5. Policy Toolkit on Governance of Critical Infrastructure Resilience

Definitions

It proposes to use the following definitions:

• Critical infrastructure: Critical infrastructure are systems, assets, facilities and networks that provide essential services for the functioning of the economy and the safety and well-being of the population. While definitions of critical infrastructure differ across countries, this definition is not prescriptive and aims to encompass the largest set of definitions identified in the OECD Survey on Critical Infrastructure Resilience.

• Resilience: the capacity of systems to absorb a disturbance, recover from disruptions and adapt to changing conditions while retaining essentially the same function as prior to the disruptive shock (adapted from OECD, 2014_[20]). This definition includes the ability to withstand shocks with as little loss of functionality as possible under the specific circumstances, limiting the duration of potential service interruption by minimising the recovery time, as well as adapting to new conditions and improving systems’ functionality.

Seven steps for critical infrastructure resilience policies

To strengthen critical infrastructure resilience, a comprehensive policy framework should address the following seven interrelated governance challenges:

1. 1. Setting up a multi-sector governance structure for critical infrastructure resilience

2. 2. Understanding complex interdependencies and vulnerabilities across infrastructure systems to prioritise resilience efforts

3. 3. Establishing trust between government and operators by securing risk-related information-sharing

4. 4. Building partnerships to agree on a common vision and achievable resilience objectives

5. 5. Defining the policy mix to prioritise cost-effective resilience measures across the life-cycle

6. 6. Ensuring accountability and monitoring implementation of critical infrastructure resilience policies

7. 7. Addressing the transboundary dimension of infrastructure systems

1. Setting up a multi-sector governance structure for critical infrastructure resilience

Governments should adopt a whole-of-government approach to critical infrastructure resilience. Ideally, such governance would involve the sectoral ministries and agencies overseeing infrastructure delivery and regulation in the multiple critical sectors, as well as those in charge of resilience to all-hazards and threats. Coordination at the Center-of-Government would allow to manage the interests of all stakeholders and make the relevant trade-offs for effective resilience policies.

Why is this important?

Governments have a key role to play in critical infrastructure resilience. They have a responsibility to provide security and safety to citizens, and are often infrastructure regulators. Governments, at central or sub-national level, can also be owners and operators of critical infrastructure, either directly or through publicly owned companies. Furthermore, investments in major infrastructure are often dependent upon major public funds. Finally, governments are also an important user or client of critical infrastructure, with expectations on their reliability for the continuity of government activities.

This presents governments with multiple and complex roles, across critical infrastructure sectors and for multiple hazards and threats. Risk managers and officials in charge of the governance of critical risks have to coordinate across several functions in government and ensure that, on behalf of the general interest, policy objectives can be achieved from a resilience perspective while balancing the relevant trade-offs.

Key policy questions:

• Is there a national strategy or policy document for critical infrastructure resilience?

• Is there a definition for critical infrastructure?

• Is a pre-defined list of critical infrastructure sectors in place?

• Is there a whole-of-government approach to the development of critical infrastructure resilience?

• Are all relevant hazards and threats considered in the critical infrastructure resilience policy?

• Is there a dedicated coordination entity responsible for designing, monitoring and adjusting the national critical infrastructure resilience policy?

Benchmark indicators

• National policy on critical infrastructure resilience

• Inter-departmental / ministerial committee / platform to design CI resilience policies

• Coordination entity at the Center of Government

Examples of good practices

• In the United States, the Presidential Policy Directive on Critical Infrastructure Security and Resilience tasks the Department of Homeland Security to coordinate CI policies at Federal level with sector agencies across 16 CI sectors.

• In France, the General Secretariat for Defense and National Security under the Prime Minister coordinates the CI resilience policy across 8 line Ministries for 12 infrastructure sectors and with a multi-hazard approach.

2. Understanding complex (inter-)dependencies and vulnerabilities across critical infrastructure systems to prioritise resilience efforts

Governments should adopt methodologies and metrics to identify the critical functions, systems and assets that should be prioritised for investments in building resilience. This requires a good understanding of how disruptions can affect infrastructure assets and where dependencies and interdependencies are found that could amplify their impacts. Once priority nodes and hubs are identified across interdependent systems, there is a need to assess their resilience with relevant indicators and to compare actual and expected results to see where the gaps are.

Why is this important?

