CNI Cybersecurity Controls

Bahrain continues to be prosperous in an increasingly digital and innovative world. Therefore, it is essential to have strong and resilient cybersecurity measures. Moreover, as technology and internet connectivity advance, individuals, organizations, and nations are increasingly vulnerable to cyber threats such as crime, sabotage, spying, and vandalism. Bahrain has prioritized establishing a secure cyberspace by developing a National Cybersecurity Strategy and implementing many initiatives.

One of the strategy's objectives is protecting Critical National Infrastructure (CNI) entities. Critical National Infrastructure is defined as the critical assets that are essential to the functioning of the Kingdom of Bahrain and on which daily life depends. Within this infrastructure, certain elements are extremely critical to the country.

Their loss or compromise could directly result in loss of life, affect the delivery of essential services, or otherwise cause widespread economic or social impacts. Accordingly, the following CNI sectors were identified for the Kingdom of Bahrain: Gas, Electricity & Oil (GEO), Financial Services, Information & Communications Technology (ICT), Healthcare Services, Government Services, Critical Industry, Transportation.

Therefore, the National Cyber Security Center (NCSC) developed the National Cybersecurity Framework for Bahrain and CNI cybersecurity controls to minimize technological risks, maximize technical benefits, and enhance the cybersecurity environment throughout the CNI sectors in Bahrain.

NCSC Core Function

Governance

Protecting the Critical National Infrastructure by enforcing effective governance.

Defense

Providing and establishing cybersecurity measures with consideration of best practices to have a resilient infrastructure.

Response

Having the national power to contain and eradicate threats and incidents.

The National Cybersecurity Framework for Bahrain includes cybersecurity controls and measures and proposes appropriate required training paths, including certifications and skills that equip the teams responsible for protecting CNI. This framework was developed based on NIST standards and through nationwide efforts and consultation with Critical National Infrastructure (CNI) entities. Further, NCSC has collaborated with sector regulators and consultants to develop six additional detailed standards addressing cybersecurity requirements for each CNI sector based on distinct characteristics of the sector’s environment.

Cybersecurity Training

Cybersecurity training is an essential investment that requires adequate attention, as operating without a qualified cybersecurity workforce could threaten the country as a whole by providing a false sense of security. Following best practices and obtaining cybersecurity certification will qualify individuals to protect entities’ information systems, networks, data, and assets. The Kingdom of Bahrain supports cybersecurity training by recommending, in collaboration with private institutes, various accredited certifications that are essential and required to raise the cybersecurity level in the Kingdom. The NCSC has developed a Cybersecurity Training and Certifications document that addresses the essential and accredited cybersecurity certifications for Critical National Infrastructure (CNI) sectors. The certifications are classified into three levels, “foundation, intermediate, and expert,” listed within four cybersecurity functions according to the National Cybersecurity Framework, which aims to minimize the technological risks, maximize the technological benefit, and enhance the cybersecurity environment throughout the Kingdom.

Cybersecurity Training for Professional

CNI standards

Government Cybersecurity Controls

Government cybersecurity controls have been developed to protect government entities' information assets and IT infrastructure from cyber threats and attacks. The nine main domains are cybersecurity governance, cybersecurity of communications, cybersecurity defense, secure software development and acquisition, cloud cybersecurity, third-party cybersecurity management, acceptable usage, incident management, and audit.

Healthcare Cybersecurity Controls

Healthcare entities store sensitive patient information, which makes them a target for cyber-attacks. These attacks can significantly impact the healthcare entity's reputation and even cause harm to patients. In addition, many medical devices are connected to the internet, which makes them vulnerable to attack. Healthcare Cybersecurity Controls are a set of controls that help healthcare entities protect their information from cyber threats. The five domains are cybersecurity governance, medical devices & software management, healthcare cybersecurity defense, incident management, and audit & compliance.

Financial Cybersecurity Controls

As the financial sector adopts new technologies to provide insurance, money exchange, point of sale, cryptocurrency, and stock exchange services to users remotely, the associated cybersecurity risk has increased significantly, which increases the risk of cyber-attacks. NCSC has developed a document with cybersecurity controls for financial entities to follow. The seven main domains are governance, cybersecurity of financial technology, cyber defense, cybersecurity assessment, cybersecurity of third-party, cybersecurity incident management, and cybersecurity audit.

Oil, Electricity, and Gas and Critical Industry Cybersecurity Controls

Cyber-attacks on industrial control systems (ICS) can have serious consequences, including physical damage to equipment, injury or death of workers, environmental damage, financial losses, and supply disruptions. To help protect ICS from cyber-attacks, a risk-based approach is needed. These controls can help to increase digital threat detection, response, and recovery capabilities and to minimize the impact of targeted and non-targeted cyber-attacks on engineering devices and ICS/IT networks. The standard contains four domains: governance, defense of ICS/IT, control system vulnerability management, ICS/IT cybersecurity industrial incident management, and audit.

Telecommunications Cybersecurity Controls

The telecommunications sector provides essential services that allow people to communicate locally and internationally. Internet access is also possible because of the telecommunications sector. The telecommunications cybersecurity controls aim to protect the sector, which is one of the Critical National Infrastructures (CNIs), from cyber threats and attacks. The standard contains seven domains: Cybersecurity Governance, Cyber Defense, Cybersecurity Assessment and Third-Party Cyber Risk Management, Cybersecurity Operations and Incident Management, Generally Applicable Telecoms Security Controls, Peering and Interconnection, and National Infrastructure and Services.

Transportation Cybersecurity Controls

The transportation sector is essential for the economy of Bahrain, as it allows people and products to move easily from place to place. This, in turn, enables international trade. Adversaries understand the importance of the transportation sector, so they often target it with cyberattacks to disrupt operations and services. These disruptions can have a significant impact on the economy as well as on human life. Therefore, cybersecurity is essential for protecting the transportation sector from these threats. The standard includes best practices for protecting transportation systems within six domains: Cybersecurity Governance, Cybersecurity of Transportation Systems, Cybersecurity Defense, Third-party Management, Cybersecurity Incident Management, and Cybersecurity Audit.

For more information, please contact: