3. State of play in the governance of critical infrastructure resilience

This chapter provides an overview of critical infrastructure resilience policies across OECD countries. Based on a cross-country survey, the chapter takes stock of the various approaches taken by countries to define critical infrastructure, target specific infrastructure sectors and assess their criticality. The chapter also discusses the different forms of partnerships between government and operators and reviews the policy tools used by governments to foster critical infrastructure resilience.

    

Government critical infrastructure policies in OECD countries

Critical infrastructure strategies and programmes

Comprehensive multi-sectoral public policies to support the resilience or protection of critical infrastructures began to appear in the mid-2000. Out of the 34 OECD countries who responded to the Survey on the Governance of Critical Risks, 90% indicated that they have designated specific infrastructure sectors as critical (OECD, 2018[2]). Many OECD countries have defined critical infrastructure sectors, established an inventory of assets through a criticality and risk assessment process, and set-up national programmes to strengthen their resilience to shocks. Such programmes are usually built on a governance mechanism that allows information sharing between government and critical infrastructure operators and includes a combination of policy tools ranging from regulation to incentive mechanisms to support the implementation of critical infrastructure resilience objectives. A list of these national strategies or programmes is provided in Annex 1.

This section of the report goes into more details of how these national policies are designed and implemented, with the aim to provide a state-of-play across OECD countries. Country’s responses to the OECD Survey on Critical Infrastructure, conducted in 2017-2018, helped inform this section (the overall results are presented in Annexes 3.A to 3.D). Twenty-five OECD countries responded to the survey: Austria, Belgium, Canada, Czech Republic, Estonia, Finland, France, Germany, Ireland, Israel, Korea, Latvia, Luxembourg, the Netherlands, New Zealand, Norway, Poland, Portugal, Slovak Republic, Spain, Sweden, Switzerland, Turkey, the United Kingdom and the United States.

Definitions of critical infrastructure vary across countries

Defining critical infrastructure is a necessary first step in setting up a critical infrastructure security and resilience policy. As shown in Annex 3.A, official definitions of critical infrastructure vary across countries. Some definitions refer to critical infrastructure as infrastructure whose functioning is vital or essential to economic and social well-being, while others stress their importance for the functioning of the State or national security.

In half of the 28 definitions gathered from the survey and desk-research, critical infrastructure is described as a combination of both vital processes for societal well-being and a security concern of the state. The other half remain focused on societal well-being and safety only.

Another observation reveals the growing concern around interconnectedness and interdependencies of critical infrastructure and the need to adopt a system’s approach. This is found in many definitions that define in detail critical infrastructure as a combination of networks, systems, facilities, and technologies that contribute to delivering essential services or support vital functions. Other definitions also include the institutional or organisational structures supporting service delivery.

Although definitions vary, it may be agreed that an overarching notion of critical infrastructure means that a disruption will have severe consequences on socio-economic well-being and public safety, including national security. Australia, Canada, New Zealand, the United Kingdom, and the United States have developed a shared narrative and definition of critical infrastructure, also known as nationally significant infrastructure: the ‘systems, assets, facilities and networks that provide essential services and are necessary for the national security, economic security, prosperity, and health and safety of their respective nations (Critical Five, 2014[34]).

An important aspect is that definition of critical infrastructure should not be static and updating and revising this definition can be a response to a dynamic national and international risk landscape. For instance, Switzerland is currently reviewing and simplifying its definition to “Critical infrastructures are processes, systems and facilities that are essential for the functioning of the economy and the well-being of the population, respectively.” This simplification will allow to adjust the scope of its critical infrastructure programme to changing conditions more easily than before when the definition was more prescriptive. Similarly, in the United Kingdom, the definition has evolved to include impacts on national security, national defence, or the functioning of the state among the criteria to define critical national infrastructure.

What are the critical infrastructure sectors?

The aim of defining critical infrastructure is to target sectors that are most crucial to societal and economic security and stability. Along with the definitions, lists of sectors also vary across countries. A comparative table that maps out sectors deemed critical infrastructure allows to survey general trends and sectors that are more country-specific. The table in Annex 3.C presents a cross-country comparison of how countries differ on categorising critical infrastructure sectors, while Figure 3.1 makes a synthesis of the most commonly types of critical infrastructure sectors across OECD countries from the OECD survey.

Figure 3.1. Sectors of designated critical infrastructure across OECD countries
Figure 3.1. Sectors of designated critical infrastructure across OECD countries

Note: Answers received from 25 OECD countries.

Source: OECD Survey on Critical Infrastructure Resilience and Security (2018)

Some countries have a large number of critical infrastructure sectors, like the United States with 16 different sectors (White House, 2013[43]). Other countries can limit their critical infrastructure policy to two sectors only, such as Portugal, with only electricity and transportation considered as critical infrastructure sectors as per the provisions of the 2008 Directive of the European Council on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (European Council, 2008[44]).

Overall, six sectors are widely classified as being critical across OECD countries: information and communication technologies, energy, finance, health, transport and water. A second group of sectors, including government, food supply, chemical industry, or public safety, is mentioned as critical in at least half of the responding countries. Other sectors appear to be more country-specific. This includes law enforcement, nuclear, dams and food defence, critical manufacturing, the defence industry of the space sector that are not considered as critical for the functioning of society for a vast majority of countries critical infrastructure policies.

Similar to the generic definition of critical infrastructure, the list of critical sectors can evolve over time to address emerging vulnerabilities and evolving risks. Some countries also have decided to define general sectors as well as sub-sectors of critical infrastructures, which leads to differences in categorisation across countries. For example, Switzerland does not provide a separate category for the nuclear sector as would be the case in the United States, instead it is a sub-category in the energy supply and distribution sector. While these differences reflect national preferences, it can be important to better harmonise approaches across countries especially to favour transboundary and international cooperation on this policy issue.

Identifying critical assets and assessing their vulnerabilities

The next step of a comprehensive critical infrastructure policy is to define a systematic analytical approach to prioritise resilience measures for critical infrastructure. A prioritisation process includes several steps of assessment and can inform targeted planning and investment decisions. First, not all infrastructure assets have the same level of criticality. Criticality assessments should be conducted to identify assets, systems, and networks that are truly critical (DHS, 2013[45]); (Theocharidou and Giannopoulos, 2015[46]).

Identifying critical assets with criticality assessment

Criticality analysis should include an assessment of the impacts of the critical infrastructure disruption on a range of pre-established criteria. Several approaches are used across OECD countries. For instance, in Switzerland a first differentiation is done between the different sectors and sub-sectors with three categories of criticality (very high criticality, high criticality, normal criticality). In the Netherlands, economic, physical and social criteria enable to define the different critical infrastructure processes, but then a distinction is made between category A where disruptions can have large impacts and cascading effects and category B where impacts can be lower, in order to reflect the diversity within critical infrastructure and to set priorities. In terms of criteria, the European Commission defines a minimum set for critical infrastructure assessment, including public impacts, economic impacts, environmental impacts, interdependence, political impacts and psychological impacts (European Council, 2008[44]).

The important point in criticality assessment is to include an interdependency assessment, in order to identify the critical points of a system, or between different sectors that are essential to keep running when a crisis occurs to avoid cascading failures. Critical infrastructure dependencies and interdependencies can be physical when the state of one infrastructure is dependent on the material output of the other, but there can also be digital, geographic or logical dependencies to be considered in such assessment (Rinaldi, Peerenboom and Kelly, 2001[47]); (Macaulay, 2009[48]). Against this backdrop, it is important to develop models to estimate service loss, which requires to map out the functional links between infrastructure systems.

While interdependency analysis is an area where research is making significant progress, methodologies are not yet widely utilised across OECD countries: only 36% of the respondents to the OECD Survey indicated that they had identified dependencies (Figure 3.2). Argonne National Laboratory in the United States provides a useful overview on the different methods that governments and operators can use for such interdependency assessment of critical infrastructure (Petit et al., 2015[49]).

Figure 3.2. Mapping of critical infrastructure interdependencies across OECD countries
Figure 3.2. Mapping of critical infrastructure interdependencies across OECD countries

Note: Response to the question “Has your central government mapped interdependencies between different sectors of critical infrastructure?” across the 25 respondents to the OECD Survey

Source: OECD Survey on Critical Infrastructure Resilience and Security (2018)

Criticality assessment usually leads to the development of critical assets inventories, registers or maps, with different levels of classification according to their criticality. Most of the countries which have established critical infrastructure programmes and strategies, have set-up such inventories. For instance, in France, critical infrastructure are precisely referenced and located by the General Secretariat on Defence and national Security, and an effort to focus on the most critical ones led to reducing their number from more than 7000 to around 1500. There are also examples of transboundary mapping of critical infrastructure, such as at the European Union level, in the context of the EU Directive 2008/114/EC on identification and designation of European critical infrastructures and assessment of the need to improve their protection.

Conducting vulnerability analysis to identify weak points

Once critical assets are mapped out and hierarchically classified, vulnerability assessments enable identifying weak points where potential failures are likely to happen. A thorough vulnerability assessment of critical infrastructure provides insight into the most important risks, threats, vulnerabilities and degree of resilience of this infrastructure. To do so, it is fundamental to stress test critical infrastructure vulnerability to a series of risk scenarios of different likelihood, magnitude, or their combination, across a range of potential hazards and threats. These assessments consider the most likely scenarios, in addition to those that are less probable, but might nonetheless materialize.

A holistic, all-hazards approach can help uncover complex vulnerabilities. Canada’s national strategy for critical infrastructure equally stresses the need for an all-hazards risk analysis that takes accidental, intentional and natural hazards into account ( (Public Safety Canada, 2014[50])). It can be important also to integrate the vulnerabilities of governance systems of critical infrastructure in the analysis, as management failures during crises are all too common. The European Commission Joint Research Centre for instance has developed a stress-testing tool that focuses on these complex governance aspects with application in the nuclear and banking sectors. (Galbusera, Giannopoulos and Ward, 2014[51]).

Vulnerability assessments for critical infrastructures can be performed using a variety of methodologies. Box 3.1 provides examples of such methodologies from a series of OECD countries. These methodologies range from deterministic approaches to probabilistic methods. Deterministic approaches analyse and interpret historical disaster events and available retrospective data in light of new developments. Disaster scenarios and simulations expand on retrospective analyses.

Risk assessment as the basis for resilience investments

The identification of weak points allows prioritising where to concentrate resilience efforts in existing infrastructure systems: on failure points that would have the most severe consequences. Such prioritization can inform targeted planning and investment decisions, such as what infrastructure should be hardened or relocated first, or what infrastructure should receive priority restoration in the aftermath of a disaster to ensure rapid recovery (Verner, Petit and Kihaek, 2017[52]).

Risk assessment can be complemented to evaluate the benefits of investments in resilience or security to reduce risks, for both existing infrastructure as well as for new projects. By comparing the benefits of different resilience measures in reducing risk of failures, risk-informed cost-benefit analysis can support decision-making and resilience investment decisions.

Box 3.1. Critical Infrastructure Risk Assessment Methodologies in OECD countries

Critical Infrastructures and Systems Risk and Resilience Assessment Methodology (CRISRRAM).

CRISRRAM is a methodology developed by the European Commission. It takes an all-hazards and systems of systems approach, addressing risks and vulnerabilities of critical infrastructure at asset level, system level and society level. To tackle the complexity of risk assessments, CRISRRAM takes a scenario-based approach and recommends the assessment of all relevant single- and multi-hazard scenarios. To select the appropriate scenarios, Threat Likelihood Assessments should be done.

RAMCAP-Plus

The RAMCAP-Plus methodology was developed by the American Society of Civil Engineers as an all-hazards risk and resilience assessment approach. It encompasses all infrastructures factoring in the dual objectives of protection and resilience. The seven steps in the methodology are: asset characterization; threat characterization; consequence analysis; vulnerability analysis; threat assessment; risk and resilience assessment; and risks and resilience management. The tool has been designed for use by critical infrastructure operators and decision-makers alike.

DHS Regional Resiliency Assessment Program (RRAP)

The Regional Resiliency Assessment Program (RRAP) is a cooperative assessment of specific critical infrastructure within a designated geographic area and a regional analysis of the surrounding infrastructure to address a range of infrastructure resilience issues that could have regionally and nationally significant consequences. These voluntary, non-regulatory RRAP projects are led by the US Department of Homeland Security and are selected each year by the Department with input and guidance from federal, state, and local partners. This approach is being replicated in Canada.

Source: (Giannopoulos, Filippini and Schimmer, 2012[53]); (Theocharidou and Giannopoulos, 2015[46])

Sharing information on risks and vulnerabilities

Most OECD countries have established information-sharing platforms

Governance arrangements for strengthening critical resilience highlight the need for partnerships and platforms for facilitating information sharing and exchange of knowledge. The commitment of governments and operators to engage in dialogue about these issues through institutionalized, regular meetings has proven useful to build mutual trust based on shared interest, as well as to foster regular information sharing, joint exercises, situation awareness, coordination of actions, mutual assistance, sharing of equipment and emergency stocks.

Several countries have developed programs and approaches to foster trust-based connections between government and private owners and operators. Technical solutions, such as information sharing and collaboration web-portals can serve as a secure environment where private- and public-sector stakeholders can easily and regularly exchange data, information, and good practices relevant to critical infrastructure resilience (Bach et al., 2013[25]); (Lewis, 2006[54])).

The OECD Survey shows that 80% of the respondents have established such information-sharing mechanisms or platforms, most often on a voluntary basis. Box 3.2 provides examples of successful critical infrastructure stakeholder engagement and secure information-sharing approaches.

Challenges for effective information-sharing

Although information-sharing presents many benefits for better understanding and exchange of expertise to increase resilience of critical infrastructure, there remain several prevalent challenges.

Ensuring the security of the information shared from owners and operators of critical infrastructure is an essential component for building mutual trust, as some of this information may be important for competitiveness in the market or their image. As operators might not always be inclined to share sensitive information about their vulnerabilities and/ or their critical dependencies outside of safe circles, ensuring mutual trust and security of information shared is an important aspect to foster dialogue and exchange.

Equally important is to focus on the quality and not quantity of information that is shared through these mechanisms. The more clear and precise the information shared is, the more added-value it can offer to building resilience of critical infrastructure. All parties across government and private sector should see the benefits of this information sharing practice from their respective sides. Filtering through massive amount of information is less effective than sharing the most important elements about the security of critical infrastructure. Good quality information can create incentives to boost resilience.

Operators might be reluctant to engage in such partnership if they fear it will lead to extra costs that they will have to finance, once their vulnerabilities are known. Similarly, the risk that competitors do not engage in the process and free-ride on the increased level of resilience that it would lead can cause difficulties for operators to engage. Minimum security standards can help ensure that there are no ‘weakest links’ that could jeopardise the overall security of the system while also overcoming underinvestment in resilience and the lack of willingness to engage.

Box 3.2. Critical Infrastructure Stakeholder Engagement and Information Sharing

Seeking to facilitate efficient and effective relationships across stakeholder groups with shared responsibility for critical infrastructure resilience, several countries have developed programs and approaches to foster trust-based connections between government and private owners and operators.

• Australia’s Trusted Information Sharing Network (TISN) for Critical Infrastructure Resilience

The TISN provides a secure, non-competitive environment in which all critical infrastructure stakeholders can collaborate and engage in resilience building initiatives. The Network allows owners and operators across sector groups to regularly share information and cooperate within and across sectors to address security and business continuity challenges.

• Canada Critical Infrastructure Gateway

The Gateway meets one of the objectives under the Canadian National Strategy and Action Plan for Critical Infrastructure is the timely advancement of information sharing and protection among critical infrastructure partners. It is a collaborative, unclassified web-based workspace that includes members of the critical infrastructure community.

The European Union’s Critical Infrastructure Warning Information Network (CIWIN)

CIWIN is an information sharing system developed as a supporting component of the European Programme for critical Infrastructure Protection. The CIWIN facilitates the exchange of information on shared threats, vulnerabilities and appropriate measures and strategies to mitigate risk to critical infrastructure among European Union members and the European Commission. In addition to its information-sharing function, the CIWIN serves as a rapid alert system for early warnings regarding acute risks and threats.

• United States Information Sharing and Analysis Centers (ISACs)

Sector-specific ISACs may be extensions of the national-level government, as in the case of the U.S. Telecommunications ISAC, which is managed by the National Communications System within the U.S. Department of Homeland Security, or entirely run by industry as the is the U.S. Water ISAC, a non-profit extension of the water sector’s professional society. ISACs are viewed as a source for security-related best practices and for hazard and threat indications, warnings, and assessments.

• United States Department of Homeland Security Protective Security Advisor (PSA) Program

The program provides for proactive engagement among government partners and private sector owners and operators with responsibility for critical infrastructure. PSAs plan, coordinate, and conduct security and resilience surveys and assessments of nationally significant critical infrastructure. The program also delivers outreach activities and provides owners, operators, and other stakeholders with access to critical infrastructure security and resilience resources, training, and information. During and after an incident, Advisors serve as liaisons between government officials and private sector critical infrastructure owners and operators.

Sources: Australian Government, Trusted Information Sharing Network, http://www.tisn.gov.au ; Canadian Critical Infrastructure Information Gateway, https://cigateways.ps.gc.ca ; EU Critical Infrastructure Warning Information Network, http://ec.europa.eu/dgs/home-affairs/what-we-do/networks/critical_infrastructure_warning_information_network/index_en.htm ; U.S. Department of Homeland Security, Partnering for Critical Infrastructure Security and Resilience, https://www.dhs.gov/publication/nipp-2013-partnering-critical-infrastructure-security-and-resilience; US DHS, Protective Security Advisors, https://www.dhs.gov/protective-security-advisors

Prioritising resilience measures and policy instruments

A large variety of policy tool to foster operators’ resilience investments exists

Strengthening resilience to critical infrastructure is a collaborative effort amongst several stakeholders requiring a mix of tools to gather information, prioritise resilience investments, and increase overall incentives.

Governments can choose from a variety of policy tools and mechanisms to strengthen critical infrastructure resilience. Instruments range from prescriptive regulatory tools, compensation mechanisms, to voluntary frameworks based on partnerships between government and operators. Twenty-two policy tools have been identified in the OECD Survey on critical infrastructure resilience (Table 3.1). These policy tools are further described in Annex 3.D. This comprehensive list aims to present the different policy options that government can use, once they have set up a critical infrastructure resilience programme, identified its most critical infrastructure and their vulnerability, and established an information sharing mechanism with critical infrastructure operators.

