Towards a Baltic Sea Region Strategy in Critical ... - Helsinki.fi

More documents

Recommendations

Info

CRITICAL INFRASTRUCTURE PROTECTION IN THE BALTIC SEA REGION This brief comparative review illustrates that the countries and organizations differ in their interpretations and definitions of what are infrastructures and how to measure their criticality. While there seem to be no antagonistic contradictions, the issue is nevertheless not only about adding this or that sector or sub-sector to the list of CI as there are more fundamental paradigmatic differences. The Nordic countries, particularly, seem to have adopted broader concepts than the EPCIP offers. This does not have to be a problem, however, if there is a way to combine these different approaches without limiting the broadness of the national concepts and widening the EPCIP concept. The Norwegian model (Figure 7) may offer a hint of how these broader functionality-based approaches could coexist smoothly, with the more limited CI approach basically matching the EU’s CI definition. 1.4 PROTECTION – AGAINST WHAT? If the above-mentioned assets, infrastructures, sectors or functions should be particularly protected, then the next question is: against what? It seems that the threat picture is more of a variable than fixed, shifting considerably depending on the country in question and its recent experiencies. Cyber threats or physical threats? While the answer to the subtitle’s question seems obvious – Both! – in practice finding the right balance is sometimes hard because the issue is largely affected by historical events. Each new catastrophe creates a learning process that is reflected in the CIP debates and strategies. Thus Moteff (2003) and Moteff et al. (2003) have argued that before 9/11 CIP in the United States mainly focused on cyber security. According to Moteff (2003), it was the 9/11 attacks and subsequent anthrax attacks that demonstrated the need to re-examine physical protection of CI. Indeed, while this description is open to interpretation, 20 if one takes a look at the key policy documents on CIP before 9/11, namely the 1997 report of the “President’s Commission on Critical Infrastructure Protection” (PCCIP 1997) and the 1988 “Presidential Decision Directive” on CIP (PDD 1998), this argument can with some qualification be defended. In analyses of the implementation of the PDD implementation on the eve of 9/11 the focus was still clearly on cyber threats 21 . Though both the above mentioned official documents carry the notion of physical threats, the spirit of them is that one should prepare in addition or perhaps in particular for previously neglected cyber threats, because of the growing technological, computerized interdependencies between the different functions and infrastructures. Thus, the PCCIP puts it as follows: 20 This argument might be somewhat too strong, if take into consideration that e.g. Hagelstam (2005), Fritzon et al. (2007) and most others, who have traced the roots of the CIP in the United States argue (somewhat in contradiction to Moteff’s claim) that the US CIP development was a direct consequence of the Oklahoma 1995 bombing. 21 See e.g. Moteff (2001) as an example of this kind of analysis. 26 NORDREGIO REPORT 2007:5
CHAPTER I: INTRODUCTION “Physical means to exploit physical vulnerabilities probably remain the most worrisome threat to our infrastructures today. But almost every group we met voiced concerns about the new cyber vulnerabilities and threats. They emphasized the importance of developing approaches to protecting our infrastructures against cyber threats before they materialize and produce major system damage.” (PCCIP 1997, p. 5) Consequently, the PCCIP states that it “looked at both physical and cyber threats; however, we concentrated on the fundamentally new security challenges presented by networked information systems.” (PCCIP 1997, p. 30) This is essentially a question of whether we should speak about CIP or Critical Information Infrastructure Protection (CIIP), or what the similarities and differences of these concepts are and how are they related. Indeed, CIP and CIIP are often used inconsistently. Dunn (2006, p. 28) defines CIP as a larger concept, and the majority of methods and models are designed and used for it. Critical Information Infrastructure (CII) is then often treated as a special part of overall CI. Dunn argues further that the concepts should not be discussed as completely separate