
Abstract

This chapter explores some theories about risk as a variable rooted in human evolution. Further, it tries to discover how many of those theories are still applicable to modern society. Theories developed by sociologists such as Ulrich Beck and Niklas Luhmann constitute the path followed to describe and contextualize the evolution of human interaction with risk and the variables affecting its perception and acceptance in the world as it behaves today. The fact that modern society has transferred routine and risky activities from man to machine (where ‘machine’ now also includes computers, networks of computers, and their control) is considered to confirm that past theories about risk also apply, with minor modification, to issues such as cyber defense, preparedness, and crisis management, all seen as a noble attempt by the EU legislators and other stakeholders to preserve modern social life.


Notes

  1.

    Insurance companies, in particular, are considered as a necessary factor because of their direct intervention in assuring the financial resilience of the Operators, helping them to “bounce back” after an event (e.g., industrial accident, natural event) that has interrupted the continuity of an infrastructure’s services or production of goods.

  2.

    Rinaldi et al. (2009), pp. 499–513.

  3.

    PCCIP – President’s Commission on Critical Infrastructure Protection (1997).

  4.

    Department of Homeland Security – US Government (2012).

  5.

    Communication from the Commission to the Council and the European Parliament – Critical Infrastructure Protection in the fight against terrorism COM/2004/0702 final.

  6.

    Council Directive 2008/114/EC of December 8, 2008 on “the identification and designation of European critical infrastructures and the assessment of the need to improve their protection”.

  7.

    The complexity of the new challenges that the EU MSs face in attempting to protect “ECI” is made clear by the Council’s preliminary considerations to Directive 114/08/EC: “There are a certain number of critical infrastructures in the Community, the disruption or destruction of which would have significant cross-border impacts. This may include trans-boundary cross-sector effects resulting from interdependencies between interconnected infrastructures. Such ECIs should be identified and designated by means of a common procedure. The evaluation of security requirements for such infrastructures should be done under a common minimum approach. Bilateral schemes for cooperation between Member States in the field of critical infrastructure protection constitute a well-established and efficient means of dealing with trans boundary critical infrastructures. EPCIP should build on such cooperation. Information pertaining to the designation of a particular infrastructure as an ECI should be classified at an appropriate level in accordance with existing Community and Member State legislation.”

  8.

    NATO Committee Reports (2007).

  9.

    National definitions differ slightly in the criteria used to define the criticality of an infrastructure. Most countries and institutions use crosscutting criteria, which cover all infrastructures in all sectors. Sectoral criteria are then used to refine this definition for each specific sector. In some countries, those criteria stress the finality or purpose of the infrastructure (i.e. the infrastructure is critical because it performs a function that is vital to society), whereas in others, they stress the severity or effects of the disruption or destruction of a given infrastructure on society (i.e. the infrastructure is critical because its loss would be extremely disruptive).

  10.

    The US Government is known to be very active in informing citizens about threat priorities and alert levels, and also about how to be proactive in helping the country recover after an event that may decrease the nation’s security, public health, etc. Another example of awareness raising at public level comes from academia, where the US shows a very deep commitment to the safety of its citizens. On this topic, it is worth mentioning the “Personal Resilience certificate” released by the George Mason University of Fairfax, VA (http://www.resilienceisreal.com. 25.10.2013).

  11.

    The list has been drafted by the US Department of Homeland Security, which is in charge of “identifying gaps in existing critical infrastructure sectors and establishing new sectors to fill these gaps” (http://www.dhs.gov/critical-infrastructure-sectors. 23.10.2013).

  12.

    The roads, railroads, and bridges were considered “critical” not just for the transportation of goods and passengers across the country, but also as vital for the continuity of the postal services. This circumstance also testifies to the very first appearance of the dependency between critical infrastructures and services such as supply chain and postal delivery. Further information on the topic can be found in Brown (2006).

  13.

    An example being the terrorist attacks in New York (2001), London (2005) and Madrid (2004) as well as the manmade/natural disasters of Chernobyl (1986), Fukushima (2011), New Orleans (2005).

  14.

    “National monuments and icons” are part of the USA National Critical Infrastructures Protection Plan developed by the Department of Homeland Security. The plan contains in-depth details on how to assure the protection of monuments and iconic buildings located in US territory. This specific plan, as for the other US CIP sectors, covers all the strategies for the protection of elements that fall in the field of interest as well as the precise identification of the agencies and law enforcement bodies involved in the protection lifecycle. In particular, each sector (falling into the National Plan) is managed by a Sector-Specific Agency that provides sector-level performance feedback to the Department of Homeland Security.

  15.

    Those limits reflect how wide the set of variables is that each government, infrastructure operator, security officer, and law enforcement body has to try to keep under control.

  16.

    The threshold of what is considered an acceptable risk is a variable always affected by the degree of perception. The perception of the risk, in turn, is tied to the degree of specialization of the operator involved in such evaluation.

  17.

