“Critical infrastructures” are vital to the functioning of our society as we know it, as they provide crucial services such as power, telecommunications, transportation, and water. Improving resilience of critical infrastructures has become a priority for authorities around the world.
In particular, it has become crucial to strengthen the security and resilience of the vital Information and Communication Technology (ICT) infrastructures used to deliver or support Critical Infrastructures (referred to as “Critical Information Infrastructure” or “CII”) against rising cyber threats, whether these infrastructures are attacked as direct targets or used as a means to reach the Critical Infrastructures they support.
In 2023, the UAE Cyber Security Council (“CSC”), a council of the UAE Cabinet, released a policy document that aims to strengthen the cybersecurity posture of the nation’s CII. It adds to the UAE cybersecurity frameworks for CIIP, which also include the Telecommunications and Digital Government Regulatory Authority’s Information Assurance Regulation.
“The Critical Information Infrastructure Protection (CIIP) Policy” (“Policy”) outlines a consistent and iterative approach to identifying, assessing, and building the national risk profile across the UAE’s CII. The Policy also defines the governance mechanism and the protection program for CII entities, including the identification of CIIs, baseline requirements for the identified entities, and the mechanisms for oversight and enforcement of the requirements related to CII protection. The Policy is based on five CIIP principles:
- Building national cyber resilience
- Sector-focused governance
- Risk-based prioritization
- Establishing best practices and standards
- Encouraging cooperation and partnerships

The Policy applies to the CII entities, the respective sector regulators or designates, and the relevant participating stakeholders in the following sectors and sub-sectors, as well as any other sector determined by the CSC: digital infrastructure, financial services, transport, energy, healthcare, electricity and water, government services, education, space, and food.
The policy categorizes the CII entities into two groups: Group A and Group B.
Group A entities are from sectors that predominantly operate in a sector-wide context across the UAE, such as digital infrastructure, financial services, transport (air), energy (nuclear, oil, and gas), space, food, and education.
Group B entities are from sectors that predominantly operate within each Emirate, such as transport (rail, road, and maritime), electricity and water, and healthcare.
The Policy assigns different roles and responsibilities to the CSC, the Emirate leads, the designated sector leads, and the CII entities and operators, to ensure effective governance and coordination for CIIP.
The CSC is the main authority that drives the implementation of the CIIP program across all CII sectors, sub-sectors, entities, and operators, and provides oversight and guidance to them.
The Emirate leads are responsible for supporting and monitoring the Group B CII entities within their respective Emirates, since those sectors operate primarily at the Emirate level.
The designated sector leads are responsible for providing guidance and direction to the CII entities and operators within their respective sectors, and are accountable for the implementation of the CIIP program within the sector.
The CII entities and operators are responsible for understanding their roles and responsibilities towards building a secure information infrastructure and complying with the national and sectoral cybersecurity requirements.
The Policy also outlines the key policy domains and sub-domains for CIIP, which are: governance for CIIP program, risk profile development, CII protection program, and assurance for CIIP program.
Each policy sub-domain elaborates on the objectives and policy statements that the CII stakeholders need to follow. Some of the main policy statements include:
- CII entities and operators shall set up a dedicated security management function and designate or appoint competent personnel to manage and drive the implementation of the entity’s cybersecurity requirements.
- CII entities and operators shall establish a supply chain security strategy that follows risk management principles and a cyber defense-in-depth approach.
- CII entities shall follow a structured approach to the identification and prioritization of Critical Services, based on the best-practice principles defined in the National Cyber Risk Management Framework.
- CII entities shall conduct annual security risk assessments focused on the identified critical information infrastructure components, to protect against failures of integrity, availability, and confidentiality.
- CII entities shall implement any cybersecurity policies, control standards, baselines, and plans required and mandated by the CSC and/or the sector leads and Emirate leads.
- CII entities shall address the integration of Internet of Things (IoT) devices into critical information infrastructure and, more generally, the convergence of Information Technology (IT) and Operational Technology (OT).
- CII entities shall make all reasonable provisions to build capabilities that prevent CII disruption and ensure continuity of CII services, including technical and technological controls, based on the entity’s risk assessment.
- CII entities shall undergo attestation based on their defined risk profile. “High risk” entities are mandated to adhere to the Accreditation Program, while “Medium and Low risk” entities are encouraged to adopt the voluntary track defined in the Accreditation Program.
- The CSC shall enforce implementation of the mandatory policies and standards and institute regular CII security inspections and audits to monitor compliance on an annual basis.