CPNI recommendations for Critical Infrastructure Protection: Security Framework

A proactive and coordinated cyber security effort is mandated for protecting critical infrastructures. Apex bodies in their respective geographies recommend security guidelines and frameworks for securing critical infrastructures. The cyber security recommendations of the Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST), the North American Electric Reliability Corporation (NERC), and the Centre for Protection of National Infrastructure, UK (CPNI) have a lot in common but differ in how they detail them.

The Centre for Protection of National Infrastructure (CPNI), UK, recommends a security framework based on best practices from the fields of Industrial Control Systems and IT Systems. The core elements of the proposed framework are:

  1. Establish governance
  2. Manage the business risk
  3. Manage the industrial control system life cycle
  4. Improve on awareness and skills
  5. Select and implement security improvements
  6. Manage vulnerabilities
  7. Manage third party risks
  8. Establish response capabilities

The guiding principles for this proposed framework are:

  1. Protect, detect and respond
  2. Defence in Depth
  3. Technical, procedural and managerial protection measures


CPNI recommends the following critical cyber security controls for the security of industrial control systems:

  1. Inventory of authorised devices/components
  2. Inventory of authorised software
  3. Appropriate security configuration of the control system components
  4. Continual vulnerability assessment and remediation
  5. Antivirus and antimalware
  6. Application software security
  7. Controlled wireless access
  8. Data recovery control
  9. Security awareness and training
  10. Network security controls
  11. Controlled use of administrative privileges
  12. Security controls for data exchanges
  13. Audit logs
  14. Access control
  15. SCADA system lifecycle security management
  16. Data protection
  17. Incident response and management
  18. Penetration tests


Needless to say, once these recommendations have been followed and implemented, the attack surface would be brought down considerably.

Views by Suhas Rautmare
