Draft law on cybersecurity approved by the Government

“The draft was presented for public debate by the Ministerul pentru Societate Informationala (Ministry for the Information Society).

“The draft law adopted by the Government will allow the operationalisation of the Sistemul National de Securitate Cibernetica (SNSC, the National Cyber Security System), which will facilitate the adoption of proactive and reactive measures concerning information, monitoring, dissemination, analysis, warning, coordination, decision, reaction, recovery and awareness. The act also defines a unified terminology for the field of cybersecurity and a harmonised framework for action by public authorities and institutions,” the communiqué states.

At the beginning of April, the Consiliul Suprem de Aparare a Tarii (CSAT, the Supreme Council of National Defence) decided to take measures to counter cyber threats against Romania, given that these threats have recently diversified.

“It was assessed that these threats have recently diversified, becoming an increasingly attractive option for state and non-state actors because they do not require very large resources. The CSAT members decided to take measures to speed up the adoption of the normative framework and the operationalisation of the Digital Agenda 2020 as an integral part of the European effort to develop the information society and, implicitly, of the subsequent actions dedicated to cybersecurity,” a communiqué from the Administratia Prezidentiala (Presidential Administration) stated.”

Critical infrastructure protection

The European Commission proposes measures to strengthen the European Union’s (EU) prevention, preparedness and response to terrorist attacks on critical infrastructure.

ACT

Communication from the Commission to the Council and the European Parliament of 20 October 2004 – Critical Infrastructure Protection in the fight against terrorism [COM(2004) 702 final – Not published in the Official Journal].

SUMMARY

The European Council of June 2004 asked the Commission and the High Representative to prepare an overall strategy to strengthen the protection of critical infrastructure.

This communication gives an overview of the actions taken by the Commission to protect critical infrastructure and proposes additional measures to strengthen existing instruments.

The potential for catastrophic terrorist attacks that affect critical infrastructure is increasing. The consequences of an attack on the control systems of critical infrastructure could vary widely. It is commonly assumed that a successful cyber attack would cause few, if any, casualties but might result in the loss of vital infrastructure service. For example, a successful cyber attack on the public telephone switching network might deprive customers of telephone services while technicians reset and repair the switching network. An attack on the control systems of a chemical or liquid gas facility might lead to more widespread loss of life as well as significant physical damage.

The failure of part of the infrastructure (even in different European countries – see the example of electricity blackouts in Europe over the past two years) could lead to failures in other sectors, causing a cascade effect because of the synergistic effect of infrastructure industries on each other. A simple example might be an attack on electrical utilities where electricity distribution is disrupted; sewage treatment plants and waterworks could also fail as the turbines and other electrical apparatuses in those facilities might shut down.

Critical infrastructure can be owned or operated by both the public and the private sector but, in any case, the public sector has a fundamental role to play in making it secure.

Definition and criteria for identifying critical infrastructure

Critical infrastructures are those physical and information technology facilities, networks, services and assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of citizens or the effective functioning of governments in European Union (EU) countries.

Critical infrastructure includes:

  • energy installations and networks;
  • communications and information technology;
  • finance (banking, securities and investment);
  • health care;
  • food;
  • water (dams, storage, treatment and networks);
  • transport (airports, ports, intermodal facilities, railway and mass transit networks and traffic control systems);
  • production, storage and transport of dangerous goods (e.g. chemical, biological, radiological and nuclear materials);
  • government (e.g. critical services, facilities, information networks, assets and key national sites and monuments).

The communication also suggests three criteria for identifying potential critical infrastructure: the extent of the geographical area that could be affected, the magnitude of the impact, and the effects of that impact over time.

EU countries must list the infrastructure critical to them, according to an EU harmonised formula and in conjunction with the organisations or persons in charge of security.

As regards security management, the first thing to note is that it is impossible to protect all infrastructures against the threat of terrorist attacks. However, by applying risk management techniques, attention can be focused on areas of greatest risk. Security management is a deliberate process of determining the risk and deciding upon and implementing actions to reduce risk to a defined and acceptable level, at an acceptable cost.

Progress so far in protecting critical infrastructure at European level

As a complement to the measures that have been taken at national level, the EU has already adopted a number of legislative measures setting minimum standards for infrastructure protection in the framework of its different policies. This is notably the case in the transport, communication, energy, occupational health and safety, and public health sectors.

A further step towards communication security is being made with the creation of the European Network and Information Security Agency (ENISA). In addition, in sectors like aviation and maritime security, inspection services have been created within the Commission to monitor the implementation of security legislation by EU countries.

