3. State of play in the governance of critical infrastructure resilience

Critical infrastructure strategies and programmes

Comprehensive multi-sectoral public policies to support the resilience or protection of critical infrastructures began to appear in the mid-2000. Out of the 34 OECD countries who responded to the Survey on the Governance of Critical Risks, 90% indicated that they have designated specific infrastructure sectors as critical (OECD, 2018[2]). Many OECD countries have defined critical infrastructure sectors, established an inventory of assets through a criticality and risk assessment process, and set-up national programmes to strengthen their resilience to shocks. Such programmes are usually built on a governance mechanism that allows information sharing between government and critical infrastructure operators and includes a combination of policy tools ranging from regulation to incentive mechanisms to support the implementation of critical infrastructure resilience objectives. A list of these national strategies or programmes is provided in Annex 1.

This section of the report goes into more details of how these national policies are designed and implemented, with the aim to provide a state-of-play across OECD countries. Country’s responses to the OECD Survey on Critical Infrastructure, conducted in 2017-2018, helped inform this section (the overall results are presented in Annexes 3.A to 3.D). Twenty-five OECD countries responded to the survey: Austria, Belgium, Canada, Czech Republic, Estonia, Finland, France, Germany, Ireland, Israel, Korea, Latvia, Luxembourg, the Netherlands, New Zealand, Norway, Poland, Portugal, Slovak Republic, Spain, Sweden, Switzerland, Turkey, the United Kingdom and the United States.

Definitions of critical infrastructure vary across countries

Defining critical infrastructure is a necessary first step in setting up a critical infrastructure security and resilience policy. As shown in Annex 3.A, official definitions of critical infrastructure vary across countries. Some definitions refer to critical infrastructure as infrastructure whose functioning is vital or essential to economic and social well-being, while others stress their importance for the functioning of the State or national security.

In half of the 28 definitions gathered from the survey and desk-research, critical infrastructure is described as a combination of both vital processes for societal well-being and a security concern of the state. The other half remain focused on societal well-being and safety only.

Another observation reveals the growing concern around interconnectedness and interdependencies of critical infrastructure and the need to adopt a system’s approach. This is found in many definitions that define in detail critical infrastructure as a combination of networks, systems, facilities, and technologies that contribute to delivering essential services or support vital functions. Other definitions also include the institutional or organisational structures supporting service delivery.

Although definitions vary, it may be agreed that an overarching notion of critical infrastructure means that a disruption will have severe consequences on socio-economic well-being and public safety, including national security. Australia, Canada, New Zealand, the United Kingdom, and the United States have developed a shared narrative and definition of critical infrastructure, also known as nationally significant infrastructure: the ‘systems, assets, facilities and networks that provide essential services and are necessary for the national security, economic security, prosperity, and health and safety of their respective nations (Critical Five, 2014[34]).

An important aspect is that definition of critical infrastructure should not be static and updating and revising this definition can be a response to a dynamic national and international risk landscape. For instance, Switzerland is currently reviewing and simplifying its definition to “Critical infrastructures are processes, systems and facilities that are essential for the functioning of the economy and the well-being of the population, respectively.” This simplification will allow to adjust the scope of its critical infrastructure programme to changing conditions more easily than before when the definition was more prescriptive. Similarly, in the United Kingdom, the definition has evolved to include impacts on national security, national defence, or the functioning of the state among the criteria to define critical national infrastructure.

What are the critical infrastructure sectors?

The aim of defining critical infrastructure is to target sectors that are most crucial to societal and economic security and stability. Along with the definitions, lists of sectors also vary across countries. A comparative table that maps out sectors deemed critical infrastructure allows to survey general trends and sectors that are more country-specific. The table in Annex 3.C presents a cross-country comparison of how countries differ on categorising critical infrastructure sectors, while Figure 3.1 makes a synthesis of the most commonly types of critical infrastructure sectors across OECD countries from the OECD survey.

Figure 3.1. Sectors of designated critical infrastructure across OECD countries

Note: Answers received from 25 OECD countries.

Source: OECD Survey on Critical Infrastructure Resilience and Security (2018)

Some countries have a large number of critical infrastructure sectors, like the United States with 16 different sectors (White House, 2013[43]). Other countries can limit their critical infrastructure policy to two sectors only, such as Portugal, with only electricity and transportation considered as critical infrastructure sectors as per the provisions of the 2008 Directive of the European Council on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (European Council, 2008[44]).

Overall, six sectors are widely classified as being critical across OECD countries: information and communication technologies, energy, finance, health, transport and water. A second group of sectors, including government, food supply, chemical industry, or public safety, is mentioned as critical in at least half of the responding countries. Other sectors appear to be more country-specific. This includes law enforcement, nuclear, dams and food defence, critical manufacturing, the defence industry of the space sector that are not considered as critical for the functioning of society for a vast majority of countries critical infrastructure policies.

