Critical infrastructure


Critical infrastructure, or critical national infrastructure in the UK, describes infrastructure considered essential by governments for the functioning of a society and economy and deserving of special protection for national security. Critical infrastructure has traditionally been viewed as under the scope of government due to its strategic importance, yet there is an observable trend towards its privatization, raising discussions about how the private sector can contribute to these essential services. It is important to distinct between critical maritime infrastructure and critical terrestrial infrastructure because CMI reflects the maritime dimension of critical infrastructure while CRI reflects the land-based dimension.

Items

Most commonly associated with the term are assets and facilities for:

Canada

The Canadian Federal Government identifies the following 10 Critical Infrastructure Sectors as a way to classify essential assets.
  1. Energy & Utilities: Electricity providers; off-shore/on-shore oil & gas; coal supplies, natural gas providers; home fuel oil; gas station supplies; alternative energy suppliers
  2. Information and Communication Technology: Broadcast Media; telecommunication providers ; Postal services;
  3. Finance: Banking services, government finance/aid departments; taxation
  4. Health: Public health & wellness programs, hospital/clinic facilities; blood & blood products
  5. Food: Food supply chains; food inspectors; import/export programs; grocery stores; Agri & Aqua culture; farmers markets
  6. Water: Water supply & protection; wastewater management; fisheries & ocean protection programs
  7. Transportation: Roads, bridges, railways, aviation/airports; shipping & ports; transit
  8. Safety: Emergency responders; public safety programs
  9. Government: Military; Continuity of governance
  10. Manufacturing: Industry, economic development

    European Union

refers to the doctrine or specific programs created as a result of the European Commission's directive EU COM 786 which designates European critical infrastructure that, in case of fault, incident, or attack, could impact both the country where it is hosted and at least one other European Member State. Member states are obliged to adopt the 2006 directive into their national statutes.
It has proposed a list of European critical infrastructures based upon inputs by its member states.
Each designated European Critical Infrastructures will have to have an Operator Security Plan covering the identification of important assets, a risk analysis based on major threat scenarios and the vulnerability of each asset, and the identification, selection and prioritisation of counter-measures and procedures.

Germany

The German critical-infrastructure protection programme KRITIS is coordinated by the Federal Ministry of the Interior. Some of its special agencies like the German Federal Office for Information Security or the Federal Office of Civil Protection and Disaster Assistance BBK deliver the respective content, e.g., about IT systems.

Singapore

In Singapore, critical infrastructures are mandated under the Protected Areas and Protected Places Act. In 2017, the Infrastructure Protection Act was passed in Parliament, which provides for the protection of certain areas, places and other premises in Singapore against security risks. It came into force in 2018.

United Kingdom

In the UK, the National Protective Security Authority provides information, personnel and physical security advice to the businesses and organizations which make up the UK's national infrastructure, helping to reduce its vulnerability to terrorism and other threats.
It can call on resources from other government departments and agencies, including MI5, the National Cyber Security Centre and other government departments responsible for national infrastructure sectors.

United States

The U.S. has had a wide-reaching critical infrastructure protection program in place since 1996. Its Patriot Act of 2001 defined critical infrastructure as those "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
In 2014 the NIST Cybersecurity Framework was published, and quickly became a popular set of guidelines, despite the significant costs of full compliance.
These have identified a number of critical infrastructures and responsible agencies:
  1. Agriculture and food – Departments of Agriculture and Health and Human Services
  2. Water – Environmental Protection Agency
  3. Public Health – Department of Health and Human Services
  4. Emergency Services – Department of Homeland Security
  5. Government – Department of Homeland Security
  6. Defense Industrial BaseDepartment of Defense
  7. Information and TelecommunicationsDepartment of Commerce
  8. Energy – Department of Energy
  9. Transportation and ShippingDepartment of Transportation
  10. Banking and FinanceDepartment of the Treasury
  11. Chemical Industry and Hazardous Materials – Department of Homeland Security
  12. Post – Department of Homeland Security
  13. National monuments and icons - Department of the Interior
  14. Critical manufacturing - Department of Homeland Security

