The European Council of June 2004 asked the Commission and the High Representative to prepare an overall strategy to strengthen the protection of critical infrastructure.
This communication gives an overview of the actions taken by the Commission to protect critical infrastructure and proposes additional measures to strengthen existing instruments.
The potential for catastrophic terrorist attacks that affect critical infrastructure is increasing. The consequences of an attack on the control systems of critical infrastructure could vary widely. It is commonly assumed that a successful cyber attack would cause few, if any, casualties but might result in the loss of vital infrastructure service. For example, a successful cyber attack on the public telephone switching network might deprive customers of telephone services while technicians reset and repair the switching network. An attack on the control systems of a chemical or liquid gas facility might lead to more widespread loss of life as well as significant physical damage.
The failure of part of the infrastructure (even in different European countries – see the example of electricity blackouts in Europe over the past two years) could lead to failures in other sectors, causing a cascade effect because of the synergistic effect of infrastructure industries on each other. A simple example might be an attack on electrical utilities where electricity distribution is disrupted; sewage treatment plants and waterworks could also fail as the turbines and other electrical apparatuses in those facilities might shut down.
Critical infrastructure can be owned or operated by both the public and the private sector but, in any case, the public sector has a fundamental role to play in making it secure.
Definition and criteria for identifying critical infrastructure
Critical infrastructures are those physical and information technology facilities, networks, services and assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of citizens or the effective functioning of governments in European Union (EU) countries.
Critical infrastructure includes:
- energy installations and networks;
- communications and information technology;
- finance (banking, securities and investment);
- health care;
- water (dams, storage, treatment and networks);
- transport (airports, ports, intermodal facilities, railway and mass transit networks and traffic control systems);
- production, storage and transport of dangerous goods (e.g. chemical, biological, radiological and nuclear materials);
- government (e.g. critical services, facilities, information networks, assets and key national sites and monuments).
The communication also suggests three criteria for identifying potential critical infrastructure: the extent of the geographical area that could be affected, the magnitude, and the effects over time.
EU countries must list the infrastructure critical to them, according to an EU harmonised formula and in conjunction with the organisations or persons in charge of security.
As regards security management, the first thing to note is that it is impossible to protect all infrastructures against the threat of terrorist attacks. However, by applying risk management techniques, attention can be focused on areas of greatest risk. Security management is a deliberate process of determining the risk and deciding upon and implementing actions to reduce risk to a defined and acceptable level, at an acceptable cost.
Progress so far in protecting critical infrastructure at European level
As a complement to the measures that have been taken at national level, the EU has already adopted a number of legislative measures setting minimum standards for infrastructure protection in the framework of its different policies. This is notably the case in the transport, communication, energy, occupational health and safety, and public health sectors.
A further step towards communication security is being made with the creation of the European Network and Information Security Agency (ENISA). In addition, in sectors like aviation and maritime security, inspection services have been created within the Commission to monitor the implementation of security legislation by EU countries.
European Programme for Critical Infrastructure Protection
The EU must focus on protecting infrastructure with a transnational dimension. A European Programme for Critical Infrastructure Protection (EPCIP) will be set up with a view to identifying critical infrastructure, analysing vulnerability and interdependence, and coming forward with solutions to protect from, and prepare for, all hazards. The programme should include helping industrial sectors to determine the terrorist threat and potential consequences in their risk assessments. EU countries’ law enforcement bodies and civil protection services should ensure that EPCIP forms an integral part of their planning and awareness-raising activities.
A Critical Infrastructure Warning Information Network (CIWIN) that brings together critical infrastructure protection specialists from EU countries should be set up as soon as possible. This infrastructure warning network should assist the Commission in drawing up the programme.
In conclusion, the goal of EPCIP and the duty of the Commission would be to ensure that there are adequate and uniform levels of protective security on critical infrastructure, minimal points of failure and tested rapid reaction arrangements throughout the EU.
Background and follow-up
On 17 and 18 June 2004, the European Council asked the Commission to prepare an overall strategy to enhance the protection of critical infrastructure. In response, the Commission published this communication on 22 October 2004.
The Commission’s intention to propose a European Programme for Critical Infrastructure Protection (EPCIP) and a Critical Infrastructure Warning Information Network (CIWIN) was accepted by the European Council of 16 and 17 December 2004, both in its conclusions on prevention, preparedness and response to terrorist attacks and in the Solidarity Programme, adopted by the Council on 2 December 2004.
Throughout 2005, intensive work was carried out on the EPCIP. On 17 November 2005, the Commission adopted a Green Paper on a European Programme for Critical Infrastructure Protection.
On 15 September 2005, a decision on the financing of a pilot project containing a set of preparatory actions with a view to strengthening the fight against terrorism was adopted.
Lastly, on 12 December 2006, the Commission presented a proposal for a directive on the identification and designation of European critical infrastructure and a common approach to assess the need to improve their protection. On the same day, it adopted a communication on a European Programme for Critical Infrastructure Protection. These documents give a clear idea of how the Commission proposes to address the issue of critical infrastructure protection in the EU.