This article needs additional citations for verification .(June 2023) |
Critical infrastructure, or critical national infrastructure (CNI) in the UK, describes infrastructure considered essential by governments for the functioning of a society and economy and deserving of special protection for national security. [1] Critical infrastructure has traditionally been viewed as under the scope of government due to its strategic importance, yet there's an observable trend towards its privatization, raising discussions about how the private sector can contribute to these essential services. [2]
Most commonly associated with the term are assets and facilities for:
The Canadian Federal Government identifies the following 10 Critical Infrastructure Sectors as a way to classify essential assets. [3] [4]
European Programme for Critical Infrastructure Protection (EPCIP) refers to the doctrine or specific programs created as a result of the European Commission's directive EU COM(2006) 786 which designates European critical infrastructure that, in case of fault, incident, or attack, could impact both the country where it is hosted and at least one other European Member State. Member states are obliged to adopt the 2006 directive into their national statutes.
It has proposed a list of European critical infrastructures based upon inputs by its member states. Each designated European Critical Infrastructures (ECI) will have to have an Operator Security Plan (OSP) covering the identification of important assets, a risk analysis based on major threat scenarios and the vulnerability of each asset, and the identification, selection and prioritisation of counter-measures and procedures.
The German critical-infrastructure protection programme KRITIS is coordinated by the Federal Ministry of the Interior. Some of its special agencies like the German Federal Office for Information Security or the Federal Office of Civil Protection and Disaster Assistance BBK deliver the respective content, e.g., about IT systems. [5]
In Singapore, critical infrastructures are mandated under the Protected Areas and Protected Places Act. [6] In 2017, the Infrastructure Protection Act was passed in Parliament, which provides for the protection of certain areas, places and other premises in Singapore against security risks. [7] It came into force in 2018. [8] [9]
In the UK, the National Protective Security Authority (NPSA) provides information, personnel and physical security advice to the businesses and organizations which make up the UK's national infrastructure, helping to reduce its vulnerability to terrorism and other threats.
It can call on resources from other government departments and agencies, including MI5, the National Cyber Security Centre (NCSC) and other government departments responsible for national infrastructure sectors.
The U.S. has had a wide-reaching critical infrastructure protection program in place since 1996. Its Patriot Act of 2001 defined critical infrastructure as those "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
In 2014 the NIST Cybersecurity Framework was published, and quickly became a popular set of guidelines, despite the significant costs of full compliance. [10]
These have identified a number of critical infrastructures and responsible agencies:
The National Infrastructure Protection Plan (NIPP) defines critical infrastructure sector in the US. Presidential Policy Directive 21 (PPD-21), [11] issued in February 2013 entitled Critical Infrastructure Security and Resilience mandated an update to the NIPP. This revision of the plan established the following 16 critical infrastructure sectors:
National Monuments and Icons along with the postal and shipping sector were removed in 2013 update to the NIPP. The 2013 version of the NIPP has faced criticism for lacking viable risk measures. [12] [13] The plan assigns the following agencies sector-specific coordination responsibilities:
Several U.S. states have passed "critical infrastructure" bills, promoted by the American Legislative Exchange Council (ALEC), to criminalize protests against the fossil fuel industry. [14] In May 2017, Oklahoma passed legislation which created felony penalties for trespassing on land considered critical infrastructure, including oil and gas pipelines, or conspiring to do so; ALEC introduced a version of the bill as a model act and encouraged other states to adopt it. [15] In June 2020, West Virginia passed the Critical Infrastructure Protection Act, which created felony penalties for protests against oil and gas facilities. [16]
Critical infrastructure (CI) such as highways, railways, electric power networks, dams, port facilities, major gas pipelines or oil refineries are exposed to multiple natural and human-induced hazards and stressors, including earthquakes, landslides, floods, tsunami, wildfires, climate change effects or explosions. These stressors and abrupt events can cause failures and losses, and hence, can interrupt essential services for the society and the economy. [17] Therefore, CI owners and operators need to identify and quantify the risks posed by the CIs due to different stressors, in order to define mitigation strategies [18] and improve the resilience of the CIs. [19] [20] Stress tests are advanced and standardised tools for hazard and risk assessment of CIs, that include both low-probability high-consequence (LP-HC) events and so-called extreme or rare events, as well as the systematic application of these new tools to classes of CI.
Stress testing is the process of assessing the ability of a CI to maintain a certain level of functionality under unfavourable conditions, while stress tests consider LP-HC events, which are not always accounted for in the design and risk assessment procedures, commonly adopted by public authorities or industrial stakeholders. A multilevel stress test methodology for CI has been developed in the framework of the European research project STREST, [21] consisting of four phases: [22]
Phase 1: Preassessment, during which the data available on the CI (risk context) and on the phenomena of interest (hazard context) are collected. The goal and objectives, the time frame, the stress test level and the total costs of the stress test are defined.