European Programme for Critical Infrastructure Protection

The EU must focus on protecting infrastructure with a transnational dimension. A European Programme for Critical Infrastructure Protection (EPCIP) will be set up with a view to identifying critical infrastructure, analysing vulnerability and interdependence, and coming forward with solutions to protect from, and prepare for, all hazards. The programme should include helping industrial sectors to determine the terrorist threat and potential consequences in their risk assessments. EU countries’ law enforcement bodies and civil protection services should ensure that EPCIP forms an integral part of their planning and awareness-raising activities.

A Critical Infrastructure Warning Information Network (CIWIN) that brings together critical infrastructure protection specialists from EU countries should be set up as soon as possible. This infrastructure warning network should assist the Commission in drawing up the programme.

In conclusion, the goal of EPCIP and the duty of the Commission would be to ensure that there are adequate and uniform levels of protective security on critical infrastructure, minimal points of failure and tested rapid reaction arrangements throughout the EU.

Background and follow-up

On 17 and 18 June 2004, the European Council asked the Commission to prepare an overall strategy to enhance the protection of critical infrastructure. In response, the Commission published this communication on 22 October 2004.

The Commission’s intention to propose a European Programme for Critical Infrastructure Protection (EPCIP) and a Critical Infrastructure Warning Information Network (CIWIN) was accepted by the European Council of 16 and 17 December 2004, both in its conclusions on prevention, preparedness and response to terrorist attacks and in the Solidarity Programme, adopted by the Council on 2 December 2004.

Throughout 2005, intensive work was carried out on the EPCIP. On 17 November 2005, the Commission adopted a Green Paper on a European Programme for Critical Infrastructure Protection.

On 15 September 2005, a decision on the financing of a pilot project containing a set of preparatory actions with a view to strengthening the fight against terrorism was adopted.

Lastly, the Commission presented on 12 December 2006, a proposal for a directive on the identification and designation of European critical infrastructure and a common approach to assess the need to improve their protection. On the same day, it adopted a communication on a European Programme for Critical Infrastructure Protection. These documents give a clear idea of how the Commission proposes to address the issue of critical infrastructure protection in the EU.

RELATED ACTS

Green Paper of 17 November 2005 on a European programme for critical infrastructure protection [COM(2005) 576 final – Not published in the Official Journal].

Communication from the Commission to the Council and the European Parliament of 20 October 2004 – Preparedness and consequence management in the fight against terrorism [COM(2004) 701 final – Not published in the Official Journal].

Communication from the Commission to the Council and the European Parliament of 20 October 2004 – Prevention, preparedness and response to terrorist attacks [COM(2004) 698 final – Not published in the Official Journal].

European critical infrastructures

This directive sets up a procedure for identifying and designating European critical infrastructures (ECIs) *. At the same time, it provides a common approach for assessing these infrastructures, with a view to improving their protection in order to better serve the needs of citizens.

Member States must go through a process of identifying potential ECIs, with the help of the Commission if required. Member States should make use of a series of criteria to identify these potential ECIs. The cross-cutting criteria take into account possible casualties and economic and public effects, while the sectoral criteria consider the specificities of each ECI sector. This directive currently concerns only the energy and transport sectors and their subsectors as identified in Annex I. Additional sectors might be added with the review of the directive.

Each Member State should go through a cooperative designation process for potential ECIs located on its territory. This process involves discussions with other Member States, which could be significantly affected in case of the loss of service provided by an infrastructure. In order for an infrastructure to be formally designated as an ECI, the Member State on whose territory it is located must give its assent.

The identification and designation of ECIs by Member States must be completed before 12 January 2011, after which they are to be reviewed regularly.

The Member State on whose territory an ECI is located must inform the Commission annually of the number of potential and designated ECIs for each sector.

Member States must ensure that an operator security plan (OSP) or an equivalent measure is in place for each designated ECI. The purpose of the OSP process is to identify the critical assets of the ECI as well as the existing security solutions for protecting them. The minimum content to be covered is defined in Annex II of the directive. The OSPs must be reviewed regularly.

Member States must also ensure that a security liaison officer or equivalent is designated for each ECI. The officer serves as the contact point between the owner/operator of the ECI and the Member State authority concerned. The purpose is to allow for the exchange of information regarding the risks and threats relating to the ECI.

Within one year of designating an ECI in one of the subsectors, Member States are to conduct an assessment of the threats relating to it. In addition, Member States are to report to the Commission every two years on the risks, threats and vulnerabilities the different ECI sectors are facing. The need for additional Community measures to protect ECIs will be assessed on the basis of these reports.

To support the owners/operators of ECIs, the Commission provides access to best practices and methodologies regarding the protection of critical infrastructure. Furthermore, it supports the related training activities and exchanges of new technical information.

