Foreword

In the last decades the most developed countries of the world have realized a social model characterized by a high “quality of life” of their citizens. There are, in fact, many services and opportunities available to every citizen, which contribute to satisfying their needs or expressing their attitudes.

Energy provision, healthcare, transportation and financial systems represent some of the fundamental pillars of this “quality of life” model. The availability of those services is perceived as a natural fact, to the extent that if they were no longer accessible, most of us wouldn’t know what to do in many circumstances.

The current situation has changed profoundly since the beginning of 20th Century, when every family heated its house with lumber collected by the family members and possessed autonomous transportation means (horses, mules etc.), or when an entrepreneur would have to install autonomous power generation mechanisms for its manufacture.
Moreover, in the last years there has been an increasing attention to the dependence on those infrastructures allowing the provision of services, and whose unavailability would unacceptably compromise the quality of our lives.
Those infrastructures have been dubbed as “critical,” and the need to protect their existence and enduring functioning became a synonym of the need of protecting our “quality of life.”

CI Protection Initiatives

Following the terrorist attacks that shocked the world in the first years of the new Millennium, both in North America and in Europe, many advanced countries started to consider the protection of their critical infrastructures (CI) in a more organic way, taking into account potential intentional attacks against them.

Among the first countries to take action, the U.S.A. established the Department of Homeland Security (DHS) right after the attacks of 11 September 2001. This entity immediately outlined the protection of critical infrastructures and key assets among its critical mission areas, drafting the National Infrastructures Protection Plan (NIPP), which provides a unified nation-wide strategy for its national protection.
The DHS is also mandated to guide, integrate and coordinate the national efforts for improving the protection of critical infrastructures, developing and implementing programmes and methodologies of risk assessment, inter-sector guidelines and metrics.
By the end of 2004 the European Union followed this rising interest and launched the European Programme for Critical Infrastructure Protection (EPCIP). Such programme also addresses prevention, preparedness and response to terrorist attacks, and it is still supporting many initiatives promoting critical infrastructures’ security.

The directive 114/2008 of the European Commission represents instead a first step for harmonizing the protection of European critical infrastructures (ECI) around a common baseline of measures. The first step of this baseline is the identification of the critical infrastructures, applying crosscutting criteria based on the ex ante assessment of human casualties, economic consequences and public effects due to a possible outage of candidate infrastructures.
After identifying and designating the ECIs, each of these must provide a liaison officer and complete an “operator security plan” based on the most widely accepted risk management concepts. Every EU country must also designate a national contact point on the matter and periodically report to the Commission. This directive initially applies to critical infrastructures in the energy and transportation sectors, and will be extended to other sectors in the near future.

CI Threats and Impacts

Critical infrastructures are managed by a constellation of private and public organizations which are naturally prone to a wide variety of threats that can impact the citizens’ “quality of life,” depending on their own characteristics in terms of processes, assets etc.
Some of those organizations, for example, might rely more on information systems than others and will thus be more susceptible to cyber attacks, as in the cases where SCADA (Supervisory Control And Data Acquisition) systems are involved. In this latter situation, constantly growing in number, the continuous functioning of large infrastructures (power plants, oil sewage, air traffic sensors etc.) can be consistently assigned to automated or semi-automated systems interconnected by distributed networks. Nowadays, many industrial processes (like automobile construction, food production and even goods’ distribution) are also being progressively controlled by SCADA or ICT (Information and Communication Technology) systems, which help cutting operational costs and increasing efficiency. In all of these contexts, a cyber attack could not only have the same consequences as a physical sabotage, but it could prove to be even tougher because of the possibility of reaching a large number of similar systems via remote links.

Since the ultimate goal is to protect the frequently cited “quality of life,” critical infrastructure must be protected not only against all types of intentional attacks. These may range from retaliation sabotage by a disgruntled employee up to terrorists attacks aimed at waging fear and damage in a region or country, but also from natural events and disasters to mechanical failures and the omnipresent human errors.

Every one of those threat families is composed by a vast number of possible actions performed by different actors (threat agents), which, as a part of the risk management discipline, are then connected to specific impacts. Those impacts are related to the simple question “what would happen if,” and are thus strongly coupled with threats. In any case, most of the approaches used worldwide to identify critical infrastructures are “all hazard;” this means that the criticality assessment is based on the impact of a breakdown of the infrastructure leading to the interruption of the service provision, irrespectively of the specific threat scenario that would lead to the breakdown itself.
The most widely recognized high-level impact is the loss of human lives, but the “quality of life” goes well beyond the “survival” concept, thus bringing into consideration other impacts like social and political stability, economic losses, pollution, confidence in institutions, psychological suffering and many others, which, in turn, may be generated by a large number of possible threats.

CI Protection Solutions

Prevention is a key factor and, in fact, all modern critical infrastructure protection programmes mandate in their very core some kind of risk assessment activity, identifying the critical assets, evaluating the threats to which they are prone and the effectiveness of the adopted protecting countermeasures. If the results of this activity show an insufficient protection, it must be remedied through the adoption of additional countermeasures.

Indeed, most operators of major critical infrastructures already implement effective risk management and business continuity plans. In many sectors, specific rules are in place to guarantee operational continuity. Nevertheless, due to the highly interconnected nature of critical infrastructures, a fault in a “minor” infrastructure, perhaps not properly secured, could cause an unexpected cascading affect, leading to the progressive breakdown of other infrastructures. This circumstance calls for an enhancement of the overall level of security, guaranteeing a “basic” operational continuity for all the infrastructures contributing, even indirectly, to the citizens’ “quality of life.”

Since the impacts to the life quality are so wide-ranging and different, conducting a realistic risk assessment is neither an easy task nor is it something that many organizations are used to doing. Luckily there are some contexts in which those topics are adequately addressed, as within “management systems.” Those organizational frameworks are sets of requirements, established by some national or international standard, aimed at correctly managing a specific topic in a documented and improvement-oriented way. Some examples of management systems relevant for critical infrastructures include:

• ISO 22399 on incident preparedness and operational continuity;
• ISO/IEC 27001 on information security;
• OHSAS 18001 on occupational health and safety;
• ISO 14000 on environment.

All those management systems are based on risk assessment concepts and they are interoperable between them. Moreover, they are mature objects supported by competent communities, dedicated tools and they even offer control and certification capabilities. Most importantly, every one of them separately addresses some of the relevant impacts to the “quality of life.”

Rather than inventing new solutions to already addressed problems, the correct joint application of those sound methodologies could be a huge step forward in the protection of critical infrastructures. This fact, opportunely coordinated in its application by local and interstate governments, even in a gradual step-by-step way, should ultimately be able to bring our society to a more stable and sustainable state of “quality of life.”

* Marco Carbonelli, Laura Gratta work in the Interministerial Coordination Secretariat for Critical Infrastructure Protection, within the Italian Presidency of the Council of the Ministers, and are in charge of the Critical Infrastructure modelling and the Directive 114/08 CE national implementation areas, respectively.
Luisa Franchina is Director General of the Team on CBRN attack risk of the Italian Department of National Civil Protection, and is the Head of the Interministerial Coordination Secretariat for Critical Infrastructure Protection, within Italian Presidency of the Council of the Ministers.
Fabio Guasconi is a Team Manager for @ Mediaservice.net S.r.l., a Security Advisory firm and is the chairperson of the Italian ISO/IEC JTC1/SC27 committee.
Daniele Perucchini is the Leader of the Critical Infrastructure Protection Area within Fondazione Ugo Bordoni.