Critical Infrastructures and adaptive security
In this article we wish to give a logical representation, through the mechanism of the conceptual map, to the overall vision of the subject of Critical Infrastructures (CIs).
In Figure 1 a conceptual map is shown that starts from the concept of CIs and unfolds, without ties of cause and effect but only with conceptual ties, the entire range of aspects which, according to the writer (the author of the map), are related to the identification, understanding, protection and management of critical infrastructures.
If we start from the concept of CIs, we immediately see two distinct branches of the map: the one relative to the concept of infrastructure and the one relative to the concept of criticality.
The first is tied to the activities of the Economic and Productive System of the Country and to the structures that are its constitutive backbone. It concerns assets/goods/properties or services, defined by their “use” (or more precisely by their possible multiple uses) understood as “functional specification of purpose”.
For our purposes, three concepts are fundamental to the description of a property or a service: supply possibility (energy and telecommunications, which have no storage capability, are defined as ultra-critical in the United States); alternatives (the possibility of obtaining the same property or service from other operators); and fungibility (the possibility of obtaining the same final result, e.g. transportation from one place to another, using other non-homologous assets, goods or products).
All those who deal with the issue of the CIs have faced the subject of the taxonomy of the infrastructures, many starting from bottom-up methods, almost all converging on top-down methods, which start from the definition of “critical sectors” and from there deduce, by association, the possible CIs. A prerequisite of any taxonomic reasoning is the snapshot of the space one wishes to represent (State, Region, City, district etc.). In the following figure we show some examples of taxonomies, in particular the European, the G8, the American, Russian, British, Dutch, French and German. The coloured items refer to Countries that differentiate the definition of a sector from the others (the corresponding Country has the colour symbol of the definition).
Information is tied to the concept of infrastructure (and is, moreover, a sensitive issue for the management of what could be non-public information). Information concerns geographical, geological, anthropological and social aspects, and naturally also the use (or uses) and the possession (which determines mission and vision) by the interested parties.
We find again the concept of use, and to this we tie the lasting and fundamental science of the quality of the service/product, the basis of contracts and the connection link to the user of the production chain, the end-user [QOS – Quality of Service].
Normally, the measure of the quality indicates a measure of the characteristics or properties of an entity (a person, a product, a process or project) compared to what is expected from such entity, for a particular use/service etc.
The concept of quality is a general concept, but applicable to all human realities; what changes is the measurement yardstick, which depends on two subjects: who supplies the product and who commissions and/or uses it.
Here, therefore, it is necessary to identify what the subjects and the basic elements of the quality of a product/service are, and the relative processes: those who express the requirements and needs are, normally, the clients and those who furnish the product/service are businesses, institutions or public/private organizations.
The product must have a defined quality. In other words, it must have been designed and realized in accordance with specifications and defined standards and be without non-compliances or defects. These are perceived as the principal instrument by which the client can evaluate whether or not requirements have been fulfilled in a satisfactory way. The document that summarizes the characteristics of the product/service is usually the contract, the specifications, the agreement, the list of services and/or the quality plan. In such documents, the relative criteria for acceptance must also be specified. In accordance with the ITU E.800 Recommendation, the quality of service (QOS) in telecommunications is defined as “The overall effect of the performance of the service that determines the degree of satisfaction expected by the user of the service”. From the point of view of the telecommunications network, the quality of the service represents the ability of the network to guarantee a certain level of service.
The other branch is that of the concept of criticality. To define the word ‘criticality’ (or ‘vitality’, as the French call it), it is necessary to have primarily defined one’s own role, interests and objectives. Typical examples of objectives in the case of a private individual are shown in the following Figure 2 [GNOSIS].
The primary definition of interests defines the strategy with respect to one’s mission and to the vision one has of one’s role (the State, businesses, persons, professional associations, each has its own definition of interests from which derives the choice of strategic objectives and, therefore, protection of same).
The analysis of criticality is an analysis of the risks, that is, of threats, vulnerability and exposure. The threats are notoriously natural (tied to territory and space) and anthropogenic (voluntary or accidental). The latter constitute a panoply of possible forms, from cybernetic to nuclear, biological and chemical, to economic. Often, in the evaluation of threats, the so-called black swans are omitted; these are events of the lowest probability and the highest impact [TALEB]. In recent years, alongside the risk analysis and the latest legislation, the methodology of impact evaluation [DOMINO] has also taken root, both on the directly affected area (the “crater”) and on the domino effect. All the analysis and evaluation methods are founded on the theory of measurement [STR].
Typical metrics of impact measurement are shown in the following Table:
- Disruption of daily life
- Faith in the institutions
- Disruption of the democracy
- Impact on the social order
- Impact on the work of the institutions
- Violation of territory
- Public disorder and panic
- Negative effect on trademarks and national businesses
- National Gross Happiness
The metrics shown in capital letters are those indicated by the Council Directive relative to the identification and designation of the European Critical Infrastructures and to the evaluation of the necessity to improve their protection, No. 114/08 EC [DIR]; those indicated in italics are some of those used (besides the first two) in the United States [DHS1], where the definition of the CIs is “the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, National economic security, public health or safety, or any combination thereof”.
The last metric is used in Bhutan. Bhutan is a parliamentary constitutional monarchy of a predominantly rural kind. The families are used to living in an autarkic way, with food reserves that can outlast even six months of isolation, due to the snow, the heights and the precariousness of the roads (the only means of transport). The King, Jigme Khesar Namgyel Wangchuck, declared that the value to be preserved in the State is the rate of average happiness and to this has attached (almost as a kind of CI) the possibility of practicing collective participation in the Buddhist religious events.
Naturally, from the definition of the objectives comes the answer to the question “what do I protect?” and from this, the evaluation and acceptance of the residual risk and the definition of the tactic of “how do I protect?” (opting for actions that increase the robustness, the resilience – namely the ability of partial or total recovery following incidents or attacks or, for example, creating mechanisms of insurance protection). All choices made on what and how to protect go to influence the management of an eventual crisis which, in the map, is found in a section by itself.
The branch of the crisis is essential in treating the CIs. The moments of activity relative to the crisis are distinct from the occurrence of the event. Preparation, prediction, protection and sharing of the so-called “social pact” based on the residual territorial risk are all activities carried out in “peacetime”. Management, attenuation and recovery are a series of actions that are organized and defined in peacetime to face the event of crisis. Whatever the activity related to the crisis (and whatever the geographical extent of the crisis itself), it can never be separated from communication: vertical between the actors of the reaction system and horizontal towards the citizens.
Finally, there are some specific branches of the concept of CIs. Among these we include: the methods of information sharing; the methods proposed scientifically to date for the treatment of the subject; and, naturally, the history. A typical problem which, still today, is far from a reliable solution is the construction of scenarios and the modeling of the interdependences between infrastructures.
The scientific community is working for the realization of predictive and simulation models [DOMINO].
The map is completed with two branches of no lesser importance. The economic factors, subject of field studies for the understanding and identification of the best practices in terms of public-private relationship and of incentives, and the regulatory factors tied to concepts of legitimacy and legality, and also to control mechanisms sustainable by the whole community (hence, sanctions, compulsoriness and responsible actors). Certifications and de facto standards are also tied to the subject of legislation.
Shown in the following figure is a synoptic table of the national regulations that speak (explicitly or implicitly) of CIs.
The table shows, in abscissa, the rules (without claiming completeness) and, in ordinate, those sectors of table 1 which are influenced by at least one rule. Only “general” rules are analyzed, obviously not the sectorial ones. At the foot of the table some columns of comments are shown. First of all, one asks whether there is a definition of CI in the cited regulation: often the regulations start from the assumption that it has already been established (universally known) and are concerned only with establishing activities and/or related performances. One then asks whether the cited regulations are perceived by the operators (in a general sense) as improvements of the general level of protection (robustness and resilience) of the National Economic and Productive System, and whether they impose obligations and sanctions on the operators. Where NN (not known) or “?” (perhaps) is shown, it is understood that the topic could be the subject of further study.
Alongside the subject of the regulations that govern and, in a certain way, support the task of protection of the CIs in a Nation, is the issue of the standards. The ongoing extensive European debate in occasion of the revision of the Directive 114/08 EC is related precisely to the following question: “Is it more advantageous to formulate compulsory regulations and impose, in some way, specific levels of protection, or, on the contrary, work towards a public-private collaboration which favours raising the minimum general protection level of the National Economic and Productive System through voluntary measures and de facto standards?”. The debate is in full swing and it is presumed that in a year the European Union will formulate the new version of the Directive and accompanying measures.
The United States has a Law on the protection of the CIs, which establishes the minimum level of protection with reference to the standards of the NIST (www.nist.org). In this way, the regulation does not necessitate continual updating, but imposes on the persons involved, adaptation of their measures to the standards in force published from time to time by the NIST.
Great Britain adopts a philosophy which is based, decisively, on public-private collaboration, and limits to the maximum the compulsoriness of laws, basing the minimum levels of security on adaptation de facto to market demands (also through involved supply chains, through contracts and by the maintenance of the minimum levels required by the users).
The national legislation is, however, deficient also in the definition of the professional profiles tied to the security (the security managers, the related offices, the skills, the responsibilities …). The ISO bodies are moving towards standardization also in this sense and the community sectors – especially sectors which are particularly vital because of the amount of direct dependency and for the timing of action of this dependency (such as electrical and energy in general) – are “organizing” in fact, to optimize the cost/benefit ratio of their actions, also in regard to protection.
The UNI, the Italian Organization for Standardization, has developed a Standard licensed as “Italian Standard UNI 10459 - Functions and profile of the Corporate Security professional”(2), for the purpose of the evaluation and qualification of such professionals.
The concept of Security is thus summarized: “Study, development and implementation of the strategies, policies and operational plans designed to prevent, cope with, and overcome events that are prevalently of a willful and/or negligent nature, which can damage tangible, intangible, organizational and human resources of which the company disposes or necessitates to guarantee an adequate competitive capacity in the short, medium and long term”. The standard is currently under revision.
The profession of security, above all, in the sphere of companies and Public Administrations which can represent, for various reasons, a critical or, in any case, a vital infrastructure, cannot be without regulatory or training aspects. On the one hand, the standard must provide for the professional requirements, on the other, the provision of training should increasingly meet the demand that satisfies these requirements, whether they are sanctioned by standards or de facto. The writer asked the President of the SIOI (the Italian Society of International Organization), the Honourable Franco Frattini, his opinion on the importance of the topic “critical infrastructure protection” and, in particular, the necessity of a new extremely specific training provision, as well as a possible update of the national and European regulatory panorama. In fact, under the supervision of the President of the SIOI, starting from 2013, a Master on the “Strategic Protection of the National Economic and Productive System – the Critical Infrastructures” will begin in SIOI. It is particularly innovative because it combines the “engineering” vision of protection with geopolitical and predictive analysis of an economic, strategic, anthropological and sociological nature. 
“With regard to the first point, it was the time to start promoting an analysis and strategic training on the issue of the protection of the critical infrastructures and the work we have done together here at the SIOI to promote the first Master in the “Strategic Protection of the National Economic and Productive System - The Critical Infrastructures” is the sign that Italy as a whole is getting together to take this matter seriously. It is a matter of high strategic importance because it concerns the security of the Country in all its junctures, not only security, in the traditional sense, but obviously, all the infrastructures that form the backbone of a Country, the physical ones, those of knowledge, those of communication and those of research. They are very vulnerable infrastructures because the threat is diversified. There are examples, also recently, of important attacks on a State, not on a single company. I remember, as European Commissioner (European Commissioner for Justice, Freedom and Security from 2004 to 2008 – author’s note), I promoted – having also the security delegation – a communication on the subject of protection of the critical infrastructures (from which the Directive 114/08EC derives – author’s note) when the attack against the informatics systems of a State took place, that is, against Estonia. It became, if only for a number of hours, a Country which was totally unable to function. If we imagine a repetition, on a larger scale, of an informatics attack on the junctions of a Country which regulates the services to the citizens, i.e. the banking system, the water and electrical supply, we should then see how the critical infrastructures are truly crucial, totally interconnected and, unfortunately, all vulnerable. The strategic importance derives from this.
We shall have powerful cooperation in the Master among personalities and teachers who come not only from the world of theory, but from the world of profound knowledge in the matter, who are professionals and can raise all the questions in a practical way, also those related to the single sectors. Regarding the second point. What is lacking in the national regulatory panorama? … It must be said that protection of the infrastructures is not achieved by passing a new Law. The Laws can certainly be reviewed, certainly this or that network or infrastructure can be defined as strategic interest, but it is not “by Law” that a prevention and protection strategy is achieved. It is achieved by the circulation of information, by collaboration, by sharing tools with which to act and, therefore, by a better use of Intelligence, from economic Intelligence to targeted Intelligence, from SIGINT to HUMINT, both Intelligence tools must be involved. What has probably been lacking in the Italian system, up to this point, is a specific focus, which would be very interesting to create in a permanent way, both within the Intelligence structures – which are, obviously, already involved for institutional purposes – and by putting together all the strategic actors and disseminating knowledge and sharing strategies and methods. To be clear, this is a matter where, besides the Intelligence apparatuses, central administrations must also be protagonists. The Treasury, with its financial security committee; The Ministry of Foreign Affairs, with its strategic committee for sovereign wealth funds, (which I constituted in 2009); The Ministry for Economic Development, with its centers of strategic analysis on what can affect or damage, for example, the national energy and transport infrastructures. A synergy is indispensable. The private individuals are necessary; also the business associations must increasingly become sharers of this national strategy. 
I offered to the then President of Confindustria a permanent space with the Ministry of Foreign Affairs to analyze, in this case, the protection needs of the Italian interests when Italy invests in this or that Country: to know the fabric of the place where one goes to invest is a precious element for the “made in Italy” that invests in the world; but, at the same time, this should be done also because of the effects that foreign presence in Italy may have on the infrastructural panorama. Important and sensitive infrastructures require all this and I believe that, thanks also to this Master, we shall be able to focus on the necessity of an Italian economic and productive system which is aware that the critical infrastructures are the backbone of a modern Country and as such must be protected. There can be no room for vulnerability. For example, we imagine that the analysis on threats conducted by the Intelligence apparatuses takes into consideration also non-conventional attacks, but the non-conventional attacks presuppose prevention. In the event of a non-conventional attack, the reaction is always delayed, since, if one speaks of a biological or cyber-attack, either the prevention functions, or the reaction does not always allow the repair of the damage perpetrated against the infrastructural network”.
The process of risk analysis and preparation for incidents, in terms of robustness and resilience, is based on the PDCA cycle [ANR], [ANR2]. Many standards, such as UNI CEI ISO/IEC 27001:2006 (Information technology – Security techniques – Information Security Management System – Requirements), an international standard that defines the requirements for setting up and managing an information security management system (SGSI, or ISMS from the English Information Security Management System) and covers aspects of physical, logical and organizational security, are based on the PDCA cycle:
- Planning and Design,
- Maintenance and improvement,
similar to what is provided by the quality management systems. In the design phase, however, the provision of a risk assessment is required, schematized as follows:
- Identification of the risks,
- Analysis and evaluation,
- Selection of the objectives of control and activity of control for the management of the risks,
- Assumption by the Management of the residual risk,
- Definition of the Statement of Applicability.
- The ISO 22399 Standard, issued in 2007, describes the good practices in operational continuity (CO) matters. It is an ISO/PAS (that is, a “Publicly Available Specification”, which makes this standard even more tenuous in terms of compliance and makes it a mere indication of opportunity), with the title “Societal security - Guideline for incident preparedness and operational continuity management”;
- The ISO 22301 Standard (“Societal security - Preparedness and continuity management systems - Requirements”), which will be issued during 2012, is based on the second part of BS 25999 (issued by the British standardization body, equivalent to the Italian UNI) and deals with the management system of the CO and of its verification, to create and manage a Business Continuity Management System (BCMS). All the existing standards have shown, in their application to the threats and incidents of recent years, that they have had to be combined de facto with processes of predictive analysis to allow companies to turn towards an “adaptive” security.
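The risk assessment steps listed above (identify, analyze and evaluate, select controls, have management assume the residual risk, produce the Statement of Applicability), worked through in code as an added example; it is not code from the article or from the ISO/IEC 27001 standard. It scores each risk as the product of the three factors the article names for risk analysis (threat likelihood, vulnerability, exposure) on constructed 1-5 scales, picks controls greedily by score reduction per unit of cost, and flags residuals above a constructed appetite as needing a formal management decision. All assets, threats, controls, costs and the appetite value are invented for illustration.

```python
from dataclasses import dataclass, replace

# All scales, assets, threats, controls and costs below are constructed for illustration.


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int      # 1..5: probability of the threat (natural or anthropogenic)
    vulnerability: int   # 1..5: how easily the weakness can be exploited
    exposure: int        # 1..5: impact on the asset's mission if the threat materializes

    def score(self) -> int:
        return self.likelihood * self.vulnerability * self.exposure


@dataclass(frozen=True)
class Control:
    ref: str
    name: str
    asset: str       # asset it protects, "*" for organisation-wide controls
    factor: str      # which risk factor it lowers
    reduction: int   # points removed from that factor (never below 1)
    cost: int        # annual cost in arbitrary units


RISK_APPETITE = 12   # constructed: highest residual score accepted without a formal decision


def identify_risks() -> list:
    """Step 1: constructed risk register for an illustrative energy operator."""
    return [
        Risk("SCADA network", "malware via removable media", 4, 4, 5),
        Risk("Customer portal", "credential stuffing", 5, 3, 2),
        Risk("Backup archive", "flood at the data centre", 1, 3, 5),
        Risk("Power substation", "coordinated physical sabotage", 2, 4, 5),
    ]


def control_catalogue() -> list:
    """Constructed catalogue of candidate controls (hypothetical references C1..C7)."""
    return [
        Control("C1", "USB port lockdown on control network", "SCADA network", "vulnerability", 3, 5),
        Control("C2", "Segmentation of control network", "SCADA network", "exposure", 2, 40),
        Control("C3", "Multi-factor authentication", "Customer portal", "vulnerability", 2, 10),
        Control("C4", "Login rate limiting and lockout", "Customer portal", "likelihood", 2, 3),
        Control("C5", "Off-site backup replica", "Backup archive", "exposure", 3, 25),
        Control("C6", "Security awareness and reporting programme", "*", "likelihood", 1, 8),
        Control("C7", "Perimeter CCTV and patrols", "Power substation", "likelihood", 1, 30),
    ]


def apply(risk: Risk, control: Control) -> Risk:
    """Return the risk with the control's factor reduced (floor 1)."""
    current = getattr(risk, control.factor)
    return replace(risk, **{control.factor: max(1, current - control.reduction)})


def treat(risk: Risk, catalogue: list) -> dict:
    """Steps 2-4: evaluate the inherent score, pick controls greedily by score
    reduction per unit cost until the residual is within appetite, then record
    whether management must formally accept what remains."""
    candidates = [c for c in catalogue if c.asset in (risk.asset, "*")]
    chosen, current = [], risk
    while current.score() > RISK_APPETITE:
        best, best_ratio = None, 0.0
        for c in candidates:
            ratio = (current.score() - apply(current, c).score()) / c.cost
            if ratio > best_ratio:
                best, best_ratio = c, ratio
        if best is None:          # no remaining control lowers the score any further
            break
        chosen.append(best)
        candidates.remove(best)
        current = apply(current, best)
    return {
        "asset": risk.asset,
        "inherent": risk.score(),
        "residual": current.score(),
        "controls": [c.ref for c in chosen],
        "within_appetite": current.score() <= RISK_APPETITE,
    }


def assess() -> dict:
    catalogue = control_catalogue()
    return {r.asset: treat(r, catalogue) for r in identify_risks()}


def statement_of_applicability(results: dict, catalogue: list) -> dict:
    """Step 5: every catalogue control with the reason it is, or is not, applicable."""
    soa = {}
    for c in catalogue:
        treated = [a for a, r in results.items() if c.ref in r["controls"]]
        if treated:
            soa[c.ref] = "applicable: treats risk on " + ", ".join(treated)
        else:
            soa[c.ref] = "not applicable: no residual above appetite that it would reduce"
    return soa


if __name__ == "__main__":
    results = assess()
    for r in results.values():
        flag = "" if r["within_appetite"] else "  <-- needs formal management acceptance"
        print(f"{r['asset']:16} {r['inherent']:3} -> {r['residual']:3} via {r['controls']}{flag}")
    for ref, status in statement_of_applicability(results, control_catalogue()).items():
        print(ref, status)
```

In the constructed register the substation risk ends with a residual of 20 because no catalogue control lowers it further: that is exactly the case the fourth step covers, where the residual must be assumed explicitly by management (or insured, as the article notes later) rather than silently left in the register.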
The World Economic Forum, in its 7th Report, Global Risk 2012, analyzes the ten major risks in five different categories (Figure 4), identifying, in this way, risks of an economic, environmental, geopolitical, social and technological nature. The Report was made through a survey which consulted 469 experts and leaders in the sector.
The following figures show the graphics of the 10 major risks divided into the 5 different categories, graphing their impact in function of the probability of their occurrence.
Fig. 4: 10 major risks divided into the 5 categories
In the figure that follows (Figure 5), all the risks identified in the 5 different areas are shown, graphing them, as always, in function of their impact and probability. The figure shows the interconnections between the various risks as they emerged in the survey.
In the survey, it was also asked to identify 5 “gravity centers”, one for each category.
The figure that follows (Figure 6) shows the entire network of interconnections between the global risks.
From the results of the survey, the gravity centers mostly indicated are:
- Chronic fiscal imbalances (economic)
- Greenhouse gas emissions (environmental)
- Global governance failure (geopolitical)
- Unsustainable population growth (societal)
- Critical systems failure (technological)
The analysis of the 2012 Global Risk Map shows that there are 4 risks that play a significant role in connecting the gravity centers to each other.
- Severe income disparity (economic)
- Major systemic financial failure (economic)
- Unforeseen negative consequences of regulation (economic)
- Extreme volatility in energy and agriculture prices (economic)
The Weak Signals also emerge from the figure, defined as the least connected risks in the network (on the basis of the number of connections and of how many times they were chosen by the respondents). They are:
- Vulnerability to geomagnetic storms (environmental)
- Proliferation of orbital debris (technological)
- Unintended consequences of nanotechnology (technological)
- Ineffective drug policies (societal)
- Militarization of space (geopolitical)
In the preparation of their business strategies and in the focusing of their investments in security and protection, the large companies and multinationals must face also these “macro” risks and the consequences that could affect their business and operability.
The necessity emerges for a smart predictive analysis of the economic, technological, geopolitical, social and environmental type (also in an anthropological sense), to understand and predict the future scenarios in which we may have to operate.
On a reduced scale, the small and medium businesses (SMEs) face the same problem, but with fewer resources to allocate. The risk analysis approach, typically PDCA, is sound but static and should be integrated with a vision and an organization that “adapt” in real time to the threats, to reduce costs and organizational effort. To do this, cycles analogous to the PDCA must be provided, but shorter in duration and faster in the countermeasures to be adopted, which must be predefined and ‘real time ready’, where the real time is to be determined in advance according to the activity to be implemented, the threat being studied, or the risk one wants to attenuate.
It is an innovative and extremely effective method for reducing the costs and increasing the results of the implemented measures of robustness and resilience, as well as for supporting the strategic and tactical decision on the so-called “residual risk” (i.e. on which countermeasures, in terms of robustness and resilience, are not implemented but, in the best of cases, covered by insurance).
Naturally, a process of this kind requires a continual analysis of the scenario (a kind of reasoned OSINT and economic and risk intelligence, produced in an insourced or outsourced way and shared through Information Sharing and Analysis Centers (ISAC) [ISA1] [ENISA] or other forms of information sharing at a sectorial and supra-sectorial level).
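The fast “adaptive” loop described above, as an added example that is not part of the article: countermeasures and their time budgets are fixed in peacetime in a playbook, and indicators arriving from a sharing centre or OSINT analysis are matched against it so that the action and its deadline are known immediately rather than decided under pressure. Threats without a predefined countermeasure are listed separately so they can be fed back into the slower PDCA cycle. The playbook entries, the indicator feed and the `Countermeasure`/`Indicator` types are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Countermeasure:
    threat: str
    trigger_level: int     # minimum indicator severity (1..5) that activates it
    action: str
    budget: timedelta      # "real time" agreed in advance: detection -> action in place


# Constructed playbook: decided and rehearsed in peacetime, before any indicator arrives.
PLAYBOOK = [
    Countermeasure("phishing campaign against operators", 2,
                   "push warning banner to mail gateway", timedelta(hours=2)),
    Countermeasure("phishing campaign against operators", 4,
                   "block sender domains and reset passwords of targeted staff", timedelta(minutes=30)),
    Countermeasure("ddos against customer portal", 3,
                   "enable upstream traffic scrubbing", timedelta(minutes=15)),
    Countermeasure("flood warning for data centre region", 3,
                   "fail over to off-site replica", timedelta(hours=6)),
]


@dataclass(frozen=True)
class Indicator:
    source: str        # constructed: sector ISAC feed, national CERT, OSINT analyst
    threat: str
    level: int         # 1..5 severity as assessed by the source
    seen_at: datetime


def plan_actions(indicators: list, now: datetime) -> list:
    """Match each indicator to every predefined countermeasure it activates,
    compute the deadline from the agreed budget, and flag actions already late."""
    actions = []
    for ind in indicators:
        for cm in PLAYBOOK:
            if cm.threat == ind.threat and ind.level >= cm.trigger_level:
                deadline = ind.seen_at + cm.budget
                actions.append({
                    "threat": ind.threat,
                    "source": ind.source,
                    "action": cm.action,
                    "deadline": deadline,
                    "overdue": now > deadline,
                })
    actions.sort(key=lambda a: a["deadline"])   # most urgent first
    return actions


def unplanned(indicators: list) -> list:
    """Threats in the feed with no predefined countermeasure: these cannot be
    handled by the fast loop and must go back to the slow PDCA cycle."""
    known = {cm.threat for cm in PLAYBOOK}
    return sorted({i.threat for i in indicators if i.threat not in known})


def sample_feed() -> list:
    """Constructed indicators as a sharing centre might deliver them."""
    return [
        Indicator("sector ISAC", "phishing campaign against operators", 4, datetime(2012, 6, 1, 9, 45)),
        Indicator("national CERT", "ddos against customer portal", 3, datetime(2012, 6, 1, 9, 30)),
        Indicator("OSINT analyst", "flood warning for data centre region", 2, datetime(2012, 6, 1, 8, 0)),
        Indicator("sector ISAC", "insider data exfiltration", 3, datetime(2012, 6, 1, 9, 50)),
    ]


if __name__ == "__main__":
    now = datetime(2012, 6, 1, 10, 0)
    for a in plan_actions(sample_feed(), now):
        late = " (OVERDUE)" if a["overdue"] else ""
        print(f"{a['deadline']:%H:%M} {a['action']} [{a['source']}]{late}")
    print("no playbook entry:", unplanned(sample_feed()))
```

With the constructed feed, the level-4 phishing indicator activates both the level-2 and the level-4 entries, the DDoS action is already past its fifteen-minute budget at 10:00 and is reported first, the level-2 flood warning activates nothing, and the insider threat is returned by `unplanned` for the slow cycle.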
Generally, the predictive analysis supports, especially among some governments, the strategic decision and the tactical formulation also from the economic point of view. Today, we often speak of ‘cognitive warfare’, based on the use (and not only on the appropriation) of information and knowledge that is reasoned, analyzed, synthesized in possible scenarios and forecasts.
Professor Alessio Piccirilli, lecturer at numerous universities and expert in geopolitics and economic Intelligence, describes the matter of predictive analysis applied to the CIs in this way. “What is meant by predictive analysis of the geopolitical type in the area of CI protection depends, obviously, on the single infrastructure and its intrinsic organization. And, in fact, on outsourcing and direct dependences (supplies, raw materials, enabling factors etc.). Geopolitics is a particular methodology that individuates, identifies and analyses the conflictual phenomena and the offensive and defensive strategies centered on the possession of a territory (a space, a dimension) under the triple gaze of influence of the geographical environment, in both the physical and human senses, of the political, economic, cultural and religious argumentations of the contenders and of the constant tendencies of history (from the Viconian perspective). In this sense the analysis is phenomenalized in the Noosphere (world of thought that is realized through the human capacity of profound reflection, sphere of knowledge and awareness) in which one reaches out towards the Omega Point (definable as the maximum level of complexity and informative consciousness and point of no return). In the CI context, increasing emphasis will be placed on information war and on the new frontier of the cognitive war (which literally ‘broke out’ with the technological revolution of information, with the nanotechnologies and with the exceeding of corporeal limitations). Today, the economic Intelligence and critical infrastructures connection is evident, and together, constitute the ‘Sun of the future’. In this respect, there is no doubt that the information war is of fundamental importance in the economic arena; new front of the contemporary societies.
Without going too far into the argument, we can mention the fact that, today, the Economy of Knowledge is not spoken of as a new frontier, but as an obligatory path for survival; the life and victory in the global competitive scenario within the most diverse areas, from the social to the scientific, placing the accent on how the intangible capitals have become a fundamental part of corporate policies and not on changing old paradigms of thought that saw them only as a waste and a futility. The Knowledge Economy is directly inter-connected with the Society of Information in which we are immersed, but while this last term indicates a resource, to make Knowledge Economy means to valorize it, transform it from raw metal to gold, and then to use it, to make of it a tool to increase our well-being. Knowledge, therefore, is the fundamental precondition; it is the vital lymph for any activity that leads to success, but alone, it is not sufficient. It is nothing without its predictive analysis. In fact, it must be carefully supported by a correct planning of the objectives and by a subsequent process of transformation of the data into useful information. The analysis and management of the information becomes much more necessary when, as in the present period, with the increase of the quantity of available data, the uncertainty tied to it increases in parallel. It is misunderstanding that dominates the world scenario. Our economies, like our social structures, will be more and more digitalized/interconnected and will present significant vulnerability tied to the structural need to which the economic system, present and future, cannot but be open and fluid. 
Since the 90’s, it has become increasingly clear that the logics of conflict present in the geopolitical ambit have moved within the context of economic conflict, where all the actors must be able to put in place strategies of dominance founded on the control of the information infrastructures and flows of technological, cultural and economic flows. A true strategic plan, or rather, a strategy par excellence, which recognizes the new modern needs, must, by now, take into serious consideration the vulnerability of the critical infrastructures in the information ambit. Although the use of discredit and disinformation campaigns have always existed in the political-economic context, nevertheless, the real exponential acceleration of the informative digitalization has determined the necessity on the part of the States and the non-State actors to equip themselves with a defensive and offensive apparatus to meet the challenges. As scholars of psychological warfare know, disinformation is an offensive weapon that has particular characteristics, because it is one-way. Its effects are particularly insidious and can come to light only after the event; but especially, the objectives of disinformation are, on the one side, aimed at loss of reputation and legitimacy of the adversary and, on the other, to impede financial support. While in the traditional conflicts, the economy of the powers rested on an inertial dimension and the logistics supremacy constituted the natural dimension for the victory or defeat, in the cognitive war, it is not possible to impose a systemic symmetry and, contrary to the conventional conflicts, those informative conflicts are autonomously independent of those who construct or send the message. Destroying the spokesman of the message does not change the dimension of the cognitive conflict, but has the diametrically opposite effect, in that it finishes by reinforcing the adversary. 
In this strategic perspective, the absolute control of the information infrastructures becomes fundamental. However, it is obvious that the control of the global information infrastructures is incompatible with its broad and unstructured way of unfolding in the world of today. Furthermore, the exponential growth of the information infrastructures does not allow the possibility of a coordination of the vertical and hierarchical kind. What has been said starts from the assumption that the global control of the infrastructure of the information flows would permit a global dominance of the infrastructure of the economy and political sphere. However, this conception is naïve since it ignores the fact that the control of information is different from the formation of judgments or beliefs. Today, in the face of the emergence of the cognitive war and the complexity and fluidity of information, the traditional Intelligence does not have an adequate culture, since the system of beliefs on which it is founded rests on information gathering and on analysis in two stages, which is no longer suited to the extreme speed of the cognitive conflicts. In other words, the capacity to give an informative sense in real time is the foundation itself of the cognitive war and, therefore, the system of control needs to be improved and accelerated. The control of the informative flows is decisive for the victory and it is obsolete to maintain that the destruction of information infrastructures can really liquidate the adversary. It is much more realistic, if anything, to establish the counter information-poisoning. In a liberalized and balkanized context, dispersion exists. Efficiency is decided more and more on the mastery of the decentralized cognitive ability and increasingly less on the ‘sentry’ type control of the information infrastructure.
The economy of forces, in the ambit of modern political conflict, rests on a mastery of cognitive systems, very different one from another, but interconnected. The possible imposition of a single scheme of interpretation is not a strategy, but is the death of the strategy itself. Before us, we have the days of the future…”.
The predictive analysis also supports the activity of marketing, the creation and protection of images and brands, the evaluation of the probability of interest on the part of competitors in one’s know-how, the possibility of operating the so-called jamming or information poisoning, etc. Furthermore, it allows a kind of reverse engineering (an engineering analysis that works back from the final result to the initial project) to be carried out, for the understanding, from all points of view, of the “attacks” possibly suffered.
The writer asked Engineers Giancarlo Caroti and Marino Sforna, experts in critical infrastructure protection and members of the Italian Association of Critical Infrastructure Experts (AIIC), their opinions on the concept of “adaptive” security and on the use of predictive analysis. “Starting from a generic, but effective definition (a defence strategy is held to be “adaptive” inasmuch as it is flexible, in the sense that it is constantly appropriate for the risk situation), the objective is to identify, in a context of vital services for the community, what organizational mechanisms and technologies can raise security practices – historically rooted in the corporate fabric – to the adaptive level. Let us take, for example, the Energy sector and, in particular, the large networks integrated on the supranational basis for the transport of electric energy. In this regard, it concerns, essentially, the outlining of a new philosophy of protection and making it feasible and practical within the many initiatives and advanced processes which the European electricity operators have always implemented for their operational activities. In the experience of the operators of the large European electricity networks, there are, at least, two operational plans of analysis: -1- the management plan in conditions of “grid” security, which is increasingly interconnected and exercised under conditions of growing stress, and -2- the security plan of the ICT layer in support of the activities of daily operation, within which the new cyber-security issue is rapidly becoming a component of high criticality. Historically, plan -1- has had a great tradition and has led to the study and introduction, over time, of increasingly sophisticated instruments and methodologies, among which the most recent are designed to implement schemes aimed at anticipating conditioning elements for the dependability of the electric infrastructure.
An example is the protection systems like the Wide Area Measurements – WAMS, based on the use, in the field, of high sensitivity apparatuses called Phasor Measurement Units - PMUs. The principle is that of the simultaneous and synchronized control of some indicative parameter (Key index) in several points of the same network. In the case of electrical power, the WAMS electric system controls amplitude and phase of the voltage vector in different electrical nodes. The diagnosis of the functioning of the electrical system derives from the comparison between the various vectors, the single vector being without significance. This example can be borrowed in all complex systems, whether they are informatics systems or communication networks. The objective is to detect a variable of control in the various nodes of the system and effect a periodic monitoring, attributing a parameter of comparison to the findings, like a time tag. With regard to plan -2-, in recent years, the progressive pervasiveness of the new technologies in the processes of monitoring, control and defence of the large electricity systems has evidenced, alongside the historic aspects of ICT reliability, more structured issues of ICT reliability & security, with the race towards increasingly sophisticated organizational measures –physical and logical – oriented to influence in prevention phases and detection of the informatics incidents, intentional or not. At National level, as at public and private CI levels, the cyber-security strategies have, thus, begun to intersect more and more often, the strategies of combat against cybercrime, creating the conditions for a reinforcement of the specialized defences and models of governance, and the search for instruments that can anticipate emergency or crisis conditions of the networks and industrial systems. 
On the other hand, it is undeniable that the increased awareness of the role of the CIs in the life of a Country makes them become, more and more, targets of attack, in a kind of “low intensity war” operation. There are two lines of action common to -1- and -2-: the strengthening of the techniques of simulation and diagnosing of the operating status – on the one side, of the electric network and, on the other, of the ICT networks – and methods of analysis of the boundary conditions and of the listening to a multitude of signals which could trigger dangerous situations and disturbances in the state of the security. It is easy to guess that the effectiveness of the initiatives depends largely on the possibility of acting in synergy with the public and private subjects who live with the identical risk conditions: on the plan -1- front, therefore, the subjects that participate in the operation of the national electricity system and those across borders are mutually dependent; on the plan -2- front, instead, with a very much greater number of subjects who populate that vast area of “interaction” which represents the dominion of the cyber-space. For the innovative dynamics that characterize it, level -2- represents the area that lends itself more to certain considerations on the present and the future. Obviously, for the vastness of the context of influence and for it being, in fact, an area in which one can meet, also randomly, elements that have totally different objectives, the interactions and sharing with the communities that face identical problems will be elements of strength: all this, obviously, on the assumption that the currently reduced level of aggregation grows, prompted, perhaps, by European and national institutional initiatives and synergies generated on the research front, cooperation on regulations and standards, and exchanges of incident experiences and so on. 
The concept must be grasped at every level that in the security area, only the sharing of efforts, experiences and information can give positive results; structures that facilitate public-private cooperation play an extremely important role – also through the constitution of information sharing and analysis centers of the sector (see Electricity Sector Information Sharing and Analysis Center - ES-ISAC) or on a local basis (see Pennsylvania Information Sharing and Analysis Center - PA-ISAC). Pending this “facilitator” scenario, the companies that want to strengthen their defenses against risks originating from the cyber-space must act independently, using, at first, some outside authoritative support, but as a priority they must provide themselves with an adequate structure at the organizational level and, subsequently, create a systemic process supported by the new technologies, capable of anticipating every type of possible analysis during the moments before the incident. The organization, in this way, even without rapid relations with all the other potentially interested entities, but counting on an essential and very focused team, can start up various activities of weak signal listening - from the events that can be captured on the perimetral security systems and correlated rapidly in huge volumes (ref. SIEM or SEM), also with data coming from other sources, to the specialized information sources, to the more generalized public sources, supported by suitable technologies. As a conclusion and, in part, as a hope, to go towards the adoption of software with “open source” code would allow mechanisms of knowledge sharing and collaboration which are not possible in the present day scenario, which is characterized by proprietary and/or closed software”.
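The WAMS/PMU principle described in the quoted passage (a key index read at several nodes, each reading carrying a time tag, with diagnosis drawn only from comparing vectors taken at the same instant) as an added example, not code from the article or from the operators it cites. The node names, baseline offsets, limits and readings are constructed for illustration; the same grouping-and-comparison logic applies to any key index monitored across the nodes of an ICT network.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    """One time-tagged reading of the key index at one node (here a voltage phasor)."""
    node: str
    t: float          # time tag in seconds from a common clock (assumed GPS-disciplined)
    magnitude: float  # voltage magnitude, per unit
    angle_deg: float  # voltage phase angle, degrees


def wrap_deg(a):
    """Reduce an angle difference to the interval [-180, 180)."""
    return (a + 180.0) % 360.0 - 180.0


def bucket_by_time(samples, period=0.02):
    """Group readings by reporting slot so that only readings carrying the same
    time tag are compared with each other. Returns {slot_index: {node: Sample}}."""
    slots = defaultdict(dict)
    for s in samples:
        slots[round(s.t / period)][s.node] = s
    return slots


def compare_nodes(samples, reference, baseline, period=0.02,
                  angle_limit_deg=5.0, mag_limit=0.05, min_nodes=3):
    """Diagnose each slot by comparing every node's vector with the reference
    node's vector taken at the same time tag.

    baseline maps node -> expected steady-state angle offset from the reference
    (degrees). A node deviates when its current offset departs from the expected
    one by more than angle_limit_deg, or its magnitude differs from the reference
    by more than mag_limit p.u. A slot without the reference, or with fewer than
    min_nodes vectors, is reported as insufficient: a lone vector carries no
    diagnosis, exactly as the passage states."""
    findings = []
    for slot, by_node in sorted(bucket_by_time(samples, period).items()):
        t_tag = round(slot * period, 6)
        if reference not in by_node or len(by_node) < min_nodes:
            findings.append({"t": t_tag, "status": "insufficient", "deviating": []})
            continue
        ref = by_node[reference]
        deviating = []
        for name, s in by_node.items():
            if name == reference:
                continue
            offset = wrap_deg(s.angle_deg - ref.angle_deg)
            d_angle = wrap_deg(offset - baseline.get(name, 0.0))
            d_mag = s.magnitude - ref.magnitude
            if abs(d_angle) > angle_limit_deg or abs(d_mag) > mag_limit:
                deviating.append((name, round(d_angle, 2), round(d_mag, 3)))
        findings.append({"t": t_tag,
                         "status": "alarm" if deviating else "ok",
                         "deviating": sorted(deviating)})
    return findings


# Constructed data: four nodes, 20 ms reporting period, N1 as the reference node.
BASELINE = {"N2": -4.0, "N3": -7.5, "N4": -3.0}  # expected angle offsets from N1, degrees

SAMPLES = [
    Sample("N1", 0.000, 1.00, 0.0), Sample("N2", 0.001, 0.99, -4.1),
    Sample("N3", 0.000, 1.01, -7.6), Sample("N4", 0.002, 1.00, -2.9),
    Sample("N1", 0.020, 1.00, 1.0), Sample("N2", 0.020, 0.99, -3.2),
    Sample("N3", 0.021, 1.01, -6.4), Sample("N4", 0.019, 1.00, -2.1),
    # third slot: N3 swings 12 degrees away from its expected offset
    Sample("N1", 0.040, 1.00, 2.0), Sample("N2", 0.040, 0.99, -2.1),
    Sample("N3", 0.040, 0.97, -17.5), Sample("N4", 0.041, 1.00, -1.0),
    # fourth slot: only two vectors arrive, so no diagnosis is possible
    Sample("N1", 0.060, 1.00, 3.0), Sample("N2", 0.060, 0.99, -1.0),
]

if __name__ == "__main__":
    for f in compare_nodes(SAMPLES, "N1", BASELINE):
        print(f"t={f['t']:.2f}s {f['status']:<12} {f['deviating']}")
```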
It follows, then, from what has been said, that companies are increasingly moving towards a security that is based on continual information analysis; an analysis which requires considerable effort both in procuring the information and in reasoning over it.
Often the predictive analysis must be integrated, for economic and efficiency reasons, with contributions of the outsourcing type (externalization of all or part of the activities) and of the cooperative type (sectorial, inter-sectorial, public-private), as has been stated also by the above mentioned colleagues. In this respect many States have organized Information Sharing and Analysis Centers (ISACs) at sectorial and inter-sectorial levels, realizing public-private partnerships for the sharing of non-classified information [ENISA] and [WP-017].
Professor Umberto Saccone, Senior Vice President, Corporate Security of Eni, divides the subject into the following parts:
1. CIs and adaptive protection
The concept of protection, in the sense of activities of security intended to defend infrastructures, assets, persons and guarantee continuity of productive processes, is intrinsically connected to the concept of flexibility. To the extent to which the protection of an infrastructure (to be effective) must also take into account the evolution of the vulnerability conditions and risk scenarios, the flexibility becomes a method of implementation indispensable to the strategy of risk mitigation and the adjustment of the security device. In complex companies, this “evolutionary” approach in the protection of infrastructures, processes and persons is implemented by a management model of the security risks which is suitable to analyze – with cyclical continuity – the vulnerability conditions and risk scenarios, for the purpose of For an enterprise – particularly of the oil & gas sector – the management of infrastructures, businesses and processes in many Countries and/or local contexts strongly diversified one from the other, makes the environmental variable a determining factor for the adaptive-evolutionary approach in the evaluation of the risks and in the preparation of appropriate measures of protection. In fact, the international dimensions and the consequent local characteristics, from the point of view of criminal, social and political factors, delineate potentially diversified operative scenarios for each infrastructure/asset, which impose the adoption of appropriately adapted risk mitigation strategies, also in conformity with the applicable national and international regulations. 
In this context, the adoption of instruments and methodologies which, applied with great care, allow the likely developments of the factors that condition the risk scenarios to be anticipated offers a valid support to the decisional process of security, in which the predictive knowledge could be used to optimize, in advance, the protection of the infrastructures, placing the security action before the event. The analysis on the development of the scenarios assumes an even more concrete significance, especially when it is considered that the contexts in which one operates are often characterized by high volatility (3). Likewise, the adaptive modality of the security strategies is such an important principle that it is implemented in the regulatory documents of the highest ranking legislation, wherein it is stated that, for the purposes of an effective management of the security risk, one of the elements to be considered is precisely that of the “flexibility, insofar as it takes into account the human factors and is able to respond to the changes of scenario …”. Therefore, in a protection approach of infrastructures which is based on the centrality of the analysis of scenarios, in function of the objective of adaptive modulation of the security measures, the use of the instruments underlying the main methodologies of predictive analysis (competitive Intelligence, business Intelligence, Open Source Intelligence, to mention some) allows the acquisition of information which, appropriately appraised, elaborated and correlated, offers a cognitive framework of support to the decision making process of security, also guiding the related investments.
In this context, the security manager, using the knowledge of particular scenarios and conditions of vulnerability, can optimize the investment of security (4) by recourse to the typification of the scenarios, to which “standardized” packages of security measures correspond, and favouring the use of “scalable”, integrable, and adjustable intensity security devices, in function of the presumable developments of the scenarios (5).
2. Desirable instruments in Italy
In consideration of the inter-dependence of the infrastructures, as a potential source of domino effects in case of critical events pertaining to the functionality, continuity and integrity of the infrastructures themselves, and also considering the instrumentality of some infrastructures, including that of energy (6), of national interest, a moment for a “methodology meeting” is deemed useful among the Actors of various kinds, both public and private, involved in the management and protection of the infrastructures. In fact, by virtue of the common national interest, it is considered that in the first instance, a standardization of language, models and methods is necessary between the Actors involved in the risk analyses; that a common language is shared that would facilitate the coordination, effectiveness and timeliness of interaction, in case of emergencies and/or crises. In the second instance, the constitution of permanent PPP bodies (public-private partnerships) is favourable, in which the public and private Actors involved in the protection of critical infrastructures are invited to participate, in a structural form, in the sharing of information, coordination with other Actors, and for the implementation of a complete info-operational collaboration with the State Bodies (Ministry of Internal Affairs, Security Services, local Police Forces, to mention just a few). All this in order to favour the integration of the private security devices with those of the public ones; to share early warnings; composing synergistically the protection of the single infrastructure with the common objective of protection of the security and interests of the National Economic and Productive System. The promotion of collaboration with the Interlocutors of security, be they public or private, from which reciprocal benefits can derive, enters fully into the Eni policies, which pursue in a socially responsible way the maximum public-private integration.
Furthermore, to the extent that critical infrastructure protection lies within the broader framework of the so-called homeland security and of the protection of the strategic industrial sectors of the Country, it can be assessed as the use of Intelligence in support of the decision-making process and of possible State intervention, in the presence of important financial-economic operations which involve – exactly – the strategic infrastructures. In fact, it cannot be excluded that investments or acquisitions of national economic assets of high strategic importance, by physical or juridical foreign entities, disguise phenomena of industrial espionage, or however, the desire to transfer critical assets under the control of foreign entities, thus depriving the Country of technological In this context, the enhancement of Intelligence is considered useful as a tool which – in the case of corporate transactions and/or foreign investments in national strategic infrastructures – can furnish an adequate information outline to the Government (8), enabling the latter to understand what the real intentions of the foreign investors are and whether their actions are “hostile” to the national security and interests. This approach could prove to be particularly advantageous to the sectors characterized by strong international competition, among which, that of energy.
3. More effective methodologies (technological) for CI protection, and regulatory, technical, investment, collaboration deficiencies
In terms of the methodologies which are deemed to be more effective for the protection of the critical infrastructures, the concept of integration appears fundamental, in the meaning that the effectiveness must be assessed globally, and referred to an integrated whole – balanced and interconnected – of security measures (active, passive and organizational, defined according to the particular operational scenario of the infrastructure) rather than to individual components considered in isolation. Government intervention is considered desirable to encourage, on a national scale and with the necessary international coordination:
- the definition of standards and specifications of a technical and/or engineering character, which precisely define the minimum contents of the security technologies usable for the protection of infrastructures;
- the research and development of technological solutions of security focused on the particulars of the infrastructures (specificity of the risks, territorial extension, interconnection with other infrastructures etc.);
- the use of modular and “open” technological platforms, for the purpose of maximizing the flexibility of security management and the integration between security systems of interconnected infrastructures;
- the development of technologies for the protection of the IT networks, instrumentally underlying the operations of the infrastructures, on the basis of the growing criticality of the cyber type (9);
- the creation of ad hoc certifications for the organizational-managerial models of the security and for the related expertise;
- the diffusion, in the involved public-private areas, of a security culture (personnel training, sensitization and preparedness & awareness initiatives gauged to the sector of the critical infrastructures);
- the definition of guidelines and/or Standards and Manuals Cataloguing for the preparation of security plans, taking due account of the possible convergence of different national and supranational regulatory requirements on the matter.
The protection of the critical infrastructures is one of the aspects of the strategic protection of the National Economic and Productive System and of its operational continuity.
The definition of CI is, however, a “relative” concept (relative to time, space, contingencies, to who effects the definition, to the interests to be protected, to the regulations etc.) and, in any case, it can apply to any activity in a National Economic and Productive System, which can, in certain cases, be critical at various levels. Commonly, however, every activity is ‘critical’ for its operator, who lives by it and through it guarantees the survival of his own enterprise, with all the connected aspects (employees, users and clients, GDP contribution etc.). Having said this, any company, from the multinationals to the SMEs, could be interested in analyzing scenarios relative, for example, to ownership – also partial, by foreign actors – or relative to the influence, the interference and the profiling of customers and employees which competitors – foreign and not – can perpetrate in its regard.
The predictive analysis (whether operated inside the company, in outsourcing or in sharing with companies of the sector, through information sharing mechanisms) is a fundamental activity in any protection/security process to make the allocation of the available resources efficient and effective and to optimize the cost/performance ratio of the activity of increasing the robustness and resilience of one’s own business, as well as to make reasoned decisions on the residual risk.
For further reading the author suggests…
- Umberto Saccone, La security aziendale nell’ordinamento italiano, Gruppo Il Sole 24 Ore, 2010.
- Umberto Saccone, Il ruolo del Security manager, Rassegna dell’Arma dei Carabinieri, giugno 2010.
- Umberto Saccone, Il dovere di protezione dei lavoratori, Orizzonti, 2012.
- Nassim Nicholas Taleb, Il cigno nero, Saggiatore, 2007.
- [IDSEC] Luisa Franchina, Alessia Amodio, L’identità digitale e le infrastrutture critiche - intervento 2° ID Security - Mostra convegno sulla sicurezza dell’identità digitale, Information Security (www.edisef.it).
- [DOMINO] Luisa Franchina, Marco Carbonelli, Maria Crisci, Laura Gratta, Daniele Perucchini, An impact-based approach for the analysis of cascading effects in Critical infrastructures, Int. J. Critical Infrastructures, Vol. 7, No. 1, 2011, pp. 73-90.
- [QOS] Linea Guida su: Qualità del servizio nelle reti TLC, ISCOM, AA.VV. 2005.
- [STR] Giancarlo Ciccarella, Piero Marietti, Alessandro Trifiletti, Strumentazione e misure elettroniche, Masson 1993.
- [DIR] Direttiva del Consiglio relativa all’individuazione e alla designazione delle Infrastrutture Critiche europee e alla valutazione della necessità di migliorarne la protezione, n. 114/08 CE, Bruxelles, dicembre 2008.
- [DHS1] National Infrastructures Protection Plan, Department of Homeland Security, 2009, http://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf.
- [ANR] Linea Guida su: Sicurezza delle reti e dell’Informazione, dalla analisi alla gestione del rischio, ISCOM, AA.VV. 2005.
- [ANR2] Linea Guida su: Approfondimenti dell’analisi dei rischi, ISCOM, AA.VV. 2006.
- [ISA1] A Functional Model for Critical Infrastructure Information Sharing and Analysis, ISAC Council White Paper, January 31 2004.
- [ENISA] Cooperative Models for Effective Public Private Partnerships - Good Practice Guide 2011.
(1) The message was contained in the attached leaflet and furnished instructions to the Roman citizens to prepare and facilitate the work of the Allied troops who were approaching Rome.
(2) In the attached Annex B of the Ministerial Decree, 1st December 2010, N° 269 (Regulation governing characteristics of the organizational project and of the minimum requisites of quality required by the Institutes of Private Security, as well as the professional and technical expertise requisites required by the Direction of the same Institutes and for the execution of organizational tasks), the UNI STANDARD 10459:2005 is included as a minimum requisite.
(3) One thinks, by way of example, of the North African Countries involved in the so-called Arab spring, starting from December 2010.
(4) In terms of a set of active, passive and managerial security measures.
(5) In this context is taken into account that the Directive 200/114/CE of the 8th December 2008, relative to the individuation and designation of the European Critical Infrastructures and to the necessity of improving protection, makes express reference to gradual measures of security that can be activated according to the different levels of risk and threat.
(6) But also the infrastructures of transport, telecommunications, health, emergency services, financial sector, water supplies and food supplies, to mention only a few.
(7) In this sense a more detailed study could be made of the Report on the Policy of Information for Security 2011, Presidency for the Council of Ministers – System of Information for the Security of the Republic, pgs. 25-26.
(8) Since 1975, in the United States, a Committee on Foreign Investment in the United States, has been active (CFIUS). An inter-governmental committee with the task of assessing the risks to national security connected to foreign operations and/or investments in companies in the United States.
(9) The document Global Risks 2012, 7th Edition, of the World Economic Forum counts cyber-attacks among the Top 5 of the risks perceived as the most probable in the next decade. Likewise, the attention on the subject of cyber-criticality, also connected to the protection of the critical infrastructures, is attested to by initiatives like the Top Twenty Critical Security Controls of the noted SANS Institute, one of the best-known references in the sector of informatics security. Sources: http://www3.weforum.org/docs/WEF_Globalrisks_Report_2012.pdf and http://www.sans.org/critical-security-controls/.