Policy recommendations

As a result of the project, IRGC developed recommendations for improving the risk governance both of critical infrastructures in general and of the five specific infrastructures that were studied.

IRGC’s general recommendations include:
• A legal mandate for specific system structures and capabilities, and independent monitoring of compliance with these requirements;
• Provision of institutions, involving all relevant players, to supervise infrastructures (while avoiding over-regulation);
• Encouragement of methods that can lead to the growth of effective standards without the need for regulation, such as certification and insurance; and
• Mandating of levels of investment in R&D that will help infrastructure providers address issues of security and reliability.

Dependencies of critical infrastructures

Specific recommendations for each infrastructure include:

Electric power supply
Directives and goals (e.g. the EU electricity market Directives and Regulations), national legal and regulatory institutions as well as policy provisions remain primarily market-focused. Reliability criteria are often traded off against other important factors in liberalised markets.

Therefore:
• Security of continuous supply should be addressed more explicitly and become a new overarching principle. Strategies to ensure an appropriate level of protection and resilience need to be promoted.
• Top-down political decision- and rule-making processes should be revisited to include an appropriate level of technical analysis and dialogue with stakeholders. Different governance approaches are needed that not only embrace all major players (including end-user groups) but also address key challenges (for example tariff structures to ensure adequate levels of investment and to establish financial risk transfer mechanisms).

Gas supply
• There is a need to establish and make available an easy-to-use information system covering the location of gas pipelines, mainly to be used by civil engineering workers and emergency forces.

Water
• Develop systems and measures to improve the monitoring of water and sewage systems.
• Restrict human access to critical water system components, including water works and end-of-distribution systems.
• In particular, dams should be adequately protected against terrorist attacks.

Rail
• Revise and upgrade intergovernmental standards on security, quality assurance, education, and training, etc., in order to cope with the more challenging use of the railway system (higher density of timetables, tighter safety margins) and new threats (trans-border transport of dangerous goods and devices).
• More effective technical, organisational and socio-political measures against malicious attacks should be carefully considered and balanced against social values such as privacy, open society and comfort.

Communication and information (Internet)
• System owners, operators and users should strive for, and share the undertaking of, the organisational and technological measures needed to reduce the Internet’s vulnerabilities.
• Until efforts to increase the security of the public Internet are successful, it should not be used for any function which is vital to the supervision, operation, or control of any critical infrastructure. Instead, dedicated communication systems should be employed that involve no logical link to publicly accessible computer systems and networks.