![]()
PART 1: CRITICAL INFRASTRUCTURE![]()
CHAPTER 1: CRITICAL INFRASTRUCTURE SERVICES
āThe next Pearl Harbor we confront could very well be a cyber attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems. ā4 ā Leon Panetta
People have a variety of needs in their daily lives: water, food, clean air, a home and electricity. We also consume many other benefits such as transport services, communication services, television and radio programmes, medical services and banking services. Without some of them, we probably wouldnāt survive ā not for long, anyway. Some services are more important to different people at different times ā transport connections, communications and medical services may be more or less essential, depending on your circumstances. A common understanding of primary needs is relatively easy to achieve, but when pinpointing vital services we may often end up with different opinions. Defining such services depends on geographic location, climate, season, peopleās way of life and other factors. There are services that people have become used to over decades, and their absence causes uncertainty or puts our security at risk. Mobile communication is a good example of this: it is important for people to be in contact with their loved ones, but 30 years ago we managed just fine without mobile phones. Weāve become increasingly used to them and our dependence on them has grown. Many of us feel like we canāt live without social networks.
The lines between vital, socially important and other services consumed by us cannot be clearly and unequivocally defined. From the viewpoint of protecting critical infrastructure, it is important that such services are defined and written down somewhere. Every country should have a specific law that regulates this field. Defining critical services is bound to lead to discussions and possibly arguments about whether or not a specific service is critical, or why one service is critical and another is not. Preparing the list of services is still in its early stages in terms of the entire process of protecting critical infrastructure and CII, and there is still a lot to do. The law can be amended if an important service was left out or a service that was deemed critical shouldnāt actually be regarded as such.
These critical services must be operational:
ā¢ power supply
ā¢ oil and gas supply
ā¢ water supply and sewerage
ā¢ harbours
ā¢ rail traffic
ā¢ air traffic
ā¢ data telephony
ā¢ data communication
ā¢ settlements and cash withdrawals
ā¢ law enforcement
ā¢ medical assistance.
The list is not final, and the circumstances, characteristics and needs of each country should be taken into account.
Lesson 1: Define critical infrastructure services.
4 www.huffingtonpost.com/2011/06/13/panetta-cyberattack-next-pearl-harbor_n_875889 .html
![]()
CHAPTER 2: DESCRIPTION OF SERVICE AND SERVICE LEVEL
āCritical infrastructure is vitally important to all of us because it provides the necessities: water and food; the electricity and gas; the telecommunications and broadcasting services that keep us in touch and help us to conduct our business; the health services that keep us alive; the banking and finance system that keeps our economy running; and the transport system that gets us ā and the goods we need ā from A to B. ā5 ā George Brandis
Preparing the list of critical infrastructure services described in the previous chapter is the first step. However, the list alone is not enough for planning the activities that follow. It is also important to describe the critical infrastructure services. How and on what basis can we say that a critical infrastructure service is functioning? How do we know what a specific critical service is and what characterises it? If we donāt know what a functioning service looks like, then itās impossible for us to objectively assess whether or not it is functioning. Does a service function as needed?
Every critical service should be described. The description of a critical infrastructure service should allow the service provider, consumers and other stakeholders to understand what can and cannot be expected from the specific service. All critical infrastructure services can be characterised with different criteria and parameters. The requirements for and service level of a critical infrastructure service should also be determined. Power coming from the grid always has the same tension and frequency, and weāre used to this. Itās possible that these parameters have been determined in regulations. Power supply companies enter into contracts with their clients. These contracts or the general conditions of services may also contain other aspects that describe the service and service level. They might contain the number to call in the event of faults, determine how quickly the company has to react to faults, how quickly faults have to be eliminated, etc. Sometimes they state the length of a power cut from which the client is not charged for the service. In these cases, we can say that a service level has been determined between the service provider and the client. However, the service level of a critical infrastructure service should be determined from the viewpoint of the state.
Itās likely that there are many services that have not been adequately described and for which the necessary service level has not been determined. Or, if a service level has been determined, it was not done in consideration of the fact that the service is a critical infrastructure service and its consumers may have higher expectations regarding the continuous operation of the service.
These parameters should be determined for every critical infrastructure service:
ā¢ maximum tolerable downtime
ā¢ recovery time objective.
Maximum tolerable downtime is the downtime that an organisation, specific sector or country can tolerate. āMaximum tolerableā can be defined at business, sector or country level and these could be different. A critical infrastructure service provider should follow the shortest defined downtime.
Recovery time objective is the defined time during which systems and services should be brought up and running.
Service-specific indicators that characterise the operating level of the service must be defined for the majority of services: a minimal quantity of calls in a mobile communications network, the quantity of banknotes withdrawn from an ATM in a certain unit of time, the guaranteed minimal water pressure at specific measurement points, the minimal number of passengers served by a harbour in a certain unit of time, etc.
The above is the so-called primary requirement in the process of building a critical infrastructure protection system. We should then think about the operational needs of critical services in the event of crises of different severity and define them if possible. What are the critical infrastructure services that should definitely work in the event of a crisis and at what level should they operate?
Lesson 2: Describe the critical infrastructure service and determine its service level.
5 www.attorneygeneral.gov.au/Speeches/Pages/2014/Second%20Quarter%202014/6June2014-OpeningAddressOfTheCriticalInfrastructureResilienceConference.aspx
![]()
CHAPTER 3: PROVIDERS OF CRITICAL INFRASTRUCTURE SERVICES
āCritical infrastructure is diverse and complex not only because of the variety of sectors it covers, from communications, emergency services, information technology to nuclear reactors and transportation systems; it is complex also due to the special nature of its ownership.ā6 ā Dean Thompson
Once the list of critical infrastructure services has been prepared, they have all been described and their service levels determined, the next step is to identify the providers. Critical infrastructure service providers are not only public-sector organisations. In many countries, essential elements of critical infrastructure are owned and operated by private companies. Depending on the service, market, regulations and many other factors, a service may be provided by one or several service providers. Some countries may only have one provider of a certain service if the service provider is a monopoly, or only one service provider may have the right to provide a certain service in a certain region. The number of monopolies has decreased in the past 20 or 30 years. Many countries have opened their markets in the communication and energy sectors, which in the past were often controlled by monopolies.
In the case of a monopoly when there is only one service provider on the market, this service provider must be considered the critical infrastructure service provider.
What happens when there is more than one service provider on the market? Many other factors should be considered, such as the number of clients to whom the service is provided, market share, production volume and capacity, number of clients in a certain geographic region, etc.
Which service providers will be considered critical infrastructure service providers and which ones will not? Depending on the sector, services and possible criteria for defining critical infrastructure services, as well as reaching the relevant agreements, identifying these service providers may take a lot of time.
For example, if there are many voice telephony service providers, which of them should be considered critical infrastructure service providers? There may also be situations where some providers only operate in a certain geographic region and donāt provide their service nationwide. Some of these service providers may have the biggest market share in a specific region and not provide their services in another. This means that geography must be considered when defining the criteria f...
