Priorities for the EU in securing critical national infrastructure


Presentation Transcript

White Paper:

Critical National Infrastructure Security: Challenges & Priorities for Europe & the Union
February 2011
Themes: Structures & Mechanisms; Governance & Framework; Policy & Strategy; Intelligence Sharing

Slide 2:

Security in Europe requires a regional solution

Investment in physical security is slower than expected and to a degree it has fallen victim to the current economic climate. Cyber security investment is a clear priority within both the public sector and the private sector. There is a clear and substantial deficit in investment for the protection of critical national infrastructure. Taking a macro view of Europe and its security reveals more about the very complex pattern of factors that need to be addressed in order to create a more secure environment for European critical infrastructure through greater investment. One conclusion is that the private sector is not investing enough to secure the national assets that it has the privilege to operate, and greater directive management from government needs to be introduced. In countries where critical infrastructure is still under public ownership there is also a lack of investment, but this may be for entirely different reasons, and it points towards some consistent factors that are restraining investment among European member states. So while the problem of targeting investment at the appropriate security measures varies by country, it is a European problem and requires a coordinated European solution.

Investment in energy transport & storage is considered critical to national energy strategies. The increasing interconnectivity of infrastructure across Europe and beyond is exerting pressure on requirements for infrastructure security as much as political pressure on energy sourcing strategy. To create greater security requires strategy, awareness, organisation, resources, and investment. Each provides its own challenges on a national level, but not the solutions to cross-border issues. When security is approached on a European level (as it must be), it is instinctive to assume that the barriers or distortions are multiplied. However, the opportunity exists to leverage the advantages of European organisation to deal with security matters. While some see this as a necessity, others are quick to point out that the ambition is fraught with barriers and complexities. Security is both a European and a global problem, and requires a large-scale solution to civil defence, infrastructure protection, energy security, and cyber attack. The greatest challenge is to act quickly to establish consensus, boost investment as security risk increases, and inject a sense of urgency that needs to effect change within three years.

Slide 3:

The Challenge: Weakness in European Mechanisms

As this issue becomes more critical the defence of European interests will increasingly require formal integration into a coordinated policy. Europe will always struggle with internal cultural & governance differences, and issues of sovereignty will always challenge efforts to integrate European efforts to create regional policy on defence & security. In spite of crisis response mechanisms that have fostered collaboration & communication, it is near-impossible to create complete alignment, with no other precedent in a European community without full political and economic integration, and with conflicting priorities for foreign & domestic policies.

The most serious threats to critical infrastructure are trans-border and affect ‘clusters’ of member states, and the major threats that Europe will face from 2011 expose the weakness of European mechanisms and structures to deal with them. The threats are evolving faster than the steps to mitigate them, or the development of relevant scenarios to support vulnerability assessments for critical infrastructure & national networks. It is therefore unsurprising that investment in security lags the real requirements. Policy coordination is hindered by protracted multi-stakeholder dialogues and a disparate array of institutions that create ‘pockets’ of consensus, but with limited effect on the incremental progress towards integrated regional security. The constant challenge remains to balance investment in security of the assets in proportion to the investment in the infrastructure itself, but this balance is markedly absent. One of the main issues that characterise this imbalance is the lack of a uniform regulatory framework and an inadequate but evolving governance structure to address security issues. The new security threats reflect a dangerous union of terrorists, enemy states, and organised crime, which challenges the different crime, security, and intelligence organisations to combine their very different efforts and approaches to tackle security more cohesively.

Slide 4:

The Challenge: Integrating Strategy

[Diagram: Critical National Infrastructure Security Strategy, relating National Security & Defence Strategies, the European Defence Strategy, the European Critical Infrastructure Protection Strategy, and National Critical Infrastructure Protection Strategies]

Critical national infrastructure consists of many distinct but interdependent sectors with varying degrees of public and private stakeholder involvement due to the scope of private sector ownership. The goal of harmonising security & investment strategies among all security programs presents the most significant challenge. While the expansion of capacity is more naturally harmonised through demand forecasting, there are fewer incentives for developing security investment plans in tandem, and this creates sector-specific vulnerabilities where one sector can ultimately represent a liability to another. There is an existing debate around European energy sourcing and supply strategy, and this may be a leading conduit for aligning European objectives. Among member states this needs to be mirrored in security & protection strategies for critical infrastructure, where the challenges and investment requirements are more immediate. By extension, this needs to fit into comprehensive national security and defence strategies, which will need to balance or integrate with regional security & defence priorities through NATO or the European Defence Agency; and then between attempts to synchronise critical infrastructure protection strategies at a European level, and member states’ individual scenario preparations that require cooperation between neighbouring states and their agencies.