Defining methodologies for risk assessment that critical infrastructure stakeholders from government and operators can use in practice and clarifying the related data requirements are fundamental steps to prioritise investments in resilience. Understanding risks and vulnerabilities of critical infrastructures is a complex task, given the underlying interdependencies and requires a systemic view. A diverse set of tools exists to identify critical assets, understand their vulnerabilities to shock events and model the potential cascading impacts through interconnected networks. Recent research has focused on system complexity, risk modelling, and interdependency mapping, which provides rich analytical materials.

Nevertheless, governments and critical infrastructure operators are grappling with the need to choose the right tools for the identification of the most critical hubs and nodes of infrastructure systems and the assessment of their level of resilience. In practice, such analysis follows a three-tier approach, for which methodologies and tools need to be standardised. First, mapping the interdependencies (physical, digital, geographic, logical) between critical infrastructure assets and systems is key to estimating the full impact of service loss in case of disruption. Second, conducting a criticality assessment allows to classify systems, networks, and asset that are truly critical, based on the impact of their disruption on a range of pre-established criteria. Third, resilience analysis and stress-tests help identify weak points where potential failures are more likely to happen. Developing relevant indicators for infrastructure assets and systems enables the best comparison of their level of resilience.

Key policy questions:

• Is there a mapping of dependencies and interdependencies across the different critical infrastructure sectors?

• Are there defined criteria to assess the criticality of infrastructures?

• Are there multi-hazards stress tests conducted to identify weak points among critical infrastructure?

Benchmark indicators

• Identification of critical assets

• Existence of resilience indicators

Examples of good practices

• In the Netherlands, the National Coordinator for Security and Counterterrorism (NCTV) developed a 3-step methodology to first identify critical infrastructure and categorise them according to their criticality (A or B), second assess their vulnerabilities to multiple risks and third set priorities for resilience investments.

• Public Safety Canada (PSC) has undertaken high-level inter-dependency analyses of individual CI sectors with examination of cascading impacts. PSC is evaluating critical infrastructure inter-dependency modelling tools developed by the research community.

3. Establishing trust between governments and operators and securing information-sharing on risks and vulnerabilities

Governments should establish information-sharing platforms with operators of critical infrastructure so that all relevant infrastructure stakeholders obtain a comprehensive and shared understanding of risks and vulnerabilities to conduct resilience analysis. It is crucial to ensure that the design of these platforms assures security and confidentiality of information shared with clear rules of access to allow a trusted sharing of sensitive information.

Why is this important?

Information exchange is fundamental for governments to gain a comprehensive understanding of critical infrastructure vulnerabilities. It also helps operators to understand their own vulnerabilities, their dependencies on other infrastructures, and how disruptions to their services could affect other infrastructures or even themselves.

The challenge to fostering information-sharing is to build trust between parties, such that the security and proprietary of information shared voluntarily will not be publicly disclosed. Operators are not inclined to share sensitive information about their vulnerabilities, their critical dependencies and any disruptive incidents outside of safe circles, as disclosure of certain information may lead to liability, be important for competitiveness in the market or do damage to a firm’s reputation. On the government side, information-sharing may involve classified information when it relates to national security. Risks of cyber threats are another concern, as they can also increase reluctance to share information on joint platforms, if guarantees on their security are not properly assured.

In some cases, disclosure of risk information can strengthen operators’ accountability and reinforce resilience measures, for climate-related risks for instance. In a world characterized by interconnected systems, the resilience of interdependent infrastructures is as strong as its weakest link. Therefore, information sharing significantly contributes to bringing infrastructure operators up to a similar understanding of what is required to reach an acceptable level of security and resilience.

Key questions:

• Are there mandatory or voluntary legislation, regulations, and policies for information sharing about risks and vulnerabilities?

• Are there information-sharing platforms for governments and critical infrastructure operators?

• Are there incentives for infrastructure operators to share qualitative information about their dependencies and vulnerabilities with the policy community?

• Are there safeguards in place to secure the confidentiality of shared information?

Benchmark indicators

• Presence of a secured information sharing mechanism

• Frequency, quantity and quality of shared information from infrastructure operators

• Utilisation/satisfaction of the information sharing platform

Examples of good practices

• The United Kingdom Data and Analytics Facility for National Infrastructure (DAFNI) provides a platform of data, models and technical tools for complex infrastructure analysis to analyse system performance and make wise investments.

• Australia Trusted Information Sharing Network (TISN) for Critical Infrastructure provides national level forums for critical infrastructure operators to share vital information on risks and mitigation strategies with in a secure, non-competitive environment, and to develop collective solutions to shared problems.

4. Building partnerships to agree on a common vision and achievable resilience objectives

Governments should partner with critical infrastructure operators from the public and the private sectors to agree on a common resilience vision for critical infrastructure nationwide and on shared and achievable resilience objectives. Developing an understanding of public expectations to potential loss of infrastructure service can be a useful way to initiate dialogue.

Why is this important?

Beyond information-sharing on risks and vulnerabilities, critical infrastructure resilience depends upon governments partnering with infrastructure operators from the public and private sectors in resilience efforts. While operators and governments agree on the need to protect critical assets and maintain their services, views can differ on the level of resilience required, the means to achieve it, and on the regulatory requirements that should apply. These measures have financial implications, and raise questions about who will take on additional costs to invest in resilience.

Establishing partnerships between governments and operators (public and private) to encourage dialogue on these issues is a useful approach to develop a common vision towards resilience in critical infrastructure and define shared objectives. Policy issues to be addressed include deciding on the acceptable duration of ‘down time’, maintaining a level-playing field between operators, and circumventing situations of free-riding in competitive sectors. Ensuring stakeholders’ engagement, including with the public, in regular meetings, institutionalized dialogues, and joint exercises can foster consensus.

Key policy questions:

• Are there institutionalised dialogues in place to engage critical infrastructure operators in resilience policy design?

• Are there processes in place to understand public expectations for critical infrastructure resilience?

• Is there a common vision of critical infrastructure resilience defined through multi-sector dialogue?

• Are there resilience objectives established to support the vision’s implementation?

Benchmark indicators

• Existence of critical infrastructure stakeholders consultation fora

• Frequency of consultation fora and level of operator’s participation

• Quality of the participatory process

Examples of good practices

• In Switzerland, the national CIP strategy coordinated by the Federal Office for Civil Protection is based on partnerships and various platforms with CI operators, federal and subnational authorities. Beyond risk analysis and information sharing, the CI Guideline is developed jointly and allows setting resilience objectives for CI operators.

• In Germany, the UP KRITIS is a National initiative between the state and carriers of Critical Infrastructures for the protection of critical information infrastructures. The UP KRITIS consists of more than 450 associates.

5. Defining the policy mix to prioritise cost-effective resilience measures across the life-cycle

Governments should define a mix of policy tools to incentivize operators’ investments in resilience and achieve shared resilience objectives. Such measures should address the entire infrastructure life-cycle from planning to operations, maintenance and renewal or retrofitting. Government prioritisation of resilience measures should be informed by cost-benefit analysis taking into account repercussions on the cost of service.

Why is this important?

Governments can choose from a variety of policy tools and mechanisms to advance implementation of resilience objectives, from voluntary frameworks and incentive mechanisms, to regulatory or legal tools. Operators have a keen interest in maintaining the continuity of their services and their reputation by investing in resilience. However, investments in resilience often imply costs up front, even if these should be compensated in terms of greater reliability of service and resilience to shocks. The question is how to find the right balance. Additional requirements imposed by governments to strengthen resilience may result in additional costs ultimately borne by customers, citizens and businesses. It is important to tailor public policy instruments to provide effective incentives for operators to invest in resilience, while managing the financial repercussions.

The regulatory approach has strengths in that it provides clear and measurable obligations, for instance setting reliability requirements, or requiring business continuity plans, insurance mechanisms, and minimum security standards. However, when to prescriptive, it can also prove costly, not be up to speed with rapid technological developments and can create compliance challenges. Imposing a compensation scheme for customers whose service is disrupted, or other types of penalties can be efficient to incentivise resilience investments, notably in public-private-partnerships. Such approach also provides operators with the choice of the ways to increase their resilience. Voluntary frameworks such as the development of resilience guidelines, awareness raising activities or the sharing of good practices, is often a preferred option to favour stakeholder engagement, but has important uncertainties. Finding a balance between public financial support and private investments for such resilience measures, can use cost-benefit analysis methods to prioritise the most effective ways to share the costs of an overall collective effort towards achieving shared resilience objectives.

Key policy questions:

• Are there resilience measures defined to increase the level of protection, robustness, redundancy or adaptability across critical infrastructure life cycle?

• Are there minimum security standards in place to ensure operators invest in resilience?

• Are sectoral regulators playing a role in incentivising critical infrastructure resilience?

• Are cost-benefit analysis used to prioritise resilience measures, evaluate their impact on costs of services, and find cost-sharing arrangements?

