Everyday citizen life and functioning of civil society are very much dependent on the proper functioning of national critical infrastructures. Their impact is significant, and a real understanding of the role and impact of critical infrastructures in the country is of the utmost importance for every government. For most of the people who live in the western hemisphere, infrastructures that run their daily life are taken for granted. In essence, there are expectations that there will be electricity, clean water, means of communication like phones, emails, or dependable transportation services. Those expectations also became dependability on those services – if services are not present or reliable our daily activities are becoming impossible – threatening the very existence of the society or nation, having a substantial impact on the sustainability of the government or other civil services that support the nation or state.
For European Union, critical infrastructures are described as “critical infrastructures are those physical and information technology facilities, networks, services and assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of citizens or the effective functioning of governments in European Union countries”. Most of the Governments, including the European Union, developed national programs or directives that are aimed to protect national critical infrastructures against the attacks and threats, like EU Directive on Security of Network and Information Systems from 2016[1].
National critical infrastructures today typically include:
- Energy Infrastructure: energy installations, power networks, electrical power, storage facilities and refineries, transmission and distribution of energy, supporting multiple other critical infrastructures
- Finance Infrastructure: banking facilities, securities and investment facilities, auxiliary vendors that provide elements of financial transactions
- Information and Communication Technologies: telecommunication networks, broadcasting systems and different hardware, network and software systems that are a platform for critical infrastructures
- Healthcare Infrastructure: hospitals, laboratories and pharmaceutical institutions, but also emergency services and search and rescue services that are degraded to limit their effectiveness due to the broader threat activities toward other critical infrastructures
- Food and Water Infrastructure: production and safety of the food production, infrastructure of food and water distribution but also dams, water storage facilities and networks of distribution
- Transport Infrastructure: airports, ports, railways and other means of mass transportation including transport control systems
- Government Infrastructure: management of critical services, government information networks, government administration capabilities and capacity, essential national / state history and geopolitical resources, etc.
Infrastructures are owned and operated by public and private sectors and built and managed mostly by the platforms and technologies that are developed and maintained by the private sector. There are ongoing research and discussion on how to protect those critical infrastructures – they are a vital part of the social and economic development of any nation.
Risk Environments and Security Threats affecting national critical infrastructures are growing more complex and uncertain. In essence, there is an ever-evolving list of threats, vulnerabilities, and consequences that critical infrastructure has to deal with. Critical infrastructure threats were connected to physical threats and natural disasters, but now the focus is increasingly shifting toward cyber risks.
One of most catastrophic threats related to national critical infrastructures is a threat of terrorist attacks, most recently with the intense focus on industrial control systems with an emphasis on destroying or limiting the functionality of infrastructure services – where risks are focused either toward a single infrastructure service provider, but that could impact other, interdependent infrastructure services.
Given that most of the national critical infrastructures today are based on the technology platforms and solutions that command and control their operations, most of the threats are coming not from the physical but from the virtual, programmable environment that is used for control. The use of technology platform is widespread, and we see more and more use of shared, globally available resources that are used by multiple customers but also adversaries, making threats more impactful. Out of all technology platforms and solutions, the ones that are part of the information and communication technology infrastructure are the most vulnerable – but they also make other interdependent systems vulnerable too.
Threats to National Stability today is managed on two different, yet collaborative level – one that is deployed on the vendor, a usually multinational corporation providing software, technology, platforms and services and the organizational capability of the nation that is implementing protection and resilience of national critical infrastructures. Capabilities of most of the National Critical Infrastructure Systems today strongly depend on the skills and capacity of the governing agencies to adopt, understand, manage and execute on those systems – which are sophisticated and with ever-growing multiple devices attached to it representing a threat end-point.
One of the major threats today is cybersecurity (or cyberthreats). But, lets leave that to another article.
[1] Source: https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive