Measures to Improve the Cybersecurity of Critical Infrastructure in Brazil

In the current context of global interconnectivity, the cybersecurity of critical infrastructures (CIs) is of utmost importance to the private and public sectors. In this regard, based on the analysis of existing guidelines and norms, gaps were identified that may hinder the implementation of CI protection measures against threats of all kinds, threats that affect population well-being and economic power and contribute to weakening a country's reputation in the concert of nations. Considering the dynamic nature and speed of technological evolution, this study aims to provide inputs for the improvement of the cybersecurity of CIs in Brazil, pointing out norms to be elaborated or adopted, good practices, and strategic actions to be followed. The methodology begins with bibliographic and documentary research and, through comparative analysis, points out the most relevant existing standards and initiatives. A diagnosis of the Brazilian situation is then provided, including field research, followed by a solution proposal and finally an analytical discussion of the proposed actions.


Introduction
In Brazil, the issue of cybersecurity for critical infrastructures (CIs) started to be addressed in 2007, with the publication of Resolution 2 of the Chamber of Foreign Affairs and National Defense of the Government Council (CREDEN), which named the critical sectors that would initially be studied by the Critical Infrastructure Safety Technical Groups (GTSIC), namely Energy, Transport, Water and Telecommunications (Brazil, 2007). In the following year, Ordinance No. 02 of the Institutional Security Office of the Presidency of the Republic (GSI/PR) instituted these GTSICs and included the Finance sector among the priority CI areas, without prejudice to others that may be defined. Currently there are five GTSICs, corresponding to the critical sectors mentioned above, each containing two or more subgroups in which several bodies participate.
To deal with cyber threats to CIs, the Presidency of the Republic of Brazil currently has member bodies, among which the Institutional Security Office of the Presidency of the Republic (GSI/PR) stands out; immediate advisory bodies, such as the Governing Council; and consultation bodies, among which the National Defense Council deserves mention. Within the GSI/PR, the matter is dealt with mainly at the Secretariat for Defense and National Security Affairs (Brazil, 2019; Brazil, 2018). The National Strategy for the Safety of Critical Infrastructures will consolidate the concepts, identify the main challenges for the activity of CI security, and serve as strategic guidance and reference for the formulation of the National Plan for the Safety of Critical Infrastructures (Brazil, 2018).
https://ojs.vvg.hr/index.php/adrs/article/view/37/33
Existing Brazilian standards address information security for organizations in general, with no particularities regarding cybersecurity for CIs. Among these standards are the NBR versions of the International Organization for Standardization (ISO) family.
In the area of Defense, the protection of CIs is supported by the National Defense Strategy (Brazil, 2012), which makes reference to the critical sectors to be protected and the use of cyber powers in support of the protection of CIs. It also mentions that the Ministry of Defense and the Ministry of Science, Technology, and Innovation will promote actions for the defense of the industrial base with two objectives: knowledge acquisition and job creation. It will also provide for the protection of strategic infrastructure, with an emphasis on the development of innovative national solutions, including systems, tools, simulators, and cryptographic algorithms.
