24.10.2018.

Critical infrastructure protection is a continuing story

To begin with, please tell us exactly which critical business related tasks you are doing.


KATRI:  I work for National Emergency Supply Agency that is affiliated with the Ministry of Economic Affairs and Employment of Finland. Our Agency is responsible for Critical infrastructure Protection (CIP), which in Finland belongs under the headline Security of Supply.
In practice the security of supply and CIP is implemented through a PPP organisation, called National Emergency Supply Organisation. There we have more than 1000 critical companies from different sectors cooperating with us and also the public sector representatives from ministries and Defence Forces as well. My role is to develop that organisation together with representatives of all industries, make sure there is enough information exchange and cooperation. 
In addition to this, I represent our Agency in European Commission’s EPCIP and ERNCIP programmes.

IVANA: Although within the National Protection and Rescue Directorate (as the coordinator of Critical infrastructure protection system in Republic of Croatia) there is no formally established department for CI, in Sector for civil protection which is engaged on this kind of tasks, I work on the framework for the implementation of activities linked to CIP on national level as well as the tasks related to the requirements of the European Union towards all Member States.

ISABELLA: Within the Department for Security Policy I´m in charge of the coordinative implementation and development of the Austrian Program for Critical Infrastructure Protection (APCIP) on the strategic level together with the Austrian Federal Chancellery. The operational implementation takes place in close cooperation with the Unit for CIP at the Federal Agency for State Protection and Counter Terrorism, which is part of the Ministry of the Interior. Additionally I´m also working on the topic Cyber Security and in the editorial team of the Ministry´s own management strategy.


The area of critical infrastructure have no specific area of education  how did you educate yourself and trained for the work you do in critical infrastructure and what do you think you need to upgrade your personal competencies?

KATRI: My background includes academic studies in both Economics and Military Sciences. I truly believe that this combination for my specific tasks is ideal, because it combines the business understanding from my economic studies, that the critical companies require, and the understanding of national security and societal security from the military sciences the state is responsible for.
What I would like to learn in the future relates to understanding critical infrastructure as a system and all its interdependencies. This requires deepening my knowledge of each critical sector, so that I identify the connections, supply chains and areas that require development.
Whoever works with critical infrastructure protection, must understand the relevance of the infrastructure to the citizens and services they depend on. It is also important to understand the interdependencies between different sectors. In terms of education and training, I think a good combination is to have expertise in one critical sector from the industry side and on top of that some training on the national or societal security perspective.

IVANA: During the undergraduate study at the University of Applied Sciences Velika Gorica where I have obtained diploma on crisis management, "critical infrastructure" was one of courses where basic knowledge of the significance of CI and threats to the system was given, but only as an insight on the complex field that critical infrastructure represents. I had the opportunity to learn from professor Damir Čemerin, who in the Republic of Croatia gave a great contribution to the normative establishment of the critical infrastructure protection framework. My master's thesis at the Libertas University while I was studying International Relations and Diplomacy was related to the Critical Infrastructures, so it was always present during my higher education. The development of personal competences is important, and because of the lack of options on national level, it is possible to turn to the international possibilities which I certainly consider, especially in the segment of cyber security.

ISABELLA: Due to my previous career – I was soldier in the Austrian Armed Forces, Police Officer and studied law at the university – I already had a basic understanding for CIP and enhancing resilience of the state. At the beginning of course, I was extensively instructed by my supervisor and other colleagues and I studied all relevant documents regarding this topic. But I achieved a large part of my competencies by doing. It is indispensable to continue one´s education by attending relevant courses, conferences, exchange ideas with other experts and be in close cooperation with research institution and academia on this topic.


How do you evaluate the development of critical infrastructure systems in your country and what are the following activities that are planned for the development of the system since the story about CIP is never ending story?


KATRI: This is a very important question, because it is very true that critical infrastructure protection is a continuing story.
The overall goal of our National Emergency Supply Agency is to develop the National Emergency Supply Organisation along with the changes in the Finnish society. Right now we have 7 critical sectors under which we have 21 pools of critical companies. Maybe in the future the world changes and there is a need for a new pool, or two pools need to be merged together because of changes in the global market structures.
In addition to monitoring Finnish society and global market conditions we need to increase our ability to follow the big changes in the world, so developing our foresight skills. We developed 6 alternative scenarios for the future and how the security of supply could change related to them. Now we are going to start monitoring the global environment to understand if those scenarios are becoming true or not. This monitoring process helps us to develop the National Emergency Supply Organisation.

IVANA: In the Republic of Croatia, due to insufficient awareness of the risks to the critical infrastructure and low interest of stakeholders (government bodies) in fulfilling the tasks assigned to them by the Critical Infrastructure Act (2013), the whole process is insufficiently active. Still, the main motive is to have a confirmed list of identified critical infrastructures in the Republic of Croatia, and at this point we are having concrete results after an intense work and long period. In order to better fulfill our goals, we have decided to revise the normative framework after it has been noticed that in the five years period it was not functioning as expected. We started with the „Rules on the methodology for drafting business risk analysis of critical infrastructure“ which was revised in 2016, and same will be done with Critical Infrastructure Act.