It is doubtful whether effective national coordination can be achieved without public sector leadership. In the current financial climate, investment stimulus may be required to achieve the pace of evolution required to mitigate the rapidly evolving threats. Governments and relevant regulators need to take a more directive role, working with owners, operators, and firms offering security solutions, but the question remains: towards which strategy? Trying to reconcile the conflicting national priorities will lead to a diluted European position. Working top-down through a European Security Committee may be more effective.

Slide 5:

Priorities for Europe

[Diagram: The Priorities for European Organisation, comprising Investment Strategy, Risk Agenda, Intelligence & Collaboration, Capabilities, Organisation, Member States, and Methods]

To boost investment and improve security requires a European strategy that will address cross-border issues, define the priorities, and set the rationale for member states to implement the appropriate steps. The cyber threat has highlighted the need for a legal framework for tackling perpetrators and for preventing & deterring attacks. This needs to be a key tenet of a security strategy, whether within a national civil security paradigm or a national defence strategy. The resilience of European energy & ICT systems requires more than a tacit recognition of the need for investment: it requires a broad multi-stakeholder engagement & consensus around a full risk agenda. An effective & holistic risk process will provide the rationale to justify further investment, while maintaining the balance & focus between areas of investment. The foundation of a European risk agenda needs to be risk analysis. If Europe is to develop more effective anticipation of threats, it requires greater situational awareness of the threats through technical capabilities, and shared knowledge through appropriate collaboration on risk analyses. A cornerstone of collaborative multi-agency practices needs to be the sharing of appropriate risk & threat intelligence. Europe needs to take a further step towards pan-regional cooperation on scenario-building, vulnerability assessment, contingency planning & exercises. To be effective this needs to be matched with the capabilities to define strategy and take action. Achieving both is unlikely without a more empowered institution, a more effective organisation of existing bodies, or an EU security committee to represent European security. The more significant challenges to European integration of efforts to secure critical infrastructure extend through the full spectrum of legislative, organisational, & political factors. To envisage a way forward around and through all the barriers requires consensus, action, and leadership from the EU.

NATO is a suitable third party to facilitate change in ways that will provide both specific capabilities and the overt leadership and identity, through a long-established organisational structure, for European critical infrastructure security. Decisions taken in the next 18 months will have a profound effect on the direction of the European security agenda.

Slide 6:

Priorities: Critical National Infrastructure Security Investment in Europe

On national levels, the operators are already challenged to work with many stakeholders to coordinate objectives and capacities to ensure safety & security. The strategic imperative for governments is to task the operators with ensuring their own organisational security as an integral part of national security. In some sectors, like transport & energy, this needs to move beyond efforts to create awareness around core business processes & benefits, and take on a more directive approach to have any hope of achieving national business continuity and risk management objectives in the next 5 years. This requires a much more coordinated dialogue through governments and European bodies to create consistency among the different sectors of national infrastructure. In some sectors where there are trans-border infrastructure development projects and more complex interdependencies, it may also be more effective to engage in defining responsibilities and coordinating interagency preparations through government channels. This is particularly the case with security and intelligence services.

Governments have preferred to avoid legislation as a route to ensuring infrastructure resilience, even though it has proven effective for health & safety objectives, and compliance is seen to be an effective driver of investment in other sectors like port security. It is also far more potent in effecting rapid change than dialogue or consultation across many interdependent industries, not least because of different approaches among government departments to investment, dialogue, and security. Legislation would therefore create a homogeneous requirement and standards for tasking the private operators. In the absence of distinct legislation, the challenge for governments is to ensure that infrastructure owners are held accountable for their decisions on security investments, and for risk management of the critical infrastructure that they operate for the national good. In some sectors [like transport in the UK], where owners face the potential loss of a franchise, it is much more effective for government and regulators to set expectations and penalise failure. But there are few that advocate this approach, or believe that it can be implemented across current private sector companies without it being seen as partial re-nationalisation. Ironically, the current UK government scrutiny of banking sector bonuses, subsequent to the emergency bailouts which effectively brought some banks into partial public sector ownership, demonstrates what steps governments will take when faced with a crisis and an absolute need to act. While experience is seen as the best teacher, governments can ill afford to await a catastrophic event of terrorism or sabotage before creating a framework of ownership and responsibility that will yield the necessary results of capacity growth and security. In the meantime, governments face challenges in setting objectives and standards across different interdependent sectors with different ownership structures, not least because of the potential objection to steps that may affect competitive advantage in different sectors.

One of the most current issues is information assurance & cyber security, which differs considerably from physical security. The recent rise in profile of cyber risk, and the rush of investment to mitigate cyber risk at the expense of physical security investment, has demonstrated that investment does respond to immediate needs, but there is the potential for an inappropriate balance in trade-offs within security investment. Some oversight could ensure that cyber and physical security investment remain appropriate to the dynamic risk environment that differs within each sector. Moreover, while information & cyber risk affects all critical infrastructure operations, it is the bedrock of ICT upon which all sectors are now dependent. This creates a distinct focus on the ICT technology industry and the infrastructure operators to lead the development of standards, and to carry considerable responsibility for mitigating many national network risks, which may be better achieved through government moderation or facilitation.

Slide 7:

Priorities: Critical National Infrastructure Security Investment in Europe

One commonly quoted priority for the EU to address is the ubiquitous term of ‘standards’. The issue of standards can apply to technical standards for systems, standards for risk assessments, and standards for measurement of performance, among others. This debate is well documented and this report does not intend to elaborate significantly on this point, though it is important to identify this issue as a factor that is seen to hold back investment and divert attention from other priorities. A similar issue is evident in other sectors of industrial automation & process control. Without any intervention it has taken over 10 years of evolution for the system vendors to make any progress towards standards that enable true interoperability and plug & play capability. The reality is that some vendors do not wish for industry system standards, because of the potential competitive advantage of each of their own proprietary standards, which would point towards the need for standards to be set externally. There is no doubt that this timeframe cannot be tolerated in the current security climate. However, infrastructure systems are now considered more vulnerable because of COTS, particularly in cyber terms through SCADA, DCS, and other systems [many of which originate from the aforementioned industrial automation vendors], and there is now a call for extra layers of customised control system to mitigate the risk. Nevertheless the right common standards will clearly accelerate the implementation of more integrated systems, and ease the trans-border, supply chain, and cross-sector cooperation required in the future. This also extends to the standards of security and BCM that need to be achieved, and a standard approach required to developing OSPs.

However this needs to be accompanied by a recognition among the operators themselves that they cannot embrace more holistic risk mitigation practices if they do not find ways to collaborate with other operators, and will not achieve high levels of resilience that will assure consumers, regulators, or investors that they aspire to high standards of security preparedness and awareness. While operators publicly recognise the importance of security, in practice their investment in security and awareness of more advanced capabilities demonstrates that their focus is lagging, there is a continued reluctance to invest preventatively in countermeasures to converged risk, and many fail to implement all the recommended basic and intermediary security measures. To combat this, regulators need a common approach for evaluating current standards for security attainment, including the assessment of Security Measure Adoption Rates (SMARs), which could usefully be set more specifically at European level. Similarly, regulation that requires operators to disclose infrastructure-related security investments would encourage all operators to allocate appropriate spend to security of operations information infrastructure, and training on security hygiene factors. Where operators fail, there should be a greater likelihood of public sector intervention to ensure that operators fulfil expectations for infrastructure protection. A useful step would be to ensure that demonstrating appropriate security investment becomes a prerequisite for further infrastructure investment and price adjustments. Moreover a common approach would need to limit the detrimental impact on security investment that economic regulators could have if they set regulatory incentives that are primarily to control price rises to the public.

To consider an opposing view, national bodies can provide a constructive support role in risk assessments, through strategic & intelligence assessments, and more operational assistance, particularly in the cyber domain, where government cyber capabilities could potentially prove more effective and certainly more advanced than those of operators. It would be a positive step for the European Community to provide tax or regulatory incentives for security investment that is required to fulfil European civil protection or critical infrastructure plans, which already exist in some countries.

