Industrial Cybersecurity and Critical Infrastructures: When Standards and Regulations are not Enough

Critical Infrastructures are vital to nations, states and societies. Disruption or destruction of such infrastructures or their services would have a devastating impact on national economy, security, public health or safety. Following existing standards, approaches and methodologies, implementing common solutions or complying with regulatory frameworks are not enough to protect these infrastructures. The threat landscape, threat actors, and objectives are completely different. The black swan effects, lack of objective historical and relevant data about cybersecurity incidents, and the irrelevance of likelihood to calculate the related risks, make the need to take different approaches and methodologies to risk evaluations. The variety projects and depth of supply chains make challenging how to establish and track cybersecurity requirements throughout all the stakeholders and projects. In this session, we will analyze why the protection of critical infrastructures require specific and different approaches, methodologies and solutions. We will challenge existing risk management approaches and methodologies, and defend why Likelihood should be considered as 1 for critical infrastructures. We will provide real examples and numbers of the problems and challenges injecting cybersecurity in critical infrastructures protection mega-projects, and finally, we will propose specific approaches and key takeaways to improve the industrial cybersecurity posture in critical infrastructures.