Table 3.1. Policy tools to foster critical infrastructure resilience

1. Provision of hazards and threats information

2. Voluntary information-sharing mechanisms or platforms

3. Mandatory information-sharing mechanisms or platforms

4. Awareness raising activities and trainings

5. Resilience guidelines for critical infrastructure operators

6. Fostering the development/use of professional standards

7. Incentive mechanism to assess risks and vulnerabilities

8. Incentive mechanisms for investing in resilience

9. Sectoral prescriptive regulations dedicated to CIP

10. Performance-based regulations on business continuity

11. Mandatory business continuity plans

12. Inspections and performance assessments

13. Fines for non-compliance with resilience requirements

14. Other types of penalties for non-compliance

15. Ranking based on inspection / performance results

16. Reporting on operators resilience

17. Sharing best practices

18. Public investments in infrastructure resilience

19. Guidance for sub-national levels of government

20. Mandatory insurance for critical infrastructure

21. Peer-reviews, monitoring and evaluation

22. Sectoral mutual aid agreements

Note: This listing of policy tools was prepared by the OECD Secretariat, based on approaches presented at the OECD High Level Risk Forum and desk research

Source: OECD Secretariat

Identifying the pros and cons of these different tools in different policy contexts can be of great support for designing critical infrastructure protection and resilience policies. The OECD High Level Risk Forum, through its survey and case studies has initiated taking stocks of these policy tools. The following considerations can contribute to facilitating the choices that governments can make amongst these different options.

Regulation is an important method that provides mandatory requirements and enforcement mechanisms for critical infrastructure resilience. The regulatory approach has strengths in that it provides mandatory requirements, but it can also prove costly and create lags of time between technological developments in many sectors that require regular updates. Different regulatory approaches can be applied from prescriptive sectoral regulations to performance-based ones, which let operators define by themselves the way to achieve resilience targets.

Financial incentives provide another method to increase investments and continuity plans for critical infrastructure protection and resilience. The design of compensation mechanisms for customers in case of service disruption or other types of penalties can be used to internalise the benefits of resilience. This provides operators with the choice of the ways to increase their resilience. In Finland, the 2013 Energy Market Act provides such an incentive structure for electricity distribution operators to invest in the resilience of their network, with the combination of price incentives for improved resilience with important fees in case resilience targets are not attained (Chapter 4).

Public finance used for critical infrastructure resilience can set standards and demonstrate the value of up-front investments in resilience. Integrating resilience in major public investment projects sets an example for value and benefits of these investments, and can create incentives for other critical infrastructure owners and operators to follow suit (OECD, 2018[12]). Public procurement is increasingly factoring in climate resilience, which can serve as an approach to expand to other risks as well. For example, the Greater Paris 30 billion euro investment in public transportation was designed with specific flood resilience requirements beyond the existing regulation (OECD, 2014[7]).

Peer-pressure is another policy option that works amongst owners and operators of critical infrastructure based on holding up their image and rankings to the public. Creating public access to evaluations of critical infrastructure creates concerns for companies and their image. Rankings are important indicators of resiliency and an incentive-creating mechanism. Korea has included a mechanism of peer-pressure within its system for managing the failure of infrastructure. Every year, the Periodic Nationwide Safety Diagnosis makes a sampling diagnosis for 21 types of infrastructures. These evaluations are made public and provide rankings of the infrastructure, creating important incentives for companies to keep up their public image. Another example is found with the National Emergency Supply Agency (NESA) in Finland. The annual assessments of the business continuity plans of operators in the energy sector is presented to the pool of operators so that they can compare their performance and learn from each other (See chapter 4). While in this case, the results are not publicly disclosed, peer-pressure within the sector provides incentives for improving performance. The increasing public disclosure of climate risks can here also provide elements of reflection for critical infrastructure resilience to multiple hazards (OECD, 2018[12])

Finding the right combination between mandatory and voluntary frameworks

It is important for governments to find the right combination between mandatory and voluntary frameworks to enhance stakeholder engagement in resilience. As shown in Figure 3.3, the results of the OECD survey indicate a preference towards voluntary frameworks to strengthen critical infrastructure resilience.

Instruments such as guidance for sub-national levels of governments, awareness raiding activities and trainings, provision of hazards and threats information, resilience guidelines for critical infrastructure operators and voluntary information sharing mechanism are the policy tools that are the most commonly used by OECD governments. On the contrary, more stringent tools, such as inspections and performance assessments, sectoral prescriptive regulations, or mandatory business continuity plans, are less utilised by OECD countries to foster critical infrastructure resilience.

This preference for voluntary frameworks demonstrates that overall, critical infrastructure resilience policies are still at an early age in many OECD countries. In that context, operators’ engagement in broad multi-stakeholders partnerships with governments remains a key priority, which enables building trust between the public and the private sector. Adopting voluntary frameworks appears to be more effective to achieve this objective.

Nevertheless, this approach does not necessarily guarantee a strong enough incentive structure to ensure that sufficient investments are effectively made to attain expected resilience targets. Over the years, once the value of these partnerships will be widely acknowledged, one can expect that mandatory approaches will be more easily accepted and more largely developed, in order to guarantee that operators ensure some forms of minimum common standards of resilience. The OECD Policy Toolkit on the Governance of Critical Infrastructure Resilience proposed in Chapter 5 provides a way forward for governments aiming to strengthen progressively the resilience of critical infrastructure in their country with a staged approach based on partnerships.

Figure 3.3. Policy tools for critical infrastructure resilience across OECD countries
Figure 3.3. Policy tools for critical infrastructure resilience across OECD countries

Note: 22 OECD countries responded to the survey as of 10 September 2018 – mandatory tools are in grey, voluntary tools are in blue.

Source: OECD Survey on Critical Infrastructure Resilience (2018)

Cost-sharing arrangements for resilient investments

Operators have a keen interest in maintaining the continuity of their services and their reputation by investing in resilience. However, investments in resilience often imply costs up front, even if these should be compensated in terms of greater reliability of service and resilience to shocks.

The question is how to find the right balance. Excessive requirements imposed by governments to strengthen resilience can result in additional costs of service borne by customers, citizens and businesses. When deciding on the policy tools best fitted to improve critical infrastructure resilience in their national contexts, governments should assess how these different options can provide effective incentives for operators to invest in resilience, while managing the repercussions on the cost of service. Solving this economic equation is the cornerstone for an efficient policy, but there is no simple solution. As shown in the Finland case-study in Chapter 4, engaging in trusted partnerships and regular dialogue between governments, regulators and operators should enable discussing cost-sharing arrangements to attain resilience objectives.

References

[25] Bach, C. et al. (2013), “Adding value to critical infrastructure research and disaster risk management: the resilience concept”, http://journals.openedition.org/sapiens 6.1, https://journals.openedition.org/sapiens/1626 (accessed on 25 February 2019).

[36] Barami, B. (2013), Infrastructure Resiliency: A Risk-Based Framework, US Department of Transportation, https://www.volpe.dot.gov/sites/volpe.dot.gov/files/docs/Infrastructure%20Resiliency_A%20Risk-Based%20Framework.pdf (accessed on 25 February 2019).

[37] Chang, S. et al. (2014), “Toward Disaster-Resilient Cities: Characterizing Resilience of Infrastructure Systems with Expert Judgments”, Risk Analysis, Vol. 34/3, pp. 416-434, http://dx.doi.org/10.1111/risa.12133.

[34] Critical Five (2014), Forging a Common Understanding for Critical Infrastructure Shared Narrative, https://www.dhs.gov/sites/default/files/publications/critical-five-shared-narrative-critical-infrastructure-2014-508.pdf (accessed on 25 February 2019).

[45] DHS (2013), NIPP 2013: Partnering for Critical Infrastructure Security and Resilience | Homeland Security, https://www.dhs.gov/publication/nipp-2013-partnering-critical-infrastructure-security-and-resilience (accessed on 25 February 2019).

[44] European Council (2008), COUNCIL DIRECTIVE 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:345:0075:0082:EN:PDF (accessed on 26 February 2019).

[19] Flynn, S. (2015), Bolstering Critical Infrastructure Resilience After Superstorm Sandy: Lessons for New York and the Nation, Northeastern University, Boston, Massachusetts, http://dx.doi.org/10.17760/D20241717.

[35] Flynn, S. (2008), “America the Resilient, Defying Terrorism and Mitigating Natural Disasters”, Foreign Affairs, https://www.foreignaffairs.com/articles/2008-03-02/america-resilient (accessed on 25 February 2019).

[51] Galbusera, L., G. Giannopoulos and D. Ward (2014), Developing stress tests to improve the resilience of critical infrastructures: a feasibility analysis, European Commission Joint Research Centre, http://dx.doi.org/10.2788/954065.

[53] Giannopoulos, G., R. Filippini and M. Schimmer (2012), Risk assessment methodologies for Critical Infrastructure Protection. Part I: A state of the art, European Commission Joint Research Centre, http://dx.doi.org/10.2788/22260.

[54] Lewis, T. (2006), Critical infrastructure protection in homeland security : defending a networked nation, Wiley-Interscience.

[48] Macaulay, T. (2009), Critical infrastructure : understanding its component parts, vulnerabilities, operating risks, and interdependencies, CRC Press, https://www.crcpress.com/Critical-Infrastructure-Understanding-Its-Component-Parts-Vulnerabilities/Macaulay/p/book/9781420068351 (accessed on 26 February 2019).

[42] Moteff, J. (2012), CRS Report for Congress Critical Infrastructure Resilience: The Evolution of Policy and Programs and Issues for Congress, Congressional Research Service, https://fas.org/sgp/crs/homesec/R42683.pdf (accessed on 25 February 2019).

[2] OECD (2018), Assessing Global Progress in the Governance of Critical Risks, OECD Reviews of Risk Management Policies, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264309272-en.

[12] OECD (2018), “Climate-resilient Infrastructure”, OECD Environment Policy Paper, No. 14, OECD, Paris, http://www.oecd.org/environment/cc/policy-perspectives-climate-resilient-infrastructure.pdf (accessed on 25 February 2019).

[7] OECD (2014), Seine Basin, Île-de-France, 2014: Resilience to Major Floods, OECD Reviews of Risk Management Policies, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264208728-en.

[9] OECD (2011), Future Global Shocks: Improving Risk Governance, OECD Reviews of Risk Management Policies, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264114586-en.

[41] OECD and EU JRC (2018), System thinking for critical infrastructure resilience and security - OECD/ JRC Workshop - OECD, http://www.oecd.org/gov/risk/workshop-oecd-jrc-system-thinking-for-critical-infrastructure-resilience-and-security.htm (accessed on 25 February 2019).

[49] Petit, F. et al. (2015), Analysis of Critical Infrastructure Dependencies and Interdependencies, Argonne National Laboratory, https://publications.anl.gov/anlpubs/2015/06/111906.pdf (accessed on 26 February 2019).

[50] Public Safety Canada (2014), Action Plan for Critical Infrastructure 2014-2017, https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/pln-crtcl-nfrstrctr-2014-17/pln-crtcl-nfrstrctr-2014-17-eng.pdf (accessed on 26 February 2019).

[47] Rinaldi, S., J. Peerenboom and T. Kelly (2001), Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies, https://pdfs.semanticscholar.org/b1b7/d1e0bb39badc3592373427840a4039d9717d.pdf (accessed on 26 February 2019).

[46] Theocharidou, M. and G. Giannopoulos (2015), “Risk assessment methodologies for critical infrastructure protection. Part II: A new approach”, http://dx.doi.org/10.2788/621843.

[52] Verner, D., F. Petit and K. Kihaek (2017), “Incorporating Prioritization in Critical Infrastructure Security and Resilience Programs - HOMELAND SECURITY AFFAIRS”, Homeland Security Affaits, Vol. 13, https://www.hsaj.org/articles/14091 (accessed on 26 February 2019).

[43] White House (2013), Presidential Policy Directive -- Critical Infrastructure Security and Resilience | whitehouse.gov, https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil (accessed on 25 February 2019).

Annex 3.A. Critical infrastructure strategy or programme and lead institution in charge

Country

Y/N*

Critical infrastructure strategy or programme

Lead institution in charge

Australia

Yes

Critical Infrastructure Resilience Strategy (2015) https://www.tisn.gov.au/Documents/CriticalInfrastructureResilienceStrategyPlan.PDF

Attorney-General’s Department / Critical Infrastructure Centre

Austria

Yes

Austrian Program for Critical Infrastructure Protection –Masterplan 2014 http://archiv.bundeskanzleramt.at/DocView.axd?CobId=58907

Federal Chancellery

Federal Ministry of the Interior

Belgium

Yes

 Belgium Critical Infrastructure Protection Strategy

https://crisiscentrum.be/nl/inhoud/kritieke-infrastructuur-0

Federal Public Service Home Affairs, National Crisis Centre (directorate CIPRA)

Canada

Yes

National Strategy for Critical Infrastructure

www.publicsafety.gc.ca/cnt/ntnl-scrt/crtcl-nfrstrctr/index-en.aspx

Public Safety Canada

Chile

No

 

 

Czech Republic

Yes

 National Programme for Critical Infrastructure Protection (2010), Comprehensive strategy of the Czech Republic for Critical Infrastructure (2010) -

 Ministry of the Interior of the Czech Republic

Denmark

No

 

 

Estonia

Yes

Internal Security Development Plan 2015 – 2020

https://valitsus.ee/sites/default/files/content-editors/arengukavad/taiendatud_siseturvalisuse_arengukava_2015-2020.pdf

 Ministry of the Interior

Finland

Yes

Government decision on the security of supply (2013) https://www.nesa.fi/security-of-supply/objectives/

National Emergency Supply Agency http://www.nesa.fi/

France

Yes

Instruction générale interministérielle relative à la sécurité des activités d’importance vitale http://circulaire.legifrance.gouv.fr/pdf/2014/01/cir_37828.pdf

Critical infrastructure protection strategy defined in the law (defence code – articles L. 1332-1 to L. 1332-7, R. 1332-1 to R. 1332-42

Secrétariat Général de la Défense et de la Sécurité Nationale (SGDSN) www.sgdsn.fr

Germany

Yes

National Strategy for Critical Infrastructure Protection (2009) https://www.bmi.bund.de/SharedDocs/downloads/EN/publikationen/2009/kritis_englisch.pdf?__blob=publicationFile&v=1

Federal Ministry of Interior

Greece

Yes

 

 

Hungary

N/A

 

 

Iceland

Yes

 

 

Ireland

Yes

 

 

Israel

Yes

 

National Emergency Management Authority in the Ministry of Defense

Italy

N/A

 

 

Japan

No

 

 

Korea

Yes

National Infrastructure Protection Plan

https://opengov.seoul.go.kr/sanction/10812531

Ministry of the Interior and Safety (MOIS)

Latvia

Yes

Procedures for the identification of critical infrastructures Cabinet of Ministers Regulation No. 496, adopted on 1 June 2010 http://likumi.lv/doc.php?id=212031

; Procedures for planning and implementation of security measures for the critical infrastructure Regulation No. 100 (2017) http://likumi.lv/doc.php?id=225776 Regulation on Civil Protection plans structure Cabinet of Ministers Regulation No. 658, adopted on 7 November 2017

https://likumi.lv/ta/id/294938-noteikumi-par-civilas-aizsardzibas-planu-strukturu-un-tajos-ieklaujamo-informaciju

National Security Interinstitutional Commission

Secretariat: Ministry of Interior

Luxembourg

Yes

Grand-ducal regulation of 21 February 2018 laying down the identification and designation of critical infrastructure http://data.legilux.public.lu/eli/etat/leg/rgd/2018/02/21/a152/jo

Grand-ducal regulation of 21 February 2018 specifying the structure for security and business continuity plans of critical infrastructure http://data.legilux.public.lu/eli/etat/leg/rgd/2018/02/21/a151/jo

High Commission for National Protection https://hcpn.gouvernement.lu/en/service/attributions.html

Mexico

Yes

 

 

Netherlands

Yes

Critical Infrastructure Protection, January 2018

https://english.nctv.nl/binaries/Factsheet%20Vitaal%20ENG%202016%20(web)_tcm32-240750.pdf

National Coordinator for Security and Counterterrorism (NCTV)https://english.nctv.nl/

New Zealand

Yes

Obligations on infrastructure providers are required by the Civil Defence Emergency Management Act 2002 and secondary legislation including the National Civil Defence Emergency Management Plan Order 2015 and Guidance, specifically “Lifeline Utilities and CDEM – Director’s Guideline for Lifeline Utilities and Civil Defence Emergency Management Groups” [DGL 16/14]. The Thirty Year New Zealand Infrastructure Plan 2015 sets out central Government’s long-term vision for infrastructure to be resilient, coordinated and contributing to a strong economy and high living standards.

The Ministry of Civil Defence and Emergency Management (MCDEM)

Norway

Yes

Vital functions in society https://www.dsb.no/globalassets/dokumenter/rapporter/kiks-ii_english_version.pdf

Directorate for Civil Protection (DSB) https://www.dsb.no/menyartikler/english/

Poland

Yes

The National Critical Infrastructure Protection Programme http://rcb.gov.pl/wp-content/uploads/NPOIK-2015_eng-1.pdf

Government Security Center (RCB)

Portugal

No

There is no specific national programme or strategy, but there is the national regulation on CIP (Law-Decree 62/2011, of 9th May)

http://www.prociv.pt/bk/RISCOSPREV/INFRAESTRUTURASCRITICAS/Documents/DL_62_2011_identificacao_e_protecao_de_infraestruturas_essenciais.pdf

National Authority for Civil Protection (ANPC) the Internal Security System (SSI)

Slovak Republic

No

 Act on Critical Infrastructure No 45/2011

 Ministry of Interior

Slovenia

Yes

 

 

Spain

Yes

Law 8/2011 of 28 April, “Establishing measures for the protection of critical infrastructures” and Royal Decree 704/2011 of 20 May http://www.cnpic.es/

National Plan for Critical Infrastructure Protection (updated in February 2016 – Classified information)

Spanish Critical Infrastructure Protection Planning System (classified) http://www.cnpic.es/en/Preguntas_Frecuentes/que_es_el_sistema_de_planificacion_PIC/index.html

National Center for Infrastructure Protection & Cybersecurity (CNPIC)

Sweden

Yes

Action Plan for the Protection of Vital Societal Functions & Critical Infrastructure

https://www.msb.se/RibData/Filer/pdf/27412.pdf

Swedish Civil Contingencies Agency (MSB)

Switzerland

Yes

New CIP strategy to be adopted by Federal Council on December 8, 2017

www.infraprotection.ch

Federal Office for Civil Protection (FOCP)

Turkey

Yes

 2014-2023 Technological Disasters Roadmap Document

2018-2022 AFAD Strategic Plan

Disaster and Emergency Management Presidency

United Kingdom

Yes

2015 National Security Strategy and Strategic Defence and Security Review http://www.cpni.gov.uk/about/cni/

Centre for the Protection of National Infrastructure (CPNI)

National Cyber Security Centre (NCSC)

United States

Yes

NIPP 2013: Partnering for Critical Infrastructure Security and Resilience and 2015 Sector-Specific Plans

https://www.dhs.gov/2015-sector-specific-plans

Department of Homeland Security (DHS)

*: Yes or No response to the question “Has your national government adopted a critical infrastructure strategy or programme?”

