Terrorist threats, the diversity and increasing number of natural disasters, as well as technological accidents are triggering a special focus on critical infrastructure protection. The complexity and interdependency of these infrastructures impose protection measures both nationally and internationally. The concerns of national, international, regional and non-governmental bodies are focused around the development of a procedure and methodology for identifying and protecting critical infrastructures.
The globalisation process implies, among others, framing our existence within a matrix system, a multidimensional network. It is easy to understand that the disfunctionality of a single element in the network will inevitably lead to a series of events with destructive consequences. On the one side, over the past years, the more and more threatening perspective of terrorism, the increasing natural disasters and potential technological accidents with major consequences have triggered a special focus on the protection of critical infrastructures (CIP). On the other hand, national, but mostly international interdependencies of industrial, cybernetic, communication, transport, energy, banking infrastructures have brought this problem to the attention of national and international decision makers. Defining critical infrastructures and the methods of approaching their protection vary from one country to another and from one organisation to another. However, joint structural elements can be identified, as well as measures applied so far and joint functions and responsibilities.
Short history
The USA has manifested enduring concerns in the CIP. Ever since 1996, it set up the Presidential Commission on Critical Infrastructure Protection which established that security, economy, life quality and even the survival of the industrialized world depend on energy, communication and computers. The Department of Homeland Security was established in 2003 with 180,000 employees with a major task in joining all efforts in ensuring America’s security against terrorist attacks, natural disasters and human-induced disasters.
Among international organisations with critical infrastructure protection concerns, NATO was the first to take firm steps. Last year, NATO issued a series of definitions in the field, which have been accepted by all member and partner states. According to these definitions, critical infrastructures are those facilities, services or ICT systems that have such a vital importance for nations that their disarrangement or destruction can have negative impacts on national security, national economy, the people’s health condition and the efficient operation of the government. The protection of critical infrastructures includes programmes, activities and actions developed by the governments, owners, operators and shareholders with the purpose of protecting these infrastructures.
The Senior Civil Emergency Planning Committee within NATO has charged the eight committees in its suborder to find the solutions of a joint approach of the problems concerning the criteria of establishing critical infrastructures (CI), the methods of assessing risk and setting weak points, as well as their protection methods.
In the past couple of years, several European countries (especially EU Member States), as well as Australia and Canada, carried out serious activities in the CIP field, establishing responsible bodies and developing new methodologies, allocating funds and taking effective measures for the protection of critical infrastructures.
Approaches
The analysis of this field unanimously accepts two axioms: it is impossible to ensure the 100% protection of a critical infrastructure and there is no single, universal solution to this problem.
The CIP can be approached in three different ways. First, the protection of ICT critical infrastructures, which only includes the security of ICT connections and the solutions for their protection, the competences of the physical protection of other infrastructures being divided among different state or private bodies. Second, the approach type that considers both ITC networks and the physical elements of critical infrastructures. In this situation, the physical protection is an element of the national civil defence system. Currently, a tighter cooperation between the public and the private sector is attempted for reaching the highest level possible in what concerns critical infrastructure protection. In what concerns strategic planning, the cooperation is, however, almost non-existent. This type of approach has been generically called “all hazards approach”. And thirdly, the wide-spread approach which considers only the protection of the government system and the protection of certain state bodies. The approach of critical infrastructures is very difficult due to their complexity, interdependency relations and dynamics. An alternative of dealing with this problem could be one of the seven stages: sector analysis, interdependency analysis, risk analysis, threat analysis, vulnerability analysis, consequence analysis and system analysis.
Sector analysis
Generally speaking, a sector is a group of industries and infrastructures with a similar function. But how do we establish if a sector contains critical elements or not? The answer to this question must be provided by a mixed group of experts from the government, the private sector, the managers, as well as agencies specialized in physical and informational protection. No need to say that this situation requires a very efficient public-private partnership.
From the experience of other EU and NATO Member States, the critical sectors might be the financial-banking system, the government system, telecommunications, transports, energy (electricity and fuels), health, emergency and ambulance services, water supply.
An infrastructure or a component is considered critical according to its strategic position within the general system and, especially, according to the interdependencies that link it to other components or infrastructures.
Interdependency analysis
Interdependency can be seen as a bidirectional relation between two infrastructures, the state of one affecting the state of the other, while dependency is a unidirectional relation. Determining interdependencies is conditioned both by the identification of vital processes and essential components within a sector, as well as by the establishment of the knots and connections between different sectors. The identification of these connections can be made based on matrix methods or graphics by quantifying the identified interdependencies.
Risk analysis
Risk analysis is considering the processes used in evaluating the probability of events and consequences, as well as studying the implementation method of estimations in the decision making process. In fact, this phase includes the identification, quantification and measurement of risks and has to answer three questions: “Which are the potential negative effects?”, “To what extent are they probable?” and “What are the consequences?”
By answering these questions, one can evaluate, accept, avoid or manage risks. Below there is a five-step model of risk analysis (presented during the CORAS project, developed under the auspices of the European Union – The European Programme for the Technologies of an Information Society, based on the AS/NZS standard common in Australia and new Zeeland). Identifying the context consists in the identification of the interest area, evaluation of goods and identification of security needs. Identifying risks refers to the perception of the existing threats of goods and the establishment of their weak points. This process develops based on threat scenarios or undesired events. The risk analysis implies an evaluation of consequences, impact and possibilities of risk manifestation. The evaluation can be made through diagrams or tables where each element is being quantified. The risk evaluation is, in fact, the determination of the risk level, the classification and establishment of risk priorities and the identification of interdependencies between different risk types. The risk level represents the combination between the threat impact and the potentiality level.
The risk counteracting consists in the identification of the counteracting and evaluating options of an alternative approach. Counteracting options include security policies, security requirements or security architectures.
by Dan Marcel Bărbuț – Central and synthesis state inspector AFER, Crisis management, multinational operations and Euro-Atlantic security expert
Share on:
