Belgrade, April 2013 1

Pro svetovanje

EEUROPEAN CRITICAL UROPEAN CRITICAL INFRASTRUCTUREINFRASTRUCTURE

towards a definitiontowards a definition

Renato GolobRenato Golob, mag., mag.

Belgrade, April 2013 2

80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13

XX. CENTURY XXI. CENTURY

19831983First categorization of

infrastructure´s systems

80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13

XX. CENTURY XXI. CENTURY

1996199613010 - The President’s Commission on Critical Infrastructure Protection

80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13

XX. CENTURY XXI. CENTURY

20012001

New York, sept. 200113228 - Established the Office of Homeland Security and the Homeland Security Council13231 - Established the President’s Critical

Infrastructure Protection Board

80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13

XX. CENTURY XXI. CENTURY

20022002

The Administration released its National Strategy on Homeland Security

80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13

XX. CENTURY XXI. CENTURY

20042004

EU; Madrid, march 2004

80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13

XX. CENTURY XXI. CENTURY

20052005

EU; Green Paper on a European Programme for Critical Infrastructure Protection.

80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13

XX. CENTURY XXI. CENTURY

20082008

EU; Directive 2008/114/EC on the identification and designtion of European critical infrastructures and the assessment of the need to improve their protection

80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13

XX. CENTURY XXI. CENTURYXX. CENTURY XXI. CENTURY

80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13

The Stockholm Programme, 2009

The EU Internal Security Strategy in Action

Belgrade, April 2013 3

INFRASTRUCTURE

Telecommunication

InformationFood

Transport

HealthElectricity

...

INDIVIDUAL

COMPANY

STATE, UNION (COMMUNITY)

the

lev

el

of

TH

RE

AT

DO WE HAVE TO SOLVE A PROBLEM

?

PRIMARY INTEREST OF EACH STATELEGAL OBLIGATION

UNIFIED RULES: METHODOLOGIES, STANDARDS, CRITERIA, CONTROL

CENTRALISED COORDINATIONMOTIVATION MECHANISMS

Belgrade, April 2013 4

CRITICAL INFRASTRUCTURE:CRITICAL INFRASTRUCTURE:

1. Areas of Security

2. Establishing a Protection System

3. Risk Assessment – the indispensable condition

PROTECTION PROTECTION SYSTEMSYSTEM

Belgrade, April 2013 5

CRITICAL INFRASTRUCTURE: PROTECTION SYSTEM – Areas of Security

Private securityPrivate security: to prevent unauthorised persons from accessing the protected person or property and thus prevent a loss event (an event that would bring about harmful consequences).

Critical infrastructure protection Critical infrastructure protection systemsystem: to prevent any event that might interrupt comprehensive functionality.

The task, purpose or meaning of CI protection is considerably broader than the meaning of private security.

Private security is just a part of CI protection system.

Data Security

Information systems Security

Logistic Security

Communication Security

Security of Health at work

...

Natural Disasters

Fire Protection

Ecological Security

Private Security

Belgrade, April 2013 6

Sector TRANSPORT

SubS “road”SubS “railway”

SubS “air”

SubS “water”

CRITICAL INFRASTRUCTURE: PROTECTION SYSTEM – establishing a Protection System

Belgrade, April 2013 7

VSS

microlocation

Belgrade, April 2013 8

Incident

Vital Security Spots

Microlocations

Security Measures

RISK ASSESSMENT

Threats Vulnerability

Probability of the Incident Damage Consequences

CRITICAL INFRASTRUCTURE: PROTECTION SYSTEM – the indispensable condition

Belgrade, April 2013 9

1. CONCLUSIONS:

European Critical Infrastructure must be protected.

Critical infrastructure can only be protected using systemic solutions of security measures.

Proper security measures can only be identified on the basis of analysing the results of a security

risk assessment.

Belgrade, April 2013 10

Directive 2008/114/EC

Actual questions: Disputed starting points:

Article 3; “ ... The Commission may draw the attention of the relevant Member States to the existence of potential critical infrastructures which may be deemed to satisfy the requirements for designation as an ECI ...”

Article 3; based on what data, grounds or argumentations?

Article 7; which are the measures of ECI protection, that apply at the EU level?

Article 7; “ ... 3. Based on the reports referred to in paragraph 2, the Commission and the Member States shall assess on a sectoral basis whether further protection measures at Community level should be considered for ECIs...”

Article 8; Maner of ensuring access? What are the existing best practices and methodologies? Which of them are available?

Article 8; “... The Commission shall support, through the relevant Member State authority, the owners/operators of designated ECIs by providing access to available best practices and methodologies as well as support training and the exchange of information on new technical developments related to critical infrastructure protection... “

Article 3; a single criterion for determining ECI – damage (harmful) consequences

Article 3; “...2. The cross-cutting criteria shall comprise the following:(a) casualties criterion (assessed in terms of the potential number of fatalities or injuries);(b) economic effects criterion (assessed in terms of the significance of economic loss and/or degradation of products or services;(c) public effects criterion (assessed in terms of the impact on public confidence, physical suffering and disruption of daily life)....”

