cyber domain frequently remain anonymous.

Critical Infrastructure Protection (CIP)
The United States CIP
The United States relies on reliable critical infrastructures, such as clean water, power, transportation, and communications, as a lifeline for daily life. The Patriot Act of 2001 [7] redefined critical infrastructures as a set of assets, systems, operational technologies, and other vital elements in the physical and cyber environments. As critical infrastructure protection became a top priority for the United States, Executive Order 13636 [8] was issued in 2013 for improving critical infrastructure cybersecurity.
It directs a policy of the United States "to enhance the security and resilience of the Nation's critical infrastructures and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties." [8]. In the U.S., both critical physical and cyber infrastructures are owned and operated by the private sector, federal, state, or regional governments. Following Executive Order 13636, in 2014 the Cybersecurity Enhancement Act 2014 (CEA) [9] was authorized through the National Institute of Standards and Technology (NIST) to facilitate and develop a framework for reducing risk to critical infrastructures by 1) Collaboration of public-private on cybersecurity; 2) Cybersecurity Research and Development; 3) Education and Workforce Development; 4) Cybersecurity Awareness and Preparedness; 5) Advancement of Cybersecurity Technical Standards. The framework is to identify "a prioritized, flexible, repeatable, performance based, and cost-effective approach, including information security measures and controls that may be voluntarily adopted by owners and operators of critical infrastructures to help them identify, assess, and manage cyber risks." Furthermore, in 2015, Executive Order 13691 [10] was issued to encourage and promote cybersecurity information sharing and to engage the private sector in sharing information related to cybersecurity risks and disruptive incidents. In the U.S., critical infrastructure emphasizes four designated vital components: 1) Communication, 2) Energy, 3) Water, and 4) Transportation. Numerous sectors rely on these four vital components. The Cybersecurity and Infrastructure Security Agency (CISA) identified a total of sixteen critical infrastructure sectors 2 and their Sector-Specific Agencies as defined in Presidential Policy Directive-21 [11] and the 2013 National Infrastructure Protection Plan 3, shown in Table 1.
The sixteen CI sectors are interdependent and reliant on each other to provide reliable operations thus any disruption or loss of one of the critical sectors will directly affect the security and resilience of critical infrastructures operators and their operational technologies of other sectors. It is important to identify and understand the interdependencies between the sectors to evaluate the potential risks and vulnerabilities. Figure 9 illustrates the interdependencies of the U.S. critical infrastructure sectors.
The vast majority of the US critical infrastructure sectors are owned and operated by the private sector. The core commitments of private sector partnerships with the public sector are essential to foster security and resilience through integrated, collaborative engagement and interaction. The partnerships play a central role in implementing an information sharing and awareness program to disseminate, efficiently and effectively, critical threat information, risk mitigation, and other sensitive information from state, local, tribal, and territorial governments and international partners. The Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) manage engagement with public and private sector critical infrastructure partners to boost the security and resilience of the US's critical infrastructures. The partnership between the public and private critical infrastructure sectors 4 is shown in Table 2.
In addition to partnership, information sharing and awareness programs 5 can be used on a voluntary and regulatory basis to provide security and resilience for critical infrastructures. They are key to building a knowledge system to share and maintain crucial threat information, risk mitigation, and other sensitive information and assets, as shown in Table 3.
Furthermore, a set of guidelines has been provided to form a framework for private and public critical infrastructure sectors for sharing threat information. This framework aims to facilitate information sharing platforms and accelerate the flow of threat information sharing with private and public critical infrastructure sectors. The vital resources for critical infrastructures security and resilience 6 are shown in Table 4.

Provide a forum for active participants to assure that state, local, tribal, and territorial (SLTT) homeland security partners fully engaged in resilience efforts
Provides a framework to support and promote resilience activities existing regional groups in the public and private sectors. Enables efficient risk-informed data exchange across public-private participants
An individual framework that implements the tools required to provide security partners to distribute vital information in their infrastructure's security and risk, respond to events, and enhance resilience management