Annex 3.B. Definition of Critical Infrastructure in OECD countries

Country

Official definition of critical infrastructure

Australia

Those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security

Source: Critical Infrastructure Resilience Strategy (2010) and Critical Infrastructure Resilience Strategy: Plan (2015)

Austria

Critical infrastructures are those infrastructures (systems, facilities, processes, networks or parts thereof) that are essential for the maintenance of important social functions and whose disruption or destruction seriously affects the health, safety or economic and social well-being of large parts of the population or the effective functioning of state institutions

Source: http://archiv.bundeskanzleramt.at/DocView.axd?CobId=58907

Belgium

A critical infrastructure is being defined in Belgian law as “an asset, system or part thereof, of federal importance, which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact as a result of the failure to maintain those functions”

Source: https://crisiscentrum.be/sites/default/files/loi_du_1er_juillet_2011_sur_les_ic.pdf

Canada

Critical infrastructure refers to processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government.

Source: National Strategy for Critical Infrastructure (2009) and Action Plan for Critical Infrastructure 2014-2017

Czech Republic

Critical infrastructure shall denote the element of critical infrastructure or the system of elements of critical infrastructure, disruption of which would have a significant impact on the State security, on ensuring the basic living needs of the population, on health of people and State economy - (CRISIS MANAGEMENT ACT N. 240/2000 Coll).

Estonia

Adopt same definition as the European Council Directive 2008. In addition, Estonia has introduced the term “vital service” into domestic legislation. A vital service is a service that has an overwhelming impact on the functioning of society and the interruption of which is an immediate threat to the life or health of people or to the operation of another vital service or service of general interest. A vital service is regarded in its entirety together with a building, piece of equipment, staff, reserves and other similar facilities indispensable to the operation of the vital service.

Source: Republic of Estonia Information System Authority https://www.ria.ee/en/ciip.html

European Union

Critical infrastructure ‘means an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions. European critical infrastructure’ or ‘ECI’ means critical infrastructure located in Member States the disruption or destruction of which would have a significant impact on at least two Member States.

Source: Council Directive 2008/114/EC

France

The institutions, structures or facilities that provide the essential goods and services forming the backbone of French society and its way of life

Source: General Secretariat for Defence and National Security (SGDSN), January 2017 http://cache.media.education.gouv.fr/file/2017/54/5/SGDSN-PLAQUETTE_SAIV_ANG_12012017_763545.pdf

Finland

Infrastructures that are most crucial to the functioning of society are called critical infrastructures. In the Security Strategy for Society, critical infrastructures are defined as the structures and functions that are vital for the continuous functioning of society. Critical infrastructure includes physical facilities and structures as well as online functions and services

Source: The Security Committee, 2015; https://www.turvallisuuskomitea.fi/index.php/fi/files/26/.../Secure%20Finland.pdf

Germany

Critical infrastructures (CI) are organizational and physical structures and facilities of such vital importance to a nation's society and economy that their failure or degradation would result in sustained supply shortages, significant disruption of public safety and security, or other dramatic consequences.

Source: National Strategy for Critical Infrastructure Protection (2009)

Israel

A complex of buildings and infrastructure, technological systems, logistical equipment, computing and communications systems, that are institutionally activated and controlled, that provides a vital service to the population and economy.

Source: 2017 OECD High Level Risk Forum Critical Infrastructure Questionnaire

Korea

National infrastructure implies that the facilities are deemed necessary to be continuously managed to protect the national infrastructure, according to the following standards,

1. Ripple effects on other infrastructure, systems, etc.;

2. Necessity for at least two central administrative agencies to jointly respond to disasters;

3. The scale and scope of damage that is caused by any disaster to the national security, the economy, and the society;

4. The possibility that a disaster can occur and the easiness of recovering from such disaster.

Source: Framework Act on the Management of Disasters and Safety

Latvia

Objects, systems or parts of systems located on the territory of Republic of Latvia, which are important for implementation of functions vital to society and for provision of health protection, security, economic and social welfare, and destruction or malfunction of which would significantly affect the functions of the State.

Source: National Security Law, 2010

Luxembourg

Critical infrastructure means any point, system or part of it which is indispensable for the safeguarding of vital interests or essential needs of all or part of the country or population or which is likely to be subject to a particular threat

Source: Loi 23 juillet, 2016 http://legilux.public.lu/eli/etat/leg/memorial/2016/137

Mexico

Strategic infrastructure is defined as infrastructure that is indispensable for the provision of public goods and services and whose destruction or disruption is a threat to national security.

Netherlands

Certain processes are very critical for the Dutch society. The failure or disruption of such processes would result in severe social disruption and poses a threat to national security. These processes together form the critical infrastructure of The Netherlands.

Source: National Coordinator for Security and Counterterrorism, January 2018, https://english.nctv.nl/binaries/Factsheet%20Critical%20Infrastructure%20ENG%202018_tcm32-240750.pdf

New Zealand

Critical infrastructure, also referred to as nationally significant infrastructure, can be broadly defined as the systems, assets, facilities and networks that provide essential services and are necessary for the national security, economic security, prosperity, and health and safety of their respective nations.

Source: Critical 5 – Forging a Common Understanding for Critical Infrastructure, shared narrative, March 2014, New Zealand treasury.

Norway

Critical infrastructure is the facilities and systems that are absolutely necessary to maintain the community's critical functions which again covers society's basic needs and the population sense of security

Source: OECD Survey on critical infrastructure (2017)

Poland

The Act of 26 April 2007 on Crisis Management (Dz. U. [Journal of Laws] of 2013, item 1166 and of 2015, item 1485 – hereinafter referred to as: “the Act on Crisis Management”) defines the critical infrastructure as the systems and functional sites forming their part which are mutually related, such as building sites, facilities, installations, key services for the safety of the state and its citizens and serving to ensure efficient functioning of the public administration authorities, as well as institutions and entrepreneurs

Source: National Critical Infrastructure Protection Programme Poland, 2015

Portugal

Critical Infrastructure is the component, system or part thereof, which is essential for the maintenance of vital functions to society, health, safety and economic or social well-being and whose disruption or destruction would have a significant impact, given the circumstance that the infrastructure will be unable to continue performing those functions.

Source: OECD Survey on critical infrastructure (2017)

Slovak Republic

a) Critical infrastructure element (hereinafter referred to as the “element”) means mainly an engineering building, public service and information system in the critical infrastructure sector whose disruption or destruction should, according to the sectoral criteria and cross-cutting criteria, have adverse effect on the performance of economic and social functions of the state, and thus on the quality of life of residents in terms of the protection of their life, health, safety, property, as well as the environment;

b) Critical infrastructure sector (hereinafter referred to as the “sector”) means part of the critical infrastructure which includes the elements; the sector may comprise one or more critical infrastructure sub-sectors (hereinafter referred to as the “subsector”);

c) Critical infrastructure means a system, which is divided into sectors and elements

Source: Slovak law No 45/2011

Spain

Critical Infrastructures are those strategic infrastructures (facilities, networks, systems and physical equipment, on which operation of essential services rest) which are indispensable, and where alternative solution is not possible, so that their disruption or destruction would seriously impact essential services.

Source : CNPIC (2017) http://www.cnpic.es/en/Legislacion_Aplicable/Generico/index.html

Sweden

Those assets, systems or parts thereof located in the EU Member States which are essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions. The term Critical Infrastructure (CI) refers to the activities, facilities, nodes, infrastructure and services that maintain Vital Societal Functions (VSF). Vital Societal Functions (VSF) is the term for the activities that maintain a given functionality. Each such function is included in one or more societal sectors

Source: Swedish Civil Contingencies Agency, 2016; Action Plan for the Protection of Vital Societal Functions & Critical Infrastructure (2014)

Switzerland

Critical infrastructures are processes, systems and facilities that are essential for the functioning of the economy and the well-being of the population, respectively

Source: OECD Survey on critical infrastructure (2017)

Turkey

Whole of networks, assets, systems and structures that would form serious impacts on safety, economy, health of citizens as a result of negative effect on conduct of environment, social order and public service in case it fails to fulfil its function partially or completely.

Source: OECD Survey on critical infrastructure (2017)

United Kingdom

Those critical elements of infrastructure (namely assets, facilities, systems, networks or processes and the essential workers that operate and facilitate them), the loss or compromise of which could result in:

a) Major detrimental impact on the availability, integrity or delivery of essential services – including those services whose integrity, if compromised, could result in significant loss of life or casualties – taking into account significant economic or social impacts; and/or

b) Significant impact on national security, national defence, or the functioning of the state.

Source: OECD Survey on critical infrastructure (2017)

United States

Critical infrastructure represents systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

Source: The National Infrastructure Protection Plan 2013 Partnering for Critical Infrastructure Security and Resilience

United Nations

The physical structures, facilities, networks and other assets, which provide services that, are essential to the social and economic functioning of a community or society.

Source: UNISDR Terminology on Disaster Risk Reduction https://www.unisdr.org/we/inform/terminology

Annex 3.C. List of critical sectors per OECD countries

AUS

AUT

BEL

CAN

CHE

CHL

CZE

DEU

ESP

EST

FIN

FRA

GBR

GRC

IRL

ISL

ISR

ITA

KOR

LAT

LUX

MEX

NLD

NOR

NZL

POL

PRT

SVK

SVN

SWE

TUR

USA

Energy

Nuclear sector

ICT

Transportation

Water

Dams & flood defence

Food supply & dist.

Health

Finance & banking

Government

Public safety

Law enforcement

Chemical industry

Space sector

Defence industry

Critical manufacturing

Other

Annex 3.D. List and descriptions of policy tools to strengthen critical infrastructures resilience

Policy tool

Description

Provision of hazards and threats information

Governments provide the results of national or infrastructure-specific hazard and threats assessments to owners and operators of critical infrastructure.

Voluntary information-sharing mechanisms or platforms

Governments encourage critical infrastructure owners and operators to share information relevant to the security and resilience of assets and systems amongst each other and with the government on a voluntary basis.