Article 5; ECI: assets important persons, machines, devices, materials, processes ?

Article 5: “ ... 1. The operator security plan ("OSP") procedure shall identify the critical infrastructure assets of the ECI and which security solutions exist or are being implemented for their protection ....”

Annex II; areas of security to be taken into account, considered and regulated

Annex II: “ ... ECI OSP PROCEDURE1. identification of important assets;2. conducting a risk analysis based on major threat scenarios, vulnerability of each asset, and potential impact; and3. identification, selection and prioritisation of counter-measures and procedures with a distinction between ...”

Belgrade, April 2013 11

Directive 2008/114/EC – European Commission´s competences:

There is no subject within European Commission with the competences to deal with European critical infrastructure protection.

Article 3/1:“The Commission may assist Member States at their request to identify potential ECIs. The Commission may draw the attention of the relevant Member States to the existence of potential critical infrastructures which may be deemed to satisfy the requirements for designation as an ECI.”

Article 3/1: “may assist ”, “may draw the attention” Article 3/2: “shall develop .. shall be optional”

Article 3/2:“ The Commission together with the Member States shall develop guidelines for the application of the cross-cutting and sectoral criteria and approximate thresholds to be used to identify ECIs. The criteria shall be classified. The use of such guidelines shall be optional for the Member States.”

Article 4/2: “may participate”

Article 4/2:“Each Member State on whose territory a potential ECI is located shall engage in bilateral and/or multilateral discussions with the other Member States which may be significantly affected by the potential ECI. The Commission may participate in these discussions but shall not have access to detailed information which would allow for the unequivocal identification of a particular infrastructure.”

Article 7/4: “may be developed”

Article 7/4.:“Common methodological guidelines for carrying out risk analyses in respect of ECIs may be developed by the Commission in cooperation with the Member States. The use of such guidelines shall be optional for the Member States.”

Article 7/2: “may be developed”

Article 7/2:“Each Member State shall report every two years to the Commission generic data on a summary basis on the types of risks, threats and vulnerabilities encountered per ECI sector in which an ECI has been designated pursuant to Article 4 and is located on its territory.A common template for these reports may be developed by the Commission in cooperation with the Member States.”

non obligatory (optional)

no competences, wihout authorization

impossible to protect

European Critical

Infrastructure

+

Belgrade, April 2013 12

2. CONCLUSIONS:

European Critical Infrastructure does not exist.

European Critical Infrastructure protection system does not exist.

The protection of ECI is the responsibility of Member States. But that is not possible.

OR

OR

Belgrade, April 2013 13

It is up to each individual State to determine:

- which complexes (premises) should form ECI (by drawing up a proposal for coordination (harmonization) with the neighbour States),

- the level of European critical infrastructure protection system,- supervisory (control) system.

The security of all states depends on the attitude of each individual state towards the issue of ECI

protection.No state can guarantee the security of its citizen

or property because decisions about this are adopted in other Member States.

Belgrade, April 2013 14

? standards used ?

? level of qualification and ability ?

? supervisory system ?

Centre for European Policy Studies:»Protecting critical infrastructure in the EU, CEPS Task Force Report«, 2010, Brussels:

Levels of identificationLevels of identification, levels of protectionlevels of protection and relationships between national authorities and proprietors of European Critical Infrastructure vary from one member state to another.

While there are individual cases of cooperation between member states, there is no common concept.

Different states use different risk assessment methodologies.

EU Level, ECI: thete is no system of cooperation and coordination.

Belgrade, April 2013 15

3. CONCLUSIONS:

However, the Directive is of significant value and important. This is the first time, that European

Union has officially referred to and pointed out the existence of European critical infrastructure

and the need to dedicate considerable attention to protecting it.

Belgrade, April 2013 16

FUTURE: Does ECI exist?

Does EU want to establish a system for its protection?

BASIC / INITIAL

CONCEPT

ECI shall be identifiedidentified and determined by ECdetermined by EC.

Centralized coordinationCentralized coordination.

Owners: have to ensure the functionalityto ensure the functionality of protection systems.

Unified rulesUnified rules for all member states.

The obligation has to be determined by lawdetermined by law.

System of motivationSystem of motivation.

Treaty on the Functioning of the European Union

Belgrade, April 2013 17

TASKS TO BE DONE:

European CommissionEuropean Commission:: - ECI Agency.

ECI Agency:- ECI identification, - ECI categorization,- uniform (common) rules (methodologies, criteria, standards, ...),- supervisory system,- ...

Owners:- risk assessment,- security measures,- operator security plan,- ECI protection system.

Belgrade, April 2013 18

detailed project proposal: “ ECI Protection System”

- preparing,

- confirmation,

- realization.