Within the Army, the Strategic Project Proteger deserves mention, aimed at the military protection of national terrestrial CIs, which includes the development of systems that will share data with the Military Cyber Defense System (SMDC) (EME, 2015).
Between 2014 and 2016, major events such as the World Cup and the Olympics contributed to the advance of the cyber protection of CIs in Brazil, through the collaborative action of civilians and the military. The host cities had cyber detachments from the Cyber Defense Command, and several CIs received Security Technical Guidance Visits (VOT). Among the services provided, the following stand out: risk and vulnerability analysis of IT assets; cyber intelligence; automatic incident detection; incident analysis; support for incident recovery; coordination of incident response; and distribution of alerts, recommendations (based on a guide), and statistics (ComDCiber, 2016).
Since 2018, the exercise called Cyber Guardian has been carried out annually, promoting training and simulations involving bodies related to CIs, with the main objectives of: coordinating and integrating, in an interagency environment, cybersecurity and defense for the protection of CIs in the electrical, financial, nuclear and telecommunication sectors; verifying the effectiveness of procedures for handling incidents in CIs; and contributing to collaborative activities between government, defense, academia, and the private sector. The exercise included the organization of study groups, a tabletop exercise, and the use of simulation and information-sharing tools (ComDCiber, 2019).
To seek the improvement of Brazilian initiatives for the cyber protection of CIs, a literature review was initially carried out on strategic actions existing in other countries, and the references considered most relevant are presented as follows.
Creation of a National Center for the Protection of Critical Infrastructures (CNPIC): some countries already have a CNPIC, which provides a better response to various security incidents and more effective mediation between public and private bodies.
Creation of an ad hoc CSIRT for each critical sector: these centers have the CIs of their critical sector as their constituency and report to the CNPIC.
Information exchange network: in Europe, the Critical Infrastructure Warning Information Network (CWIN) aims to exchange knowledge related to the protection of CIs (Spain, 2013: 19).
Public-private partnerships: their establishment is essential for the full functioning of a CNPIC and of the ad hoc CSIRTs for the critical sectors, contributing to the strengthening of the protection of CIs (United States, 2018).
Regarding the standards, the following foreign selected norms may provide subsidies to the Brazilian regulatory framework.
ISA-62443 presents a series of standards, technical reports and information for the implementation of electronically protected Industrial Automation and Control Systems (IACS). This family of standards is organized into four categories: General; Policies and Procedures; Systems; and Components (ANSI/ISA, 2009). The NIST standards are also relevant, mainly SP 800-82, Guide to Industrial Control Systems (ICS) Security (NIST, 2015), which suggests security policies, countermeasures, and specific procedures for ICS. The Framework for Improving Critical Infrastructure Cybersecurity (NIST, 2018) deserves special mention: it provides five functions to manage and express cybersecurity risk to internal and external parties interested in cybersecurity for CIs. Another reference (Spain, 2010) consists of seven modules that set out principles of good practice for security in process control systems and Supervisory Control and Data Acquisition (SCADA).

