Critical Infrastructure Protection in Europe – Prof. Mitat Çelikpala

CIP in Europe

Critical infrastructures (CI) are those physical and information technology facilities, networks, services and assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of citizens or the effective functioning of governments. From energy systems that power our neighborhoods, to transportation networks that move us around our communities and the country, to facilities that provide our families with safe drinking water, critical infrastructure and key resources impacts nearly every aspect of our daily lives. In short, CI is an umbrella term referring to; the assets of country’s essential to the nation’s security, public health and safety, economic vitality, and way of life.

CIs extend across many sectors of the economy, including banking and finance, transport and distribution, energy, utilities, health, food supply and communications, as well as key government services. Some critical elements in these sectors are not strictly speaking “infrastructure”, but are in fact, networks or supply chains that support the delivery of an essential product or service. For example, the supply of food or water to our major urban areas is dependent on some key facilities, but also a complex network of producers, processors, manufacturers, distributors and retailers.

These infrastructures are owned or operated by both the public and the private sector. However, “The reinforcement of certain security measures by the public authorities in the wake of attacks directed against society as a whole and not at the industry players must be borne by the State.” The public sector has therefore a fundamental role to play.

Why is Critical Infrastructure Important?

Any disruption or attack on CI could significantly disrupt the functioning of government and business alike and produce cascading effects far beyond the targeted sector and physical location of the incident. Direct terrorist attacks and natural, manmade, or technological hazards could produce catastrophic losses in terms of human casualties, property destruction, and economic effects, as well as profound damage to public morale and confidence. The consequences of an attack on the industrial control systems of CI could vary widely. It is commonly assumed that a successful cyber-attack would cause few, if any, casualties, but might result in loss of vital infrastructure service. For example, a successful cyber-attack on the public telephone switching network might deprive customers of telephone service while technicians reset and repaired the switching network. An attack on a chemical or liquid natural gas facility’s control systems might lead to more widespread loss of lives as well as significant physical damage.

Another type of catastrophic infrastructure failure might be when one part of the infrastructure leads to the failure of other parts, causing widespread cascade effect. Such failure might occur due to the synergistic effect of infrastructure industries on each other. A simple example might be an attack on electrical utilities where electricity distribution was disrupted; sewage treatment plants and waterworks could also fail, as the turbines and other electrical apparatuses in these facilities might shut down.

Cascade events can be very damaging too, causing widespread utility outages. The blackouts for example have put in evidence the vulnerability of energy infrastructures and consequently the need to find effective measures to prevent/or to mitigate the consequences derived from a major supply disruption. This use of cyber-terrorism could also result in an amplification of the physical attack’s effects. An example of this might be a conventional bombing attack on a building combined with a temporary denial of electrical or telephone service. The resulting degradation of emergency response, until back-up electrical or communication systems can be brought into place and used, could increase the number of casualties and public panic.

How to Identify and Prioritize

Information from a number of sources is needed to conduct threat, incident and vulnerability analysis of the states’ critical infrastructure elements and their dependencies. Each sector and the state will need to identify infrastructure critical to them, within their respective jurisdictions according to a harmonized formula and the organizations or persons in charge of security.

Not all infrastructures can be protected from all threats. For example, electricity transmission networks are too large to fence or guard. By applying risk management techniques, attention can be focused on areas of greatest risk, taking into account the threat, relative criticality, the existing level of protective security and the effectiveness of available mitigation strategies for business continuity.

The criteria for determining the factors that make a particular infrastructure or element of an infrastructure critical need to be studied. These selection criteria should also be based on a sectoral and collective expertise. Three factors might be suggested for identifying potential critical infrastructure:

Scope – The loss of a critical infrastructure element is rated by the extent of the geographic area which could be affected by its loss or unavailability – international, national, provincial/territorial or local.

Magnitude – The degree of the impact or loss can be assessed as None, Minimal, Moderate or Major. Among the criteria which could be used to assess potential magnitude are: (a) Public impact (amount of population affected, loss of life, medical illness, serious injury, evacuation); (b) Economic (GDP effect, significance of economic loss and/or degradation of products or services); (c) Environmental (impact on the public and surrounding location); (d) Interdependency (between other critical infrastructure elements); and (e) political (confidence in the ability of government);

Effects of time – This criteria ascertains at what point the loss of an element could have a serious impact (i.e. immediate, 24-48 hours, one week, other). However, in many cases, psychological effects may escalate otherwise minor events.

There are serious threats and we can classify those threats under two main headlines: Malignant and Malevolent threats. Malignant Forces are mostly natural forces that deteriorate infrastructure.

Threats and Protection: What to do?

Critical infrastructure protection (CIP) requires a consistent, cooperative partnership between the owners and operators of critical infrastructure and the authorities. The responsibility for managing risk within physical facilities, supply chains, information technologies and communication networks primarily rests with the owners and operators.