Phase 2: Assessment, during which the stress test at the component and the system scope is performed, including fragility [23] and risk [24] analysis of the CIs for the stressors defined in Phase 1. The stress test can result in three outcomes: Pass, Partly Pass and Fail, based on the comparison of the quantified risks to acceptable risk exposure levels and a penalty system.
Phase 3: Decision, during which the results of the stress test are analyzed according to the goal and objectives defined in Phase 1. Critical events (events that most likely cause the exceedance of a given level of loss) and risk mitigation strategies are identified.
Phase 4: Report, during which the stress test outcome and risk mitigation guidelines based on the findings established in Phase 3 are formulated and presented to the stakeholders.
This stress-testing methodology has been demonstrated to six CIs in Europe at component and system level: [25] an oil refinery and petrochemical plant in Milazzo, Italy; a conceptual alpine earth-fill dam in Switzerland; the Baku–Tbilisi–Ceyhan pipeline in Turkey; part of the Gasunie national gas storage and distribution network in the Netherlands; the port infrastructure of Thessaloniki, Greece; and an industrial district in the region of Tuscany, Italy. The outcome of the stress testing included the definition of critical components and events and risk mitigation strategies, which are formulated and reported to stakeholders.
Homeland security is an American national security term for "the national effort to ensure a homeland that is safe, secure, and resilient against terrorism and other hazards where American interests, aspirations, and ways of life can thrive" to the "national effort to prevent terrorist attacks within the United States, reduce the vulnerability of the U.S. to terrorism, and minimize the damage from attacks that do occur." According to an official work published by the Congressional Research Service in 2013, the "Homeland security" term's definition has varied over time.
The United States Department of Homeland Security (DHS) is the U.S. federal executive department responsible for public security, roughly comparable to the interior or home ministries of other countries. Its stated missions involve anti-terrorism, border security, immigration and customs, cyber security, and disaster prevention and management.
Business continuity may be defined as "the capability of an organization to continue the delivery of products or services at pre-defined acceptable levels following a disruptive incident", and business continuity planning is the process of creating systems of prevention and recovery to deal with potential threats to a company. In addition to prevention, the goal is to enable ongoing operations before and during execution of disaster recovery. Business continuity is the intended outcome of proper execution of both business continuity planning and disaster recovery.
Infrastructure is the set of facilities and systems that serve a country, city, or other area, and encompasses the services and facilities necessary for its economy, households and firms to function. Infrastructure is composed of public and private physical structures such as roads, railways, bridges, tunnels, water supply, sewers, electrical grids, and telecommunications. In general, infrastructure has been defined as "the physical components of interrelated systems providing commodities and services essential to enable, sustain, or enhance societal living conditions" and maintain the surrounding environment.
Emergency management or disaster management is a science and a system charged with creating the framework within which communities reduce vulnerability to hazards and cope with disasters. Emergency management, despite its name, does not actually focus on the management of emergencies, which can be understood as minor events with limited impacts and are managed through the day-to-day functions of a community. Instead, emergency management focuses on the management of disasters, which are events that produce more impacts than a community can handle on its own. The management of disasters tends to require some combination of activity from individuals and households, organizations, local, and/or higher levels of government. Although many different terminologies exist globally, the activities of emergency management can be generally categorized into preparedness, response, mitigation, and recovery, although other terms such as disaster risk reduction and prevention are also common. The outcome of emergency management is to prevent disasters and where this is not possible, to reduce their harmful impacts.
In the U.S., critical infrastructure protection (CIP) is a concept that relates to the preparedness and response to serious incidents that involve the critical infrastructure of a region or the nation. The American Presidential directive PDD-63 of May 1998 set up a national program of "Critical Infrastructure Protection". In 2014 the NIST Cybersecurity Framework was published after further presidential directives.
Process safety is an interdisciplinary engineering domain focusing on the study, prevention, and management of large-scale fires, explosions and chemical accidents in process plants or other facilities dealing with hazardous materials, such as refineries and oil and gas production installations. Thus, process safety is generally concerned with the prevention of, control of, mitigation of and recovery from unintentional hazardous materials releases that can have a serious effect to people, plant and/or the environment.
The Alabama Department of Homeland Security is a state agency with the executive branch of the Alabama State government designed to develop, coordinate, and implement of a state policy to secure the State of Alabama from terrorist threat or attack. It was established by the Alabama Homeland Security Act of 2003 which was signed on June 18, 2003 by Governor Bob Riley. The Director of the Alabama Department of Homeland Security is Jay Moseley.
The National Infrastructure Advisory Council (NIAC) is a United States government advisory council, which advises the President of the United States on the security of information systems in banking, finance, transportation, energy, manufacturing, and emergency government services. The George W. Bush Administration's executive order 13231 of October 16, 2001 created the NIAC, and its functioning was last extended until September 30, 2023 by executive order 14048 of the Biden Administration.