ISABELLA: Within APCIP we have a clearly defined work plan, which is regularly evaluated by the “CIP Core Team”. This team meets on average once a month and discusses all relevant CIP related topics. Once a year the evaluation of the annual work plan and the work plan for the upcoming year is presented to the “CIP Advisory Board” and approved by the “CIP Steering Committee”. Our main activities are the implementation of risk analysis on the sectorial level, finalizing the revision of the Guide “Security in companies of strategic importance” (a self-assessment tool for CI), further expansion of APCIP in the Federal Provinces and the harmonization with the upcoming Austrian Act on Security of Network and Information Systems (NIS-Act).


In the short lines, describe the models of public-private partnerships in strengthening resilience and protecting critical infrastructure in your country?

KATRI:  The finnish PPP- model is actually the National Emergency Supply Organisation. The earliest activities of this organisation take back to 1950s, so it’s a very old concept. It is also the reason why in Finland we don’t talk about CIP and CIP programmes so much, because CIP is a concept that came very much after our Security of Supply. For us Security of Supply includes CIP. 
I think it is also very important for countries to understand that national approaches to CIP are necessary, because countries are so different. There is no way that one model would fit all countries. The key is to understand the relationship between national approach and for example the EU approach and why they are different. In this case different is not wrong at all.

IVANA: Public private partnership in Republic of Croatia for long time has been perceived as a long-term contractual relationship between the public and the private partner, subject of which is construction and/or reconstruction of public infrastructure, for the purpose of rendering public services within the area of the public partner's competence. The perspective has gradually expanded to private security services, in term of safety and security, and the new National Security Strategy (2017) was the one that has emphasized coordinated comprehensive co-operation of public and the private sector in increasing the resilience of national critical infrastructure. I both acts (Critical Infrastructure Act and Public Private Partnership Act), PPP should be emphasized in the context of the protection of critical infrastructures, in order to regulate this relationship, and thereby gain additional levels of trust and "openness" for such cooperation on both sides.

ISABELLA: We, as the state authority, have succeeded in building up a good and voluntary cooperation with operators of CI that is characterized by mutual trust. For example our experts give advice for physical protection, risk management, crisis management and cyber security by discussing with the responsible Chief Security Officers of the CI operators. Additionally operators are invited to special public-private partnership events as an annual “Risk assessment” Conference or sector-specific Management Circles. As a general principle, APCIP is fostering the cooperation of all stakeholders; that means operators, public administration and regulators, but also research and standardization institutions have an appropriate contribution to the further development and implementation of APCIP.


What are the key bilateral and regional focuses of your country's cooperation in critical infrastructure?

KATRI: We cooperate a lot with our Nordic neighbors, Sweden and Norway. Also Estonia is a good partner for us. Sweden and Norway are important due to the Baltic Sea and the Northern parts of our countries where we have many shared interests. Estonia has been a good partner to look into ICT and Cyber- topics where we both have high competence in. 

IVANA: Until now, the Republic of Croatia has been through implementation of Directive 2008/114/EC on the identification and designation of European Critical Infrastructure (critical infrastructure located in Member States the disruption or destruction of which would have a significant impact on at least two Member States) and the assessment of the need to improve their protection, collaborated with Slovenia and Hungary. With countries that are not members of the European Union and who are considered to be "neighboring countries" (Western Balkans), Serbia and Bosnia and Herzegovina, we cooperate through the exchange of knowledge, we had an experience of implementing EU project with Serbia and engagement of experts from these countries at international conferences which are organized in the Republic of Croatia, such as the conference of the journal Zaštita and Tectus.

ISABELLA: On the operational level, we maintain cooperation to neighboring countries, depending on a specific security related occasion. This cooperation is of course confidential.
On the strategic level we have good trilateral cooperation with Germany and Switzerland. But we are looking forward to establishing cooperation also with other (neighboring) countries. During the current Austrian Presidency of the Council of the European Union we focus on promoting strong relationship especially to the Western Balkan and East European Countries.


How is your country participating in EU cooperation and information exchange regarding critical infrastructure protection?


KATRI: We participate in EPCIP and ERNCIP programmes and we of course apply the NIS directive as well.

IVANA: Cooperation and exchange of information at EU level is primarily done through meetings of national points of contact for critical infrastructure (which each Member State assigns) organized by the European Commission, as well as workshops for "neighboring countries" and meetings for exchange of knowledge and experience with Canada and the United States. There is also cooperation through the European Reference Network for Critical Infrastructure Protection (ERNCIP).

ISABELLA: My colleague from the Austrian Federal Chancellery and I are nominated as Points of Contact for Critical Infrastructure Protection at the European Commission (DG HOME). We attach great importance to the further development of the European Program for Critical Infrastructure Protection (EPCIP) and therefore we actively participate in every meeting. On our suggestion, we organized the “EU-External Partners Meeting on CIP” together with the European Commission during our EU Presidency in Vienna this summer.

Describe one of the key activities, platforms, projects or achievements that have been made in your country, which you think might be best practice in other countries.

