GNOSIS
Rivista italiana
diintelligence
Agenzia Informazioni
e Sicurezza Interna
HOME
EDITORIALE
PUNTO DI VISTA
ARALDICA
RECENSIONI
ARCHIVIO
» ABBONAMENTI

» CONTATTI

» DIREZIONE

» AISI




» INDICE AUTORI

Italiano Tutte le lingue Cerca i titoli o i testi con
GNOSIS 3/2008
sommariosommario
Critical Infrastructures
under protection

Luisa FRANCHINA

 
The modern Western Countries have realized, over the course of the years, a model of society which is characterized by a high “quality of life”, implying with this expression, the possibility of having access to a “fundamental” number of services and opportunities which are made available to each single citizen until he can better express his own aptitudes and satisfy his own needs. From this perspective, the elements that are part of the “quality of life” are, for example, the services of energy supply, the protection of health, the transport system, the banking system and so on.

In recent years, it has become necessary to affirm the need to better understand the real dependence of our society on those infrastructures which consent the delivery of the services that characterize the quality of our lives. ([LEW1], [HYS1]). These infrastructures are called “critical” and the necessity of protecting their existence and correct functioning is synonymous with the necessity of safeguarding the quality of life. By way of example, let us consider what happened in Italy in occasion of the strike of the road haulers, in December, 2007. Three days of strike were enough to put various systems in crisis, such as: food supplies, the emergency health services (no petrol for ambulances), the productive systems based on the movement of people, the delivery system of medicines in the large cities etc. In synthesis, the failure of a specific service (transport on tyres) caused a series of chain repercussions on sectors ‘apparently’ not correlated to the lives of the citizens.
Furthermore, it is necessary to consider that the ever-increasing impending terrorist threat makes much more complex and dramatic scenarios supposable, in which the chain collapse, normally indicated as the domino effect, could involve an even more conspicuous number of infrastructures.
These consideration are the basis of a growing activity in the international ambit, so much so that the European Commission embarked on a normative path which has recently been concluded with the approval of a Directive ([EU]) which indicates to the Member States a series of actions to guarantee the correct functionality of the European Critical Infrastructures; that is, of those infrastructures in which eventual malfunction could have impact on other EU States.
In this article, the problem of the protection of the Critical Infrastructures, of their classification and of the study of their dependencies are examined in detail. In particular: in paragraph 1, the contents of the recently negotiated Directive in the EU ambit are illustrated and the implications at a national level are discussed; in paragraph 2, the initiatives in matters of protection of the critical infrastructure in act in some Western Countries are briefly described, and in paragraph 3, a classification methodology is proposed, based on a sociological approach, useful for mapping the dependences between the Critical Infrastructures, furnishing the instruments of prevision of the domino effect.

1.The Directive of the EU on the protection
of the Critical Infrastructures

The European Council of June, 2004, asked for the preparation of a global strategy for the protection of the Critical Infrastructures.
On the 20th October, 2004, in the fight against terrorism, the Commission adopted a communication relative to the protection of the Critical Infrastructures [EU1], which presents a series of proposals to increase the prevention, preparation and response at European level in the case of terrorist attacks that involve the Critical Infrastructures.
In December, 2004, the Council approved, in its conclusions on the prevention, preparation and response in the case of terrorist attacks, the proposal of the Commission to institute a European programme for the protection of the Critical Infrastructures (European Programme for Critical Infrastructure Protection, EPCIP), and a warning information network on the Critical Infrastructures (Critical Infrastructure Warning Information Network, CIWIN).
In November, 2005, the Commission adopted a Green Book [EU2] that collects indications on the possible different alternative strategies in the matter of EPCIP.
In the conclusions relative to the protection of the Critical Infrastructures, the Council “Justice and Internal Affairs” (GAI) of December, 2005, invited the Commission to present a proposal of a European programme for the protection of the Critical Infrastructures.
The Communication of the Commission st16932 [EU3] presents the principles, procedures and instruments proposed to carry out the EPCIP. Such actuation will be completed – if possible – by specific sectorial communication relative to the approach of the Commission in particular sectors of Critical Infrastructures.
In May, 2008, the second reading of the definitive version of the Directive was approved, the publication of which is foreseen for autumn, 2008.
The Directive sets out the measures provided for by the Commission for the purpose of the individuation and designation of the European Critical Infrastructures and for the evaluation of the necessity of improving their protection.
Starting from the consideration that in the European Union there are various infrastructures, the mal-function or destruction of which could have an impact on the various Member States, the Directive furnished the following definitions:

“Critical Infrastructure” (CI):
those goods, systems or parts of them collocated in the Member States of the EU, which are essential for the maintenance of the vital social functions, of health, security and safety of the social and economic well-being of the population, where the destruction or malfunction of which would have, as a direct consequence, a significant impact on a Member State, as a result of the "loss of service" of these functions.