Benchmark indicators

• Implementation plans on critical infrastructure resilience

• Infrastructure regulations provisions on resilience

• Assessments of cost-benefits of resilience measures

Examples of good practices

• In Finland, the Energy Authority sets the requirements for business continuity and reliability standards in the electricity sector, and the National Emergency Supply Agency provides tools, guidance and methods for operators to comply with these regulations.

• In France, the State, CI operators and local authorities have agreed on measures to increase CI resilience for the risk of a major flood in Paris. This includes information-sharing, emergency preparedness and vulnerability reduction for existing and future infrastructure.

6. Ensuring accountability and monitoring implementation of critical infrastructure resilience policies

Government should monitor implementation and evaluate progress in attaining resilience objectives, and define an accountability framework for critical infrastructure operators. Reviewing the effectiveness of the resilience policy tools should allow adjustments to a dynamic risk landscape and infrastructure innovations while taking into consideration the need for predictable and stable regulatory frameworks conducive to infrastructure investments.

Why is this important?

A comprehensive policy framework is a first step towards enhancing critical infrastructure resilience. Whether critical infrastructure will actually be resilient hinges on the implementation of the objectives and requirements put forward in these policies. Accountability mechanisms need to be set-up to ensure that operators carry out the stipulated resilience measures, such as criticality and vulnerability assessments, business continuity plans, back-up operating systems, exercises and stress tests, mutual aid agreements, retrofitting of assets, or risk financing mechanisms.

Monitoring implementation can take diverse forms including regular reporting, inspections and performance assessments or peer reviews. To strengthen accountability, fines for non-compliance, recognition/awards for the implementation of good practices and peer pressure through the use of open access evaluations/rankings are other available incentives that may motivate operators to prioritize investments in resilience measures. Regular evaluations are also useful to assess the effectiveness of policy instruments to strengthen critical infrastructure resilience and adapt them to keep up with the pace of innovations and emerging risk patterns.

Key policy questions:

• Is there a regular monitoring of the implementation of resilience measures by critical infrastructure operators?

• Are there accountability frameworks in place to ensure that resilience measures are implemented?

• Are there reviews of the effectiveness of resilience policy instruments planned to adjust to a dynamic risk landscape?

• Are there joint exercises to test crisis and continuity management mechanisms?

Benchmark indicators

• Accountability frameworks for critical infrastructure stakeholders

• Revisions of critical infrastructure policies

Examples of good practices

• In Korea, the Ministry of Interior and Safety evaluates disaster response capacities of critical infrastructure operators every year, with a ranking that goes public. The peer pressure creates important incentives for operators to keep up their public image.

• 10 years after its adoption, the European Commission is evaluating its Directive on European Critical Infrastructures to assess whether it remains relevant and effective.

7. Addressing the transboundary dimension of infrastructure systems

Government should coordinate national critical infrastructure resilience policies with neighbouring countries and beyond, to address transboundary dependencies. International information-sharing mechanisms should be set up to assess risks and vulnerabilities across borders as well as to develop common approaches for critical infrastructure resilience.

Why is it important?

Interconnected and interdependent infrastructures cross borders bringing an important international dimension to resilience. Hazards and threats do not stop at national borders and integrated supply chains can propagate their consequences. In some cases, critical infrastructure provide services in multiple countries and different jurisdictions. This makes it more compelling to integrate international cooperation in critical infrastructure resilience policies. Sharing information and good practices, adopting common approaches, developing joint standards in critical infrastructure resilience are among the policy options that can foster international and transboundary cooperation in this area.

Key questions:

• Are there international forums to foster exchange of good practices and to build common approaches for critical infrastructure resilience policies?

• Are there international information sharing platforms on risks and vulnerability for interdependent critical infrastructure?

• Are there cooperation mechanisms in place to define joint standards for critical infrastructure resilience with neighbouring countries?

Benchmark indicators

• International policy frameworks for critical infrastructure resilience

• Joint critical infrastructure resilience plans

Examples of good practices

• The Canada – United States Action Plan for Critical Infrastructure promotes an integrated approach to critical infrastructure protection and resilience by enhancing coordination of activities and facilitating continuous dialogue among cross-border stakeholders.

• The European Programme for Critical Infrastructure Protection (EPCIP) is a long-term programme that encompasses various instruments for the protection of critical infrastructure in the EU, including regular meetings of national CIP Points of Contact. Its external dimension includes regular meetings with strategic partners and was recently widened to include cooperation with neighbouring countries.