KATRI: I think our PPP organisation with its critical sectors and pools of critical companies is something very interesting to note. Because the history of the organisation is so long, the pools are very well established and there is genuine trust between the companies involved. The numerous development projects and exercises are good evidence of the companies’ ambition to work together to keep the infrastructure safe.
Another example could be the extranet- portal our Agency provides for the National Emergency Supply organisation and all its critical companies to use for the exchange of information related to CIP. We fund it because we want to make sure the companies have a neutral but secure channel to exchange information in and to plan cooperation between sectors.

IVANA: The EU project "RECIPE" was implemented during 2015/2016, with the aim of establishing a platform for exchange of experiences and best practices between experts and countries at different levels in critical infrastructure protection (Croatia, Sweden, Serbia). The project also produced a "Guidelines for more efficient risk management of critical infrastructures" which was publicly available to all Member States for use, and the European Commission itself recognized and declared this project “as the project with the best results ratio in relation of given founds”, for that year. This is a motivator for similar projects in other countries.

ISABELLA: This year, we started with an encrypted communication & secure information exchange and we handed over a digital radio device to the most relevant critical infrastructure operators. These radio devices are used by the Austrian Federal Police, rescue services and firefighters, and the radio network is operated by the Federal Ministry of the Interior. These digital radio devices enable the companies to communicate with authorities and also with each other in cases of a blackout or if the normal telecommunication network is malfunctioning. It also enables us to communicate encrypted, in cases of sending or receiving sensitive information.
Another best-practice example, that I do not want to withhold from readers of “Zaštita”, is the Austrian Security Research Program KIRAS (running from 2005-2020). It supports national research projects whose results contribute to the security of critical infrastructures.


How do you evaluate the conference on Critical Infrastructure in Zagreb on 28/29 September 2018 and what are your suggestions for next conferences of this type?

KATRI: I was so happy to be there in Zagreb, because I could see how much there has been development in 3 years. I visited Croatia in 2015 to learn about the critical infrastructure protection and then the law related to CIP was still new and the discussion was mainly about trying to find the right ways to implement it. Now there are already additional laws and documents, especially the cyber- related ones, to reinforce the original law. For me, this shows that you have really thought about the topic and advanced in your thinking. It shows that the topic is important to you. 
I was also impressed by the level of private sector presence in the conference. It is so difficult to get the companies to come to the table and start negotiations about how to protect the critical infrastructure together. Both parties have to bring something, especially the public sectors, because private sector is already bringing the infrastructure, which it owns.
Regulation is a good departure point to create common understanding of the objectives, but the ways how we reach those objectives must come through cooperation. And cooperation needs good motivation. For public sector motivation can be keeping the society and citizens safe through well protected critical infrastructure, and for public sector it is about fulfilling customer promises and providing reliable service to customers cost efficiently. This requires well-functioning and protected critical infrastructure.
My suggestion for the future is to continue these kinds of events, because they seem to be developing every year. This means that it is working!
Hopefully at some point you can add more concrete ideas of PPP into the conference; maybe you will have a joint CIP exercise and then use some time in the conference to talk about what was good and what needs development.
Another idea would be to ask someone from the private sector to present what CIP means for them, and I don’t mean a company presentation but why they would want to participate in PPP and what they expect or have already gained from it and how the cooperation should be developed.

IVANA: The conference was an excellent opportunity to have the insight to the best national practices, it has given unified international experience and offered opportunities for further (extended) co-operation among the participants. The added value of the conference was inclusion of the cybernetic security component that in today's era of high technology and the interdependence for all critical infrastructure systems, in many respects, becomes the primary security challenge. Future conferences should maintain a level of expertise with lectures that take into account all the changes and additional challenges to the functionality of critical infrastructures.

ISABELLA: Once again I want to congratulate the organizers for arranging this great conference. It gave all the participants an appropriate opportunity to share good practice and exchange ideas on the field of CIP. This exchange between participants is indispensable for the development of new strategies regarding the enhancement of resilience of CI. We should definitely continue with this cooperation. An approach/proposal for the next time could be that participants should define in advance, which challenges regarding CIP their countries are currently facing, in order to find possible solutions conjointly during the conference.

Finally, tell us something about yourself, your hobbies, and your plans for the future.

KATRI: Traveling is my favourite hobby. Someone wise said that traveling is the only thing you spend money on that makes you richer. Balkans is such an interesting area to travel in and your nature is amazing! I've now been to Croatia, Serbia and Montenegro. Maybe my next travel will explore Bosnia- Herzegovina, Albania or Macedonia.

IVANA: Active life through sport activities is one of my main choices of spending free time, and I am considering starting with some foreign language course. In the near future, I'm planning a continuation of my education with doctoral study.

ISABELLA: The exchange of ideas and emotions with inspiring people but also physical training, especially outdoors in nature, are, apart from my family of course, essential factors for my work life balance. I want to deepen my knowledge and expand my horizon steadily and contribute to the security of our society also in the future. Living in a secure environment is not self-evident and therefore achieving that goal requires the effort of all of us.

Nataša Gajski Kovačić