“European Critical Infrastructure” (ECI):
critical infrastructure collocated in the Member States of the EU and where the destruction or malfunction of which would have as a direct consequence a significant impact on at least two Member States of the EU, the significance of the impact must be established in terms of transversal (cross-cutting) criteria. This includes the effects deriving from the inter-sectorial dependence on other types of infrastructures.
Please observe that the definition of Critical Infrastructures given in the Directive is concentrated only on the aspects of loss of service.
Two viewpoints which merit consideration in the analyses that will lead to the implementation of the Directive in the various National realities are those of hazard and misuse. The first concept refers to the presence of substances or systems which are, for their nature, potentially damaging (e.g. a nuclear installation); the second concept, that of misuse, refers to improper use, accidental or deliberate, of an infrastructure; such concept can be applied also to infrastructures that do not present intrinsic elements of risk in normal conditions of utilization or operation, but that if used intentionally or accidentally in an improper way can cause damage to persons and/or things (an example could be the distribution network of drinkable water in which toxic substances can be dispersed).
The key subject addressed by the Directive is that of the definition of a common approach for the identification and protection of the European Critical Infrastructures.

Tab.1.1 - Sectors and sub-sectors identified in Annex 1 of the Directive are transcribed
Since various sectors dispose of experience, competence and particular requisites in the matter of protection of the Critical Infrastructures, the Directive is conceived on a sectorial basis and will be implemented according to an established list of CI sectors. As things stand at the present, the individuated sectors of the Directive, to which the procedure for the individuation of the European Critical Infrastructures must be applied, are those of Energy and Transport (in table 1.1 the sub-sectors identified in Annex 1 of the Directive are transcribed).The Directive recognizes the necessity of extending, in future, the list of the critical sectors, and assigning the priority to the sec
tor of Information and Communication Technology (ICT). Furthermore, it is worth remembering that, during the negotiation phases of the Directive, various additional sectors were preliminarily considered (table 1.2), which, however, were not included in the present version of the Directive itself, in order to arrive, rapidly, at a version of compromise shared between all of the Member States.
The inclusion of these further sectors in the Directive will be subject of future discussion; it is provided, in fact, that the Directive be submitted to a process of revision and up-dating, to arrive at a definitive version within three years.The Directive provides for the application of a four-step procedure before an infrastructure is designated ECI: such procedure is illustrated in fig. 1.1.
Step 1: referring to sectors defined in table 1.1, the first step requires the Member States to verify whether the potentially critical infrastructures satisfy the relative sectorial criteria.

Tab.1.2
The Directive establishes that the sectorial criteria are defined with the contribution and consensus of the involved parties, including the operators, taking note of the fact that often, in the ambit of the sectors identified as critical, consolidated criteria already exist for the analysis of the risks and the identification of the criticality. The application of the first step allows the effectuation of a first selection within each sector.
Step 2: each Member State must verify whether the infrastructures selected in the first step satisfy the definition of critical infrastructure (CI) previously recorded in this paragraph.
Step 3: each Member State must verify whether the infrastructures selected in the second step satisfy the definition of trans-nationality (cross cutting) (ECI) recorded previously; in other words, whether a potential malfunction or destruction of the infrastructure could have an impact on at least two Member States.
Step 4:it is necessary, therefore, to effect a “levelling” of the identified infrastructures, to guarantee that all and only those infrastructures that satisfy a common and homogenous criterion of criticality are designated as ECI. To this end, inter-sectorial ("cross-cutting") criteria must be applied, presently defined in general terms in the Directive, which keep the following aspects under consideration:
• consequences on the health of the citizens (potentiality of causing death or serious damage to health);

Fig.1.1 Procedure is designated ECI
• economic consequences (entity of the potential economic loss and/or deterioration of products or services, including those due to environmental damage);
• consequences on public opinion (of a socio-political or psychological nature, including those deriving from environmental damage).
As illustrated in fig.1.1, in the case in which an infrastructure passes the four steps of the procedure, a phase of a political nature follows, in which the final decision of designating such infrastructure as ECI is the competence of each Member State in whose territory the infrastructure is situated.

1.1 The fulfilments imposed
by the EU Directive
As has been said, the Directive establishes a series of procedures and actions for the individuation and protection of the European Critical Infrastructures, identifying the parts involved and attributing specific responsibilities. In particular, the actuation of the Directive entails a series of fulfilments by the Member Countries, as summarized in the following.

Individuation of the European Critical Structures
The Directive provides for the application of a procedure in various steps before an infrastructure is recognized as ECI. In particular – criteria relative to the single sectors and inter-sectorial criteria to select those infrastructures whose relevance at Community level is such to consider them of European interest – will be indicated in the Directive description. Lastly, the final designation of the infrastructure as an ECI is the competence of each Member State, by means of a communication to the Commission. As things stand at the moment, the Directive indicates as priority sectors, to which must be applied, right from the beginning, the procedure for the individuation of the European Critical Structures, those of Energy and Transport. Furthermore, the Directive recognizes the necessity of extending, in future, the list of critical sectors, and assigns the priority to the Information and Communication Technology (ICT) sectors, and in particular, to the networks of fixed and mobile communication.



© AGENZIA INFORMAZIONI E SICUREZZA INTERNA