etc. Hence, this chapter constitutes a substantial input for the next step related to foresight scenario analysis.
Chapter 13. Catalogue of questions for Experts / Future Groups.
Chapter 14. Recommended resources. This chapter provides a list of recommended available online resources for preparing foresight scenario on the respective Big Theme (for use by Future Group members).
Chapter 15. Bibliography. List of all references used in this report.
The present report is based on the understanding that it provides a problem space description that naturally includes a couple of aspects, including policies and capabilities of different kind. This problem space description provides an information background and derives questions for subsequent FOCUS foresight work. FOCUS foresight work will fully take place in the context of civil security research as defined in the 7th EU Framework Programme. Because FOCUS is not defined as a policy-related project, it will not further address policies, and as a civilian security research project, it will not perform foresight related to defence and military aspects of security.
2 Short Descriptions of the themes 2.1 Critical infrastructure protection
Since historical time the fundamental function of the state is to ensure the existence and sustainable development of human society, which is not possible without ensuring the “safe space”
– a space in which the human security level is acceptable. Human security depends on several assets, including infrastructures. The term “critical infrastructure” is from the end of last century;
before, terms such as emergency supply; material and technical base of state; and emergency functions were in use.
According to the European Commission (European Commission, 2004), Critical infrastructures are those physical and information technology facilities, networks, services and assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of citizens or the effective functioning of governments in European Union (EU) countries. Infrastructures whose incapacity or destruction could have a debilitating impact on the defense and economic security of a country (President’s Commission on Critical Infrastructure Protection, 1997). A very particular definition of Critical Infrastructure Protection is given in contexts where risk management exercises are described, i.e. to the preparedness and response to serious incidents that involve the critical infrastructure of a region or nation. More specifically, Critical Infrastructure Protection is the ability to prepare for, protect against, mitigate, respond to, and recover from critical infrastructure disruptions or destruction (European Commission, 2006).
European Critical Infrastructure may also address those infrastructures whose disruption or destruction would significantly affect two or more Member States, or a single Member State (Council Directive, 2008). In other words, the loss of a critical infrastructure element may be rated by means of three elements (European Commission, 2006):
1. The extent of the geographic area which could be affected by the loss or unavailability of a critical infrastructure element beyond three or more Member State’s national territories;
2. The effect of time (i.e. the fact that a for example a radiological cloud might, with time, cross a border);
3. The level of interdependency (i.e. electricity network failure in one MS affecting another).
The sectors covered by the critical infrastructure are (European Commission, 2006):
Energy production and shipping;
Information and communication technology, and cyber infrastructure;
Water;
Food;
Health;
Financial;
Public and legal order and safety;
Civil administration;
Transport (air, rail, road, sea, ports, mass transit networks, traffic control systems);
Chemical and nuclear industry; and Space and research.
National definitions of Critical Infrastructure – EU member states
Exploring the term of Critical infrastructure and its protection we found some slightly differences in national definitions. The list below provides an overview of national definitions found within this study:
Germany: “Critical infrastructures are organizations and facilities of major importance to the community whose failure or impairment would cause a sustained shortage of supplies, significant disruptions to public order or other dramatic consequences.” ( Federal Office for Information and Security. )
Netherlands: “Critical infrastructure refers to products, services and the accompanying processes that, in the event of disruption or failure, could cause major social disturbance.
This could be in the form of tremendous casualties and severe economic damage… ”.
