Frag Out! Magazine

Frag Out! Magazine #43

Issue link: https://fragout.uberflip.com/i/1517379

Page 93 of 135

defined as sector criteria, describing the possible ramifications involved in the destruction or loss of the given facility, system, or hardware, in particular referring to the loss of human life, financial effects, international impact, or uniqueness.

Hence, one may suspect (since, again, the list of facilities is classified) that not every element of the natural gas system is counted as critical infrastructure. However, the transshipment terminal in Świnoujście is certainly listed as a part of critical infrastructure. It is the only facility of its kind, and it meets the "uniqueness" criterion. The energy grid is similar. A local switching station would not be listed as an element of critical infrastructure, which probably cannot be said about the power plants (especially the biggest ones).

To make the matter even more convoluted, one needs to mention the third type of objects considered to bear a critical significance. Based on the regulations applicable in the domain of national defense (the Act on Homeland Defense these days, the Act on Universal Duty to Defend the Republic of Poland in the past), there exists a term defining particularly important objects in the area of state defense and security.

That group includes, among other facilities:

• Facilities that manufacture, overhaul, and store armament, military equipment, and munitions,
• Facilities of the Polish Ministry of Defense, bodies subordinated to and supervised by the Polish Ministry of Defense, facilities of the military and civil intelligence services,
• Bridges, viaducts, and tunnels that are a part of road and railway network portions relevant for defense,
• Communications infrastructure elements, including postal service and ICT enterprise facilities, destined to fulfill national security or defense tasks,
• Key elements of the infrastructure used to transport crude oil, fuels, and natural gas, facilities for storing LNG,
• Power plants and CHP power plants, power grid substations that bear a strategic relevance for the national power grid.

The additional division into 1st and 2nd categories applies to facilities significant in the defense and security domain.

It is obvious that many of the aforesaid categories remain similar to, or aligned with, the provisions outlined in the regulations pertaining to critical infrastructure. As in the case of critical infrastructure, for a given facility to be viewed as relevant for defense or state security, it needs to be entered into a relevant list, managed by the Minister of Defense. The above is not exhaustive, as other categories are also relevant here. A "railway of state significance" exists in Polish law, but it is not synonymous with a railway that bears defense significance. Finally, to make matters even more convoluted (maybe so that the enemy is unable to grasp the nature of the critical infrastructure), the cybersecurity space defines a legal category of key service providers. That category does not refer only to businesses working solely in the ICT domain, but also to enterprises working in mining, pharmaceuticals, air transport, or energy.
Again, certain categories apply here, defining whether the given mine or airline renders the key services or not. And this time these criteria are included in a public regulation.

However, the matter is not limited to Polish law. European law now includes a directive on the resilience of critical entities, also known as the Critical Entities Resilience Directive. It features a set of definitions somewhat different from those in Polish law. Critical infrastructure is defined there as the infrastructure required to render the essential (key) "service which is crucial for the maintenance of vital societal functions, economic activities, public health, and safety, or the environment", while entities rendering those services are referred to as "critical". The directive is important because it introduces pan-European standards for identifying essential services, risk management, and resilience, although a description of its impact is already a topic for a separate article.

One should note, however, that the level of legal complexity and the sheer number of names of facilities is a major and obvious issue here. And this is not limited just to the formal issues. In general, any facility mentioned here requires some kind of protection. This involves the preparation of security plans, and then the application of the listed measures, from the physical security point of view as well as when it comes to technical means (such as CCTV), not to mention other activities. For instance, when we are dealing with cybersecurity, the operating entity is responsible for assessing the risk and implementing adequate security means. Furthermore, the said entity shall also bear responsibility for detecting and reporting the incidents.
In other words, if the given enterprise or institution manages a critical/essential system, it is its responsibility to employ efficient ICT hardware, use software that is up to date, employ adequate security means, and react to attempts made to hack into the system that it is managing.

www.fragoutmag.com