    According to Niklas Luhmann, the “threshold of catastrophe” is perceived as the threshold below which all the predictions and evaluations about the risks are acceptable, while, in case of crossing the line of acceptability, the consequent events may lead to a catastrophe. Luhmann (1996).

  18.

    Niklas Luhmann in his “Soziologie des Risikos” explicitly refers to the fact that the “threshold of disaster” is perceived in a very different way depending on how someone is involved in the risk: as decision maker or someone who is subject to risky decisions taken by others.

  19.

    In the field of CIP, most of the time, the concept of what is acceptable and what is not is tied to the variable of cost-effectiveness. The cost-effectiveness variable of acceptability of risks characterizes, in particular, those critical infrastructures that are not owned and operated by a government and, for this reason, run the business for profit (e.g., banks, transport companies, internet service providers, telecommunication providers, etc.). Privately owned infrastructures, during their risk evaluation processes, tend to take business-driven decisions that include a lack of commitment where they perceive an “uncontrolled” waste of financial resources, e.g., in the field of security, that may not bring any benefit to business continuity while, in fact, it may seriously affect their competitiveness on the global market.

  20.

    E.g., the disruption, failure or destruction of a Critical Infrastructure or asset is therefore mitigated or amplified depending on the quality of the decision and its timely execution.

  21.

    International experiences in the field of Critical Infrastructure Protection and Resilience are producing new definitions and identifications of “relevant infrastructures” that may be “critical” at “regional” level but not at national level. Those infrastructures are considered “important” as their disruption or failure could have effects whose propagation would be limited to certain regions or areas, whose service continuity could be immediately guaranteed by resorting to redundant services offered by neighboring infrastructures. For further information on the topic of “regional critical infrastructures”, refer to the case of the “Bay Area Center for Regional Disaster Resilience”: http://quake.abag.ca.gov/resilience/ (23.10.2013).

  22.

    The Fukushima Daiichi accident is the largest nuclear disaster since Chernobyl in 1986. It was characterized by a cascading series of equipment failures, nuclear meltdowns, and releases of radioactive materials at the Fukushima Nuclear Power Plant, following the earthquake and consequent tsunami that occurred in the Tōhoku region of Japan on March 11, 2011.

  23.

    Hurricane Katrina was one of the five deadliest hurricanes in the history of the United States of America. At least 1,833 people died in the hurricane and subsequent floods; total property damage was estimated at $81 billion USD. Hurricane Katrina formed over the Bahamas on August 23, 2005 and crossed southern Florida as a moderate “Category 1” hurricane before strengthening in the Gulf of Mexico. The hurricane strengthened to a “Category 5” hurricane over the warm Gulf water, but weakened before making its second landfall as a “Category 3” hurricane on the morning of Monday, August 29 in southeast Louisiana. The most significant number of deaths occurred in New Orleans, Louisiana, which flooded as the levee system catastrophically failed, in many cases, hours after the storm had moved inland. Eighty percent of the city of New Orleans became flooded. The hurricane surge protection failures in New Orleans are considered the worst civil engineering disaster in US history. (http://en.wikipedia.org/wiki/Hurricane_Katrina. 14.10.2013).

  24.

    E.g., terrorism, cyber attacks, inside attacks or other deliberate attacks.

  25.

    Infrastructures can be linked to one or more causes of dependence (unilateral) or interdependence (multilateral), which may have multiple effects on the continuity of the same Infrastructures. From the technical point of view, these examples can be considered as the main sources of dependence/interdependence: (1) Physical interdependency: two infrastructures are physically interdependent if the state of an Infrastructure is dependent on the output of the other; (2) Informatics/telematics interdependency: an infrastructure is characterized by this type of dependence/interdependence when its status is closely related to the operational continuity of computer systems as well as the telecommunications networks, especially in cases where the same computers and networks of computers allow a remote control of the infrastructure (e.g., Supervisory Control And Data Acquisition—SCADA); (3) Geographical interdependence: two or more infrastructures are geographically interdependent if a local event can lead to changes in the status of other infrastructures (such as sharing the same physical location. Every natural disaster or malicious one affecting a given physical location may cause a simultaneous failure of multiple infrastructures); (4) Logical interdependence: two or more infrastructures are logically interdependent if the state of each of them depends on the state of the other through a mechanism, which is not typical of any of the models previously mentioned. This type of interdependence can cover any links related to socio-economic phenomena, cultural or arising from legislative and regulatory constraints.

  26.

    A clear example of Public Private Partnership could be the “President’s Commission on Critical Infrastructure Protection (PCCIP)” that was established in July 1996 with the specific tasks of reporting to the President the scope and nature of the vulnerabilities and threats to the nation’s critical infrastructures; recommend a comprehensive national policy and implementation plan for protecting critical infrastructures; determine legal and policy issues raised by proposals to increase protections; and propose statutory and regulatory changes necessary to effect recommendations.

  27.