(Ministry of Interior, 2005)
United Kingdom: “Critical National Infrastructure comprises those assets, services and systems that support the economic, political and social life of the UK whose importance is such that loss could: 1) cause large scale loss of life; 2) have a serious impact on the national economy; 3) have other grave social consequences for the community; or 3) be of immediate concern to the national government.” (United Kingdom Home Office Security) Bulgaria: “System of facilities, services and information systems, the braking,
malfunctioning or destruction of which, would have a serious negative impact on health and safety of population, environment, national economy or on the effective functioning of government. (Crisis Management Law). Another reference points out that Critical infrastructure is a component, system or parts thereof which are essential for the maintenance of vital societal functions, health, safety, and security, economic or social welfare of the population and the disruption, the destruction or failure to maintain these functions would have significant consequences for the Republic of Bulgaria”. (Ordnance
#18: on the establishment and designation of European Critical Infrastructures in Bulgaria and measures for their protection, 2011)
Czech Republic: “The critical infrastructures are infrastructures that are necessary for human lives in normal, emergency and critical situations. They contain the following items:
energy power supply system, above all electricity supply; water supply system; sewer system; transport net system; communication and information system; banking and financial sector; emergency services (police, fire-fighting and rescue service, health service); fundamental services (food supply, waste handling, social services, burial services), industry and agriculture; state, regional and local administration” (Czech Republic, 2002).
National definitions of Critical Infrastructure – rest of the world
Australia: “Critical infrastructure is defined as those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic well-being of the nation, or affect Australia’s ability to conduct national defence and ensure national security.” (Australian National Security)
Canada: “Canada’s critical infrastructure consists of those physical and information technology facilities, networks, services and assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of Canadians or the effective functioning of governments in Canada.” (Public Safety Canada)
United States: The general definition of critical infrastructure in the overall US critical infrastructure plan is: "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." For investment policy purposes, this definition is narrower: “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on national security." (Department of Homeland Security , 2006)
ICT Cyber security
As part of the critical infrastructure, information and communication technologies (ICT) represent the communication networks (telephone lines, wireless signals) and computers, middleware as well as other necessary software and systems to allow the storage, transmission and manipulation of information. In this context ICT systems are critical as they are essential to the minimum operations of the economy and government (PDD-63). Consequently ICT and cyber security are often mentioned as part of national Critical infrastructures (Homeland Security Presidential Directive Seven).
2.2 Supply Chain security
Supply Chain Security is a systematic and continuous process to enhance prevention, protection, preparedness, monitoring, detection, mitigation, response, and recovery from disruptive criminal and terrorist activities and incidents in the supply chain.
The definition of supply chain security management provided by Hintsa et al. (2009) shows evidently that like in any other management discipline, supply chain security management activities are constrained by rules to a great extent.
“Supply chain security management (SCSM) covers all processes, technologies and resources exploited in a systematic way to fight against end-to-end supply chain crime. The primary goal of each single SCSM measure is either to prevent a crime, to detect a crime, or to recover from a crime incident in the fastest possible time. Single SCSM measures fall typically into one of the following five categories: cargo, facility, human resources,
information technology, and management systems. The typical supply chain crime includes theft, smuggling, counterfeiting, sabotage, blackmailing for financial gain, terrorism for destruction, and any type of fraud and corruption (the detailed crime definitions subject to national and international regulations).” Hintsa et al (2009)
The definition states that supply chain security management “fights against crime”. Explicit legal rules and regulations draw boundaries between illegal and legal activity and criminalize undesired activities like theft, smuggling, counterfeiting, and sabotage. This empowers legitimate private and public supply chain actors combat against “crime” and thus protect their assets, employees and reputation from a multitude of supply chain related illicit activities.
The definition highlights that supply chain security management applies processes, technologies and resources in a systematic way to fight against crime. The definition does not address that the application of these processes, technologies and resources must done in compliance with an array of formal and informal supply chain security rules. Crime prevention tactics and strategies must be designed in accordance with explicitly proclaimed laws, regulations and conventions and implicit values, believes, norms and conventions. These rules constrain but also, as Hodgson (2006) suggests, enable supply chain security management activities by making coordinated anti-crime efforts possible.
2.3 Critical supplies – products and services
The concept of critical supplies appears to be poorly defined in the literature. However the analysis of the material collected allow to create examples of linkages between products, raw materials and services to the critical infrastructure in Europe. Hence, by logical reasoning, one angle of critical supplies can be stated as those necessary for the construction, maintenance and operation of critical infrastructure. A possible set of products and services necessary for the European Critical Infrastructure is depicted in Table 1 below. In later chapters, additional considerations will be given e.g. to critical supplies from citizen and transport perspectives.
Table 1. Examples of critical products and services.