Similar to the generic definition of critical infrastructure, the list of critical sectors can evolve over time to address emerging vulnerabilities and evolving risks. Some countries also have decided to define general sectors as well as sub-sectors of critical infrastructures, which leads to differences in categorisation across countries. For example, Switzerland does not provide a separate category for the nuclear sector as would be the case in the United States, instead it is a sub-category in the energy supply and distribution sector. While these differences reflect national preferences, it can be important to better harmonise approaches across countries especially to favour transboundary and international cooperation on this policy issue.

Identifying critical assets with criticality assessment

Criticality analysis should include an assessment of the impacts of the critical infrastructure disruption on a range of pre-established criteria. Several approaches are used across OECD countries. For instance, in Switzerland a first differentiation is done between the different sectors and sub-sectors with three categories of criticality (very high criticality, high criticality, normal criticality). In the Netherlands, economic, physical and social criteria enable to define the different critical infrastructure processes, but then a distinction is made between category A where disruptions can have large impacts and cascading effects and category B where impacts can be lower, in order to reflect the diversity within critical infrastructure and to set priorities. In terms of criteria, the European Commission defines a minimum set for critical infrastructure assessment, including public impacts, economic impacts, environmental impacts, interdependence, political impacts and psychological impacts (European Council, 2008[44]).

The important point in criticality assessment is to include an interdependency assessment, in order to identify the critical points of a system, or between different sectors that are essential to keep running when a crisis occurs to avoid cascading failures. Critical infrastructure dependencies and interdependencies can be physical when the state of one infrastructure is dependent on the material output of the other, but there can also be digital, geographic or logical dependencies to be considered in such assessment (Rinaldi, Peerenboom and Kelly, 2001[47]); (Macaulay, 2009[48]). Against this backdrop, it is important to develop models to estimate service loss, which requires to map out the functional links between infrastructure systems.

While interdependency analysis is an area where research is making significant progress, methodologies are not yet widely utilised across OECD countries: only 36% of the respondents to the OECD Survey indicated that they had identified dependencies (Figure 3.2). Argonne National Laboratory in the United States provides a useful overview on the different methods that governments and operators can use for such interdependency assessment of critical infrastructure (Petit et al., 2015[49]).

Figure 3.2. Mapping of critical infrastructure interdependencies across OECD countries

Note: Response to the question “Has your central government mapped interdependencies between different sectors of critical infrastructure?” across the 25 respondents to the OECD Survey

Source: OECD Survey on Critical Infrastructure Resilience and Security (2018)

Criticality assessment usually leads to the development of critical assets inventories, registers or maps, with different levels of classification according to their criticality. Most of the countries which have established critical infrastructure programmes and strategies, have set-up such inventories. For instance, in France, critical infrastructure are precisely referenced and located by the General Secretariat on Defence and national Security, and an effort to focus on the most critical ones led to reducing their number from more than 7000 to around 1500. There are also examples of transboundary mapping of critical infrastructure, such as at the European Union level, in the context of the EU Directive 2008/114/EC on identification and designation of European critical infrastructures and assessment of the need to improve their protection.

Conducting vulnerability analysis to identify weak points

Once critical assets are mapped out and hierarchically classified, vulnerability assessments enable identifying weak points where potential failures are likely to happen. A thorough vulnerability assessment of critical infrastructure provides insight into the most important risks, threats, vulnerabilities and degree of resilience of this infrastructure. To do so, it is fundamental to stress test critical infrastructure vulnerability to a series of risk scenarios of different likelihood, magnitude, or their combination, across a range of potential hazards and threats. These assessments consider the most likely scenarios, in addition to those that are less probable, but might nonetheless materialize.

A holistic, all-hazards approach can help uncover complex vulnerabilities. Canada’s national strategy for critical infrastructure equally stresses the need for an all-hazards risk analysis that takes accidental, intentional and natural hazards into account ( (Public Safety Canada, 2014[50])). It can be important also to integrate the vulnerabilities of governance systems of critical infrastructure in the analysis, as management failures during crises are all too common. The European Commission Joint Research Centre for instance has developed a stress-testing tool that focuses on these complex governance aspects with application in the nuclear and banking sectors. (Galbusera, Giannopoulos and Ward, 2014[51]).

Vulnerability assessments for critical infrastructures can be performed using a variety of methodologies. Box 3.1 provides examples of such methodologies from a series of OECD countries. These methodologies range from deterministic approaches to probabilistic methods. Deterministic approaches analyse and interpret historical disaster events and available retrospective data in light of new developments. Disaster scenarios and simulations expand on retrospective analyses.

Risk assessment as the basis for resilience investments

The identification of weak points allows prioritising where to concentrate resilience efforts in existing infrastructure systems: on failure points that would have the most severe consequences. Such prioritization can inform targeted planning and investment decisions, such as what infrastructure should be hardened or relocated first, or what infrastructure should receive priority restoration in the aftermath of a disaster to ensure rapid recovery (Verner, Petit and Kihaek, 2017[52]).

Risk assessment can be complemented to evaluate the benefits of investments in resilience or security to reduce risks, for both existing infrastructure as well as for new projects. By comparing the benefits of different resilience measures in reducing risk of failures, risk-informed cost-benefit analysis can support decision-making and resilience investment decisions.

Most OECD countries have established information-sharing platforms

Governance arrangements for strengthening critical resilience highlight the need for partnerships and platforms for facilitating information sharing and exchange of knowledge. The commitment of governments and operators to engage in dialogue about these issues through institutionalized, regular meetings has proven useful to build mutual trust based on shared interest, as well as to foster regular information sharing, joint exercises, situation awareness, coordination of actions, mutual assistance, sharing of equipment and emergency stocks.

Several countries have developed programs and approaches to foster trust-based connections between government and private owners and operators. Technical solutions, such as information sharing and collaboration web-portals can serve as a secure environment where private- and public-sector stakeholders can easily and regularly exchange data, information, and good practices relevant to critical infrastructure resilience (Bach et al., 2013[25]); (Lewis, 2006[54])).

The OECD Survey shows that 80% of the respondents have established such information-sharing mechanisms or platforms, most often on a voluntary basis. Box 3.2 provides examples of successful critical infrastructure stakeholder engagement and secure information-sharing approaches.

Challenges for effective information-sharing

Although information-sharing presents many benefits for better understanding and exchange of expertise to increase resilience of critical infrastructure, there remain several prevalent challenges.

Ensuring the security of the information shared from owners and operators of critical infrastructure is an essential component for building mutual trust, as some of this information may be important for competitiveness in the market or their image. As operators might not always be inclined to share sensitive information about their vulnerabilities and/ or their critical dependencies outside of safe circles, ensuring mutual trust and security of information shared is an important aspect to foster dialogue and exchange.

Equally important is to focus on the quality and not quantity of information that is shared through these mechanisms. The more clear and precise the information shared is, the more added-value it can offer to building resilience of critical infrastructure. All parties across government and private sector should see the benefits of this information sharing practice from their respective sides. Filtering through massive amount of information is less effective than sharing the most important elements about the security of critical infrastructure. Good quality information can create incentives to boost resilience.

Operators might be reluctant to engage in such partnership if they fear it will lead to extra costs that they will have to finance, once their vulnerabilities are known. Similarly, the risk that competitors do not engage in the process and free-ride on the increased level of resilience that it would lead can cause difficulties for operators to engage. Minimum security standards can help ensure that there are no ‘weakest links’ that could jeopardise the overall security of the system while also overcoming underinvestment in resilience and the lack of willingness to engage.

A large variety of policy tool to foster operators’ resilience investments exists

Strengthening resilience to critical infrastructure is a collaborative effort amongst several stakeholders requiring a mix of tools to gather information, prioritise resilience investments, and increase overall incentives.

Governments can choose from a variety of policy tools and mechanisms to strengthen critical infrastructure resilience. Instruments range from prescriptive regulatory tools, compensation mechanisms, to voluntary frameworks based on partnerships between government and operators. Twenty-two policy tools have been identified in the OECD Survey on critical infrastructure resilience (Table 3.1). These policy tools are further described in Annex 3.D. This comprehensive list aims to present the different policy options that government can use, once they have set up a critical infrastructure resilience programme, identified its most critical infrastructure and their vulnerability, and established an information sharing mechanism with critical infrastructure operators.

Identifying the pros and cons of these different tools in different policy contexts can be of great support for designing critical infrastructure protection and resilience policies. The OECD High Level Risk Forum, through its survey and case studies has initiated taking stocks of these policy tools. The following considerations can contribute to facilitating the choices that governments can make amongst these different options.

Regulation is an important method that provides mandatory requirements and enforcement mechanisms for critical infrastructure resilience. The regulatory approach has strengths in that it provides mandatory requirements, but it can also prove costly and create lags of time between technological developments in many sectors that require regular updates. Different regulatory approaches can be applied from prescriptive sectoral regulations to performance-based ones, which let operators define by themselves the way to achieve resilience targets.

