Critical infrastructure protection, a challenge to national security (part 2)

Terrorist threats, the diversity and increasing number of natural disasters, as well as technological accidents are triggering a special focus on critical infrastructure protection. The complexity and interdependency of these infrastructures impose protection measures both nationally and internationally. The concerns of national, international, regional and non-governmental bodies are focused around the development of a procedure and methodology for identifying and protecting critical infrastructures.

Threat analysis

The USA Presidential Commission for the Critical Infrastructure Protection defines threat as “an internal or external entity that is capable to exploit the vulnerability of a critical infrastructure and the mean intention of weaken the economic security and defence”. A threat can be represented by an individual, an organisation or a nation. The threat analysis includes the identification of the internal or external nature, the identification of source and the occurrence probability.

Vulnerability analysis

Vulnerability can be defined as a characteristic of architecture, of the implementation and operation of a critical infrastructure, through which this is exposed to destruction or dysfunction faced to a threat. In this phase, the vulnerable fields are identified, as well as their interdependencies and the quantification impact is assessed (for example: insignificant, minor, major, high, and catastrophic).

Consequence analysis

The purpose is to determine the impact resulted following the successful operation of a threat on the vulnerability. The extent to which this threat affected the critical infrastructure is determined by experts familiar with the respective assets, execution people, owners or managers. The analysis can be quality-related or quantity-related, each alternative having its advantages and disadvantages.
For example, in Canada, OCIPEP, the Office of Critical Infrastructure Protection and Emergency Preparedness, has established six categories of consequences, concerning the following fields of activity: service supply, society, politics, economic, environment and interdependencies. The impact of destroyed or non-operable infrastructures is analysed based on three factors:
a) proportions: the loss of an infrastructure is quantified through the extension of the affected geographical area – local, regional, national;
b) magnitude: zero, minimum, medium or major;
c) effects in time

In Great Britain, NISCC – the National Infrastructure Security Coordination Centre – uses a graphic model of analysis with three coordinates: X: the impact area, referring to life losses, economic, social and political consequences; Y: the impact severity – with a logarithmic scale from 1 to 10; and Z: with a logarithmic scale

System analysis

In this context, the system is a complex of infrastructures, one simple, another dependent of a company or a certain system within an infrastructure, corresponding to four hierarchical levels:
a) system of systems;
b) individual infrastructures;
c) individual system or company;
d) technical components.

In this final stage, the mathematical models and computer simulated instruments are used to stress the interdependent activities. There is a series of models and types of simulations for isolated infrastructures; however, they didn’t succeed in modulating the waterfall effects that appear in reality in complex networks.
The European Union has financed several such projects among which:

a) ACIP – Analysis and Assessment of Critical Infrastructure Protection, with the purpose of modulating and simulating critical infrastructure protection. The programme has developed an algorithm for the creation and application of modulation and simulation with the following targets:
-identifying and evaluating the state of critical infrastructure protection;
-analyzing the mutual interdependencies of infrastructures and the waterfall effects in case of disturbances;
-investigating different scenarios in view of identifying gaps, deficiencies and strong points;
b) COSIN – Co-evolution and Self-organization In Dynamical Networks, with the purpose of developing a series of theoretical, graphic, analytical and computer-assisted instruments that would describe the complex behaviour of networks.
c) Safeguard, with the purpose of improving the dependency and viability of complex critical infrastructures (Large Complex Critical Infrastructures – LCCIs), such as energy distribution networks and telecommunication networks.

Concerns of international and regional organisations

More and more such organisations deal with the critical infrastructure protection issues. We have already mentioned NATO’s activities in the critical infrastructure protection area.
The Organisation for Economic Co-operation and Development (OECD) deals with the critical infrastructure protection issue from the point of view of economic incidents and catastrophes: insurances, re-establishing communications in case of earthquakes, maritime security, the effect of chemical incidents on the environment etc.
Part of the European Union’s concerns has already been mentioned. The Council of Europe has developed “The open partial agreement on major risks” with the purpose of cooperating in risk management. The institution is also involved in creating a culture of risk and security by holding university classes and masters.
In October 2004, the European Commission adopted a document on critical infrastructure protection which proposes additional measures for strengthening the existing instruments, especially the implementation of a European protection programme (EPCIP). EPCIP will represent a permanent forum dealing with maintaining a balance on the one hand, between the constraints imposed by competition, responsibility and information sensitivity and, on the other hand, between the advantages deriving from safer critical infrastructures. The Commission will also establish a critical infrastructure warning system (CIWIN – Critical Infrastructure Warning Information Network). The European Standardization Committee, together with other standardization bodies, will have to recommend sectoral security norms, uniform to all involved sectors. In February 2005, the European Commission and the European Space Agency (ESA) held a wide international forum with the participation of the world’s most important space agencies. The reunion focused on strengthening cooperation for preventing natural disasters or major technological accidents and facilitating rescue operations through a wider surveillance of the planet with the help of satellites. In fact, since 2001, the European Commission has launched the GMES initiative – Global Monitoring for Environment and Security with the purpose of achieving an autonomous environment monitoring operational capacity. The International Civil Defence Organisation (OIPC), a federation of national civil defence structures, is a communication, know-how exchange and cooperation platform. One of his main tasks was the standardization of emergency procedures. UNO’s Economic Commission for Europe has established a series of norms and standards for infrastructures, the transport of dangerous goods and cross-border accidents.
In 2003, G8 adopted a document which includes 11 driving principles, ensuring a framework for the development of critical infrastructure protection strategies, especially in informatics at both national and international level. The Organisation for Security and Cooperation in Europe (OSCE), as well as other international organisations, is currently defining its new attributions and structures that would correspond to the globalisation phenomenon and to the new types of risks and threats. At the Annual Security Conference in 2004, it was suggested to intensify information exchange on risks and the coordinated reaction in critical infrastructure protection, given its trans-national character. The first recommended measure is holding reunions of specialists with the set purpose of elaborating a set of OSCE recommendations to develop a true “OSCE territorial security”.
At the end of 2003, the Geneva Centre for Security Policy held a forum dedicated to critical infrastructure protection coordination. It was the first such forum with the participation of over 180 specialists in 28 countries.

The conclusions of the forum were extremely interesting and refer to the general tendencies of critical infrastructure protection, the wrong decision made until the moment and means of “approaching the problem in a different way”, “thinking the impossible”, and “changing mentalities”.

by Dan Marcel Bărbuț – Central and synthesis state inspector AFER, Crisis management,
multinational operations and Euro-Atlantic security expert


Share on:
Facebooktwitterlinkedinmail

 

RECOMMENDED EVENT: