Upload
angus
View
21
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Pro svetovanje. E UROPEAN CRITICAL INFRASTRUCTURE towards a definition. Renato Golob , mag. 1983. 1996. 2001. 2002. 2004. 2005. 2008. COMPANY. INFRASTRUCTURE. Telecommunication. DO WE HAVE TO SOLVE A PROBLEM ?. STATE, UNION (COMMUNITY). Health. INDIVIDUAL. Electricity. Transport. - PowerPoint PPT Presentation
Citation preview
Belgrade, April 2013 1
Pro svetovanje
EEUROPEAN CRITICAL UROPEAN CRITICAL INFRASTRUCTUREINFRASTRUCTURE
towards a definitiontowards a definition
Renato GolobRenato Golob, mag., mag.
Belgrade, April 2013 2
80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13
XX. CENTURY XXI. CENTURY
19831983First categorization of
infrastructure´s systems
80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13
XX. CENTURY XXI. CENTURY
1996199613010 - The President’s Commission on Critical Infrastructure Protection
80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13
XX. CENTURY XXI. CENTURY
20012001
New York, sept. 200113228 - Established the Office of Homeland Security and the Homeland Security Council13231 - Established the President’s Critical
Infrastructure Protection Board
80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13
XX. CENTURY XXI. CENTURY
20022002
The Administration released its National Strategy on Homeland Security
80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13
XX. CENTURY XXI. CENTURY
20042004
EU; Madrid, march 2004
80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13
XX. CENTURY XXI. CENTURY
20052005
EU; Green Paper on a European Programme for Critical Infrastructure Protection.
80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13
XX. CENTURY XXI. CENTURY
20082008
EU; Directive 2008/114/EC on the identification and designtion of European critical infrastructures and the assessment of the need to improve their protection
80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13
XX. CENTURY XXI. CENTURYXX. CENTURY XXI. CENTURY
80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13
The Stockholm Programme, 2009
The EU Internal Security Strategy in Action
Belgrade, April 2013 3
INFRASTRUCTURE
Telecommunication
InformationFood
Transport
HealthElectricity
...
INDIVIDUAL
COMPANY
STATE, UNION (COMMUNITY)
the
lev
el
of
TH
RE
AT
DO WE HAVE TO SOLVE A PROBLEM
?
PRIMARY INTEREST OF EACH STATELEGAL OBLIGATION
UNIFIED RULES: METHODOLOGIES, STANDARDS, CRITERIA, CONTROL
CENTRALISED COORDINATIONMOTIVATION MECHANISMS
Belgrade, April 2013 4
CRITICAL INFRASTRUCTURE:CRITICAL INFRASTRUCTURE:
1. Areas of Security
2. Establishing a Protection System
3. Risk Assessment – the indispensable condition
PROTECTION PROTECTION SYSTEMSYSTEM
Belgrade, April 2013 5
CRITICAL INFRASTRUCTURE: PROTECTION SYSTEM – Areas of Security
Private securityPrivate security: to prevent unauthorised persons from accessing the protected person or property and thus prevent a loss event (an event that would bring about harmful consequences).
Critical infrastructure protection Critical infrastructure protection systemsystem: to prevent any event that might interrupt comprehensive functionality.
The task, purpose or meaning of CI protection is considerably broader than the meaning of private security.
Private security is just a part of CI protection system.
Data Security
Information systems Security
Logistic Security
Communication Security
Security of Health at work
...
Natural Disasters
Fire Protection
Ecological Security
Private Security
Belgrade, April 2013 6
Sector TRANSPORT
SubS “road”SubS “railway”
SubS “air”
SubS “water”
CRITICAL INFRASTRUCTURE: PROTECTION SYSTEM – establishing a Protection System
Belgrade, April 2013 7
VSS
microlocation
Belgrade, April 2013 8
Incident
Vital Security Spots
Microlocations
Security Measures
RISK ASSESSMENT
Threats Vulnerability
Probability of the Incident Damage Consequences
CRITICAL INFRASTRUCTURE: PROTECTION SYSTEM – the indispensable condition
Belgrade, April 2013 9
1. CONCLUSIONS:
European Critical Infrastructure must be protected.
Critical infrastructure can only be protected using systemic solutions of security measures.
Proper security measures can only be identified on the basis of analysing the results of a security
risk assessment.
Belgrade, April 2013 10
Directive 2008/114/EC
Actual questions: Disputed starting points:
Article 3; “ ... The Commission may draw the attention of the relevant Member States to the existence of potential critical infrastructures which may be deemed to satisfy the requirements for designation as an ECI ...”
Article 3; based on what data, grounds or argumentations?
Article 7; which are the measures of ECI protection, that apply at the EU level?
Article 7; “ ... 3. Based on the reports referred to in paragraph 2, the Commission and the Member States shall assess on a sectoral basis whether further protection measures at Community level should be considered for ECIs...”
Article 8; Maner of ensuring access? What are the existing best practices and methodologies? Which of them are available?
Article 8; “... The Commission shall support, through the relevant Member State authority, the owners/operators of designated ECIs by providing access to available best practices and methodologies as well as support training and the exchange of information on new technical developments related to critical infrastructure protection... “
Article 3; a single criterion for determining ECI – damage (harmful) consequences
Article 3; “...2. The cross-cutting criteria shall comprise the following:(a) casualties criterion (assessed in terms of the potential number of fatalities or injuries);(b) economic effects criterion (assessed in terms of the significance of economic loss and/or degradation of products or services;(c) public effects criterion (assessed in terms of the impact on public confidence, physical suffering and disruption of daily life)....”
Article 5; ECI: assets important persons, machines, devices, materials, processes ?
Article 5: “ ... 1. The operator security plan ("OSP") procedure shall identify the critical infrastructure assets of the ECI and which security solutions exist or are being implemented for their protection ....”
Annex II; areas of security to be taken into account, considered and regulated
Annex II: “ ... ECI OSP PROCEDURE1. identification of important assets;2. conducting a risk analysis based on major threat scenarios, vulnerability of each asset, and potential impact; and3. identification, selection and prioritisation of counter-measures and procedures with a distinction between ...”
Belgrade, April 2013 11
Directive 2008/114/EC – European Commission´s competences:
There is no subject within European Commission with the competences to deal with European critical infrastructure protection.
Article 3/1:“The Commission may assist Member States at their request to identify potential ECIs. The Commission may draw the attention of the relevant Member States to the existence of potential critical infrastructures which may be deemed to satisfy the requirements for designation as an ECI.”
Article 3/1: “may assist ”, “may draw the attention” Article 3/2: “shall develop .. shall be optional”
Article 3/2:“ The Commission together with the Member States shall develop guidelines for the application of the cross-cutting and sectoral criteria and approximate thresholds to be used to identify ECIs. The criteria shall be classified. The use of such guidelines shall be optional for the Member States.”
Article 4/2: “may participate”
Article 4/2:“Each Member State on whose territory a potential ECI is located shall engage in bilateral and/or multilateral discussions with the other Member States which may be significantly affected by the potential ECI. The Commission may participate in these discussions but shall not have access to detailed information which would allow for the unequivocal identification of a particular infrastructure.”
Article 7/4: “may be developed”
Article 7/4.:“Common methodological guidelines for carrying out risk analyses in respect of ECIs may be developed by the Commission in cooperation with the Member States. The use of such guidelines shall be optional for the Member States.”
Article 7/2: “may be developed”
Article 7/2:“Each Member State shall report every two years to the Commission generic data on a summary basis on the types of risks, threats and vulnerabilities encountered per ECI sector in which an ECI has been designated pursuant to Article 4 and is located on its territory.A common template for these reports may be developed by the Commission in cooperation with the Member States.”
non obligatory (optional)
no competences, wihout authorization
impossible to protect
European Critical
Infrastructure
+
Belgrade, April 2013 12
2. CONCLUSIONS:
European Critical Infrastructure does not exist.
European Critical Infrastructure protection system does not exist.
The protection of ECI is the responsibility of Member States. But that is not possible.
OR
OR
Belgrade, April 2013 13
It is up to each individual State to determine:
- which complexes (premises) should form ECI (by drawing up a proposal for coordination (harmonization) with the neighbour States),
- the level of European critical infrastructure protection system,- supervisory (control) system.
The security of all states depends on the attitude of each individual state towards the issue of ECI
protection.No state can guarantee the security of its citizen
or property because decisions about this are adopted in other Member States.
Belgrade, April 2013 14
? standards used ?
? level of qualification and ability ?
? supervisory system ?
Centre for European Policy Studies:»Protecting critical infrastructure in the EU, CEPS Task Force Report«, 2010, Brussels:
Levels of identificationLevels of identification, levels of protectionlevels of protection and relationships between national authorities and proprietors of European Critical Infrastructure vary from one member state to another.
While there are individual cases of cooperation between member states, there is no common concept.
Different states use different risk assessment methodologies.
EU Level, ECI: thete is no system of cooperation and coordination.
Belgrade, April 2013 15
3. CONCLUSIONS:
However, the Directive is of significant value and important. This is the first time, that European
Union has officially referred to and pointed out the existence of European critical infrastructure
and the need to dedicate considerable attention to protecting it.
Belgrade, April 2013 16
FUTURE: Does ECI exist?
Does EU want to establish a system for its protection?
BASIC / INITIAL
CONCEPT
ECI shall be identifiedidentified and determined by ECdetermined by EC.
Centralized coordinationCentralized coordination.
Owners: have to ensure the functionalityto ensure the functionality of protection systems.
Unified rulesUnified rules for all member states.
The obligation has to be determined by lawdetermined by law.
System of motivationSystem of motivation.
Treaty on the Functioning of the European Union
Belgrade, April 2013 17
TASKS TO BE DONE:
European CommissionEuropean Commission:: - ECI Agency.
ECI Agency:- ECI identification, - ECI categorization,- uniform (common) rules (methodologies, criteria, standards, ...),- supervisory system,- ...
Owners:- risk assessment,- security measures,- operator security plan,- ECI protection system.
Belgrade, April 2013 18
detailed project proposal: “ ECI Protection System”
- preparing,
- confirmation,
- realization.
European Commission
Directorates
Member States
data
Development & Research Institutions
research, analysis
External expert´s Groups
(practice, experience)
ECI Agency
coordination
Belgrade, April 2013 19
4. CONCLUSIONS:
EU has two possibilities:
Directive 2008/114/EC:
there is no ECI
member states are entirely responsible for the protection of their CI
ECI Protection System:
centralized coordination of the ECI protection system, that has been defined and determined by law or the relevant legal act
member states are entirely responsible for the protection of their CI
Belgrade, April 2013 20
Literature and sources:1. CEPS (Centre for European policy studies), 2010: Protecting critical infrastructure in the European Union, Brussels.2. European Commission, 2005: Green Paper on a European Programme for Critical Infrastructure Protection, Brussels.3. European Commission, 2012; On the review of the European Programme for critical infrastructure protection (EPCIP), SWD(2012) 190 final,Brussels,4. European Council, 2009: The Stockholm Programme – An open and secure Europe serving and protecting citizens, Official Journal of the European Union,C 115/1,5. European Council, 2011: The EU Internal Security Strategy in Action: Five steps towards a more secure Europe, COM(2010) 673 final,6. Koubatis, A, Schonberger J.Y., 2005: Risk Management of Complex Critical Systems. International Journal of Critical Infrastructures, br. 1 / 2,3.7. Michel-Kerjan, E., 2003: New Challenges in Critical Infrastructures: A US Perspective, Journal of Contingencies and Crisis Management, br. 11 / 3, John Wiley & Sons, Inc., New York.8. Nozick, L., Turnquist, M, 2005: Assessing the Performance if Interdependent Infrastructures and 5. Optimising Investments, International Journal of Critical Infrastructures, br. 1 / 2,3.9. Prezelj, I., 2008; Definicija in zaščita kritične infrastrukture Republike Slovenije, Fakulteta za družbene vede, Obramboslovni raziskovalni center, Ljubljana.10. Svet Evropske skupnosti, 2008: Direktiva o ugotavljanju in določanju evropske kritične infrastrukture ter o oceni potrebe za izboljšanje njenega varovanja, Bruselj,
Photo 1, slide 5: http://www.google.si/imgres?imgurl=http://www.borutgorenjak.com/UserFiles/Image/dogodki/balon14.jpg&imgrefurl=http://www.borutgorenjak.com/objava.aspx?id%3D38&h=307&w=460&sz=111&tbnid=mi1g-zkFK7bpZM:&tbnh=90&tbnw=135&prev=/search%3Fq%3Dletali%25C5%25A1%25C4%258De%2Bmaribor%2Bfoto%2Bphoto%26tbm%3Disch%26tbo%3Du&zoom=1&q=letali%C5%A1%C4%8De+maribor+foto+photo&usg=__E1ZlZZGtOFpVEg3bX_o9zvX1nc=&docid=rigH9cqeA8xhjM&hl=en&sa=X&ei=yML1UOfiHo6RhQfdtYDQAg&ved=0CDsQ9QEwBQ&dur=9359Photo 2, slide 5: http://www.google.si/imgres?imgurl=http://mw2.google.com/mwpanoramio/photos/medium/57570669.jpg&imgrefurl=http://www.panoramio.com/photo/57570669&h=332&w=500&sz=33&tbnid=1AqHaIyHe-ilDM:&tbnh=90&tbnw=136&prev=/search%3Fq%3Dtunel%2Btrojane%2Bfoto%2Bphoto%26tbm%3Disch%26tbo%3Du&zoom=1&q=tunel+trojane+foto+photo&usg=__ybIwPGycmS7jVTC2NHGyez267D8=&docid=bt8U1qVg3oDAM&itg=1&hl=en&sa=X&ei=HLL1UPO_GNS1hAfCzID4Bw&ved=0CEkQ9QEwCQ&dur=11000Photo 1, slide 6:http://www.google.si/imgres?imgurl=http://www.planetware.com/i/map/TR/troy-ground-plan-map.jpg&imgrefurl=http://www.planetware.com/map/troyground-plan-map-tr-troy2.htm&h=737&w=700&sz=288&tbnid=L2XS3OTkdSJtfM:&tbnh=85&tbnw=81&prev=/search%3Fq%3Dground%2Bplan%2Bphoto%26tbm%3Disch%26tbo%3Du&zoom=1&q=ground+plan+photo&usg=__y60MSOffP4_Vz8doe_llVKrj94Q=&docid=wzvkNEd4YTQAQM&sa=X&ei=A9v2UMSXL4ZhQe58YHwAg&ved=0CC4Q9QEwAQ&dur=110Photo 2, slide 6:http://www.google.si/imgres?imgurl=http://www.museum.ky/dsn/wwwmuseumky/Content/Images/ground-floor.jpg&imgrefurl=http://www.museum.ky/116/Museum-Maps.htm&h=318&w=499&sz=65&tbnid=QdLBOuipIARJRM:&tbnh=76&tbnw=119&prev=/search%3Fq%3Dground%2Bplan%2Bphoto%2Bmuseum%26tbm%3Disch%26tbo%3Du&zoom=1&q=ground+plan+photo+museum&usg=__nk1UZKlYIv9B2gi3ibLyYLjtiRE=&docid=tCTX4CzHmg7UDM&sa=X&eOdv2UJepKZO3hAfW34DoBQ&ved=0CDQQ9QEwAw&dur=5656
Belgrade, April 2013 21
Renato Golob, mag.Pro svetovanje d.o.o.
[email protected] 386 41 767 237
Thank you for your attention.