ECI - Risk Assessment
A new directive to protect European Critical Infrastructures and potential fallouts on Risk Assessment tools, by Davide Ottonello from STAM
Why do we need a new approach for protecting Critical Infrastructure?
On 16 December 2020, the European Commission proposed a new Directive on the resilience of critical entities. This new regulatory framework will replace the European Critical Infrastructure (ECI) Directive, adopted in 2008, which provides a procedure for identifying and designating ECIs, i.e. infrastructures whose disruption or destruction would have a significant impact on at least two Member States, and sets out specific protection requirements for ECI operators and the competent Member State authorities. However, the ECI Directive no longer seems sufficient to address the current challenges faced by critical infrastructures and the entities that operate them. Specifically, it does not adequately address the following issues:
Today's risk landscape is more complex than in 2008: natural hazards are exacerbated by climate change (e.g. flash floods), terrorist attacks in the EU have increased over the last decade, and new threats have emerged (the Covid-19 pandemic and the devastating explosion in Beirut) with severe consequences worldwide;
Emerging technologies lead to new vulnerabilities: 5G networks, drones, IoT, blockchain and other technologies are increasingly used by stakeholders and service providers to support their business, but at the same time they can introduce new weaknesses that cause incidents or are exploited by attackers;
Interdependent nature of stakeholders and sectors: we live in an increasingly interconnected world, so a disruption affecting service provision by one operator in one sector has the potential to generate cascading effects on service provision in other sectors, and potentially in other Member States or across the entire Union;
Non-uniformity of requirements among Member States: given the interconnections described in the previous point, the fact that requirements and government support for critical infrastructure operators vary from one Member State to another creates obstacles for cross-border operations, notably for stakeholders operating in Member States with more stringent frameworks;
Negative implications for citizens, businesses and governments: the main services underpinning our daily life are usually provided by tightly interconnected networks of European businesses, so the disruption of one node of the network can have negative effects on the provision of essential services (such as healthcare), on public safety and on citizens' rights (e.g. freedom to travel or work).
Therefore, the new Directive on the resilience of critical entities aims to address all the points above, in order to better reflect the current and anticipated future risk landscape, the increasingly tight interdependencies between sectors, and the increasingly interdependent relationship between physical and digital infrastructures.
What does the new Directive on resilience of critical entities state?
This Directive lays down obligations for Member States to take a series of measures aimed at ensuring the provision of services essential to maintaining vital societal functions and socio-economic activities. Specifically, each Member State shall:
Identify critical entities: establish a list of critical entities, notify them of their identification and inform them of their obligations;
Adopt a strategy for reinforcing the resilience of critical entities: this strategy shall set out strategic objectives, a governance framework and policy measures with a view to achieving and maintaining a high level of resilience of critical entities;
Carry out a national assessment of all relevant risks that may affect the provision of essential services: the risk assessment should be performed whenever necessary and at least every four years, considering both natural and man-made risks. The risks identified, together with the other outcomes of the national risk assessment, should be reported to the European Commission;
Support identified critical entities: in carrying out a risk assessment of their own services (on the basis of the national one); in defining and applying a resilience plan describing the technical and organisational measures for the physical protection of sensitive infrastructure, the prevention of incidents, the mitigation of consequences and the recovery of business; and in notifying the competent authority without undue delay of incidents that significantly disrupt, or have the potential to significantly disrupt, their operations.
In order to meet the above obligations, Member States should designate one or more competent authorities responsible for the correct application and, where necessary, the enforcement of the rules of this Directive at national level.
Are we ready to perform an effective and reliable risk assessment under this Directive?
Indeed, the Directive on the resilience of critical entities requires two kinds of risk assessment: one at national level, to identify the critical entities providing essential services across the covered sectors and the relevant risks, and one at the level of the single critical entity, considering the peculiarities of its business and infrastructure.
But do our current methodologies and tools support stakeholders in performing a risk assessment that can be considered compliant with the objectives of the Directive and that generates reliable outcomes? Just as the ECI Directive adopted in 2008 no longer seems suitable and is to be replaced by a new one, the approach of most of our tools should be significantly revised to cope with the issues described in the first section. In the following, I have selected a handful of features (at least the most important ones) that should guide the development of applications enabling competent authorities and stakeholders to fulfil the obligations laid down by the Directive.
Assess negative implications on intangible assets
The transition from critical infrastructures to critical entities is not accidental. The new definition includes not only physical elements, such as buildings or plants, but also valuable intangible assets whose loss could generate significant disruption to business and to the provision of essential services. As a consequence, new methodologies and tools should be capable of assessing the risk and estimating the size of potential negative implications also for cyber infrastructure, human capital, knowledge, business continuity, brand, company reputation, customer relationships, etc.
Adopt a cross-sectoral approach
While the ECI Directive of 2008 is limited to the energy and transport sectors, the new one will also extend to banking, healthcare, drinking water, waste water, digital infrastructure, public administration and space. It is therefore clear that Member States, in order to perform a national risk assessment covering all the aforementioned entities, need cross-sectoral and comprehensive methodologies and tools suitable for all sectors, while taking into account the different threats and vulnerabilities arising from each sector's peculiarities.
Model intra-entity and extra-entity interconnections
The Directive on the resilience of critical entities puts a lot of stress on interdependencies and interconnections. Taking these complex relationships into account is a mandatory requirement if tools are to simulate cascading effects and estimate potential impacts that could otherwise not easily be recognised. Risk assessment tools should therefore rely on proper data models suitable for defining interdependencies not only among elements of the same entity, but also among entities themselves, and even between entities and the surrounding community (citizens, government, other Member States).
Analyse the risk landscape in near real-time
Under the new Directive, critical entities are obliged to notify any incident that could significantly disrupt their operations. However, it can be difficult to estimate the impacts of an incident immediately and to retrieve valuable data about its potential implications in order to mitigate the consequences. Risk assessment tools should therefore also be able to carry out targeted analyses of the current risk landscape, including by gathering data from sensors and other information systems.
Evaluate resilience through common indicators
While the classical risk formulation (likelihood x impact) is well known and accepted in the scientific and industrial communities, the same is not true for resilience. This property can be measured in several ways, depending on the sector and the type of service or infrastructure. Therefore, common indicators should be defined and computed to obtain a uniform evaluation of resilience across sectors; those indicators should also be clear and understandable for stakeholders, quantifiable, computable and reliable.
Only methodologies and tools that take these five key points into account will be able to deal with the risk landscape of the next ten years. It is an investment of money, time, people and skills that we should make now, not years from now, to avoid tragic consequences for the daily life of our communities, to support Member States in recovering from the economic and social damage caused by the pandemic, and to make the European Union ready to face current and forthcoming challenges.
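To make the two preceding points concrete (a data model for intra-entity and extra-entity interdependencies that can simulate cascading effects, and a computable cross-sector resilience indicator next to the classical likelihood x impact risk), here is a small worked model. It is an added example written for this page, not code from the article or from STAM, and nothing in it is prescribed by the Directive: the node/dependency data model, the propagation rule (a consumer takes the largest loss reaching it, and its effective recovery time is bounded by its upstream provider's), the weighted impact score and the "area under the functionality curve" resilience indicator are all illustrative assumptions, as are the entity names, sectors, weights and figures in the constructed flash-flood scenario.

```python
"""Toy dependency model for cascading-effect and resilience estimation.

Added example, not code from the article: the data model, propagation
rule and resilience indicator are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    entity: str            # critical entity, or "community" for extra-entity nodes
    sector: str
    weight: float          # relative importance of the service in the impact score
    recovery_hours: float  # own time to recover once upstream services are back


@dataclass(frozen=True)
class Dependency:
    src: str         # providing node
    dst: str         # consuming node
    transfer: float  # fraction of src's loss that dst suffers (0..1)


class DependencyModel:
    def __init__(self):
        self.nodes: dict[str, Node] = {}
        self.out: dict[str, list[Dependency]] = defaultdict(list)

    def add_node(self, node: Node) -> None:
        self.nodes[node.name] = node

    def add_dependency(self, src: str, dst: str, transfer: float) -> None:
        assert src in self.nodes and dst in self.nodes, "unknown node"
        assert 0.0 <= transfer <= 1.0, "transfer must be a fraction"
        self.out[src].append(Dependency(src, dst, transfer))

    def cascade(self, initial_loss: dict[str, float]):
        """Propagate service loss along dependencies (breadth-first).

        loss[n] is the fraction of n's service lost; a consumer keeps the
        largest loss reaching it over all paths. Its effective recovery time
        is the max of its own and its provider's, so a slow upstream repair
        delays everything downstream. Losses are bounded by 1.0 and only
        ever increase, so the loop terminates even when the graph has cycles.
        """
        loss = dict(initial_loss)
        recovery = {n: self.nodes[n].recovery_hours for n in initial_loss}
        queue = deque(initial_loss)
        while queue:
            src = queue.popleft()
            for dep in self.out[src]:
                propagated = min(1.0, loss[src] * dep.transfer)
                if propagated > loss.get(dep.dst, 0.0) + 1e-9:
                    loss[dep.dst] = propagated
                    recovery[dep.dst] = max(self.nodes[dep.dst].recovery_hours,
                                            recovery[src])
                    queue.append(dep.dst)
        return loss, recovery

    def impact(self, loss: dict[str, float]) -> float:
        """Weighted fraction of total service lost, in [0, 1]."""
        total = sum(n.weight for n in self.nodes.values())
        return sum(self.nodes[k].weight * v for k, v in loss.items()) / total

    def impact_by_sector(self, loss: dict[str, float]) -> dict[str, float]:
        """Same score broken down per sector, for the cross-sectoral view."""
        lost, total = defaultdict(float), defaultdict(float)
        for n in self.nodes.values():
            total[n.sector] += n.weight
            lost[n.sector] += n.weight * loss.get(n.name, 0.0)
        return {s: lost[s] / total[s] for s in total}

    def resilience(self, loss, recovery, horizon_hours: float) -> float:
        """Normalised area under the functionality curve over the horizon.

        Assumes each node recovers linearly over its effective recovery time,
        so each lost service contributes a triangle of (loss * time / 2) lost
        service-hours. 1.0 means no disruption; lower means deeper or longer.
        """
        total = sum(n.weight for n in self.nodes.values())
        deficit = 0.0
        for name, frac in loss.items():
            r = min(recovery[name], horizon_hours)
            deficit += self.nodes[name].weight * frac * r / 2.0
        return 1.0 - deficit / (total * horizon_hours)


def risk(likelihood: float, impact: float) -> float:
    """Classical formulation mentioned in the article: likelihood x impact."""
    return likelihood * impact


def build_example_model() -> DependencyModel:
    """Constructed sample: a grid operator, a water utility, a hospital and
    the households they serve (hypothetical names, weights and figures)."""
    m = DependencyModel()
    m.add_node(Node("substation", "GridCo", "energy", 1.0, 24))
    m.add_node(Node("water_pump", "WaterCo", "drinking water", 1.0, 24))
    m.add_node(Node("hospital_power", "CityHospital", "health", 1.0, 6))
    m.add_node(Node("emergency_care", "CityHospital", "health", 3.0, 12))
    m.add_node(Node("households", "community", "community", 2.0, 48))
    m.add_dependency("hospital_power", "emergency_care", 1.0)  # intra-entity
    m.add_dependency("substation", "water_pump", 1.0)          # cross-sector
    m.add_dependency("substation", "hospital_power", 0.4)      # generators cover 60 %
    m.add_dependency("substation", "households", 1.0)          # towards the community
    m.add_dependency("water_pump", "emergency_care", 0.5)
    m.add_dependency("water_pump", "households", 0.7)
    return m


def flash_flood_scenario(horizon_hours: float = 72.0, likelihood_per_year: float = 0.05):
    """Flash flood takes the substation fully offline; likelihood is assumed."""
    m = build_example_model()
    loss, recovery = m.cascade({"substation": 1.0})
    imp = m.impact(loss)
    return {"loss": loss, "impact": imp, "impact_by_sector": m.impact_by_sector(loss),
            "risk": risk(likelihood_per_year, imp),
            "resilience": m.resilience(loss, recovery, horizon_hours)}


if __name__ == "__main__":
    for key, value in flash_flood_scenario().items():
        print(f"{key}: {value}")
```

In the constructed scenario the hospital's emergency care loses 50 % of its service through the water utility rather than through its own (generator-backed) power feed, and every downstream node inherits the substation's 24-hour repair time, which is the kind of cross-entity effect a per-entity assessment would miss. The indicator values themselves are only meaningful relative to other scenarios run on the same model.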