Alerts, advisories and information notes must be issued to help public and private sector stakeholders protect key infrastructure systems. From time to time specific risks or threats of a terrorist attack may emerge that require an immediate response. On these occasions a well-coordinated operationally focused response will be required from state authorities and industry. In these circumstances the responsible official body coordinate the necessary political responses, and on that basis detailed supporting arrangements will be agreed with stakeholders on a case-by-case basis.

Even the best security management plans and legislation which compel to their enforcement are worthless without proper implementation. Experience proves that independent Commission security inspections of their implementation are the only efficient instrument to guarantee the correct implementation of security requirements.

We need to raise awareness about the importance of country’s critical infrastructure, and strengthen our ability to protect it.  Well-designed official body may oversee programs and resources that foster public-private partnerships, enhance protective programs, and build resiliency to withstand natural disasters and terrorist threats. Key activities in those areas include mainly these elements: Assessing vulnerabilities, implementing protective programs, and improving security protocols; enhancing preparedness through training and exercises

Assisting with contingency planning, response, and recovery; implementing real-time information sharing; implementing cyber security measures; assisting with infrastructure data collection and management; implementing regulations for high-risk chemical facilities; and, developing standards for government building security.

Regulatory Framework: Some Examples

Many nations and international organizations are interested in CIP since in 2001 and has been progressively consolidated in several policy documents and programs. Especially the US and NATO bodies are dealing with CIP in a coordinated manner. Some examples are:

• The US: Homeland Security PD-7 (2003) Critical Infrastructure Identification, Prioritization, and Protection,
• NATO Parliamentary Assembly Special Report on “The Protection of Critical Infrastructure» (2007), “Energy Security” and “Civil Emergency Planning”,
• UN General Assembly Resolution A/RES/58/199 on “Creation of a global culture of cybersecurity and the protection of critical information infrastructures”,
• UN Counter-Terrorism Implementation Task Force (CTITF) Working Group on PCI54,
• UNSC Resolution 2341 Threats to International Peace and Security caused by Terrorist Acts (2017),
• Inter-American Committee Against Terrorism of the Organization of American States (OAS/ CICTE), “Protection of Critical Infrastructure against Emerging Threats” and “Tourism Security Programme”,
• INTERPOL Major Event Support Teams (IMEST) and INTERPOL Incident Response Teams (IRT),
• OSCE “Non-Nuclear Critical Energy Infrastructure Protection from Terrorist Attacks”,
• Regional Cooperation Council “Integrated Infrastructure Planning”.

EU as a Security Union and CIP

As a complement to the measures that have been taken at national level, the EU has already adopted a number of legislative measures setting minimum standards for infrastructure protection in the framework of its different policies. This is notably the case in the transport, communication, energy, occupational health and safety, and public health sectors.

The EU COM786 (dated 2006) European Programme for Critical Infrastructure Protection (EPCIP) designates European critical infrastructure that, in case of fault, incident or attack, could impact both the country where it is hosted and at least one other EU member State. Member states are obliged to adopt the 2006 directive into their national statutes.

A further step towards communication security is being made with the creation of the European Network and Information Security Agency (ENISA). In addition, in sectors like aviation and maritime security, inspection services have been created within the Commission to monitor the implementation of security legislation by EU countries.

A European Programme for Critical Infrastructure Protection (EPCIP) will be set up with a view to identifying critical infrastructure, analyzing vulnerability and interdependence, and coming forward with solutions to protect from, and prepare for, all hazards. The programme should include helping industrial sectors to determine the terrorist threat and potential consequences in their risk assessments. EU countries’ law enforcement bodies and civil protection services should ensure that EPCIP forms an integral part of their planning and awareness-raising activities.

A Critical Infrastructure Warning Information Network (CIWIN) that brings together critical infrastructure protection specialists from EU countries. This infrastructure warning network assist the Commission in drawing up the programme. In conclusion, the goal of EPCIP and the duty of the Commission would be to ensure that there are adequate and uniform levels of protective security on critical infrastructure, minimal points of failure and tested rapid reaction arrangements throughout the EU.

On the 24 July 2020, the European Commission set out the new for the period 2020 to 2025, focusing on priority areas where the EU can bring value to support Member States in fostering security for all those living in Europe. From combatting terrorism and organized crime, to preventing and detecting hybrid threats and increasing the resilience of European critical infrastructure, to promoting cybersecurity and fostering research and innovation, the strategy lays out the tools and measures to be developed over the next 5 years to ensure security in European physical and digital environment.

The new Security Union Strategy is built around the following objectives: to build capabilities and capacities for early detection, prevention and rapid response to security crisis; to focus on results; and to link all players in the public and private sectors in a common effort.

This strategy lays out 4 strategic priorities for action at EU level: A future-proof security environment; tackling evolving threats; protecting Europeans from terrorism and organized crime; and, a strong European security ecosystem.