José Luis Pérez Pajuelo (CNPIC): The operation of critical infrastructure is indispensable

Critical infrastructures are those whose functioning is essential and for which there are no viable alternatives. Therefore, their disruption or destruction would have a severe impact on essential services, as explained in the following interview with José Luis Pérez Pajuelo, Director of the National Centre for the Protection of Critical Infrastructures (CNPIC) under the Spanish Ministry of the Interior. This expert explains how the security of such infrastructures should be reinforced and highlights the importance of public-private collaboration in this area.
What types of infrastructures and facilities can be considered critical in Spain?
Critical infrastructures are defined in Article 2 of Law 8/2011 of 28 April, which establishes protective measures for them. They are strategic infrastructures whose functioning is indispensable and for which no alternative solutions exist—meaning that their disruption or destruction would have a grave impact on essential services.
As stated in Article 5 of Royal Decree 704/2011 of 20 May, which approves the Regulation on the Protection of Critical Infrastructures, the Ministry of the Interior, through the Secretary of State for Security, is responsible for classifying an infrastructure as strategic and, where applicable, as a critical infrastructure or European critical infrastructure, and for including it for the first time in the National Catalogue, after verifying that it meets one or more of the horizontal criticality criteria outlined in Article 2(h) of Law 8/2011.
The process of identifying an infrastructure as critical is carried out by the CNPIC, which may request the participation and advice of the infrastructure operator and of other agents within the Critical Infrastructure Protection System, who will later be informed of the result. All of this is done based on horizontal criticality criteria, meaning the parameters used to determine the level of criticality, severity, and consequences of the disruption or destruction of a critical infrastructure, within any of the State’s strategic sectors: energy, health, transport, food, etc.
How should security of these infrastructures be reinforced?
Law 8/2011 establishes that, as an essential requirement for the designation of critical operators—whether public or private—at least one of the infrastructures they manage must be considered critical infrastructure. This designation is based on a proposal, which the CNPIC will always communicate to the operator before proceeding with its final classification and inclusion in the National Catalogue of Strategic Infrastructures.
In this regard, the Regulation on the Protection of Critical Infrastructures lays out the procedure for the designation of critical operators. Once this status is determined, the operators must develop specific protection plans to ensure adequate protection of the infrastructures identified. These plans must include an appropriate risk analysis, from which action plans and the implementation of protective measures will be derived, aligned with the results of the analysis. This is complemented by an action plan developed by the security force responsible for protecting that specific infrastructure. Therefore, the security plan for each infrastructure differs from that of others; each requires its own specific plan.
What is the sequence of these plans?
On one hand, there is the Operator Security Plan (OSP), which must be periodically updated. These plans are strategic documents outlining the general policies of critical operators to ensure the security of all installations or systems under their ownership or management. As stated in Article 22.3 of Royal Decree 704/2011 of 20 May, “The Operator Security Plans must establish a risk analysis methodology that ensures the continuity of the services provided by the operator and must include the criteria for applying the different security measures to address the physical and cyber threats identified for each type of asset.”
On the other hand, a Specific Protection Plan (SPP) must be created for each infrastructure deemed critical and included in the National Catalogue for the Protection of Strategic Infrastructures, and these must also be regularly updated. These plans, as set out in Article 25 of Royal Decree 704/2011 of 20 May, are “the operational documents in which the specific measures already adopted and those to be adopted by critical operators must be defined to guarantee the comprehensive (physical and logical) security of their critical infrastructures.” Moreover, “the Specific Protection Plans for the various critical infrastructures shall include all measures that the respective critical operators deem necessary based on risk analyses carried out regarding threats—particularly those of terrorist origin—on their assets, including information systems.”
The Resolution of 8 September 2015, by the Secretary of State for Security, establishes the minimum contents that a critical operator must consider when designing and developing their Operator Security Plan (OSP). This resolution states that the critical operator must set out in the OSP the risk analysis methodology or methodologies used, as well as, in the Specific Protection Plan (SPP), the results of the comprehensive risk analysis conducted on the critical infrastructure to be protected.
With these planning tools, critical operators take on the obligation to collaborate in the identification of such infrastructures, specify the security policies to be implemented, and implement general protection measures—both permanent and temporary—that may be adopted to prevent, protect against, and respond to potential deliberate attacks.
What role do companies and security equipment suppliers play in this field?
According to Ministerial Order (MO) 316/2011 of 1 February on the operation of alarm systems in the field of private security, Article 2.1.d, the systems to be installed in critical infrastructures must be Security Grade 4. This corresponds to high-risk installations, as defined by UNE-EN 50131-1 Standard (Section 6). Thus, all equipment included in the design of these installations must be certified in accordance with this standard, wherever possible.
Additionally, given the nature of the facilities being protected, the protection level assigned according to UNE 50131-7 will also be Grade 4, equivalent to high risk, where security takes priority over all other factors.
As established in Transitional Provision One of MO 316/2011, when a security system requires the use of components that are not available on the market at the time of installation, according to the standards outlined in Article 3.1 of that Order ("Any element or device forming part of an alarm system covered by private security regulations must meet at least the grade and characteristics established in UNE-EN Standards 50130, 50131, 50132, 50133, 50136, and UNE CLC/TS 50398, or those replacing these standards, as applicable and in force"), their use will be permitted, provided their absence does not negatively affect the system’s operational performance. The continued use of other elements in the system will be subject to the future publication of technical specifications regulating them and their availability in the market.
According to Article 46 of the Private Security Regulations, to connect devices, equipment, or systems to alarm centres or control centres, the installation must be carried out by a security company registered in the appropriate registry and must comply with Articles 40, 42, and 43 of said Regulation and the provisions of MO 316/2011.
Regarding the installation project, Article 42 of the Regulation specifies that it must be prepared in accordance with the UNE-CLC/TS 50131-7 Standard, which sets out the design, installation, operation, and maintenance features of intrusion alarm systems, aimed at achieving systems with minimal false alarms.
The mandatory installation certificate referred to in Article 42 must ensure that the project has been carried out in accordance with the aforementioned UNE Standard and complies with the intended objectives outlined in that article.
What prevention and protection measures are required?
The Resolution of 15 November 2011, by the Secretary of State for Security, which sets the minimum contents of Operator Security Plans and Specific Protection Plans in accordance with Royal Decree 704/2011, states in Annex II, Article 4 (Minimum Content Guide for Specific Protection Plans) that the Operator must describe the security measures (protection of facilities, equipment, data, base software and applications, personnel, and documentation) implemented. Among these, examples of prevention and detection measures are provided.
These include physical and electronic security measures and elements for perimeter protection and access control, such as fences, security zones, intrusion detectors, video surveillance/CCTV cameras, gates and locks, number plate readers, security arches, turnstiles, scanners, active cards, card readers, etc., and logical security measures and elements such as firewalls, DMZs, IPSs, network segmentation and isolation, encryption, VPNs, user access control elements and measures (tokens, biometric controls, etc.), secure installation and configuration of technical elements, event and log correlators, malware protection, etc.
Regarding Coordination and Monitoring, the regulation refers to the Security Control Centre (alarm control, image reception and viewing, etc.), surveillance teams (shifts, patrols, staffing levels, etc.), and communication systems, among others.