entities. “While CIP comprises all critical sectors of a nation’s infrastructure, CIIP is only a subset of a comprehensive protection effort, as it focuses on the critical information infrastructure. The lesson from this seems to be that an exclusive focus on cyber-threats that ignores important traditional physical threats is just as dangerous as the neglect of the virtual aspect of the problem.” (Dunn 2006, p. 29) Dunn and Mauer (2006) continue this line of argument by stating that CII underpins many elements of the CI, as many information and communication technologies (ICT) have become all-embracing, connecting other infrastructure systems and making them interrelated and interdependent. CII has become more important in particular due to its growing role in the economic sector, its interlinking position between various infrastructure sectors, and it essential role for the functioning of other infrastructures. CIIP is naturally a central element of any country’s and organization’s CIP strategy (cf. Tables 2 - 8). In the EPCIP and related EU documents the crosssectoral importance of CIIP is emphasised and the issue is seen in some respect from two perspectives. On the one hand, ICT or a large part of it is an essential CI itself due to its impact on economies and societies. On the other hand, the ICT infrastructures offer new opportunities for criminal conduct that crosses many sectors and borders and causes extensive financial damage. (Commission 2000) Consequently the EU definition of CII is: “ICT systems that are critical infrastructures for themselves or that are essential for the operation of critical infrastructures (telecommunications, computers/software, Internet, satellites, etc)” (Commission 2005b). The CIIP is defined as: “The programmes and activities of infrastructure owners, operators, manufacturers, users, and regulatory authorities which aim at keeping the performance of critical information infrastructures in case of NORDREGIO REPORT 2007:5 27
Page 1:
Towards a Baltic Sea Region Strateg
Page 4 and 5:
Nordregio Report 2007:5 ISSN 1403-2
Page 6 and 7:
5.4 Impacts caused by terrorism, na
Page 8 and 9:
CRITICAL INFRASTRUCTURE PROTECTION
Page 11 and 12:
PREFACE PREFACE With the Commission
Page 13: PREFACE The study includes tens of
Page 16 and 17: CRITICAL INFRASTRUCTURE PROTECTION
Page 39: CHAPTER I: INTRODUCTION CHAPTER I:
Page 95 and 96: CHAPTER II: ELECTRICITY 2 ELECTRIC
Page 97 and 98: CHAPTER II: ELECTRICITY electricity
Page 99 and 100: CHAPTER II: ELECTRICITY Recent clim
Page 101 and 102: CHAPTER II: ELECTRICITY Figure II
Page 103 and 104: CHAPTER II: ELECTRICITY possibiliti
Page 105 and 106: CHAPTER II: ELECTRICITY continental
Page 107 and 108: CHAPTER II: ELECTRICITY Indirect Im
Page 109 and 110: CHAPTER II: ELECTRICITY fire depart
Page 111 and 112: CHAPTER II: ELECTRICITY • Local c
Page 113 and 114: CHAPTER II: ELECTRICITY these, syst
Page 115 and 116:
CHAPTER II: ELECTRICITY • long in
Page 117 and 118:
CHAPTER II: ELECTRICITY • The net
Page 119:
CHAPTER II: ELECTRICITY centres etc
Page 123 and 124:
CHAPTER III: INFORMATION AND COMMUN
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 151 and 152:
Page 153 and 154:
Page 155 and 156:
Page 157 and 158:
Page 159 and 160:
Page 161 and 162:
Page 163 and 164:
Page 165 and 166:
Page 167 and 168:
Page 169 and 170:
Page 171 and 172:
Page 173 and 174:
Page 175 and 176:
Page 177:
Page 181 and 182:
CHAPTER IV: OIL TRANSPORTATION AND
Page 183 and 184:
Page 185 and 186:
Page 187 and 188:
Page 189 and 190:
Page 191 and 192:
Page 193 and 194:
CHAPTER IV: OIL TRANSPORTATION ANDM
Page 195 and 196:
Page 197 and 198:
Page 199 and 200:
Page 201 and 202:
Page 203:
CHAPTER V: GAS CHAPTER V: GAS Sven
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
Page 212 and 213:
Page 214 and 215:
Page 216 and 217:
Page 218 and 219:
Page 220 and 221:
Page 222 and 223:
Page 225:
CHAPTER VI: WATER CHAPTER VI: WATER
Page 228 and 229:
Page 230 and 231:
Page 232 and 233:
Page 234 and 235:
Page 236 and 237:
Page 238 and 239:
Page 240 and 241:
Page 242 and 243:
Page 244 and 245:
Page 246 and 247:
Page 248 and 249:
Page 250 and 251:
Page 252 and 253:
Page 254 and 255:
Page 256 and 257:
Page 258 and 259:
Page 260 and 261:
Page 262 and 263:
Page 264 and 265:
Page 266 and 267:
Page 268 and 269:
Page 270 and 271:
Page 272 and 273:
Page 274 and 275:
Page 276:
show all

Towards a Baltic Sea Region Strategy in Critical ... - Helsinki.fi

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?