Europe's program for critical infrastructure protection

Timon Singh

When it comes to a country or a region preparing itself and its response to serious incidents, its critical infrastructure protection and contingencies are key. In America, this generally falls under the American President directive of PDD-63 or Homeland Security, but in Europe it all falls under the 'European Programme for Critical Infrastructure Protection' or EPCIP.

In June 2004, the European Council asked for preparation of an overall strategy to protect critical infrastructure. The Commission adopted on 20 October 2004 a Communication on Critical Infrastructure Protection in the Fight against Terrorism which put forward suggestions on what would enhance European prevention, preparedness and response to terrorist attacks involving Critical Infrastructures (CI).

The Council conclusions on "Prevention, Preparedness and Response to Terrorist Attacks"and the "EU Solidarity Programme on the Consequences of Terrorist Threats and Attacks" adopted by Council in December 2004 endorsed the intention of the Commission to propose a European Programme for Critical Infrastructure Protection (EPCIP) and agreed to the setting up by the Commission of a Critical Infrastructure Warning Information Network (CIWIN).

As a result of the European Commission's directive EU COM(2006) 786 which designates European critical infrastructure that, in case of fault, incident or attack, could impact both the country where it is hosted and at least one other European Member State, all member states were obliged to adopt the 2006 directive into their national statutes.

This not only applied to the main area of the EU, but also to the main European Economic Area.

New threats

While the European Programme for Critical Infrastructure Protection was a reaction to the 9/11 attacks in New York, the Madrid train bombing in 2004 and the London Underground attacks in July 2005, the threat to the continent's transport, energy and communication infrastructure has continued to change and evolve over the past few years and now doesn't just cover terrorist attacks or potential natural disasters but also cyber security.

On 30 March 2009, European Commission Directorate General Information Society and Media released a communication on Critical Information Infrastructure Protection that would symbolise cooperation between both the US and EU.

The proposal stated that;

Apart from the declarations, we need to define the building blocks of international cooperation. In particular:

a. Research funds that can be obtained by international consortia (all US and UE funds are closed only to US or EU members)

b. Cooperation legislation framework: a new legislation framework should be defined in order to allow exchange of data (data sets for researchers), information sharing (threats, vulnerabilities, incidents) and information exchanges between operators and government agencies from the same sectors

c. Establish clear point of contacts and responsibilities: who do you contact in US or EU in case of incidents/attacks

d. Exercises and simulations

With cyber attacks becoming more frequent such as attacks on Google and Yahoo, they now fall under the umbrella term of critical infrastructure protection which aims to protect all the main elements of society's infrastructure, which today is the internet.

In 2004, the Commission used this broad description.

"Critical infrastructures consist of those physical and information technology facilities, networks, services and assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of citizens or the effective functioning of governments in the member states. Critical infrastructures extend across many sectors of the economy, including banking and finance, transport and distribution, energy, utilities, health, food supply and communications, as well as key government services."

Of course critical infrastructure protection also covers the likes of the continent's energy, nuclear, information, water and food, health, financial, transport (including air and maritime), chemical and space research sectors.

However it is not the only sector under threat. In a article by Bruce Averill and Eric A.M. Luiijf for the Journal of Energy Security, it was noted that over the past decade, a series of events has highlighted the vulnerability of the electric grid and other energy infrastructures to both cyber disruptions (due, e.g., to malware) and from outside attacks using cyber methods.

"Perhaps the most compelling examples have been the extensive blackouts in the Northeastern US and Western Europe during the late summer and early fall of 2003. They demonstrated in a convincing way the fragility of the energy infrastructure and the possibility of cascading failures due to problems with control system hardware and/or software."

To read the rest of 'Canvassing the Cyber Security Landscape: Why Energy Companies Need To Pay Attention', click here.

Relevant articles:

The future of Europe's gas infrastructure | Green Infrastructure | How the World Cup fuels infrastructure inv...