Mandatory information-sharing mechanisms or platforms

Laws and regulations require critical infrastructure operators to share information relevant to the security and resilience of assets and systems with the government.

Awareness raising activities and trainings

Awareness raising activities and trainings promote a risk culture within critical infrastructure. Trainings and exercises test the emergency management systems of critical infrastructure, and create familiarity with corresponding responsibilities during crises.

Resilience guidelines for critical infrastructure operators

Resilience guidelines outline steps and methods that operators of critical infrastructure should carry out to improve the resilience of their assets and systems at large. Such guidelines can be narrow in scope, providing e.g. only guidance for hazard assessments at operator level, or wide in scope, listing multiple tools and measures.

Fostering the development/use of professional standard

Development of professional standards for critical infrastructure resilience such as codes and benchmarks for capabilities and standards of operations.

Incentive mechanism to assess risks and vulnerabilities

Governments provide incentives that encourage operators of critical infrastructure to carry out hazard, risk and vulnerabilities assessments. Incentives could be the provision of technical support and guidance documents, or reward mechanisms, such as publicized reviews of meeting resiliency targets or certifications.

Incentive mechanisms for investing in resilience

Governments provide incentives that encourage operators of critical infrastructure to invest in critical infrastructure resilience include: subsidies, cost-benefit analysis, or government participating in insurance schemes.

Sectoral prescriptive regulations dedicated to CIP

Governments design regulations that specify operators of critical infrastructure to carry out certain This tool sets mandatory obligations for critical infrastructure to meet to ensure protection and resilience based on s77ectoral specificities.

Performance-based regulations on business continuity

Regulations that provide incentives for critical infrastructure operators to reach a targeted level of performance for maintaining services during disruptions.

Mandatory business continuity plans

Governments require operators of critical infrastructure to develop business continuity plans. Such plans feature prevention and preparedness measures (incl. contingency plans) that operators can rely on during hazardous events to ensure that business operations can keep running.

Inspections and performance assessments

Mandated inspectors check that operators of critical infrastructure have implemented the required resilience measures.

Fines for non-compliance with resilience requirements

In cases where inspections find that operators of critical infrastructure have not carried out the required resilience measures, the government issues fines (see incentive mechanisms).

Other types of penalties for non-compliance

Other types of penalties for non-compliance can include: revoking an operational license or temporary removal from service until requirements are met.

Ranking based on inspection / performance results

The government ranks and advertises the results of inspection/performances. Operators have an interest in doing well in such rankings, as maintaining their image and reputation is an important business success factor.

Reporting on operators resilience

Self-assessments on the resilience of operators of critical infrastructure and sharing the results with government and/or the wider public.

Sharing best practices

Using case-studies and results from events can indicate good practices for making critical infrastructure more resilient. Sharing best practices is an effective information tool to indicate how similar critical infrastructure owners and operators may address sectoral security issues, including relevant interdependencies on other sectors.

Public investments in infrastructure resilience

Government investments in resilience are applied to new public infrastructure in addition to ensuring that resilience gaps are being met where there are needs. Public financing for building resilient critical infrastructure systems can set standards for industry and demonstrate the value of these up-front investments in resilience.

Guidance for sub-national levels of government

Guidelines for sub-national level of government on awareness about critical infrastructure in their respective jurisdictions and close by that may pose transboundary risks, and how to strengthen resilience of these systems.

Mandatory insurance for critical infrastructure

Obligations set for critical infrastructure owners and operators to purchase insurance ex-ante a situation of shock or disruption of services.

Peer-reviews, monitoring and evaluation

Experts review and evaluate progress based on agreed upon evaluation criteria according sector-specific resilience guidelines... The outcome may identify potential gaps and provide suggestions for areas of improvement.

Annex 3.E. Country practices on critical infrastructure resilience identified in the OECD Toolkit on Risk Governance (TRIG)

Trusted Information Sharing Network for Critical Infrastructure in Australia

The Trusted Information Sharing Network (TISN) for Critical Infrastructure Resilience was established by the Australian Government in 2003, with the aim of assisting critical infrastructure organisations to better prevent, prepare, respond to and recover from disruptions and adverse events. The TISN provides national level forums for owners and operators of critical infrastructure to discuss critical infrastructure vulnerabilities with relevant government agencies and to work together in developing strategies and solutions to mitigate risk. Led by the Attorney-General’s Department, and supported by a number of Australian Government agencies, the TISN now encompasses hundreds of members, including representatives from many of Australia’s largest and best known companies, and state and territory governments. The TISN operates on an all-hazards basis. It comprises seven critical infrastructure Sector Groups (Energy, Water, Communications, Banking and Finance, Health, Transport, Food) and two Expert Advisory Groups. TISN members meet regularly within their sector groups in a secure, non-competitive environment to share vital information on risks and mitigation strategies, and to develop collective solutions to shared problems. In addition, there are regular meetings and exercises between groups, and with governments.

Rationale

Critical infrastructure delivers essential services such as food, water, healthcare, electricity, communications, transportation and banking. Without these services, Australia's social cohesion, economic prosperity and public safety are threatened. The Trusted Information Sharing Network responds to this by providing a forum for public and private stakeholders to cooperate towards critical infrastructure resilience.

Objectives

  • Operate an effective business-government partnership with critical infrastructure owners and operators;

  • Sharing information and techniques required to assess and mitigate risks to critical infrastructure;

  • Building resilience capacity within organisations.

Results

  • Since its creation, the TISN has influenced the national debate on critical infrastructure issues by partnering with key stakeholders to enable change;

  • The TISN has fostered a cohesive approach to addressing shared threats and vulnerabilities and building resilience across critical infrastructure sectors;

  • TISN initiatives include the development of shared frameworks, guides and planning documents, the preparation of large-scale exercises, and the organisation of workshops. These initiatives have contributed to enhance the resilience of critical infrastructure systems in Australia.

Lessons Learned

  • There are major benefits to setting up platforms for information sharing among policy makers and owners and operators of critical infrastructure

  • Business-government partnerships are key to encourage the private sector to address mutual interests, such as business continuity and resilience.

  • There are major benefits to setting up platforms for information sharing among policy makers and owners and operators of critical infrastructure.

  • Business-government partnerships are key to encourage the private sector to address mutual interests, such as business continuity and resilience.

Source: https://www.oecd.org/governance/toolkit-on-risk-governance/goodpractices/page/trustedinformationsharingnetworkforcriticalinfrastructureinaustralia.htm

Integrated approach for Critical Infrastructure Protection in the Netherlands

A new integrated approach for critical infrastructure protection was established in May 2015 as part of the National Safety and Security Strategy, developed by the Dutch Ministry for Security and Justice. The approach contains three steps. First, the approach identifies what is critical infrastructure, based on economic, physical and social impact criteria. Criteria were developed based on the National Risk Assessment process. The degree of criticality depends upon the consequences of a failure of the critical sectors identified. A distinction is made between category A where disruptions can have large impacts and cascading effects and category B where impacts can be lower, in order to reflect the diversity within critical infrastructure and to set priorities. Secondly, a vulnerability assessment provides insight into the most important risks, threats, vulnerabilities and degree of resilience of this infrastructure. The third step of the approach is to make agreements on maintaining or, where needed, increasing the resilience of the vital infrastructure. This enables a customized approach for resilience enhancement, based on risks, threats and vulnerabilities. In addition, critical infrastructure will be incorporated into the national crisis management structures.

Rationale

Guaranteeing the continuity of critical infrastructure is of common interest to both infrastructures operators (usually private) and to society in the Netherlands. Critical infrastructure includes products, services and underlying processes which, should they fail, could cause large-scale social disruption. That is why the government and critical organisations in the Netherlands cooperate in protecting this infrastructure. An integrated approach is required, due to the number of parties, networks and levels involved. This is a dynamic and complex domain due to technological developments and interconnectedness of critical processes. Society has become more dependent on critical infrastructure while the failure of such infrastructure has become less accepted in society. Infrastructure has become more dependent and has become more vulnerable to (deliberate) cyber incidents. Moreover, the interconnectedness of critical processes makes it difficult to predict cascade effects. Cascading effects caused by failing processes leads to higher impact on society.

Objectives

  • Resilient critical infrastructure

  • Impacted based identification of critical infrastructure

  • Understanding of risk, threats and vulnerabilities

  • Development of customized agreements

Results

  • Impact based identification methodology

  • From sectorial approach to a process approach

  • Identification of critical infrastructure at the national level

  • national level prioritised list of critical infrastructure

  • Tailor made agreements per critical process

  • Monitoring and evaluation methodology

Lessons Learned

  • Fostering an all-hazard approach is a good way to engage with private operators as they may be particularly interested in one specific threat without having the largest view on risks

  • Having clear and transparent criteria well established for the identification of critical infrastructure helps engaging the different stakeholders.

  • It requires a political decision what impact criteria are regarded as disruptive. There is a risk that changes in societal preferences may lead to changes in the thresholds, which would ask for a reassessment of critical infrastructure.

  • Developing partnerships with private operators requires developing trust across the public and the private sector and a common understanding of the challenges, which develops over the long-term.

