One of the most common questions raised when it comes to defending critical infrastructure is "who decides what needs protecting?"
In 2023, German researchers set out to examine what 193 United Nations member states and Taiwan perceived as critical infrastructure (CI). Energy, water, and food may seem obvious to most humans - we need power in the modern age and a protected source of sustenance to survive.
But it turned out that views varied by member state and there was no agreement on a common global definition for critical infrastructure sectors.
One hundred nations had published a statement on key industries and the top six are unsurprising:
Food and water were way down the list. And whilst almost all countries in Europe and North America did define CI sectors, Asia, Latin America, and Oceania were far behind.
A year after the German report, the Critical 5 (C5), an international forum made up of the Five Eyes intelligence-sharing network of Australia, Canada, New Zealand, the United Kingdom, and the United States, published a summary report - Adapting to Evolving Threats - on how each nation approached critical infrastructure security and resilience and the efforts being made to strengthen national security in an age of cyber security threats.
Here's a quick summary for each member state:
In 2018, Australia implemented its primary critical infrastructure security legislation, the Security of Critical Infrastructure Act 2018 (SOCI Act), and has evolved its approach in the last seven years through further amendments covering 11 key sectors.
In 2023, the Critical Infrastructure Resilience Strategy and Critical Infrastructure Resilience Plan now guide Australia’s approach out to 2028.
Canada is in the process of modernising its approach to critical infrastructure with Bill C-26 slowly working its way through Parliament since 2022. The Critical Cyber Systems Protection Act may now be closer to being finalised following a prorogation and the recent election.
New Zealand is also working to update its CI settings to deliver a more resilient critical infrastructure system, updating the 2002-era Civil Defence Emergency Management Act and looking to establish a broader range of critical sectors.
The U.K. added two new sectors, Space and Defence, in 2015 to its Critical National Infrastructure definitions and provides a CNI Knowledge Base to cleared government officials. It published a Resilience Framework in December 2022 and is committed to introducing CNI standards by 2030.
Post 9/11, the U.S. Homeland Security Presidential Directive 7 set out a national approach to securing critical assets. There are now 16 critical infrastructure sectors and Sector-Specific Plans have been in place for a decade. Last year, National Security Memorandum (NSM-22) on Critical Infrastructure Security and Resilience set out further requirements and established the importance of minimum security and resilience requirements.
Understanding this variance across nations is a good lesson to learn - not every country is yet mature enough (or as well resourced) to meet the high regulatory bar of the U.S.
Overcyte can assist you to assess risk where it matters most AND meet compliance requirements in your country. Talk to us about the security frameworks we support today and will deliver very soon.