Critical Infrastructure Critical product or service
Energy Continuous supply of products and materials to produce energy.
Electricity Continuous supply of electric power within bound frequency and voltage ranges
Oil Adequate supply of oil products with the required product specifications Natural gas Continuous supply of natural gas with the required pressure and caloric
value
IT & Telecom Uninterrupted services with the required level of quality (e.g., low blocking chance, low noise level, low jitter, low delay, fast response) Drinking water Availability of drinking water with a bacterial and chemical
contamination content below set thresholds Defence
External safety of a country by high readiness of or delivering of adequate command & control, well-trained personnel, material, infrastructure, and logistics.
From commodity / product perspective, references were found to European Commission defining a set of “critical raw materials”, in terms of metals and minerals, concentrating on Supply risk and Environmental country risk (details explained in Chapter 9 of the report).
Supply risk:
o Concentration of the production of the raw material in a given non-EU country.
o Political and economic stability of the producing countries.
o Potential for substitution and recycling rate.
Environmental country risk:
o Jeopardizing the supply of the raw materials by introducing environmental measures.
At the same time, “critical supplies” can exist in several product categories, including the following nine broad categories used commonly by customs administrations worldwide (Harmonized Tariff System; EU import analysis per category follows in Chapter 9)
1. Food and live animals 2. Beverages and tobacco
3. Crude materials, inedible, except fuel
4. Mineral fuels, lubricants and related materials 5. Animal and vegetable oils, fats and waxes 6. Chemical and related products
7. Manufactures goods classified chiefly by material 8. Machinery and transport equipment
9. Miscellaneous manufactured articles
3 Key definitions
3.1 Critical Infrastructure Protection
Main definitions related to Critical Infrastructure Protection are given in the text below and concert the following terms:
Critical.
Infrastructure.
Fundamental state function.
Basic human system assets.
Safety.
Security.
Danger.
Harm / damage.
Vulnerability.
Impact.
Inadmissible impact.
Disaster.
Hazard.
Risk.
Threat.
Vulnerability.
Scenario.
Emergency situation.
Disaster assessment, hazard assessment and risk assessment.
Risk management.
Safety management.
Crisis management.
Safe space.
Proactive management.
Reactive management.
Safety performance indicator.
Critical. The word “critical” is from nuclear domain and it means the boundary between acceptable and non-acceptable conditions with regard to given value scale. In most countries’ definitions, the word “critical” refers to infrastructure that provides an essential support for economic and social well-being, for public safety and for the functioning of key government responsibilities. For example Canada’s definition of criticality involves “serious impact on the health, safety, security or the economic well-being of Canadians or the effective functioning of governments in Canada.”
Germany refers to “significant disruptions to public order or other dramatic consequences.” The Netherlands’ critical infrastructure policy refers to infrastructure whose disruption would cause
“major social disturbance,” tremendous loss of life and “economic damage”. Thus the word critical refers to infrastructure which, if disabled or destroyed, would result in catastrophic and far-reaching damage.
Infrastructure. The definitions of infrastructure used in official descriptions of critical infrastructure tend to be broad. Most governments refer to physical infrastructure. Many also include intangible assets and/or to production or communication networks. Australia, for example, refers to “physical facilities, supply chain, information technologies, and communication networks. Canada refers to
“physical and information technology facilities, networks, services and assets. The United Kingdom refers to “assets, services and systems”.
Fundamental state function is to ensure the protection of interests (assets) of the state (country) and the permanent sustainable development of the state.
Basic human system assets (Protected interests or fundamental interests of the state) are items that are protected with priority (e.g. in Czech Republic) and in the most of the other countries there are human lives and health, property, environment, existence of the state and recently critical infrastructure) and there is pursued the care to their development.
Safety is a set of measures and activities for ensuring the security and sustainable development of assets.
Security is a forming the sense of safety, safe feeling, certainty, ensuring the public welfare, permanent development of sound environment and reliable operation of technological (physical and cyber) facilities.
Danger is a condition / situation at which it originates or can originate detriment on assets.
Harm/damage is a detriment on human life and health, property, environment and human society expressed in money.
Vulnerability is a predisposition to harm / damage origination.
Impact is adverse effect / influence of phenomenon in a given place and time on assets.
Inadmissible impact is the impact that causes or can cause damage / harm on one or more assets.
Disaster is a phenomenon that leads or can lead to damages and harms on assets of the state (i.e. phenomenon which leads or can lead to impacts on protected assets of the state). From the
view of cybernetics the disaster is one of the possible conditions of system including the human society and environment, which leads or can lead to damages / harms on one or more assets of the state. The term “disaster” is often used for phenomena with small number of victims; if number of victims is greater (usually more than 25), the term “catastrophe” is often used.
Hazard is a set of maximum disaster impacts that are expected in a given place in specified time interval with a certain probability. According to technical norms and standards the hazard is determined by identified size of disaster.
Risk expresses the probable size of undesirable and unacceptable impacts (losses, harms and detriment) of disasters with size of normative hazard on system assets or subsystems in a given time interval (e.g. 1 year) in a given site, i.e. it is always site specific.
Threat is a measure of occurrence of attack (including terrorist) in a given place. It is a probability that originates or can originate an event or set of events, quite different from desirable (originally supposed) condition or development of protected interests of the state from the viewpoint of their integrity and function. It is determined by capability of attacker, vulnerability of protected interests of the state and by attacker intent.
Vulnerability is sensitivity of asset to impacts of disaster / threat. It is inherently complex entity of the system, the dynamic, i.e. not a static variable. In the scale of time and space (egging the projection into area), certain aspects dominate at different point in time and at a different location.
Scenario (model) of disaster is a set of isolated and interconnected disaster impacts in space and time that causes or can cause the given disaster in definite site, i.e. time sequence of events affected by disaster impacts.
Emergency situation is a situation caused by disaster origination. Usually, it is classified into 5 categories (0 - 5) that for simplicity are denoted by colours (upper-most by sequence of colours - yellow, orange, red).
Disaster assessment, hazard assessment and risk assessment in a given territory, site, time interval are the risk engineering operating methods.
Risk management is a planning, organization, allocation of work tasks and check up of sources of organization so, that there might be reduced losses, damages, harms, injuries or deaths caused by various disasters. Risks are reduced by the reduction of vulnerability of objects, human population, environment, state etc. (in this connection there is used the term „impact mitigation“ for impacts that cannot be averted at disaster origin). According to majority of technical norms and standards there is performed the reduction of vulnerability at planning, designing, construction and operation of protected interests for all risks, the probability of which is equal or greater than 0.05.
By this way there is formed the inherent safety of system including the human society, objects and environment (i.e. so-called design disasters ought to be get under control by design, regulations for land-use planning and construction, operating instructions, rules for response to emergencies and by instructions for response to critical situations, and therefore, their occurrence would not threaten sustainable development).
Safety management consists in a planning, organization, allocation of work tasks and check-up of sources of organization with aim to reach requested safety level. Enhancement of safety is reached by use (application, realization, and implementation) of technical, legal, organizational, educational etc. protective measures. They are also considered risks the occurrence probabilities
of which are smaller than 0.05, but impacts are fatal (severe). Safety management belongs to a common practice at planning, designing, construction and operation of technical facilities and objects such as power plants, dams, nuclear facilities etc., and it is the basement of nuclear safety, radiation protection and protection against dangerous chemical substances that is introduced by the SEVESO II directive. In technical slang there is stipulated that this type of management considers beyond design (severe) accidents. Except of formation of inherent safety of system including the human society, objects and environment this management type also promotes so called principle of precaution, because it considers disasters or their sizes the occurrences of which are very low probable, that are unforeseen.
Crisis management is a management the purpose of which is to precede a possible critical situations, to ensure preparedness for response to possible critical situations, to ensure the getting possible critical situations under control in frame of power of crisis management authority and
Crisis management is a management the purpose of which is to precede a possible critical situations, to ensure preparedness for response to possible critical situations, to ensure the getting possible critical situations under control in frame of power of crisis management authority and