Source: https://www.oecd.org/governance/toolkit-on-risk-governance/goodpractices/page/integratedapproachforcriticalinfrastructureprotectioninthenetherlands.htm

National Strategy for Critical Infrastructure Protection in Germany

The German National Strategy for Critical Infrastructure Protection summarizes the Federal Administration's aims and objectives and its political-strategic approach to actively address matters of critical infrastructure protection (CIP). The strategy is guided by the principle of joint action by the state, society, and business and industry. The state co-operates with other public and private actors in developing analyses and protection concepts. The Strategy first defines critical infrastructure, as organizational and physical structures and facilities of such vital importance to a nation's society and economy that their failure or degradation would result in sustained supply shortages, significant disruption of public safety and security, or other dramatic consequences. It also identifies main threats, risks and vulnerabilities of critical infrastructure systems in Germany. Its guiding principle is that the responsibility for the security, reliability and availability of such infrastructure is a shared-responsibility. The Strategy takes stock of existing measures, and suggests a way forward to structure the different initiatives and further improve the protection of critical infrastructure systems. It develops guidelines in the prevention, response and sustainability areas, based on three pillars: (1) Preventing and mitigating loss of services (2) Promoting back-up systems (redundancies) and emergency capacity (3) Enhancing self-protection capabilities. Developments are currently ongoing with regard to the protection of critical infrastructures in Germany

Rationale

Infrastructure in general and critical infrastructure in particular are vital to the functioning and well-being of modern and efficient societies. Germany is among the leading industrial and technology-oriented nations. Germany is also an important location for business activities and industry. Ensuring the country’s competitiveness in a globalized economic and technological setting is highly dependent on the availability of high-performance and well-functioning infrastructure. Therefore, ensuring the protection of this infrastructure is a key function of security-related preparedness measures taken by industry and government agencies, and is a central issue of the country's security policy.

Objectives

  • Guiding the Federal Government but also the Länder, municipalities and enterprises in their critical infrastructure protection efforts. 

  • Promote critical infrastructure resilience in a coordinated manner 

  • Strengthen public safety and security

  • Foster  joint action performed by the Government, companies and/or operations and the civil society for critical infrastructure protection

Results

  • Implementation of work packages within the Federation, Lander and local governments involving (1) the definition of general protection targets, (2) an analysis of threats, vulnerabilities and management capabilities, (3) the assessment of threats, (4) the specification of protection targets, taking into account existing protective measures; analysis of existing regulations and, where applicable, identification of additional measures contributing to goal attainment; and where required, legislation.

  • Development of programmes and Plans (such as the National Plan for Information Infrastructure Protection), specific recommendations for action (such as the National Baseline Protection Concept, the Risk and Crisis Management Guide for Critical Infrastructure Operations, and standards, norms and regulations (such as BSI Information Security Standards, or the regulations of the German Gas and Water Supply Association on risk management in the field of drinking water supply).

Lessons Learned

  • Preserving critical infrastructure protection is of growing importance, particularly in the context of increasingly interdependent economies.

  • Co-operations and partnerships in the area of critical infrastructure both with authorities and in particular with private service providers is vital to guarantee successful work.

  • The aim of a critical infrastructure strategy should not be absolute protection, but implementing measures that foster resilience.

  • Cross-sectoral cooperation and coordination is key to achieving resilience of critical infrastructure.

Source: https://www.oecd.org/governance/toolkit-on-risk-governance/goodpractices/page/nationalstrategyforcriticalinfrastructureprotectioningermany.htm

Swiss Basic Strategy for Critical Infrastructure Protection

The Swiss National Strategy for the Protection of Critical Infrastructure was established in 2012, drawing upon the “Basic Strategy for Critical Infrastructure Protection” (2009). The overarching goal of the Strategy is to improve the resilience of Switzerland’s critical infrastructures. The Strategy outlines strategic goals as well as key principles, and describes the measures to be taken in the area of critical infrastructure. These measures include the improvement of the overall critical infrastructure resiliency, and the enhancement of the general framework for cross-sectoral collaboration. The Strategy covers the definition of comprehensive protection approaches, the identification and compilation of critical infrastructure elements and objects in a classified inventory, the establishment of cross-sectoral, public-private platforms, and information sharing on risks, notably risk assessment and warning systems, among stakeholders. The Strategy also addresses federal support to handle disruptions to critical infrastructure, if the operators’ and substate actors’ resources are overwhelmed. It establishes a permanent process to improve the resilience of critical infrastructure systems by facilitating a coordinated approach among the relevant CI operators as well as specialised and regulatory agencies. Ten sectors are considered critical at the national level, including energy, transport, information and communication technologies, financial services, public administration, public health, public safety, and transport. They are subdivided into 28 subsectors like natural gas supply, oil supply and power supply in the sector energy supply.

Rationale

Switzerland is highly dependent on the continuous operation of critical infrastructures that ensure the supply of vital goods and services. Disruptions may have rapid repercussions for the population and the basis of its livelihood, and can affect other critical infrastructure through cascading effects. In the different critical sector, protection measures are already implemented on an individual basis. However, the lack of cross-sectoral coordination among critical infrastructure stakeholders and the need to promote a consolidated approach at the national level created the need for an integrated national strategy.

Objectives

  • Contributing to maintain the operability of critical infrastructure systems,

  • Identifying critical infrastructure systems to be protected,

  • Facilitating risk analysis procedures,

  • Initiating cross-sectoral collaboration by setting up coordination and information sharing platforms.

Results

  • Classified critical infrastructure inventory

  • Created a critical infrastructure guideline

  • Conducted sub-sectoral risk and vulnerability assessments

  • Established  supporting tools (e.g. methodology, scenarios, etc.)

Lessons Learned

  • Critical infrastructure protection is becoming more and more important today, in particular in major cities and small interdependent countries such as Switzerland.

  • The aim of a critical infrastructure strategy should not be absolute protection, but implementing measures to foster resilience.

  • Cross-sectoral cooperation and coordination is key.

  • Cross-country cooperation should be encouraged in an increasingly globalised world.

Source: https://www.oecd.org/governance/toolkit-on-risk-governance/goodpractices/page/swissbasicstrategyforcriticalinfrastructureprotection.htm

Public Private Partnerships for Critical Infrastructures Resilience in Finland

The National Emergency Supply Agency (NESA), created in 1993, is tasked with planning, developing and maintaining the security of supply in Finland. While its historic role of maintaining reserve stockpiles to protect the livelihoods of the population as well as the functioning of the economy remains part of its strategic tasks, NESA is more and more active in mainstreaming business continuity and resilience in various sectors of the economy through public-private partnerships. NESA has established a network of thematic clusters where key stakeholders of critical sectors, such as: food supply, energy, transportation, health or industry, develop partnerships in order to assess vulnerability and performance and plan for resilience. NESA also proposes dedicated tools, such as information systems, storage and transport facilities to support business continuity on these domains. NESA also finances specific activities related to business continuity and critical infrastructure protection. The agency prepares annual reports that evaluate the performance of companies in the critical sectors including ranking and specific recommendations

Rationale

Finland faces specific vulnerabilities regarding the disruption of supply chains and critical infrastructures which constitute a major challenge. Harsh winter conditions, high dependence on sea transportation and international markets, interdependencies and the complexity of critical networks are among the key challenges to security of supplies in Finland. Consequently, Finland has invested significant efforts to secure supplies and maintain continuity of services. This is a primary concern of its Security Strategy for Society, in which the functioning of the economy and the infrastructure is one of the seven vital functions of Finnish society. NESA contributes to the implementation of the functioning of society in times of crisis by keeping reserve stockpiles but also by guiding critical infrastructure providers the necessary knowledge about preparedness and continuity planning.

Objectives

  • Securing supplies to ensure the continuity of the economic activities and the functioning of critical infrastructure in cases of serious disturbances and exceptional circumstances;

  • Setting-up private-public partnerships as the primary method for securing supply and developing business continuity;

  • Implementing technical and financial measures to support the development of business continuity efforts across society production of goods and services necessary in exceptional conditions.

Results

  • Increased public-private partnerships with companies in critical sectors (now more than 1000) which all yielded a business continuity plan specific to their activities and sector;

  • Established 7 thematic clusters and dedicated pools to discuss and implement sector-specific supply security and business continuity policies;

  • Developed continuity-management tools designed to support organizations in their continuity management efforts.

Lessons Learned

  • Public bodies within countries should not take full responsibility to maintain the continuity of services, but also the private sector should invest some efforts into preparedness in order to achieve a whole-of-society approach of risk prevention

  • Incentivizing private sector’s efforts in business continuity is essential to facilitate their involvement in these efforts. Evaluating the performance of individual companies is a complementary and efficient way to stir progress.

  • As security of supplies and continuity of critical infrastructures is market-dependent, specific attention to issues related to fair competition, non-discrimination and equal treatment are fundamental when designing policies

Source: https://www.oecd.org/governance/toolkit-on-risk-governance/goodpractices/page/publicprivatepartnershipsforcriticalinfrastructuresresilienceinfinland.htm

National Critical Infrastructure Protection Programme in Poland

The Polish National Critical Infrastructure Protection Programme (NCIPP) was adopted in March 2013 by the Polish Council of Ministers, with the main objective of ensuring the protection of critical infrastructure systems. The NCIPP defines the vision and the objectives behind critical infrastructure protection processes and covers all the phases of the risk management cycle: it aims not only to ensure critical infrastructure’s protection against threats (prevention), but also to contribute to reduce the impact and length of the potential damages (preparedness and response). The NCIPP addresses the following infrastructure systems: energy, communication, ICTs, financial, food supply, water supply, health protection, transportation, rescue, public administration and the production, storage and use of chemical and radioactive substances. The NCIPP describes the cooperation to be set between individuals, and sets out roles and responsibilities for each stakeholder. The NCIPP pays particular attention to building partnerships between stakeholders. Information and knowledge sharing between all levels of the administration as well as between the public and the private sector are key in protecting infrastructure systems. The NCIPP also identifies a number of good practices and recommendations to ensure the smooth functioning of critical infrastructure, in several areas such as technical protection, IT/OT protection, legal protection, business continuity/recovery plans. The good practices and recommendations have been broadened, especially in the area of IT/OT protection. In November 2015, the NCIPP has been updated. It now includes new priorities and tasks for the 2015-2017 period

Rationale

Critical infrastructure is key to the smooth functioning of the public and private sectors. Protecting critical infrastructure in Poland is therefore essential for the smooth functioning of the economic system; Critical infrastructure resilience is also a priority as it can negatively impact the lives of the Polish citizens.

