How the strategic infrastructures are protected
Luisa Franchina
The most industrialized countries rely on ever larger and more sophisticated infrastructure systems, the so-called Critical National Infrastructures (CNI). These are public or private infrastructures whose correct functioning is essential to the operation and security of the entire nation. They guarantee the operational efficiency of many services vital to society: energy distribution, transport, telecommunications, the protection of citizens' health, national defence and, in general, the whole public administration. CNI can suffer various kinds of failure, caused by technological problems, natural disasters or intentional attacks. A typical feature of modern CNI is their ever more massive reliance on vital services supplied by the infrastructures that handle the transfer of communications and information, the so-called Critical Information Infrastructures (CII). From this point of view the CII must, through their own functioning, guarantee the regular operation of the CNI both under normal conditions and in emergencies, when critical events put at risk the supply of a nation's fundamental services.

1. The work of the European Commission on the protection of critical infrastructures

1.1 From 2004 to 2007

The European Council of June 2004 requested the preparation of an overall strategy for the protection of critical infrastructures. On 20 October 2004 the Commission adopted a communication on critical infrastructure protection in the fight against terrorism, which put forward a series of proposals to strengthen prevention, preparedness and response at European level to terrorist attacks involving critical infrastructures (CI). The Council conclusions on prevention, preparedness and response to terrorist attacks, and the EU Solidarity Programme on the consequences of terrorist threats and attacks, both adopted by the Council in December 2004, endorsed the Commission's intention to propose a European Programme for Critical Infrastructure Protection (EPCIP) and agreed that the Commission should set up a Critical Infrastructure Warning Information Network (CIWIN). In November 2005 the Commission adopted a Green Paper on a European Programme for Critical Infrastructure Protection, which presented options for developing the EPCIP and the CIWIN. In its conclusions on critical infrastructure protection of December 2005, the Justice and Home Affairs Council invited the Commission to present a proposal for a European programme for critical infrastructure protection. Communication st16932 presents the principles, procedures and instruments proposed to implement the EPCIP. Implementation will be complemented, where necessary, by sector-specific communications on the Commission's approach in particular critical infrastructure sectors. The proposal for a Directive st6933 (2006/0276 CNS) sets out the measures envisaged by the Commission for identifying and designating European critical infrastructures (ECI) and for assessing the need to improve their protection.

1.2 Objective, principles and content of the EPCIP

1.2.1 Objective of the EPCIP

The general objective of the EPCIP is to improve the protection of critical infrastructures in the European Union.
This objective will be achieved by creating an EU framework for the protection of critical infrastructures, as described in the communication.

1.2.2 Threats addressed by the EPCIP

While recognizing the terrorist threat as a priority, the protection of critical infrastructures will follow an all-hazards approach. Where the level of protective measures in a particular critical infrastructure sector is judged adequate, the parties concerned must concentrate on the other hazards to which the infrastructures could be vulnerable.

1.2.3 Principles

The following fundamental principles will guide the implementation of the EPCIP:
- Subsidiarity. In the field of critical infrastructure protection (CIP) the Commission will concentrate its efforts on infrastructures that are critical at European rather than national or regional level. Nevertheless, where required and taking due account of existing Community competences and available resources, the Commission can support Member States with regard to their national critical infrastructures (NCI).
- Complementarity. Where efforts already made at EU, national or regional level have been effective in protecting critical infrastructures, the Commission will avoid duplicating them. The EPCIP will therefore complement existing sectoral measures and build on what has already been achieved.
- Confidentiality. At both EU and Member State level, information on critical infrastructure protection is classified and is made available only to those who need to know it. Information on critical infrastructures must be shared in an atmosphere of trust and confidentiality.
- Stakeholder cooperation. As far as possible, all parties concerned (owners/operators of critical infrastructures designated as European critical infrastructures (ECI), public authorities and other competent bodies) will be involved in developing and implementing the EPCIP.
- Proportionality. Measures will be proposed only where a need is found following an analysis of existing security gaps, and will be proportionate to the level of risk and to the type of threat identified.
- Sectoral approach. Since individual sectors have particular experience, expertise and requirements in critical infrastructure protection, the EPCIP will be developed sector by sector and implemented according to an agreed list of CIP sectors (the proposed list is contained in the following table).

1.2.4 EPCIP framework

The EPCIP will comprise:
- a procedure for identifying and designating European critical infrastructures and a common approach for assessing the need to improve their protection, to be implemented through a Directive;
- measures to facilitate the implementation of the EPCIP, including an EPCIP action plan, the Critical Infrastructure Warning Information Network (CIWIN), the use of CIP expert groups at EU level, a CIP information-sharing process, and the identification and analysis of interdependencies;
- support measures for national critical infrastructures, which Member States may use; a general approach to the protection of NCI is described in the communication;
- contingency planning;
- an external dimension;
- accompanying financial measures, in particular the proposed EU programme on prevention, preparedness and consequence management of terrorism and other security-related risks for the period 2007-2013, which will offer funding opportunities for critical infrastructure protection measures with potential for transferability at EU level.
1.2.5 Existing sectoral measures

A number of sectoral measures already exist, including:

In the information technology sector:
(a) the "Universal Service" Directive (2002/22/EC), which concerns, among other things, the integrity of public electronic communications networks;
(b) the "Authorisation" Directive (2002/EC), which concerns, among other things, the integrity of public electronic communications networks;
(c) the Directive on privacy and electronic communications (2002/58/EC), which concerns, among other things, the security of public electronic communications networks;
(d) Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems;
(e) Regulation (EC) No 460/2004 of 10 March 2004 establishing the European Network and Information Security Agency (ENISA).

In the health sector:
(a) Decision No 2119/98/EC of the European Parliament and of the Council of 24 September 1998 setting up a network for the epidemiological surveillance and control of communicable diseases in the Community;
(b) Commission Directive 2003/94/EC of 8 October 2003 laying down the principles and guidelines of good manufacturing practice for medicinal products for human use and investigational medicinal products for human use.

In the financial sector:
(a) Directive 2004/39/EC of the European Parliament and of the Council of 21 April 2004 on markets in financial instruments (MiFID);
(b) the oversight standards for euro retail payment systems adopted in June 2003 by the Governing Council of the European Central Bank (ECB);
(c) Directive 2006/48/EC of the European Parliament and of the Council of 14 June 2006 relating to the taking up and pursuit of the business of credit institutions;
(d) Directive 2006/49/EC of the European Parliament and of the Council of 14 June 2006 on the capital adequacy of investment firms and credit institutions;
(e) the proposal for a Directive on payment services in the internal market, amending Directives 97/7/EC, 2000/12/EC and 2002/65/EC (COM(2005) 603);
(f) Directive 2000/46/EC of the European Parliament and of the Council of 18 September 2000 on the taking up, pursuit of and prudential supervision of the business of electronic money institutions;
(g) Directive 98/26/EC of the European Parliament and of the Council of 19 May 1998 on settlement finality in payment and securities settlement systems.

In the transport sector:
(a) Regulation (EC) No 725/2004 of the European Parliament and of the Council of 31 March 2004 on enhancing ship and port facility security;
(b) Commission Regulation (EC) No 884/2005 of 10 June 2005 laying down procedures for conducting Commission inspections in the field of maritime security;
(c) Directive 2005/65/EC of the European Parliament and of the Council of 26 October 2005 on enhancing port security;
(d) Regulation (EC) No 2320/2002 of the European Parliament and of the Council of 16 December 2002 establishing common rules in the field of civil aviation security;
(e) Commission Regulation (EC) No 622/2003 of 4 April 2003 laying down measures for the implementation of the common basic standards on aviation security;
(f) Commission Regulation (EC) No 1217/2003 of 4 June 2003 laying down common specifications for national civil aviation security quality control programmes;
(g) Commission Regulation (EC) No 1486/2003 of 22 August 2003 laying down procedures for conducting Commission inspections in the field of civil aviation security;
(h) Commission Regulation (EC) No 68/2004 of 15 January 2004 amending Regulation (EC) No 622/2003 laying down measures for the implementation of the common basic standards on aviation security;
(i) Regulation (EC) No 849/2004 of the European Parliament and of the Council of 29 April 2004 amending Regulation (EC) No 2320/2002 establishing common rules in the field of civil aviation security;
(j) Commission Regulation (EC) No 1138/2004 of 21 June 2004 establishing a common definition of critical parts of security restricted areas at airports;
(k) Commission Regulation (EC) No 781/2005 of 24 March 2005 amending Regulation (EC) No 622/2003;
(l) Commission Regulation (EC) No 857/2005 of 6 June 2005 amending Regulation (EC) No 622/2003;
(m) Directive 2001/14/EC on the allocation of railway infrastructure capacity;
(n) Directive 96/49/EC on the transport of dangerous goods by rail, as amended by Directive 2004/110/EC, which adopts RID 2005;
(o) the Convention on the Physical Protection of Nuclear Material (signed in 1980, acceded to in 1981, in force since 1987).

In the chemical sector:
(a) establishments covered by the Seveso II Directive (Council Directive 96/82/EC of 9 December 1996 on the control of major-accident hazards involving dangerous substances), as amended by Directive 2003/105/EC of the European Parliament and of the Council of 16 December 2003.

In the nuclear sector:
(a) Council Directive 89/618/Euratom of 27 November 1989 on informing the general public about health protection measures to be applied and steps to be taken in the event of a radiological emergency;
(b) Council Decision 87/600/Euratom of 14 December 1987 on Community arrangements for the early exchange of information in the event of a radiological emergency.

1.2.6 Content of the Articles of the proposed Directive

Article 1 – Subject matter. The Directive establishes a common procedure for identifying and designating European critical infrastructures, that is, infrastructures whose disruption or destruction would affect two or more Member States, or a single Member State if the critical infrastructure is located in another Member State. The Directive also introduces a common approach for assessing the need to improve the protection of European critical infrastructures; this assessment will feed into the preparation of specific protective measures in the individual CIP sectors.

Article 2 – Definitions. The Article contains the following definitions:
a) "critical infrastructure": those assets, or parts thereof, which are essential for the maintenance of vital societal functions, including the food supply chain, health, safety, security, and the economic and social well-being of citizens;
b) "European critical infrastructure" (ECI): critical infrastructure whose disruption or destruction would significantly affect two or more Member States, or a single Member State if the critical infrastructure is located in another Member State.
This includes effects resulting from cross-sector dependencies on other types of infrastructure;
c) "severity": the impact of the disruption or destruction of a particular infrastructure, assessed in terms of:
- public effects (number of people affected);
- economic effects (extent of economic loss and/or degradation of products or services);
- environmental effects;
- political effects;
- psychological effects;
- public health effects;
d) "vulnerability": a characteristic of an element of the design, implementation or operation of a critical infrastructure that exposes it to the threat of disruption or destruction, including dependencies on other types of infrastructure;
e) "threat": any indication, circumstance or event with the potential to disrupt or destroy a critical infrastructure or any of its elements;
f) "risk": the possibility of loss, damage or injury, with regard to the value the owner/operator attaches to the infrastructure and to the repercussions of its loss or alteration, and to the probability that a particular threat will exploit a specific vulnerability;
g) "critical infrastructure protection-related information": specific facts about a critical infrastructure which, if disclosed, could be used to plan and carry out actions causing damage and unacceptable consequences for such infrastructure.

Article 3 – Identification of ECI. The Article sets out the procedure for identifying ECI, that is, critical infrastructures whose disruption or destruction would seriously affect two or more Member States, or a single Member State if the critical infrastructure is located in another Member State. The procedure has three phases. First, the Commission, the Member States and the parties concerned jointly develop cross-cutting and sectoral criteria for identifying ECI, which are then adopted through the comitology procedure. The cross-cutting criteria are defined in terms of the severity of the disruption or destruction of the CI, which should, as far as possible, be assessed on the basis of the same elements that define "severity" in Article 2: public effects (number of people affected), economic effects (extent of economic loss and/or degradation of products or services), and environmental, political, psychological and public health effects. Next, each Member State identifies the infrastructures that meet the criteria and, finally, notifies them to the Commission. The necessary work is carried out in the CIP sectors selected each year by the Commission, in order of priority, from those listed in Table 1. The list of CIP sectors in Table 1 may be amended through the comitology procedure, provided this does not widen the scope of the Directive; in practice this means that amendments would serve only to clarify its content. The Commission regards the transport and energy sectors as immediate priorities for action.

Article 4 – Designation of ECI. Once the identification procedure under Article 3 is complete, the Commission draws up a draft list of ECI on the basis of the notifications received from the Member States and of any other information available to the Commission itself. The list is then adopted through the comitology procedure.

Article 5 – Operator security plans (OSP).
Article 5 requires all owners/operators of CI designated as ECI to establish an operator security plan (OSP) identifying the assets concerned and setting out the relevant security solutions for their protection. Annex II to the proposed Directive specifies the minimum content of the OSP, which includes:
- identification of the important assets;
- a risk analysis based on the major threat scenarios, the vulnerability of each asset and the potential impact;
- identification, selection and prioritization of countermeasures and procedures, distinguishing between:
  - permanent security measures, which identify the security investments and instruments that owners/operators cannot put in place at short notice. This category covers general measures; technical measures (including the installation of detection, access control, protection and prevention means); organizational measures (including alerting procedures and crisis management); control and verification measures; communication; awareness-raising and training; and the security of information systems;
  - graduated security measures, activated according to the varying levels of risk and threat.
Each CIP sector may develop sector-specific OSP requirements based on the minimum requirements of Annex II; these may be adopted through the comitology procedure. For sectors where equivalent obligations already exist, Article 5(2) provides for the possibility of exemption from the obligation to establish security plans, by a decision adopted through the comitology procedure. Directive 2005/65/EC of the European Parliament and of the Council on enhancing port security is considered already to satisfy the requirement to draw up an operator security plan. Once an OSP has been drawn up, each ECI owner/operator must submit it to the competent national authorities. Each Member State will set up a system for supervising the security plans, to guarantee that ECI owners/operators receive sufficient feedback on the quality of the plans and, in particular, on the adequacy of their risk and threat assessments.

Article 6 – Security liaison officer. Article 6 requires all owners/operators of CI designated as ECI to appoint a security liaison officer, who acts as the point of contact for security matters between the ECI and the national authorities competent for critical infrastructure protection. These officers should therefore receive all relevant critical infrastructure protection information from the national authorities and are responsible for passing relevant information from the ECI to the Member State.

Article 7 – Reporting. Article 7 introduces a set of reporting measures. Each Member State is required to carry out a risk and threat assessment regarding its ECI. This information forms the basis of the dialogue between the Member States and the ECI on security questions (supervision), as indicated in Article 5. Since Article 5 obliges ECI owners/operators to establish security plans and submit them to the national authorities, each Member State is asked to compile a general overview of the types of vulnerabilities, threats and risks found in each CIP sector and to provide it to the Commission. On this basis the Commission will assess whether supplementary protective measures are needed. This information could later be used to prepare the impact assessments accompanying future proposals in this area. The Article also provides for common methodologies for carrying out vulnerability, threat and risk assessments in relation to ECI, to be adopted through the comitology procedure.

Article 8 – Commission support for ECI. The Commission will support ECI owners/operators by giving them access to the best available standards, procedures and methodologies in the CIP field. The Commission undertakes to collect such information from various sources (e.g. Member States, internal sources) and to make it available to those concerned.

Article 9 – CIP contact points. To guarantee cooperation and coordination on critical infrastructure protection matters, each Member State is required to designate a CIP contact point, whose task is to coordinate critical infrastructure protection questions within the Member State, with the other Member States and with the Commission.

Article 10 – Confidentiality and exchange of critical infrastructure protection information. Confidentiality and information exchange are fundamental and sensitive elements of critical infrastructure protection work. The Directive therefore provides that the Commission and the Member States take adequate steps to protect such information. All personnel handling classified critical infrastructure protection information should undergo the necessary security vetting by the authorities of their Member State.

Article 11 – Committee. Certain elements of the Directive will be implemented through the comitology procedure. The committee will be composed of representatives of the CIP contact points.

2. The critical infrastructure protection programme of the United States Department of Homeland Security

On 25 May 2007 the United States Department of Homeland Security (DHS) presented draft Sector-Specific Plans under its critical infrastructure protection programme, intended to give a coordinated, effective and efficient approach to the federal funding mechanisms aimed at reducing vulnerabilities, identifying threats and reducing the consequences of possible attacks on, or accidents involving, the national critical infrastructures. The plans will be continually updated through a "plan, do, test, act" cycle and will also bring consistency to joint public/private activities by providing scenarios and objectives. Their principal goals are:
- to define the partners, authorities, legal basis, roles, responsibilities and interdependencies for each sector;
- to establish, or institutionalize where they already exist, procedures for information sharing, interaction, coordination and partnership between and within sectors;
- to establish the processes needed to reach the security objectives identified for each sector;
- to set out the international scenarios and considerations;
- to identify risk analysis and management methods consistent with the characteristics of each sector.
All the plans have the following structure:
- identification of the sector's characteristics and objectives;
- description of the sector's assets, systems, networks and functions;
- risk assessment;
- prioritization among infrastructures;
- development and implementation of protective programmes;
- measurement of results.
Seventeen sectors are identified: 1. agriculture and food; 2. banking and finance; 3. chemical; 4. commercial facilities; 5. communications; 6. dams; 7. defense industrial base; 8. emergency services; 9. energy; 10. government facilities; 11. information technology; 12. national monuments and icons; 13.
nuclear reactors, materials and waste; 14. postal and shipping; 15. public health and healthcare; 16. transportation systems; 17. water.
The draft plan gives a brief description of each sector covering:
- sector overview;
- objectives;
- authorities involved in the security of the sector;
- priorities;
- exercise and training commitments;
- criticality;
- interdependencies with other sectors.

1. Agriculture and food
The sector is made up entirely of private operators (more than two million farms and as many companies). The common vision is defence against contamination of the food chain that could damage health and the survival and well-being of citizens. The objectives include identifying company contact points for handling emergencies and the participation of industry in State emergency operations centres. The critical points are identified in the speed of transport and distribution of produce and in the difficulty of detecting and characterizing any contamination, which may manifest itself at a considerable distance in space and time from the point of origin. The interdependencies indicated are on the following sectors: water (for irrigation), transport (for moving produce), energy (for powering production plants), finance, chemical and dams. It is notable that communications and IT are not mentioned, whereas, in the writer's opinion, IT at least could have an influence, above all on the control systems of companies involved in manufacturing and processing foodstuffs.

2. Banking and finance
This sector accounts for 8% of the United States' annual GDP.
Its objectives are shaped by strong interdependencies with other sectors, by the international character of the sector, and by collaboration with, and dependence on, the agencies responsible for fighting crime (from fraud to money laundering). The growth of computer crime, characterized by difficult traceability and by the international nature of the methods used, is also keenly felt. In particular, the objectives are:
- maintaining operations (through resilience, redundancy, duplication and separation);
- knowing and managing the risks arising also from strong dependence on the communications, IT, energy and transport sectors;
- cooperation with law enforcement, the intelligence community and international counterparts to reduce crime.
The interdependencies indicated are on the following sectors: communications, energy and, in second place, IT and transport.

3. Chemical
The sector comprises hundreds of thousands of American businesses (manufacturing and production plants, transport and distribution companies) dealing in products ranging from pharmaceuticals to pesticides, healthcare and cosmetics. The threats to this sector concern equally the cyber, physical and human (including insider) aspects. The objectives of the plan are:
- a census of the assets and of their dependencies and interdependencies, both national and international;
- definition of the risk profile and of the resulting priorities for and among those assets;
- voluntary and mandatory protection standardization programmes that do not undermine the sector's profitability or the availability of products on the market;
- continuous measurement and improvement of the efficiency and performance of the programmes;
- information sharing and public/private cooperation;
- expansion of research and development programmes for the security of the sector.
The critical points relate, first of all, to dual-use products (usable in normal civil activities but also as weapons of mass destruction) and to products whose unavailability on the market could create criticality in other sectors or directly affect public health. In general, sector regulation of the cyber, physical and human security of such installations is hoped for. The interdependencies indicated are on the following sectors: IT, communications, transport (and energy, in the writer's opinion). The chemical sector is also seen as fundamental to the correct functioning of other sectors (above all water and agriculture, but curiously not health).

4. Commercial facilities
This sector comprises the mass media, associations and leagues, retail, commercial enterprises and leisure facilities (sports, entertainment, cinemas, etc.). It is a typical "open to public access" sector with few controls and few barriers to enjoyment, and it was one of the sectors worst hit in the attack on the Twin Towers. Since 2001, security has become a key point in reassuring the sector's clients and employees: all commercial facilities have started risk analysis and management processes that respect the rule of maximum flexibility and openness while keeping security as a key point of their marketing. Information exchange and public trust are the main objectives of the programme. Here too, implementing the programme and the public-private relationship is complicated by the fragmentation of the private entities involved (not all of them, for example, can be reached through trade associations). The interdependencies indicated are on the following sectors: transport and communications (energy and IT are not explicitly cited).

5. Communications
This is one of the most critical sectors.
By itself it accounts for 85% of the critical infrastructures counted in the United States. It is also one of the most interconnected sectors at the sub-sector level (the telecommunications networks are very numerous, all interconnected, with extremely diverse technologies: wireless, cable, fibre, satellite, radio, broadcasting... and not always interoperable). The objectives of the sector are:
- robustness;
- resilience;
- protection of the backbone;
- speed of response and recovery at federal and regional level;
- business continuity;
- information and awareness campaigns for customers and stakeholders;
- inter-sectoral cooperation (this sector is fundamental to most of the others).
The programme explicitly aims at prioritizing the management of services during emergencies to assist the Government at federal and regional level. Such priorities concern all segments of communications, above all the mobile and satellite networks. Information sharing, coordinated mainly by the ISAC (Information Sharing and Analysis Center), is also cited as a pivotal prevention and protection activity. In this sector too, security covers three aspects: cyber, physical and human. Finally, modelling and simulation for the analysis of scenarios and dependencies are indicated as priorities. The interdependencies indicated are towards the following sectors: energy and IT (which in their turn depend on telecommunications), while this sector is indicated as fundamental to the management of water.

6. Dams
The sector of dams and water basins in general is one of the most delicate.
Such structures are in fact used to supply aqueducts, to produce energy, to prevent natural disasters linked to floods of various kinds, for the navigability of inland basins and waterways in general, etc. The United States has more than 80,000 dams, 60% of which are privately managed. The entire sector is very active in the area of security. The principal objectives, apart from the classic ones of prevention and protection, are tied to information sharing, public/private cooperation, modelling of risk scenarios, and identification of threats and of the related vulnerabilities together with an accurate study of the interdependencies. The high number of sites and their structural, functional and construction differences do not allow a single security programme to be identified; instead they require a preliminary census of the state of the art, so that interventions can be prioritized according to real threats and vulnerabilities and to possible domino effects. Much of this remains to be done. The interdependencies indicated are towards agriculture, transport, water and energy, which depend on this sector. No dependencies on any sector are indicated, while in the writer's opinion energy, communications and IT are fundamental to the control systems (monitoring and control) of these installations, especially where they are remote.

7. Defence industrial base
This sector includes hundreds of thousands of businesses of various sizes involved in producing and maintaining products, systems and services for defence. It is a sector characterized by its ultimate client and that client's security needs, rather than by business needs. Most operators in the sector have implemented internal security procedures and systems to satisfy the client's requirements, creating a business and a know-how that could be very useful to other sectors.
The sector also works with the Department of Defense and therefore has a security programme connected with that Department. The objectives of the programme concern:
- reduction of the sites and structures at risk;
- personnel security;
- physical security;
- cyber security;
- information assurance (assurance of products and of their delivery);
- countering the insider threat;
- monitoring and reporting;
- training and information.
All operators in the sector are private. No need for standardization is indicated: the entire sector has already identified priorities and procedures for information sharing, for public/private collaboration and for cyber, human and physical security. The interdependencies indicated are towards the following sectors: energy, communications and transport (IT is cited more than once in the description). This sector collaborates with others to identify interdependencies, overlaps and gaps in the responsibilities and in the security of the various structures.

8. Emergency Services
The sector comprises nine lines of activity:
- law enforcement;
- bomb disposal;
- tactical operations, including special weapons;
- fire services;
- emergency medical services;
- national search and rescue;
- urban search and rescue;
- emergency management;
- hazardous materials management.
Numerous security programmes are active, many of them also based on volunteers, aimed at cooperation, mutual assistance, active and passive countermeasures, the construction of strong and resilient buildings, duplication of reception facilities and the sharing of resources. All levels of government (federal, state, regional and municipal) will sponsor assistance programmes.
Above all, the programmes aim at giving operators ordinary and extraordinary protection against all types of risk, at managing coordination and response to emergencies and at guaranteeing public trust. The objectives are:
- to grasp the national and international interdependencies at the cyber, physical and human levels;
- to support the determination of protection across the various sectors;
- to support the protection of the sector without undermining its own emergency and rescue activities;
- to analyse and report on the effectiveness of the interventions according to adequate criteria;
- information sharing, training and information for all sectors and within the sector.
The critical points are identified in the communication systems and methods between the various levels of emergency response (above all between the various levels of government), in public/private cooperation, in the efficient transport of people, materials and equipment, and in guaranteeing an adequate level of response (achievable only through predefined and shared emergency plans and through precise, real-time knowledge of the territory) to the different and ever-changing types of threat. The interdependencies indicated are towards the following sectors: energy, IT, communications, water, transport and health.

9. Energy
This sector consists of hundreds of thousands of sites and companies for the production, transport and distribution of electricity, gas and fuels. Cyber security plays a key role in protecting the control systems (SCADA and non-SCADA) of such installations; in 2006 a cyber security programme was launched for the sector with four priorities:
- measuring the current security posture;
- developing and integrating security;
- detecting and responding to intrusions;
- supporting the coordinated improvement of security.
The principal objective of the sector is the continuity of service (and of supply) to the country.
The other, implicit objectives are:
- widespread awareness and information sharing;
- improved preparedness and resilience;
- plans and tests for continuity of service and for emergency management;
- clearly defined roles across the entire sector for the management of responsibilities and emergencies (at public and private level);
- analysis of the interdependencies and cooperation in managing them (note: specific reference is made to the need to incorporate the interdependencies in the emergency plans);
- increased trust of government and citizens in the sector's capability (effectiveness and efficiency) for response and continuity.
The principal critical points detected may be resolved by:
- continued improvement of access and transport possibilities towards and within crisis areas, to assist relief and restoration;
- training in the intelligent use of resources in crisis areas, to avoid accidents and support the emergency relief teams;
- increased communication resources in crisis areas (with transportable and interoperable systems and with defined priorities for use of the available channels);
- increased capabilities for coordination, planning and sharing of prevention information.
The interdependencies indicated are towards the following sectors: transport, finance, government, communications, IT, water and dams. Many infrastructures of this sector depend on other infrastructures of the same sector.

10. Government facilities
The sector is composed of an extremely high number of structures (around a billion square metres and three hundred million hectares, 87,000 separate structures) located at home or abroad, some open to the public and others not, but in any case rich in information, processes, materials and highly vulnerable equipment.
The programme provides for initiatives for the census of structures at the various levels of territorial government, for information sharing, for compiling and sharing emergency plans and for research and development activities. The objectives are: risk management at all levels of government, cooperation between all levels of government, sharing of information on possible threats gathered by the intelligence services, integration, development of response capabilities and optimization of the use of resources. The role played by the image of such structures in the eyes of citizens during a crisis is explicitly indicated: a malfunction would seriously damage the trust that citizens have in the institutions. Furthermore, the structures concerned with education share a programme for instruction in schools and for the management of the emergency cycle in its four phases: prevention, preparedness, response and recovery. The interdependencies indicated are towards the following sectors: energy, water, IT and communications.

11. Information Technology
The sector is highly critical, mainly because it accounts for 7% of GDP and directly influences banking, the government sector and emergency response. The critical points are mainly tied to the confidentiality of information and to the continuity of service. The programme works to ensure that any interruptions or manipulations of the system are brief, infrequent, manageable, geographically isolated and of minimal consequence. To this end, cooperation with the other sectors and public/private integration is fundamental.
The principal objectives are:
- prevention and protection through risk management procedures;
- situational awareness and knowledge;
- response, recovery and restoration;
- effective and efficient investment in shared projects;
- increased resilience of the shared resources and of the supply and support chain;
- increased creativity in the response to threats;
- improved traceability and identification of the actors behind any attacks;
- coordinated management of the national and international connections between physical and virtual networks;
- information sharing to prepare against extremely variable threats;
- constant monitoring and mitigation of the consequences of attacks.
The interdependencies indicated are towards all sectors, owing to their dependence on IT. The intrinsic resilience of the networks and their interconnection and interdependency are explicitly cited as factors of the greatest importance. The dependence on the telecommunications networks has already been emphasized. In the writer's opinion, there is also an interdependency with the energy sector.

12. National Monuments and Icons
These structures are highly representative. After 11 September, the departments responsible for them (chiefly the Department of the Interior) have considerably increased the levels of security and protection, seeking to minimize the impact on public enjoyment of these structures. The balance between aesthetic, security and public-benefit factors aims first and foremost at deterring terrorist attacks on such targets and at preserving the image that these structures convey.
The objectives of the programmes are:
- identify the structures;
- identify roles and responsibilities;
- carry out risk assessments on the structures;
- increase communication with the intelligence services and law enforcement;
- ensure the coordination and cooperation of those belonging to the sector;
- establish and maintain inter-sectoral coordination;
- integrate security technologies that meet the sector's requirements in terms of social impact;
- develop flexible programmes for the seasonal needs and the large events of the sector;
- protection against insiders and protection of visitors;
- develop and keep the emergency plans up to date.
The sector, however, involves all levels of government: federal, state, regional and municipal. The investments made after 11 September now require further investment to maintain the security levels reached. The interdependencies indicated are towards the following sectors: energy, water and the commercial sectors already mentioned.

13. Nuclear reactors, materials and waste
The sector has had, from its beginnings, security plans and extremely high standards of prevention and protection. A national Commission exists for the sector, which sets the standards and checks the compilation, observance and performance of the security plans. The Commission also has well-established processes for identifying financial strategies, allocating resources and defining priorities.
The objectives of the sector programme are:
- establish permanent and robust collaboration and communication between all those responsible and competent for security and for emergencies;
- identify dependencies and interdependencies with other sectors;
- increase public awareness and knowledge of this sector, of its security measures, of the consequences and of the actions to be taken in case of contamination;
- improve the methods for detecting and tracing radioactive materials in order to prevent illegal use;
- develop, together with the intelligence services and law enforcement at all levels, measures to prevent terrorist attacks relating to the sector;
- protect the communication networks and the ICT control systems used by the sector;
- use defined procedures for setting funding priorities that take the real risks into account;
- increase the response capabilities of private parties and of government at federal, state, regional and municipal level to nuclear and terrorist incidents.
The critical points indicated concern the need for an integrated emergency response by the different actors with competence in this regard, and the control and use of radioactive material. Finally, among the priorities, the urgency of international cooperation on protection measures is emphasized. The interdependencies indicated are towards the following sectors: energy (which influences and is influenced by this sector) and transport. Health is indicated as dependent on this sector for radiological applications. In the writer's opinion, the telecommunications networks and the IT sector could also greatly influence the correct functioning and management of this sector (reference is made to monitoring and remote control systems).

14. Post and shipping
This sector comprises numerous networks (single-mode and multi-mode) for collection, transport and distribution.
These networks may serve single predefined territorial areas or very vast areas at international level. Because of the size and number of the structures involved, it is impossible and not economically sustainable to make every part of the sector robust and resilient. The objective, therefore, is to build a strong sector in which detecting threats, localizing the consequences and minimizing the damage is easy and rapid. The sector must guarantee continuity of service, ease of use and consumers' trust in the security of their own activities. The objectives include:
- create, together with the intelligence services and law enforcement, an incident reporting mechanism;
- ensure that the intelligence services and law enforcement promptly communicate threats to the operators of the sector;
- develop mechanisms for inter-sectoral coordination on operational aspects and protection measures;
- implement security measures based on the real risk;
- prevent terrorists from entering the critical sites of the sector;
- detect and neutralize any RBC (radiological, biological and chemical) attacks;
- develop public/private cooperation;
- identify the actions and the sector priorities for the management of national and regional emergencies;
- strengthen cooperation with other sectors, to allow also the rapid detection, identification and decontamination of any agents;
- create a protocol for communicating with the public at federal, state, regional and municipal level, for prompt information on any incidents affecting the sector and for minimizing the effects of the consequences.
The priority of the sector is the resilience of the networks, to be obtained through information sharing, collaboration and efficiency in the use of resources.
The criticality is tied to the size of the sector (255 billion in cash flow every year) and to the influence that the timeliness and effectiveness of the system have on sectors such as pharmaceuticals, finance and productive activities in general. The interdependencies indicated are towards the following sectors: IT and communications (the sector has one of the most sophisticated mechanisms of data processing and tracking, developed for e-commerce and logistics) and transport. Sectors such as health, chemicals, finance and the government structures depend on this sector. A dependency on the energy sector appears evident.

15. Public Health and Healthcare
This sector concerns all citizens (mass health activities, vaccinations, emergency services, mortuary services, etc.) and alone accounts for 15% of gross domestic product (GDP). The priorities are tied to efficient coordination, both at international level and within the sector. The sector must always be ready to defend the population against deliberate attacks, natural disasters and epidemics, including those originating abroad. The general objective is the resilience of the system and the maintenance of the response capability of the operators and of the ordinary and extraordinary emergency structures.
The specific objectives fall into three categories:
- workforce security:
  - prevent terrorist attacks on the workforce, including attacks on the food and water supply, on pharmaceutical supplies and on radiological materials;
  - prevent terrorist attacks aimed at public health surveillance mechanisms, epidemic detection, protection from pathogens, and at the workforce while performing its tasks in the field;
  - protection of personnel from natural and man-made disasters;
- physical security:
  - foresee and forestall attacks from insiders;
  - protect the structures from natural and man-made disasters;
- cyber security:
  - forestall illegal use of the information and data systems;
  - defend the structures from deliberate cyber attacks;
  - protect the systems from natural and man-made disasters.
The principal critical points are tied to public/private cooperation, to the fragmentation of the sector and the multi-faceted characteristics of the structures concerned, to the involvement of all levels of government and to the relationship with law enforcement and other public authorities for the management of mass quarantine and vaccinations. In addition, during national emergencies all sectors depend on this one. The interdependencies indicated are towards the following sectors: transport, energy, communications, IT, water, emergency services and government structures.

16. Transportation Systems
This sector comprises four million miles of roads and expressways, one hundred thousand miles of railway lines, five hundred thousand railway stations, six hundred thousand bridges, five hundred civil airports, etc. After 11 September this sector has had to drastically increase its levels of security and surveillance, and this has required greater cooperation between the various sectors.
The general objective is the security and resilience of the transport systems in guaranteeing the availability of movement for citizens and goods. The specific objectives are:
- prevention and detection of terrorist attacks;
- resilience of the transport systems;
- improvement of the cost-effectiveness and efficiency of the sector in terms of security.
In the use of resources and the allocation of funding, budget priorities must be assigned on the basis of these objectives. The importance of reporting on the extent of the results, of research and development, and of international intra-sectoral and national intra-sectoral public/private collaboration must be underlined. The interdependencies indicated are towards the following sectors: energy (which, in its turn, also depends on the transportation systems sector). Almost all the sectors depend on the energy sector, while this sector strongly depends on international and worldwide cooperation across the existing transport networks.

17. Water
This sector has more than 160,000 drinking water utilities and 16,000 wastewater utilities. 84% of the population receive drinking water from these structures and 75% have their waste and drain water treated by them. Many protection plans for the physical, human and cyber security of the sector have been developed over the years. Databases on drinking water and on wastewater treatment exist at the Environmental Protection Agency: these databases will be fundamental for the census of the sites and for the process of evaluating the sector's security levels. The general objective is the robustness and resilience of the sector, with efficient prevention and detection mechanisms and widespread recovery capacity.
The specific objectives are:
- sustain the protection of the environment and public health;
- recognize and reduce the sector's risks;
- maintain the resilience of the infrastructures;
- increase communication and information to the public.
The plan also defines certain action priorities:
- identify a manageable, priority-based list of the contaminant threats and of the resulting scenarios that could affect the sector;
- develop contaminant identification systems;
- develop innovative monitoring technologies;
- increase intrusion surveillance and detection systems.
Furthermore, the priorities are centred on sites serving more than one hundred people. The critical points are tied to intra-sectoral competition in the allocation of resources: security is seen not as a cooperative instrument but as a competitor of other cost items, generally tied to the maintenance of the installations, to communication and information sharing, and to inter-sectoral cooperation (no shared sources exist in the sector). The interdependencies indicated are towards the following sectors: energy, chemicals, health, IT, telecommunications and dams. On the other hand, the emergency and health services depend on this sector.

Looking at the summary table of interdependencies, we note that the most crucial sectors for the stability of the system are communications, energy, information technology, public health and transportation. In particular, for the Homeland Security Department the most strategic sectors (100% interdependency) are public health (without the workforce, all the other sectors would be in difficulty) and information technology, followed by energy (70%), communications (65%) and transport (60%). According to the writer, the interdependency percentages of energy and communications are even higher: energy (100%) and communications (76%).
Let us draw a parallel between the sectors identified by the European Union and those identified by the HSD: ICT and water are each split in two in the American case, and many others have a clear parallel, even though the American definitions are broader in the chemical and nuclear cases. A direct parallel with space and research facilities is lacking on the American side (in part they come under government facilities), while numerous items (among them public administration and emergency services) are lacking on the European side.

3. A closer examination of the information security and outsourcing aspects of these services
We have seen that ICT (information technology and communications) is of fundamental importance for all the other sectors. Most ICT users are unable to meet their own needs in a completely autonomous manner (relying partly on commercial telecommunications). Furthermore, very often the ICT security system/service is also purchased from outside, entrusting to third parties the definition of security policies and procedures and their control.
In all cases of outsourcing (of ICT services and products and/or of ICT security), the security aspects on which to focus attention when drafting the contract are the following:
- definition of the physical and logical perimeter of the provider's activities;
- definition of the security responsibilities, within the specific scope of the service offered;
- protection of the information assets and implementation and maintenance of suitable logical, physical and organizational countermeasures, with the related performance guarantees and reporting arrangements;
- unilateral/bilateral confidentiality and intellectual property;
- management of subcontracting: either a prohibition on subcontracting or a security guarantee on the part of the subcontractors;
- compliance with legislative requirements and reference standards;
- privacy responsibility, as required by law;
- definition of a suitable incident management process;
- right of the organization or its delegates to audit and monitor;
- business continuity requirements;
- flexibility of the services with respect to changes in business and/or security requirements, and definition of a change management process;
- level of training and security awareness of the personnel employed;
- control of turnover frequency.

3.1 General guidelines for an SLA
An SLA must contain the sections listed below.
Duration of the agreement
Process owners on the client side for the management of each service, who ensure that the service agreements are respected.
Description of the service
This section contains a detailed description of the services and of the respective agreements for each of them, with sub-sections for the commercial attributes or security practices that are independent of the specific service and apply to more than one service.
For each service the key descriptors are included, as follows:
1) Definition: a precise, unambiguous description of the service that is to be delivered, measured and documented.
2) Measurement intervals: the points in time (day, date and hours) at which the measurements of the service are carried out.
3) Responsibilities: specify the roles and responsibilities of the client and the provider, which must ultimately be consistent with the service agreements. Identify who is responsible for taking the measurements and how each measurement is validated. Identify the primary and secondary points of contact for both organizations and, likewise, for any sub-providers.
4) Service level metrics: the measurements and measurement intervals for the contracted service, such as response time and service availability. Service levels are normally described as the respective percentage over a period of time. These metrics must be calculated on the performance of the individual resources and not on aggregates of multiple resources.
5) Measurement formulae: describe the equations that will be used and the measurement tool used by the provider, subject to written confirmation from the client that the tool is acceptable.
6) Shared services: when multiple clients share the same service resources from a provider, excessive consumption by one client could affect the services of another. This can be addressed with a guarantee of adequate capacity from the provider, with a throttling mechanism that blocks demand exceeding the service limits, or with an option to purchase exclusive access to the service.
7) Information sources: this section describes where the measurement data are collected, what is collected, how they are stored and who is responsible for collecting them.
8) Escalation: describes whom to notify when out-of-specification situations occur.
9) Contractual exceptions, credits and penalties: this section describes all the negotiated exceptions, credits and penalties included in the SLA that apply to the service in question. It indicates the reporting responsibilities of clients and providers.
10) Credit/penalty calculation formula: describes the mathematical formula used, with an example. If the client or the provider uses priority or severity codes, these are included in this section.
Service level management
This documents the processes needed to manage the service levels. It also includes the event or time interval that triggers the execution of each process.
1) Tracking and reporting of the measurements.
2) Problem escalation and dispute resolution.
3) Service change requests, including renegotiation of the service measurement terms.
4) Implementation of new services and new service levels.
5) Service level review process.
6) Approval process.
Roles and responsibilities
This section describes the general roles and responsibilities of all parties that are not covered by the definition of the service levels above. This includes the clients, the providers, each sub-provider and each governing committee or key stakeholder who manages this contract. In particular, the clients, as the principal actors, should as part of their responsibilities provide:
- complete and detailed information on their infrastructure and on the environments in which the provider's services will be placed;
- complete and prompt information on any changes or problems (such as network configuration updates, problems with the Internet connection, identification of any vulnerable points, anomalous network activity, etc.).
To this end an approach that also considers the following aspects is suggested:
- disaster recovery plan;
- backup data centre;
- physical security;
- protection of people and goods;
- policy management.
by www.wdr.de/online/
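The availability metric of point 4, the contractual exclusions of point 9 and the credit/penalty formula of point 10 in the SLA guidelines above lend themselves to a worked example. The following is an added illustration written for this page, not code from the article or from any provider's SLA: it computes availability per resource over one measurement window, nets out an agreed maintenance window as a contractual exclusion, compares each result with the target, maps the shortfall to a severity code and a service credit, and shows why the pooled figure the guidelines reject can hide a breach on a single resource. The resource names, outage times, the 99.0% target, the monthly fee and the credit schedule are all constructed assumptions.

```python
"""Per-resource SLA availability and service credits (added example, constructed data)."""
from datetime import datetime
from typing import Dict, List, Optional, Tuple

Interval = Tuple[datetime, datetime]


def _minutes(start: datetime, end: datetime) -> int:
    """Whole minutes between two instants; zero when the interval is empty or inverted."""
    return max(0, int((end - start).total_seconds() // 60))


def _overlap(a: Interval, b: Interval) -> int:
    """Minutes shared by two intervals."""
    return _minutes(max(a[0], b[0]), min(a[1], b[1]))


def counted_downtime(outages: List[Interval], exclusions: List[Interval], window: Interval) -> int:
    """Downtime minutes inside the measurement window, net of contractual exclusions
    (point 9: an agreed maintenance window is not charged against the provider).
    Exclusion intervals are assumed not to overlap one another."""
    total = 0
    for start, end in outages:
        clipped = (max(start, window[0]), min(end, window[1]))
        minutes = _minutes(*clipped)
        for exclusion in exclusions:
            minutes -= _overlap(clipped, exclusion)
        total += max(0, minutes)
    return total


def availability_pct(downtime_minutes: int, window_minutes: int) -> float:
    """Availability as a percentage of the window (point 4), rounded to 3 decimals."""
    return round(100.0 * (window_minutes - downtime_minutes) / window_minutes, 3)


def per_resource_availability(outages_by_resource, exclusions, window) -> Dict[str, float]:
    """The metric the guidelines require: one figure per individual resource."""
    window_minutes = _minutes(*window)
    return {name: availability_pct(counted_downtime(outages, exclusions, window), window_minutes)
            for name, outages in outages_by_resource.items()}


def aggregate_availability(outages_by_resource, exclusions, window) -> float:
    """The metric the guidelines reject: one figure pooled over all resources,
    computed here only to show how it masks a single failing resource."""
    window_minutes = _minutes(*window)
    downtime = sum(counted_downtime(o, exclusions, window) for o in outages_by_resource.values())
    return availability_pct(downtime, window_minutes * len(outages_by_resource))


# Hypothetical severity codes and credits (point 10): upper bound of the shortfall in
# percentage points below target -> (severity code, credit as a fraction of the fee).
CREDIT_SCHEDULE = [(0.5, "S3", 0.05), (2.0, "S2", 0.10), (float("inf"), "S1", 0.25)]


def service_credit(measured_pct: float, target_pct: float, monthly_fee: float) -> Tuple[Optional[str], float]:
    """Severity code and credit owed for one resource; (None, 0.0) when the target is met."""
    shortfall = target_pct - measured_pct
    if shortfall <= 0:
        return None, 0.0
    for upper_bound, severity, fraction in CREDIT_SCHEDULE:
        if shortfall < upper_bound:
            return severity, round(monthly_fee * fraction, 2)
    raise AssertionError("CREDIT_SCHEDULE must end with an unbounded tier")


def sla_report(outages_by_resource, exclusions, window, target_pct, monthly_fee):
    """Per-resource availability, severity and credit for one measurement window."""
    report = {}
    for name, pct in per_resource_availability(outages_by_resource, exclusions, window).items():
        severity, credit = service_credit(pct, target_pct, monthly_fee)
        report[name] = {"availability": pct, "severity": severity, "credit": credit}
    return report


# Constructed sample data: one calendar month of outages for three hypothetical resources.
WINDOW: Interval = (datetime(2024, 3, 1), datetime(2024, 4, 1))  # 44,640 minutes
EXCLUSIONS: List[Interval] = [(datetime(2024, 3, 17, 1, 0), datetime(2024, 3, 17, 3, 0))]  # agreed maintenance
OUTAGES: Dict[str, List[Interval]] = {
    "web-01": [(datetime(2024, 3, 5, 2, 0), datetime(2024, 3, 5, 2, 30))],    # 30 min
    "web-02": [],
    "db-01": [(datetime(2024, 3, 10, 0, 0), datetime(2024, 3, 10, 18, 0)),     # 1080 min
              (datetime(2024, 3, 17, 1, 0), datetime(2024, 3, 17, 3, 30))],    # 150 min, 120 excluded
}
TARGET_PCT = 99.0      # hypothetical contracted availability
MONTHLY_FEE = 4000.0   # hypothetical fee per resource

if __name__ == "__main__":
    for name, row in sla_report(OUTAGES, EXCLUSIONS, WINDOW, TARGET_PCT, MONTHLY_FEE).items():
        print(f"{name}: {row['availability']}% severity={row['severity']} credit={row['credit']}")
    print(f"aggregate: {aggregate_availability(OUTAGES, EXCLUSIONS, WINDOW)}% (meets target, hides db-01)")
```

With these inputs db-01 falls to about 97.5% and earns an S2 credit, while the pooled figure over all three resources is about 99.1% and would pass the 99.0% target unnoticed; that gap is the reason point 4 insists on per-resource calculation, and the explicit exclusion list is what keeps point 9 auditable rather than negotiated after the fact.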