Lately, our life has become more and more dependent on a number of infrastructure assets, from physical assets – such as roads and electricity networks – to network systems – financial or internet. We carry out many activities that take advantage of the existence of these infrastructures: trust in critical infrastructures allows us to act in a more economical and more efficient way. This means that the disruption of some infrastructure can substantially damage our economy and can lead to natural disasters and loss of human life.
Critical Infrastructures (CI), such as telecommunications, power supply and transport, fulfill essential functions in a modern state. If any failure occurs in these vital services or if essential elements of infrastructure should break down, the impact could spread to other sectors as well, because of their interdependencies. In today’s networked world, it is possible for serious damage to extend beyond national frontiers and harm other states as well. Infrastructures’ protection has, therefore, become a global challenge that needs to be addressed. Today no state can close its eyes to the need for continual review and improvement of infrastructures’ protection. However, the definitions of critical infrastructures in different countries are as diverse as the concepts of infrastructure protection, although it may be possible to find some common structural elements between countries: the measures taken so far, the functions performed by the responsible organizations and the degree of protection achieved.
There are two universal statements that can be made about the protection of critical infrastructures all over the world: it is simply not possible to achieve 100% security of critical infrastructures in any country, and there is no single ideal way of tackling the problem. Although the approaches adopted are heterogeneous in every country, three main categories can nevertheless be identified.
The first of these is the Critical Information Infrastructure Protection (CIP) approach. Content-wise, this refers exclusively to the security and protection of the IT connections and IT solutions within and between the individual infrastructure sectors. Protection of the physical components is ensured in a separate organizational framework. Functions and competencies relating to critical infrastructures’ protection (CIP) are divided between different state bodies. Moreover, an attempt is made to integrate the private sector at all levels of CIP.
The second approach entails both the protection of critical IT infrastructures and the physical protection of critical infrastructures. Physical protection is part of the national civil defense model and the central co-ordination and strategy organs are simultaneously centers of competence in IT security, civil defense and disaster control. There is no clear separation between the individual components. This approach has recently been called the All Hazards approach.
Both approaches attempt to integrate both state and private players into the national organizational model, but co-operation between the public and private sectors, at the strategic planning level, is often totally absent or else only of a rudimentary nature.
The third approach is a special case, as the only instance of this is the Chinese model. Here there is no co-operation between the public and private sectors. The model serves less to protect the national critical infrastructures than to keep the system of government and the organs that represent the interests of the state.
One of the yardsticks against which one can test the approaches of different countries is the question of whether a national, compelling strategy for critical infrastructure protection exists or not. At this point I would say that it exists only in the US and is totally absent in all other countries.
In this context, I refer to the absence of clear definitions about what needs to be achieved in national critical infrastructure protection. Functions and competencies are seldom clearly delineated and localized. The fact that most countries are not carrying out any independent, national threat analysis is viewed as another shortcoming. In the American perception of the threat, a definition is adopted without change and other authors attribute to the US a pioneering role in almost every area of CIP. All the other states are in fact trying to match their approaches to those of the USA, without adequately taking country-specific differences into consideration. Often in these countries the only analysis undertaken is of dependencies and interdependencies; asset analysis programmes are otherwise confined solely to the public sector.
The inclusion of the private sector is imperative. In the EU, approx. 90% of the national critical infrastructures are actually in the hands of the private sector. Moreover, the companies in the private sector are best placed to assess what systems and subsystems within their own business or sector need special protection. There is a need for greater co-operation due to the importance of strategic controlling, i.e. the merging together of the elements involved in critical infrastructure protection. Countries that have adopted the All Hazards approach are viewed as being particularly weak as regards co-operation with the private sector.
Another aspect relevant to consideration of the private sector is the degree of organization and co-operation. Whereas in the USA this is relatively well established, thanks to the Information Sharing and Analysis Centers (ISACs), such organizational forms are almost absent in other countries, or they are copied with minimal tailoring to country-specific circumstances. However, specialists underline the difficulties of the establishment and efficiency of ISACs.
The fundamental questions on the division of competencies and functions and of information, co-operation and reporting procedures have not yet been adequately clarified. Particularly in countries that have adopted this CIP approach, overlaps are often found along with inadequate delineation of areas of responsibility.
The transparency of the national system for the protection of a state’s own critical infrastructure is viewed as vital. It is essential to the attainment of adequate critical infrastructures’ protection that proper awareness of the problem is created at all levels of industry, state and society. When it comes to information campaigns, the USA and the Netherlands are the clear leaders. In countries that have adopted the All Hazards approach, the most significant shortcomings result from the prominent role played by the national ministry of defense. Every country is only at an elementary stage as regards the protection of its critical infrastructures; there is a massive need for action here. It is especially important that national critical infrastructures’ protection should not be confined to the public sector and it should not stop at the national frontiers either. International co-operation to date has been of only a rudimentary nature and must be stepped up as a matter of urgency.
The US has made a lot of progress, relatively speaking, as regards a strategic architecture for critical infrastructures and their protection. Access to resources has been almost unfettered since 11 September, and many organizations in the US are concerned with critical infrastructures. In the meantime, the aim of achieving all-embracing critical infrastructure protection has been set aside.