A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, personal computer devices, or smartphones. An attacker is a person or process that attempts to access data, functions, or other restricted areas of the system without authorization, potentially with malicious intent. Depending on the context, cyberattacks can be part of cyber warfare or cyberterrorism. A cyberattack can be employed by sovereign states, individuals, groups, societies or organizations and it may originate from an anonymous source. A product that facilitates a cyberattack is sometimes called a cyber weapon. Cyberattacks have increased over the last few years. A well-known example of a cyberattack is a distributed denial of service attack (DDoS).
The Cyber Security Division (CSD) is a division of the Science and Technology Directorate (S&T Directorate) of the United States Department of Homeland Security (DHS). Within the Homeland Security Advanced Research Projects Agency, CSD develops technologies to enhance the security and resilience of the United States' critical information infrastructure from acts of terrorism. S&T supports DHS component operational and critical infrastructure protections, including the finance, energy, and public utility sectors, as well as the first responder community.
RAE Systems, Inc., or RAE System by Honeywell, is a provider of wireless, gas and radiation detection instruments and systems that enable real-time safety and security threat detection to help mitigate risk, and protect workers, contractors, the public, and assets. RAE Systems is located in San Jose, California. The company was founded in 1991 by Robert I. Chen and Peter Hsi.
The Critical Infrastructure Research and Development Advancement Act of 2013 is a bill that would require the United States Department of Homeland Security (DHS) to transmit to the Congress a strategic plan for research and development efforts addressing the protection of critical infrastructure and a report on departmental use of public-private consortiums to develop technology to protect such infrastructure. The bill also would direct the Government Accountability Office (GAO), within two years of enactment, to evaluate the effectiveness of clearinghouses established by DHS to share technological innovation.
The National Cybersecurity and Critical Infrastructure Protection Act of 2013 is a bill that would amend the Homeland Security Act of 2002 to require the Secretary of the Department of Homeland Security (DHS) to conduct cybersecurity activities on behalf of the federal government and would codify the role of DHS in preventing and responding to cybersecurity incidents involving the Information Technology (IT) systems of federal civilian agencies and critical infrastructure in the United States.
Wolfgang Kröger has been full professor of Safety Technology at the ETH Zurich since 1990 and director of the Laboratory of Safety Analysis simultaneously. Before being elected Founding Rector of International Risk Governance Council (IRGC) in 2003, he headed research in nuclear energy and safety at the Paul Scherrer Institut (PSI). After his retirement early 2011 he became the Executive Director of the newly established ETH Risk Center. He has both Swiss and German citizenship and lives in Kilchberg, Zürich. His seminal work lies in the general area of reliability, risk and vulnerability analysis of large-scale technical systems, initially single complicated systems like nuclear power plants of different types and finally complex engineered networks like power supply systems, the latter coupled to other critical infrastructure and controlled by cyber-physical systems. He is known for his continuing efforts to advance related frameworks, methodology, and tools, to communicate results including uncertainties as well as for his successful endeavor in stimulating trans-boundary cooperation to improve governance of emerging systemic risks. His contributions to shape and operationalize the concept of sustainability and - more recently - the concept of resilience are highly valued. Furthermore, he is in engaged in the evaluation of smart clean, secure, and affordable energy systems and future technologies, including new ways of exploiting nuclear energy. The development and certification of cooperative automated vehicles, regarded as a cornerstone of future mobility concepts, are matter of growing interest.
An Information Sharing and Analysis Center(ISAC) is a nonprofit organization that provides a central resource for gathering information on cyber and related threats to critical infrastructure and providing two-way sharing of information between the private and public sectors.
ISO 22300:2021, Security and resilience – Vocabulary, is an international standard developed by ISO/TC 292 Security and resilience. This document defines terms used in security and resilience standards and includes 360 terms and definitions. This edition was published in the beginning of 2021 and replaces the second edition from 2018.
Offshore installation security is the protection of maritime installations from intentional harm. As part of general maritime security, offshore installation security is defined as the installation's ability to combat unauthorized acts designed to cause intentional harm to the installation. The security of offshore installations is vital as not only may a threat result in personal, economic, and financial losses, but it also concerns the strategic aspects of the petroleum market and geopolitics.
Operational collaboration is a cyber resilience framework that leverages public-private partnerships to reduce the risk of cyber threats and the impact of cyberattacks on United States cyberspace. This operational collaboration framework for cyber is similar to the Federal Emergency Management Agency (FEMA)'s National Preparedness System which is used to coordinate responses to natural disasters, terrorism, chemical and biological events in the physical world.
Stress testing is a form of deliberately intense or thorough testing, used to determine the stability of a given system, critical infrastructure or entity. It involves testing beyond normal operational capacity, often to a breaking point, in order to observe the results.