The United Nations Security Council (UNSC) CIP resolutions
Critical infrastructure protection becomes a complicated process when it must encompass the entire progression of potential cyberattacks. The United Nations has recognized the urgency of critical infrastructure protection, which requires partnership, cooperation, and obligation nationally and internationally, as well as an immediate response plan to prevent the cascading effects of high-impact terrorist attacks. The United Nations Security Council (UNSC) is one of the six organs of the United Nations (UN). UNSC is the premier global body with the principal goal and obligations of assessing, maintaining, and addressing international peace and security. UNSC issues resolutions to form a formal appeal for resolving security challenges and urgencies.
The UNSC adopted resolution 1373 [12] in 2001 to establish, as an obligation on all UN member states, a common core of a new campaign identifying good practices, early warning, and vulnerabilities, as well as recognizing possible prevention measures for strengthening national and international security strategies and policies. Following resolution 1373 (2001) [14] is to coordinate a common UN approach in implementing and preventing terrorist acts. The CTC is supported by the Counter-Terrorism Committee Executive Directorate (CTED) to execute the committee's evaluations on the member state counter-terrorism technical assistance. The UNSC resolutions facilitate the assessment of the effectiveness of member states' policies to protect critical infrastructures, including identifying good practices, deficiencies, and vulnerabilities as well as developing and sharing information analysis of counter-terrorism trends. Subsequently, UNSC resolution 2341 in 2017 [15] was adopted as the primary resolution on the protection of critical infrastructures against emerging and rapidly evolving threats posed by cyberattacks and on strengthening States' capabilities for critical infrastructures. Resolution 2341 (2017) aims, with the support of CTED, to endorse a necessary step concerning global awareness of and preparedness for cyberattacks on critical infrastructures. The five key elements of UNSC resolution 2341 (2017), shown in Figure 10, are recognized as 1) the awareness emphasizes the strengthening and reinforcing of knowledge as well as recognizing the vulnerability and threats on critical infrastructures, 2) the capabilities evaluate the strength of states' capacities and the partnerships of private and public sectors to mitigate the risk of cyberattacks to a controllable level, 3) the resilience promotes methods of preparation, prevention, crisis management, and recovery to reduce cyberattacks intended to destroy or disable critical infrastructures, 4) the distribution intensifies an open exchange of operational information between a range of stakeholders such as governmental authorities, law enforcement, foreign partners, and private sector owners and operators, 5) the engagement enhances the international and regional sectors to support regional connectivity projects and related cross-border infrastructures.

Table 5. UN counter-terrorism four pillars strategy 8.

| Strategy | Description |
| --- | --- |
| Pillars I | "Measures to address the conditions conducive to the spread of terrorism" |
| Pillars II | "Measures to prevent and combat terrorism" |

UNSC recognized three sectors of critical infrastructure: 1) Energy, 2) Transportation and 3) Water Supply, as well as the vulnerability of critical infrastructures to attacks committed by terrorists in cyberspace. UNSC resolution 2341 (2017) emphasized terrorist attacks as a distinctive threat to critical infrastructures and urged all states to establish concrete and coordinated efforts in raising awareness and expanding knowledge and understanding to improve preparedness through international cooperation. It also recognized that threats against critical infrastructures have multiple dimensions. While soft targets are considered sites or regions that are relatively vulnerable to terrorist attacks due to their unrestricted access with limited security, hard targets are intended to make it harder for a terrorist to strike. The classification of such threats caused by these targets depends on their nature, their origin, and the context in which they occur. Table 6 shows the specific threat classifications to critical infrastructures.
The European Union (EU) CIP
The European Council Directive 2008/114/EC was adopted in 2008 as a vital part of the European Program for Critical Infrastructure Protection (EPCIP). The Directive's purpose is to establish a framework for the identification and designation of critical infrastructure in the EU. The directive defines the European critical infrastructure (ECI) as [16] "an asset, system or part thereof located in the Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions." The scope of the EPCIP framework is to focus on the assessment and resilience of ECI as well as the need to improve the protection. The directive divides the framework into  Table 7. The directive scope recognizes two CI sectors, 1) Energy and 2) Transport (excluding nuclear energy) as illustrated in Figure 11.

Cybersecurity Assessment Strategies
NIST Framework for improving critical Infrastructure's cybersecurity
The United States' national and economic security depends on reliable and functional critical infrastructures. It is recognized that the protection and security of critical  The components aim to strengthen the partnership across critical infrastructure sectors in recognizing, prioritizing, and reducing cybersecurity risks including cybersecurity achievable outcomes and their relevant recommendations.

1) Framework Core
The Framework Core consists of a set of industry standards, guidelines, and organizational best practices to manage cybersecurity risk that is recognized and identified by stakeholders. The Framework Core has four key elements: 1) Functions form the necessary attributes to assist organizations in managing cybersecurity risks; 2) Categories are subsets of a Function that group cybersecurity issues such as detection methods, asset management, and controls; 3) Subcategories are subsets of a Category that assist in achieving the outcomes of each Category, such as the investigation of notifications from detection systems; 4) Informative References are sections of standards, guidelines, and practices that are frequently used in critical infrastructure sectors. The functions are Identify, Protect, Detect, Respond, and Recover, as shown in Table 8.
The functions are facilitating risk management evaluations, addressing threats, and improving the incident post-analysis. Figure 12 demonstrates the Framework Core structure.

Table 8. Framework core functions.

| Functions | Description |
| --- | --- |
| Identify | Promote an organizational knowledge in managing cybersecurity risks "system, people, assets, data, and capabilities" |
| Protect | Ensure that applicable security control in the safeguarding of availability of critical services |
| Detect | Utilize and execute applicable actions to discover the occurrence of a cybersecurity event |
| Respond | Apply and achieve detection responses to a cybersecurity incident |
| Recover | Perform and execute applicable actions to recover any damaged services promptly caused by a cybersecurity incident |

Figure 12. Framework core structure.

