Keeping the devil out of the details

The ancient Roman aqueducts were a triumph of engineering, yet when the Empire started to crumble the graceful arches turned out to be its weakest point, most open to attack.

Today’s technology has left the aqueducts far behind, but the irony is that we are even more vulnerable than our Roman predecessors.

We rely on a sophisticated electric energy infrastructure to bring us water, light, heat, and the power to run the many tools and devices we use almost every minute of our waking lives. If it were to stop functioning, so would life as we know it.

The advent of information and communications technology (ICT) has raised this vulnerability a further notch. Smart power grids, driven by computers, make energy transmission safer as they can register any disturbance along the supply lines in real time. But they are also open to cyber-attack, be it from hackers, disgruntled employees, competitors– or terrorists.

Our energy infrastructure is definitely something we take for granted. If we are asked: what is your biggest security concern? we are likely to answer “the economic crisis”, “faltering social insurance systems”, “instability in neighbouring regions”, “uncontrolled migration”. No one is going to say they lie awake at night thinking the light switch might not go on in the morning. We might get a little worried if our coffee maker doesn’t work, the streets are dark, the trams are not running and the computers at work are all down.

The damage from a sustained attack on our infrastructure would spread very wide. One thing spills over to another – the so-called cascade effect. It may take a little time, but within days aircraft control systems would be down, transport come to a standstill, hospital life support systems cease to function.

A report released by the United States National Academy of Sciences last year stated that an attack on the national power grid could cause blackouts for months and lead to hundreds or even thousands of deaths.

The fact that such an outage might be caused by a cyber-attack adds to the danger. If the attack were on-going, standard recovery mechanisms that kicked in might cause the same damage to be done again, as long as the root cause was not eliminated.

But these scenarios are unlikely to happen. And that’s as it should be. Because if they ever did, as with the attack of the Germanic tribes on the aqueducts of Rome and Cologne, it would be too late to do much about it.

The lesson we need to learn is that it is crucial to be aware of the vulnerability of the infrastructure we rely on. We need to invest thought, time and money into its protection.

The Action against Terrorism Unit of the OSCE’s Transnational Threats Department has recently released a good practices guide to encourage just that approach among OSCE participating States. It provides governments and the private energy sector with policy guides and best practices for the protection of critical energy infrastructure, with a special focus on potential terrorist attacks coming from cyber-space.

Calculating risk

The key to ensuring that a disaster will never happen is minimizing the possibility that it could. Our critical energy infrastructures are enormously complex, with many interrelated physical, human and information systems. If we wish to be prepared for all eventualities, we need to identify and assess every dangerous event, scenario or development that could possibly occur. We need to calculate the risk.

Luckily, a lot of work has been done to make this task an easier one. The good practices guide provides valuable information on tools that are available for managing risk, such as the procedures developed by the International Organization for Standardization (ISO), including the ISO 27000 series focusing specifically on energy infrastructure. These standards are constantly evolving, as indeed they must to keep up with the fast-paced advances in energy technology.

Partnerships

As the main responsibility for maintaining infrastructure is in private hands, private-public partnerships have become the mantra of critical energy infrastructure protection.

The Swiss government and industries have set an excellent example by developing critical infrastructure protection roundtables among different public agencies on the one hand, and business continuity management among private companies on the other, and harmonizing the risk management procedures of the two.

The United States Department of Homeland Security’s National Infrastructure Protection Plan enables collaboration between private industry representatives in Sector Co-ordinating Councils and the various levels of government in Government Co-ordinating Councils.

The OSCE, as a forum that brings governments, business representatives, experts and civil society together can encourage exchange, build political will and assist with building capacity for the protection of critical energy infrastructure. And it can help raise awareness, as with this guidebook.

Its message, in a nutshell is: we need to make our infrastructure resilient. Starting from the assumption that any harmful act that can be done will eventually be attempted, we need to put the mechanisms in place to ensure that if and when that happens, it is not going to bring the infrastructure down.

Download the Good Practices Guide on Non-Nuclear Critical Energy Infrastructure Protection (NNCEIP) from Terrorist Attacks Focusing on Threats Emanating from Cyberspace at www.osce.org/atu/103500