    The achievements of the USA, in terms of efforts for securing CIs, are further described and analyzed in the following chapters. It is worth mentioning the proactivity of the US Federal Government, which lets all the stakeholders gather to discuss the National Program for Critical Infrastructure Protection so as to have a 360° view and avoid promulgating any law or policy that might bring further and unnecessary “pressure” to the CIs’ lifecycle.

  28.

    As for the French experience in CIP, it is worth mentioning the important activities carried out by both the Government and the Infrastructure Operators in defining, analyzing, and protecting the “point d’importance vitale” as defined in Art. 17 of the “Décret no 2006-212 du 23 février 2006 relatif à la sécurité des activités d’importance vitale”, whose full text is worth quoting here (in English translation): “Art. 17. − From the date of notification of the national security directives to the operator of vital importance, the operator has a maximum period of two years to submit the specific protection plan for each point of vital importance to the prefect of the département in whose jurisdiction the point is located. (1) Operators of vital importance falling under the Minister of Defence submit the specific protection plan for each point of vital importance to the military authority designated by the Chief of the Defence Staff, within the same time limits as in the preceding paragraph. The national security directives may provide for a time limit different from the one mentioned in the first paragraph.” The text of the article gives a crystal clear example of two important aspects of the French approach to the protection of certain points of vital importance: first, the importance of the infrastructure owner’s evaluation of which are the “points d’importance vitale”, and second, the importance of notifying such assessment to the government’s local departments so that they can take measures and help the infrastructures’ operators in securing them.

  29.

    A good example of specific risks may involve a wide set of sectors like the Chemical, Biological, Radiological, or Nuclear (CBRN) ones, or an attack to physical or logical infrastructures.

  30.

    Acronym of: Emergency Position-Indicating Radio Beacon.

  31.

    The “Costa Concordia” cruise ship sank on January 13, 2012 at 21.42 CET while navigating in the surroundings of “Isola del Giglio” (42.36486°N 10.92124°E). There were 4,229 passengers on board. Among them 110 were seriously injured, 30 died, and 2 are still missing.

  32.

    Literally the word “inchino” means “curtsey” and is used to define a maneuver performed by the captains of cruise ships while navigating nearby an area of particular interest (such as harbors, etc.) that makes the ship navigate extremely close to the coast to increase both its visibility for the people hanging on the coast and to increase the visibility of the surrounding places to the passengers on board.

  33.

    Many industrial sectors utilize and employ services known as “SCADA” or “System Control and Data Acquisition systems”. SCADA represents something called “industrial control systems” that may be linked to a controlling system and may be connected to a network, or the Internet. SCADA systems are affected by the same vulnerabilities and failures that affect computer systems and, because of these critical issues, they are subject to a continuous lifecycle composed of updates and renovations. All these efforts are taken to keep those systems more up-to-date and more secure. Most people are completely unaware of how critical SCADA-controlled devices are, also because of their ever-wider introduction in most of the vital services normally expected by citizens across the globe. For example, in the electric power industry, SCADA can manage and control the delivery of electric power.

  34.

    In fact, this shift has created a “problem in the problem”, because the “race for logical protection” has created the premises for a decrease of attention on the “physical side” of the infrastructures. Experiences around the globe have shown how important it is to reach a good balance in the efforts for logical and physical security.

  35.

    Examples of “misuse” involving deep intervention of human factor, from unpreparedness, lack of prevention, lack of perception of risks, inside attacks and external attacks, such as terrorism (both conventional and cyber).

  36.

    This is why the international Scientific Community is asking for a complete review and rethinking of the information technology services, from “the email to the control systems of a nuclear plant”, to make them more secure and reliable “by design.”

  37.

    The “Stuxnet” worm may well be used as an example. The worm, between the end of 2009 and the middle of 2010, infected Iranian nuclear plants that were enriching uranium, making their centrifuges misbehave. This very sophisticated attack had the result of stopping the Iranian Nuclear Program many times before the Programmable Logic Controllers were restored to a fully functional level through the complete removal of the Stuxnet worm and its variants.

  38.

    Beck (1986) and also Beck (2000, 2003).

  39.

    CBRN is the acronym of Chemical Biological Radiological Nuclear.

  40.

    Sofsky (2005), p. 80. Giddens (1994), p. 20.

  41.

    “Horizon scanning” is a technique for detecting early signs of potentially important developments through a systematic examination of potential threats and opportunities, with emphasis on new technology and its effects on the issue at hand. The method explores novel and unexpected issues as well as persistent problems and trends, including matters at the margins of current thinking that challenge past assumptions. The proper usage of “scan of the horizon” tools can provide the basis to develop strategies for anticipating future developments. It can also be a way to assess trends to feed into a scenario development process. More information on the topics can be found on the Horizon Scanning Centre, UK Government Office for Science: http://hsctoolkit.bis.gov.uk (05.11.2013).


© 2014 Springer International Publishing Switzerland


Lazari, A. (2014). Introduction. In: European Critical Infrastructure Protection. Springer, Cham. https://doi.org/10.1007/978-3-319-07497-9_1