Financial incentives provide another method to increase investments and continuity plans for critical infrastructure protection and resilience. The design of compensation mechanisms for customers in case of service disruption or other types of penalties can be used to internalise the benefits of resilience. This provides operators with the choice of the ways to increase their resilience. In Finland, the 2013 Energy Market Act provides such an incentive structure for electricity distribution operators to invest in the resilience of their network, with the combination of price incentives for improved resilience with important fees in case resilience targets are not attained (Chapter 4).

Public finance used for critical infrastructure resilience can set standards and demonstrate the value of up-front investments in resilience. Integrating resilience in major public investment projects sets an example for value and benefits of these investments, and can create incentives for other critical infrastructure owners and operators to follow suit (OECD, 2018[12]). Public procurement is increasingly factoring in climate resilience, which can serve as an approach to expand to other risks as well. For example, the Greater Paris 30 billion euro investment in public transportation was designed with specific flood resilience requirements beyond the existing regulation (OECD, 2014[7]).

Peer-pressure is another policy option that works amongst owners and operators of critical infrastructure based on holding up their image and rankings to the public. Creating public access to evaluations of critical infrastructure creates concerns for companies and their image. Rankings are important indicators of resiliency and an incentive-creating mechanism. Korea has included a mechanism of peer-pressure within its system for managing the failure of infrastructure. Every year, the Periodic Nationwide Safety Diagnosis makes a sampling diagnosis for 21 types of infrastructures. These evaluations are made public and provide rankings of the infrastructure, creating important incentives for companies to keep up their public image. Another example is found with the National Emergency Supply Agency (NESA) in Finland. The annual assessments of the business continuity plans of operators in the energy sector is presented to the pool of operators so that they can compare their performance and learn from each other (See chapter 4). While in this case, the results are not publicly disclosed, peer-pressure within the sector provides incentives for improving performance. The increasing public disclosure of climate risks can here also provide elements of reflection for critical infrastructure resilience to multiple hazards (OECD, 2018[12])

Finding the right combination between mandatory and voluntary frameworks

It is important for governments to find the right combination between mandatory and voluntary frameworks to enhance stakeholder engagement in resilience. As shown in Figure 3.3, the results of the OECD survey indicate a preference towards voluntary frameworks to strengthen critical infrastructure resilience.

Instruments such as guidance for sub-national levels of governments, awareness raiding activities and trainings, provision of hazards and threats information, resilience guidelines for critical infrastructure operators and voluntary information sharing mechanism are the policy tools that are the most commonly used by OECD governments. On the contrary, more stringent tools, such as inspections and performance assessments, sectoral prescriptive regulations, or mandatory business continuity plans, are less utilised by OECD countries to foster critical infrastructure resilience.

This preference for voluntary frameworks demonstrates that overall, critical infrastructure resilience policies are still at an early age in many OECD countries. In that context, operators’ engagement in broad multi-stakeholders partnerships with governments remains a key priority, which enables building trust between the public and the private sector. Adopting voluntary frameworks appears to be more effective to achieve this objective.

Nevertheless, this approach does not necessarily guarantee a strong enough incentive structure to ensure that sufficient investments are effectively made to attain expected resilience targets. Over the years, once the value of these partnerships will be widely acknowledged, one can expect that mandatory approaches will be more easily accepted and more largely developed, in order to guarantee that operators ensure some forms of minimum common standards of resilience. The OECD Policy Toolkit on the Governance of Critical Infrastructure Resilience proposed in Chapter 5 provides a way forward for governments aiming to strengthen progressively the resilience of critical infrastructure in their country with a staged approach based on partnerships.

Figure 3.3. Policy tools for critical infrastructure resilience across OECD countries

Note: 22 OECD countries responded to the survey as of 10 September 2018 – mandatory tools are in grey, voluntary tools are in blue.

Source: OECD Survey on Critical Infrastructure Resilience (2018)

Cost-sharing arrangements for resilient investments

Operators have a keen interest in maintaining the continuity of their services and their reputation by investing in resilience. However, investments in resilience often imply costs up front, even if these should be compensated in terms of greater reliability of service and resilience to shocks.

The question is how to find the right balance. Excessive requirements imposed by governments to strengthen resilience can result in additional costs of service borne by customers, citizens and businesses. When deciding on the policy tools best fitted to improve critical infrastructure resilience in their national contexts, governments should assess how these different options can provide effective incentives for operators to invest in resilience, while managing the repercussions on the cost of service. Solving this economic equation is the cornerstone for an efficient policy, but there is no simple solution. As shown in the Finland case-study in Chapter 4, engaging in trusted partnerships and regular dialogue between governments, regulators and operators should enable discussing cost-sharing arrangements to attain resilience objectives.