European Commission

Directorates

Member States

data

Development & Research Institutions

research, analysis

External expert´s Groups

(practice, experience)

ECI Agency

coordination

Belgrade, April 2013 19

4. CONCLUSIONS:

EU has two possibilities:

Directive 2008/114/EC:

there is no ECI

member states are entirely responsible for the protection of their CI

ECI Protection System:

centralized coordination of the ECI protection system, that has been defined and determined by law or the relevant legal act

member states are entirely responsible for the protection of their CI

Belgrade, April 2013 20

Literature and sources:1. CEPS (Centre for European policy studies), 2010: Protecting critical infrastructure in the European Union, Brussels.2. European Commission, 2005: Green Paper on a European Programme for Critical Infrastructure Protection, Brussels.3. European Commission, 2012; On the review of the European Programme for critical infrastructure protection (EPCIP), SWD(2012) 190 final,Brussels,4. European Council, 2009: The Stockholm Programme – An open and secure Europe serving and protecting citizens, Official Journal of the European Union,C 115/1,5. European Council, 2011: The EU Internal Security Strategy in Action: Five steps towards a more secure Europe, COM(2010) 673 final,6. Koubatis, A, Schonberger J.Y., 2005: Risk Management of Complex Critical Systems. International Journal of Critical Infrastructures, br. 1 / 2,3.7. Michel-Kerjan, E., 2003: New Challenges in Critical Infrastructures: A US Perspective, Journal of Contingencies and Crisis Management, br. 11 / 3, John Wiley & Sons, Inc., New York.8. Nozick, L., Turnquist, M, 2005: Assessing the Performance if Interdependent Infrastructures and 5. Optimising Investments, International Journal of Critical Infrastructures, br. 1 / 2,3.9. Prezelj, I., 2008; Definicija in zaščita kritične infrastrukture Republike Slovenije, Fakulteta za družbene vede, Obramboslovni raziskovalni center, Ljubljana.10. Svet Evropske skupnosti, 2008: Direktiva o ugotavljanju in določanju evropske kritične infrastrukture ter o oceni potrebe za izboljšanje njenega varovanja, Bruselj,

Photo 1, slide 5: http://www.google.si/imgres?imgurl=http://www.borutgorenjak.com/UserFiles/Image/dogodki/balon14.jpg&imgrefurl=http://www.borutgorenjak.com/objava.aspx?id%3D38&h=307&w=460&sz=111&tbnid=mi1g-zkFK7bpZM:&tbnh=90&tbnw=135&prev=/search%3Fq%3Dletali%25C5%25A1%25C4%258De%2Bmaribor%2Bfoto%2Bphoto%26tbm%3Disch%26tbo%3Du&zoom=1&q=letali%C5%A1%C4%8De+maribor+foto+photo&usg=__E1ZlZZGtOFpVEg3bX_o9zvX1nc=&docid=rigH9cqeA8xhjM&hl=en&sa=X&ei=yML1UOfiHo6RhQfdtYDQAg&ved=0CDsQ9QEwBQ&dur=9359Photo 2, slide 5: http://www.google.si/imgres?imgurl=http://mw2.google.com/mwpanoramio/photos/medium/57570669.jpg&imgrefurl=http://www.panoramio.com/photo/57570669&h=332&w=500&sz=33&tbnid=1AqHaIyHe-ilDM:&tbnh=90&tbnw=136&prev=/search%3Fq%3Dtunel%2Btrojane%2Bfoto%2Bphoto%26tbm%3Disch%26tbo%3Du&zoom=1&q=tunel+trojane+foto+photo&usg=__ybIwPGycmS7jVTC2NHGyez267D8=&docid=bt8U1qVg3oDAM&itg=1&hl=en&sa=X&ei=HLL1UPO_GNS1hAfCzID4Bw&ved=0CEkQ9QEwCQ&dur=11000Photo 1, slide 6:http://www.google.si/imgres?imgurl=http://www.planetware.com/i/map/TR/troy-ground-plan-map.jpg&imgrefurl=http://www.planetware.com/map/troyground-plan-map-tr-troy2.htm&h=737&w=700&sz=288&tbnid=L2XS3OTkdSJtfM:&tbnh=85&tbnw=81&prev=/search%3Fq%3Dground%2Bplan%2Bphoto%26tbm%3Disch%26tbo%3Du&zoom=1&q=ground+plan+photo&usg=__y60MSOffP4_Vz8doe_llVKrj94Q=&docid=wzvkNEd4YTQAQM&sa=X&ei=A9v2UMSXL4ZhQe58YHwAg&ved=0CC4Q9QEwAQ&dur=110Photo 2, slide 6:http://www.google.si/imgres?imgurl=http://www.museum.ky/dsn/wwwmuseumky/Content/Images/ground-floor.jpg&imgrefurl=http://www.museum.ky/116/Museum-Maps.htm&h=318&w=499&sz=65&tbnid=QdLBOuipIARJRM:&tbnh=76&tbnw=119&prev=/search%3Fq%3Dground%2Bplan%2Bphoto%2Bmuseum%26tbm%3Disch%26tbo%3Du&zoom=1&q=ground+plan+photo+museum&usg=__nk1UZKlYIv9B2gi3ibLyYLjtiRE=&docid=tCTX4CzHmg7UDM&sa=X&eOdv2UJepKZO3hAfW34DoBQ&ved=0CDQQ9QEwAw&dur=5656

Belgrade, April 2013 21

Renato Golob, mag.Pro svetovanje d.o.o.

pro.svetovanje@s5.net00 386 41 767 237

Thank you for your attention.