Any sensitive information regarding the protection of ECIs may be treated only by persons having the appropriate level of security clearance and only for the purposes the information was originally intended.

A European critical infrastructure protection contact point (ECIP contact point) is to be appointed in each Member State. Its purpose is to coordinate any ECI-related issues between Member States and with the Commission.

Background

On 12 December 2006, the Commission adopted the communication on a European Programme for Critical Infrastructure Protection (EPCIP), which sets out an overall framework for critical infrastructure protection activities at EU level. The process of identifying and designating ECIs is one of the key elements of EPCIP.

The Council conclusions of April 2007 reaffirmed Member States’ responsibility in managing the protection of critical infrastructures located on their respective territories. Simultaneously, the Council welcomed the Commission’s efforts in developing a European procedure to identify and designate ECIs and in assessing them with a view to improving their protection.

  • Critical infrastructure: an asset, system or part thereof located in Member States that is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact on a Member State as a result of the failure to maintain those functions.
  • European critical infrastructure (ECI): critical infrastructure in Member States, the disruption or destruction of which would have a significant impact on at least two Member States.

Directive 2008/114/EC

RELATED DOCUMENTS:

http://ec.europa.eu/dgs/home-affairs/e-library/documents/policies/crisis-and-terrorism/critical-infrastructure/index_en.htm

European Commission on PIC

Critical infrastructure is an asset or system which is essential for the maintenance of vital societal functions. The damage to a critical infrastructure, its destruction or disruption by natural disasters, terrorism, criminal activity or malicious behaviour, may have a significant negative impact for the security of the EU and the well-being of its citizens.

Reducing the vulnerabilities of critical infrastructure and increasing their resilience is one of the major objectives of the EU. An adequate level of protection must be ensured and the detrimental effects of disruptions on the society and citizens must be limited as far as possible.

The European Programme for Critical Infrastructure Protection (EPCIP) sets the overall framework for activities aimed at improving the protection of critical infrastructure in Europe – across all EU States and in all relevant sectors of economic activity. The threats to which the programme aims to respond are not confined to terrorism, but also include criminal activities, natural disasters and other causes of accidents. In short, it seeks to provide an all-hazards, cross-sectoral approach. The EPCIP is supported by regular exchanges of information between EU States in the frame of the CIP Contact Points meetings.

A key pillar of this programme is the 2008 Directive on European Critical Infrastructures. It establishes a procedure for identifying and designating European Critical Infrastructures (ECI) and a common approach for assessing the need to improve their protection. The Directive has a sectoral scope, applying only to the energy and transport sectors.

The Directive also requires owners/operators of designated ECI to prepare Operator Security Plans (advanced business continuity plans) and nominate Security Liaison Officers (linking the owner/operator with the national authority responsible for critical infrastructure protection).

FUNDING:

The Commission has funded over 100 diverse projects under the Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks programme (CIPS), during the 2007-2012 period. The programme is designed to protect citizens and critical infrastructures from terrorist attacks and other security incidents by fostering prevention and preparedness, namely by improving the protection of critical infrastructures and addressing crisis management. The key objective is to support CIP policy priorities by providing expert knowledge and a scientific basis for a better understanding of criticalities and interdependencies at all levels.

LINKING RESOURCES:

The Commission has developed a Critical Infrastructure Warning Information Network (CIWIN), providing an internet-based, multi-level system for exchanging critical infrastructure protection ideas, studies and good practices. The CIWIN portal, which has been up and running since mid-January 2013, also serves as a repository for CIP-related information. This initiative seeks to raise awareness and contribute to the protection of critical infrastructure in Europe.

The European Reference Network for Critical Infrastructure Protection (ERN-CIP) has also been created by the Commission to ‘foster the emergence of innovative, qualified, efficient and competitive security solutions, through networking of European experimental capabilities’. It aims to link together existing European laboratories and facilities in order to carry out critical infrastructure-related security experiments and to test new technology, such as detection equipment.

REVIEW:

Taking into account the developments since the adoption of the 2006 EPCIP Communication, an updated approach to the EU CIP policy has become necessary. Moreover, Article 11 of Directive 2008/114/EC on the identification and designation of European Critical Infrastructures refers to a specific review process for the Directive. Therefore, a comprehensive review was conducted in close cooperation with the Member States and stakeholders during 2012. The preliminary results of this review have been summarised in a Commission Staff Working Document (PDF). Based on the results of this review and considering other elements of the current programme, the Commission adopted a 2013 Staff Working Document on a new approach to the European Programme for Critical Infrastructure Protection (PDF). It sets out a revised and more practical implementation of activities under the three main work streams – prevention, preparedness and response. The new approach aims at building common tools and a common approach in the EU to critical infrastructure protection and resilience, taking better account of interdependencies.