Methods
After this brief overview of the initiatives for the cyber protection of CIs implemented in Brazil and in other countries, the methodological aspects of this study become clearer. The theme of the present work can be stated as the following research question: which norms, good practices, and strategic actions could serve as inputs for the improvement of the cybersecurity of CIs in Brazil?
As a hypothesis, it is considered that such international initiatives could serve as inputs for improving the cybersecurity of CIs in Brazil.
As for the approach, the research is classified as qualitative, as it seeks to deepen the understanding of organizations (CIs, in the case under study) (Goldenberg, 1997: 34), and as quantitative because "it considers that reality can only be understood based on the analysis of raw data, collected with the help of standardized and neutral instruments". The combined use of qualitative and quantitative research allows more information to be collected than either could achieve in isolation (Fonseca, 2002).
The nature of the research is applied since the objective is to generate knowledge for practical applications, aimed at solving specific problems in these CIs.
As for the objectives, the research is descriptive, since its purpose is to describe the facts and phenomena of a given reality (Triviños, 1987). As for procedures, it combines bibliographic and documentary research with field research, as it is characterized by investigations in which, in addition to bibliographic and documentary research, data collection is carried out with people, thus crossing data from different types of research (Fonseca, 2002).

Diagnosis
The Reference Guide for the Security of Critical Information Infrastructures (SICI) presented "methods and instruments, aiming to guarantee the security of critical information infrastructures" (Brazil, 2010), representing the first step to increase the culture, security, and resilience of information CIs. Notwithstanding its success in the context of its purpose, SICI needs to be updated today. There is also a need for more norms, standards and specific frameworks to compose the Brazilian normative framework in this area.
From reading the PNSIC, it can be seen that it deals with the topic of security comprehensively; however, it does not emphasize cybersecurity in CIs. Likewise, the NBR standards address information systems in general and are not specific to CIs. Besides, there is a need for a National Cyber Protection Plan for CIs.
Good practices should be present not only in guides and other publications, but also in practice, including greater information sharing and the establishment of public-private partnerships aimed at CI protection.
In the area of education, certification, and awareness, the need stands out to expand the coverage of the activities of the National School of Cyber Defense (ENaDCiber) and of other higher education institutions, such as the Federal University of Rio Grande do Sul (UFRGS), in order to achieve a greater degree of improvement in the CI area.
On the other hand, the practice of the Cyber Guardian exercise in recent years is a positive aspect that needs to be maintained and expanded. Other critical sectors may be included in the next exercises, along with improvements in intersectoral cases and greater use of simulation tools. Internal exercises within each critical sector are also a recommended good practice.
In order to obtain a more accurate diagnosis of the degree of importance that Brazilian experts attach to the issues addressed in the present study, a questionnaire was prepared and applied to fifty organizations that operate CIs in Brazil. The valid results are presented below.

Objectives
The present study has the general objective of raising the level of cybersecurity of Brazilian CIs and presents the following specific objectives, listed according to the steps in which they are to be pursued.
Step 1 - Short-term goals: Creation of a National Policy for the Cyber Protection of Critical Infrastructures and a National Plan for the Cyber Protection of Critical Infrastructures; Establishment of CI cybersecurity policies, strategies, and plans; Definition of the foreign standards that must be adopted in the short term by all organizations responsible for mapped CIs; Creation of national norms, standards and frameworks for cybersecurity in CIs in Brazil.
Step 2 - Medium-term objectives: Creation of a National Critical Infrastructure Protection Center (CNPIC); Creation of an ad hoc Computer Security Incident Response Team (CSIRT) for each critical sector; Establishment of a network of information and alerts between CIs.
Step 3 - Permanent objectives over time: Public-private collaboration to protect CIs in Brazil; Conducting incident response exercises in CIs using scenario simulation technologies; CI cybersecurity education and awareness program.
It is noteworthy that the execution of these steps constitutes a cycle of continuous improvement for the security of Brazilian CIs.

Discussion and Conclusion
After bibliographic research, field research and cross-examination of the collected data, it appears essential to develop new norms and regulatory instructions on the cybersecurity of CIs that are adapted to the Brazilian reality and culture.
The evolution of the threats intrinsic to the cyber sector requires constant improvement of the legal and normative framework, as well as the adoption of internationally established procedures and instruments. The GSI has been playing a standardizing role, being primarily responsible for the preparation and publication of documents. It is argued, however, that Brazilian regulation should complement foreign standards, and that these should be adapted to the national policy. It is expected that the PNSIC and, subsequently, the National Information Security Strategy and its modules will be more effective, with a view to elevating Brazil to a higher level with regard to the cybersecurity of CIs.
The proposal of the present study presented in section 3.2.1 includes initiatives organized in three stages to meet the objectives that lead to the improvement of cyber protection of CIs in Brazil.
Through field research, it was verified that, in general, more than 70% of the interviewees considered the initiatives important or very important; by implementing them, Brazil would follow the trend of the countries that have shown a greater degree of maturity regarding the cybersecurity of CIs. Thus, the proposal can be considered relevant, but its viability still needs to be confirmed through the corresponding study.
It is worth noting that the cyber protection of CIs depends on the collaborative and multisectoral action of public and private agents, at the national and international levels, as well as academia, emphasizing the integrating role of the GSI, in cooperation with the Cyber Defense Command and partner bodies such as CERT.br; CTIR Gov; the Federal Police Department; the Brazilian Intelligence Agency; the Federal Data Processing Service; and the National Research Network (RNP), among others.
From the above, the hypothesis formulated is confirmed: the international initiatives presented in this work may serve as inputs for the improvement of the cybersecurity of CIs in Brazil, provided that national peculiarities are observed. Future work will include further studies on the cyber protection measures for CIs adopted in other countries, as well as more accurate estimates of the resources needed to implement the proposed measures.