    National Infrastructure Protection Plan

The National Infrastructure Protection Plan defines critical infrastructure sector in the US. Presidential Policy Directive 21, issued in February 2013 entitled Critical Infrastructure Security and Resilience mandated an update to the NIPP. This revision of the plan established the following 16 critical infrastructure sectors:
  1. Chemical
  2. Commercial facilities
  3. Communications
  4. Critical manufacturing
  5. Dams
  6. Defense industrial base
  7. Emergency services
  8. Energy
  9. Financial services
  10. Food and agriculture
  11. Government facilities
  12. Healthcare and public health
  13. Information technology
  14. Nuclear reactors, materials, and waste
  15. Transportation systems
  16. Water and wastewater systems
National Monuments and Icons along with the postal and shipping sector were removed in 2013 update to the NIPP. The 2013 version of the NIPP has faced criticism for lacking viable risk measures. The plan assigns the following agencies sector-specific coordination responsibilities:
; Department of Homeland Security
  • Chemical
  • Commercial facilities
  • Communications
  • Critical manufacturing
  • Dams
  • Emergency services
  • Government facilities
  • Information technology
  • Nuclear reactors, materials, and waste
  • Transportation systems
; Department of Defense
  • Defense industrial base
; Department of Energy
  • Energy
; Department of the Treasury
  • Financial services
; Department of Agriculture
  • Food and agriculture
; General Services Administration
  • Government facilities
; Department of Health and Human Services
  • Healthcare and Public Health
; Department of Transportation
  • Transportation systems
; Environmental Protection Agency
  • Water and wastewater systems

    State-level legislation

Several U.S. states have passed "critical infrastructure" bills, promoted by the American Legislative Exchange Council, to criminalize protests against the fossil fuel industry. In May 2017, Oklahoma passed legislation which created felony penalties for trespassing on land considered critical infrastructure, including oil and gas pipelines, or conspiring to do so; ALEC introduced a version of the bill as a model act and encouraged other states to adopt it. In June 2020, West Virginia passed the Critical Infrastructure Protection Act, which created felony penalties for protests against oil and gas facilities.

Stress testing

Critical infrastructure such as highways, railways, electric power networks, dams, port facilities, major gas pipelines or oil refineries are exposed to multiple natural and human-induced hazards and stressors, including earthquakes, landslides, floods, tsunami, wildfires, climate change effects or explosions. These stressors and abrupt events can cause failures and losses, and hence, can interrupt essential services for the society and the economy. Therefore, CI owners and operators need to identify and quantify the risks posed by the CIs due to different stressors, in order to define mitigation strategies and improve the resilience of the CIs. Stress tests are advanced and standardised tools for hazard and risk assessment of CIs, that include both low-probability high-consequence events and so-called extreme or rare events, as well as the systematic application of these new tools to classes of CI.
Stress testing is the process of assessing the ability of a CI to maintain a certain level of functionality under unfavourable conditions, while stress tests consider LP-HC events, which are not always accounted for in the design and risk assessment procedures, commonly adopted by public authorities or industrial stakeholders. A multilevel stress test methodology for CI has been developed in the framework of the European research project STREST, consisting of four phases:
Phase 1: Preassessment, during which the data available on the CI and on the phenomena of interest are collected. The goal and objectives, the time frame, the stress test level and the total costs of the stress test are defined.
Phase 2: Assessment, during which the stress test at the component and the system scope is performed, including fragility and risk analysis of the CIs for the stressors defined in Phase 1. The stress test can result in three outcomes: Pass, Partly Pass and Fail, based on the comparison of the quantified risks to acceptable risk exposure levels and a penalty system.
Phase 3: Decision, during which the results of the stress test are analyzed according to the goal and objectives defined in Phase 1. Critical events and risk mitigation strategies are identified.
Phase 4: Report, during which the stress test outcome and risk mitigation guidelines based on the findings established in Phase 3 are formulated and presented to the stakeholders.
This stress-testing methodology has been demonstrated to six CIs in Europe at component and system level: an oil refinery and petrochemical plant in Milazzo, Italy; a conceptual alpine earth-fill dam in Switzerland; the Baku–Tbilisi–Ceyhan pipeline in Turkey; part of the Gasunie national gas storage and distribution network in the Netherlands; the port infrastructure of Thessaloniki, Greece; and an industrial district in the region of Tuscany, Italy. The outcome of the stress testing included the definition of critical components and events and risk mitigation strategies, which are formulated and reported to stakeholders.