Objectives

  • Increase the resilience of critical infrastructure systems in Poland;

  • Raise awareness about the importance of critical infrastructure and enhance risk assessment frameworks;

  • Allow coordinated and risk-based partnerships for the protection of critical infrastructure

Results

  • Three meetings of the National Forum for Infrastructure Protection have been organised, gathering representatives from the private sector and the administration to exchange on the resilience of critical infrastructure in Poland.

  • Four textbooks were developed: on verifying the authenticity of the documents, on explosive threats to critical infrastructure, on applying biometrics to critical infrastructure, and on technical protection of critical infrastructure systems

  • Over 800 individuals were trained in the fields covered by these textbooks.

Lessons Learned

  • People are the most valuable resource for protecting critical infrastructure. Their knowledge, experience and commitment are key to achieve determined goals.

  • A strategy related to risk management must encompass clear objectives and action plans, and precisely define the roles of each stakeholder.

  • Broad-based partnerships and information sharing are essential to promote critical infrastructure protection.

Source: https://www.oecd.org/governance/toolkit-on-risk-governance/goodpractices/page/nationalcriticalinfrastructureprotectionprogrammeinpoland.htm

Canada’s National Strategy for Critical Infrastructure

The National Strategy for Critical Infrastructure sets the direction for enhancing the resilience of Canada’s critical infrastructure against current and emerging hazards. The Strategy presents a collaborative approach to strengthening the resilience of critical infrastructure, by ensuring that federal, provincial and territorial critical infrastructure activities are complementary and respect… [More] the laws of each jurisdiction. It outlines mechanisms for enhanced information sharing and information protection, and identifies the importance of a risk management approach to strengthen the resilience of critical infrastructure in Canada. Enhancing the resilience of critical infrastructure can be achieved through the appropriate combination of security measures to address intentional and accidental incidents, business continuity practices to deal with disruptions and ensure the continuation of essential services. It also addresses the importance of emergency management planning to ensure adequate response procedures are in place to deal with unforeseen disruptions and natural disasters.. At the national level, the Strategy classifies critical infrastructure within the 10 following sectors: energy and utilities, finance, food, transportation, government, information and communication technology, health, safety, water, manufacturing

Rationale

As the risks to critical infrastructure cut across jurisdictions and sectors, the Strategy provides a comprehensive and collaborative federal, provincial and territorial approach to enhancing the resilience of critical infrastructure. This common approach enables partners to respond collectively to risks and target resources to the most vulnerable areas of critical infrastructure.

Objectives

  • Building partnerships at all levels of government, and with the private sector;

  • Implementing an all-hazards risk management approach;

  • Advancing the timely sharing of information among partners

Results

The National Strategy was accompanied by an Action Plan for Critical Infrastructure (2010), which set out action items for each of the three strategic objectives. A summary of progress achieved under the original Action Plan is contained in the renewed Action Plan for Critical Infrastructure (2014-2017). The next phase of the Action Plan involves taking additional steps for each of the three strategic objectives outlined in the National Strategy, building on what was already achieved under the original Action Plan (2010), with an emphasis on tangible risk management activities

Lessons Learned

  • Critical infrastructure protection is becoming more and more important today, in particular in the context of increasingly interdependent economies.

  • The aim of a critical infrastructure strategy should not be absolute protection, but implementing measures that foster resilience.

  • Cross-sectoral cooperation and coordination is key.

Source: https://www.oecd.org/governance/toolkit-on-risk-governance/goodpractices/page/canadasnationalstrategyforcriticalinfrastructure.htm

US Critical Infrastructure Protection and Resilience Toolkit

The U.S. Department of Homeland Security created the Critical Infrastructure Protection and Resilience Toolkit for owners and operators of critical infrastructure at the local and regional levels to enhance their ability to prepare for, protect against, respond to, and recover from the full range of 21st-century hazards and threats. The toolkit is designed to help critical infrastructure owners and operators incorporate key concepts of the US National Infrastructure Protection Plan (NIPP) into their day-to-day activities. The toolkit includes: A brief video that highlights the role of local and regional communities and the private sector in national infrastructure protection efforts. An exercise planning resource that provides simple tools to help owners and operators plan a discussion-based “table top” exercise to evaluate infrastructure protection and resilience. Frequently asked questions about the role of owners and operators in critical infrastructure protection and resilience. Links to additional online reference materials and training resources related to infrastructure protection and resilience. Information on critical infrastructure protection partnerships and information sharing.

Rationale

As critical infrastructure systems, essential health services must remain available to communities and individuals during and immediately following extreme weather events, even during extended utility outages and transportation infrastructure disturbances. Resilient health care organizations must anticipate extreme weather risks and transcend limitations of regional public policy, local development vulnerabilities, and community infrastructure challenges as they site, construct, and retrofit health care facilities. The disruptions and losses incurred by the U.S. health care sector following recent extreme weather events demonstrate the need for specific guidance on ways to manage the new and evolving hazards presented by climate change. During Super Storm Sandy in New York, for example, several hospitals had to be evacuated because their back-up electricity generators were located in the basement and ended up being flooded, or because there was no plan to fuel them during a longer period than 24 h. In addition some of their most expensive equipment, such as X-Rays were also in the hospital’s basement and contributed to large losses in the sector. These events have also provided opportunities to learn from past disasters so that health care facilities, and the communities they serve, can be more resilient in the future. For these reasons, the Department of Health and Human Services has developed the Sustainable and Climate Resilient Health Care Facilities Toolkit to support building resilience in the health care sector.

Objectives

  • Share best practices for health care providers, design professionals, policy makers, and others to promote continuity of care before, during, and after extreme weather events.

  • Assess the current status of health care infrastructure to extreme weather risks, and policy options that can be adopted to improve climate readiness.

  • Assist organizations engaged in health care facility climate resilience to improve their resilience to extreme weather events.

Results

  • The Toolkit contains a set of checklists for each of the five elements of climate resilience. These checklists can assist health care organizations in assessing climate-related infrastructure and care-delivery vulnerabilities at both a system and facility level and evaluating the results of their resiliency policies.

  • The Climate Resilience Toolkit also includes tools and processes for converting the results of the checklist exercise into a practical plan for improved resilience, and will facilitate identification of policies to implement based on the assessment provided by the checklist.

Lessons Learned

  • Sectorial plans that provide sector-specific guidance on risk preparedness and resiliency are useful to ensure the relevance and the appropriation of policy options.

Source: https://www.oecd.org/governance/toolkit-on-risk-governance/goodpractices/page/uscriticalinfrastructureprotectionandresiliencetoolkit.htm

UK Centre for the Protection of National Infrastructure (CPNI)

The Centre for the Protection of National Infrastructure (CPNI) protects national security by providing advice to the UK national infrastructure organisations, covering physical, personnel and cyber security. To achieve protective security in the national infrastructure sectors, the CPNI supports vulnerability reduction efforts to terrorism and other threats, keeping the UK's essential services (delivered by communications, emergency services, energy, finance, food, government, health, transport and water sectors) safer. Without these services, the UK could suffer serious consequences, including severe economic damage, grave social disruption, or even large scale loss of life. CPNI advice primarily targets critical national infrastructure organisations, which are crucial to the continued delivery of essential services to the UK. CPNI works both with private and public sector partners. Key partners include as the National Technical Authority for Information Assurance (CESG) and the police - National Counter Terrorism Security Office (NaCTSO) and the Counter Terrorism Security Advisor (CTSA) network, as well as critical national infrastructure businesses and organisations. CPNI was formed on 1 February 2007 from the merger of the National Infrastructure Security Co-ordination Centre (NISCC) and the National Security Advice Centre (NSAC). NISCC used to provide advice to companies operating in critical national infrastructure, while NSAC was a unit within MI5 that provided security advice to other parts of the UK government.

Rationale

National critical infrastructure is recognized as “‘those critical elements of infrastructure” (namely assets, facilities, systems, networks or processes and the essential workers that operate and facilitate them), the loss or compromise of which could result in: a) major detrimental impact on the availability, integrity or delivery of essential services – including those services, whose integrity, if compromised, could result in significant loss of life or casualties – taking into account significant economic or social impacts; and/or b) significant impact on national security, national defence, or the functioning of the state. Achieving protective security, i.e. 'putting in place, or building into design, security measures or protocols such that threats may be deterred, detected, or the consequences of an attack minimized', in critical infrastructure is therefore crucial to prevent severe economic damage, social disruption or large scale loss of lives.

Objectives

  • Support vulnerability reduction efforts to terrorism and other threats in the UK’s critical infrastructure

  • Address major threats as identified in the UK National Security Strategy, i.e. espionage, terrorism, cyber and other threats

  • Provide security advice and security planning services to critical infrastructure operators

  • Protect national security

Results

In recent years, the CPNI has issued periodic warnings about increasing levels of cybercrime. Securing digital systems, including open wireless access points, implementing strong firewalls and encrypting communications are all important priorities, analogous to securing physical property and facilities.

Lessons Learned

Offering centralized advice to critical national infrastructure organisations on vulnerability and security aspects, is an essential component of raising awareness on the matter. In this way guidance helps infrastructure make better informed decisions and respond to early warning signs.

Source: https://www.oecd.org/governance/toolkit-on-risk-governance/goodpractices/page/centrefortheprotectionofnationalinfrastructurecpni.htm

End of the section – Back to iLibrary publication page