2) Implementation Tiers
The Implementation Tiers provide the degree of implementing cybersecurity risk controls. As Table 9 shows, four tiers measure the degree of organizational decision making on consistency and difficulty in cybersecurity risk management practices as well as identifying responses for the prioritized organization assets that could have potential risk.

3) Framework Profiles
The Framework Profile, known as the Profile, is the association of the functions, categories, and subcategories that measures the security requirements, the quantitative and qualitative estimated risk values, and the risk sensitivity, acceptance, and resources needed to achieve the desired outcomes in the Framework Core.
ISO/IEC 27000 Series of Standards
The International Standard Organization (ISO) is an independent, non-governmental international organization that works closely with the International Electrotechnical Commission (IEC), the International Telecommunication Union (ITU), and the World Trade Organization (WTO), and liaises with the United Nations (UN) and its partners. The ISO/IEC Joint Technical Committee (JTC1) developed the ISO/IEC 27000 family of standards for information technology (IT) systems to help and support the best practices for improving organizations' information security. The ISO/IEC 27000 series of standards was published by ISO and IEC to provide a systematic Information Security Management System (ISMS) approach to risk management for organizations of all sizes and sectors. The series consists of inter-related standards that are ready for adoption by organizations to develop and implement a framework for managing the security of critical infrastructure assets. Table 10 explains the ISO/IEC 27000 series standards [18].
As shown in Table 10, for effective critical infrastructure cybersecurity risk management, the ISO/IEC 27001 and ISO/IEC 27010 parts of the ISO/IEC 27000 series are used. While ISO/IEC 27001 is designed to protect the confidentiality, integrity, and availability of organizations' information assets, ISO/IEC 27010 provides controls and guidance for implementing information exchange and sharing of sensitive information as well as provisioning, maintaining, and protecting organizations' or states' critical infrastructures.
ISO ISA/IEC 62443 series
The ISA/IEC 62443 series is a series of standards developed by the International Society of Automation (ISA) and International Electrotechnical Commission (IEC) for industrial and critical infrastructures operational technology, including but not restricted to power utilities, water management systems, healthcare, and transport systems. The ISA/IEC 62443 has four categories to assess the cybersecurity risks and recognize the critical systems. Table 11 shows the series categories and their descriptions 9.
Cyber Assessment Framework (CAF)
The United Kingdom (UK)'s National Security Strategy recognized that the security, protection, and resilience of the UK's Critical National Infrastructures (CNI), such as those associated with energy supply, water supply, transportation, health, and telecommunication, remain crucial for the functioning of society. The UK National Cyber Security Center (NCSC) developed the Cyber Assessment Framework (CAF) [22], known as the NCSC CAF collection, to provide a set of fourteen cybersecurity and resilience principles for securing CI sectors. The NCSC CAF collection adopted the EU Security of Networks & Information Systems (NIS) Directive, which aims to raise levels of cybersecurity and resilience of crucial systems across the EU. The CAF collection is intended for use by any organization that is part of the UK Critical National Infrastructures (CNI) or responsible for providing services to CNI sectors. Table 12 provides an overview of the fourteen CAF cybersecurity and resilience principles as well as classifies the  fourteen objectives, principles with related guidance and reference for CAF collection 10  of the University of Oxford to assess, measure, and evaluate the nations' cybersecurity capacity. The CMM framework [23] is comprised of five Dimensions to measure and evaluate the effectiveness of security, protection, and resilience of national cybersecurity strategies as shown in Table 13.

Conclusion and Future Improvements
Critical infrastructure is a crucial requirement for any society to survive. This article assessed that CI protection strategies are effective only if security and resilience are seen as critical requirements in CI. This article reviewed the NIST, ISO/IEC, ISA/IEC, CAF, and CMM cybersecurity assessment frameworks and strategies and their common goal of an assessment framework for increasing the effectiveness of cybersecurity capacity. The assessments focus on evaluating the level of cybersecurity capabilities by fostering best practices, safeguarding information, guiding cybersecurity activities, and managing risks within organizations, as well as enabling structures to maintain the desired security posture, determining the current status of cyber preparedness, and developing operational resilience. Future improvement of the CI protection frameworks can come from developing a measurement system to evaluate the capabilities of assessment methods, measuring the effectiveness of the activities and action plans using meaningful indicators on a shared platform, and shifting voluntary and self-assessment methods to a more consistent and comprehensive assessment approach.

Cybersecurity Policy and Strategy
Evaluate and enhance the level of national cybersecurity strategy and resilience by improving its incident response, cyber defense, and critical infrastructure capabilities.

Dimension 2
Cybersecurity Culture and Society

Conflicts of Interest
The author declares no conflicts of interest regarding the publication of this paper.