The Department of Homeland Security (DHS) is now coordinating all the US government’s critical infrastructure protection initiatives at governmental level and has incorporated a number of governmental agencies. This should help to unify responsibilities in the US in the CIP area and thus avoid situations where similar programmes are initiated by more than one agency. Co-operation with the private sector is working, and the idea of creating ISACs originated in the US. The American system can now be described as transparent.
In the UK, until the end of the 1990s, critical infrastructure protection was not a concern at the highest level. In the last few years functions and competencies on the protection of national critical infrastructure have been transferred to existing organisations; there is no strategic overall concept. The critical organs are the National Infrastructure Security Co-ordination Centre (NISCC) on the state side and the Information Assurance Advisory Council (IAAC), a public-private forum. Parallels with the USA must not be overlooked. The question of greatest responsibility has not yet been clarified in the UK. Moreover, neither in the public nor in the private sector is there any programme for examining the criticality of each system. Bringing together those with responsibilities for CIP (CESG, MI5, the police, the Ministry of Defense) in the NISCC’s management board means that an organ exists for the exchange of information which can then be merged into a national overall picture by NISCC. Since the establishment of The Government Liaison Panel in 2001, the private sector has been integrated into the national structure. Nevertheless, most programmes are still geared towards the public sector. The British model can only be viewed as transparent up to a point. There is a total absence of any virtual information campaigns.
The protection of critical infrastructures comes under Information Operations within NATO and since 1997 it has been the responsibility of a working party whose members are military staff. With a view to the security of the CTI infrastructures of NATO, the NATO Consultation, Command and Control Agency (NC3A) has published important studies on its work in the field of security. These studies are concerned with encryption technologies and PKI concepts, firewalls and the flagging of penetration.
Building on the goals and requirements of the eEurope Action Plan 2002, the European Council of Barcelona asked the Commission to develop a further action plan that would improve the security of ICT infrastructures and push forward services such as e-government, e-learning, e-business and e-health. With a view to ensuring a secure information structure, the EU has already introduced a wide-ranging strategy that is based on eEurope 2002, notifications about the security of IT networks, computer criminality and present and future directives on the protection of the personal sphere in the area of electronic communication.
In Russia, as yet there is no real competent central coordination mechanism in place for the area of national critical infrastructures. In addition to the Russian Security Council, two other government agencies are concerned with the subject of IT security: the Federal Security Service (FSB) and the Federal Agency for Government Communications and Intelligence (FAPSI). In the private sector, a few initiatives have taken place but these are not very effective.
The Chinese approach is involved in the protection of critical infrastructures and it should be viewed as trying to reconcile the internal security endeavors of the state with the necessity of economic modernization, with regard to information technology. The Chinese regime views the country’s CI assets more in terms of being threatened from outside.
The Action Plan on Building Infrastructures to Counter Hackers and Other Cyber-Threats, published in January 2000, constituted the foundation stone for the coordinated protection of critical infrastructures in Japan. As a central document, the Special Plan on Fighting Cyber terrorism against CI defines the Japanese approach to the protection of CI. The central coordinating point for critical infrastructure protection in Japan is the Cabinet Secretariat.
In Germany, the critical infrastructures protection working party are the Federal Ministries. The system was set up by the time of the report of the American President’s Commission for CIP (PCCIP) in 1997, under the leadership of the Federal Ministry of the Interior (BMI). Since then the protection of CI has gained in importance. Various campaigns, such as security on the Internet and the setting up of special commissions are intended to increase awareness of the protection of critical infrastructures. The Federal Office for Information Security has a coordinating function here, as well as making available suitable security technologies and solutions.
The CERTs are playing an increasingly important role in the protection of critical infrastructure as a result of their preventive measures against IT security vulnerabilities and the capability of responding to threats to outsiders. Since the spring of 2010, the United States and Russia, followed by six other countries, have attempted to negotiate a treaty on Internet security and the restriction of the military use of the Internet.
Any concept of cyber security must include the protection of vital infrastructure (electricity, gas, fuel, transport, telecommunications, emergency networks, etc.), which depend almost entirely on control and communication systems. A cyber weapon can be designed or used anywhere, by anyone, with or without a motive, such as a hacker, political or religious extremist, terrorist, discontented ex-employee, competitor, conflict state, ‘madman’, etc. A cyber weapon leaves very little time for anticipation, prevention, detection or reaction due to the electronic speed of action conferred by its vectors, namely the IT architectures and data transmission networks.
The fragility of energy infrastructures and the possibility of cascading failures due to such problems with control systems hardware or software is another concern. Most developed countries depend upon three distinct grids to distribute energy from where it is generated to where it is consumed: the electric grid, a natural gas pipeline network, and a network of pipelines for distribution of petroleum and petroleum products. The flow of materials through these grids or networks is controlled via generators, switches, valves, compressors, oxidizing stations, and pumps that utilize various types of SCADA devices and software. Because most companies use the same computers and networks to control internal operations and for contact with the outside world, the control systems are vulnerable to any intruder who can penetrate a company’s firewall (or to unintentional intrusions). In addition, many systems have multiple wireless points of access that an intruder can exploit. Insider and third-party engineer access is also always a concern.