Critical Infrastructure Security - the ICT Dimension

Abstract
Assuring the security of critical infrastructure (CI), vital for the functioning of the state, society, business and individual citizens, is one of the most important challenges currently facing states. The Kosciuszko Institute's Report analyses the protection of critical infrastructure with particular emphasis on IT security. The primary goal of this Report is to provide actors engaged in the protection of critical infrastructure with recommendations outlining ways to increase the level of security. The publication is divided into two parts. The first part contains general, system-wide considerations concerning CI and assuring its security. In particular, the Report emphasizes the identification of CI (a prerequisite for its effective protection) and the legal aspects of CI security and public-private co-operation. The second part is devoted strictly to information and communications technology. The most sensitive factors concerning the cybersecurity of CI are presented together with best practices and courses of action allowing for more effective operations. The Report includes a comprehensive analysis of the problem of cybersecurity in CI, representing a valuable source of information for the development of effective solutions to strengthen the security of the country's vital infrastructure. The publication closes with a presentation of the most important factors influencing the security of CI, together with recommendations and requirements developed by the Kosciuszko Institute's team on the basis of the individual chapters. The Report was developed in co-operation with the Government Security Centre, the EY consulting firm, the law offices of WKB, and the Matic company.
In addition, individual sections of the report were completed in cooperation with experts from the Military University of Technology in Warsaw, Krakow Polytechnic, and the Cybersecurity Foundation. The National Security Bureau also accepted the Kosciuszko Institute's invitation to participate in the work and preparation of the Report.
GrzegorzAbgarowicz, RyszardAntkiewicz, PiotrCiepiela,
MichałDyk, DominikaDziwisz, ZbigniewFałek,
PiotrGajek, RafałKasprzyk, WłodzimierzKotłowski,
MirosławMaj, AndrzejNajgebauer, DariuszPierzchała,
AleksanderPoniewierski, MaciejPyznar,
MirosławRyba, KrzysztofRzecki, JoannaŚwiątkowska,
ZbigniewTarapata, AgnieszkaWiercińska-Krużewska
Critical Infrastructure Security
– the ICT Dimension
Information and communication technology systems are increasingly influencing the functionality of the most important objects, installations, devices and services identified and designated as components of the state’s critical infrastructure (including energy and fuel supply systems, communication and ICT systems as well as financial, transport and communication systems). Given their fundamental role in ensuring the security of the entire state, it is mandatory that they function impeccably.

Despite the magnitude of the problem, Poland lacks a comprehensive analysis of critical infrastructure security in cyberspace. This very Report fills this gap. The main aim of the report is to provide the institutions engaged in the protection of critical infrastructure with recommendations leading to the improvement of its security.

The report has been created as part of the Kosciuszko Institute’s project Target: Cybersecurity.
© The Kosciuszko Institute 2014
ISBN: 978-83-63712-15-0
Cooperation
The representatives of the National Security Bureau participated in the creation of the report exclusively as observers. Any observations they made were implemented if the authors of particular sections of the report decided to do so. The report does not present an official standpoint of the NSB.
Editor: Joanna Świątkowska
Editorial assistant: Anna Hojcak
The Kosciuszko Institute’s team analysing factors influencing security and formulating recommendations on the basis of the chapters’ content: Joanna Świątkowska, Zbigniew Fałek.
Translation: Justyna Kruk, Krzysztof Gajda (Introduction and Recommendations)
Graphic design: Małgorzata Kopecka
In Images 7 and 11, the following Noun Project icons have been used: Arrow by Roman J. Sokolov, Skull and Crossbones by Andrew Cameron, Factory by Patrick Trouvé, Key by Márcio Duarte, Settings by Luis Rodrigues, Security by mohit arora, Route by Carlos Valério, Server Security by Roman Kovbasyuk, Laptop by Simple Icons, Analysis by Christopher Holm-Hansen, Network by Matthew Hawdon, Flow Chart by Jhun Capaya, Server by Jaime Carrion, Gears by Hysen Drogu, Computer by Simple Icons, Server by Alf.
© The Kosciuszko Institute 2014. All rights reserved. Short pieces of text, no longer than two paragraphs, may be copied in the original language, provided the source is quoted.
Publication date: August 2014
The Kosciuszko Institute
ul. Lenartowicza 7/4
31-138 Kraków, Poland
e-mail: ik@ik.org.pl
mob.: +48 12 632 97 24
www.ik.org.pl
ISBN: 978-83-63712-22-8
If you appreciate the value of the presented publication, we kindly encourage you to financially support our future publishing initiatives.
Table of contents
Introduction ..... 5
part I ..... 10
1. The role of critical infrastructure in the functioning of the state ..... 11
2. Legal determinants of critical infrastructure protection ..... 28
3. Effective public-private cooperation – success factors ..... 44
4. The methodology of governing collaboration forums for critical infrastructure protection ..... 51
part II ..... 58
5. The role of ICT components in the functioning of critical infrastructure ..... 59
6. Threats posed to the security of critical infrastructure in the context of the advanced application of ICT solutions – challenges for the state ..... 63
7. ICT components of critical infrastructure protection ..... 68
8. The security of industrial control systems ..... 73
9. Critical infrastructure and incident response ..... 82
10. The concept of capacity development in the critical infrastructure cybersecurity of the state ..... 88
11. The analysis of academic study programmes related to the security of critical infrastructure’s ICT systems ..... 98
Factors affecting security and recommendations ..... 104
Annex ..... 109
Abbreviations ..... 119
Authors ..... 122
The views expressed in this publication are those of the authors and do not necessarily reflect any views held by the Kosciuszko Institute and the publication partners. They are published as a contribution to public debate. Authors are responsible for their own opinions and contributions, and the authors do not necessarily support all of the opinions made by others in the report.
Introduction
Joanna Świątkowska, Zbigniew Fałek
– the Kosciuszko Institute
Critical infrastructure (CI) is a key component of national security, stability and economic growth. It also determines the functioning of societies and individuals. Even though infrastructure of special significance for man and the communities he creates has always existed, it only gained in importance as civilizations developed. Consequently, it has become more and more vital to ensure its safety, especially over recent years.
A turning point in the debate over CI protection was marked by the terrorist attacks which took place in the USA on September 11th 2001 and then in London and Madrid in 2004. The attacks showed, first, what terrible consequences can be brought about by targeting the most pivotal infrastructure elements; second, how much these elements are interrelated;[1] and finally that the entire state system may be put in danger not only by state but also by non-state actors. Faced with this reality, individual states and international organisations (e.g. the European Union) intensified their actions with the aim to protect CI.
Currently, however, we can observe yet another trend of crucial importance for ensuring CI security – the increasing role and gravity of security in cyberspace as the basis for the functioning and security of CI. The present report focuses on exactly this topic.
ICT solutions related to CI can be discussed in two different ways. First, ICT networks in Poland constitute one of the country’s CI systems. Second, ICT is part of different CI systems, supporting them and often ensuring their proper functioning. In other words, ICT solutions may be CI in themselves or act as components of other CI elements.
What is the danger?
The fact that CI is increasingly dependent for its functioning on ICT solutions, coupled with the changes taking place in this domain, poses new challenges related to ensuring security. Potential dangers can be caused by technical failures and human error, but also by intentional, hostile activities undertaken in cyberspace. There are several reasons why this last category of threats is becoming more and more menacing.
[1] See B. Hammerli, A. Renda, Protecting Critical Infrastructure in the EU. CEPS Task Force Report, 2010, p. 12.
CI may be disrupted or destroyed by attacking its ICT elements. Cyberspace attacks are, among other things, relatively cheap to prepare and carry out but have the potential to inflict great damage on the target. Their additional “advantage” is that it is difficult to detect the perpetrator and prove his guilt,[2] which means that he is relatively safe in the sense that he can avoid reprisal and responsibility in all its different aspects. The potential severity of damage, the ease of carrying out the attacks and of shifting responsibility mean that cyber attacks against CI may become a key weapon at the disposal of state and non-state aggressors.
According to “The Cyber Index. International Security Trends and Realities”, prepared under the auspices of the UN, there is a sharp increase in the number of states which set up special official agencies dedicated to cyberspace activity (also offensive) as part of their armed forces.[3] All of this shows that cyberspace may become a major theatre of conflict. Cyber attacks against CI may destabilise the functioning of a state in a situation of political tension or be used as an important element in a military campaign during an open conflict.
Potential attacks may be prepared already in times of peace. Every so often, the media report cyber espionage activities targeting entities operating within systems commonly considered to be CI.[4] Even though such activities are mostly carried out for financial reasons, they do make it possible to acquire knowledge of and access to systems which may become targets in the future. There are also other methods of “paving the way” for potential aggression. It is enough to realise that the ICT products (hardware, software, etc.) we use are produced all over the world. As a result, it is not difficult to embed hostile elements which, activated at the right moment, may impair the functioning of the entire system.
Today, potential sources of danger are no longer only nation states. Even though the scenario whereby non-state actors[5] perpetrate mass-scale cyber attacks against CI with far-reaching, nation-wide consequences may not seem very likely,[6] the danger is higher in the case of individual infrastructure elements.
Finally, in addition to potential intentional threats related to the employment of digital tools, it is critical to ensure protection from human error, technical failures or even the natural environment.
Objectives and structure of the report
Acknowledging the fundamental importance of CI for national security, the Kosciuszko Institute decided to devote the present report to the problem of its protection, focusing primarily on the cyber security of CI due to its growing role and significance. Our ambition is that the report contribute to the on-going debate over CI protection, especially in the context of cyber criminality.

[2] The problem of attribution.
[3] Centre for Strategic and International Studies, Institute for Peace Research and Security Policy, The Cyber Index. International Security Trends and Realities, UNIDIR, 2013, p. 3.
[4] For a list of systems covered by critical infrastructure in selected countries see for example: Haemmerli, A. Renda, CEPS Task Force Report. Protecting Critical Infrastructure in the EU, 2010, http://www.ceps.eu/book/protecting-critical-infrastructure-eu, [accessed: 05/03/2014].
[5] Single aggressors, cyber terrorists and criminal organisations, but not supported by states in this context.
[6] Due to the lack of advanced knowledge necessary to carry out an attack of this type as well as other resources (broadly understood).
The main objective of the report is to provide entities directly responsible for CI protection with recommendations improving security. The recommendations have been developed following an analysis of factors influencing both CI protection in its general aspect as well as the ICT security of CI. The factors were selected from individual chapters in the report and constitute their most important element.
The structure of the report reflects the objective presented above and the tasks set for the authors. The report is divided into two parts. The first contains general, systemic reflections related to CI and ensuring its security. It puts great emphasis on the problem of identifying CI (a necessary pre-condition for its protection), legal aspects of CI security as well as cooperation between private and public actors. Hence, this part of the report is addressed mainly to decision makers and entities responsible for national security in its entirety.
The second part is devoted specifically to ICT aspects. It identifies the most pivotal factors related to the cybersecurity of CI as well as good practices and strategies making for the most effective actions. Many recommendations contain suggestions of systemic changes, whereas the others are addressed[7] to CI owners and operators and are naturally more detailed.
Part One opens with a chapter written by Maciej Pyznar and Grzegorz Abgarowicz, PhD, from the Government Centre for Security. Not only does it introduce the reader to fundamental facts on CI, but it also shows the most important, selected elements of the CI protection system from the perspective of the state. The focal part of the chapter is devoted to reflections on the CI identification process.
The second chapter was prepared by the law firm Wierciński-Kwieciński-Baher. It analyses the legal aspects of CI both on the national and the international level. The analysis focuses in particular on financing CI protection activities, public procurement issues and the problems of establishing cooperation between the public and private sectors.
Chapters Three and Four in Part One, written by the experts from the Kosciuszko Institute, Joanna Świątkowska and Dominika Dziwisz, PhD, should be treated as complementary. They are both devoted to the problem of public-private cooperation and the factors influencing its effectiveness. Currently, most of CI is either owned or managed privately. As effective cooperation between the state and the owner or operator of CI is a pre-condition for its efficient protection, the topic is discussed at length in the first part of the report.
The second part opens with a chapter by Mirosław Ryba, PhD, from EY showing the role ICT solutions play in the context of the functioning and security of CI. The chapter highlights the use of IT and OT systems.
[7] Or directly concern.
Chapter Six, also prepared by an EY expert, Aleksander Poniewierski, PhD, describes major changes which took place in the functioning of ICT solutions employed in the area of CI. The changes happened on the economic, technological and organizational level and have a direct impact on the challenges related to ensuring CI security. It is necessary to realise and understand them in order to take efficient measures.
Chapter Seven, written by Włodzimierz Kotłowski from MATIC, shows how ICT solutions are used to protect CI effectively.
Chapter Eight by Piotr Ciepiela from EY is devoted to the security of OT, a crucial component in the entire system of CI cybersecurity. The chapter not only presents the most important standards of OT (and, to a lesser degree, IT) security, but also suggests other solutions ensuring and improving security.
Cyber security of CI also requires a well organised incident reaction process. Chapter Nine by Mirosław Maj, the President of the Safe Cyberspace Foundation, contains good practices in this area as well as a short analysis of incidents threatening the ICT security of CI.
Chapter Ten presents the authors’ original concept of an IT toolkit improving the efficiency of detecting, countering and neutralising the effects of cyber threats. The toolkit was developed by a team led by Professor Najgebauer from the Military University of Technology and may be broadly used in ways going beyond the purely military domain, in such areas as crisis management on different levels of central and local administration.
The last chapter, prepared by Krzysztof Rzecki, PhD, from the Cracow University of Technology, contains an analysis of tertiary education curricula in the area of CI’s ICT network system protection.
The report is concluded by recommendations.
What follows (Figure 1) is a process chart presenting the most important elements related to ensuring CI security. The report touches upon most of the suggested elements, but has no ambition of being an exhaustive discussion of all CI security problems. This is primarily because the subjects of CI in general and the ICT aspect of its functioning in particular are very broad.
Having analysed the factors influencing CI security, not only could we prepare the basic recommendations contained in this report, but also identify those elements which require further study. As we are well aware that there are a lot of important issues which it was impossible to put into a single document, we hope to continue our work and research.
Finally, since the entire report has been drafted on the basis of unclassified and generally available data, the reader should be aware that it does not provide a full account of all information which may bear upon CI security and may omit some factors which are specific to the resources used.
Figure 1a. The process of ensuring critical infrastructure security – the most important elements. Source: own compilation. The elements shown in the chart:
• Setting the overall strategic goal and the scope of CI protection
• Setting appropriate strategic (supporting) objectives
• For CI and its elements, establishing key conditions for success which must be met in order to reach CI protection goals
• Showing relationships and coherence between the main goal, supporting objectives and critical conditions for success (CI security map)
• Establishing criteria for measuring results of actions taken on the basis of critical conditions for success
• CI analysis focusing on its individual elements
• Creating a catalogue of threats (event identification)
• Risk assessment through determining probability and severity of identified events
• Allocating necessary risk response scenarios to specific CI operators (avoiding, containing, sharing and acceptance of events)
• For CI and its elements, establishing policies and procedures of effective risk response (particularly those concerning the division of responsibilities and roles played by individual CI operators)
• Determining the scope of information to be gathered on occurring events
• Communicating clear and targeted messages shaping desired attitudes of all CI stakeholders
part I
1. The role of critical infrastructure in the functioning of the state
Maciej Pyznar, Grzegorz Abgarowicz
– the Government Centre for Security
The infrastructure development and its growth in significance
Human needs have always determined advances in technology. The process of taming nature through technological intervention in the surroundings has accompanied mankind nearly from the outset.
The development of agriculture stemmed from the need to provide food; the development of industry was supposed to make human life easier, while medical advances helped keep life-threatening illnesses at bay.
It is human nature that determines the desire and need to create and constantly modify the environment.
In his “Little Book About Man”, Roman Ingarden wrote: what makes us human is that in a sense we “live beyond our means”, beyond everything we need to sustain our basic physiological life (...) we create “things” that any physiological life considers luxurious (...). What makes us human is that we surpass the biological conditions we were born into and we use them as the basis for creating a new, different world.[1]
As a result of human activity, the layers of culture, technology, and social solutions are applied on Ingarden’s duality: human–nature. Those “things” are the state and infrastructure alike. Since social or cultural concepts are inscribed in and limited by human nature, this duality transforms into a triad: man–nature–technology.
Having been accustomed to the presence of infrastructure in his life, man fails to notice that widespread access to it is a relatively recent phenomenon, which began with the industrial and technological revolutions at the turn of the 19th and 20th centuries.
This revolution initiated changes in the entire social structure, being mostly determined by the expansion of urban areas. With population growth in urban areas, the needs of the people residing in them started growing rapidly. Those requirements stemmed not only from the desire to satisfy individual needs of residents, but also from the demands of the collective population with regard to protection against crime or diseases, two-way communication or transport.

[1] R. Ingarden, Książeczka o człowieku [Little Book About Man], Wydawnictwo Literackie Kraków, Kraków 1987, p. 37.
Despite a heavy burden of negative historical experiences, the course of Poland’s technological advancement was similar to that of other countries.
In order to illustrate the phenomenon of technological development, it is worth tracing the evolution of at least some of its elements. In 1929, Poland had 57 active 5 MW power plants with a combined output of 636 MW.[2] Their combined power generation totalled 2,355 GWh. As of 30 September 2013, the total installed capacity of all Polish power plants amounted to 38,490.1 MW,[3] while power generation in 2011 was 70 times higher and totalled 163,118 GWh.[4] When analysing the data, we need to remember that prior to World War II, power plants in Poland did not constitute an interconnected system and there was no nationwide power network.[5] The power systems as we know them today were developed after World War II, i.e. only 70 years ago.
At the beginning of the 19th century, a glass of water could either quench thirst or kill. Currently perceived as an obvious element of everyday life, safe drinking water was scarcely accessible, while fatal water-borne diseases, such as cholera, typhoid or dysentery, posed a constant and real threat.[6] The first clean water was distributed to the residents of Warsaw on 3 July 1886. In 2012, Poland had 8,748 water and sewage companies supplying water to over 37 million people.[7]
[2] Mały rocznik statystyczny 1930 [1930 Small Statistical Yearbook], table 5, “Elektrownie w Polsce” [Power Plants in Poland], p. 33, http://statlibr.stat.gov.pl/exlibris/aleph/a18_1/apache_media/4U9MMALMHKN1ENV6KTGHPGE9HDUFM8.pdf, [accessed: 08/04/2014]. The largest main activity producers around 1938 included Powiśle Power Plant (83 MW), Pruszków Power Plant (31.5 MW), Łaziska Power Plant (105 MW), Będzin Power Plant (23.5 MW), Zabrze Power Plant (70.3 MW), Szombierki Power Plant (51.2 MW), Łódź Power Plant (101 MW), Garbary Power Plant in Poznan (42 MW), Historia polskiej energetyki [The History of Polish Energy Industry], http://www.wnp.pl/artykuly/historia-polskiej-energetyki,5327.html, [accessed: 08/04/2014]. For the sake of comparison, the nameplate capacity of Bełchatów power plant is 5,298 MW.
[3] CIRE.pl, http://www.rynek-energii-elektrycznej.cire.pl/st,33,207,tr,75,0,0,0,0,0,podstawowe-dane.html, [accessed: 10/04/2014].
[4] Ibidem.
[5] Historia polskiej energetyki [The History of Polish Energy Industry], http://www.wnp.pl/artykuly/historia-polskiej-energetyki,5327.html, [accessed: 08/04/2014].
[6] Greatest Engineering Achievements of the 20th Century, http://www.greatachievements.org/?id=3610, [accessed: 08/04/2014]. In order to demonstrate how recent a development the ability to supply clean water is, we recommend analysing the achievements of mankind presented on the timeline.
[7] Chief Sanitary Inspectorate, “Stan sanitarny kraju w 2012 r.” [Sanitary conditions in Poland in 2012], table 22, “Struktura przedsiębiorstw wodociągowo-kanalizacyjnych w 2012 r.” [The structure of water and sewage companies in 2012], p. 76. The situation looks interesting in the case of sewage disposal and treatment. According to the 2013 Small Statistical Yearbook of Poland (p. 49), in 2012, wastewater treatment plants provided service to only 69% of the country’s population (92% in urban areas and, in villages, where about 39% of the country’s population reside, as little as 33%).
In 1927, Robert Bosch GmbH launched the production of a fuel injection system for the compression-ignition engine[8] constructed by Rudolf Diesel in 1893, which allowed for its wide use in motor-driven vehicles and road transport. In the same year, Poland had only 45,500 km of hard-surface roads[9] on which diesel-engined lorries could drive. The hard-surface road network in Poland increased to 280,000 km in 2011[10] to allow for the transport of 1,545 million tonnes of goods in 2012.[11]
Between 1927 and 2012, the railway network grew from 17,146 km to 20,094 km.[12] It is a fair observation to make that, given the period of eighty-five years, the increase of 2,948 km seems small. It needs to be noted, however, that more than half of the railway lines have been electrified[13] and were used to transport over 230 million tonnes of goods in 2012 (in 1927, it was 73.7 million tonnes[14]).
In 1928, there were 126,000 telephone subscribers in Poland who in total made 672 million calls.[15] In 1929, in the whole of Poland, there were 157,000 telephone sets,[16] which means that back then only about 0.5% of the population owned a telephone set.[17] Conversely, in 2012, nearly 7.4 million subscribers (almost 20% of the population[18]) used land lines, while the combined call volume reached 13 billion minutes.[19]
It goes without saying that pre-war Poland and the then contemporary world did not know mobile telephony. In 2012, the combined volume of SIM cards registered by operators in their databases was over 53.9 million[20] (140% of the population), whereas the total time of outgoing calls in 2012 amounted to over 69 billion minutes.[21]
It was not until the second half of the 20th century that the world rst heard about a new
means of communications – the Internet. In today’s Poland, there are over 11.6 million
8 F. DeLuca, History of fuel injection, http://www.disa.it/pdf/01HystoryOfDieselFuelInj.pdf, [accessed: 08/04/2014].
9 Mały rocznik statystyczny 1930 r. [1930 Small Statistical Yearbook], table 8, “Drogi Bite w Polsce w latach 1925 – 1928” [Hard-surface roads in
Poland in 1925–1928], p. 55.
10 Mały rocznik statystyczny Polski 2013 [2013 Small Statistical Yearbook of Poland], table 1 (237), “Sieć Komunikacyjna” [Transportation
Network], p. 379.
11 Ibidem.
12 Mały rocznik statystyczny Polski 2013 [2013 Small Statistical Yearbook of Poland], table 1 (237), “Sieć Komunikacyjna” [Transportation
Network], p. 379 and Mały rocznik statystyczny 1930 r. [1930 Small Statistical Yearbook], table 1, “D ługość linii i tabor w latach 1922–1928”
[Railway track length and rolling stock in 1922–1928], p. 52.
13 Mały rocznik statystyczny Polski 2013 [2013 Small Statistical Yearbook of Poland], table 1 (237), “Sieć Komunikacyjna” [Transportation
Network], p. 379. It is also worth bearing in mind that railway electrication in Poland only took place after World War II.
14 Mały rocznik statystyczny 1930 r. [1930 Small Statistical Yearbook], table 3, “Przewóz pasażerów i towarów w latach 1922 – 1928” [Transport
of passengers and goods in 1922–1928], p. 52.
15 Ibidem, table 24, “Telefony w Polsce w latach 1924 – 1928” [Telephones in Poland in 1924–1928], p. 61.
16 Ibidem, table 27, “Stan liczbowy telefonów w niektórych państwach w 1929 r.”[The volume of telephones in some countries in 1929], p. 62.
17 Poland’s population on the 1st January 1930 was 30.7 million. Mały rocznik statystyczny 1930 r. [1930 Small Statistical Yearbook], table 6,
“Ludność Polski w latach 1921 i 1930” [ The population of Poland in 1921 and 1930], p. 4.
18 Poland’s population on the 31st March 2011 was 38,512. Mały rocznik statystyczny Polski 2013 [2013 Small Statistical Yearbook of Poland],
table 1 (62), Ludność na podstawie spisów [Population on the basis of censuses], p. 116.
19 Raport o stanie rynku telekomunikacyjnego w Polsce w 2012 roku [Report on the telecommunications market in Poland in 2012], President of the
Office of Electronic Communications, Warsaw, June 2013, pp. 48–49.
20 Ibidem, p. 23.
21 Ibidem, p. 27.
14
Maciej Pyznar, Grzegorz Abgarowicz – the Government Centre for Security
broadband Internet subscribers22, which places the Internet service saturation per household at 83.5%.23
We also cannot forget about other services that emerged together with the Internet, e.g. VoIP (Voice over IP). In 2012, over 1.1 million users in total used this service for a fee.24
When analysing the quantitative and qualitative development of infrastructure on the example of Poland, two determinants need to be taken into account.
First, the service supply infrastructure is geographically remote.25 It is owned by enterprises established specifically for this purpose, and end users have very little impact on how it works. This was influenced by at least three factors:
• The absence of suitable technologies for individual application: no technology existed in the past that would enable individual households to become independent of the infrastructure (the fact that people did not take advantage of the infrastructure in rural areas has to be disregarded); likewise, the funding of technological development was out of the range of an ordinary citizen. In contemporary times, this trend is being reversed and we are increasingly in possession of such technologies, e.g. electricity-generating photovoltaic cells, on-site wastewater treatment systems, ionizers for water purification, etc.
• The cost of technological advancement: the construction and maintenance of infrastructure is expensive; therefore, its financing was taken on by the state, local authorities, or private investors. Only these entities could bear the cost of investment in power plants, wastewater treatment plants or roads;
• The need to provide a large number of consumers with access to infrastructure: in the past, the only means to meet this demand was the construction of a centralised infrastructure. Thanks to this centralisation, charges for access to the services provided through the infrastructure are relatively low and thus widely accessible, despite the high costs of building and maintaining the infrastructure.
Second, the process in which man is becoming increasingly detached from nature and its unpredictable power through technological development, an expression of the expansion of human independence and needs, has paradoxically introduced another threat: that of dependence on technology. Nevertheless, the potential lack of access to services is not the only consequence of human activity in this domain. The very fact that this infrastructure exists carries with it further risks. Due to the diffusion of innovations26, these threats are also becoming fundamental risks for the contemporary world, especially since the process of assimilating technological novelties can no longer be counted in decades, but in months. The
22 Ibidem, p. 7.
23 Ibidem, p. 4.
24 Ibidem, p. 63.
25 For example, only 20 main activity producers in Poland account for over 80% of nameplate capacity, Elektrownie w Polsce [Power plants in Poland], http://www.rynek-energii-elektrycznej.cire.pl/st,33,200,tr,67,0,0,0,0,0,elektrownie-w-polsce.html and Podstawowe dane [Basic data], http://www.rynek-energii-elektrycznej.cire.pl/st,33,207,tr,75,0,0,0,0,0,podstawowe-dane.html [accessed: 25/05/2014].
26 More in: A. Pomykalski, Innowacje [Innovations], Wydawnictwo Politechniki Łódzkiej, Łódź 2001.
emerging new technologies quicken the pace at which reality changes, making it impossible for man to prepare for their consequences. Such a state of affairs is an offshoot of both the rapidity of the changes themselves and the unpredictability of their consequences. Being a result of the search for ever new means to satisfy human needs, this technological development created not only new and previously unheard-of threats but also new, secondary needs. This peculiar spiral of development has become such a natural phenomenon that it is hard to imagine man functioning in isolation from infrastructure and the benefits and risks it entails.
As a consequence, it is the state that needs to take upon itself the responsibility not so much for the functioning of infrastructure as for the continuous supply of the services it offers and the effects of the threats it poses to human health, life and the natural environment. When realising its basic functions, the state tends to concentrate on these issues. Of the six domains related to the internal activity of the state, half of its functions directly pertain to the problem of security and are closely connected to infrastructure. These include: safeguarding public order and safety, protecting citizens’ property and health, and actions aimed at ensuring the internal security of the state. The implementation of the remaining ones, i.e. securing the system of ownership existing in the state, maintaining and developing international relations with other states, or actions facilitating the flow of information and inter-human relations27, is indirectly dependent on technical infrastructure and the legal system created and guaranteed by the state.
It is a fair observation that the functioning of society and the state is contingent upon infrastructure, while the level of its advancement affects both the efficiency and the effectiveness of the tasks that the state performs. As a consequence, technological development creates a system of interdependences and interrelations between the state and infrastructure.
On the one hand, the state, acting for the benefit of security and public order, must secure itself against infrastructure-induced threats, but at the same time protect infrastructure in order to continue carrying out its infrastructure-reliant functions. On the other hand, pursuing the goal of ensuring a continuous supply of services, vast and extensive infrastructure systems tend to transfer some of their responsibility for it to the state.
Today, it is very hard to question the hypothesis that the ability of the state to perform its duties (all of its functions) is closely dependent on both the level of technological development and the quality of service provided by individual infrastructure sectors. Awareness of these dependencies and their consequences has led to the isolation of the most vital components of the entire infrastructure system: critical infrastructure (CI). Hence the emphasis that has been put on creating systems to protect this infrastructure for the past several decades.
27 J. Oniszczuk, Współczesne państwo w teorii i praktyce. Wybrane elementy [Modern state in theory and practice. Selected elements], Oficyna Wydawnicza SGH, Warsaw 2008, p. 401.
What is critical infrastructure and how to identify it?
Touching upon the role CI plays in relation to the state, with the latter perceived as a social institution that guarantees the security of its members (citizens), it is impossible not to allude to the concept of needs. One of the factors determining whether infrastructure is flagged as a critical component of the state system is recognising it as a basic instrument responsible for providing services that fulfil the needs of the state and its citizens alike.
In the literature on the subject, we can find at least several taxonomies of human needs. Abraham Maslow outlined a hierarchy of needs by grouping them into 5 levels (physiological, safety, love/belonging, esteem, and self-actualization).28 Erik Allardt divided human needs into three spheres related to having, loving and being.29 In turn, Andrzej Luszniewicz distinguished 7 groups of material and cultural needs: food, shelter (housing, clothes, shoes), health care, education, recreation (leisure time and its use), social protection, and material security.30 Conversely, in the studies led by Aleksander Zeliaś, a taxonomy of 9 needs was used, including healthcare and welfare, job market and safe working conditions, adequate salary and income, appropriate housing conditions, and public safety. In addition, other needs were indicated, such as education, recreation, culture and free time, communications, and protection against the effects of environmental degradation.31
The overview of the above taxonomies allows the conclusion that services provided by means of infrastructure can satisfy nearly every need imaginable, thus validating the role of CI. This perspective does not, however, warrant its criticality. In connection with the above, it is worth considering another approach, which is defined by distinguishing a set of fundamental values among which human life undoubtedly takes prominence. Essentially, human life can be threatened in six ways (6WTD, the 6 ways to die)32: overheating (too hot), hypothermia (too cold), hunger, thirst, illness, and injury.
In this approach, the role of CI is to protect the public from the threats to life and health defined by 6WTD. Following this model, infrastructure can be grouped into:33
1. Infrastructure that provides shelter and secures its effective functioning; most often understood as heating and power plants
2. Infrastructure that accompanies and secures the supply chain, e.g. road and waterworks infrastructures, refineries
28 M. Panek, Podstawowe kategorie i klasyfikacje w badaniach poziomu i jakości życia [Basic categories and taxonomies in studies of standard and quality of living], http://kolegia.sgh.waw.pl/pl/KAE/struktura/ISiD/struktura/ZSS/zaklad/sklad/Documents/Statystyka_Tomasz_Panek/Statystyka_spoleczna/Podstawowe_kategorie_i_klasyfikacje_w_badaniu_poziomu_ijakosci_zycia.doc, [accessed: 08/04/2014].
29 Ibidem.
30 M. Dąbrowa, Badanie poziomu życia – metodologia konstrukcji wybranych wskaźników [Study in standard of living: methodology of constructing selected indicators], Zeszyty Naukowe MWSE w Tarnowie 2011, No 1(17), http://zn.mwse.edu.pl/dabrowa-maria-badanie-poziomu-zycia-metodologia-konstrukcji-wybranych-wskaznikow/, [accessed: 08/04/2014].
31 Ibidem.
32 M. Bennett, V. Gupta, Dealing in Security: understanding vital services and how they keep you safe, http://resiliencemaps.org/files/Dealing_in_Security.July2010.en.pdf. More information about research and projects in which Vinay Gupta is engaged can be found on this website: http://vinay.howtolivewiki.com/blog/about, [accessed: 08/04/2014].
33 Ibidem.
3. Infrastructure that ensures access to basic safety services, allowing for the supply of services, e.g. telephone switchboards, power plants, refineries, databases.
It needs to be noted that protection against 6WTD occurs at numerous layers, which is best
illustrated by the picture below.
Figure 2. The map of critical infrastructure and its layers. Source: M. Bennett, V. Gupta, Dealing in Security: understanding vital services and how they keep you safe.
[Figure: concentric layers from person, home, village, town, region and country out to world; nodes include military, police, hospital, sewage plant, water plant, toilet, tap water, cooking, kitchen stores, food shops, food markets, fuel markets, cooling, heating, home, power station and energy markets; the six ways to die (illness, injury, too hot, thirst, hunger, too cold) are marked along the edge.]
If we look at the map presented above, we will notice that it does not cover CI that is not directly linked to providing protection against 6WTD. Therefore, it appears advisable to supplement the 6WTD concept with the infrastructure indispensable for the implementation of the basic functions of the state indicated earlier, in order to map the state’s significant infrastructure completely.
By delineating the mutual relations between CI, the public and the state, it is possible to attempt to define what CI really is. In Poland this concept shall be understood as systems and mutually bound functional objects contained therein, including constructions, facilities, installations and services of key importance for the security of the state and its citizens, as well as serving to ensure the efficient functioning of public administration authorities, institutions and
enterprises.34 Comparing the above statement with the definitions of CI used in other countries, we discover that they are akin to one another. Similarly to Poland, CI is understood in most cases as infrastructure (e.g. facilities, services, systems, networks) whose destruction or incapacitation would have serious effects for the citizens and the state. These impacts pertain to different categories, e.g. key social functions, the economic well-being of citizens, national security, or the functional performance of the state.35
The advantage of formulating a definition of CI, besides conferring a common meaning on the term, is the possibility of including in it national objectives and operational priorities.36 In their paper “Critical Infrastructure: Where we Stand Today?”, Cécilia Gallais and Eric Filiol37 emphasise two components that are commonly missing from definitions of CI, namely the human aspect and references to the political and social environment of CI. According to the authors, none of the definitions mentions people as an integral part of CI, although they are indispensable for the functioning of any infrastructure, regardless of whether their criticality is acknowledged or not. Moreover, none of the definitions takes into account the CI environment, e.g. its dependency on external components (sub-contractors, suppliers, data centres, etc.), which, according to the authors, results from a very narrow-minded view of CI as a completely isolated structure. In order to fill these gaps, Gallais and Filiol propound their own, broader definition. It states that CI can be companies, institutions, or organisations at the regional, national, and international level whose disruption, damage, or destruction would have a serious impact on the health, safety, and economic well-being of citizens or the effective functioning of governments and other infrastructures that depend on it. It also includes humans whose corruption, preclusion, or death could result in the disruption of critical infrastructure. In addition, it also encompasses:
• installations (access, buildings, sites, etc.)
• equipment (computer, printer, hard drive, etc.)
• physical and natural resources
• physical (electrical, water, etc.) and virtual networks (Intranet, the Internet, etc.)
• physical and virtual data (confidential data, such as access codes and passwords, procedures, organizational chart, etc.)
• Information and Communication technology facilities
• services
• processes
• assets, including image
• systems or their parts
• another infrastructure to which connections exists (e.g. service or products suppliers)
34 Art. 3(2) of the Act of 26 April 2007 on Crisis Management (Journal of Laws of 2013, Item 1166). The list of critical infrastructure systems, which in the case of Poland are integral to the definition of CI, has been purposefully omitted.
35 More in: Report by OECD: Protection of ‘critical infrastructure’ and the role of investment policies relating to national security, Table 1. National Definitions of Critical Infrastructure, p. 4.
36 It needs to be noted that despite the clear advantages mentioned above, only some countries decided to take this step. Critical infrastructure
protection is being implemented through the protection of assumed values, e.g. key social functions. This group comprises the following
countries France, Sweden, Estonia, and Italy.
37 C. Gallais, E. Filiol, Critical Infrastructure: Where we Stand Today?, http://www.tevalis.fr/images/ArticleICCWS2014.pdf, [accessed: 08/04/2014].
which, if disrupted, damaged, stolen, or destroyed, would adversely affect the health, safety and well-being of employees and threaten the effective functioning of CI. In truth, any element that comprises CI could potentially disrupt its functioning, damage or even destroy it. These elements can also be found in the political and cultural environment of the infrastructure.38
It appears, however, that applying such a broad definition of CI is unnecessary. Apart from the fact that practical reasons would make its application difficult, it needs to be noted that the shortcomings pointed out by Gallais and Filiol, although missing from the commonly used, compressed definitions, are taken into account in every organised system of CI protection. To give an example, in Poland’s National Critical Infrastructure Protection Programme, the identification of the CI environment and the resulting dependencies and interdependencies is part of the risk assessment39, while the human element is mentioned in all types of CI protection activities.40 Nevertheless, the considerations presented by the authors of “Critical Infrastructure: Where we Stand Today” can be useful when identifying CI.
Regardless of whether a country has developed its own concept of CI or not, the basic and all-important process is the identification of critical infrastructure. It raises a number of serious challenges. The first one involves developing a common, harmonised methodology that can be utilised to determine infrastructure’s individual components. Another challenge is to distinguish those infrastructure components that are critical nationally from infrastructures that are key at the local and regional levels but do not require central intervention. In addition, the process has grave consequences related to the protection of the information gathered thereby, which often includes not only the list of critical infrastructures but also sensitive critical infrastructure protection data.41
In the process of identifying CI, two basic approaches can be observed.42 The “bottom-up” approach involves applying criteria to the entire national infrastructure in order to assess its criticality. Conversely, the “top-down” approach, which is more widespread in the world, assumes the application of a pre-defined, basic list of critical sectors (systems or services).43 The list of critical sectors is strongly linked to the establishment of mutual relationships between CI, society and the state; in other words, to the role that was allocated to critical infrastructure in the state. The analysis of selected examples allows the conclusion that the list of critical sectors (systems or services) in individual countries looks very similar.
38 Ibidem, p. 11.
39 See The National Critical Infrastructure Protection Programme – main body, p. 30.
40 See Annex 2 of The National Critical Infrastructure..., op. cit. – Standards ensuring smooth functioning of critical infrastructure – good practices
and recommendations.
41 Lord Jopling (special rapporteur), Special report to NATO Parliamentary Assembly: The protection of critical infrastructures.
42 Good practices manual for CIP policies for policy makers in Europe – the publication is part of the project RECIPE (Recommended Elements of
Critical Infrastructure Protection for policy makers in Europe).
43 Ibidem, p. 16. The definition of critical infrastructure or other executive documents may comprise the list of critical sectors and sub-sectors.
Table 1. The breakdown of CI by sector in the French Republic. Source: Own compilation based on the Decree of 2 June 2006 on establishing a list of sectors of vital importance and appointing the coordinating ministers of the said sectors (Décret du 2 juin 2006 fixant la liste des secteurs d’activités d’importance vitale).

| Sector | Minister–Coordinator |
|---|---|
| Government administration | Minister of the Interior |
| Judicial system | Minister of Justice |
| State military activity | Minister of Defence |
| Food | Minister of Agriculture |
| Electronic communications and information transmission | Minister competent for electronic communications |
| Energy | Minister of Industry |
| Space research | Minister competent for research |
| Finance | Minister of the Economy and Finances |
| Water management | Minister of Ecology |
| Industry | Minister of Industry |
| Health | Minister of Health |
| Transportation | Minister of Transport |
Table 2. The breakdown of CI by sector in the United States of America. Source: Own compilation based on the Homeland Security Presidential Directive-7 of December 17, 2003 on Critical Infrastructure Identification, Prioritization, and Protection.

| Sector | Competent agency |
|---|---|
| Chemical industry | Department of Homeland Security |
| Business facilities | Department of Homeland Security |
| Lock gates | Department of Homeland Security |
| Emergency services | Department of Homeland Security |
| Nuclear | Department of Homeland Security |
| Defense industry | Department of Defense |
| Agriculture and food | Department of Agriculture; Department of Health and Social Services (for food other than poultry, meat, and egg products) |
| Telecommunications and information technologies | Bureau of ICT Protection and Telecommunications |
| Energy | Department of Energy |
| Banking and finance | Department of the Treasury |
| Water (including wastewater discharge) | Environmental Protection Agency |
| National heritage | Department of the Interior |
| Postal services | Transportation Security Administration |
| Health | Department of Health and Social Services |
| Transportation | Transportation Security Administration; United States Coast Guard (maritime transport) |
| Government facilities | Immigration and Customs Enforcement; Federal Protective Service |
Table 3. The breakdown of CI by sector in the Kingdom of the Netherlands. Source: Own compilation based on the report published in 2005 by the Ministry of the Interior and Kingdom Relations entitled Protection of Critical Infrastructure.

| Sector | Competent Minister |
|---|---|
| Energy | Minister of Economic Affairs |
| Telecommunications and information technologies | Minister of Economic Affairs |
| Drinking water supply | Minister of Housing, Spatial Planning and the Environment |
| Chemical and nuclear industry | Minister of Housing, Spatial Planning and the Environment |
| Food | Minister of Agriculture and Food Quality |
| Health | Minister for Health and Sport |
| Finance | Minister of Finance |
| Public order and safety | Minister for the Interior; Minister of Defence; Minister of Foreign Affairs |
| Public administration | Minister for the Interior; Minister of Defence; Minister of Foreign Affairs |
| Legal order | Minister of Justice |
| Dams and surface water management | Minister of Transport, Public Works and Water Management |
| Transportation | Minister of Transport, Public Works and Water Management |
Table 4. The breakdown of CI by sector in the United Kingdom of Great Britain and Northern Ireland. Source: Own compilation based on Strategic Framework and Policy Statement on Improving the Resilience of Critical Infrastructure to Disruption from Natural Hazards, 2010.

| Sector | Competent authority |
|---|---|
| Energy | Minister of Energy and Climate Change |
| Communications | Minister of Business, Innovation and Skills; Minister of Culture, Media and Sport |
| Water | Minister of Environment, Food and Rural Affairs |
| Food | Minister of Environment, Food and Rural Affairs; Food Standards Agency |
| Health | Minister of Health and Sport |
| Finance | Chancellor of the Exchequer |
| Emergency services and health protection | Home Secretary; Secretary of State for Health; Secretary of State for Communities and Local Government |
| Public administration | Cabinet Office; Secretary of State for Communities and Local Government |
| Transportation | Minister of Transport |
In addition, as part of the “top-down” approach, the authors of the guidebook “Good practices manual for CIP policies for policy makers in Europe” offer three methods for differentiating CI from other infrastructures. Firstly, the service-based method uses criteria for specifying the level of service required, e.g. the number of Megawatts delivered. Secondly, the operator-based approach focuses on identifying critical operators, who subsequently determine which specific assets (services) are part of CI. Thirdly, the asset-based approach uses elements of both methods described above.44
44 Good practices manual…, op. cit., p. 16.
What is common to the “bottom-up” and “top-down” approaches is the use of criteria. An attempt to determine CI solely on the basis of confronting it with its definition, especially given the universal character of such definitions, would be laden with too much uncertainty as to the final outcome. Therefore, the most frequently applied are cross-cutting criteria that refer to the consequences of either the destruction or the disruption of the functioning of a given facility, service or operator. These criteria usually correspond to the definition of CI45 and the state’s engagement domains indicated therein, as well as the state’s capability to respond to the consequences of the destruction or disruption of CI.
Other measures applied are sectoral criteria, which serve, as mentioned earlier, to determine the level of demand for a given service or to specify thresholds for the preliminary selection of infrastructure in a given sector, thus lowering the number of potential CIs in the long term. Both cross-cutting and sectoral criteria can be expressed quantitatively (numerically) or qualitatively (descriptively). The advantage of quantitative criteria is their objectivity, while their biggest disadvantage is their lack of flexibility, which can lead to sub-threshold, yet critical, assets being overlooked in the selection phase. Conversely, the advantage of qualitative (descriptive) criteria is their greater sensitivity to seemingly negligible details that are impossible to quantify. Their main drawback, however, lies in the description tending to leave too much room for interpretation, making it impossible for the participants in the identification process to reach an agreement on the infrastructure assessment.
In practice, to compensate for potential errors in the identification of CI, a combination of both types of criteria and both ways of presenting them is used. This, however, fails to resolve one of the most serious problems in the identification process, i.e. the lack of access to credible information with which to compare the value of an assumed parameter against a threshold. This refers predominantly to cross-cutting criteria, presented both quantitatively and qualitatively. In practice, if no data on historical events are available, the verification of whether criteria are met is based, out of necessity, on estimates that are more or less erroneous. What we often cannot determine, however, is how erroneous these estimates are.
In Poland, a “top-down” approach was used to identify CI, focusing on services provided by the systems of infrastructure cited in the definition of CI.46 Where possible, both sectoral and cross-cutting quantitative criteria as well as the definition of CI were applied. As set out in the NCIPP, the procedure for identifying CI involves:47
1. In phase one – systemic criteria relevant for a given CI system should be applied to the system’s infrastructure in order to make the initial selection of objects, installations, facilities and services that could potentially be considered CI in that system
45 In the case of countries which do not use definitions, the cross-cutting criteria refer to assumed values that are subject to protection.
46 Article 3(2) of the Act of 26 April on Crisis Management mentions the following critical systems: energy, fuel and energy resources supply,
communication, Information and Communication Technology networks, financial, food and water supply, health care, transportation,
emergency services, systems ensuring the continuity of public administration activities; systems for production, storage and use of chemical
and radioactive substances including pipelines transporting dangerous substances.
47 The National Critical Infrastructure…, op. cit. pp. 11–12.
2. In phase two – the definition included in Article 3(2) of the Act on Crisis Management should be applied to the infrastructure identified in phase one in order to investigate whether an object, facility, installation or service is critical for the security of the state and its citizens, and whether it serves to ensure the smooth functioning of public administration bodies, including public institutions and companies
3. In phase three – in order to assess the potential consequences of the destruction or incapacitation of potential CI, cross-cutting criteria should be applied to the infrastructure identified in phases one and two. It is required, however, that the potential CI meet at least two cross-cutting criteria.
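The three-phase procedure above, together with the earlier remark that rigid quantitative sectoral thresholds can drop sub-threshold yet critical assets, can be modelled as a simple filter pipeline. The following Python is an example added here by the editor; it is not code from the report, the NCIPP or the Act. The threshold values, the criterion names, the asset inventory and the reduction of the Article 3(2) definition test to a single yes/no flag are all constructed assumptions for illustration; the report only states that sectoral criteria set thresholds such as megawatts delivered and that a potential CI must meet at least two cross-cutting criteria.

```python
"""Worked model of a three-phase CI identification procedure:
phase one sectoral threshold, phase two definition test, phase three
cross-cutting criteria (at least two must be met).

Added example, not code from the report or the NCIPP. All thresholds,
criterion names and assets below are constructed illustrations."""
from dataclasses import dataclass

# Phase one: one quantitative sectoral (systemic) threshold per CI system.
# Hypothetical values: (parameter name, minimum value to pass).
SECTORAL_THRESHOLDS = {
    "energy": ("capacity_mw", 500),          # e.g. megawatts delivered
    "water": ("population_served", 100_000),
}

# Phase three: cross-cutting criteria as consequence thresholds.
# Hypothetical names and values, modelling the report's statement that
# these criteria refer to the consequences of destruction or disruption.
CROSS_CUTTING = {
    "casualties": 10,
    "economic_loss_mln": 50,
    "affected_population": 50_000,
    "restoration_days": 7,
}
MIN_CROSS_CUTTING_MET = 2   # stated in the text: at least two criteria


@dataclass
class Asset:
    name: str
    sector: str
    measures: dict                  # sectoral parameters, e.g. {"capacity_mw": 600}
    serves_state_or_citizens: bool  # phase two: the definition test, reduced to a flag
    consequences: dict              # estimated consequences of loss (often estimates)


def meets_sectoral(asset: Asset) -> bool:
    """Phase one: does the asset clear its sector's quantitative threshold?"""
    param, minimum = SECTORAL_THRESHOLDS[asset.sector]
    return asset.measures.get(param, 0) >= minimum


def meets_definition(asset: Asset) -> bool:
    """Phase two: is the asset key for the security of the state and its
    citizens or for the functioning of public administration?"""
    return asset.serves_state_or_citizens


def cross_cutting_met(asset: Asset) -> list:
    """Phase three: names of the cross-cutting criteria whose threshold is reached."""
    return [c for c, limit in CROSS_CUTTING.items()
            if asset.consequences.get(c, 0) >= limit]


def identify_ci(assets):
    """Run the three phases in order. Returns (identified, rejected_at), where
    rejected_at maps an asset name to the phase in which it dropped out."""
    identified, rejected_at = [], {}
    for a in assets:
        if not meets_sectoral(a):
            rejected_at[a.name] = 1
        elif not meets_definition(a):
            rejected_at[a.name] = 2
        elif len(cross_cutting_met(a)) < MIN_CROSS_CUTTING_MET:
            rejected_at[a.name] = 3
        else:
            identified.append(a.name)
    return identified, rejected_at


def sub_threshold_but_critical(assets):
    """The failure mode the text warns about: assets a rigid quantitative
    sectoral threshold drops in phase one although they would pass the
    definition test and the cross-cutting criteria. Worth a manual review."""
    return [a.name for a in assets
            if not meets_sectoral(a) and meets_definition(a)
            and len(cross_cutting_met(a)) >= MIN_CROSS_CUTTING_MET]


# Constructed inventory; none of these are real facilities.
SAMPLE_ASSETS = [
    Asset("Plant A", "energy", {"capacity_mw": 900}, True,
          {"casualties": 0, "economic_loss_mln": 120,
           "affected_population": 400_000, "restoration_days": 14}),
    # Small plant that is the sole supply of an isolated district.
    Asset("Plant B", "energy", {"capacity_mw": 60}, True,
          {"casualties": 0, "economic_loss_mln": 55,
           "affected_population": 70_000, "restoration_days": 30}),
    # Large unit serving one private industrial site only.
    Asset("Cogeneration C", "energy", {"capacity_mw": 650}, False,
          {"casualties": 0, "economic_loss_mln": 80,
           "affected_population": 0, "restoration_days": 10}),
    Asset("Waterworks D", "water", {"population_served": 150_000}, True,
          {"casualties": 0, "economic_loss_mln": 5,
           "affected_population": 150_000, "restoration_days": 2}),
]

if __name__ == "__main__":
    found, dropped = identify_ci(SAMPLE_ASSETS)
    print("identified as CI:", found)
    print("rejected (name -> phase):", dropped)
    print("sub-threshold yet critical:", sub_threshold_but_critical(SAMPLE_ASSETS))
```

Running it on the constructed inventory identifies only Plant A as CI, rejects Plant B in phase one, Cogeneration C in phase two and Waterworks D in phase three, and separately lists Plant B as a sub-threshold asset that would otherwise qualify: the report's argument for combining quantitative thresholds with qualitative review.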
It needs to be noted that, despite the concentration on services provided by infrastructure, it is mostly specific, physical objects that have made it onto the uniform list of assets, installations, facilities and services comprising CI. Facilities that are managed by specific owners and have a definite location allow a still young system of CI protection to be implemented easily. Given Polish conditions, the practice postulated (and exercised) by some countries (e.g. France) of indicating entire systems (e.g. the power system) or even processes as CI currently appears too sophisticated. A system (process) understood as, e.g., a supply chain can be implemented in numerous locations and have multiple owners. It would generate specific problems, also of a legal nature. The issue of dependencies and co-dependencies is similarly problematic. Currently, it is much easier to determine them for a specific physical resource than for a system or process. It is quite plausible, however, that with the development of the CI protection system and the maturity of its participants, a change will occur in this area.
Having defined and identified CI, the next step is to ensure its protection. There are at least two methods of protecting CI: procedural and structural. The procedural approach involves establishing a system to protect these facilities. This solution can take two forms: mandatory or voluntary participation in the protection system. The structural method assumes lowering the criticality of infrastructure. This effect can be achieved either by further enlarging infrastructure in order to create purposeful superfluity (redundancy) or by bringing selected infrastructure geographically closer to citizens.48 The concept of “bringing closer” the infrastructure assumes that an individual citizen or smaller groups of citizens have access to infrastructure that allows them to be independent of services provided by a more distant infrastructure. Hence, from the point of view of the state, some services could become less critical, as this group of citizens would become more resilient and independent of CI. This model increases the possibility of a response by the civil service to a disruption of a closer infrastructure and creates a situation in which the number of citizens affected at any time is radically lower. Examples of such infrastructure could be individual renewable energy sources (solar, wind) or on-site wastewater treatment systems. The concept assumes that, in towns and densely populated areas, local and district infrastructures are built to serve a smaller number of residents at a time.49 In both infrastructure protection models, the challenge lies in
48 M. Bennett, V. Gupta, op. cit.
49 It was once suggested that a biogas plant should be built in every Polish town. This idea, regardless of its political aspects, fits in perfectly with the above-mentioned concept and should be considered an interesting voice in the discussion about the means to enhance the resilience of both the state and its citizens to crisis situations. We also disregard the fact that in a mutually connected infrastructure system, a change in only one of them is likely to shift the threshold of “criticality” in another system.
24
Maciej Pyznar, Grzegorz Abgarowicz – the Government Centre for Security
nding an answer to the question of who should be implementing specic solutions and at
the same time take on the nancial burden. Does the responsibility for ensuring civil protec-
tion against the consequences brought about by the disrupted CI lie within entities that either
own or manage the infrastructure, or is it the responsibility of the state?
In Poland, a draft bill on crisis management was produced by drawing on experiences and
examples of countries in which the building of the infrastructure protection system that was
key to the security of the citizens and the functioning of the state had begun earlier, namely
the United States of America, the United Kingdom of Great Britain and Northern Ireland, the
Kingdom of the Netherlands, the French Republic and the Federal Republic of Germany. The
common characteristics of the CI protection system in the above-mentioned countries include:
• criteria-based identification of CI and appointing its owner or operator as the entity responsible for its protection
• division into sectors (products or services) that are critical for the functioning of the state, society and economy
• identification of administrative bodies responsible for the coordination of activities in a given sector
• the necessity to develop facility protection plans by either a CI owner or manager
• the cooperation between CI owners, operators and competent authorities responsible for both the coordination of activities in a given sector and civil protection and crisis management.
Taking into account Poland’s specific character and legal culture, a regulatory solution has been chosen that puts particular emphasis on the procedural method and mandatory participation in the CI protection system. In other words, the provisions of the Act on Crisis Management explicitly impose an obligation on CI owners as well as sole and dependent proprietors to protect CI, to draw up protection plans and to appoint a person responsible for contacting the administration. In turn, the regulation of 30 April 2010 on Critical Infrastructure Protection Plans50 specifies in detail the contents of plans as well as the procedure and schedule for their negotiation and authorisation (this mechanism allows administrative bodies to have a real influence on the contents of plans and on the security system of a specific CI facility). This solution is based on the French model51, which assumes
• appointing a CI operator and its obligation to protect it
• the obligation to draw up the Operator Security Plan
• sanctions for CI operators who fail to execute the imposed obligations
• the obligation imposed on the public administration to draw up an External Security Plan
(originally, the Act on Crisis Management imposed an obligation to draw up the National
Critical Infrastructure Protection Plan (NCIPP) as well as Provincial Critical Infrastructure
Protection Plans (PCIPP))
• specifying which sectors are considered critical due to their key importance to social and
economic processes
50 Regulation of the Council of Ministers of 30 April 2010 on Critical Infrastructure Protection Plans (Journal of Law, No. 83, item 542).
51 More about the French system and the systems used in other European countries in: Study: Stock-Taking Of Existing Critical Infrastructure
Protection Activities, http://ec.europa.eu/energy/infrastructure/studies/doc/2009_10_stock_taking.pdf, [accessed: 08/04/2014].
However, in contrast to the solution implemented in France and in the Act of 22 August 1997 on the protection of people and property52, no sanctions have been envisaged for failure to fulfil the obligations specified. The effectiveness of the sanction-based solution appears to be unsatisfactory. The repressive character of this approach has its side-effects, namely a deep reluctance of executors towards the tasks imposed and, as a consequence, attempts by them either to evade the execution of imposed obligations or to perform them at minimal cost. On the other hand, it forces the administration to build structures whose aim is to conduct control activity and proceedings in case of breaches of obligations. This denotes a necessity to employ highly qualified workers, which poses a serious challenge in the area of protection and incurs significant financial outlay. The assumption that underpinned the Polish approach was that an increase in the effectiveness of CI protection could only be achieved through operators’ activity being supported by the capacity and potential of public administration. At the same time, it was based on a belief that motivation53 to sustain business continuity is a more effective tool than sanctions for achieving a high level of protection.54 CI operators are equipped with the best knowledge and tools to diminish the threats that affect their activity. They are also capable of making the shrewdest choice of strategy to minimise the effects of these threats. This approach does not envisage sanctions for failure to fulfil the obligations specified in the Act. The absence of sanctions is not, however, tantamount to the absence of responsibility. Owners, sole and dependent proprietors who consciously fail to fulfil their obligation to protect CI expose their employees and other people to a direct risk of losing their lives or suffering severe health consequences as a result of a disrupted functioning of CI, and may be subject to punishment of imprisonment for up to 3 years (Article 160, paragraph 1 of the Penal Code).
In 2009, an amendment to the Act on Crisis Management was made on the basis of the experience gathered in the period when the Act had been in force. In essence, the CI protection model has not changed significantly; however, the emphasis has been shifted towards the CI owners (managers). The obligation to develop the NCIPP and PCIPPs has been abolished; instead, a requirement to develop the National Critical Infrastructure Protection Programme, a document that consolidates the efforts for CI protection and helps both CI operators and the administration, has been introduced. Moreover, having adopted the principle of joint responsibility and the effectiveness of cooperation55, the amended Act divides the obligations resulting from the requirements of CI protection anew between the public administration and CI operators. The duties of operators include:
52 The Act of 22 August 1997 on the protection of people and property (Journal of Laws of 2005, No. 145, item 1221 with further amendments).
53 Motivation is a process that elicits, channels and sustains specific human behaviour amongst other, alternative forms of behaviour in order to achieve certain goals. One of the theories of work motivation developed by Douglas McGregor (Massachusetts Institute of Technology) assumes the existence of two contrasting sets of theories: X and Y. Theory X assumes that an average human being inherently dislikes work and will avoid it if they can. They will work only to satisfy their material needs. According to Theory Y, people are mostly creative, with great imagination and ingenuity. In appropriate conditions, such people are not only responsible but they also expect that they will be given responsibility for performing a task or doing work. According to McGregor, external motivating conditions such as reward and punishment lower intrinsic motivation. This is due to a change in the perception and placement of the reasons for action (outside rather than inside the subject) as well as a weakened sense of authorship associated with it and a limited personal impact on the situation.
54 Disclosed incidents of security breaches seem to corroborate the fact that the existence of sanctions does not warrant the effectiveness of the system that is supposed to protect key assets: Bełchatów, 3 July 2007: Greenpeace activists trespassed on the premises of the power plant and climbed a cooling tower on which they painted “Stop CO2”; Konin, 3 December 2008: environmental activists trespassed on the premises of the power plant, climbed a tower and started protesting against greenhouse gas emissions; France, 5 December 2011: Greenpeace activists burst into four nuclear power plants. In Nogent-sur-Seine, it took them only 15 minutes to get to the nuclear reactor. This diagnosis appears to be corroborated by the reports being submitted to the Government Centre for Security by plenipotentiaries for critical infrastructure protection, appointed as part of the implementation of the Act of 18 March 2010 on Specific Rights Vested in the Minister in Charge of State Treasury and the exercise of such powers in certain capital companies or capital groups conducting business activities in the electric power, crude oil and gas fuel sectors (Journal of Laws No. 65, item 404).
1. CI protection by means of preparing and implementing, in line with the foreseen threats,
critical infrastructure protection plans as well as maintaining own emergency systems that
ensure the security and sustain the functioning of this infrastructure until it is fully restored
(Article 6(5) of the Act) as well as
2. appointing a person responsible for maintaining contacts with entities competent for the CI
protection (Article 6(5a) of the Act).
Conversely, the administration is obliged to include tasks associated with CI protection in the
crisis management plans at every administrative level; in the case of levels below national,
those tasks can be included in the plans on condition that CI is located in the area covered
in the plans56. In addition, as part of the civil protection against the consequences associated
with critical infrastructure failures, it ensures there is a system of support for operators that
aims to shorten the time required to restore services (tasks, functions) being delivered by CI.
When analysing solutions adopted in Poland57, one can make an observation that they have
answered at least several earlier questions. Does this mean, however, that the adopted model
has proven successful? Currently, it is impossible to provide an unequivocal answer to the
posed question as there is still too little credible data at our disposal. The experiences of the
Government Centre for Security are promising, but the real test will be the quality evaluation
of CI protection plans that have just started pouring in for authorisation.
Summary
Today, it is impossible to imagine our life without the surrounding infrastructure and the solutions it carries with it. Bringing technical novelties practically on a daily basis, the pace of technological development has ceased to surprise us, while the resulting popularity and usefulness of services have made us addicted to them. However, the questions that man has to answer in the 21st century are not whether these changes are reasonable, but how to survive in a technology-saturated world, and how to enjoy the achievements of modern times and at the same time not fall prey to them.58 Becoming aware of new threats, man increasingly turns to the state with expectations to reduce the risk of their occurrence. Due to the immensity of infrastructure and its cross-border and ubiquitous character, it is states and international organisations that are predisposed to take on this responsibility. One of the tools that allows us, at least partially, to control the threats is the concept of CI. Reducing the risk of a situation where the services supplied become dysfunctional was possible thanks to drawing attention to sensitive elements in the human environment and determining their specific traits, which, in consequence, led to the creation of dedicated solutions.
55 More in: The National Critical Infrastructure…, op. cit.
56 Article 5, Paragraph 2(3)(k) and (l) of the Act on Crisis Management.
57 More in: the Act of 26 April 2007 on Crisis Management (Journal of Laws of 2013, item 1166) along with executive orders and the National Critical Infrastructure Protection Programme.
58 According to Bennett and Gupta, the disruption of a centralised infrastructure may have far greater consequences than the primary threats.
Every solution has its limitations, including those adopted in Poland. Despite the very recent implementation of the Act on Crisis Management, Poland has a complementary and widespread CI protection system. The deliberations presented in this chapter show unambiguously that much has been done already, but there is still a lot of work ahead of us.
In the case of Poland, it is also worth considering supplementing the definition of CI so that it leaves no room for doubt as to whether it encompasses virtual (information) infrastructure, e.g. collections of information from databases. In the definition currently in force, the systems and the mutually bound functional objects contained therein, including constructions, facilities, installations and services, are not unequivocally indicated.
Therefore, we need to pursue the abandonment of sectoral criteria, as postulated in the National Critical Infrastructure Protection Programme, thus bringing it closer to the “bottom-up” approach. Taking into account the difficulties in applying this approach, local administrative units and CI operators should be encouraged to engage in the identification of CI as part of the currently binding procedure. This would minimise the possibility of ignoring CI that fails to meet the criteria.
In order to obtain information and historical data about the effects of infrastructure disruptions that have occurred, it would be advisable to tighten the cooperation between local administrative units, CI operators and other entities (e.g. market regulators), organisations (e.g. non-governmental), services and guards, which would allow the criteria to be more adequately calibrated, thus making them better suited to real conditions.
If the currently applied, voluntary approach to cooperation turns out to be ineffective, a more formalised solution based on compulsory collaboration with the Government Centre for Security should be considered.
2. Legal determinants of critical infrastructure protection
Agnieszka Wiercińska-Krużewska, Piotr Gajek – WKB Wierciński, Kwieciński, Baehr
Legislation regarding critical infrastructure (CI) protection has been embedded in numerous legal acts of statutory and sub-statutory rank, encompassing various areas related to the functioning of the state1. Although these acts do not apply directly to CI, an analysis of the terminology used, including terms referring to facilities, demonstrates that the meaning they convey is often similar, if not identical2. This applies to such fields of activity as telecommunications, fuel and power production and trade, the performance of defence-related tasks by entrepreneurs, strategic reserve accumulation, the rights vested in the minister in charge of State Treasury, and the protection of persons and property3. The above cited examples corroborate the fact that the formal and legal conditions for CI protection existed before 26 April 2007, when the Act on Crisis Management4 (the Act) was adopted.
The Act introduced the concept of CI and comprehensively regulated the issue of CI protection. As set out in the Act, CI shall be understood as systems and the mutually bound functional objects contained therein, including constructions, facilities, installations and services of key importance for the security of the state and its citizens, as well as serving to ensure the efficient functioning of public administration authorities, institutions and enterprises (Article 3(2) of the Act). In total, CI comprises 11 systems (facilities and installations) that are indispensable for sustaining the basic functioning of the economy and the state, namely
• energy, energy resources and fuel supply
• communication
• Information and Communication Technology networks
• financial systems
• food supply
• water supply
• healthcare
• transportation
• rescue
• systems ensuring the continuity of public administration activities
• systems for production, storage and use of chemical and radioactive substances, including pipelines transporting dangerous substances.
1 The following legal acts can be quoted as examples: the Act of 22 August 1997 on the protection of persons and property; the Act of 23 August 2001 on the organisation of tasks for the defence of the state being executed by entrepreneurs; the Act of 16 July 2004 Telecommunications Law; the Act of 10 April 1997 Energy Law; the Act of 9 June 2011 Geological and Mining Law; the Act of 3 July 2002 Aviation Law; the Act of 29 October 2010 on strategic reserves; the Act of 18 March 2010 on specific rights vested in the Minister in charge of State Treasury and the exercise of such powers in certain capital companies or capital groups conducting business activities in electric power, crude oil and gas fuel sectors; regulation of the Council of Ministers of 24 June 2003 concerning facilities of particular importance to the defence and security of the state and their particular protection. Since a detailed discussion of the above identified legal acts goes beyond the scope of the present study, it presents the legal conditions resulting in particular from the Act of 26 April 2007 on Crisis Management.
2 W. Lidwa, W. Krzeszowski, W. Więcek, P. Kamiński, Ochrona Infrastruktury krytycznej [Critical Infrastructure Protection], National Defence University of Warsaw, Warsaw 2012, p. 37.
3 K. Stec, Wybrane prawne narzędzia ochrony infrastruktury krytycznej w Polsce [Selected legal instruments for protecting critical infrastructure in Poland], Bezpieczeństwo Narodowe 2011, no 3, pp. 181–197.
4 The Act of 26 April 2007 on Crisis Management (Journal of Laws of 2013, item 1166).
CI protection should be understood as activities aiming to ensure the functionality, continuity and integrity of CI in order to effectively counteract threats, risks and weaknesses as well as to curtail and neutralise their effects; it also assumes taking swift action to reconstruct the infrastructure in the event of a failure, attack or any other event that disturbs its normal functioning.
In order to implement the assumptions underlying the Act, the entity in possession of CI should actively seek to maintain it in a proper condition and protect it against damage and against people who could compromise the safety of the state. These entities should also make investments to continuously enhance CI and its state.
Activities of CI owners should be centrally coordinated not only when a threat occurs, but also when duties related to CI maintenance ensuring the performance of tasks by the state in crisis situations are executed.
Since CI protection is one of the state’s priorities, the state should introduce mechanisms allowing for
• monitoring and updating the list of CI’s components
• establishing mutual relationships between the components of CI
• establishing mutual relationships between the CI administrators
• launching initiatives for CI protection
• running educational campaigns to raise awareness of the role of CI in ensuring the security of the state
• supporting CI owners by participating in the costs of CI construction, maintenance and protection.
The absence of the above-said mechanisms may lead to poor knowledge about the importance of CI for the security of the state, chaos when coordinating activities, and reluctance of private entities to cover the CI-related costs.
Only the development of a suitable support system for entities participating in CI maintenance warrants the creation of an effective system of sanctions. The support elements provided to these entities should include:
• a formal platform for exchanging experiences and knowledge about CI protection
• a public-private partnership
• special-purpose funds
• facilitating the use of legal acts, e.g. the use of the Public Procurement Act
• activities aimed at supporting the self-regulation of enterprises in possession of CI with regard to the flow of information and incurring financial outlay on CI protection and maintenance.
The Supreme Audit Office (Najwyższa Izba Kontroli, NIK) has, on several occasions, audited various government bodies and their performance of the duties imposed by the Act (the latest audit results by NIK are dated 20 June 2013). Audits conducted by NIK have demonstrated a number of irregularities concerning the implementation of the statutory tasks since the Act entered into force and, in particular, since its amendment. NIK concluded that CI protection is to a large extent based on ad hoc activities. According to NIK, the creation of an effective CI protection system will take time to complete, taking into account the necessity to update crisis management plans regarding the implementation of CI-related tasks at the ministerial and provincial levels as well as the need for operators to develop protection plans for individual CI facilities.
The conclusion drawn by NIK is valid, but the cause appears to lie elsewhere than in the lack of regulation and of a basis to carry out further work. The necessary framework was created in 2013 with the emergence of the “National Critical Infrastructure Protection Programme”.
The European Union Level
The European programme for critical infrastructure protection / Directive
The Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (Directive)5 is the backbone of the European Programme for Critical Infrastructure Protection (EPCIP). This document introduces into EU law, for the first time, definitions of CI, European Critical Infrastructure (ECI) and CI protection, and the concept of the ECI owner (operator). The main purpose of this legal act is to establish the means to identify and designate ECI as well as to define the fundamental duties imposed on the Member States (and indirectly on CI owners) with regard to ECI protection.
The Directive already clearly emphasises that “the primary and ultimate responsibility for protecting ECIs falls on the Member States and the owners/operators of such infrastructures” and that, “given the very significant private sector involvement in overseeing and managing risks, business continuity planning and post-disaster recovery, a Community approach needs to encourage full private sector involvement”. At the same time, the Directive points to the ICT sector as a future priority in the area of CI protection. The European Commission itself devotes plenty of attention to this sector6, which is reflected in the documents it issues, including
• Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Critical Information Infrastructure Protection “Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience”7 (Communication)
• Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Critical Information Infrastructure Protection “Achievements and next steps: towards global cyber-security”8 and
• proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union.9
5 OJ of the EU of 23 December 2008, L 345/75.
6 T. Szewczyk, Europejski program ochrony infrastruktury krytycznej [The European programme for critical infrastructure protection], Przegląd Bezpieczeństwa Wewnętrznego 6/12, pp. 157–168.
It is necessary to indicate that neither the Directive nor any of the remaining documents
mentioned above contain any direct regulations regarding legal instruments that Member
States could use to encourage private sector entities to participate actively in CI protection
initiatives.
ENISA – a public-private partnership
In parallel to EPCIP, activities are carried out in line with the plans included in the Communication, where it was emphasised once again that although the ultimate responsibility for defining the CII (Critical Information Infrastructure) policy lies with Member States, its implementation relies essentially on the engagement of the private sector, which either owns or controls a large number of CIIs. On the other hand, markets do not always sufficiently incentivise the private sector to invest in the protection of CIIs at the level that would match the expectations of governments.10
In the Communication, it is said that “to address this governance problem public-private partnerships (PPPs) have emerged at the national level as the reference model. However, despite the consensus that PPPs would also be desirable on a European level, European PPPs have not materialised so far. A Europe-wide multi-stakeholder governance framework, which may include an enhanced role of ENISA11, could foster the involvement of the private sector in the definition of strategic public policy objectives as well as operational priorities and measures. This framework would bridge the gap between national policy-making and operational reality on the ground”.12
In order to support models promoting cooperation based on PPP, ENISA has issued a guide on the effectiveness of good practices in this area (the Guide). The Guide demonstrates that
• state authorities lack the sufficient financial resources that are indispensable for providing effective CI protection
• ensuring such protection requires mechanisms to be created to allow for engaging the private sector.13
7 COM (2009) 149 final, 30/03/2009.
8 COM (2011) 163 final, 31/03/2011.
9 COM (2013) 48 final, 07/02/2013.
10 COM (2009) 149 final, 30/03/2009, section 3.4.2.
11 European Union Agency for Network and Information Security.
12 COM (2009) 149 final, 30/03/2009, section 3.4.2.
13 ENISA, Cooperative Model for Effective Public Private Partnerships Good Practice Guide, 2011, p. 18.
It is precisely this document which for the first time has indicated premises that can be perceived as an indirect incentive to promote active collaboration between the private and public sectors for the protection of CI (as part of public-private cooperation), which involves
• the reduction of the risk of exposing CIIs to damage which generates costs for CI operators and owners
• the reduction of the administrative costs necessary to perform duties related to ensuring adequate standards of CII protection
• ensuring access to specialist knowledge on CII protection
• a significant impact on giving a final shape to the CI protection policy of Member States, including the formulation of the duties imposed in this respect on entities operating in the private sector (CI operators and owners).
The above premises should be treated as general assumptions intended to support Member States in implementing more concrete solutions that promote PPP nationally.
The National Level
The Act on Crisis Management
The Directive should have been implemented in the national legal orders by 12 January 2011. Poland has implemented the Directive by means of the Amendment to the Act of 26 April 2007 on Crisis Management14, which constitutes the principal legal act concerning CI protection. As mentioned in the introduction, independently of the Act, the Polish legislator has also included special provisions that indirectly concern the protection of CI in other legal acts regulating specific sectors of the economy, such as telecommunications15 and aviation16.
In the area of CI protection, the Act specifies tasks that include the collaboration between the public administration and the owners and operators of sole and dependent CI objects, installations, and facilities. The Act requires the CI owners and operators of sole and dependent CI objects, installations and facilities to protect them through the preparation and implementation, proportionally to projected threats, of CI protection plans as well as the maintenance of their own backup systems ensuring security and sustaining the functioning of this infrastructure until full reconstruction. On the other hand, the government (the Council of Ministers) was required to adopt “The National Critical Infrastructure Protection Programme” (NCIPP, Programme). The Programme was adopted on 26 March 2013.
At the same time, it needs to be noted that, similarly to legal acts at EU level, Polish legislation does not introduce any concrete regulations that could be directly classified as instruments incentivising the private sector to systematically enhance the standards of CI protection, which may impair the maintenance and development of CI. Also in this case, such instruments can potentially be found in “lean” documents.
14 The Act of 29 October 2010 on Amendment to the Act on Crisis Management (Journal of Laws of 2010, No. 240, item 1600).
15 The Act of 16 July 2004 Telecommunications Law (Journal of Laws of 2004, No. 171, item 1800).
16 The Act of 03 July 2002 Aviation Law (Journal of Laws of 2002, No. 130, item 1112).
The National Critical Infrastructure Protection Programme (NCIPP)
In the Programme, it is highlighted that the majority of CI is operated by private entrepreneurs, independent of the public administration. The Programme provides the framework for the collaboration of the public administration and CI operators in order to ensure the operational continuity of CI, thus protecting the economic and social foundations of our country. The Programme sets out mechanisms for the development of partnership relations between public administration and CI operators in the area of CI protection.17 Considering the above and the obligation imposed on the CI operators by the Act, the Programme also targets these entities, in particular their boards of directors. Every new CI operator automatically becomes a target recipient of the Programme. CI operators participate in the CI protection activities described in the Programme.
The Programme underscores that one of the key elements ensuring smooth and comprehensive protection of CI is the cooperation between the private and public sectors18 as well as intrasectoral collaboration, with particular emphasis being put on the cooperation between the representatives of individual systems within the private sector. An important element of this collaboration involves developing transparent principles and procedures to be used by the state authorities and services as well as the owners and operators of sole and dependent CI objects, installations and facilities.19 It needs to be emphasised, however, that the PPP20, within the meaning of the Programme (the scope of CI protection), specifies only the type of collaboration between public administration units and private entities, which may involve e.g. the exchange of information that can potentially affect the achievement of the NCIPP’s objectives. This partnership, however, does not provide for entering into any agreement on the basis of which a private partner would be paid to execute a project to the benefit of the public body.21
It is therefore justified to clearly distinguish the naming convention used to describe both forms of cooperation, i.e. the public-private cooperation as set out in the NCIPP, and the collaboration in the form of PPP within the meaning of the Act on Public-Private Partnership22 (the PPP Act). It appears that, apart from the cooperation set out in the NCIPP and understood as an information exchange process, the PPP within the meaning of the PPP Act could significantly supplement the system of CI protection. Further down this article, the public-private partnership within the meaning of the NCIPP will be referred to as “PPC”, whereas the public-private partnership within the meaning of the Public-Private Partnership Act will be referred to as “PPP”. Taking into account the fact that a discussion of the PPP exceeds the scope of the present publication, it will not be subject to detailed analysis in this article.
17 The National Critical Infrastructure…, op. cit. p. 6.
18 More on the prospects of the public-private cooperation in Poland can be found in Chapter 3: Effective public-private cooperation - success factors.
19 Government Centre for Security, http://rcb.gov.pl/?page_id=257, [accessed: 12/06/2014].
20 This refers to the public-private partnership (cooperation) as denoted in the National Critical Infrastructure..., op. cit. p. 33.
21 The National Critical Infrastructure…, op. cit. p. 33.
22 The Act of 19 December 2008 on Public-Private Partnership (Journal of Laws of 2009, No. 19, item 100).
Agnieszka Wiercińska-Krużewska, Piotr Gajek – WKB Wierciński, Kwieciński, Baehr
It appears, however, that the participation in the Programme should already be considered
as a form of an incentive for private sector entities to actively engage in cooperation for CI
protection. In particular, the entities would be strongly encouraged to actively engage in the
activities of the specialist PPC forum established for the purposes of the Programme.23 The key
objectives of such a forum would include
• the creation of a platform that facilitates the exchange of opinions and collaboration on
sensitive issues regarding CI protection
• submitting and developing new legislative solutions regarding CI protection
• the exchange of opinions and observations between interested parties at an early stage of
CI legislative work
• the organisation of workshops, seminars and conferences devoted to CI protection
• the creation of a database of professionals specialising in CI protection in various systems:
financial, communications, ICT networks, the supply of energy, energy resources and fuels, etc.
It appears that in such a scope, the PPC forum, created under the Programme, will to a large
extent replicate the fundamental assumptions defined in the Guide. As a consequence, it
will also become a vital instrument to motivate private sector entities to undertake activities
aiming to enhance standards for CI protection. The work done within the forum will contribute
to the creation of a database of professionals specialising in issues related to CI in various
systems: financial, communications, ICT networks, the supply of energy, energy resources and
fuels, etc. Such experts will cooperate with the government, e.g. during work undertaken on
the EU forum in order to discuss EU legislative proposals with the private sector. The estab-
lishing of a specialist database will accelerate the consultation process and at the same time it
will allow the members of the public administration to draw on external experience and
expertise where their own knowledge is insufficient.24
Hence, the entities participating in the forum will be able to
• conduct an active dialogue on shaping the principles of CI protection
• exert an inuence on the shaping of nal solutions implemented in the above area, and
• consult experts on an ongoing basis.
It appears that the PPC forum could contribute to
• developing clear and transparent rules and procedures for action as well as the exchange
of information between state authorities and private partners
• developing uniform and compatible methods of collecting and processing information on
CI threats
• developing and implementing procedures to counteract CI threats when they occur
• identifying the means and mechanisms of CI protection and reconstruction
• developing optimal methods for ensuring the protection of data received from private
entities; maintaining backup systems
• developing procedures to prevent disturbances in the functioning of CI as well as to prepare
CI for crisis situations that may adversely affect it.
23 More on the management methodology, organisational structure, financing and communication within such fora can be found in Chapter 4:
The methodology of governing collaboration forums for critical infrastructure protection.
24 Government Centre for Security, http://rcb.gov.pl/?page_id=257, [accessed: 12/06/2014].
In order to perform the above presented tasks and achieve expedient results, it is necessary
to undertake a number of educational, planning, coordinating and legislative activities. In the
first instance, it is the Government Centre for Security that should undertake these activities.
Given that the NCIPP was only developed in March 2013 (a delay criticised, for instance, by the
Supreme Audit Office), it is difficult to estimate whether these activities will be undertaken
expeditiously. In accordance with the information made public by the Government Centre for
Security, the list of infrastructure elements has been created and is being updated. However,
since access to it is heavily restricted, it is difficult to assess its completeness. Currently, the
very fact of establishing the Programme and creating the list of CIs allows further work to
begin that would regulate in detail the mechanisms of effective
CI management and protection.
Financing CI protection activities in Poland
The Programme emphasises that activities related to the protection of CI are funded from the
own resources of the Programme participants and planned in their budgets (in the case of CI
operators this is regulated under Article 6 of the Act). Neither the Programme nor the Act
directly indicates that CI owners and operators can seek refinancing of the costs incurred for CI
from the state budget or the EU.25
Amongst the instruments used to indirectly finance activities related to CI protection, the
Programme mentions the Council Decision of 12 February 2007 establishing for the period 2007
to 2013, as part of the General Programme on Security and Safeguarding Liberties, the Specific
Programme “Prevention, Preparedness and Consequence Management of Terrorism and other
Security related risks”26 (CIPS). The aim of the CIPS was to provide financial support from the EU
budget for activities undertaken, inter alia, in the area of CI protection such as
• stimulating, promoting and supporting risk assessments of CI in order to upgrade security
systems
• stimulating, promoting and supporting the development of methodologies for the protec-
tion of CI, particularly the risk assessment methodologies
• promoting and supporting the development of security standards as well as the exchange
of know-how and experiences regarding the protection of people and CI
• promoting and supporting the Community-wide coordination and cooperation on the
protection of CI.
At the same time, entities from the private sector could also become beneficiaries
of CI protection projects under CIPS by applying for suitable funding of initiatives that are
consistent with the fundamental objectives of the programme. The CIPS programme was
established for the period from 1 January 2007 to 31 December 2013; currently, it is supposed
to be partially replaced with the Internal Security Fund (ISF), a financial instrument designed to
support law enforcement cooperation and crisis management as well as to prevent and
combat crime.27
25 This issue was already highlighted in 2006 in the Study of the Ministry of Infrastructure; cf. R. Piwowarczyk, Ochrona Infrastruktury Krytycznej
[Critical Infrastructure Protection].
26 OJ of the EU of 24/02/2007, L 58/1.
27 Currently, work is under way on the Regulation of the European Parliament and of the Council aiming to set up a financial instrument
within the framework of the Internal Security Fund to support police cooperation, prevent and combat crime, and crisis management.
Amongst the potential indirect sources of financing for CI projects, CI operators may
apply to national operational programmes which use EU funds28 (the new Financial
Perspective 2014-2020) or to the EU-level financial instrument “Connecting Europe Facility”
(CEF).29 In terms of objectives related to telecommunications network infrastructure, the CEF
mentions, inter alia, the support of critical telecommunications infrastructures.
It needs to be noted that apart from information exchange on threats and broadly understood
public-private cooperation, a key question remains how to ensure that the private sector
takes action to protect the CI it owns which exceeds the basic measures involving exclusively
the protection of its own resources. A valid question that is being raised is who should be
responsible for the security of CI if the private sector is insufficiently motivated to invest in CI
security while the state does not undertake any initiatives in this area.30
What is being emphasised is that shareholders have little financial incentive to invest in the
security of CIs beyond their stake in a given organisation; hence, private entities support
investments in CI security only to the extent they find necessary and profitable. It seems therefore
that the market itself does not provide sufficient incentives to effectively protect CIs.31 For
instance, it is said that the necessity to reduce costs and ensure security in the energy industry
may lead to contradictory objectives in public policy and insufficient incentives for private
entities to invest in increased infrastructure protection.32 Moreover, given the threats we face
today, relying exclusively on best practices and internal regulation introduced by individual
sectors (self-regulation) may turn out to be insufficient.33
Introducing certain requirements in given sectors by private entities is a practice that allows
industry standards to be raised. Self-regulation is a means that enables minimum legal requirements
to be exceeded, but it can also strengthen the understanding of and conformity with the
currently binding provisions. In a competitive environment, intrasectoral cooperation proves
a strong incentive for enterprises to continually improve and raise standards in order to gain
market share. The voluntary introduction of such requirements by private entities spares the
state from having to impose obligations and responsibilities on them.
The above can also refer to the context of CI protection and security; therefore, private and
sector-specic entities that are in possession of CI should be encouraged to introduce self-
regulation in this regard.
Attention should be given to the need for developing additional, stronger incentives for a more
active engagement of the private sector in the protection of CI. Potential instruments that
the state can utilize to this end have been mentioned in Chapter 3 of the present report: tax
28 From the Cohesion Fund and the European Regional Development Fund in particular.
29 Connecting Europe Facility, http://ec.europa.eu/digital-agenda/en/connecting-europe-facility, [accessed: 12/06/2014].
30 P. Auerswald, L.M. Branscomb, T.M. La Porte, E. Michel-Kerjan, The Challenge of Protecting Critical Infrastructure, Risk Management and
Decision Processes Center, The Wharton School, University of Pennsylvania, Working Paper # 05-11, October 2005, p. 4.
31 S. Eckert, Protecting Critical Infrastructure: The Role of the Private Sector, Matthew B Ridgway Center for International Security Studies,
Pittsburgh, United States, 2005, p. 15.
32 CEPS, Task Force Report, Protecting critical infrastructure in the EU, Brussels 2010, p. 73.
33 Ibidem, p. 15.
incentives, subsidies (grants), insurance discounts, certification of companies, and preferential
loans. Incentives for “bottom-up” activities (self-regulation) undertaken by private entities from
individual sectors should also be introduced in order to develop and observe certain
standards and solutions for CI protection and security.
It appears that the eectiveness of the CI protection system would be considerably enhanced
if it comprised the above-mentioned elements, i.e. a broadly understood public-private coop-
eration (PPC) including information exchange, self-regulation of individual sectors, and scal
or parascal incentives.
The direction of changes concerning the CI protection requirements
The approach to CI protection so far has been predominantly based on voluntary cooperation
between the private and public sectors. In the new EU-level legal regulations, a shift
towards a regulatory approach can be observed. It is particularly true of the proposal for a
Directive of the European Parliament and of the Council concerning measures to ensure a high
common level of network and information security across the Union34 (the NIS Directive). The aim
of the proposed directive is to ensure a high common level of network and information security.
The work on the final version of this legal act is still in progress.
In the proposal of the NIS Directive, the European Commission adopted a regulatory (sanction-based)
approach, recognising that the voluntary approach followed so far had resulted
in diversified preparedness and limited collaboration. It was concluded that the current situation
in the EU, reflecting the purely voluntary approach, does not provide sufficient protection
against network and information security incidents and risks across the EU.
According to the Commission, it is highly unlikely that all Member States would achieve
nationally a comparable level of capabilities and preparedness, indispensable for enhancing
security, cooperation and the exchange of sensitive information at the EU level, by relying on
voluntary activities of the Member States and private entities.
As part of the regulatory option proposed in the NIS Directive, the competent national authorities
and CERTs are supposed to constitute an element of a collaborative network at the EU level.
Within this network, national authorities and CERTs would exchange information and collaborate
in order to combat threats and incidents affecting the security of networks and information in
accordance with the European cyber incident contingency plan and the European cooperation
plan that would need to be agreed upon by Member States. The Commission intends to put an
obligation on all Member States to have in place a minimum level of national capabilities (setting
up Computer Emergency Response Teams (CERTs), establishing competent authorities for NIS, and
adopting national contingency plans for cyber incidents and national cybersecurity strategies).
In the explanatory memorandum to the NIS Directive, it was pointed out that “the players
managing critical infrastructure or providing services essential to the functioning of our societies are
not under appropriate obligations to adopt risk management measures and exchange information
with relevant authorities. On the one hand, therefore, businesses lack effective incentives to conduct
serious risk management, involving risk assessment and taking appropriate steps to ensure NIS.”35
34 COM (2013) 48 final, 2013/0027 (COD) 7.2.2013.
For this reason, enterprises (with the exception of micro-enterprises) in specific critical sectors,
such as banking, energy (electricity and gas), transportation, health care, the infrastructure of key
Internet services, and public administrations, will be required to assess the risks they face and adopt
appropriate and proportionate measures to respond to real threats. Moreover, these entities would
be required to report to competent authorities those incidents that seriously compromise the operation
of their networks and information systems, thus having a significant impact on the continuity
of services and supply of goods which depend on network and information systems.36
The above approach is manifested in the proposed changes to the contents of Articles 14 and
15 of the NIS Directive (after amendments of the European Parliament37). In accordance with
Article 14, paragraphs 1–3:
“1. Member States shall ensure that market operators take appropriate and proportionate technical
and organisational measures to detect and effectively manage the risks posed to the security of the
networks and information systems which they control and use in their operations. Having regard to
the state of the art, those measures shall ensure a level of security appropriate to the risk presented.
In particular, measures shall be taken to prevent and minimise the impact of incidents affecting the
security of their network and information systems on the core services they provide and thus ensure
the continuity of the services underpinned by those networks and information systems.
2. Member States shall ensure that market operators notify without undue delay to the competent
authority or to the single point of contact incidents having a significant impact on the continuity of
the core services they provide.
a) In the event of gross negligence in security and safety, commercial software producers shall be
held liable despite user agreements containing absence of liabilities clauses.
3. The requirements under paragraphs 1 and 2 apply to all market operators (and software
producers) providing services within the European Union.”
In turn, according to Article 15(3) of the Proposal for a NIS Directive, “Member States shall ensure
that competent authorities have the power to issue binding instructions to market operators and
public administrations.”
35 Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high level of network and information
security across the Union, SWD(2013) 31 final 7.2.2013, p. 3.
36 Commission staff working document, Executive Summary of the Impact Assessment, Accompanying the document: Proposal for a Directive of
the European Parliament and of the Council concerning measures to ensure a high level of network and information security across the Union,
SWD(2013) 31 final 7.2.2013, pp. 4–6.
37 Report of the EP of 12 February 2014 on the Proposal for the Directive of the European Parliament and the Council concerning measures to ensure
a high common level of network and information security across the Union (COM (2013) 48 – C7-0035/2013 – 2013/0027(COD)).
The above cited proposals reaffirm the position of EU administrative bodies that “tentative,
voluntary measures do not work and there needs to be strong regulatory obligations on MS to
ensure harmonisation, governance and enforcement of European NIS”38; in addition, under the
proposed regulatory option “[...] the protection of EU consumers, business and Governments
against NIS incidents, threats and risks would improve considerably.”39
Although the above cited directive concerns only a specific area within CI, i.e. CI related to
network and information security, it cannot be ruled out that the regulatory (sanction-based)
approach will also be applied to the protection of CI in other areas in the future. Adopting
a “top-down” (regulatory) approach, the EU authorities concluded that a purely voluntary
“bottom-up” approach was insufficient to achieve the assumed objectives.
The question remains whether such methods of “incentivising” private entities actually
encourage them to act more actively in the area of CI protection or make them act minimalistically,
namely perform the duties imposed by law only to the extent that allows them to avoid
sanctions, while at the same time discouraging them from undertaking self-regulation activities.
The issue of public procurement in the context of CI protection
The provisions of the Act of 29 January 2004 on Public Procurement Law (Journal of Laws of 2013,
item 907 with further amendments, hereinafter “PPL”) do not directly address issues concerning
the occurrence of disruptions in the functioning of CIs.40 This does not mean, however, that PPL
does not contain provisions appropriate to extraordinary situations including failures, attacks, and
other events that can result in disruptions affecting the functioning, continuity and integrity of CI.
From the point of view of disturbances in the functioning of CI and in the context of the public
procurement system, the key issue is the possibility to efficiently award contracts of an interventional,
interim nature that allow a formalised and time-consuming procedure to be
circumvented. From the data published by the President of the Public Procurement Office, it
transpires that in 2012 (data for 2013 have not been published yet), the average duration of the
public procurement procedure (counted from the date of publication of the contract notice)
conducted as open tendering and restricted tendering amounted to
• in the case of proceedings conducted in compliance with a national procedure (with value
below the EU thresholds):
• 31 days for open tendering
• 60 days for restricted tendering
38 The opinion of the European Economic and Social Committee on the Proposal for the Directive of the European Parliament and the Council
concerning measures to ensure a high common level of network and information security across the Union, COM (2013) 48 final – 2013/0027
(COD), 22 May 2013.
39 Commission staff working document. Executive Summary of the impact assessment, Accompanying the document Proposal for a Directive of
the European Parliament and of the Council concerning measures to ensure a high level of network and information security across the Union,
SWD (2013) 31 final 7.2.2013, p. 8.
40 As a side note, it needs to be noted that the Act on Crisis Management does not refer to PPL provisions either.
• in the case of proceedings conducted in compliance with an EU procedure (with value exceeding
the EU thresholds):
• 86 days for open tendering
• 112 days for restricted tendering.
It is quite obvious that if a contracting entity is forced to use a time-consuming tender procedure,
attempts to prevent disruptions in the functioning of CI can be futile. Therefore, PPL
contains solutions which, after a relevant situation has arisen and having regard to the circumstances
invoked, entitle the contracting authority to award a contract in a manner that allows
the statutory time limits required under the procurement procedure to be shortened or a
non-competitive procedure to be used. Depending on how urgent an event is and what demand it
creates as a result, these solutions help address extraordinary situations.
The Table below presents an overview of statutory prerequisites that enable the contracting
authority to take advantage of the preferential treatment warranted by PPL (under individual procedures).
Table 5. Overview of statutory prerequisites that enable the contracting authority to take advantage
of the preferential treatment warranted by PPL (under individual procedures). Source: own compilation.
Restricted procedure / negotiated procedure with prior publication of a contract notice (fast-track procedure):
• urgent need to award a contract
Negotiated procedure without prior publication of a contract notice:
• need for prompt execution of the contract
• the need for prompt execution of the contract does not result from events brought about by the contracting entity
• inability to foresee the necessity to award a contract
• time limits indispensable for conducting a tender procedure or a negotiated procedure with prior publication cannot be observed
Single-source procurement:
• exceptional situation
• the exceptional situation does not result from events brought about by the contracting entity
• inability to foresee the occurrence of the exceptional situation
• time limits provided for other procedures cannot be observed
If the requirements that enable using one of the above procedures have been met, then
• in the event of the restricted procedure/negotiated procedure with prior publication –
shorter time limits for the submission of requests to participate in a restricted tendering
procedure can be established, but not shorter than 10 or 15 days depending on the form
in which the contract notice is dispatched to the Publications Office of the European
Union, compared to 30 or 37 days provided in the standard procedure, and time limits for
submitting offers (minimum 10 days compared to at least 40 days provided in the standard
procedure)
• in the event of negotiated procedure without prior publication – negotiations can be
conducted with selected economic operators
• in the event of the single-source procurement procedure – negotiations can be conducted
only with one economic operator.
It is interesting to note that if a contract is classified as a utility contract, i.e. executed by an entity
designated in Article 3, paragraph 1 (4) of PPL and exercising the activities referred to in Article 132
of PPL, the PPL provisions are applicable only if the value of the contract equals or exceeds
the EU thresholds, which currently amount to EUR 414,000 for supplies/services and EUR
5,186,000 for construction works. If the estimated value of a utility contract is lower,
the contracting authority is not obliged to apply the provisions of PPL.
To conclude, the above quoted procedures (the negotiated procedure without prior publication
and single-source procurement in particular) may turn out to be extremely useful if a disturbance
of CI occurred. It should be noted, however, that non-competitive procedures are exceptional
in nature, and the prerequisites justifying their use cannot be interpreted liberally. Whenever
the contracting authority takes advantage of non-competitive procedures, the competitiveness
principle, fundamental to the public procurement system, is inevitably compromised. The
contracting authority must therefore be certain that the interest it protects (life, health, property)
objectively requires, due to its significance, to be given priority over competitiveness.41 It is
also necessary to remember that the use of one of the above procedures is justified only in
response to a specific threat that has materialised. There will be no grounds, however, to award
a contract under either the negotiated procedure without prior publication or the single-source
procurement procedure if the contracting authority, wishing to prevent an undefined future
phenomenon, executes a contract which could be awarded under a competitive procedure.
Exemption from applying PPL provisions
Regardless of the procedures described above, it needs to be noted that in the event of an
occurrence that disturbs the functioning of CI, it is potentially possible to rely on a premise
entitling the contracting authority to withdraw from applying the PPL provisions in view of a
significant national security interest or the protection of public security (Article 4(5) of PPL).
In accordance with the interpretation of the President of the Public Procurement Office, the
aim of the legislator was, inter alia, to protect internal security. It is a fair observation to make
that a causal relationship must exist between the withdrawal from applying the PPL provisions
and a significant national security interest. The explication of the exact meaning of a significant
national security interest may, however, be quite problematic. Following the position of the
President of the PPO, a contract that is of significant national security interest is in particular
one that concerns such values as sovereignty, international position, independence, territorial
integrity, and defence of the state. Should the disruption of the functioning of CI affect the
above values, it is reasonable to consider waiving the application of PPL. Although PPL does
not state this, it appears that the disruption must be real and not merely potential in nature.
41 W. Dzierżanowski, Ochrona konkurencji w prawie zamówień publicznych [Protection of competition in the Public Procurement Law], Wolters
Kluwer Polska Sp. z o.o., 2012, p. 156
Appeal procedure
The use of the appeal procedure in proceedings conducted in relation to the disruption of the
functioning of CI may raise certain controversies. It needs to be emphasised that, in principle,
once an appeal has been lodged, the contracting authority cannot conclude an agreement until
the National Appeals Chamber has delivered a judgement or an order closing the appeal procedure.
The appeal procedure can therefore significantly extend the duration of proceedings
leading to the conclusion of an agreement, which in the case of incidents threatening the
functioning of CI, which by nature are urgent, may negatively affect actions undertaken by the
contracting authority. PPL, however, provides a mechanism that prevents negative effects
from occurring during the suspension period resulting from the appeal lodged. Hence, the
contracting authority is entitled to apply to the National Appeals Chamber for revocation of
the prohibition to conclude an agreement. The National Appeals Chamber may in turn grant
such an application if the failure to conclude the contract could cause negative effects for the
public interest which exceed the benefits of safeguarding all interests likely to be harmed as a
result of actions taken by the contracting authority under procurement procedures. It appears
that in the case of CI-related threats, the justification of the application in question should not
pose any problems (as practice demonstrates, there is a strong likelihood that the National
Appeals Chamber will in fact grant such a request). At the same time, it needs to be
highlighted that lodging an appeal with the National Appeals Chamber is only possible
if the public procurement procedure (regardless of the procedure selected by the contracting
authority) is conducted under the PPL regime. Therefore, if a given procedure, either due to
the value of the contract or the exemption mentioned in Article 4(5) of PPL, is conducted
without applying PPL, the procedure before the National Appeals Chamber cannot be
conducted and the appeal is rejected.
PPL does not provide for any mechanisms (other than those indicated above) which would
facilitate (accelerate) the procurement procedure in relation to the maintenance (construction)
of CI in non-crisis situations. The extraordinary procedures provided for in PPL have been
derived directly from the EU directive. Therefore, introducing additional simplifications for
contracting authorities without changing the directive appears highly unlikely at this stage.
The latest EU regulations replicate the system laid down in previous directives when it comes
to tackling extraordinary situations, which also demonstrates that, in the view of the EU legislator,
the current solutions should be deemed sufficient. What could potentially be considered is
introducing into special Acts exemptions from applying PPL in certain defined situations. Such
solutions already exist in Poland (e.g. the Act regarding investments in the liquefied natural gas
regasification terminal in Świnoujście allows contracts to be executed in accordance with Article
4, paragraph 5 of PPL (de facto without applying PPL) if a significant national security
interest so requires).
Summary
National legislation imposes concrete obligations on CI owners and operators which, in practice, can incur substantial financial outlays. At the same time, in accordance with the provisions of the Act, CI owners and operators correspondingly bear the costs of performing their duties.
Agnieszka Wiercińska-Krużewska, Piotr Gajek – WKB Wierciński, Kwieciński, Baehr
It appears, however, that these entities should be able to apply for financing of at least part of the expenditure incurred in order to maintain CI. Amongst the potential sources of financing for CI projects, CI operators may apply to national operational programmes which use EU funds and to the financial instrument CEF, which among its objectives related to telecommunications network infrastructure mentions, inter alia, the support of critical telecommunications infrastructures.
Basic incentives for CI operators to encourage them to actively cooperate with state authorities in the area of CI protection should be found not so much in the binding provisions of law, but in the consequences of their collaboration with the public administration, such as:
• gaining access to specialist knowledge
• identification of best practices and standards for CI protection
• participation in the shaping of and affecting the state’s policy with regard to CI protection and at the same time affecting the final shape of responsibilities related to CI protection.
It appears that the foregoing could contribute to reducing the costs of CI operators in certain areas; nevertheless, a significant incentive for a more active participation of CI operators, besides purely statutory obligations, could be at least partial refinancing of the costs incurred by CI operators that result explicitly from the binding provisions of law.
However, legal acts that are currently in force put a far greater emphasis on the need to protect CI and the obligation to engage private sector entities in the process rather than on specific instruments (financial, PPP) that could incentivise these entities to actively participate in the CI protection system.

The PPL provisions provide for mechanisms that facilitate the shortening or even elimination of competitive procedures in extraordinary situations or in situations with respect to specific utilities. However, with regard to CI maintenance and protection, the legislator does not provide for facilitation in the acquisition of goods and services.
3. Eective public-private
cooperation – success factors
Joanna Świątkowska – the Kosciuszko Institute
Nowadays, a signicant part of critical infrastructure (CI) is in the hands of private entities.
Thus, in numerous cases, the state does not exert an exclusive inuence on the security and
continuity of CI. In order to maximise the eectiveness of infrastructure protection, the mecha-
nisms of cooperation between public and private entities need to be provided. The purpose of
this chapter is to indicate elements that strengthen the eectiveness of such cooperation, to
demonstrate potential diculties and to recommend solutions to overcome them. Chapter 4
complements this article by presenting good practices on CI forum governance methodologies.
Baseline conditions for effective cooperation
Mutual awareness and the conviction that the responsibility for the security of the state and the common good should be shared is a prerequisite for effective cooperation between public and private entities and, as a consequence, is a vital component of CI security. On the one hand, the state should treat private entities as key actors and partners whose engagement is imperative for achieving the assumed objective. On the other hand, private entities themselves should be aware of the important role they play in the process of ensuring security for both the state and its individual citizens. The responsibility is incumbent on them and they need to be ready to embrace it. Being fully aware of these circumstances is a condition that determines the integrity of the necessary actions undertaken to ensure CI security.
Public-private cooperation is frequently a “buzzword” used in the majority of debates on CI protection. However, it is not always clear what meaning it conveys.1 In this article, public-private cooperation is predominantly used in the sense of initiatives aimed at broadly understood information sharing (between private entities themselves and between private and public entities, supported by the state authorities) as well as the implementation by private entities of solutions recommended by the state (expressed in the form of standards) which considerably enhance the level of security. Information sharing should be understood as a process of collecting, analysing and exchanging information most often related to threats, the vulnerability of infrastructure, good practices, recommendations, etc.
1 In the context of public-private cooperation, it is common to find references to public-private partnerships. If PPP, in accordance with the Act (Act of 19 December 2008 on Public-Private Partnership), is understood as a joint undertaking (defined in very formal terms), then in the spirit of the adopted recommendations, it fails to be the most effective form of collaboration. One of the reasons is that PPPs are more project-orientated whereas security must be viewed as a process.
In spite of focusing the deliberations on the process of information sharing, the recommendations presented in this chapter may be applicable to other forms of cooperation, e.g. joint exercises during which procedures as well as safeguards and other crucial security elements are tested.
Eective cooperation – factors and potential challenges
One of the biggest challenges facing effective public-private cooperation is a difference in the understanding of objectives and priorities by the two parties. Public entities focus their activities on providing the highest level of security for the state and its citizens. Today, it is assumed that prosperity and development are contingent upon it. In turn, private entities are mainly profit-oriented, driven by improving financial performance. Yet, providing security requires material outlays such as investments, remuneration for work, the implementation of safety measures, control, monitoring, etc. Costly investments in security are therefore an additional load that private entities have to bear. This type of expenditure may not necessarily be in line with their financial strategy. Therefore, there is a risk that these entities will either minimize the expenditure on security, or purposefully count in the risk of potential loss, or simply hope that a problematic situation never arises.
Hence, the key to solving this problem, and at the same time the main task facing the state, is to make private entities as well as CI owners and users aware that they are incumbent with a much greater responsibility than one which is exclusively about financial performance. Raising ethical or emotional arguments has little chance of success and is burdened with a high risk; therefore, it is worth concentrating on elucidating the economic consequences of negligence in the area of security.
A good practice is trying to persuade high-level company representatives (preferably at board level) to invest in security. What is important is to show them potential risks significantly affecting security which can be minimized with the use of acceptable resources.
The often inadequate level of protection associated with cybersecurity can serve as a good example. Raising awareness among the representatives of the board, who are often unaware of the threats, about how widespread and costly the problems generated by cyber threats are improves the chances of success.2 It is useful to demonstrate the frequency with which problems occur and the extent of the damage to finances and reputation, and the loss of credibility, that occur as a consequence.
2 Good practices on the methodology of the above-mentioned awareness raising process are derived, among others, from Dutch experiences. First of all, the process of raising awareness is most effective if it takes place during conversations held between the company and the representatives of public entities or their associates. During such a meeting, the company’s representatives may be encouraged to take a short knowledge test that shows, on the one hand, whether the board of directors has knowledge and awareness of the safeguards applied in their company, and on the other hand allows for verifying whether these safeguards are being truly implemented. Asking simple questions created on the basis of a standardised questionnaire can also bring good results.
Confrontation with the prospect of potential consequences, together with an indication that an investment in security can in fact protect the company from heavy losses and secure its financial performance, proves an effective instrument. In this context, a particular emphasis should be put on promoting the advantages of the preventive approach to security instead of adopting a reactive attitude.
Another strategy is to aim similar activities at the company’s shareholders. The underlying
assumption is that the knowledge they acquire will either prompt them to compel the board
to take action, or to express the necessity to invest in security.
Apart from the dierent perception of objectives, the eectiveness of public-private cooperation
is contingent upon resolving other potential issues. These include building mutual trust between
the collaborating parties as well as convincing them of the purposefulness and value-added of the
undertaken partnership. The processes involving information exchange provide a good example.
When it comes to trust
3
, the engaged entities need to be certain that sharing information is “safe.
The entities must be given guarantees that information will never fall into the wrong hands, be
disclosed without their consent, harm their image, or otherwise adversely aect the condence
of their customers. By analogy, the entities cannot fear retribution as a result of disclosing any
data. Security must be ensured at a contract level, mutual obligations, and in the form of tech-
nical measures that secure information sharing channels. Apart from trust, the entities involved
need to be certain that the participation in information sharing initiatives makes sense and brings
a desired eect.
4
Otherwise engagement will be perceived as an unproductive waste of time.
Eective communication must be a two-way process and feedback received by private entities
needs to translate into benets that increase security in real terms. Only the sense of purposeful-
ness of actions will make the entities engage in these activities more solidly.
Finally, the discussion of an effective form of public-private cooperation gives rise to a heated dispute between advocates and opponents of applying voluntary and mandatory forms of cooperation. The first strategy draws upon the willingness of entities to participate in certain initiatives and the belief in their value. According to the other option, it is possible to make private sector representatives engage in given processes and, for instance, implement security-related solutions (specific standards) under threat of broadly understood sanctions.5

The opponents of the mandatory approach argue that “enforced” forms of cooperation undermine trust, making entities perform tasks only to avoid punishment. With the sole aim of completing the tasks, the entities engage minimally in the activities they perform, which often makes these activities highly ineffective. An example of such a danger is a routinely applied approach described as “compliance”, where individual entities obtain a set of standards and requirements they have to comply with. They do not focus on actual threats or dangers (a risk-based approach); instead, they solely, and often indiscriminately, “tick off” activities they have to take in order to comply with a standard. In this scenario, conformity with the guidelines is erroneously considered as an aim in itself.
3 Good practices in this respect are closely related to the methodology of running and managing a forum, and as such will be presented in
Chapter 4.
4 More about it can be found in Chapter 4.
5 It is highly disputable if such a form can actually be termed cooperation.
Successful forms of voluntary collaboration are presented as a counterargument to mandatory activity. Operating in the USA and Great Britain, Self Storage Associations are perfect examples of such cooperation.6 The main aim of these organisations is to establish common, voluntary standards. The overriding value lies in the fact that the development of these standards is a joint effort drawing upon the practical knowledge and experiences of individual entities. Being convinced of their value, the entities themselves start using and implementing them.

Conversely, the advocates of compulsory cooperation invoke the argument that market-based solutions are insufficiently strong to persuade entities to ensure security; in fact, they actually promote risk-taking. Numerous real-life examples of negligence in security reinforce the view that a more “invasive” form of influence exerted by the state is justifiable. It needs to be noted, however, that the risk resulting from employing a trust-based approach only is enormous considering the significance and important role of CI for the security of the state. In addition, experts such as James Lewis from CSIS argue that the introduction of just a few very simple solutions may dramatically strengthen security. In this context, it is worth considering the introduction of regulation that will impose their implementation.7
To recapitulate the considerations of the mandatory and voluntary approaches, it appears impossible to assess unequivocally which of them is more legitimate. It is one of the most challenging aspects of effective public-private cooperation, also because it touches upon world-view issues. This publication recommends using a case-by-case method to assess the situation and select an appropriate strategy. Applying tailored and not only “one-size-fits-all” solutions can eventually bring a desired effect. Alternatively, a “mixed” approach allows mandatory mechanisms to be selected and applied in the most crucial sectors8 where the risk is the highest. Regardless of the option selected in the end, it is worth ensuring that basic principles such as purposefulness of action and an action-result relationship are properly demonstrated and fulfilled.9 Above all, however, any forms of collaboration should be combined with mechanisms introduced by the state that stimulate interest in cooperation as well as affect the efficiency and engagement of the participants.
Incentives aecting the eectiveness of public-private
cooperation
There is a wide array of instruments that the state can use to encourage private entities to
cooperate and conscientiously perform security-related tasks (e.g. implement specic stand-
ards). A list of selected tools has been presented below:
6 See http://www.azselfstorage.org/, http://www.ssauk.com/.
7 Although the author refers to solutions strictly associated with ICT systems, it is worth considering his reasoning regarding this particular example in the context of general solutions for the entire CI system. See J. A. Lewis, Raising the Bar for Cybersecurity, 12 February 2013. http://csis.org/files/publication/130212_Lewis_RaisingBarCybersecurity.pdf, [accessed: 13/04/2013].
8 S. Eckert, Protecting Critical Infrastructure: The Role of the Private Sector, http://www.ridgway.pitt.edu/Portals/1/pdfs/Publications/Eckert.pdf, [accessed: 13/04/2013].
9 Which, in the voluntary approach and the absence of sanctions, is imperative.
Tax incentives: dedicated to entities participating in initiatives related to, inter alia, information sharing or applying security solutions that comply with specific standards.10

Grants: introducing a system of grants for research and innovation in the area of security. One of the examples is a USD 51 million grant awarded by the Environmental Protection Agency to water utilities for performing vulnerability assessments and developing emergency response plans.11 The system of grants can work in two ways. First, as an opportunity per se to apply for financial resources to be spent on activities directly involving security. Second, they can indirectly affect the increase in the level of protection. Undertaking specific security-related activities, such as the implementation of standards, can, in effect, be a necessary requirement that allows companies to participate in grant competitions that are of interest to them. Therefore, in order for the companies to be able to apply for funding and, in addition, raise funds for real actions, they will need to implement certain solutions and take part in initiatives (active participation in information sharing forums may be one of the requirements). The foregoing mechanisms, as an alternative to grants, can take the form of a condition upon which companies are allowed to participate in tenders or state-funded training programmes enhancing specific skills.
Establishing an insurance market12 for security-driven activities: in essence, companies which undertake actions that increase security (e.g. by complying with standards, implementing specific procedures, and partaking in information sharing activities) could be awarded significant insurance discounts.

Awarding certificates or labelling companies in a way that would be easily recognisable for clients, so that it is clear that these entities comply with standards and procedures promoting security. Gradation of labels could also be introduced: as a company may be applying safeguards to various degrees, the more advanced the actions taken, the higher the level awarded.

Loans: this mechanism could make the companies which are either active on information sharing forums or apply appropriate security measures eligible for attractive loan offers or financial aid to repair damages or recover losses in case an incident should occur.
The above suggestions, to a large extent, involve financial forms of incentivising private entities to engage in security-oriented activities. There are a number of other, non-financial factors that can be of great importance. Hence, the question that arises is what, besides the foregoing financial mechanisms, can persuade these entities to actively and robustly engage in security-related activities. The presented examples will refer to participation in information sharing initiatives.
10 It is mandatory that the standards should meet the criterion of timeliness and be flexible enough to adjust to the prevailing conditions. Rigid and outdated standards in conjunction with a minimalistic attitude towards implementing enforced solutions can bring disastrous results (e.g. a false sense of security).
11 S. Eckert, op. cit.
12 This element of the potential “system of incentives” requires its possible effects to be further deepened through analysis. The creation of an insurance market alone can be very difficult. Hence, particularly at the outset, it is worth considering the idea of introducing a public system for supporting such initiatives, for example reinsurance.
As was stated earlier, the belief in the value added and purposefulness of actions is the most important factor encouraging entities to enter into cooperation. Active involvement in the activities of information sharing platforms should entail the prospect of obtaining data that will translate into a better and safer functioning of their companies. Therefore, information must be accurate, up-to-date, and provided on time. In addition, participation in selected mechanisms of information sharing could be rewarded with access to government information, particularly information that cannot be obtained elsewhere. Other potential incentives include counselling and knowledge (technical, legal, etc.) exchange between experts associated with public bodies and private entities. By analogy, the state authorities may offer assistance to the engaged entities in problematic situations. The belief held by participants that engaging in such initiatives offers them a unique opportunity to conduct a dialogue on future decisions taken by public bodies may also prove valuable. By taking part in such a discussion, private entities would have the opportunity to lobby for desired changes and point out possible negative effects of potential decisions. Ultimately, the entities partaking in information sharing forums and other initiatives (e.g. exercises) can be given an opportunity to participate in coaching and training sessions held or funded by the state. These can constitute a very attractive incentive as they strengthen competences and expertise as well as increase the level of knowledge.
To summarise the information on effective, mutually beneficial collaborative engagement of public and private entities, it is worth invoking a Dutch model initiative known as the ICT Response Board (IRB).13 Consisting of representatives of the private and public sectors, this body convenes ad hoc in crisis situations involving cyberattacks.14 The IRB aims to provide support to appropriate entities, be they elements of the crisis management system or private entities. Activities undertaken by the IRB involve flagging up potential threats, identifying and interpreting threats, coordinating activities when a crisis situation occurs, counselling entities stricken or threatened by security incidents, and collecting information and distributing it among stakeholders. In addition, the entities engaged in the initiative hold joint scenario-based exercises during which they test procedures, specific solutions and activities.
The future of public-private cooperation in Poland
Prepared by the GCS, the NCIPP opts for a non-sanction-based approach to the protection of the key components of the state’s infrastructure.15 The suggestions presented above are not only likely to contribute to enhancing the effectiveness of voluntary forms of cooperation, but also to increase the chances for a robust execution of numerous initiatives.

At the same time, it is worth noting that in the coming months international solutions that Poland most likely will have to implement will require certain areas of cooperation to be regulated. This statement refers to a directive concerning network and information security16; at the time when this chapter was written, the directive had been passed by the European Parliament. As the next step, the final text will be negotiated with the EU Council. If the directive is adopted in its current form, it will impose mandatory elements of cooperation on public and private entities. First and foremost, the directive will force CI owners17 to implement appropriate measures aimed at increasing security and to report incidents that jeopardise network and information security.18 Clearly, we need to be aware that the directive concerns only a limited segment of tasks related to CI security – ICT security to be precise. Nevertheless, it interferes in the manner in which public and private cooperation is established, which can affect other areas in the future.
13 ICT Response Board, https://www.ncsc.nl/english/services/crisis-management-reinforcement/ict-response-board.html, [accessed: 13/04/2013].
14 Alternatively, in the situation of a looming crisis.
15 GCS, National Critical Infrastructure Protection Programme, pp. 6–7.
16 Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union, COM (2013) 48 final.
If the directive comes into force, Poland will be required to apply elements of the sanction-based approach. This gives rise to a concern that private entities will realise predetermined tasks only to avoid punishment and with minimal engagement. In order to help alleviate all possible negative effects of sanction-based cooperation (imposed by the directive and any other prospective collaboration), it is advisable to consider combining these regulatory efforts with the actions supporting the private sector presented in the list above. The implementation of the directive into national legal orders can be done in a flexible manner; therefore, there is merit in safeguarding the effectiveness of its implementation by stimulating efficient public-private cooperation.
Summary
The understanding of differences in the way the two parties define security objectives and priorities should underpin effective public-private cooperation. Another prerequisite is to guarantee that both sectors will benefit from all joint initiatives. This stipulation is particularly relevant in the context of voluntary initiatives. The decision to adopt a mandatory approach should be well-pondered and based upon case-by-case analysis with particular attention paid to high-risk sectors. Lastly, private entities should be encouraged to engage in collaboration by means of incentives, both financial and non-financial, which will increase the likelihood of effective involvement.
17 See COM (2013) 48 final, Annex II.
18 COM (2013) 48 final, Article 14(1); Article 14(2).
4. The methodology of governing collaboration forums for critical infrastructure protection
Dominika Dziwisz – the Kosciuszko Institute
The majority of existing forms of cooperation between public and private partners are driven by the facilitation of information sharing on risks, weaknesses, threats, and vulnerabilities as well as best practices and recommendations for securing critical infrastructure (CI). In order for them to be effective, they must be organised across three levels: national, systemic, and regional.1 Information sharing at each of these levels must be conducted on an ongoing basis, ideally with the parties staying in direct contact, so that robust and sustainable relationships between the partners can be maintained.

The rudimentary form of information exchange leading to an increase in CI security is joint meetings of participants who are engaged in public-private cooperation2 within CI protection forums. Therefore, in 2013, the Government Centre for Security (GCS) recommended establishing a network of forums aimed at identifying key problems that affect CI protection and developing suggestions for solutions.3
As ENISA identied in the report examining the eciency of forum activity, one of the biggest
barriers and challenges, apart from the low quality of information and inappropriately tailored
incentives for cooperation4, isthe poor management of forums.5
The article supplements recommendations issued by the GCS, offering concrete solutions for governing CI forums as well as highlighting major problems involved. The analysis was based on the examples of effective solutions applied in the United States of America, but predominantly on the observations and suggestions offered by ENISA (European Network and Information Security Agency). ENISA is a centre for sharing cybersecurity experiences and information between Member States and the EU institutions. In reports from 2010 and 2011,6 ENISA compared different governance models of public-private cooperation, specifically in the area of CIIP (Critical Information Infrastructure Protection). However, ENISA’s observations and recommendations are also used to establish general rules and the framework of cooperation for other information sharing initiatives.

Lastly, the author would like to emphasise that the observations and recommendations refer predominantly to managing sector-specific forums.
1 GCS, National Critical Infrastructure Protection Programme, http://rcb.gov.pl/?page_id=261 [accessed: 10/04/2014].
2 There are numerous mechanisms designed to manage the protection of CI. They range from methods where the government determines the rules to be observed, in other words, it plays the role of the only authority that can set out security standards and enforce compliance, to approaches where the government allows the security of CI to be regulated by market-based mechanisms. In between these polarised solutions, there are a number of other, intermediate forms of cooperation. They vary according to the extent to which the state interferes with the work of CIs owned by private entities. For this reason, the author refrained from using the phrase “public-private partnership”, which represents only one form of collaboration, in favour of the broader concept of “public-private cooperation”. In this context, public-private cooperation for CI security should be understood as initiatives aimed at collecting, processing and sharing information relevant for CI security between the governmental and private sectors and between private entities themselves.
3 The National Critical Infrastructure…, op. cit.
4 Incommensurate with the risk taken.
5 ENISA, Incentives and Challenges for Information Sharing in the Context of Network and Information Security, 2010.
Forum organisational structure
In principle, in order to prevent discrimination against any one of the parties, the principle of equality of all public and private partners should underlie public-private cooperation. In view of this fact, when setting up an information sharing forum, all entities involved should be given similar rights, possibilities for action and responsibilities for the security of the “client” (public and private). At the same time, even if we assume that all cooperating parties are on an equal footing, as in any other organisation, it is mandatory to choose an entity responsible for governance and coordination.

The first and most commonly practised form of governance is assigning the leadership role to one of the partners from either the public or private sector, i.e. running by one from within. This works best for forums where the information is shared among partners representing the same CI sector, since they are fully familiar with the specific nature of their activity as well as possible problems that may occur.

Another, less popular form involves assigning the leadership to a specially appointed body. This solution is most effective when managing the collaboration of individual sector-specific forums. It can prevent a situation where participants, having detailed knowledge about their own sector, are unable to counteract potential threats due to a lack of a broader picture. Thus, the coordinating body, being aware of the complexity of the problem, is able to direct the activity of all participants in the most optimal way.
6 ENISA, Incentives and Challenges for Information Sharing in the Context of Network and Information Security, 2010; ENISA, Cooperative Models for Effective Public Private Partnerships. Desktop Research Report, ENISA, 2011.
Figures 3, 4, 5. Forum governance types: forum run from within; forum run by a specially appointed body; democratically peer-led forum. Source: own compilation based on ENISA, Desktop Research on Public Private Partnerships, 2011.
In the case of the American Information Sharing and Analysis Centers (ISACs), this function has been assigned to the National Council of ISACs, which was appointed in 2003. Consisting of representatives of the sector-specific ISACs, the Council convenes once a month with the aim of fostering cooperation between them and building mutual trust as well as tackling current problems and developing strategies for responding to existing threats. In addition, the Council conducts training and, in crisis situations at the national level, acts as an intermediary between the private sector and the National Infrastructure Coordinating Center (NICC), which is part of the U.S. Department of Homeland Security. The Council also sponsors an annual Critical Infrastructure Protection (CIP) Congress.
Democratic peer leadership is a third form of forum governance. In practical terms, this form is not only the least effective, but also the most conflict-prone, and is therefore hardly used. However, attempts are being made to “democratise” this form of governance by appointing a rotating chair in order to prevent one participant from gaining a dominant position and actually leading the network.
Levels of forum organisational structure
As mentioned in the introduction, for CI security information sharing to be effective, it needs to be organised across several levels: national, systemic, and regional. Again, American ISACs are an example of good organisation and governance of a public and private partner network. The Centers collect information and security data and share them with the institutions co-creating a given centre. As initially planned, a single ISAC was supposed to be established for all economic sectors. In practice, this solution turned out to be ineffective. Therefore, a separate centre was established for each sector mentioned in Presidential Decision Directive No. 63 (PDD 63).7
The decision to set up a separate ISAC for every CI sector was key to the effectiveness of the ISAC network. In view of the specific nature of CI sectors, establishing a single “collective” ISAC for all sectors had minimal chances of success. Also, creating general standards for cooperation would be highly inefficient because each sector functions in its own specific way. Therefore, a better solution was to set up separate ISACs responsible for the security of their respective sectors. American ISACs were amongst the first forums designed for sector-specific information exchange. Today, similar solutions have been adopted by other countries, which on numerous occasions followed the example of ISACs.8 In Poland, the Government Centre for Security (GCS) has issued a recommendation for establishing separate systemic forums for every CI sector that will convene at least biannually, or more often depending on the circumstances. When designing forums for information sharing, the GCS employed international sector-based standards. This solution, for the reasons mentioned above, has every chance of success and can bring the same positive effects as the American solutions.
7 Presidential Decision Directive 63, 22.05.1998, http://www.fas.org/irp/offdocs/pdd/pdd-63.htm, [accessed: 10/12/2013].
8 Sector-specific information sharing forums operate, inter alia, in Australia. The Australian Trusted Information Sharing Network (TISN) is a forum for sharing information between owners and operators of critical infrastructures. TISN consists of seven Sector Groups, two Expert Advisory Groups, as well as the Communities of Interest (CoI) and the Critical Infrastructure Advisory Council (CIAC). Sector Groups serve as intermediaries between the governmental and private sectors. After: ENISA, Cooperative Models for Effective Public Private Partnerships. Good Practice Guide, 2011, p. 49.
Hierarchical vs. network governance
The problem of building effective forms of cooperation is invariably linked to the clash of two governance cultures. Engaging multiple stakeholders, the private sector is open, predisposed to change and governed horizontally. By contrast, the public sector is often a more rigid, hierarchically governed structure9 that displays less reactivity in the face of change. It does, however, have the capability to resolve complex problems over long periods of time. Currently, with the private sector having a relatively strong capacity for action, setting ground rules for cooperation with the government can cause numerous conflicts.10 The situation is further complicated by the fact that each of the interested groups wants to be in charge.11
Some experts argue that a solution could be to abandon “traditional” forms of cooperation and governance and replace them with network governance. According to this concept, the hierarchical organisation of roles, where some entities monitor other participants who are forced to cooperate under the threat of criminal sanctions, is abandoned in favour of more complex network systems. What is characteristic of them are numerous centres of decision-making, the equal status of participants, shared responsibility for the initiatives undertaken, and voluntary involvement in developing solutions for mutual benefit. In the case of information sharing forums, it would entail departing from thinking of the government as the monopolist of their governance, namely issuing instructions and monitoring the fulfilment of tasks by a single entity, and, as a consequence, applying a model of more dispersed decision-making. Appropriate conditions should be created in which “public administration thus becomes a team sport where persuasion, negotiations, and mutual trust are more important than control and regulation”.12 Mutual understanding and complementary cooperation on an equal footing will allow the private and public sectors to achieve their goals, which, as a rule, is impeded or made impossible if control and regulation are in the hands of a single entity only. In practice, “in order to facilitate such new forms of cooperation, small and relatively homogenous networks are required that involve all actors who will and can contribute to the fulfilment of a public service in their own interest. Such actors, most of whom come from both the public and the private sectors, then organize themselves quasi autonomously. They fix rules for common action and determine the responsibilities and commitments of the individual partners”.13 These various networks self-monitor their activities, which means that a number of independent, self-regulating networks are involved in performing public tasks. While both the public and private sectors have their own “representatives”, agencies representing the public sector resign from their special, privileged status. The network will only function if decisions are taken through negotiations and all parties are on an equal footing.
9 J. Healey, Preparing for Cyber 9/12, http://www.isn.ethz.ch/DigitalLibrary/Publications/Detail/?ots591=966c9813-6e74-4e0b-b884-8ed9f3f0978c&lng=en&id=143486, [accessed: 01/04/2014].
10 Ibidem.
11 Ibidem.
12 M. D. Cavelty, M. Suter, Public-Private Partnerships are no silver bullet: An expanded governance for Critical Infrastructure Protection, “International Journal of Critical Infrastructure Protection” 2009, doi:10.1016/j.ijcip.2009.08.006, p. 5.
13 R.A.W. Rhodes, The new governance: Governing without government, Political Studies 44 (1996), p. 658f. After: Ibidem, p. 5.
Forum funding
A crucial aspect of the organisation of an information sharing forum is funding its activity. The forum can be funded either from the government budget or by the participants themselves, who undertake to pay a membership subscription. In the first scenario, the private sector is highly incentivised to participate because the government covers the administrative costs. The example of ISACs in the U.S., which are subsidised or in some cases fully funded from the federal budget, proves that the absence of fees for participants from the private sector is a successful motivator for action. This is by no means a common practice, however. The report by ENISA shows that 24 percent of the organisations studied require their members to pay a subscription to cover administrative expenses.14
Forums and other forms of information sharing can also be funded using alternative methods. For instance, the participants can pay for services of real value, such as access to expert studies, or a mixed method can be used where the members cover the costs of their time and expenses whereas the government pays for coordination costs, the venue, etc.
Forms of communication
Another aspect of forum governance is the choice of a communication channel between partners. Information sharing can occur traditionally, i.e. during regular or occasional “face-to-face” meetings. As practice shows, this method is the most productive and effective. It is also possible to take advantage of modern technologies, above all the Internet, which facilitates cooperation through video conferences or the transfer of information via private distribution lists. The participants can also use dedicated Internet platforms to publish information that is crucial for the security of CI. Such a platform can consist of specific systemic and expert groups (rooms).15 Coordination and administrative management of the forum can be done virtually; however, decisions that are fundamental to cooperation should be taken during direct physical meetings. According to the report by ENISA, direct contact maintained by forum participants makes information sharing more effective.
Trust among forum participants
The lack of trust among forum participants, particularly between the representatives of the private and public sectors, may fundamentally impede the functioning of the forum. Private enterprises are mostly concerned about insufficient confidentiality and security of the information shared, which can adversely affect their reputation and competitiveness. The same concerns are harboured by the government. The “culture of secrecy” and a deeply entrenched fear of sharing information with non-governmental entities pose a risk of the information sharing initiatives ending in stalemate.
14 ENISA, Cooperative Models for Effective Public Private Partnerships. Desktop Research Report, 2011.
15 The National Critical Infrastructure…, op. cit.
In view of this, building mutual trust and ensuring the highest possible security of transferred data is both a priority and a challenge for effective collaboration. Trust building should be understood as a gradual and long-lasting “process” during which the forum participants constantly work on strengthening their contacts. There are a number of ways to increase the level of trust.
First, it is mandatory for the forum members to determine the type of information shared: it must be up to date, factual and useful from the point of view of the entire group. A situation where the forum participants themselves formulate the rules for information sharing minimises the risk of uncertainty as to whether any information other than that which was specifically defined may be disclosed on the forum. At the same time, it is necessary to establish procedures for removing any sensitive personal and contact details from databases.
Second, the size of the forum may be an obstacle to building relationships and trust among forum participants. The larger the group, the more difficult it becomes to build trust among the participants. Increasing the number of participants often goes hand in hand with a greater variety and dissimilarity of goals and priorities that make it hard to reach a consensus. At the same time, it is difficult to find common benefits of cooperation that are equally important for all participants. However, it is difficult to determine how many participants should comprise a model forum. This depends upon the specific nature of a given CI sector, but most of all upon a unanimous decision of the partners.
Third, it is impossible to avoid the risk that some of the information shared may be used for commercial purposes. Therefore, it is worth considering whether sales and marketing professionals should participate in sector-specific forums alongside security specialists and technical experts. As ENISA demonstrated in its report, the risk of commercial exploitation of confidential information is a barrier to building mutual trust. Hence, it is essential to specify the exact preferences regarding target forum participants as well as to obtain their consent to establishing collaboration in the proposed composition.
Fourth, sustainability and continuity of the forum are the cornerstone of trust. Therefore, it is essential to implement principles that guarantee the continuity of membership, such as detailed rules for participation in the forum supplemented with concrete incentives for cooperation, rules for the conscientious performance of duties, a declaration of rights and responsibilities, as well as rules that regulate the process of excluding an entity from membership. A situation where some members take advantage of the efforts of others while offering a negligible contribution of their own cannot be allowed. At the same time, it is necessary to prevent unhealthy competition. Each of the forum members should be aware of the importance of their actions and strive to optimise their own efforts, thus creating added value for the entire group.
Fifth, the choice of the method of communication between forum participants has a direct influence on trust within the group. Using Internet-enabled tools to share information, e.g. Internet platforms, virtual conferences or electronic mail, effectively helps build a sense of stability and the assurance that cooperating entities can respond quickly if needed. This does not change the fact that the undeniable advantage of in-person meetings of forum participants is their ability to overcome the barriers of uncertainty and distrust that stem from not knowing the other members. In-person meetings help build knowledge about common objectives and strategies for action, on the basis of which the members can predict further prospective actions. Therefore, as emphasised earlier, “face-to-face” communication should underlie all forms of contact between the forum participants.
Forms of cooperation and flexibility of choice
Finally, it is worth noting that due to the specific nature of and differences between CI sectors, no forms of collaboration should be predetermined. Again, based on the example of the American collaboration project, we can notice that ISACs have evolved varied structures due to their independence from federal agencies. Every sector has its specific problems; therefore, flexibility in the way the partnership is organised allows for designing solutions that most adequately reflect the specific character and requirements of each sector. It is precisely the needs of a given sector and the clearly formulated objectives of the partnership, and not conventional solutions adopted within the framework of public-private cooperation, that should shape the structure and rules governing the forum and its members.
Summary
When setting up a collaboration forum for CI security, it should be assumed from the outset that the collaborating parties should be on an equal footing and, at the same time, the best possible form of governance and coordination should be chosen depending on whether information sharing will take place between participants of the same or different CI sectors. Due to its own specific problems, it is important that every CI sector has its separate systemic forum. As practice shows, establishing a single forum for all CI sectors proves ineffective. However, in order to gain a bigger picture of the situation and understand the complexity of different problems, there is a need for one entity to manage the cooperation between individual sector-specific forums. In Poland, this function could be assigned to the GCS.
When organising and administering the forum, it is also necessary to abandon the historically entrenched attitudes claiming that some solutions can be worked out only at the governmental level. In other words, thinking of forums in terms of hierarchical subordination should be abandoned in favour of flexibility and network governance which, in practice, turns out to be far more effective. Other important factors that determine the effectiveness of the forum for opinion sharing include tailored mechanisms for funding its activity, appropriate types of collaboration channels, as well as flexibility in the choice of the form of collaboration for every sector. However, the all-important condition determining the effectiveness of the forum is a trusting relationship between its members as well as a willingness to share information rooted in the belief in the significance, effectiveness, success and security of the partnership. Even if we assume that membership is mandatory, in the absence of willingness and trust, any initiatives are bound to fall through.
part II
5. The role of ICT components in the functioning of critical infrastructure
Mirosław Ryba – EY
Today, the development of ICT (digitisation) is no longer surprising to anyone. It is rather the spectacular pace of this development that draws admiration and sometimes disbelief. In the past, technological change took years, whereas today modifications in ICT systems happen in the space of months. Solutions which 10 years ago could be described as “science-fiction” concepts are currently being implemented not only for military but also for commercial use. Examples today include extensively tested autonomous cars1, which, according to manufacturers’ forecasts, should be commercially available soon, not to mention mobile devices that are launched on the market every few weeks and whose computing power is greater than that which NASA had when landing the first man on the Moon (e.g. the AGC computer, designed specifically for this purpose at MIT, was equipped with a 64-KB memory and clocked by a 43 KHz signal).
Being so widespread in everyday life, ICT solutions have naturally found application in critical infrastructure (CI) systems, and today no one dares to question the fact that the efficient functioning of CI is impossible without the proper support of ICT systems.
ICT systems used in CI
ICT systems for CI can be divided into two groups of solutions: Information Technology (IT) and Operational Technology (OT). The application of these solutions is closely dependent upon the industry or, to be precise, the functional area of CI in which they are utilised. CI systems offering citizen-oriented services (finances, communication, emergency services, etc.), i.e. resources where Information and Communication Technologies support business processes or are employed to gather and process data, widely use IT solutions. Conversely, in all CI facilities associated with technological processes (extraction, manufacturing, processing, etc.), OT solutions, such as devices and applications for managing production facilities and the technological process, play a key role.
Capacity and availability of these solutions are the key differentiating features between IT and OT. Although in the case of IT solutions an interruption of the operational continuity of the system is acceptable (despite often being costly business-wise), in OT we deal with real-time solutions where the response to changes in the manufacturing environment must be instantaneous and any delays are unacceptable.2 This is mostly dictated by economic factors (an unscheduled interruption to the operational continuity of certain manufacturing installations results in multi-million financial losses), but above all by factors related to the safety of people. Control over the manufacturing environment has a direct influence on people’s safety (their health and sometimes their lives) and the safety of the natural environment.
1 Autonomous or driverless cars – robotic, self-driving cars that are capable of navigating and sensing changes in their surroundings (other vehicles, obstacles, traffic lights, etc.) without the need for human intervention.
Another key dierence between IT and OT solutions is the period of time for which these solu-
tions are designed. For IT solutions, the average service life of systems/components is 3 to 5
years whereas OT solutions are planned to last for at least a decade, with an average of about
15 years. Hence, with such a long operating period, it needs to be considered that OT solutions
will undergo fewer upgrades compared to IT solutions, and that obsolete technologies that are
no longer developed will be encountered in the OT environment. This also results in limited
resources (understood as the capacity of processors, memories, disks, etc.) when it comes to
the availability of equipment components, which very often makes it impossible for the OT
system to be expanded (or additional safety enhancing components to be installed) and in
the case of pending upgrade or expansion, it requires the entire environment to be replaced.
The application of IT and OT in different domains leads to differences between IT and OT in the perception of security aspects. From the point of view of the security of IT solutions, the key problem is to ensure (business) data confidentiality, whereas for OT the all-important aspect is to ensure the availability of the manufacturing process. The following figure visualises this relationship.
Figure 6. Priorities for IT and OT security attributes. Source: own compilation. IT: confidentiality, integrity, availability; OT: availability, integrity, confidentiality.
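As an added illustration, not code from the report or from EY, the following Python script applies the IT/OT distinction described above to a constructed asset inventory: it weights the three security attributes in the order shown in Figure 6 and flags components that are beyond the service-life figures quoted above, are no longer vendor-supported, or cannot be restarted for an upgrade. The Asset fields, the sample inventory, the 3/2/1 weighting scale and the choice of 5 years as the IT design life are assumptions made for this example.

```python
"""Review an asset inventory using the IT/OT distinction.

Added example, not code from the report. The attribute priority orders
(IT: C > I > A, OT: A > I > C) and the service-life figures (IT 3-5 years,
OT about 15 years) follow the chapter; the Asset fields, the 3/2/1 weighting,
the sample inventory and the choice of 5 years as the IT design life are
assumptions made for this example.
"""
from dataclasses import dataclass

# Security attribute priority per domain, highest first (Figure 6).
PRIORITY = {
    "IT": ("confidentiality", "integrity", "availability"),
    "OT": ("availability", "integrity", "confidentiality"),
}

# Design service life in years (assumed: upper end of the IT range).
DESIGN_LIFE_YEARS = {"IT": 5, "OT": 15}


@dataclass
class Asset:
    name: str
    domain: str              # "IT" or "OT"
    commissioned: int        # year the component entered service
    vendor_supported: bool   # does the vendor still ship fixes?
    restart_tolerated: bool  # can it be rebooted for an upgrade without an outage?


def attribute_weights(domain):
    """Weight 3/2/1 by rank in the domain's priority order (assumed scale)."""
    order = PRIORITY[domain]
    return {attr: len(order) - rank for rank, attr in enumerate(order)}


def weighted_impact(domain, impact):
    """Priority-weighted sum of per-attribute impact estimates (0..3 each).

    The same confidentiality loss scores 9 on an IT asset but only 3 on an
    OT asset, reflecting the different priorities of the two domains.
    """
    weights = attribute_weights(domain)
    return sum(weights[attr] * impact.get(attr, 0) for attr in weights)


def lifecycle_findings(asset, year):
    """Findings that follow from the lifecycle constraints described in the text."""
    findings = []
    if year - asset.commissioned > DESIGN_LIFE_YEARS[asset.domain]:
        findings.append("beyond design service life")
    if not asset.vendor_supported:
        findings.append("no vendor support: expect no further security upgrades")
    if asset.domain == "OT" and not asset.restart_tolerated:
        findings.append("cannot be restarted: patching needs a planned outage")
    return findings


def review_inventory(assets, year):
    """Map asset name -> findings, for assets that have at least one finding."""
    result = {}
    for asset in assets:
        findings = lifecycle_findings(asset, year)
        if findings:
            result[asset.name] = findings
    return result


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    Asset("core-banking-db", "IT", 2010, True, True),
    Asset("plc-boiler-1", "OT", 1998, False, False),
    Asset("hmi-workstation", "OT", 2012, True, True),
]

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_INVENTORY, 2014).items():
        print(name, "->", "; ".join(findings))
    print("OT availability loss:", weighted_impact("OT", {"availability": 3}))
    print("OT confidentiality loss:", weighted_impact("OT", {"confidentiality": 3}))
```

Run against the sample inventory for the year 2014, only the 1998 PLC is reported: it is past the 15-year OT design life, unsupported, and cannot be rebooted, which is exactly the combination of constraints the text warns about for OT environments.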
It needs to be noted that whereas IT solutions entered the realm of CI (e.g. telecommunications) following the technological revolution that took place at the turn of the 20th century, the realm of OT solutions remained hermetic for many years. It was not until the beginning of the 21st century that dramatic changes in OT started taking place, involving the transfer of IT solutions to OT, OT standardisation, the abandonment of closed protocols, the introduction of virtual and mobile solutions to OT, and the implementation of ICT security tools. It should be remembered, however, that the decision to implement any solutions, including ICT, in critical infrastructure must result from a conscious and careful consideration of both the advantages that the technology brings and the threats it can pose to the existing environment.
2 From the perspective of IT, even such a banal action as rebooting a system is very often utterly unacceptable in the case of OT solutions.
Following the division of CI presented in the “National Critical Infrastructure Protection Programme”,3 it needs to be emphasised that the role, nature, and type of ICT solutions utilised in individual CI systems are diametrically different. Below is a general overview of the ICT solutions used in distinct CI systems and of their working principles.
IT and OT solutions utilised in individual CI systems
The area that most heavily relies on OT solutions is the system of energy, energy resource and fuel supply, within which we can distinguish the generation, transmission and distribution of electric power, thermal energy and natural gas, the transmission and processing of crude oil, and coal mining. OT systems that are key to entities belonging to these sectors and responsible for monitoring and technological process control include SCADA (Supervisory Control and Data Acquisition), DMS (Distribution Management System) or, in the case of the energy industry, EMS (Energy Management System). Production facilities (e.g. power blocks in power stations or refinery installations) are controlled by means of DCS (Distributed Control System) solutions, i.e. comprehensive and integrated systems that are responsible for the control and visualisation of the industrial process.
Occasionally, in order to increase the capacity of the production process, APC-class (Advanced Process Control) solutions are applied, particularly those helping to minimise downtime, optimise installation maintenance and better adjust volumes and manufacturing methods to fluctuating macroeconomic needs.
Very similar solutions are utilised in the system of production, storage, and use of chemical and radioactive substances, as well as in the water supply system, where SCADA systems oversee the entire technological process.
In processing plants that are part of the food supply chain, individual industrial machines are controlled by means of dedicated PLCs (Programmable Logic Controllers) that carry out programmed instructions for specific production tasks. In more advanced facilities, MES (Manufacturing Execution System) solutions oversee the entire manufacturing process by collecting real-time data sent by the PLCs and facilitating immediate decision-making, which allows the production process to be effectively controlled and optimised, and any potential irregularities occurring during production to be detected and responded to.
ICT solutions utilised within the financial system face completely different challenges. Here, securing the confidentiality of financial data and providing control mechanisms warranting the integrity of the stored and processed data is of utmost importance. As practice and recent IT system breakdowns in the biggest banks in Poland demonstrate, temporary unavailability of financial services – be it a lack of access to cash on account or the inability to make credit card transactions – has become such a common phenomenon that a great majority of users find it hardly concerning or astonishing.
3 GCS, National Critical Infrastructure Protection Programme, http://rcb.gov.pl/wp-content/uploads/NPOIK-dokument-g%C5%82%C3%B3wny.pdf, [accessed: 06/06/2014].
Furthermore, IT solutions used in the banking system are intended to process large volumes of transactional data and need to possess outstanding analytical capabilities so that financial institutions can take informed decisions about the appropriate categorisation and stratification of their clients based on the user data collected. A similar challenge faces telecommunications entities, which decide on their approach to various groups of clients based on data about user activity in the telecommunications network, but above all determine the development of telecommunications infrastructure, which is crucial from the perspective of CI.
Another area where ICT technologies currently play an essential part is systems ensuring the continuity of public administration activities. However, the multitude of IT solutions used by separate administrative units and, at the same time, the absence of a proper, comprehensive approach to the security of the entire administration (e.g. based on the internationally recognised SABSA methodology – Sherwood Applied Business Security Architecture) results in disjointed – and therefore highly ineffective and costly – security solutions. Clearly, it needs to be remembered that not all ICT systems used in public administration are equally important; nevertheless, some of them, such as the ZUS (Polish Social Insurance Institution) systems which store information about the pension savings of millions of Poles, require advanced control mechanisms supported by response mechanisms for potentially adverse events. Nevertheless, a lack of a comprehensive view of the aspects of safeguarding the ICT systems supporting the functioning of the state will in the long term lead to imminent and successful attacks on this infrastructure and the weakening of its function.
Advances in technology not only create the need to continuously update the ICT-based solutions used in CI, but also generate the need for the government and regulators to constantly adapt legislation to the changing environment. The autonomous cars mentioned in the introduction will be unusable if the relevant legislative changes that put them into service are not implemented. Such a change, however, should not be made on the spur of the moment; its implementation must be preceded by a number of studies and decisions determining the target model. For instance, it will be necessary to answer the question of civil liability (what will happen if an autonomous car is the party at fault in a traffic collision). When autonomous cars become popular, thus increasing the risk of the control of the vehicle being taken over, will integrated communication systems built upon autonomous cars be classified as CI elements? Therefore, when discussing CI protection, the following questions need to be taken into account: what components currently comprise CI? How do organisational, process, or technical solutions (including ICT) support CI, and how should control mechanisms be defined to ensure the security of CI and, indirectly, of all citizens?
Summary
This chapter has presented two groups of ICT solutions – IT and OT – applicable to CI, whose undisrupted functioning is key from the point of view of CI security. It has described the fundamental differences between IT and OT (i.e. systems for industrial control processes) that are particularly important from the point of view of CI protection. The chapter has also demonstrated how individual IT and OT solutions are applied to particular CI systems.
6. Threats posed to the security of critical infrastructure in the context of the advanced application of ICT solutions – challenges for the state
Aleksander Poniewierski – EY
Before setting out to analyse the threats facing critical infrastructure (CI), or to be precise its ICT component, it is necessary to set the subject of analysis against the background of the technological changes that have occurred over the last three decades. These changes are fundamental to understanding the essence and gravity of threats in today’s technological world, both in the context of information technology (IT), which helps automate information and decision-making processes, and Operational Technology (OT), which serves to monitor and control industrial automation. These changes need to be considered from three main angles:
• economic change
• technological change
• organisational change
Clearly, there is a wide range of other factors that pose a threat to CI’s ICT systems, but the aforementioned have a fundamental and pivotal influence on today’s level of risk. It needs to be emphasised here that this phenomenon is not limited to our country, but has a global character and involves most installations, enterprises, and countries all over the world.
Economic change
The development of technology after World War II, especially during the 1970s and 1980s, was combined with the gradual departure from major outlays being dedicated to research and development conducted in the USA, Western Europe, Japan, and the countries of the Eastern Bloc. Such a turn of events resulted in the “patenting” of complete technological solutions while maintaining a fixed cost of their purchase. This complicated description of the automated world during the Cold War era could be simplified by comparing it to a situation in which a country or a concern spends a fortune to discover or enhance a given technology. As a result of long-term studies, a complete (the word has a crucial meaning) and self-sufficient technological solution would emerge. When installed in a given enterprise, the solution would contain producer-specific industrial automation as well as the means to control, model, and monitor it. Quite often the IT and OT solutions developed during the research and development process were specific to a given technology and its specific version.
Therefore, when we discuss the cost of a new installation, for instance a new switchboard, a new power block, or a new hydrocracking system, we in fact speak about a manufacturer-specific “turnkey” technology. Moreover, this technology was sold and delivered throughout the entire depreciation and operation period, which excluded the scenario of setting up the installation in order for it to be subsequently serviced and maintained internally by the company’s IT and OT services. It could be argued that any such interference by these services would result in a loss of warranty or a refusal to repair the damage. Hence, until the second half of the 1980s, the economics of applying IT and OT solutions referred to the technology as a whole and not to its single IT components and industrial automation.
In addition, in the 1990s and at the beginning of the 21st century, strong pressure to cut costs emerged while technology-related patents started to expire. For this economic reason (pricing pressure, cost pressure), a need arose to seek savings in technological solutions. What happened next was a great wave of standardisation of IT and OT solutions. Instead of dedicated operating systems and programming languages, classic and widely available corporate systems were introduced; instead of dedicated communications solutions and galvanically isolated transmission networks, corporate and public networks were used. This change fundamentally reduced the costs of the solution, both its purchase and maintenance. In addition, there was a strong tendency to look for cheap production facilities across Eastern markets, initially in Thailand and Malaysia, and finally China. This not only brought down the price even further due to the lower cost of manufacturing, but more importantly, it gave birth to cheap substitutes manufactured by Chinese or Korean concerns. Thus, it could be concluded that the economic change (pricing pressure) altogether changed the technological market and was key to shaping the IT and OT technologies applied in CI systems.
Technological change
We have analysed above the impact of the economic change resulting in IT and OT technological modifications in critical infrastructures. This section will discuss the technological change related to the facets of scale and computing speed. This issue is often overlooked in studies devoted to the safety of IT and OT solutions. Since these changes have a considerable impact on security, these problems should be examined more closely. The above-mentioned rapid technological change that took place during the Cold War was a peculiar type of arms race. Acting as a barrier to technological exchanges between West and East, CoCom (the Coordinating Committee for Multilateral Export Controls) was supposed to restrict access to technologies, particularly in the IT and OT sectors which today are the foundation of CIs worldwide. Individual installations (production facilities) created IT and OT technological solutions that were specific to a given plant or refinery. Throughout years of service, they generated requirements for specific technological changes (improvement suggestions) adopted by technology producers and transferred to other installations. Alas, technological advancement and the need for a rapid expansion of installations (following the opening of the Eastern market and the transfer of production to Asian countries in particular) made it necessary to delocalise the teams providing maintenance management solutions, mainly for IT and OT systems. Remote supervision of installations was introduced and, most importantly, producers’ wide-ranging Configuration Databases were established, containing information about all elements of the installation. It also became necessary to provide fully mobile installers equipped with laptops and mobile devices as well as to share the ICT systems described above. For this reason (i.e. the scale and mobility as well as the diversity of service and maintenance teams), the standardisation of protocols (their publication) and the openness of signal-coded command-and-control servers (SCADA) were pursued. If we add to this an economically enforced replacement of technology-specific operating systems and databases with generally available market-based solutions, we get a picture of a technological environment transformed uncontrollably into an architecturally incoherent conglomerate of connections that is highly susceptible to disruption and interference. Despite this, a popular belief prevails about the high reliability and immunity of this environment. It is one of the most misleading pictures of the IT and OT technological environment which underlies the security of the countries’ CIs.
Organisational change
The above sections have alluded to the organisational layer on numerous occasions. In the context of CI security, the change in this area appears particularly important. Again, if we go back fifty years, the group who maintained technological solutions was a line of their users whom the manufacturer of the technology in question reduced to teams performing orders according to a list available in the facility and provided by the supplier. On the other side, there was a dedicated, highly qualified group of engineers that continuously and rotationally monitored the installation in different environments.
In such an organisation, the self-controlling organism equipped with checkpoints and maintenance windows could operate continuously. The organisation was concerned with only one element, namely to preserve the culture of the “mentor and apprentice”. Such structuring of the educational process was necessary and sufficient to ensure the continuity of installation activity. What it meant in practical terms was that, on the one hand, vocational (job training) schools attached to plants were established in which the facility’s workers-mentors trained young employees from the new generation (operators); on the other hand, engineering schools were founded (mainly associated with technology producers and therefore set up in Western Europe), educating staff who were familiar with a given technology and had potential for its development. Unfortunately, the balance between these two elements, educational and organisational, has been disturbed these days, which has a knock-on effect on security.
Contemporary threats associated with CI’s Information and Communication Technologies systems
Contemporary threats are to a large extent associated with the changes described above. Being aware of the source of threats is a prerequisite for knowing how to develop security mechanisms. Without this knowledge and awareness, any activities undertaken to enhance security will be futile. The diagram presented below outlines the classification of threats reflecting the selection of particularly important groups of threats which can be further broken down into groups specific to CI solutions and areas. This article is not aimed at providing a systematic and complete description of all groups of threats. Instead, it focuses on those constituting core elements that need to be acted upon.
Poor awareness and a lack of education pose by far the highest threat to the security of CI’s IT and OT systems and should be mentioned first. The owners of CI installations (facilities) have poor awareness of the ICT-related IT and OT risks and threats. Being unaware of the influence of the economic, technological, and organisational changes on security and, as a consequence, lacking knowledge about the effects they produce for the functioning of CI, constitute fundamental risk factors. These problems are well worth highlighting, as the lack of awareness leads to insufficient interest in the subject, no funds being raised for safeguarding CIs, and an overall lack of understanding of the scale of interconnections between CI facilities. This, in consequence, leads to a situation where even a single unsecured link weakens the entire chain. Unfortunately, the above-mentioned lack of awareness is also attributable to the ruling authorities (a large part of business people owning enterprises that comprise CI) as well as the managerial and executive staff. This leads to the conclusion that insufficient awareness at all levels lulls everyone into a false sense of security, the worst case scenario for those involved in risk management. The absence of systemic education provided at the levels stated above is very strongly connected to this threat. This applies to systemic education (schools and universities) which educates managerial staff, but also personnel that would be capable of preventing security incidents affecting CIs, e.g. sabotage or hacking activity. It needs to be remembered, however, that it takes about 7 years for an educational cycle to complete, so these are long-term actions, impossible to accomplish over a short period of time.
Another threat group is related to change management. This concept should be understood as a chain of actions involving the change of technology, organisation, or ownership of IT and OT systems, but also a spectrum of factors linked to cultural change within the organisation. The latter is a consequence of mergers and acquisitions between companies or a result of legislative and regulatory changes. Project changes that introduce complete and new technological solutions to the chain of CIs, such as IT and OT, open solutions, or smart grids, are particularly significant for the security of CI. The scope of indirect IT and OT network modifications is so large that it is impossible for it to be thoroughly examined and managed accordingly without holistic architectural planning. The last category within the group of change-related threats involves performance testing. At present, the issue of CI’s IT and OT system testing is a highly complex and critical problem. The absence of an appropriate methodology for testing solutions and for the behaviour of organisations in the event of an unexpected error is a serious global problem.
The third group of threats is related to the change in the IT and OT economic and material security paradigm. Generally speaking, the threat involves a radical lowering of the possible and economically justifiable financial means dedicated to safeguarding IT and OT. The change (reduction) of outlays for IT and OT infrastructures entails a change in the economically justifiable spending on safeguards.[1] Under the scenario of economic and technological changes described above, possible expenditure on safeguards is reduced, which at the same time results in a rapid, if not radical, increase in needs arising from a heterogeneous architecture. As a consequence, we are facing a problem that will increasingly re-emerge over time while conventionally appraised and mandatory safeguards to minimise the risk will consume tens of millions of Polish zloty. At the same time, the (material) value of the infrastructure itself will increasingly diminish. We will face a dilemma on whether we should safeguard or perhaps replace altogether particular sections of infrastructure. We will also face (or in fact already are facing) a dilemma on whether we should apply cheap solutions for mainstream applications (technology) such as cloud computing, use unified solutions, or perhaps view them through the prism of potential risks. In order to understand the extent of the threat, it is necessary to picture how much cloud computing is changing the need for safeguards.
[1] The economic paradigm of security assumes that the costs of safeguards can, at most, equalise the loss, but in general they should be lower.
A fourth group of threats that are fundamental to IT and OT is technology dissemination and its general availability. In earlier years, when CI installations applied specialised and unique solutions, their security could only be threatened by accidental errors in production, misuse of ICT systems, or deliberate sabotage by individuals having authorised access. Today, it is possible (without running into much trouble) to take over the control of individual elements of CI without the need to be physically present near the installation. There is a chance that even untrained individuals who are hundreds or thousands of miles away can take over the control of the production system or its individual components. Furthermore, such activities are run by organisations either established at the state level or supported by the state (officially or unofficially), but also by non-governmental organisations and entities, which constitutes a real threat to the security of countries. It is precisely this group of threats (involving the dissemination of technology) which decision makers nowadays find most “spectacular” and persuasive. The issues described above hold the key to understanding its essence. This group of threats has another, more complicated and unknown dimension, namely sourcing. Enigmatic-sounding yet widely prevalent in the realms of IT and OT, the word comes down to only one thing: those who create the technology and control its development have the knowledge about potential problems associated with it and can take advantage of the existing security loopholes. In the coming years, this issue (transparency of technology) will give rise to widespread controversies and concerns. This is a key challenge.
The last group of threats for CI’s Information and Communication Technologies systems are ICT solutions themselves. Although OT and IT systems are critical to the functioning of CI, they are poorly looked after (due to the lack of education on the one hand, and on the other hand the safeguarding and monitoring solutions currently applied), thus constituting the weakest link of the countries’ CIs. This makes them particularly vulnerable to attacks instigated by terrorists, hostile governments, and criminal organisations whose actions may be targeted at the incapacitation of CI, its destabilisation, and in the worst case scenario, its destruction.
This may seem like a bold conclusion but, figuratively speaking, why should we ever assume that the electronics applied in the latest versions of a luxury BMW or Ferrari will be their weakest link? According to the principles of security, overcomplexity and a lack of transparency pose the greatest risk. We are afraid of what we do not understand and cannot fully use without the necessary knowledge. Then, the very object of use becomes a threat in itself. This last, slightly provocative group of threats is often touched upon at international conferences or expert forums where questions are being raised about the scale of applying ICT solutions in CI. These questions are about the future of such solutions and how to effectively safeguard and monitor them. These queries are in fact questions about security.
Summary
In this chapter the author has analysed three types of changes that took place in the realm of
ICT solutions being applied to CI today. Based on these changes, four main groups of threats
have been distinguished that should be