Unfinished Business for Critical Infrastructure
Although Spain has extensive regulations on critical infrastructure protection, it still faces significant challenges in this area, such as coordinating responsibilities, updating the risk catalogue, periodic audits, training plans and comprehensive security management. Representatives of several associations and the Ministry of the Interior explain the major challenges facing the sector.
Spain has extensive regulation on critical infrastructure protection (CIP) that has developed continuously but still suffers from significant shortcomings in this area. Eduard Zamora is Chairman of ADSI, the Association of Integrated Security Managers. He says that one of the current challenges is to “coordinate and clearly define the responsibilities of the CISO (Chief Information Security Officer) and the CSO (Chief Security Officer) in each critical operator’s organisation charts.” In his opinion, “they should clarify how to coordinate and distribute their scopes to achieve the best integrated management of the risks under their responsibility.”
He also believes that there is a need to clarify ambiguities and duplication of functions: both existing responsibilities and those added by each new regulation. “It’s not about which of the two should lead the overall process, and it could well be their shared superior officer rather than one of them, but about clearly assigning their scopes of action.” A second challenge for the sector is to update the risk catalogue, “not just conventional incidents like natural disasters, sabotage, vandalism or terrorism, but adding specific precautions against things like biological attacks, bioterrorism, drones, and computer attacks”, says Zamora.
There are other challenges, such as “periodically auditing the integrated safety management organisation for these infrastructures,” and having “comprehensive training plans adapted to each sector and critical operator, and keeping them periodically updated.”
Business Continuity Plans
According to sources at CEUSS (Business Confederation of Security and Service Users), Law 8/2011, establishing measures for the protection of critical infrastructure, refers to such protection as “the set of activities to ensure the functionality, continuity and integrity, to prevent, mitigate and neutralise the damage caused by a deliberate attack.”
Events during the first few months of the pandemic highlighted the importance of “all essential services reviewing our business continuity plans, both business-specific and corporate.” The CEUSS representative also says that Coronavirus has shown us that society needs to re-evaluate essential services, “so it’s foreseeable and desirable that there should be a new cataloguing of critical operators and infrastructures.”
Finally, he emphasises that changing from the specific protection plans model to one based on certification will be “an opportunity to make company boards aware of the importance of integrated security management, both physical and of industrial information and control systems,” as well as for “maintaining investment levels, even during an economic crisis, strengthening the corporate structures and departments in this area, and keeping planned projects on time and on budget.”
Essential Services
Fernando José Sánchez Gómez is Director of the National Centre for Critical Infrastructure Protection (Ministry of the Interior). He reminds us that today’s society is increasingly dependent on essential services, most of which are provided by critical infrastructure (CI). And he warns that “the interruption or destruction of a CI can lead to a cascade of adverse effects, dragging in its wake other systems or facilities, with a severe impact on essential services to citizens and the functioning of government.”
In this context, he points out that “it’s precisely this situation of mutual dependence, typical of today’s globalised society, which presents the greatest risk to the security of our critical infrastructure system. So, it’s essential that all the agents involved in providing essential services and ensuring their security (both critical operators and the authorities) play their part, as the security of the entire chain is only as strong as the weakest link.”
As the years go by, he explains, new risks arise, primarily from advances in technology, which “threaten the industrial operating technologies and control systems of our infrastructures, or through external factors that are difficult to control, such as RPAs or drones.” However, “the greatest danger is the lack of overall vision and generosity of some operators and authorities who fail to understand that preventing and reacting to a global threat implies developing comprehensive and wide-ranging strategies, beyond narrow corporate and personal interests.”
Thus, he concludes that there is a need to act fundamentally on the organisation itself, creating integrated and robust security structures and departments. “It’s about uniting capabilities, not splitting them up, about seeing what’s good for the whole organisation, not creating or maintaining separate fiefdoms.”