Critical Infrastructure Protection (1995 – current)
Over the years, TNO has played a major role in policy preparation for the Dutch government on Critical Infrastructure Protection or CIP, and Critical Information Infrastructure Protection or CIIP. In addition, much groundbreaking research in the CIP/CIIP field has been carried out for the European Union. Both the CIP and CIIP topics are related and intertwined. For reasons of readability, however, both topics will be discussed on separate web pages from about 2004 onwards.
In the mid-1990s, the Physics and Electronics Laboratory TNO (TNO-FEL) carried out research into Cyber Warfare and Information Operations. The rapidly increasing use of information and communication technology (ICT) and the dependency on ICT in our society, including the Armed Forces, provide societal opportunities but also a risk: information and information systems as a target, means and weapon.
The millennium transition highlighted the potential ‘Y2K bug’ problems in ICT. We were surprised that our society continued with ‘business as usual’ where the risk of ICT disruption increased daily. This was the reason for TNO to work on the vulnerability of ICT and critical dependencies in our society.
Infodrome and the Vulnerability of the Internet (KWINT)
In the spring of 2000, TNO developed a discussion paper for the Dutch government program Infodrome entitled ‘In Bits and Pieces’ (Bitbreuk) about the societal impact of ICT disruptions. Infodrome aimed to provide an impetus for the possible role of the government in the information society.
As a result of this discussion, Stratix and TNO-FEL investigated the vulnerability of the (Dutch part of the) Internet (KWINT) for the Dutch government in the period July and February 2001.
As a result of the Stratix/TNO KWINT report, the Netherlands was the first country in the world to conclude that the Internet is a national critical infrastructure. In addition, the KWINT program started under the public-private flag of ECP.NL in July 2001. One of the KWINT recommendations was to establish a nationally operating computer emergency response team (CERT). CERT-RO (RO being an abbreviation for the government) was established on 4 June 2002. The abbreviation RO, however, was confusing given the ISO two-letter code (ISO alpha-2) for Romania. Therefore, CERT-RO was quickly renamed GovCERT.nl.
In May 2001, the KWINT report produced the Wijn motion in the House of Commons of the Dutch Parliament. The (second) Minister of the Interior was pressed to investigate the broader ICT vulnerabilities of the Netherlands. Lacking finances, the Minister did not carry out the motion.
Start of Critical Infrastructure Protection in the Netherlands
In the months after 11/09, the government developed a counterterrorism action plan. Action line 10 involved researching the protection of the critical infrastructure of the Netherlands, including ICT, with a focus on processes instead of objects. On 11/09, the government discovered that all plans for the protection of objects critical to society still dated from the Cold War period and had not been maintained. In the same period, the privatisation and deregulation of sectors like energy, telecom and rail had taken place.
In early 2002, TNO was commissioned to conduct a quick scan on critical infrastructure protection; the first phase of the government approach. We thought we could build on millennium project materials of the various ministries. Those turned out not to be archived properly and were not accessible; after all, the Y2K problem ended with a hiss. The quick-scan report, based on information from all ministries, identified ten critical sectors and 31 vital products and services. Since major chemical and nuclear incidents may impact other critical infrastructures heavily (e.g. hospitals, evacuations on the transport infrastructure), they were added as a risk factor in the next step.
National and international
The KWINT and the Quick-scan studies attracted interest from other European countries which struggled with the same questions after 11/09. Within the EU, the issue of CIP started to appear on research and policy agendas. Since then, TNO Waalsdorp worked at the forefront of developments for both the Dutch government and the European Union. TNO was involved in knowledge transfer to other nations.
For CIIP, please continue reading the CIIP page.
Below are descriptions of some of our CIP projects:
- The EU FP5 project Analysis & Assessment for Critical Infrastructure Protection (ACIP) from mid-2002 until mid-2003.
- BSIK/Next Generation Infrastructures program of the Technical University Delft (2004 – 2008): analysis of critical infrastructure dependencies and the risk of cascade failure. A key publication from this research is Van Eeten, M., Nieuwenhuijs, A., Luiijf, E., Klaver, M., Cruz, E., The State and the Threat of Cascading Failure across Critical Infrastructures: The Implications of Empirical Evidence from Media Incident Reports, Public Administration, Vol. 89, No. 2, 2011, (381-400).
- EU Preparatory Action for Security Research (PASR) project Vital Infrastructure Threats and Assurance (VITA) from December 2004 to August 2006. Within VITA, TNO Waalsdorp developed a unique, flexible and extendable threat taxonomy for vital infrastructure. Layer 1: 200 (now 501) threats for critical infrastructures of all kinds; layer 2: the subset of threats involving a person; layer 3: the selection of deliberate human actions (vandalism, crime, terrorism, etc.).
  In addition, a computer-assisted scenario exercise was developed with the failure of electricity and other utilities due to terror attacks and resulting cascading failure effects. The exercise took place in the operator training centre of the TSO Red Eléctrica de España. Part of the project also measured physiological (stress) parameters of the head operator and, using special glasses, the operator's eye movements across multiple monitor screens.
- Introduction and organisation of the VISEGRAD seminar/workshop on Critical Infrastructure Protection, Balatonföldvár, Hungary, June 17-18, 2006.
- The EUropean Risk Assessment Methodology (EURAM) project from December 2006 to November 2007 and the FP7 follow-on project EUropean Risk Assessment and COntingency planning Methodologies for interconnected energy networks (EURACOM) from July 2009 until March 2011 (final report) worked on the development of a risk analysis method that scaled from inside a company up to and including cross-sector and across national boundaries. The methodology made it possible to incorporate results from existing risk analyses made with other methods.
- Development and exercise control of a NATO Euro-Atlantic Partnership Council/PfP/MDI/ICI Table Top eXercise (with simultaneous translation in French) about CIP in Sofia (2007).
- FP7 Integrated Risk Reduction of Information-based Infrastructure Systems (IRRIIS) from 2006 until 2009. This project coupled multiple simulated critical infrastructures using middleware. Demonstrations were held using a scenario with simulated outages of multiple dependent infrastructures in Rome, Italy.
  Objectives:
  - reducing the risk of cascade failures,
  - improving the situational awareness between network control centres of various critical infrastructures while anticipating developing threats, e.g. flooding by a weather bomb,
  - simulating critical infrastructures, known causes of error, and infrastructure dependencies.
- Design of an Interoperable European federated Simulation network for critical InfraStructures (DIESIS), EU Infrastructures, February 2008 until May 2010. In DIESIS we developed the first analysis for the establishment of an EU Infrastructure Simulation and Analysis Centre (EISAC). A small-scale CIP simulation demonstration was performed.
- Participation in the European Security Research and Innovation Forum (ESRIF) working group 2 on critical infrastructure protection (September 2008 until June 2009).
- EU Home Affairs EPCIP program: between April 2010 and June 2011, the development of RECIPE: Good Practices manual for CIP policies, for policymakers in Europe [JLS/2009/CIPS/AG/C1-036] discussing the following topics:
  - How to identify CI?
  - The role of dependencies in CIP
  - Public-private partnerships
  - Information Sharing
  - The role of risk management in CIP
  - The role of crisis management in CIP
- Research for WODC on ‘Intersectorale afhankelijkheden: Buitenlandse methoden en mogelijke toepasbaarheid in Nederland’ (2013).
- Research into climate adaptation and the critical infrastructure sectors of energy, ICT and transport (2014).
- An EU FP7 Network-of-Excellence project Critical Infrastructure Preparedness and Resilience research Network (CIPRNet) 2014 – 2017.
  CIPRNet developed a European CIP research network, business models for a pan-European Infrastructures Simulation and Analysis Centre (a.k.a. EISAC) and performed CIP/CIIP knowledge transfer:
  - Managing the Complexity of Critical Infrastructures (free book)
  - Glossary on CIP/CIIP terminology: CIPedia.eu
  - A business model for EISAC.eu and national EISAC nodes
  - The Establishment of 2E!SAC.
- The EU project RESIN (May 2015 – November 2018) was an interdisciplinary, practice-based research project investigating climate resilience in European cities. Through co-creation and knowledge brokerage between cities and researchers, the project developed practical and applicable tools to support cities in designing and implementing climate adaptation strategies for their local contexts. The project compared and evaluated the methods for climate adaptation planning to move towards formal standardisation of adaptation strategies.
- Scenario development for the EU VITEX exercise regarding disrupted critical infrastructure (2016). The after-action exercise guide with the lessons identified can be found here.
- In close collaboration, the Ministry of Justice and Security, the critical infrastructure commission of VNO-NCW, and TNO carried out research into the development of supporting instruments for the benefit of the critical infrastructure policy (VITAP project; 2015 – 2018).