Frag Out! Magazine

Frag Out! Magazine #35


Issue link: https://fragout.uberflip.com/i/1446249


Page 62 of 207

The Critical Infrastructure protection system consists of six components:

1. Actual security activities - organizational and technical security measures minimizing the risk of disruption of the operation of critical infrastructure caused by persons potentially committing the act of trespassing;
2. Technical security - procedures minimizing the risk of disruption of processes taking place at such facilities;
3. Personal security - activities aimed at mitigating the risk of an employee or authorized parties disrupting the functioning of the enterprise, or the system;
4. ICT security - activities aimed at minimizing the risk of disruption of critical infrastructure as a result of the impact on control systems, ICT systems, and networks;
5. Legal security - actions and procedures protecting the given enterprise from legal actions taken by third parties;
6. Plans for continuity of operations and recovery, understood as a set of organizational and technical activities aimed at maintaining and recovering the functioning of the critical infrastructure.

The protection of the critical infrastructure involves, on one hand, the operators of the said infrastructure, and on the other, the Ministers responsible for the critical infrastructure systems, the Council of Ministers, Voivodeship authorities, secret services (Internal Security Agency [ABW] above all), as well as local authorities. The primary role is assigned to the Government Center of Security, which defines the directions and coordinates the activities around the security of the Critical Infrastructure. It should be noted that security shall be handled, primarily, by the operator or the owner of the given facility. In the case of the Critical Infrastructure the non-sanction approach may be used - a rarity in the Polish practice - where the public administration and the operators are co-responsible, work together, and trust each other when securing such facilities.

The Crisis Management act quoted here imposes an obligation on the operators of the Critical Infrastructure to develop security procedures, including a security plan for the Critical Infrastructure. The relevant requirements within that scope are regulated by a Regulation issued by the Council of Ministers [Cabinet] on April 30th, 2010. The plan is co-arranged with several entities at the Voivodeship level, and with the relevant Ministry. Ultimately, it is subject to the approval of the Government Center of Security. This is important, given the fact that measurement of the security level applicable to Critical Infrastructure is complex. No credible assessment model is available here. Currently, the following measurement tools are employed to define the accomplishment of the National Programme for Protection of the Critical Infrastructure objectives: approved security plan, critical infrastructure security status audit, structural and budgetary changes, exercise operations involving security and rescue services.

The critical infrastructure is not understood well at the social level. Security experts often mistake the Critical Infrastructure for the category of facilities that shall be protected by obligation (Act issued on Aug. 22nd, 1997, on Protection of Persons and Property), or suppliers of key services (Act issued on July 5th, 2018, on National Cybersecurity System). Interestingly, the current statutory law defines an industrial facility, such as a pipeline plant, power station, or transport infrastructure like an airport, as Critical Infrastructure that is subject to obligatory protection, but it may also serve as a supplier of the so-called key services. The very same facilities may be classified as ones having a peculiar meaning for national defense and security (as the so-called Category II objects, as per Regulation of the Council of Ministers issued on June 24th, 2003). In such a situation, a layman cannot differentiate between these terms. Meanwhile, any security expert employed by the given enterprise needs to be aware of the situation, and fulfill several obligations imposed on the owner or the managing party.

When speaking of airborne threats that the critical infrastructure is exposed to, one needs to remember that these vary depending on circumstances: peacetime, crisis, and wartime.