Slide 8:

Priorities: Critical National Infrastructure Security Investment in Europe

The more current issue is the need to develop a broader adoption of more comprehensive and holistic risk assessment methodologies. The focus on resilience is crucial to reducing the vulnerabilities in the system, both through awareness of the potential threats and through security surveys and audits, which will always prove more effective than internal reviews and will increase transparency & confidence. To take a more comprehensive view of risk, operators require more detailed situational awareness and tactical understanding of the threats they face, throughout their supply chain, and through cross-sector dependencies at national and international levels. Pan-European transport and energy systems in particular require planning and investments in contingency and crisis management capabilities, as trans-border connectivity grows. National government agencies can support operators and associations with risk and vulnerability analyses, but the greater challenge lies in creating an effective European forum for the sharing and exchange of confidential or classified intelligence on critical infrastructure risk and trans-border scenarios. However, a successful framework will require a broader and more effective system of governance, as there is currently a lack of adequate institutional support for networks and forums for exchanging classified information on risk and vulnerability. In the current threat climate it is increasingly important to focus attention on detection & prevention, more than response. The urgent focus on risk needs to tackle differences among member states about what constitutes a risk, how probability and vulnerability should be measured, and effective modelling of potential impacts. Consensus on these aspects is a precursor to reaching conclusions upon which member states can develop policy, and Europe can coordinate action.

To further support risk assessments, a final endorsement of a common European risk assessment methodology would support all operators and play a key role in broadening the effectiveness and scope of risk and vulnerability analyses. As there is a direct correlation between the conduct of effective risk assessments, effective scenario exercises, crisis simulation, and the justification for investment in security as well as redundancy, more direct national and European support and coordination in this would support the investment outlook. Similarly, a collaborative approach to conducting regular cross-border exercises that test the capabilities and limitations of multi-agency coordination and response to an attack on a critical infrastructure node needs to be based on real scenarios, and conducted against common assessment criteria. This would be evident not only between interdependent sectors like ICT and electricity companies, to identify, assess, and address shared vulnerabilities, but also for operators engaging with tier-one clients to identify risks and shared concerns. While individual operators can and should conduct increasingly elaborate exercises based on realistic operational scenarios, government has a vested interest in ensuring that scenarios test the effectiveness of command & control systems, which can prove difficult to integrate with a multitude of external agencies that may be relied upon to respond to an incident. Current control room technology is deficient in terms of providing advanced joint situational awareness, functionality, and integration. Hence this is one specific area where investment should be prioritised, common standards & protocols agreed, and integrated risk & contingency planning harmonised and evolved under the auspices of relevant national and European bodies.

Well-structured exercises can highlight the exact interdependencies of a scenario, and inform stakeholders of the intricacies of those relationships that need to be managed under crisis conditions to avoid ‘cascade’ effects of an incident affecting one piece of infrastructure. The increasing call for ‘resilience’, either by design or by effective response to crisis, calls into question the assumptions that underlie current risk assessments, and the validity of current risk-informed decision-making.

Slide 9:

About The Solomon Barnes Consultancy (www.solomon-consulting.com)

The Solomon Barnes Consultancy is a European-based analysis & consultancy group. The group’s capabilities are built on a trusted European network of associates: all defence & security analysts, with subject matter expertise across a wide variety of different markets & disciplines for major companies and organisations requiring analysis & consulting on the defence and security domains. Our staff have held positions within leading consulting & strategy firms and leading vendors, and with public sector, military, & security service organisations. Our expertise in applying intelligence to generate up-to-date assessments of risk and opportunities across technology, solutions, and threat domains builds on our access to unique sources, and relevant experience in defence & security operations and planning.

Readers of this report may be interested in the following services for Critical Infrastructure Security:
Risk & Resilience Consulting
Workshops & Scenario-Building
‘Red Team’ Exercises
Strategy Consulting
Added Value Analytics
Airport Security
Border Security
Cyber Security
Seaport & Maritime Security
Critical Infrastructure Security
Energy Infrastructure Security
Mobile & Transport Security
Mass Events Security
Building Security

For more information contact: info@solomon-consulting.com

Disclaimer

The facts of this report are believed to be correct at the time of publication but cannot be guaranteed. The data, findings, and conclusions that the Solomon Barnes Consultancy produces are based on intelligence in good faith from both primary sources and trusted secondary sources whose accuracy we are not always in a position to guarantee. As such the Solomon Barnes Consultancy can accept no liability whatever for actions taken based on any information that may subsequently prove to be incorrect. All Rights Reserved.

This report has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, Solomon Barnes Consulting, its directors, associates and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. All Rights Reserved. © Solomon Barnes Consultancy

Slide 10:

Join us at Critical Infrastructure Protection 2011 for a Workshop on Converged Risk Assessments & Exercises