While several challenges were identified as common to all sectors, recommendations coming from one sector need to be handled very carefully before applying them to other sectors. read more

For example, the Energy sector requires a more global approach; the Transport sector focuses mainly on safety rather than security. In the ICT sector there is a strong need to secure the entire supply chain, down to the individual component. This is a main concern shared across sectors, as ICT has a direct impact on all other CI sectors. Despite such differences, there were several challenges which emerged commonly among the workgroups.

read less

With regards to legislation, an overall framework of existing or upcoming laws and regulations on national as well as European levels would offer the basis for a qualified assessment and would support the operators in their decision-making process, with respect to security technological solutions. read more

During the workshop this request was particularly well illustrated in the Transport sector. In this sector, a legislative framework would need to take into account interoperability and inter-modality and to cover different areas and sectors within transport. A more fragmented approach would not benefit the operators as intermodality is required when considering an overall intelligent transport scheme. The Energy sector also highlighted a need for a comprehensive inventory of current legislation due to the uncertainty caused by the lack of harmonised European or international legislation.

Procedures and legislation need to be harmonised on a European level in order to improve coordination both at the European and the global level. Harmonisation legislation is a pre-requisite to reach a common level of security-related requirements within a sector and at the same time provide for a fair financial burden for the operators’ business.

read less

The current work performed within the ERNCIP project was presented to the operators. The operators highlighted that the existing thematic areas appear scattered and that a clear structure linking the thematic groups on the basis of sectoral importance and relevance is missing. read more

As a result, operators encouraged ERNCIP to identify new thematic areas more related to the overall theme of Critical Infrastructure Protection. Moreover, the operators welcomed the idea of a process for establishing new thematic areas which also takes into account the input of CI operators.

The CI operators proposed that new thematic areas could address, topics like:

• Modelling, Simulation & Analysis (MS&A) of:
1. interdependencies between CIs
2. security vulnerability identification, assessment & optimisation
3. evaluation of security solutions, etc.;
• Human factors and security culture;
• The threat landscape in the energy sector, in particular the cybersecurity of smart grids and renewable energy.

read less

The workshop participants pointed out that EU-wide harmonised training for operators’ staff does not exist, nor does a certification scheme for qualified CIP personnel. There is a need to support such efforts through relevant professional education and training/ research budgets. read more

The implementation of an EU-wide security certification of qualified staff was also requested. This would allow experts to work within different CI sectors throughout the EU, and make it easier for the owners of the CIs to recruit staff.

The participating CI operators asked ERNCIP to facilitate the creation of such an EU-wide harmonised training scheme for CI operator staff. The training scheme should include training on realistic threat scenarios and vulnerabilities of CIs, meaning that an applied, hands-on approach should be favoured.

Participants also underlined that the proposed training schemes should be addressed to senior staff (engineers as well as managers). At the same time the creation of academic curricula for critical infrastructure protection at an undergraduate and postgraduate level was requested. This request is in line with the obligations and mandate of the Academic Committee of ERNCIP. The ERNCIP Office is asked to keep both operators and academia informed and facilitate the exchange of ideas between these two stakeholder groups. This exchange could be an interesting topic to address in a future ERNCIP operators’ workshop.

Also in terms of regulation policies, ERNCIP can help in communication among operators aiming at requesting DG Home Affairs to coordinate its CIP policy areas with those in other policy areas. It was stressed that at national levels politicians need strategy, management boards need regulations, and technicians need reference manuals for appropriate guidance on the assessment, selection and deployment of technological security solutions. There is also a need to create an EU-wide auditing scheme for operators of critical infrastructures, based on a harmonised methodology.

ERNCIP can also facilitate the efficient and effective bi-directional communication between operators and research bodies, and link the relevant stakeholders within the standardisation community to ensure standards are created rapidly and effectively.

read less

Information sharing regarding threats and vulnerabilities, as well as available/needed tools and instruments, is still a huge challenge because of a missing central reliable point of trust. read more

For example, CI operators recommended the establishment of an EU database of incidents, which should be updated on a regular basis. Such a central tool (as a single point of reference) would allow operators to stay informed about potential threats in an effective and timely manner. This activity could also be combined with training programs.

In the same context, operators invited ERNCIP to launch a systematic assessment of past events like the earthquake in Haiti, Hurricane Katrina in New Orleans, the oil crisis in the Gulf coast of the United States and the tsunami damage to the Fukushima nuclear plant in Japan. The focus should be placed on cross-sectoral interdependencies (e.g. between energy, communication, transportation, water supply) and the identified cascade effects.

Participants followed an all-hazards approach, discussing various threats ranging from terrorist attacks to natural hazards ranging from high probability/low impact threats to low probability/high impact threats. It was underlined that the probability may be perceived as less important in comparison to the consequences of failures of components of complex systems or sectors of CIs. Hence guidance is requested regarding low probability but potentially high impact risks. In such scenarios, operators may ignore the risk of unavailability for critical services (e.g. lack of energy due to extreme space weather, which would result in an inability to manage water supply).

There was common agreement among participants that exercises on a national and EU-wide scale, based on common threat scenarios, would be needed. ERNCIP is invited to facilitate such exercises, as well as support the design of scenarios.

The need for Modelling, Simulation & Analysis (MS&A), based on the assessment of past events and monitoring of threats to CIs reported worldwide, was also reported. MS&A efforts could drive the development of scenarios to be used for analysing possible cascade effects.

read less

Operators feel that there is not enough information available about security research efforts at EU or national level. read more

Operators of CIs need information about European and national research results, as well as ongoing research projects, in order to be aware of emerging technologies, validation results concerning existing technologies and gaps in innovation which need to be communicated to the managers of research programmes. It was felt that at best, only promotional project leaflets are available. In particular, operators would like to be informed about the research results, and how these can be exploited in order to to increase security.

Participants invited ERNCIP to facilitate the production of this information and a dialogue between the managers of the research programmes and CI operators. By doing so, gaps and needs for further research can be established and the innovation process, the core of Horizon 2020, can be promoted.

There was common agreement among participants that exercises on a national and EU-wide scale, based on common threat scenarios, would be needed. ERNCIP is invited to facilitate such exercises, as well as support the design of scenarios.

read less

A major challenge consists in assessing risks, as well as calculating or estimating related costs. Scenario-oriented approaches, related but not limited to risk assessment, would enable a more structured process, as would new models for risk and costs estimation. Financing and related investments are challenges which have a direct impact on the business, and hence also on competiveness. read more

A significant part of the discussion was related to the risk assessment of CIs. Risks are not easily quantified, particularly if they concern rare probability events. CI-related risk definition and assessment have to be reconsidered to ensure that all those involved are speaking the same language (with reference to ISO 31000:2009 and ISO Guide 73: 2009).

Building a comprehensive risk picture for CIP should include both accidental and intentional threats, should cover a wide range of security-related objectives (namely availability and safety), should look at multiple dimensions (physical infrastructures, information, technical systems, organisational artefacts and people); and it should follow a scenario-oriented approach, which can assist the operators to perform comprehensive exercises.

read less

The operators underline the need to link security with existing safety efforts. More specifically, the Transport sector working group presented the new concept of ‘safeurity’ as an example of a concept being developed within the rail sector and aiming at the protection of infrastructures and operations of any kind.