Foresight Security Scenarios –

Mapping Research to a Comprehensive Approach to Exogenous EU Roles

Problem space report:

Critical infrastructure & supply chain
protection

Deliverable 5.1

Cross-border Research Association (CBRA)

January 2012

FOCUS is co-funded by the European Commission under the 7th Framework Programme, theme "security",
call FP7-SEC-2010-1, work programme topic 6.3-2 "Fore sighting the contribution of security research to
meet the future EU roles".
2 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

FOCUS (“Foresight Security Scenarios – Mapping Research to a Comprehensive Approach to

Exogenous EU Roles”) aims wide but with concrete policy guidance in mind: namely to define the
most plausible threat scenarios that affect the “borderline” between the EU’s external and internal
dimensions to security – and to derive guidance for the Union’s future possible security roles and
decisions to plan research in support of those roles.

The FOCUS project is co-funded under the Security Research theme of the EU’s 7th EU
Framework Programme, for the period of April 2011 to March 2013. FOCUS brings together 13
partners from 8 countries, including universities, industry, think tanks and security information
providers. For more information about FOCUS, and to download presentations and multi-lingual
project flyers, as well as to access the foresight platform with online questionnaires, please visit the
project website at http://www.focusproject.eu.

Imprint

Responsible project partner:

Cross-border Research Association (CBRA)

Authors:

Ana Lozano Lima, [email protected]

Dana Prochazkova, [email protected]
Diego Fernandez Vazquez, [email protected]
Emilio Campos, [email protected]
Fernando Kraus, [email protected]
Juha Ahokas, [email protected]
Juha Hintsa, [email protected]
Luca Urciuoli, [email protected]
Ricard Munné, [email protected]
Sangeeta Mohanty, [email protected]
Tamanna Khan, [email protected]
Todor Tagarev, [email protected]
Toni Männistö, [email protected]
Uwe Nerlich, [email protected]
Venelin Georgiev, [email protected]

FOCUS Website

http://www.focusproject.eu
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 3

Version history

0.1 01/01/2012 Partners inputs merged LU, TK, JA, TM, CBRA,
All partners

0.11 09/01/2012 Introduction, approach and report structure LU, JA, CBRA

0.12 09/01/2012 References added to introduction JA, CBRA

0.13 10/01/2012 Format, style, development of bibliography in word citation, LU, TK, SM, CBRA
APA format.
0.14 11/01/2012 EU roles updated TM, CBRA

0.15 18/01/2012 SCS edited TM, CBRA

0.16 20/01/2012 Added inputs by INTA, ATOS and ISDEFE LU, CBRA

0.17 22/01/2012 Added, list of questions JH, LU. CBRA

0.18 24/01/2012 CVUT contribution added, editing chapters 1,2,3,4,5. LU, CBRA

0.19 26/01/2012 Editing of chapters 8, 10, 11, 12, 13 LU, CBRA

0.2 26/01/2012 Conceptual analysis and supply chain security sections JH, JA, CBRA
improved
0.21 27/01/2012 Critical supplies expanded, Alexander comments followed LU, CBRA

0.22 30/01/2012 Editing of format, style, citations. New versions of chps 2,6, 8, LU, JH, JA, CBRA
and 9
1.0 31/01/2012 Version for final check by coordinator LU, CBRA

1.1 31/01/2012 Version for submission LU, CBRA

4 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

Executive Summary

In industrialized societies infrastructures are highly depending on information and communication

technology (ICT). Advanced information systems enable to control logistics networks, financial
transactions, and distribution of safe drinking water, emergency services and air traffic. Developing
technologies and novel critical infrastructure solutions (e.g. smart grids) will generate new patterns
and qualities of vulnerabilities and threat options. Intrinsic complexity of critical infrastructure
systems increases its vulnerabilities - and also opportunities to exploit them for criminal purposes.
Cyber-risk countermeasures require solutions, which work fast and across disciplines, commercial
sectors and government administrations, including those of home affairs and law enforcement,
defence, economy, environment, health and legislation. Although the importance of critical
infrastructure and cyber-security is well recognized in public speeches, national programmes and
the EPCIP, benefits of current initiatives are so far limited mainly to loose cooperation and
information exchange without binding contracts. Effective cyber protection and defence need
binding international and global rules, because all major infrastructures operate internationally or
globally, and threats can originate from any place in the world. Voluntary action will not suffice.

During the last decades the discussions regarding critical infrastructure and supply chain protection
have revolved around the same topics. The discussion underlines necessity of critical infrastructure
and critical supplies for modern societies and massive impacts of disruptions and failures on
society (e.g. loss of lives, public disturbances and economic damages). Public and private
partnerships and international cooperation are recognized as a prerequisite. Previous studies have
elicited the state of the art of general risk assessments, trends, vulnerabilities and
interdependencies, different approaches in EU member states, requirements for crises
management and awareness building, deficits in organizational, technological and political
strategies and countermeasures among others. However the discussion and research lacks
realistic look into the mid-tem future concerning threats, technological and structural risks, political
strategies and countermeasures and new forms of cooperation between industry and
governments. Discussions do not consider possible changes in technology, economic and social
changes, changes in values, ideologies and beliefs that reform societies and risks in the future
timeframes.

Policy development in the fields of critical infrastructure protection, supply chain security and
security of supply calls for support by well-focused research. This problem space report has
identified three critical future themes for future EU-level research. First, there is the need to
conduct detailed assessment on interdependencies in the European Critical Infrastructure system.
Special attention should be paid on linkages between European Critical Infrastructure and
infrastructure located in third countries. Second, future research should compile a comprehensive
catalogue of critical supplies for the European economy and investigate factors that could disrupt
supply of these materials to the EU in detail. Third, more research is needed to analyse how the
new mandate of the Lisbon treaty together with enhanced capabilities of the EU could change the
EU’s role in foreign politics, and more interestingly, how the EU could use its growing political
power to secure its interests in third countries.

The entry into force, in December 2009, of the Lisbon Treaty opened up a new chapter of activities
driven by Europe in security affairs. Specifically, the Treaty set out rules and means for member
states to act as one entity. A specific area is the legal basis for humanitarian aid in third countries.
It is now possible to release quickly any urgent financial aid to these countries. In addition, the
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 5

Treaty requires the Union to consider the impact of all of its policies on less developed countries.
Despite the many advantages brought, some experts believe that hitherto the Treaty has
insufficiently addressed external dimensions of its energy policies. Therefore this report discusses
what further actions should be explored in subsequent FOCUS foresight.

A high degree of interdependencies of critical infrastructures has been pointed out in many
scientific contexts as well as in past FP7 projects. In this report we highlight the close relationship
between critical infrastructures and supply chains. By means of a realistic case of food supply
system from the National Emergency Supply Agency (NESA), in Finland, we show how supply
chains depend on transport infrastructures, energy supply and ICT. At the same time we point out
how critical infrastructures depend on the performance of supply chains. This provides innovative
ground for subsequent FOCUS foresight.

Finally, this study has shown that the definition of European critical supplies is rather
underdeveloped and need more research. In some contexts critical supplies are limited to 14
critical raw minerals whose production is concentrated in few countries outside EU. These raw
minerals are today used in the production of products or energy vital for European communities.

The deliverable is based on the understanding that it provides a problem space description that
naturally includes a couple of aspects, including policies and capabilities of different kind. This
problem space description provides an information background and derives questions for
subsequent FOCUS foresight work. FOCUS foresight work will fully take place in the context of
civil security research as defined in the 7th EU Framework Programme. Because FOCUS is not
defined as a policy-related project, it will not further address policies, and as a civilian security
research project, it will not perform foresight related to defence and military aspects of security.
6 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

CONTENTS
1 INTRODUCTION ................................................................................................................... 11
1.1 OBJECTIVES ..................................................................................................................... 11
1.2 APPROACH....................................................................................................................... 12
1.3 REPORT STRUCTURE ........................................................................................................ 13
2 SHORT DESCRIPTIONS OF THE THEMES ......................................................................... 15
2.1 CRITICAL INFRASTRUCTURE PROTECTION ........................................................................... 15
2.2 SUPPLY CHAIN SECURITY .................................................................................................. 17
2.3 CRITICAL SUPPLIES – PRODUCTS AND SERVICES ................................................................. 18
3 KEY DEFINITIONS ................................................................................................................ 20
3.1 CRITICAL INFRASTRUCTURE PROTECTION .......................................................................... 20
3.2 SUPPLY CHAIN SECURITY MANAGEMENT ............................................................................. 25
3.2.1 Supply chain security management model ............................................................... 25
3.2.2 Supply chain security programs and regulations ...................................................... 27
4 REFERENCE TO PAST PROJECTS .................................................................................... 32
4.1 CYTEX............................................................................................................................ 32
4.2 DDSI ............................................................................................................................... 33
4.3 ACIP ............................................................................................................................... 33
4.4 CI2RCO .......................................................................................................................... 34
4.5 VITA ............................................................................................................................... 35
4.6 IRRIIS ............................................................................................................................. 36
4.7 OCTAVIO ....................................................................................................................... 36
4.8 SICMA ............................................................................................................................ 37
4.9 INSPIRE ......................................................................................................................... 38
4.10 COPE ............................................................................................................................. 39
4.11 CRITDEP & CRITERIA ........................................................................................................ 39
4.12 VALUESEC ....................................................................................................................... 41
4.13 LOGSEC......................................................................................................................... 42
4.14 COUNTERACT ............................................................................................................... 42
4.15 CASSANDRA ................................................................................................................. 43
5 LIST OF RESOURCES ......................................................................................................... 44
5.1 BOOKS............................................................................................................................. 44
5.2 ARTICLES ......................................................................................................................... 48
5.3 OTHER RESOURCES.......................................................................................................... 55
6 INITIAL CONCEPTUAL FRAMEWORK ................................................................................ 57
6.1 OVERVIEW ....................................................................................................................... 57
6.2 EU AND INTERNAL SYSTEM CHANGE.................................................................................. 60
6.3 ECONOMIC AND SOCIAL CHANGE....................................................................................... 60
6.3.1 Economic changes .................................................................................................. 60
6.3.1.1 Globalization and increased government activism ................................................ 61
6.3.1.2 Savings Gap......................................................................................................... 63
6.3.1.3 Global growth of consumers ................................................................................. 63
6.3.1.4 Booms and busts ................................................................................................. 64
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 7

6.3.1.5 Changes in demand and prices of energy and natural resources ......................... 64
6.3.2 Social Changes........................................................................................................ 66
6.3.2.1 Demographics ...................................................................................................... 66
6.3.2.2 Poverty and Social Exclusion ............................................................................... 67
6.3.2.3 Active Ageing ....................................................................................................... 67
6.3.2.4 Intra-EU mobility and enlargement impact ............................................................ 67
6.4 TECHNOLOGICAL AND ENVIRONMENTAL CHANGES............................................................... 67
6.4.1 Technology .............................................................................................................. 67
6.4.2 Environment ............................................................................................................ 68
6.5 CHANGING VALUES ........................................................................................................... 69
6.5.1 EU values ................................................................................................................ 69
6.5.2 Terrorism – values and ideologies ........................................................................... 70
6.6 CONCLUSIONS.................................................................................................................. 72
7 EU ROLES ............................................................................................................................ 74
7.1 OVERVIEW ....................................................................................................................... 74
7.2 EU BODIES ASSOCIATED WITH EPCIP ................................................................................ 78
7.3 CIP-CENTRIC INSTITUTIONAL FRAMEWORK IN EU ................................................................ 79
7.4 THE FOUR POLITICAL EU INSTITUTIONS .............................................................................. 81
7.5 EU POLICY AGENCIES ....................................................................................................... 84
7.6 BODIES ASSOCIATED WITH EU........................................................................................... 85
7.7 EU BODIES CONDUCTING FOREIGN POLICY ......................................................................... 85
7.8 PETERSBERG TASKS AND CIP, SCS AND SECURITY OF SUPPLY ........................................... 87
7.9 DECISION MAKING PRECEDING CRISIS MANAGEMENT ACTION ............................................... 88
7.9.1 Dual-use capabilities of the EU ................................................................................ 90
7.10 EU FOREIGN POLICY IN PRACTICE ...................................................................................... 91
7.11 SUPPLY CHAIN SECURITY RELATED EU ADMINISTRATIONS ................................................... 93
7.12 CRITICAL SUPPLIES EU LEVEL TRADE AGREEMENTS ............................................................ 94
8 IDENTIFICATION OF EXOGENOUS THREATS/CHALLENGES .......................................... 95
8.1 CRITICAL INFRASTRUCTURE .............................................................................................. 95
8.2 ICT CYBER SECURITY....................................................................................................... 96
8.3 SUPPLY CHAIN SECURITY ................................................................................................. 99
8.3.1 Review of INTERPOL crime areas ........................................................................... 99
8.3.2 Snapshot on geographies for illicit trade and logistics flows ................................... 102
8.3.3 European perspectives on supply chain crime (LOGSEC 2011) ............................ 103
8.3.4 Identifying 15 organized crime groups in 5 continents ............................................ 105
8.3.5 Examples of 5 European crime groups .................................................................. 106
8.4 CHALLENGES ................................................................................................................. 108
8.4.1 Critical Infrastructure Protection ............................................................................. 108
8.4.2 ICT Cyber Security ................................................................................................ 109
8.4.3 Piracy and armed robberies against ships ............................................................. 111
8.4.4 Terrorism and sea piracy ....................................................................................... 111
9 METHODS FOR CONDUCTING THEME-SPECIFIC RISK ASSESSMENTS...................... 113
9.1 CRITICAL INFRASTRUCTURE ............................................................................................ 113
9.2 SUPPLY CHAIN SECURITY ................................................................................................ 114
9.2.1 SARA model .......................................................................................................... 114
9.2.2 Customs risk management .................................................................................... 115
8 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

9.2.2.1 Overview ............................................................................................................ 115

9.2.2.2 Common risk management framework (CRMF) in the EU .................................. 117
9.3 CRITICAL SUPPLIES ......................................................................................................... 119
9.3.1 End-user view with critical supplies ........................................................................ 119
9.3.2 Import (into EU) analysis of all commodities .......................................................... 120
9.3.3 Critical raw materials identified by EC .................................................................... 124
9.4 ISO STANDARDS IN RISK MANAGEMENT AND SUPPLY CHAIN SECURITY................................ 126
9.4.1 ISO 31000 series on risk management .................................................................. 126
9.4.2 ISO 28000 series on supply chain security management ....................................... 126
9.5 RISK ASSESSMENT BASED ON SECTORIAL INTERDEPENDENCIES ........................................ 127
9.5.1 Overview................................................................................................................ 127
9.5.2 Food supply system ............................................................................................... 127
9.5.3 Suggestions for further cross-sector analysis......................................................... 128
9.5.4 End-user view to cross-sectorial interdependencies .............................................. 129
10 CHANGING BORDERLINES BETWEEN INTERNAL AND EXTERNAL SECURITY .......... 131
10.1 ACTIVITIES AND COOPERATION ........................................................................................ 131
10.2 SECURITY AND DEFENCE POLICY ..................................................................................... 131
10.3 ENERGY RELATED INITIATIVES ......................................................................................... 132
11 PROPOSED METHODS FOR FORESIGHT SCENARIOS .................................................. 136
12 INPUTS FOR SUBSEQUENT FORESIGHT SCENARIO ANALYSIS.................................. 138
13 LIST OF QUESTIONS ......................................................................................................... 140
13.1 QUESTIONS FOR FORESIGHT EU SCENARIOS .................................................................... 140
13.2 QUESTIONS FOR FUTURE SECURITY RESEARCH ................................................................ 142
14 RECOMMENDED RESOURCES......................................................................................... 144
15 BIBLIOGRAPHY ................................................................................................................. 147
ANNEX 1 .................................................................................................................................... 153

FIGURES AND TABLES

FIGURE 1. FOCUS METHODOLOGY: OUTLINE PROCESS (FOCUS DELIVERABLE 2.1, 2011).

................................................................................................................................... 12

FIGURE 2. THE 8-LAYER SCS MANAGEMENT MODEL (HINTSA, 2011). ................................. 25

FIGURE 3. ANALYTICAL FRAMEWORK TO IDENTIFY AND ASSESS CHANGES IN POLITICAL

ENVIRONMENT (ADAPTED FROM KANNINEN, 2007). ........................................... 58

FIGURE 4 DISTRIBUTION OF GLOBAL MANUFACTURING AND PRODUCTION 1750–2100 (%)

(ROUVINEN;VARTIA;& YLÄ-ANTTILA, 2007) ............................................................ 62

FIGURE 5 INVESTMENT DEGREE (%, FIXED INVESTMENTS IN RELATION TO GDP)

(ROUVINEN;VARTIA;& YLÄ-ANTTILA, 2007; UNITED NATIONS STATISTICS
DIVISION, 2007). ........................................................................................................ 62

FIGURE 6 NET IMPORTS OF NATURAL GAS, OIL AND SOLIDS BASED ON THE BASELINE
SCENARIO 2009 (CAPROS, MANTZOS, DE VITA, & KOUVARITAKIS, 2009) ......... 65
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 9

FIGURE 7. TIMELINE OF EPCIP-RELATED PUBLICATIONS AND LAWS. ................................. 75

FIGURE 8. SCOPE OF EPCIP DIRECTIVE. ................................................................................. 78

FIGURE 9. CHARACTERISTICS AND ROLES OF VARIOUS BODIES IN THE EU

INSTITUTIONAL FRAMEWORK................................................................................. 79

FIGURE 10. EU INFLUENCES OWNERS AND USERS OF CRITICAL INFRASTRUCTURE. ..... 80

FIGURE 11. EU CRISIS MANAGEMENT DECISION MAKING PROCESS. SOURCE. ................ 89

FIGURE 12 CYBER RISKS THREATS ISSUES AND PLAUSIBLE IMPACTS (SYSSEC, 2012)... 98

FIGURE 13 PRESENT CRIME THREATS (LOGSEC, 2011). ..................................................... 104

FIGURE 14 TERROR THREATS IN THE WORLD (PWC, 2011). ............................................... 112

FIGURE 16 HOW FIVE SPECIFIC DATA SOURCES COULD FEED INTO UPDATING OF “HIGH
RISK INDICATORS”. ................................................................................................ 117

FIGURE 17 10-STEPS CLOSED LOOP PROCESS ON HOW EU CRMF MAY FUNCTION. ..... 119

FIGURE 18 GEOGRAPHICAL SOURCES OF CRITICAL RAW MATERIALS (DG ENTR). ........ 124

FIGURE 19 RAW MATERIALS CLASSIFIED IN TERMS OF SUPPLY RISK AND ECONOMIC

IMPORTANCE (DG ENTR)....................................................................................... 125

FIGURE 20 CROSS-SECTORIAL INTERDEPENDENCIES. ...................................................... 130

FIGURE 21 PROPORTION OF FOOD AND LIVE ANIMALS IMPORTS TO EU27 IN € (LEFT

DIAGRAM) AND 100KG (RIGHT DIAGRAM)............................................................ 153

FIGURE 22 PROPORTION OF BEVERAGES AND TOBACCO IMPORTS TO EU27 IN € (LEFT

DIAGRAM) AND 100KG (RIGHT DIAGRAM)............................................................ 154

FIGURE 23 PROPORTION OF CRUDE MATERIAL, INEDIBLE, EXCEPT FUELS, IMPORTS TO

EU27 IN € (LEFT DIAGRAM) AND 100KG (RIGHT DIAGRAM). .............................. 154

FIGURE 24 PROPORTION OF MINERAL FUELS, LUBRICANTS & RELATED MATERIALS,

IMPORTS TO EU27 IN € (LEFT DIAGRAM) AND 100KG (RIGHT DIAGRAM). ........ 155

FIGURE 25 PROPORTION OF ANIMAL AND VEGETABLE OILS, FATS AND WAXES IMPORTS
TO EU27 IN € (LEFT DIAGRAM) AND 100KG (RIGHT DIAGRAM). ......................... 156

FIGURE 26 PROPORTION OF CHEMICALS AND RELATED PRODUCTS IMPORTS TO EU27 IN

€ (LEFT DIAGRAM) AND 100KG (RIGHT DIAGRAM). ............................................. 156

FIGURE 27 PROPORTION OF MANUFACTURED GOODS IMPORTS TO EU27 IN € (LEFT

DIAGRAM) AND 100KG (RIGHT DIAGRAM)............................................................ 157

FIGURE 28 PROPORTION OF MACHINERY AND TRANSPORT EQUIPMENT IMPORTS TO

EU27 IN € (LEFT DIAGRAM) AND 100KG (RIGHT DIAGRAM). .............................. 158

FIGURE 29 PROPORTION OF MISCELLANEOUS MANUFACTURED ARTICLES IMPORTS TO

EU27 IN € (LEFT DIAGRAM) AND 100KG (RIGHT DIAGRAM). .............................. 158
10 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

FIGURE 30 PROPORTION OF MISCELLANEOUS MANUFACTURED ARTICLES IMPORTS TO

EU27 IN € (LEFT DIAGRAM) AND 100KG (RIGHT DIAGRAM). .............................. 159

TABLE 1. EXAMPLES OF CRITICAL PRODUCTS AND SERVICES. .......................................... 18

TABLE 2. EU DEFINED CRITICAL INFRASTRUCTURE SECTORS (EUROPEAN COMMISSION,

2006). ......................................................................................................................... 76

TABLE 3. THE FOUR POLITICAL EU INSTITUTIONS. ................................................................ 82

TABLE 4. DGS THAT ARE STRONGLY ASSOCIATED WITH EPCIP MATTERS. ....................... 82

TABLE 5. MOST RELEVANT EU AGENCIES DEALING WITH CIP. ............................................ 84

TABLE 6. PRIMARY EU BODIES ENGAGED WITH THE FOREIGN AFFAIRS............................ 86

TABLE 7. EXAMPLES OF PRACTICAL DECISION MAKING PROCESS IN EU CRISIS

MANAGEMENT. SOURCE. ........................................................................................ 90

TABLE 8. ROLE OF EU AND MEMBER STATES IN INTERNATIONAL POLITICAL ARENAS

(ADAPTED FROM EMERSON ET. AL 2011).............................................................. 92

TABLE 9. LINKS BETWEEN INTERPOL CRIME AREAS AND SUPPLY CHAIN SECURITY. .... 100

TABLE 10. KEY ILLICIT ACTIVITIES AND MAJOR FROM-TO GEOGRAPHICAL FLOWS
(UNODC, 2010). ....................................................................................................... 103

TABLE 12 TAXONOMY FOR CRIME TYPES IN SUPPLY CHAINS (LOGSEC, 2011). .............. 105

TABLE 13. EXAMPLES ON WHAT MIGHT BE CONSIDERED AS “HIGH RISK INDICATORS”. 116

TABLE 14. KEY SUPPLY CHAIN STAGES AND CRITICAL INFRASTRUCTURE

DEPENDENCIES. .................................................................................................... 127
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 11

1 Introduction

This report outlines the problem space for critical infrastructure protection and supply chain
security. By using a metaphor, the problem space describes “board of the board game” and
suggests appropriate “players”. Thereafter game options and main developments are outlined by
choosing combinations of players’ visions, strategies and mutual interactions. Problem space
report captures manifold information and knowledge, which can be found in multiple sources.
Sources include for example academic papers, regulations, voluntary security programme files,
newspapers and consulting papers. They can describe policy evaluations, case studies,
conceptual models, personal testimonies and opinions in social media, surveys and opinion polls,
ethnographic studies and action research, amongst other types of content.

1.1 Objectives

The main objectives of the problem space report are the following:

To identify relevant (current and emerging) sectors of infrastructure. This will be done
following the relevant sectors from the EC Green Paper (2005): Energy, nuclear industry;
information and communication technologies; water; food; health; financial; transport;
chemical industry; research facilities, added by results of European debates on what type of
infrastructure can be considered a new candidate for “critical”, which includes waste and
waste management; public crisis management services and their key assets; national
symbols.

Identify interdependences of infrastructures, including supply chain.

To depict key EU roles, regulative elements and exogenous threat impacts.

To capture and prioritise the state of the art of the discussion concerning sector-specific
threats, reviews previous risk assessments and context scenarios and their results,
identifies used methods and stakeholder-specific foresight security needs.

To recognize current policies and operational practices, which build resilience into systems
under normal conditions.

To study causes of critical infrastructure (understood as system of systems) failures.

To discuss needs and rules for system of systems operation under emergency and critical
conditions.

To conceptualize the environment, where EU operates and makes strategic decisions.

To provide main resources and key definitions related to the big themes of this report:
Critical Infrastructure protection and Supply Chain Security.

To provide different stakeholders, especially the Future Groups, with a set of data and
information to start developing future scenarios.
12 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

1.2 Approach

The approach followed to develop the problem space for Critical Infrastructure Protection and
Supply Chain Security is based on the guidelines given in the FOCUS Deliverable 2.1. As shown in
Figure 1 below, the problem space development takes place in the early stage of the process to
develop the foresight theme scenarios.

In particular, the problem space is part of the scoping phase, aiming 1) to collect specific theme
related data by means of literature searches (research reports, studies, published papers and
books etc.), and 2) to elaborate and structure the information to facilitate screening as well as re-
use for the generation of future scenarios (FOCUS Deliverable 2.1, 2011). Rooting out and
discovering relevant information is research work where only some tools, tentative search
directions and goals can be described. However, searching for the “evidence” is not the biggest
challenge but structuring information in a way that everybody can contribute work and bring new
aspects, details and material into the process of problem space creation. Additionally,
comprehensive and rigorous review process implies that different phases are described in a
transparent way so that any expert could later repeat the problem space creation process
(Tranfield, Denyer, & Smart, 2003).

Figure 1. FOCUS methodology: Outline Process (FOCUS Deliverable 2.1, 2011).

To collect the relevant data and material for the problem space, “realistic review” approach
(Pawson, Walshe, Greenhalgh, & Harley, 2006) was followed. Realistic review strategy aims at
retrieving materials purposefully to answer specific questions. Hence, within this report, the main
steps have been the following:

Preparation of review questions. Review questions can be refined later when the process
advances and new aspects are learned.

Tentative source selection – get a feel for the sources – what is there, what form it takes,
where it seems to be located, how much is there and so forth. Each beneficiary is asked to
propose sources for the review.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 13

Systematic review process - reference collection and recording, also to avoid duplication of
work. Review matrix lists source type, full reference of the source and the name of the
beneficiary.

Review questions serve as an aid to analyse systematically different kind of literature purposefully
for problem space report. It doesn’t collect material for meta-analysis purposes. Partners are asked
to help to structure and formulate questions in order that questions form practical and
comprehensive tool to perform review work (Pawson, Walshe, Greenhalgh, & Harley, 2006).

During the tentative source selection collaborators are asked to select relevant sources, which
based on their own experience bring appropriate content for the problem space report and
addresses questions. First, every partner can choose a couple or more of sources for the review.
Secondly, partners can use keywords or follow references of references (“snowballing”) to search
more relevant sources. It’s important that sources are selected based on review questions and
content description defined in this document. Partners are asked to inform other collaborators,
which source they use for the review in order to prevent unnecessary duplication of work (Pawson,
Walshe, Greenhalgh, & Harley, 2006).

During the systematic review relevant data and information are extracted from several sources.
Every extraction is expected to illuminate theme-specific problem areas. ‘Extraction form’ confines
the type of the source, full reference and description, how the extraction addresses review
questions. Extractions can resemble ‘markings with a highlighter pen’ (Pawson, Walshe,
Greenhalgh, & Harley, 2006).

1.3 Report structure

The structure of the report follows the recommendations given in D2.1 FOCUS methodology report
with some slight additions and modifications to enhance the readability and re-usage by other
partners and work packages (FOCUS Deliverable 2.1, 2011).

Chapter 1. Introduction. The report’s background, purpose and approach are introduced.

Chapter 2. Short description of the themes. The themes of Critical Infrastructure Protection
and Supply Chain Protection / Supply Chain Security (the two terms used interchangeably)
are shortly described.

Chapter 3. Key Definitions. This chapter presents key definitions to be used as a part of the
FOCUS project. Definitions serve to create a common understanding of the topic. They
must be easily communicable, sufficiently rigorous and fit the purpose.

Chapter 4. Reference to past projects. Past research projects are shortly discussed and
relevant links with FOCUS-project are identified.

Chapter 5. List of resources. Literature from specialized books and relevant journals,
studies/reports carried by institutions, stakeholders and other interested parties

Chapter 6. Initial Conceptual analysis. This chapter consists of the initial conceptual
analysis in which different factors that may be influencing the EU role in Critical
Infrastructure Protection and Supply Chain Security are taken into consideration. These
14 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

factors include economic, social, political changes, policies, technological and

environmental aspects, and values.

Chapter 7. EU roles. This section outlines main EU roles involved in Critical Infrastructure
Protection and Supply Chain Security.

Chapter 8. Identification of exogenous threats / challenges. This chapter identifies a set og

exogenous threats to critical infrastructure and supply chains based on the literature and
the expert and stakeholder interviews that have been conducted so far.

Chapter 9. Methods for conducting theme-specific risk assessments. This chapter

describes methods for conducting theme-specific risk assessments, with practical
examples.

Chapter 10. Changing borderlines between internal and external security.

Chapter 11. Propose methods for CIP and SCS scenario foresight. This chapter discusses
theme/stakeholder-specific foresight scenario needs/methods to consider in this report.

Chapter 12. Inputs for subsequent foresight scenario analysis. Conclusions are drawn from
the collected material, to develop possible future changes of security, economy, technology
etc. Hence, this chapter constitutes a substantial input for the next step related to foresight
scenario analysis.

Chapter 13. Catalogue of questions for Experts / Future Groups.

Chapter 14. Recommended resources. This chapter provides a list of recommended

available online resources for preparing foresight scenario on the respective Big Theme (for
use by Future Group members).

Chapter 15. Bibliography. List of all references used in this report.

The present report is based on the understanding that it provides a problem space description that
naturally includes a couple of aspects, including policies and capabilities of different kind. This
problem space description provides an information background and derives questions for
subsequent FOCUS foresight work. FOCUS foresight work will fully take place in the context of
civil security research as defined in the 7th EU Framework Programme. Because FOCUS is not
defined as a policy-related project, it will not further address policies, and as a civilian security
research project, it will not perform foresight related to defence and military aspects of security.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 15

2 Short Descriptions of the themes

2.1 Critical infrastructure protection

Since historical time the fundamental function of the state is to ensure the existence and
sustainable development of human society, which is not possible without ensuring the “safe space”
– a space in which the human security level is acceptable. Human security depends on several
assets, including infrastructures. The term “critical infrastructure” is from the end of last century;
before, terms such as emergency supply; material and technical base of state; and emergency
functions were in use.

According to the European Commission (European Commission, 2004), Critical infrastructures are
those physical and information technology facilities, networks, services and assets which, if
disrupted or destroyed, would have a serious impact on the health, safety, security or economic
well-being of citizens or the effective functioning of governments in European Union (EU)
countries. Infrastructures whose incapacity or destruction could have a debilitating impact on the
defense and economic security of a country (President’s Commission on Critical Infrastructure
Protection, 1997). A very particular definition of Critical Infrastructure Protection is given in contexts
where risk management exercises are described, i.e. to the preparedness and response to serious
incidents that involve the critical infrastructure of a region or nation. More specifically, Critical
Infrastructure Protection is the ability to prepare for, protect against, mitigate, respond to, and
recover from critical infrastructure disruptions or destruction (European Commission, 2006).

European Critical Infrastructure may also address those infrastructures whose disruption or
destruction would significantly affect two or more Member States, or a single Member State
(Council Directive, 2008). In other words, the loss of a critical infrastructure element may be rated
by means of three elements (European Commission, 2006):

1. The extent of the geographic area which could be affected by the loss or unavailability of a
critical infrastructure element beyond three or more Member State’s national territories;
2. The effect of time (i.e. the fact that a for example a radiological cloud might, with time, cross
a border);
3. The level of interdependency (i.e. electricity network failure in one MS affecting another).

The sectors covered by the critical infrastructure are (European Commission, 2006):

Energy production and shipping;

Information and communication technology, and cyber infrastructure;

Water;

Food;

Health;

Financial;

Public and legal order and safety;

Civil administration;
16 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

Transport (air, rail, road, sea, ports, mass transit networks, traffic control systems);

Chemical and nuclear industry; and

Space and research.

National definitions of Critical Infrastructure – EU member states

Exploring the term of Critical infrastructure and its protection we found some slightly differences in
national definitions. The list below provides an overview of national definitions found within this
study:

Germany: “Critical infrastructures are organizations and facilities of major importance to the
community whose failure or impairment would cause a sustained shortage of supplies,
significant disruptions to public order or other dramatic consequences.” ( Federal Office for
Information and Security. )

Netherlands: “Critical infrastructure refers to products, services and the accompanying

processes that, in the event of disruption or failure, could cause major social disturbance.
This could be in the form of tremendous casualties and severe economic damage… ”.
(Ministry of Interior, 2005)

United Kingdom: “Critical National Infrastructure comprises those assets, services and
systems that support the economic, political and social life of the UK whose importance is
such that loss could: 1) cause large scale loss of life; 2) have a serious impact on the
national economy; 3) have other grave social consequences for the community; or 3) be of
immediate concern to the national government.” (United Kingdom Home Office Security)

Bulgaria: “System of facilities, services and information systems, the braking,

malfunctioning or destruction of which, would have a serious negative impact on health and
safety of population, environment, national economy or on the effective functioning of
government. (Crisis Management Law). Another reference points out that Critical
infrastructure is a component, system or parts thereof which are essential for the
maintenance of vital societal functions, health, safety, and security, economic or social
welfare of the population and the disruption, the destruction or failure to maintain these
functions would have significant consequences for the Republic of Bulgaria”. (Ordnance
#18: on the establishment and designation of European Critical Infrastructures in Bulgaria
and measures for their protection, 2011)

Czech Republic: “The critical infrastructures are infrastructures that are necessary for
human lives in normal, emergency and critical situations. They contain the following items:
energy power supply system, above all electricity supply; water supply system; sewer
system; transport net system; communication and information system; banking and
financial sector; emergency services (police, fire-fighting and rescue service, health
service); fundamental services (food supply, waste handling, social services, burial
services), industry and agriculture; state, regional and local administration” (Czech
Republic, 2002).
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 17

National definitions of Critical Infrastructure – rest of the world

Australia: “Critical infrastructure is defined as those physical facilities, supply chains,

information technologies and communication networks which, if destroyed, degraded or
rendered unavailable for an extended period, would significantly impact on the social or
economic well-being of the nation, or affect Australia’s ability to conduct national defence
and ensure national security.” (Australian National Security)

Canada: “Canada’s critical infrastructure consists of those physical and information

technology facilities, networks, services and assets which, if disrupted or destroyed, would
have a serious impact on the health, safety, security or economic well-being of Canadians
or the effective functioning of governments in Canada.” (Public Safety Canada)

United States: The general definition of critical infrastructure in the overall US critical
infrastructure plan is: "systems and assets, whether physical or virtual, so vital to the
United States that the incapacity or destruction of such systems and assets would have a
debilitating impact on security, national economic security, national public health or safety,
or any combination of those matters." For investment policy purposes, this definition is
narrower: “systems and assets, whether physical or virtual, so vital to the United States
that the incapacity or destruction of such systems and assets would have a debilitating
impact on national security." (Department of Homeland Security , 2006)

ICT Cyber security

As part of the critical infrastructure, information and communication technologies (ICT) represent
the communication networks (telephone lines, wireless signals) and computers, middleware as well
as other necessary software and systems to allow the storage, transmission and manipulation of
information. In this context ICT systems are critical as they are essential to the minimum
operations of the economy and government (PDD-63). Consequently ICT and cyber security are
often mentioned as part of national Critical infrastructures (Homeland Security Presidential
Directive Seven).

2.2 Supply Chain security

Supply Chain Security is a systematic and continuous process to enhance prevention, protection,
preparedness, monitoring, detection, mitigation, response, and recovery from disruptive criminal
and terrorist activities and incidents in the supply chain.

The definition of supply chain security management provided by Hintsa et al. (2009) shows
evidently that like in any other management discipline, supply chain security management activities
are constrained by rules to a great extent.

“Supply chain security management (SCSM) covers all processes, technologies and
resources exploited in a systematic way to fight against end-to-end supply chain crime. The
primary goal of each single SCSM measure is either to prevent a crime, to detect a crime,
or to recover from a crime incident in the fastest possible time. Single SCSM measures fall
typically into one of the following five categories: cargo, facility, human resources,
18 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

information technology, and management systems. The typical supply chain crime includes
theft, smuggling, counterfeiting, sabotage, blackmailing for financial gain, terrorism for
destruction, and any type of fraud and corruption (the detailed crime definitions subject to
national and international regulations).” Hintsa et al (2009)

The definition states that supply chain security management “fights against crime”. Explicit legal
rules and regulations draw boundaries between illegal and legal activity and criminalize undesired
activities like theft, smuggling, counterfeiting, and sabotage. This empowers legitimate private and
public supply chain actors combat against “crime” and thus protect their assets, employees and
reputation from a multitude of supply chain related illicit activities.

The definition highlights that supply chain security management applies processes, technologies
and resources in a systematic way to fight against crime. The definition does not address that the
application of these processes, technologies and resources must done in compliance with an array
of formal and informal supply chain security rules. Crime prevention tactics and strategies must be
designed in accordance with explicitly proclaimed laws, regulations and conventions and implicit
values, believes, norms and conventions. These rules constrain but also, as Hodgson (2006)
suggests, enable supply chain security management activities by making coordinated anti-crime
efforts possible.

2.3 Critical supplies – products and services

The concept of critical supplies appears to be poorly defined in the literature. However the analysis
of the material collected allow to create examples of linkages between products, raw materials and
services to the critical infrastructure in Europe. Hence, by logical reasoning, one angle of critical
supplies can be stated as those necessary for the construction, maintenance and operation of
critical infrastructure. A possible set of products and services necessary for the European Critical
Infrastructure is depicted in Table 1 below. In later chapters, additional considerations will be given
e.g. to critical supplies from citizen and transport perspectives.

Table 1. Examples of critical products and services.

Critical Infrastructure Critical product or service

Energy Continuous supply of products and materials to produce energy.

Continuous supply of electric power within bound frequency and
Electricity
voltage ranges
Oil Adequate supply of oil products with the required product specifications
Continuous supply of natural gas with the required pressure and caloric
Natural gas
value
Uninterrupted services with the required level of quality (e.g., low
IT & Telecom
blocking chance, low noise level, low jitter, low delay, fast response)
Availability of drinking water with a bacterial and chemical
Drinking water
contamination content below set thresholds
External safety of a country by high readiness of or delivering of
Defence adequate command & control, well-trained personnel, material,
infrastructure, and logistics.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 19

From commodity / product perspective, references were found to European Commission defining a
set of “critical raw materials”, in terms of metals and minerals, concentrating on Supply risk and
Environmental country risk (details explained in Chapter 9 of the report).

Supply risk:

o Concentration of the production of the raw material in a given non-EU country.

o Political and economic stability of the producing countries.

o Potential for substitution and recycling rate.

Environmental country risk:

o Jeopardizing the supply of the raw materials by introducing environmental

measures.

At the same time, “critical supplies” can exist in several product categories, including the following
nine broad categories used commonly by customs administrations worldwide (Harmonized Tariff
System; EU import analysis per category follows in Chapter 9)

1. Food and live animals

2. Beverages and tobacco

3. Crude materials, inedible, except fuel

4. Mineral fuels, lubricants and related materials

5. Animal and vegetable oils, fats and waxes

6. Chemical and related products

7. Manufactures goods classified chiefly by material

8. Machinery and transport equipment

9. Miscellaneous manufactured articles

20 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

3 Key definitions
3.1 Critical Infrastructure Protection

Main definitions related to Critical Infrastructure Protection are given in the text below and concert
the following terms:

Critical.

Infrastructure.

Fundamental state function.

Basic human system assets.

Safety.

Security.

Danger.

Harm / damage.

Vulnerability.

Impact.

Inadmissible impact.

Disaster.

Hazard.

Risk.

Threat.

Vulnerability.

Scenario.

Emergency situation.

Disaster assessment, hazard assessment and risk assessment.

Risk management.

Safety management.

Crisis management.

Safe space.

Proactive management.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 21

Reactive management.

Safety performance indicator.

Critical. The word “critical” is from nuclear domain and it means the boundary between acceptable
and non-acceptable conditions with regard to given value scale. In most countries’ definitions, the
word “critical” refers to infrastructure that provides an essential support for economic and social
well-being, for public safety and for the functioning of key government responsibilities. For example
Canada’s definition of criticality involves “serious impact on the health, safety, security or the
economic well-being of Canadians or the effective functioning of governments in Canada.”
Germany refers to “significant disruptions to public order or other dramatic consequences.” The
Netherlands’ critical infrastructure policy refers to infrastructure whose disruption would cause
“major social disturbance,” tremendous loss of life and “economic damage”. Thus the word critical
refers to infrastructure which, if disabled or destroyed, would result in catastrophic and far-reaching
damage.

Infrastructure. The definitions of infrastructure used in official descriptions of critical infrastructure

tend to be broad. Most governments refer to physical infrastructure. Many also include intangible
assets and/or to production or communication networks. Australia, for example, refers to “physical
facilities, supply chain, information technologies, and communication networks. Canada refers to
“physical and information technology facilities, networks, services and assets. The United
Kingdom refers to “assets, services and systems”.

Fundamental state function is to ensure the protection of interests (assets) of the state (country)
and the permanent sustainable development of the state.

Basic human system assets (Protected interests or fundamental interests of the state) are items
that are protected with priority (e.g. in Czech Republic) and in the most of the other countries there
are human lives and health, property, environment, existence of the state and recently critical
infrastructure) and there is pursued the care to their development.

Safety is a set of measures and activities for ensuring the security and sustainable development of
assets.

Security is a forming the sense of safety, safe feeling, certainty, ensuring the public welfare,
permanent development of sound environment and reliable operation of technological (physical
and cyber) facilities.

Danger is a condition / situation at which it originates or can originate detriment on assets.

Harm/damage is a detriment on human life and health, property, environment and human society
expressed in money.

Vulnerability is a predisposition to harm / damage origination.

Impact is adverse effect / influence of phenomenon in a given place and time on assets.

Inadmissible impact is the impact that causes or can cause damage / harm on one or more
assets.

Disaster is a phenomenon that leads or can lead to damages and harms on assets of the state
(i.e. phenomenon which leads or can lead to impacts on protected assets of the state). From the
22 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

view of cybernetics the disaster is one of the possible conditions of system including the human
society and environment, which leads or can lead to damages / harms on one or more assets of
the state. The term “disaster” is often used for phenomena with small number of victims; if number
of victims is greater (usually more than 25), the term “catastrophe” is often used.

Hazard is a set of maximum disaster impacts that are expected in a given place in specified time
interval with a certain probability. According to technical norms and standards the hazard is
determined by identified size of disaster.

Risk expresses the probable size of undesirable and unacceptable impacts (losses, harms and
detriment) of disasters with size of normative hazard on system assets or subsystems in a given
time interval (e.g. 1 year) in a given site, i.e. it is always site specific.

Threat is a measure of occurrence of attack (including terrorist) in a given place. It is a probability

that originates or can originate an event or set of events, quite different from desirable (originally
supposed) condition or development of protected interests of the state from the viewpoint of their
integrity and function. It is determined by capability of attacker, vulnerability of protected interests
of the state and by attacker intent.

Vulnerability is sensitivity of asset to impacts of disaster / threat. It is inherently complex entity of

the system, the dynamic, i.e. not a static variable. In the scale of time and space (egging the
projection into area), certain aspects dominate at different point in time and at a different location.

Scenario (model) of disaster is a set of isolated and interconnected disaster impacts in space and
time that causes or can cause the given disaster in definite site, i.e. time sequence of events
affected by disaster impacts.

Emergency situation is a situation caused by disaster origination. Usually, it is classified into 5

categories (0 - 5) that for simplicity are denoted by colours (upper-most by sequence of colours -
yellow, orange, red).

Disaster assessment, hazard assessment and risk assessment in a given territory, site, time
interval are the risk engineering operating methods.

Risk management is a planning, organization, allocation of work tasks and check up of sources
of organization so, that there might be reduced losses, damages, harms, injuries or deaths
caused by various disasters. Risks are reduced by the reduction of vulnerability of objects, human
population, environment, state etc. (in this connection there is used the term „impact mitigation“ for
impacts that cannot be averted at disaster origin). According to majority of technical norms and
standards there is performed the reduction of vulnerability at planning, designing, construction and
operation of protected interests for all risks, the probability of which is equal or greater than 0.05.
By this way there is formed the inherent safety of system including the human society, objects and
environment (i.e. so-called design disasters ought to be get under control by design, regulations
for land-use planning and construction, operating instructions, rules for response to emergencies
and by instructions for response to critical situations, and therefore, their occurrence would not
threaten sustainable development).

Safety management consists in a planning, organization, allocation of work tasks and check-up of
sources of organization with aim to reach requested safety level. Enhancement of safety is
reached by use (application, realization, and implementation) of technical, legal, organizational,
educational etc. protective measures. They are also considered risks the occurrence probabilities
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 23

of which are smaller than 0.05, but impacts are fatal (severe). Safety management belongs to a
common practice at planning, designing, construction and operation of technical facilities and
objects such as power plants, dams, nuclear facilities etc., and it is the basement of nuclear safety,
radiation protection and protection against dangerous chemical substances that is introduced by
the SEVESO II directive. In technical slang there is stipulated that this type of management
considers beyond design (severe) accidents. Except of formation of inherent safety of system
including the human society, objects and environment this management type also promotes so
called principle of precaution, because it considers disasters or their sizes the occurrences of
which are very low probable, that are unforeseen.

Crisis management is a management the purpose of which is to precede a possible critical

situations, to ensure preparedness for response to possible critical situations, to ensure the getting
possible critical situations under control in frame of power of crisis management authority and
executing measures and tasks of line higher crisis management authorities (for getting situation
under control there is used legal measure „declaration of crisis situation“ that temporarily enables
to limit rights and civil liberties of humans and use beyond standard sources), to start renovation
and next development. Fundamental phases are the prevention, preparedness, response and
renovation. In some conceptions there is the crisis management a part of safety management, in
others the crisis management is only used for the getting critical situations caused by disasters
under control and for the getting current emergency situations under control there is used
emergency management.

Safe space is a space in which the safety level is acceptable. [Below mottoes "Europe - safe
space" the EU started after attack in Madrid on March 2004 the research programme for 1 billion
EUR].

Proactive management is a management type, in which there are in advance performed

measures for averting or at least mitigation of some undesirable phenomena, and ensured
preparedness for the effective response to undesirable phenomena.

Reactive management is a management type, in which there are solved problems when they
occur.

Safety performance indicator is a quantity that measures level of safety in a given subsystem /
system. (Usually there are used types - outcome indicators and activity indicators).

Critical infrastructure are physical, cybernetic and organizational (service) systems, that are
necessary for ensuring the protection of human lives and health, property, minimum function of
economy and administration of the state.

Cyber security. The term “cyber infrastructure” was first used at a press conference in May
1998 by U.S. government’s National Coordinator for Security, Infrastructure Protection, and
Counter-terrorism (PDD-63) Richard A. Clarke and the founding director of the Critical
Infrastructure Assurance Office Jeffrey Hunker. Cyber infrastructure is derived from the concept of
National Information Infrastructure promoted by Vice-President Al Gore in the 1990’s as part of the
Presidential Decision Directive NSC-63 on the American Critical Infrastructure, on which American
armed forces and the economic wellbeing of Americans depend, such as the power grid, pipelines,
roads, drinking water and wastewater pipes, etc. “Cyber infrastructure” was then adopted by the
USA National Science Foundation (NSF) in 2003 and gradually became part of IT slang.
24 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

Cyber infrastructure means both hardware in the strict sense and the global super network of more
than a billion computers as well as mobile devices and radio networks, mutually linked together
and forming the Internet or the cyberspace.

Cyber security can be defined with the following seven terms (North Atlantic Electronic Reliability
Corporation):

Cyber Security: Critical Cyber Asset Identification: The identification and protection of
Critical Cyber Assets to support reliable operation of the Bulk Electric System.

Cyber Security: Security Management Controls: It requires that Responsible Entities

have minimum security management controls in place to protect Critical Cyber Assets.

Cyber Security: Personnel & Training: Personnel having authorized cyber or authorized
unescorted physical access to Critical Cyber Assets, including contractors and service
vendors, have an appropriate level of personnel risk assessment, training, and security
awareness.

Cyber Security: Electronic Security Perimeter(s): The identification and protection of the
Electronic Security Perimeter(s) inside which all Critical Cyber Assets reside, as well as all
access points on the perimeter.

Cyber Security: Physical Security of Critical Cyber Assets: It intended to ensure the
implementation of a physical security programme for the protection of Critical Cyber Assets.

Cyber Security: Incident Reporting and Response Planning: The identification,

classification, response, and reporting of Cyber Security Incidents related to Critical Cyber
Assets.

Cyber Security: Recovery Plans for Critical Cyber Assets: It ensures that recovery
plan(s) are put in place for Critical Cyber Assets and that these plans follow established
business continuity and disaster recovery techniques and practices.

Cybercrime has come a long way since the days when it mostly involved only a digital form of
vandalism. It has evolved into an activity that aims at profit making and cyber terrorism and that
requires billions of dollars to fight against. Attacks on electronic data have become a special
branch of science where specific groups focus on different jobs – each group specialises in a
different aspect of the matter.

Cyber terrorism and its potential bed fellow cyber warfare are emerging as a new threat that we
must face and get ready for – both in terms of technology, personal readiness and, most
importantly, in terms of adequate knowledge.

There is a real risk that future attacks will blur the line between cybercrime and cyber terrorism and
the words applied to each specific case will depend only on personal interpretation of the incident.
Military clashes may eventually lose their conventional dimension and we will experience non-
conventional wars where neither party will have to resort to traditional weapons. In fact, some day
in the future all one will need to destroy an enemy state will be a group of specialists targeting its
critical infrastructure (banks, insurance companies, communication networks, nation-wide
information system, state administration information systems, population databases, corporate
management systems, energy distribution networks, etc.) and achieving a destabilisation or even
destruction of the state from within.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 25

The United States seems to be the most aware of this possibility. On June 22, 2011, President
Barack Obama signed an executive order setting out the rules of cyber warfare that the U.S. Army
and secret services may wage abroad. The presidential order defined which actions need White
House approval and which rules they must observe. Obama’s decision is the culmination of two
years of efforts by the American Defence Department to get its cyber “ammunition” in order.
Furthermore, it comes at a time when the USA and its allies are starting to work on global rules of
computer warfare.

3.2 Supply chain security management

3.2.1 Supply chain security management model

There are few attempts in the literature to explain what supply chain security (SCS) “is made of”,
i.e. which are the different options to design and implement security measures into supply chain
systems. One comprehensive model known as the 8-layer SCS management model, is visualized
below, and explained afterwards (Hintsa, 2011).

Figure 2. The 8-layer SCS management model (Hintsa, 2011).

Brief explanations of the eight layers are as follows:

26 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

1. Risk Management layer: Assesses the threats and vulnerabilities in the supply chain.
Looks at risk likelihoods and consequences. Provides the baseline for actual security
investments and interventions in the supply chain.

2. Design and planning layer: Designs supply chain structures, including points for sourcing,
transport routes and warehouse locations, in order to minimize criminal risks. Also security,
disaster recovery, security training and security auditing plans are performed in this layer.

3. Process control layer: Manages and controls key business processes in the supply chain,
while establishing visibility into them for continuous monitoring purposes. Provides stability
in the processes, while minimizing variations in lead-times, quality and other critical
performance aspects.

4. Supply chain assets layer: Deals with many aspects of physical security, while securing
facilities, vehicles, shipments, products, data systems, and data itself. Exploits a broad set
of security procedures, technologies, and solutions.

5. Human resources layer: Focuses on the problematic of human resources as a weak link
in the supply chain. Carries out background checks, training, and personnel motivation.
Protects personnel against blackmailing, violence, kidnapping, etc. Minimizes the risk of
insider crime.

6. Business partners layer: Defines selection process for business partners, and
requirements for partner security certifications. Carries out continuous monitoring and audit
activities within the business partner network, in particular with suppliers of materials and
logistics services.

7. Aftermath capabilities layer: Ensures post-incident recovery with minimum supply chain
disruptions. Develops competences for criminal investigations, evidence collection, and
facilitation of liability and criminal court procedures.

8. Disrupting criminal activities layer: Causes problems in the illicit supply chains, by
hammering supply, production, logistics operations, distribution, marketing and sales
criminal functions.

Further elaboration on layer-4 of the 8-layer SCS model

As stated above, Layer-4, the Supply chain assets layer, deals with many aspects of physical
security, while securing facilities, vehicles, shipments, products, data systems, and data itself.
Technologies, if well designed and operated, can assist in crime and terrorism prevention and
detection phases, as well as post-incident recovery phase. More specifically, as part of the Layer-
4, security technologies can deliver and/or facilitate one or more of the following functionalities:

Secure designs, e.g. anti-counterfeit or anti-theft functionalities are embedded into a

consumer product already at the product design phase.

Entry protection, e.g. access to facilities, cargo, vehicles and IT-systems is protected with
a combination of anti-intrusion solutions, including CCTV- and alarm-systems.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 27

Authentication, e.g. data, document and product originality are guaranteed by various
techniques, including codes verifiable against databases; inks, nano-fractals and holograms
etc.

Auditing, e.g. facility, vehicle and data system audits are made more efficient and accurate
with the help of IT-tools.

Monitoring, e.g. global transportation networks for sea, air and land based cargo are
constantly under surveillance, to detect any deviations from the standard procedures,
routes and schedules.

Tracking, e.g. cargo is tracked throughout the logistics chain as an anti-theft measure (e.g.
for consumer electronics); or, products are tracked throughout their life-time as an anti-
counterfeit measure (e.g. for pharmaceuticals)

Inspection, e.g. taking and assessing images from cargo-in-transit, including maritime and
air containers, with x-ray, gamma-ray and other relevant (non-intrusive, where applicable)
inspection technologies.

Testing, e.g. products subject to counterfeit activities or to sabotage and terrorism are
tested by applicable physical, chemical and other possible techniques.

Crime reward decrease activities, e.g. a stolen consumer electronics product stops
functioning after one hour/day/week, when it is no longer connected to the web-based
service (password protected.)

3.2.2 Supply chain security programs and regulations

Definitions related to supply chain security are given in this section and include terms that are
being used by supply chain operators to describe their internal security standards and
requirements. In addition, terms close to customs certifications and regulations are explained.

AEO Authorized Economic Operator: Authorized Economic Operator is a voluntary EU supply

chain security certification. The main goal of the certification is to enhance the security of supply
chains against such threats as smuggling, contraband, human trafficking, terrorism etc. Benefits as
reduced data to be submitted in customs declarations, fewer customs inspections, request of a
place for customs checks etc., are offered to operators.

AEO-C The status of Authorised Economic Operator with scope limited to Customs
processes and procedures: An AEO Certificate - Customs Simplifications is issued to any
economic operator established in the Community who fulfils the criteria of customs compliance,
appropriate record-keeping standards and financial solvency. The holder of this certificate is
entitled to:

easier admittance to customs simplifications listed in Article 14b (1) of CCIP;

fewer physical and document-based controls;
priority treatment if selected for control;
possibility to request a specific place for such control.

AEO-S The status of Authorised Economic Operator with scope limited to Safety and
Security related processes and procedures: An AEO Certificate – Security and Safety is issued
to any economic operator established in the Community who fulfils the criteria of customs
28 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

compliance, appropriate record-keeping standards, financial solvency, and maintains appropriate

security and safety standards. The holder of this certificate is entitled to:

possibility of prior notification as described in Article 14b (2) of CCIP;

reduced data set for summary declarations as specified in Article 14b (3) of CCIP;
fewer physical and document-based controls;
priority treatment if selected for control;
possibility to request a specific place for such control

AEO-F The full status of Authorised Economic Operator: An AEO Certificate Customs
Simplifications / Security and Safety is issued to any economic operator established in the
Community who fulfils the criteria of customs compliance, appropriate record-keeping standards,
financial solvency, and maintains appropriate security and safety standards and who wants to
benefit from all AEO benefits.

CSD Container Security Device: The CSD is a small, low-cost device mounted on or within a
container that detects the opening or removal of container doors and reports its status to the
authority (Department of Homeland Security)

CSI Container Security Initiative: CSI is a programme intended to help increase security for
maritime containerized cargo shipped to the United States from around the world. CSI addresses
the threat to border security and global trade posed by the potential for terrorist use of a maritime
container to deliver a weapon. (CBP website)

C-TPAT Customs-Trade Partnership Against Terrorism: C-TPAT is a voluntary government-

business initiative to build cooperative relationships that strengthen and improve overall
international supply chain and U.S. border security. C-TPAT recognizes that U.S. Customs and
Border Protection (CBP) can provide the highest level of cargo security only through close
cooperation with the ultimate owners of the international supply chain such as importers, carriers,
consolidators, licensed customs brokers, and manufacturers. Through this initiative, CBP is asking
businesses to ensure the integrity of their security practices and communicate and verify the
security guidelines of their business partners within the supply chain (CBP Website).

DHS Department of Homeland Security (US): The Department of Homeland Security is formed
after the terrorist attack of September 11, 2001 in the U.S. The Department's mission is to ensure
a homeland that is safe, secure, and resilient against terrorism and other hazards. The efforts of
DHS are supported by an ever-expanding set of partners. Every day, the more than 230,000 men
and women of the Department contribute their skills and experiences to this important mission
(Department of Homeland Security Website).

Entry/Exit summary declaration: According to Art. 3(3) Commission Regulation (EC)

No 1875/2006 in conjunction with Art. 1 and 2 Commission Regulation (EC) No 273/2009, from
1 January 2011 on the economic operator shall be obliged to lodge electronic entry or exit
summary declarations for goods imported into the Community customs territory or exported from
there in order to enable the authorities to carry out EDP- based risk analyses based on the basis of
such data before the goods enter or leave the Community customs territory (zoll Germany).

Entry summary declaration: According to Art. 36 b) (3) CCC in conjunction with

Art. 181 b) CCC-IP, the entry summary declaration has to be lodged in principle by the
forwarder or the person importing the goods into the Community customs territory or taking
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 29

responsibility for the transfer of the goods into the Community customs territory. As a rule,
this is the shipping company, the forwarding agency, the airline or the railway company.

The information required for the entry summary declaration as well as the respective notes
are indicated in Annex 30 A CCC-IP (Art. 183 (1) CCC-IP).Acc. Art. 36 b) (4) CCC the entry
summary declaration may be lodged by:

the person in whose name the forwarder is acting, or

any person that is able to present the respective goods to the competent customs office or
have them presented there;

a representative of the forwarder's; or

a representative of the persons mentioned above (first and second indent) instead of by the
forwarder himself.

Exit summary declaration: For the provisions referring to the lodging of exit summary
declarations, please see the information sheet for the participants, as amended. In this
context, it should be noted that lodging an exit summary declaration for goods to be
exported is required only in cases where the goods do not have to be placed under the
electronic export procedure.

Import Control System (ICS): ICS (Import Control System) is the electronic security declaration
management system for the importation of goods into the European Union customs territory. ICS
(Import Control System) comes within the scope of the EU eCUSTOMS programme. Developed in
the framework of the standards for international trade advocated by the World Customs
Organisation, its aim is to further ensure the protection of importation movements into the EU. The
new regulation requires that a certain number of data elements be sent to the EU customs office of
first entry before the merchandise enters the territory and in most cases, even before leaving the
country of export. This EU regulation came into force at the end of 2010. (Conex Website)

Export Control System (ECS): The EU has implemented an Export Control System (ECS) which
introduces new EU procedures to computerise and control indirect exports (where an export leaves
the EU from a Member State (MS) other than the MS of export) and to implement the EU safety
and security regulations set out in the European Parliament and Council Regulation (EC) No
648/2005 and the Commission Regulation 1875/2006/EC. ECS is the first stage of an Automated
Export System (AES) aiming for a computerised EU export system to common standards.

ISPS code International Ship and Port Facility Security code: The International Ship and Port
Facility Security Code (ISPS Code) is a comprehensive set of measures to enhance the security of
ships and port facilities, developed in response to the perceived threats to ships and port facilities
in the wake of the 9/11 attacks in the United States. The purpose of the Code is to provide a
standardised, consistent framework for evaluating risk, enabling Governments to offset changes in
threat with changes in vulnerability for ships and port facilities through determination of appropriate
security levels and corresponding security measures. (International Maritime Organization
Website)

ISO28000: ISO 28000:2007 specifies the requirements for a security management system,
including those aspects critical to security assurance of the supply chain. Security management is
linked to many other aspects of business management. Aspects include all activities controlled or
influenced by organizations that impact on supply chain security. These other aspects should be
30 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

considered directly, where and when they have an impact on security management, including
transporting these goods along the supply chain. (International Organization for Standardization
Website)

SAFE World Customs Organization (WCO) Framework of Standards to Secure and Facilitate
Global Trade: At the June 2005 annual Council Sessions in Brussels, Directors General of
Customs representing the Members of the World Customs Organization (WCO) adopted the SAFE
Framework of Standards by unanimous acclamation. The SAFE Framework aims to (World
Customs Organization, 2007):

Establish standards that provide supply chain security and facilitation at a global level to
promote certainty and predictability.
Enable integrated supply chain management for all modes of transport.
Enhance the role, functions and capabilities of Customs to meet the challenges and
opportunities of the 21st Century.
Strengthen co-operation between Customs administrations to improve their capability to
detect high-risk consignments.
Strengthen Customs/Business co-operation.
Promote the seamless movement of goods through secure international trade supply
chains.

SOLAS: International Convention for the Safety of Life at Sea (SOLAS) is the most significant
treaty addressing the safety of cargo vessels. The first version was adopted in 1914, in response to
the Titanic disaster, the second in 1929, the third in 1948, and the fourth in 1960. The 1974 version
includes the tacit acceptance procedure - which provides that an amendment shall enter into force
on a specified date unless, before that date, objections to the amendment are received from an
agreed number of Parties (International Maritime Organization).

TAPA EMEA: Transported Asset Protection Association is a global association of companies that
has drawn up security standards, principally for road transports of high-value goods. However
standards for parking places and air cargo security are also considered by the association. Another
goal of TAPA is to provide a forum for responsible managers and share professional information
for mutual benefit. The Goal is to identify target areas where losses are perceived as occurring and
share industry "Best Practices" (TAPA EMEA)

TAPA FSR: TAPA Freight Security Requirements: The Freight Security Requirements (FSR) have
been established by to address the nature by which high-tech products and materials are handled,
warehoused and transported as they move throughout the world. The FSR specifies the minimum
acceptable security standards for assets travelling throughout the supply chain and the methods to
be used in maintaining those standards (TAPA EMEA).

TAPA TRS: TAPA Trucking Security Requirements: The Trucking Security Requirements (TSR)
have been established to address the nature by which high-tech products and materials are
transported by road. The TSR specifies the minimum acceptable security standards for assets
travelling throughout the supply chain and the methods to be used in maintaining those standards.
In contradiction to the FSR, TSR is a compliance programme and is carried out by a self-
assessment program. The TSR outlines the processes and specifications for Suppliers to attain
TAPA compliance to the TSR on their transport operations. It is the intention of TAPA members to
select Suppliers which meet or exceed TAPA TSR compliance requirements. Successful
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 31

implementation of the TSR is dependent upon Suppliers and Buyers working in concert to
accurately interpret, adopt and audit against these requirements (TAPA EMEA).
32 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

4 Reference to past projects

In this section relevant past and parallel European research projects from the perspective of
Critical Infrastructure Protection and Supply Chain Security are listed. For each of the projects we
define, whenever possible, main objectives, context, perspective, methods, gaps and challenges.

4.1 CYTEX

Objectives: CYTEX was a table top exercise supported by a computer tool which simulated
massive and coordinated cyber based attacks against the main infrastructures of a city like Berlin.

The players, mostly security experts and chief security officers from these Infrastructures, had to
monitor and assess the developing disaster, plan their mitigation actions and coordinate with peer
stakeholders from other dependent sectors.

Context: The context was the different infrastructures of a metropolitan area like Berlin, and the
criticality of the dependence of these infrastructures on information and communications
technology. Infrastructures investigated included

The Telecommunications Network

The IT-Infrastructure of the Largest Bank

The Air Traffic Management System

The Local and Wide Area Railway System

The Street Traffic Control System

The Electrical Power Supply System

The Federal Agency on IT-Security

Perspectives: It became obvious that the management of critical infrastructure protection requires
well organized and fast reacting coordination and collaboration between the security managers of
all critical infrastructures involved.

What is new: Exercised already in 2001, the experiment was far ahead of times. It was the first
time in Germany that actors from different public and private critical infrastructure sectors jointly
developed, agreed upon and executed an exercise with a then futuristic, today realistic, spectrum
of concerted cyber-attacks. The scenario was found to be of serious impact on the overall
functionality of the city and its industries, people and administrations. It demonstrated the often
strong interdependencies between critical infrastructures, and that such a crisis would require new
public-private partnerships of collaboration. This should include both, preventive measures as well
as concerted reaction in case of crisis.

Methods: The scenario and script development was supported by a planning and scheduling tool,
the AKSIS script tool, developed in-house. Interdependencies between critical infrastructures were
visualized and assessed with the network interdependence tool GAMMA. The scenario based
exercise runs were supported by a networked PC infrastructure.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 33

Gaps and challenges: A big challenge was to create an atmosphere of trust and confidence
between the representatives of the different sector, with partially conflicting interests. Gaps were
that some sectors were not willing to participate because of confidentiality policy reasons and that
structures and rules for cooperation in such a crisis were (and still are) lacking.

Links to FOCUS: the project puts into evidence the several links and interdependencies between
different critical infrastructures. Hence, FOCUS starts from the experience and knowledge built
within this project and develop it further by establishing the links with the needs for future roles on
EU level to manage emergency situations.

4.2 DDSI

Objectives: The DDSI project aimed at supporting the development of dependability policies for
CIs across Europe and across sectorial boundaries by:

Establishing networks of interest among the leading European and international

stakeholders (European institutions, national governments, industry and civil society)

Providing baseline data about dependability initiatives around the world

Preparing policy roadmaps targeted at industry, national governments and European

institutions

Context: The study covered the whole set of critical infrastructures with a focus on what could and
should be done in Europe. Based on an overview of national and international organizations, and
of national policies, thematic roadmaps were developed addressing the background material and
the required future steps in

Public-Private cooperation,

Warning and Information Sharing

Future Research and Development Policy

Link to FOCUS: the policies concerning the dependability between Critical Infrastructures and
across sectorial boundaries are also relevant contributions to the interdependency analysis
performed in FOCUS. However, FOCUS has the ambition to determine these interdependencies
by means of foresight scenario techniques.

Reference: http://www.ddsi.org/htdocs/DDSI-F/main-fs.htm

4.3 ACIP

Objectives: ACIP was a logical continuation of the DDSI (No.2. above) work but elaborating more
into the methodological support of CIP analysis. The aim of ACIP was to provide a roadmap for the
development and application of methods, including modelling and simulation, gaming and further
adequate methodologies for the

identification and evaluation of the state of the art of critical infrastructures protection;
34 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

analysis of interdependencies and cascading effects of infrastructures;

investigation of scenarios in order to determine deficiencies and robustness of information

infrastructures; as well as identification of technological development and protective
measures for CIP

Context: Infrastructures such as information and communication, banking and finance, energy,
transportation, and others are relying on ICT and are mutually dependent. The project analyzed the
general methodological requirements across the networked CI sectors including communication,
banking and finance, energy, transportation, at a European scale.

What is New: The project was to our knowledge the first one at EU level which systematically
analyzed the vulnerabilities and interdependencies of CIs.

Methods: ACIP identified and recommended concrete methodological action and an architecture
of methods and tools, including CIP-related scenario techniques.

Link to FOCUS: as for the previous projects, also ACIP has the main goal to examine the
interdependencies and cascading effects of Critical Infrastructures. FOCUS builds upon the
knowledge provided by considering the application of the CIP-related scenario techniques. The
outcome will be a set of future scenarios and suggested EU roles.

Reference:
http://cordis.europa.eu/fetch?CALLER=PROJ_ICT&ACTION=D&CAT=PROJ&RCN=63046

4.4 CI2RCO

Objectives: The main objective of the CI2RCO project was to create and coordinate a European
Task force to encourage a coordinated Europe-wide approach for research and development on
CIIP, and to establish a European Research Area (ERA) on CIIP as part of the larger IST1
Strategic Objective.

Context: The focus was on activities across the EU-25 and ACC (Association of Corporate
Council) that are essential to be carried out at European level and that require collaborative efforts
involving the relevant players of research, research funding actors, policy-makers and CI-
stakeholders. This was achieved by improvement of networking and coordination of national and
European research policies, programmes and funding schemes, namely:

Establishment of a CIIP-network of the relevant players,

Preparation and evaluation of CIIP R&D programmes' inventory in the EU-25 including a
roadmap towards a coordinated European CIIP research agenda,
Calibration of the CIIP activities within the network and
Concrete networking and dissemination actions.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 35

Link to FOCUS: the networks of relevant players as well as the inventory of R&D programmes will
be exploited to create and involve experts in the process of the creation of future scenarios. In
addition, the experience built in CI2RCO will be used to identify future security research needed in
EU.

Reference:

http://www.ist-world.org/ProjectDetails.aspx?ProjectId=788d112ab6934b259f38d9ed3bdb7826

http://cordis.europa.eu/fetch?CALLER=PROJ_ICT&ACTION=D&CAT=PROJ&RCN=79305

4.5 VITA

Objectives: The VITA project aimed at delivering assessment on the threats to and assurance and
protection of, highly networked CIs, most of which are operating trans-nationally, and disruption of
which is critical to Europe’s security. The project should provide methods to raise awareness and
the sense of urgency of CIP, an approach on methods, tools and technologies required for the
protection improvement and a demonstrator experiment by a scenario exercise with focus on
energy.

Context: The main contexts were the Europe-wide CI interdependencies. One result of relevance
and provided to FOCUS is the VITA Threat Taxonomy. A heavy threat scenario was demonstrated
in the sector of electrical energy, with the facilities of a real transmission support operator (TSO) in
the loop.

Perspectives: In the exercise, the transnational effects and public-private crisis cooperation were
focused

What is new: First time, a mixed experiment of a major synthetic CI threat scenario was
integrated with the operating and training centre of an energy provider.

Key drivers: One key issue was the demonstration and exercising of close cooperation between
a private, internationally operating enterprise with public security services, in a simulated disaster
scenario.

Methods: Two methods are worth mentioning: the systematic structuring of the huge number of
threats to CIs (treat taxonomy), and the exercise support system developed for the project, based
on the Microsoft MS-Project software. The tool supports the development of scenarios, the
detailing scheduling and verification of the scenario script, and it serves as exercise scheduling,
control and event recording system.

Link to FOCUS: the VITA taxonomy is one of the main sources used in this deliverable to identify
and point out the main catastrophic events that could hit the critical infrastructure and supply
chains. Also, the scenario developed in the VITA project is a valuable example of
interdependencies between sectors of the CI that will be studied in FOCUS.

Reference: http://vita.iabg.eu
36 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

4.6 IRRIIS

Objectives: IRRIIS aimed at dependability, survivability and resilience of CIs on underlying

information-based infrastructures. It should develop the requirements, software middleware
components and simulation to support system recovery in case of IT-based attacks

Context: Focus was on providing practical IT solutions for reducing attack consequences, in the
energy and ICT sector.

Key drivers: The project started from realizing that key vulnerabilities of CIs will result from their
dependency on IT systems and services

Trends in CI: The increasing dependency of CIs on ICT. Properties like openness, complexity,
reliance on COTS lead to increased vulnerabilities.

Methods: IRRIS developed a set of MIT (Middleware Improved Technology), a collection of

software components, which facilitates IT-based communication between different infrastructures
and different infrastructure providers. By supporting recovery actions and increasing service
stability in case of critical situations, MIT components could substantially enhance the security of
large complex critical infrastructures.

A simulation environment for controlled experimentation with a special focus on CIs

interdependencies was built. The simulator was used to deepen the understanding of critical
infrastructures and their interdependencies, to identify possible problems, to develop appropriate
solutions, and to validate and test the MIT components.

Link to FOCUS: similarly FOCUS considers threats and scenarios related to cybersecurity. Hence,
this study contributes in the sense of building knowledge about threats and IT solutions to protect
CI and supply chains. In addition, FOCUS will consider these threats and security solutions in the
development of future scenarios where it will be pointed out whether existing bodies and agencies
on EU level will be able to cope emergency situations.

Reference: http://www.irriis.org

4.7 OCTAVIO

Objective: OCTAVIO addressed the lack of a common strategic vision to protect energy critical
infrastructure, and standardization weaknesses in the energy industry position against potential
threats (for example terrorist attacks). So the project, based on experience of industry players,
needed to establish criteria and methodology to asses, audit and mitigates risks for electrical
control centres and their interdependent ICT infrastructures.

Context: The focus was on energy /natural gas and electrical systems control centres.

Perspectives: The OCTAVIO result could serve as a role model or input to future government or
private or PPP base security regulations of CI control systems.

Key drivers: Realizing the requirement for better security standards in CI control systems.

Methods:
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 37

Structure analysis: An accurate assessment regarding electricity sector control centres’

cyber structure requirements.
Security analysis: Identifing survivability and resilience requirements for every functionality
in electricity control centres.
Defining security audit protocols for different control centre levels; Testing the audit
protocols in at least three different functionality levels.

Link to FOCUS: this project is relevant to review of methods for conducting theme specific risk
assessment. FOCUS will however move beyond because it will evaluate and select those
approaches that are more suitable to the identification of risks in future threat scenarios.

Reference:http://ensec.org/index.php?option=com_content&view=article&id=219:european-
energy-infrastructure-protectionaddressing-the-cyber-warfare-
threat&catid=100:issuecontent&Itemid=352

4.8 SICMA

Objectives: The project objective was to improve Health Service crisis managers’ decision-making
capabilities. This was to be achieved through development of SICMA which is an integrated suite
of modelling and analysis tools. SICMA shall provide insight into the collective behaviour of the
whole organisation in preparation and response to crisis scenarios.

Context: The context of SICMA was the support of crisis response forces with the focus on health
services; performance of SICMA tools was demonstrated in a sophisticated infrastructure scenario
(Explosions in a sensitive/ vulnerable industry complex.

Perspectives: The perspective developed was that there is an urgent requirement for effective
and efficient disaster response support. This could and should be achieved by the establishment of
security competence and training and disaster management support capabilities/centres which
should be jointly planned and implemented by the different public and private security
stakeholders.

Methods: SICMA developed a set of closely interacting, partially integrated tools for scenario
development and exercising, for simulation of complex disaster scenarios, and advanced dynamic
virtual situation visualization. This suite of tools was demonstrated and tested in a simulated
realistic scenario. The scenario was derived from the data from the real (Enschede) catastrophic
explosion scenario of 2000.

Link to FOCUS: the SICMA is exploited to understand and develop scenarios describing the
typical response of organizations in crisis situations. In addition, FOCUS will also look at
exogenous threats and will match the security gaps with roles and responsibilities to be established
by the EU politicians.

Reference: http://www.sicmaproject.eu/SicmaProjectSite2008/index.html
38 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

4.9 INSPIRE

Objectives: The INSPIRE project aimed at identifying techniques to enhance the reliability of
communications over unreliable and/or insecure links (WAN, wireless), so that critical control loops
become possible over a WAN.

Context: The CIs and their providers as investigated in this project were the sectors energy, their
interdependencies and the underlying SCADA and communications networks. Particularly, the
components of Sensors, remote terminal units (RTU), and the control room supervisory stations
were subject to improvement.

Perspectives: The perspective was to provide powerful technologies (software support tools) to
the SCADA an SCADA communications networks and operators

What is new: A number of detailed and sophisticated malicious software threats.

Key drivers: The ever increasing vulnerability of SCADA systems.

Trends: Improved automated or semi-automated resilience and self-configuration capabilities of

SCADA communications systems.

Methods: The project designed and implemented IT traffic engineering algorithms in SCADA
communications to provide SCADA traffic with quantitative guarantees of service quality. Peer-to-
peer overlay routing mechanisms for improving the resilience of SCADA systems were exploited,
and a self-reconfigurable architecture for SCADA systems was designed. Finally, diagnosis and
recovery techniques for SCADA systems were developed.

A large number of detailed IT attacks were specified, against a selection of which the INSPIRE-IT
solutions were verified and tested, in a distributed testbed environment.

Furthermore, the process of the EU on approaching the domain of CIP, defining their role and
initiating EU actions was systematically analysed, followed by an assessment of how the results of
the INSPIRE project could contribute to this EU process and the consequential actions and
measures of the EPCIP (European Programme for Critical Infrastructure Protection).

Gaps: The move from proprietary technologies to more standardised and open solutions together
with the increased number of connections between SCADA systems and office networks and the
Internet has made them more vulnerable to cyber attacks. Because of the mission-critical nature of
many SCADA systems, successful attacks could cause massive financial (and possible material)
losses through loss of data or actual physical destruction, misuse or theft.

Link to FOCUS: FOCUS will take into account the IT threats that could hit critical infrastructure
and supply chains. In particular, major attention will be given to threats perpetrated from countries
outside the EU. In addition, FOCUS considers natural threats and other physical attacks that could
take place in the future and link everything to the development of an EU organ that is able to
quickly respond to crisis situations.

Reference: http://www.inspire-strep.eu
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 39

4.10 COPE

Objectives: The objective of the Common Operation Picture Exploitation (COPE) project was to
achieve a significant improvement in emergency response management command and control
performance, reliability, and cost. New solutions need to be created by combining a user oriented
human factors approach with the technology development. The aim was a step improvement in
information flow both from and to the first responder in order to increase situational awareness
across agencies and at all levels of the command chain in emergency management situations.

Context: The context was a real training and exercising site where a physical attack against real-
estate and chemical-like production infrastructures were physically produced. Focus was on
disaster management in a CIP scenario.

Methods: The basic technological concept and COPE solution was the generation of an
integrated common operational picture (COP). This picture was part of the command and control
system and integrated numerous heterogeneous sensor and other information sources. Reversely,
filtered information was fed back to the first responders for the purpose of reducing their risks,
prioritizing their tasks, and making their operations on site more efficient and effective. The large
and very realistic scenario was partially exercised live on site, and partially by a real-time tabletop
exercise (TTE) which was coupled and synchronized to the live exercise.

Gaps: In homeland security (compared to military standards), there are large deficiencies in
necessary and technologically advanced command and control support and lacks of
standardization.

Link to FOCUS: Besides physical attacks to the infrastructure and supply chains, FOCUS
considers cyber threats and catastrophic events. By looking at these threats in future context, the
FOCUS team of researchers and experts will point out what policies and EU bodies will be needed
to ensure the safety and security of citizens.

Reference: http://cope.vtt.fi

4.11 CritDep & Criteria

Objectives:

a) Critical Dependencies: The main purpose of this study was to develop criteria and a
methodology to identify the criticality of the infrastructures energy, finance and transport,
originating from their dependencies on ICT systems, technologies, services and support.
The commonalities, differences and synergy potential between different sectors should be
elaborated

b) CRITERIA: The general objective of the study was to support the process in the EU to
define sectoral criteria to identify European Critical Infrastructures in the ICT sector, with a
particular focus on the sub-sectors of Internet and fixed and mobile telecommunications.

Context: (a) the sectors energy, finance, and transport and (b) the sectors internet and
telecommunications
40 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

Perspectives: These projects and a series of further ones were tasked and executed in the
framework of the EPCIP, the European Programme for Critical Infrastructure Protection

What is New: The novel approach at EU level (and the consequences for future EU-national
cooperation) was to

Develop and agree on infrastructure and dependency models and criteria

Systematically define and derive the critical ICT dependencies

Develop a catalogue of threats and associated vulnerabilities

Extract and agree on commonalities in vulnerabilities, risks, procedures and strategies (e.g.
disruption recovery, business continuity) of the different CIs and derive the synergy potential

Derive typical security measures as decision support, and assess against selected scenarios

Give recommendations for a future EU-level approach

Provide recommendations for EU policy initiatives and assess against the technological,
economical and policy trends and obstacles. (See also EPCIP)

Key drivers:

The dependencies of Critical Infrastructures (CI) on ICT, but also the dependency of ICT on
CIs, particularly on energy, and the associated feedback effects and instabilities in case of
disturbance

International phenomena of threats and possible scenarios and risks involved,

The spectrum of potential direct effects, cascading effects caused by the netted structure of
infrastructures and (inter)dependencies

The fast changes of threats, CI systems technologies and architectures, and of vulnerabilities
over time

The often heterogeneous system structures, technologies and procedures

The various and different regulatory and contractual frameworks (responsibilities, liabilities)
among nations and in the different CI sectors

The communications and cooperation means between sectors and organisations involved in
CIP (cross-sector and cross-border)

The different levels and types of technical and organisational dependencies of CIs on ICT
technologies and services

The spectrum of possible, protection (prevention, reaction) and mitigation measures

The requirements of the EU to frame their future role and responsibility, and collaboration
model in CIP

Methods: A rather comprehensive and logically structured system of tabular ranking and empirical
evaluations of CI dependencies on ICT, of vulnerabilities, of protection and mitigation standards,
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 41

and of recommended future measures. The methodology is particularly suited for policy and
management decision support.

The CIIP approaches of 16 EU member states and 65 organizations/ authorities were screened,
analysed and compared. A structured process was developed on how a future EU working group
should approach the definition of ECI criteria on a case by case basis.

Gaps: The catalogue of evaluated and recommended measures reflects the vulnerability and
protection gaps identified in these infrastructure.

Link to FOCUS: FOCUS will benefit of the knowledge developed in this project to enhance the
understanding of interdependencies between sectors of critical infrastructure. These relationships
will be addressed in the scenario formulation and analysis of EU roles.

4.12 ValueSec

Objectives: The VALUESEC project aims at providing public authorities with a set of decision
support tools for analysing different aspects of decision processes and to make decisions based on
a sound economic analysis. Decisions here are defined as policy decisions on security measures
and investments, not operational decisions in case of disaster or crisis. The methodology and tools
should allow the decision maker to come to conclusions which a balance of all criteria relevant for
a decision, including risk reduction, cost (investments and savings), and the complete set of
societal, ethical and political criteria.

Context: Focus of the project is not directly CIP but related decision support. The decision
support tools will be evaluated in so called use cases. Use cases are security decisions or sets of
decisions which may be planned for 5 different scenario contexts:

1) Public mass event: Formula 1 race track; terrorist attack

2) Mass transportation: Metropolitan train/subway system; different terrorist threat options

3) Air transportation: Major European airport; the threat model is still to be defined

4) Communal security: A major flood threatening/affecting a metropolitan area

5) Cyber Security: Serious attacks of SCADA systems by malware (e.g. Stuxnet-like)

All context scenarios represent critical infrastructures.

Perspectives: The project will reveal and assess the different and often conflicting technological,
legal, political, societal etc. interests and underlying criteria when it comes to decide on CIP
measures.

Methods: The project will develop a set of tools and an ontology based architecture for decision
support, possibly including

Cost benefit analysis and utility analysis

Risk analysis

Multi-criteria method to evaluate “soft” factors (social, political, environmental etc.)

42 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

Simulation and gaming

Gaps: Security decisions are often based on short term policy aspects and not on a long-term
strategy and systematic and transparent analysis and balanced assessment of all technical,
economic, fiscal, political and societal factors.

Link to FOCUS: the results of the ValueSec project will be considered in FOCUS during the
determination of EU roles and responsibilities. More specifically, the outcomes of ValueSec will be
used to support the choices made in terms of EU roles and responsibilities.

Reference: http://www.valuesec.eu

4.13 LOGSEC

Objectives: LOGSEC, the EU FP7 project that developed the Strategic Roadmap for Supply chain
security (SCS), analysed importance of political, regulatory and technological aspects in security
research, and produced recommendations on cost-efficient measures for enhancing Supply chain
security in a European context.

Context: the project analyses existing governmental and industrial security requirements.
Thereafter, it determines gaps in securing supply chains and security areas in which research and
development are necessary.

Methods: qualitative data collected by means of interviews and workshops.

What is new: the project presents gaps and requirements of industrial users. The analysis of the
data collected unveils a set of gaps that need to be filled to enhance the security of supply chains.

Link to FOCUS: the LOGSEC project will mainly contribute in terms of the identification main
developments of supply chain security that will take place in the future. These issues will be
fundamental to generate future scenarios and related EU roles.

Reference: http://www.logsec.org

4.14 COUNTERACT

Objective: The EU COUNTERACT Programme was set up to improve security against terrorist
attacks aimed at public passenger transport, intermodal freight transport and energy production
and transmission infrastructure. The project reviewed existing security policies, procedures,
methodologies and technologies to identify best practices. A number of case studies were
identified and executed.

Context: COUNTERACT was set up to improve security against terrorist attacks aimed at energy
production and transmission infrastructure, public passenger transport and intermodal freight
transport. The project has reviewed existing security policies, procedures, methodologies and
technologies to identify the best practices which, in turn, will be promoted throughout the relevant
security community. The three industry clusters covering public passenger transport, intermodal
freight transport and energy will exchange experiences and views.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 43

Trends in CI: the project shows how terror attacks may be perpetrated against critical
infrastructure, i.e. passengers and goods transportation.

Link to FOCUS: the COUNTERACT project unveils typical terror threats that may be perpetrated
to critical infrastructure. Hence, these threats will be used to generate future scenarios. In addition,
the best practices identified in the project will be used to support the decisions made in terms of
EU roles necessary to cope with the scenarios.

4.15 CASSANDRA

Objective: CASSANDRA’s main strategic goal is to enhance supply chain visibility in order to
simultaneously improve business operations and the efficiency and effectiveness of government
security inspections. This will be facilitated by a novel data-sharing concept and a new approach
towards risk assessment. Information is combined from existing sources in supply chains, enabling
improved visibility and assessment of risks by both business and government.

Method: the whole project is based on the risk based concept which consists of techniques and
tools to allow customs accessing goods and shipment information. Thereafter high risk containers
and shipment may be targeted in a cost-efficient manner.

Link to FOCUS: the CASSANDRA project shows the possibility to adopt a risk based approach to
identify threats in supply chains in a cost-effective manner. This contributes to FOCUS with the
understanding of how customs and supply chain stakeholders perform risk assessment of security
threats.

Reference: http://www.cassandra-project.eu/
44 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

5 List of resources
5.1 Books

Reference Abstract
Olsson, Stefan (Ed.) (2009). In less than a decade, Europe has witnessed a series of
Crisis Management in the large-scale natural disasters and two major terrorist
European Union: attacks. Growing concern about the trans-national effects
Cooperation in the Face of of these incidents has caused the EU Member States to
Emergencies. XII, 171 p. 13 seek more multilateral cooperation. As a result, a system of
illus. common arrangements for handling large-scale
emergencies or disasters has emerged, which, due to its
quick and ad-hoc development, may seem almost
impenetrable to newcomers to the field. This book seeks to
provide a much-needed overview of disaster and crisis
management systems in the EU. It provides a basic
understanding of how EU policy has evolved, the EU’s
mandate, and above all, a concise and hands-on
description of the most central crisis management
arrangements. Written by some of Europe’s main experts
and consultants in the field, this book represents a unique
and comprehensive source of information for everyone
involved or interested in the European Union crisis
management system.
"This book will quickly become an indispensable resource
for two groups: Practitioners will enjoy its accessible and
comprehensive style. Academics curious about this
emerging field will turn to it for an introductory overview. As
someone who closely studies this field, I find the book
engaging, detailed, and accurate, and I read every line with
great interest. The authors are to be commended for the
quality of research that went into this work."
Gheorghe, A.V., Masera, Europe witnessed in the last years a number of significant
M., Weijnen, M., De Vries, power contingencies. Some of them revealed the
L.J.(2006).Critical potentiality of vast impact on the welfare of society and
Infrastructures at Risk: triggered pressing questions on the reliability of electric
Securing the European power systems. Society has incorporated electricity as an
Electric Power System inherent component, indispensable for achieving the
Series: Topics in Safety, expected level of quality of life. Therefore, any
Risk, Reliability and Quality, impingement on the continuity of the electricity service
Vol. 9, XXIX, 371 p. would be able to distress society as a whole, affecting
individuals, social and economic activities, other
infrastructures and essential government functions. It would
be possible to hypothesize that in extreme situations this
could even upset national security.
This book explores the potential risks and vulnerabilities of
the European electricity infrastructure, other infrastructures
and our society as whole increasingly depend on. The work
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 45

was initiated by the need to verify the potential effects of

the ongoing market and technical transformation of the
infrastructure, which is fundamentally changing its
operation and performance. The final aim is to set the basis
for an appropriate industrial and political European-wide
response to the risk challenges.
Didier Bigo, Elspeth This volume presents the final results of the CHALLENGE
Guild, Sergio Carrera, R. B. research project (The Changing Landscape of European
J. Walker (2010). Europe's Liberty and Security) - a five-year project funded by the
21st Century Sixth Framework Programme of DG Research of the
Challenge: Delivering European Commission.
Liberty. Ashgate Publishing, The book critically appraises the liberties of citizens and
Ltd., 2010 - 330 pages others within the EU, and the different ways in which they
are affected by the proliferation of discourses, practices
and norms of insecurity enacted in the name of collective
and individual safety. It analyses from an interdisciplinary
perspective the impacts of new techniques of surveillance
and control on the liberty and security of the citizen. The
book studies illiberal practices of liberal regimes in the field
of security, and the relationship between the internal and
external effects of these practices in an increasingly
interconnected world, as well as the effects in relation to
the place of the EU in world politics.
Menoni, Scira; Margottini, This book comprises the main results of the Scenario
Claudio (Eds.) (2011). Inside (Support on Common European Strategy for sustainable
Risk: A Strategy for natural and induced technological hazards mitigation)
Sustainable Risk project, funded as a Specific Support Action under the VI
Mitigation.1st Edition., 2011, FP. This book addresses three main needs: first, it
X, 190 p. 35 illus. constitutes an assessment of the situation of Europe as far
as natural na-tech risks are considered; second, it suggests
future research themes to be opened of widened so as to
tackle new and emerging threats as well as changes in the
potential response to risk governance, in order to improve
the way scientific and technical expertise informs decision
making regarding all fields of mitigation, ranging from
structural to non structural measures, such as training,
education and land use planning.
Naim, Moises (2005). Pick up a newspaper anywhere, any day, and you will find
Illicit: How Smugglers, reports of illegal migrants, drug busts, smuggled weapons,
Traffickers and Copycats laundered money, or counterfeit goods. Illicit trades are
are Hijacking the Global booming and so are the traffickers' revenues—and their
Economy. ISBN: 0385513925 political influence. Black-market networks are stealthily
transforming global politics and economics. ILLICIT shows
how we got to this dangerous point—and stresses the
interconnections between these illegal enterprises, and
how they endlessly recombine to breed new lines of
business, distort the economy of entire countries and
industries, enable terrorists and even take over
46 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

governments. From pirated movies to weapons of mass

destruction, from human organs to endangered species,
drugs, or stolen art, ILLICIT reveals the inner workings of
these amazingly efficient international organizations and
shows why it is so hard—and so necessary—to contain
them. ILLICIT offers a fresh, ingenious and compelling
vision of this untold story of globalization. It provides a
powerful new lens with which to assess how today's world
really works and where it may be headed. Illicit will surely
ignite urgent debate at the highest levels—and change the
way you think about the world.
David Spence (2007). The The September 11 attacks in the USA lent huge impetus to
European Union and efforts to coordinate and expand the EU's counter-terrorism
Terrorism role, bringing about far-reaching cooperation and pushing
the EU down the track of further European integration. In
setting out the EU's achievements in the fight against
terrorism, the chapters in this book explain how and why
this has come about and the mechanisms involved. They
also critically assess the limits of such integration and
explore the tensions between co-operation and the issue of
individual human rights. A selection of key documents
rounds out the book with a valuable reference dimension.
"This book brings together key thinkers and is a welcome
analysis of terrorism challenges. David Spence has
succeeded in giving us a timely and thoughtful complement
to the terrorism debate" - Franco Frattini, EU
Commissioner for Justice, Freedom and Security, in the
preface.
Marc Houben, Klaus The European Security Forum is a joint initiative of the
Becher, Michael (2002). In Centre for European Policy Studies (CEPS) and the
European Security (Vol. I), International Institute for Strategic Studies (IISS), launched
Pages: 304 in late 2000. The objective of the Forum is to bring together
senior officials and experts from EU and Euro-Atlantic
Partnership countries, including the United States and
Russia, to discuss security issues of strategic importance
to Europe. The Forum is jointly directed by CEPS and the
IISS and is hosted by CEPS in Brussels.
This first volume of Readings in European Security
contains the complete set of working papers commissioned
by the Forum since its founding through November 2002
(Nos. 1-9). Each set of papers is prefaced by an
Introduction by the Chairman, François Heisbourg, Director
of the Fondation pour la Recherche Stratégique in Paris.
The papers are written by independent experts presenting
EU, US and Russian viewpoints on the topic.
Bures, Oldrich (2011). EU Although there is a vast body of literature covering the on-
Counterterrorism Policy: A going debates concerning the novelty and gravity of the
Paper Tiger? contemporary terrorist threat, as well as the most
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 47

appropriate response to it, few authors have thus far

analysed the complex set of counterterrorism measures
that both the individual Member States and the European
Union (EU) have attempted to develop. This volume offers
a critical analysis of the measures the European Union has
taken to combat terrorism and how, in a number of key
areas, EU counterterrorism policy is more of a paper tiger
than an effective counterterrorism device. Several legal EU
counterterrorism instruments have not been properly
implemented at the national level and questions have been
raised regarding their effectiveness, appropriateness, and
proportionality. The capabilities of EU agencies in the area
of counterterrorism remain rather weak and the EU
Counterterrorism Coordinator does not have any real
powers apart from persuasion. However, this does not
mean that EU level action cannot offer any value-added in
the fight against terrorism. There are several areas where
the EU can provide genuine value-added in the fight
against terrorism due to the transnational nature of the
contemporary terrorist threat and the nature of a
“borderless” Europe.
Donner, M., Kruk, C. (Hintsa This Supply Chain Security Guide is intended for Trade and
as a technical contributor) Transport Government officials, Port Authorities and
(2009). Supply Chain Transport, Cargo and Logistics Communities, in particular
Security Guide, World Bank. in developing countries. The guide will in broad terms
http://siteresources.worldba describe all components of SCS and will preliminarily be
nk.org/INTPRAL/Resources/ directed toward Port and Trading Communities at large, but
SCS_Guide_Final.pdf making references to other modes and nodal points as
well. This document is not an exhaustive encyclopaedia of
all the aspects of supply chain security. Following the
prevailing trend in the industry, the guide gives more
attention to the maritime containerized transport than to
other sectors or modes of transport, as it is currently the
most evaluative sector. The purpose of the guide is to
make concerned trade and transport-related officials,
managers and personnel in developing countries
acquainted with, and aware of, the many initiatives
mushrooming in the field of supply chain security, what
these will mean for their respective organizations, and how
to tackle the inlaid challenges
Kirchner , E.J., EU Security Governance links the challenges of governing
Sperling, J(2007). EU Europe’s security to the changing nature of the state, the
Security Governance. evolutionary expansion of the security agenda, the growing
Manchester University obsolescence of the traditional forms and concepts of
Press, 280 pages security cooperation, and assesses the effectiveness of the
EU as a security actor. The book has two distinct features.
Firstly, it is the first systematic study of the different
economic, political, and military instruments employed by
48 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

the EU in the performance of four different security

functions. Secondly, the book represents an important step
towards redressing conceptual gaps in the study of security
governance, particularly as it pertains to the European
Union. The book demonstrates that the EU has emerged
as an important security actor.
White book: Emerging ICT The report identifies 28 current and future ICT-related
threats, Deliverable 3.1 of threats to critical infrastructures and classifies them in the
FP7 project Managing following eight categories: (1) Networking; (2) Hardware
Emerging Threats in ICT and Virtualization; (3) Weak Devices; (4) Complexity; (5)
Infrastructures (Forward), Data Manipulation; (6) Attack Infrastructure; (7) Human
GA 216331, January 2010, Factors; and (8) Insufficient Security Requirements. The
<www.ict- report then presents ten scenarios, showing how
forward.eu/media/publicatio adversaries can leverage the identified threats to realize
ns/forward-whitebook.pdf> their malicious goals, covering, inert alia, financial, energy,
and water infrastructures.

First Report on Threats on The first part of the report presents the results from
the Future Internet and exploration of current and emerging threats in cyberattacks,
Research Roadmap, smart environments, malware and fraud. In the second part
Deliverable 4.1 of the FP7 of this document authors try to distil the list of threats
project “A European presented so far into two comprehensive attack scenarios.
Network of Excellence in Each scenario is represented by a short story that
Managing Threats and describes a hypothetical, but plausible situation. The goal is
Vulnerabilities in the Future to group together threats in different areas and explain how
Internet: Europe for the an attacker can exploit a sequence of vulnerabilities to
World” (SysSec, September perpetuate his malicious plan.
2011), <www.syssec-
project.eu/media/page-
media/3/syssec-d4.1-future-
threats-roadmap.pdf>

5.2 Articles

Reference Abstract
Boin, A. and McConnell, A. (2007). Modern societies are widely considered to
Preparing for Critical Infrastructure harbour an increased propensity for
Breakdowns: The Limits of Crisis breakdowns of their critical infrastructure (CI)
Management and the Need for Resilience. systems. While such breakdowns have
Journal of Contingencies and Crisis proven rather rare, Hurricane Katrina has
Management, 15: 50–59. demonstrated the catastrophic
consequences of such breakdowns. This
article explores how public authorities can
effectively prepare to cope with these rare
events. Drawing from the literature on crisis
and disaster management, we examine the
strengths and weaknesses of traditional
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 49

approaches to crisis preparation and crisis

response. We argue that the established
ways of organising for critical decision-
making will not suffice in the case of a
catastrophic breakdown. In the immediate
aftermath of such a breakdown, an effective
response will depend on the adaptive
behaviour of citizens, front-line workers and
middle managers. In this article, we
formulate a set of strategies that enhance
societal resilience and identify the strong
barriers to their implementation.
De Bruijne, M. and Van Eeten, M. (2007), Recent years have witnessed major
Systems that Should Have Failed: Critical governmental initiatives regarding critical
Infrastructure Protection in an infrastructure protection (CIP). During that
Institutionally Fragmented Environment. same time, critical infrastructures (CIs) have
Journal of Contingencies and Crisis undergone massive institutional restructuring
Management, 15: 18–29. under the headings of privatization,
deregulation and liberalization. Little
research has gone into understanding the
interactions between these two
developments. In this article, we outline the
consequences of institutional restructuring
for the changing ways in which CIs ensure
the reliability and security of their networks
and services. Neither Normal Accident
Theory nor High-Reliability Theory can
account for reliability under these conditions.
We then investigate the implications of these
findings for CIP.
Belluck, D.A., Hull, R.N., Benjamin, S.L., Population growth, needed economic growth,
Alcorn, J. and Linkov, I. (2006). and social pressures for improved
Environmental Security and infrastructure coupled to the need for human
Environmental Management: The Role of health and ecological protection and
Risk Assessment. NATO Security through environmental security make systematic and
Science Series, 1-16. transparent environmental decision making a
complex and often difficult task. Evaluating
complex technical data and developing
feasible risk management options requires
procedural flexibility that may not be part of
existing evaluative structures. Experience
has demonstrated that direct transposition of
risk assessment and risk management
frameworks (e.g. those developed in the
United States and European Union) may not
work in regions whose social, legal,
historical, political and economic situations
are not suitable or prepared for acceptance
50 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

of these methodologies. Flexible decision-

making, including the use and development
of acceptable or unacceptable risk levels
based on the critical nature of an
infrastructure type, is one potential approach
to assist risk managers in their decision-
making. Unfortunately, the newness of the
discussions on the interrelatedness of
environmental security and critical
infrastructure has yet to produce a unified
and comprehensive treatment of the fields.
As a result, this paper will describe and
define these terms in order to set the stage
for discussions of human health and
ecological risk assessment and risk
management later in the paper. This paper
reviews basic concepts defined in the field of
risk assessment and extends its applicability
to the areas of environmental security and
critical infrastructure protection.
Sousek, R., Dvorak, Z (n.d). Risk The article describes experiences of authors
identification in critical transport with risk identification in critical transport
infrastructure in case of central Europe infrastructure in the Czech Republic and
with focus on transport of dangerous Slovakia.
shipments.
Bennett, D., Jahankhani, H., Dastbaz, M., In developed economies, electronic
Jahankhani, H.(2011). A Secure Hybrid communication infrastructures are crucial for
Network Solution to Enhance the daily public, private, and business
Resilience of the UK Government interactions. Cellular systems are extensively
National Critical Infrastructure TETRA used for business communications, private
Deployment. International Journal of interaction, and in some cases, public
Information Security and Privacy, 5(1), 1- information services, via such uses as mass
13. SMS messaging. The Public Switched
Telephone Network (PSTN) is at the core of
all communications platforms. It was used
primarily for voice communication purposes,
but with current technological advances, this
platform has been transformed from a voice
to voice interface to a web enabled
multimedia platform that provides
commercial, business, and e-commerce
services to the public. In response to the
September 11, 2001, terrorist acts in New
York City, the UK government introduced a
policy of separating and transferring all
emergency communication traffic
from the PSTN to a digital public safety
network based on the TETRA architecture.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 51

This paper extends the utilisation of the

TETRA deployment by discussing a secure
MANET hybrid solution for use in extreme
situations as a short/mid-term EMS
organisational communication platform for
emergency and rescue operations.
Pursiainena, C. (2009). The Challenges for Critical Infrastructure Protection has become
European Critical Infrastructure a new field of European integration. This
Protection. Journal of European article identifies some of the challenges on
Integration, Volume 31, Issue 6,pages this road towards a more shared approach. It
721-739. argues that while the very concept of critical
infrastructure is in flux, the whole approach is
challenged by the more general approach
that concentrates on resilience of societal
functions instead of mere protection of
infrastructures. The article also claims that it
is not completely clear against what kind of
threats the critical infrastructures should be
protected and by whom. The article further
points out the limits of the regulatory efforts
of the governments or the EU in trying to
protect infrastructures that are mostly owned
and operated by private actors.
Whalley, R. (2010). Chapter Five: Critical In the twenty-first century, the European
Infrastructure Adelphi Series. Special Union is confronted by myriad security
Issue: Europe and Global Security. problems that demand concerted action and
Volume 50, Issue 414-415, pages 103-122 cooperation. As a negotiating power, it seeks
to persuade Iran to forswear a nuclear
weapons programme. As a crisis manager it
seeks to contribute to global peace and
stability through civilian and military
operations. Closer to home, it is wrestling
with questions about membership
enlargement, large-scale migration and
terrorist threats to the security of its
populations and infrastructure. European
governments, already under financial strain
from ageing workforces and welfare
systems, face ever more difficult choices
about budget cuts in security and defence
after the near-collapse of the global banking
system. Will it be possible to enhance
cooperation between member states? How
can the EU complete its transition from a
security actor with great potential to a player
that credibly aligns available policy
instruments and resources?
These and other issues about the very
52 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

nature and identity of the Union are explored

in this Adelphi. From the need to establish its
hard-power credentials, overcome its
reluctance to demonstrate them against non-
compliant states, and leverage its
relationships with other great powers, to
attempts to break its dependence on
Russian energy, it is clear the EU has its
work cut out. But, by affirming its
commitment to multilateralism and defining a
careful balance between closer cooperation
and the national security concerns of EU
member states, this book suggests, the
European Union can build on its status as a
global security power in the making.
van der Vleuten, E ; Lagendijk, V (2010). Recent transnational blackouts exposed two
Interpreting radically opposed interpretations of Europe’s
transnational infrastructure vulnerability: electricity infrastructure, which inform recent
European blackout and the historical and on-going negotiations on transnational
dynamics of transnational electricity electricity governance. To EU policy makers
governance. Energy policy, 2010 APR, such blackouts revealed the fragility of
Vol.38(4), p.2053-2062. Europe’s power grids and the need of a more
centralized form of governance, thus
legitimizing recent EU interventions. Yet to
power sector spokespersons, these events
confirmed the reliability of transnational
power grids and the traditional decentralized
governance model: the disturbances were
quickly contained and repaired. This paper
inquires the historic legacies at work in these
conflicting interpretations and associated
transnational governance preferences. It
traces the power sector’s interpretation to its
building of a secure transnational power grid
from the 1950s through the era of
neoliberalization. Next it places the EU
interpretation and associated policy
measures against the historical record of EU
attempts at transnational infrastructure
governance. Uncovering the historical roots
and embedding of both interpretations, we
conclude that their divergence is of a
surprisingly recent date and relates to the
current era of security thinking. Finally we
recommend transnational, interpretative, and
historical analysis to the field of critical
infrastructure studies.
Aradau, C. (2010). Security That Critical infrastructure protection is
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 53

Matters: Critical Infrastructure and prominently concerned with objects that

Objects of Protection. Security dialogue, appear indispensable for the functioning of
2010 OCT, Vol.41(5), p.491-514 . social and political life. However, the analysis
of material objects in discussions of critical
infrastructure protection has remained
largely within the remit of managerial
responses, which see matter as simply
passive, a blank slate. In security studies,
critical approaches have focused on social
and cultural values, forms of life,
technologies of risk or structures of
neoliberal globalization. This article engages
with the role of ‘things’ or of materiality for
theories of securitization. Drawing on the
materialist feminism of Karen Barad, it shows
how critical infrastructure in Europe neither is
an empty receptacle of discourse nor has
‘essential’ characteristics; rather, it emerges
out of material-discursive practices.
Understanding the securitization of critical
infrastructure protection as a process of
materialization allows for a
reconceptualization of how security matters
and its effects.
Egan, M. J. (2007), Anticipating Future The world's ‘Critical Infrastructure’ (CI) has
Vulnerability: Defining Characteristics of increased in size during the three decades
Increasingly Critical Infrastructure-like between 1975–2006. CIs are those systems
Systems. Journal of Contingencies and that provide critical support services to a
Crisis Management, 15: 4–17. country, geographic area for a corporate
entity; when they fail, there is potentially a
large cost in human life, the environment or
economic markets. This article examines the
characteristics of new technologies or
services that are becoming a part of the CI,
but are not yet. The article attempts to
systematically define the characteristics of
‘criticality’ in order to better anticipate the
types of vulnerabilities these new
technologies or services create.
D. Procházková: Ground works for critical The paper concentrates the attention to the
infrastructure protection. In Czech. In: vulnerabilities of energy and of water
Krizový management. RVO VA Brno 2004, supplies, mainly their infrastructures to
ISBN 80-85960-71-0, 313-321. different disasters and their impacts including
questions connected with the
countermeasures linked with infrastructure
organisations (centralized and
decentralized).
D. Procházková: Real problems of critical The paper describes the specific properties
54 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

infrastructure threatening the region of the Critical Infrastructure (CI). By help of

safety. In: Reliability, Risk and Safety – analyses of selected cases of CI failures and
Ale, Papazoglou & Zio (eds) © 2010 Taylor by theoretical analysis of behaviour of the
& Francis Group, London, ISBN 978-0- System of Systems (SoS) partial systems
415-60427-7, 2387-2394. and the whole CI with the What, If method
and with the All Hazard Approach use there
are determined for 6 important disasters in
the Czech Republic both, the direct impacts
on partial infrastructures and the impacts at
which the failure of one infrastructure was
transferred by cascade form to another
infrastructures. With regard to these data
there are identified on the technical and
operating / managerial levels the
corresponding sources of risks. Because the
CI is complex SoS, the responsibilities for
critical infrastructure safety in a region have
all stakeholders. On the data set used there
are specified problems in 5 professional
domains and in each of them there are
determined critical items. From the
comprehensible reasons the special
attention is devoted to the public protection.
D. Procházková: Safety Management of The critical infrastructure is a set of mutually
Critical Infrastructure. In: Critical interconnected networks, i.e. the systems of
Infrastructure Safety and Security (CrlSS- various sectors of human system. An
Dessert´11). ISBN 978-966-662-226-9. interconnection of systems means the
mutual dependence. Therefore, in linkage
with the safe critical infrastructure and with
sustainable development potential there is
necessary to solve several problems, namely
safety of partial infrastructures and safety of
a set of mutually dependent infrastructures.
With regard to a present knowledge we know
that the optimum safety of the set of
infrastructures there is not the set of
optimum safeties of partial infrastructures,
and therefore, we must search for solution by
other way. The work indicates a possible
approach for solution acquisition.
Steven M. Rinaldi, James P. Peerenboom, This is a fundamental source on the
and Terrence K. Kelly, “Identifying, analytical foundations of critical infrastructure
Understanding and Analyzing Critical protection. It reviews accepted definitions.
Infrastructure Interdependencies,” IEEE Then it proposes dimensions for describing
Control Systems Magazine 21, no. 6 infrastructure dependencies and examines in
(December 2011): 11-25. detail each dimension, providing numerous,
real-world examples.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 55

Todor Tagarev and Nikolay Pavlov, “Main The authors provide a structured description
Tasks and Relationships in the Analysis of goals, objectives, and tasks in
and the Protection of Critical approaching the problem of critical
Infrastructure”, Military Journal, vol. 113, infrastructure protection and how they relate
no. 1 (2006): 84-96. [in Bulgarian]. to other public policy decisions, thus setting
the foundation for a rigorous decision-making
process including threat and vulnerabilities
assessment, sectoral analysis, assessment
of interdependencies and potential
cascading effects, developing and
comparative analysis of strategies and
measures for critical infrastructure protection

5.3 Other resources

Resource Name Summary

The (German) national plan for the It was issued by the German Federal
protection of information infrastructures Ministry of the Interior in Aug. 2005, after
(NPSI) approximately 5 years of analysis,
http://www.bmi.bund.de/SharedDocs/Dow assessment of policy options, and
nloads/DE/Themen/OED_Verwaltung/Infor consultation between the private and public
mationsgesellschaft/Nationaler_Plan_Sch sector. It gives a political assessment of the
utz_Informationsinfrastrukturen.html?nn vulnerabilities of and threats to, Germany’s
=105406 critical information infrastructure. It defines
the strategic goals and responsibilities in
CIIP, in both, prevention and reaction. It
gives the framework for cooperation
between the industries and the federal
government discusses the role of citizens
and society and the importance of
international cooperation. It defines 10
operational and political objectives for
preventive and reactive measures and 5
objectives of supportive measures.
The implementation plan (UP KRITS) of Defines the individual measure for
2007 implementing the NPSI, with particular
http://www.bmi.bund.de/SharedDocs/Dow emphasis on cooperation across the
nloads/DE/Broschueren/2007/Kritis.pdf?_ different CII sectors, and across borders.
_blob=publicationFile Explicitly addressed are the sectors of
Transportation and traffic
Energy
Hazardous material
Finance and insurance
Supply (health, disaster protection,
food, water and waste)
Administration and justice, and
Media, large scale research and
56 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

symbolic/ cultural objects

The Plan gives recommendations on
implementation of concrete measures and
structures of cooperation and
communication. The final chapter contains a
roadmap of further implementation.
“Terrorism Tracker”, a joint initiative / A risk management tool for security
service between Aon and Janusian practitioners, analysts and researchers.
https://www.terrorismtracker.com/ Comprehensive global database of terrorist
attacks and plots, where each event is geo-
tagged, with daily updates.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 57

6 Initial conceptual framework

6.1 Overview

Events and developments are impossible to forecast for the following next decades – and foresight
scenarios are not aimed to predict the future. They describe grounded stories where the main
attention is not focused on the ends but rather on the means and the pathways. In other words,
foresight is based on the plausibility of the discussion. Extrapolation based on present threats fails
to capture root causes and their changes that depict weak, warning signals about changes in the
landscape. Additionally, extrapolation hides past decisions and developments that limit future
alternatives. Thus, the discussion needs to consider following points (Aaltonen, 2007):

- which perspectives are presented

- which issues, mechanisms and development paths are considered worthy of attention and
which are absent in the discussion

- what is the relation of the subject to time

- in what kind of landscape is the sense-making assumed to have taken place

Besides, the discussion is always context-depend: scenarios, drivers, changes and pathways
cannot be extracted from the problem field (e.g. critical infrastructure protection and supply chain
security) or placed in another time-frame.

This chapter aims at making more explicit how to assess changes and trends in the context of
Critical Infrastructure Protection and Supply Chain Security. It doesn’t provide profound analysis
but instead aims at structuring a platform and facilitating comprehensive discussions by bringing
technology experts, social and political scientists, practitioners and policy makers around the same
table. The number of categories and connections are limited on purpose to increase usefulness
and feasibility of the approach.

The test of usefulness of the framework is (Kanninen, 2007):

- whether it helps to understand world problems in a comprehensive, interrelated manner:

- whether it elicits key variables, relations and chain reactions in a way, which we would not
be intuitively inclined to do;

- whether it could be used as a checklist of the most pertinent variables and their
relationships in order to make reliable analysis of the future trends; and

- whether it could provide a useful agenda for global and regional monitoring of trends,
threats and their required responses by decision-makers.

To structure and support the development of the conceptual analysis, the conceptual framework
developed in (Kanninen, 2007) - visualized in Figure 3 – is used. The main linkages deal with how
(i) economic and social factors, (ii) technology development and (iii) changes in citizens’ values
drive changes in EU decision making (system change).
58 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

Figure 3. Analytical framework to identify and assess changes in political environment

(adapted from Kanninen, 2007).

The next sections of this chapter will describe each of the boxes represented in the figure:

1. EU and international system change. This section describes main political drivers that
effect on future policies regarding critical infrastructure and supply chain security. EU
institutions, bodies and agencies working within Critical Infrastructure Protection and
Supply Chain Security are described in a separate chapter.

2. Economic and social change. This section captures economic and social drivers that limit
or expand alternatives to protect critical infrastructures and secure the supply chain.

3. Technological and environmental changes. Technology includes tools, methods,

services, capabilities and other new assets used to produce goods and services to meet
human needs (e.g. manufacturing and transportation of goods and raw materials).
Technology can be used to exploit new or present energy resources more efficient. Natural
catastrophes and climate change can constrain endeavours to satisfy human needs. This
section includes changes “around us”.

4. Changes in values. “Values” include all personal and cultural values that form a baseline
for human action (e.g. environmental values, democratic values, consumer values, terrorist
values and so forth). The “change in values” predicts human needs and actions in the
future.

The arrows in Figure 3 present the interactions between the above listed four elements. For
instance, increasing terrorist values may increase the need for international co-operation and may
increase prevention costs in societies. Likewise, new energy technology can increase energy
efficiency or help to exploit new energy sources. Or consumer value that emphasize low prize of
commodities can be a key driver for current sourcing and supply chain management practices and
new technology development.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 59

Following example based on perceptions during London riots in 2011 describes the framework in
supply chain security context (see box below).

Supply chain breaches caused by man-made actions can seem to be very unpredictable.
However, when it is studied in a broader strategic contextual framework, disruptions seem to
better just matter of time to realize. London riots give a good example. London riots was erupted
as a protest over the shooting of a local man by the police. Over 170 people were arrested over
the two nights of rioting, and fires gutted several stores, buildings, and cars.

According the initial framework, the root causes can be divided in a following way:

accumulation of social and economic problems - long-term social disparity intensified with
financial crises (economic and social change)

increasing amount of unemployment among the youth and lack of future alternatives
(social change)

low confidence in the democratic authorities (change in beliefs and values)

social media as a new communication and leadership tool during the riots (technology
development)

As a result of chain of actions:

due to fear of violence, people refuse to leave homes and go to work;

isolation of roads and hindering movements of people and transport in general;

parents don’t allow children to attend schools;

ultimately leading to manufacturing and transportation problems in supply chains

Only emerging social problems were not enough to initiate unwanted chain of actions. The
prerequisite for the harmful event can be derived from social and economic changes, changes in
values and beliefs and technology development. The government’s response highlights best
incapability to understand in a comprehensive way the problem field:

Prime Minister Cameron: “We need parents to have a real stake in the discipline of their
children, to face real consequences if their children continually misbehave” ( Porter & Paton,
2011)

Security problems cannot be solved only by means of discipline or by means of technology.

Commissionaire V.P. Verheuheugen expressed the challenge in his opening speech at SRC09.
“Putting EU security research in the right perspectives”

“I also have to add, that research is not to be limited to technology but also need to address
political, social and human factors relevant to European security. We also need to look at the
acceptability of technologies and as to how that perception might need to be adaptable to the
diverse cultural and institutional settings we have in the EU.”
60 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

6.2 EU and Internal System Change

In this chapter we describe some political changes on a very general level. The comprehensive
analysis can be found in FOCUS deliverable “EU as a global actor based on the wider Petersberg
Tasks”.

The present financial and economic crisis in Europe has originated bad sentiment in Europe and
finally determined national egoism, self-contemplation and unilateral political reactions in the
Member States. The major risks of this context concern the standstill of the European construction
and also an obstacle to social cohesion (Balfour, Emmanouilidis, & Zuleeg, 2010). The current
situation is fairly complex and future development should aim to solve the lack of a unified and
coherent strategic orientation (Balfour, Emmanouilidis, & Zuleeg, 2010). This issue is delaying the
consensus and agreement in Europe to determine and implement consistent political and
economic manoeuvres to recover from the present crisis. In view of this situation, developments
influencing EU role and decision making found in the literature consist of the following (Balfour,
Emmanouilidis, & Zuleeg, 2010):

Increasing EU interdependence. Past events have demonstrated the high degree of

interdependences between EU countries. Debt and financial crises in some countries have
shown the potential to transfer to other countries as well as the need for assistance and
intervention from Europe. These events have also emphasized the lack of a robust crisis
mechanism that could allow member states to quickly and effectively respond to these
crises.

Internationalization of issues. Many issues that in the past were primarily considered as
domestic have now undertaken an international dimension. Some of these are
consequences of the globalization and fall into the areas of migration, fluctuating
commodity and consumer prices, climate change, trade imbalances, supply chain security,
food security, increasing dependency on imports and energy, limited natural resources and
illicit global trade. Hence, there is a need for international agreements in the broad areas of
life.

Reassessment of EU policies. The issues mentioned will require also a reassessment of

EU policies to check first if they are still feasible and eventually modify them.

6.3 Economic and Social Change

In this section general economic and social trends on global and European level are outlined.

6.3.1 Economic changes

Europe has managed to advance on achieving a Single Market as well as on abolishing the
borders introducing the Euro as a single currency in many EU countries. At the same time, the
economic globalization has been promoted within the EU countries and contributed to the growth
and competitiveness of European industries, although economic realities with the global impact of
the financial crisis and the burden of debt is bringing new pressures to the social cohesion (Balfour,
Emmanouilidis, & Zuleeg, 2010).
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 61

The European economy is threatened by a long and complex economic crisis, which “has wiped
out years of economic and social progress and exposed structural weaknesses in Europe’s
economy” (COM 2020, 2010). Public finances have been severely affected, with high deficits and
debt levels, investment plans face lack of funding and unemployment rates have strongly risen.
The crisis is affecting EU countries differently, suffering eastern and southern European countries
the hardest consequences. Greece, Portugal and Ireland required a EU financial intervention to
prevent the collapse of their economies (Balfour, Emmanouilidis, & Zuleeg, 2010).

Main trends related to the European economy are the following ones (Bhimani):

- Globalization and increased government activism.

- Savings Gap.

- Global Growth of Consumers.

- Boom and busts.

- Changes in demand and prices of energy and natural resources.

6.3.1.1 Globalization and increased government activism

Flows of goods, people, information, energy and money are today globally connected and
interdependent. Global supply chains, social media and internet, global banking and insurance
systems, global energy sourcing and distribution system, are examples of systems used to
manage the global flows. In economic sense, speed, development and direction of globalization
can be assessed by measuring the trans-border movements of goods, people and private capital.
Factors such as the flexibility of production technologies, support of politicians and cross-border
trade have facilitated the integration of supply chains across geographical boundaries (Bhimani).
The redistribution of global manufacturing, production and investments has occurred fast in the
beginning of the 21th century (see Figure 4 and Figure 5). The trend of globalization has
contributed to the strong economic growth of countries such as China and India. According to
Goldman Sachs, the so called BRIC countries (Brazil, Russia, India and China), as well as Mexico,
Korea, Turkey and Indonesia, are the economies that are most likely to experience rising
productivity. By 2020, the four BRIC economies will be responsible for almost 50% of the increase
in global GDP (Goldman Sachs, 2011). Countries that were not prepared to take opportunities of
global markets and investments missed the opportunity to reform economic structures. Although,
globalization may have reached a turning point, it is evidently a driver that continues to take new
shapes and patterns during the next decades (Far East = China, Japan, India (magenta) ; North
America = United States of America, Canada (cyan) ; Europe = Germany, Great Britain, France,
Italy, Spain, Sweden, Belgian, the Switzerland (yellow).
62 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

Figure 4 Distribution of global manufacturing and production 1750–2100 (%)

(Rouvinen;Vartia;& Ylä-Anttila, 2007)

Figure 5 Investment degree (%, fixed investments in relation to GDP)

(Rouvinen;Vartia;& Ylä-Anttila, 2007; United Nations Statistics Division, 2007).

If the trade and assets are globalized so are also the risks. If one aims to keep the same risk level
(calculated as product of likelihood and consequences) security level may have to be increased,
because consequences due to interconnectedness can be higher. If governments want to delimit
harmful impacts they might have to build more collaboration and early warning systems.

Globalization has moved goods and materials from distanced places, but even more efficient it
transfers information, which is loaded with values and beliefs. Evidently, the movement of values,
ideologies and beliefs continues to accelerate in the Internet and social media that reinforces
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 63

outcomes of social and political changes, especially in those countries where citizens perceive
more negative than positive impacts of globalization. Likewise, social media is the platform of
normal daily communication it can be the boiling pot for growing social frustrations.

Geopolitical instability is increasing as trust in international institutions and the US is decreasing.

There are existing tensions between ‘old’ and ‘new’ powers, for example, between China and
Japan, the US and Russia, Brazil, India, as well as new emerging economies as the global
economy shifts towards East. The current global economic crisis will not stop the shift eastwards –
in fact, the world is depending on China to be the powerhouse of global economic recovery (Atos
Consulting, 2010).

Globalization is driving new dimensions of power; its definition has extended far beyond its military
connotations to include economics, resources, and technology. Globalization is not only causing a
relative power shift among nation-states, but also an increase in relative power of non-state actors
such as businesses, tribes, religious organisations, and even criminal networks. (Atos Consulting,
2010).

This is also leading to increased government activism. Governments are taking a new look at the
balance between the state and the market, as well as a regulation versus laissez faire attitude.
Further regulation, however, will almost certainly be brought in (Atos Consulting, 2010).

Credit crisis, economic downturn, green thinking and health and safety are some of the issues that
seem to be leading to increased government activism. Measures taken by governments in reaction
to the credit crunch and economic downturn have really brought the issue of government activism
or intervention to the forefront. We have been witnessing unprecedented government interventions
such as relief packages for financial institutions, nationalizations, economic stimulus packages,
and regulatory interventions (Atos Consulting, 2010).

6.3.1.2 Savings Gap

This trend concerns the fact that population in Western Europe is aging and the growth has slowed
down. Often elderly people do not need household savings. At the same time, younger individuals
do not save because of different lifestyle, unemployment, and premature entrance in the job
market. This phenomenon determines scarcity of liquidity and also access to capital available for
investments (Bhimani, 2011).

How to ensure social security and services in an affordable way remains still tight on the political
agenda. This applies even more in the light of the fact that governments are having difficulties to
pay for stimulus packages to the economy and therefore having to shoulder increasing budget
deficits. The reaction to this is an increasing tendency towards cost reduction, and the result will
inevitably be lean government (Atos Consulting, 2010).

6.3.1.3 Global growth of consumers

It is expected that billions of new consumers from developing countries will soon enter the
marketplace. Over 5 billion people live in 37 countries where nominal GDP per capita is in most
cases less than $1,000 a year (McKinsey Analysis, 2011). Over the next 10 years, consumer
spending in emerging markets is expected to grow three times faster than consumer spending in
64 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

developed nations, reaching a total of $6 trillion by 2020 (Severin, Hirose, Kopka, Moulik,
Nordheider, & Stul, 2011). Over 65% of total growth in consumer spending is estimated to come
from BRIC countries, Argentina, Indonesia, Iran, Mexico, Poland, South Africa, South Korea,
Thailand, Turkey, and Ukraine.

6.3.1.4 Booms and busts

Recent political and economic trends have favored low rates of inflation characterized by interest
rates kept artificially low and also speculative bubbles like those in the real estate sector. When
bubbles burst recession may be triggered causing a drop in expenditures. This causes more
frequent and extreme booms and bursts (Bhimani, 2011).

6.3.1.5 Changes in demand and prices of energy and natural resources

From the viewpoint of the European Critical Infrastructure, major changes are expected in demand,
and prices of energy and resources and finally dependency on energy importation.

As long-term economic growth accelerates, especially in emerging markets such as the BRIC
countries (Brazil, Russia, India, and China), - despite the current economic downturn - natural
resources and energy sources are used at increasing rates. This leads to increasing competition
over needed resources such as oil, water, energy, grain, and raw materials. Demand for oil is
projected to grow by 50% in the next two decades. Without significant new discoveries or radical
innovations, supply is unlikely to keep up. There are similar surges in demand across a broad
range of commodities. The world’s resources are increasingly strained. Water shortages in
particular will be the key constraint to growth in many countries (Atos Consulting, 2010).

Energy demand is expected to rise by 50% between 2006 and 2030 in the world. Fossil fuels are
destined to remain the primary sources of energy with the use of nuclear energy set to decline in
developed countries but set to increase in developing nations. A two-thirds majority of the demand
growth is expected to stem from rising energy needs of developing countries. While energy
resources are expected to be sufficient to meet the growth in demand, their effective exploitation
will become more difficult with a potential to drive up energy prices (Capros, Mantzos, De Vita, &
Kouvaritakis, 2009).

Fossil fuels will remain, for some time, at the center of the world’s energy system. This is due to
asymmetries between the geography of petroleum production and the geography of consumption.
The use of natural gas globally is also growing, a resource which is much more dispersed around
the globe than oil. In 2003, oil provided 95% of the fuel transportation globally, and it was projected
that demand in this sector was likely to increase by 57% in the next twenty years (Capros,
Mantzos, De Vita, & Kouvaritakis, 2009).

In the report “EU Energy Trends to 2030” EU’s future energy scenarios are described by means of
two scenarios: Baseline 2009 and Reference scenario. The Baseline 2009 scenario determines the
development of the EU energy system under current trends on population and economic
development including the recent economic downturn. Besides, it takes into account the volatile
energy import prices. Reference scenario includes policies adopted between April 2009 and
December 2009 and assumes that national targets under the Renewables directive 2009/28/EC
and the GHG Effort sharing decision 2009/406/EC are achieved in 2020.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 65

The economic downturn and the energy efficiency policies are expected to cause lower electricity
demand than previously anticipated (Capros, Mantzos, De Vita, & Kouvaritakis, 2009). According
the report:

“The economic crisis and the new efficiency policies included in the Baseline 2009 induce a
significant slowdown of demand for electricity with cumulative electricity sales (2005-2030) being
some 7% lower compared to the 2007 Baseline.

“Electrification in final energy demand continues to be a dominant trend with the share of electricity
in final energy demand reaching 24.9% in 2030 (from 23.2% in the 2007 Baseline).

The projected changes in the 27 Member States of the EU (EU27) power sector also have
significant impacts on energy costs and electricity prices. Total cumulative investment expenditure
for power generation in the period 2006-2030 are projected to reach 1.1 trillion. Auction payments
and increasing fuel prices and higher capital costs (for Renewable Energy Sources, RES, and
Carbon Capture and Storage, CCS) are the factors explaining the electricity price rise (Capros,
Mantzos, De Vita, & Kouvaritakis, 2009).

EU is depend on foreign energy sources and makes EU vulnerable to supply disruptions and
energy price volatility. Import dependency amounts to 59% in 2030 according to Baseline 2009
scenario. The EU will require 24% more gas to be imported by 2030 compared with level in 2010
(see Figure 6). Oil imports are projected to be close to the 2010 levels in 2030 (Capros, Mantzos,
De Vita, & Kouvaritakis, 2009).

Figure 6 Net imports of natural gas, oil and solids based on the Baseline scenario 2009
(Capros, Mantzos, De Vita, & Kouvaritakis, 2009)

According the World Energy Council the global transportation sector will face significant challenges
due to demographic changes, urbanization, pressure to minimize and dislocate emissions outside
urban centres, congestion of aging transport infrastructure and growth in fuel demand (World
Energy Council, 2011).Scenarios are based on two possible developments: “Freeway” and
“Tollway”. The “Freeway” scenario depicts a world where pure market forces reigns. The “Tollway”
scenario describes a more regulated world where governments decide to intervene in markets to
promote technology solutions and infrastructure development from common premises. Total fuel
demand in all transport modes is expected increase by 30% (Tollway) to 82% (Freeway) over the
2010 levels.
66 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

6.3.2 Social Changes

Social trends developing in European countries are being heavily influenced by the financial crisis.
As stated before, the present economic situation is generating political conflicts and ambiguity in
strategies and consensus (Balfour, Emmanouilidis, & Zuleeg, 2010). This has contributed in
amplifying national egoism and thereafter the social divergences between the EU member states.
The need for more efficient and targeted strategies is crucial not only to stabilize the European
financial situation but also to mitigate the social consequences for our communities in terms of
reduced poverty and exclusion from society and labour market (European Union, 2010). Main
indicators that could be used to frame the context of changing values in Europe are the following
(European Union, 2010):

Demographics.

Poverty and social exclusion.

Active ageing.

Intra-EU mobility and enlargement impact.

6.3.2.1 Demographics

Relevant trends related to demographics changes are:

Migration: The number of international migrants has been increasing as a result of

destabilizing conflicts, environmental degradation, and the prospect of better socio-
economic conditions in developing countries. The most migrants are expected to come
from Africa, but also from the Middle East, South-East Asia and Eastern Europe.

Ageing population: The average lifespan in industrialized countries is increasing, along

with the proportion of persons over 65. A declining population of young and working-age
people raises questions about financing social security, health care systems, and even the
size and structure of military forces. In 2025, Europe will account for roughly 6% of the
world’s population. Some predictions see the EU’s population peaking at 470 million in
2025 before beginning to decrease. The fertility rate in Europe is expected to average 1.5.
Long life expectancy will lead to 37.4% of the population to be aged from 65-79 years.
Demographic growth in the EU has been more a product of immigration than internal
dynamics.

Increase of world’s population: Demographers have predicted that the world population
may grow to 7.9 billion in 2025, and to about 9 or 10 billion by 2050. More than 95% of that
growth is expected to take place in developing countries. The context of this explosion may
well be a shortage of water, energy, and rabid industrialization, and the accompanying
intensification of efforts to secure these resources for the national interest. In 2030, more
than 60% of the world population will live in urbanized centres. Urbanisation will present a
number of challenges including environmental degradation, and the spread as well as
emergence of epidemic diseases.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 67

6.3.2.2 Poverty and Social Exclusion

As a consequence of the economic crisis we have seen unemployment rates growing in Europe
during the last years. Overall in Europe the unemployment rate has been around 9.5%. This
phenomenon is particularly alarming if considering that 5 million young individuals in Europe are
still unemployed (20% of the young labour market). The main consequences of this long-term trend
are declining wages, deprivation, income inequalities and rising poverty. Also the prolonged lack of
job determines exclusion from the labour market and society. “In 2009, 114 million Europeans were
at risk of poverty or social exclusion” (23% of the EU population). In addition, in some cases
poverty conditions could be determined by low wages. The phenomenon of material deprivation is
more typical of Eastern European countries. While exclusion from the labour market prevails in
Northern and Western Member States (European Union, 2010).

6.3.2.3 Active Ageing

During the last years the European Union has managed to successfully raise the employment rate
of older workers to about 50%. However, elderly people are expected to increase and also to live
longer in the future which will also put more pressure on the sustainability of the European Social
Model and national pension systems. Active policies are required to encourage older people to
work for a longer time (European Union, 2010).

6.3.2.4 Intra-EU mobility and enlargement impact

A total of 3.6 million individuals have moved to other European countries from the new Member
States. Some risks were expected in the receiving countries in terms of increased unemployment
rates as well as in the origin countries in view of the loss of workforce for example in research and
development. Despite this, the impact of this phenomenon seems to be limited, at least for the time
being (European Union, 2010).

6.4 Technological and environmental changes

6.4.1 Technology

From a technological viewpoint, cybercrime and cyber security are high on the agenda under
discussion in the EU. The EU may become a key target for cybercrime notably because of its
advanced internet infrastructure, widespread usage and increasingly internet-mediated economies
and payment systems. As a consequence of the pace and sophistication of technological
development, cybercrime is constantly evolving. New technology trends, such as the growth of
cloud computing and increased use of mobile devices, give rise to additional threats to users and
compound the challenges faced by law enforcement. The widespread usage of internet technology
in the EU has also prompted an unprecedented expansion in the markets for child abuse material
and intellectual property theft. The internet knows no boundaries, but jurisdiction for prosecuting
cybercrime still stops at national borders. Member States need to pool their efforts at EU level in
order to put in place a common response. This would also entail more extensive use of existing
68 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

capabilities of EU agencies. Cooperation with international partners will also reinforce the EU's
ability to tackle cybercrime.

In 2011 achievements have been made to prepare the ground for the European Cyber Crime
Centre as well as for supporting the Member States in setting up National/Governmental Computer
Emergency Response Teams. The EU/US working group on cyber has been successful in
delivering results, from cooperation on combating child pornography to joint exercises on how to
prevent cyber-attacks.

In following years, Internet identity theft will continue to rise as well as the use of the Internet as a
channel for organised crime. Web 2.0 principals are giving ePolitics more traction. Large numbers
are willing and be able to register their opinions almost instantaneously with very little effort.

The Internet is enabling better access to information, which can be accessed at any time, from
anywhere, by anybody. This transparency is empowering the consumer. It has also enabled the
rise of peer-to-peer (P2P) trading we are seeing at the present time, and increasing possibilities for
organised criminal activities.

Technology increases security risks, but it has always been important enabler. Especially, efficient
use of new energy sources is depend on available technological support and means.

Availability of new technology innovation is not enough. Efficient adaption of new technology
requires common rules and standards.

6.4.2 Environment

From the environment viewpoint we see three main trends:

Industrialisation and urbanisation: As industrialisation and urbanisation in developing

countries continue the emission of greenhouse gases and general pollution will increase,
contributing to global warming and a general deterioration in current ecological conditions.
The International Energy Agency expects the growth in energy consumption to accelerate
by 1.6% per year at least until 2030.

Temperature average rise: The most important environmental consequences for Europe
will be temperature rises – between 0.1 and 0.4 degrees Celsius per decade. Precipitation
is expected to increase in southern Europe and heat and cold waves will impact on existing
electricity supply and infrastructure. It seems unavoidable that Europe will face a more
polluted world in the future.

Global warming: The impact of global warming will be most severe in Africa and Asia.
Continuing industrialisation and urbanisation will be the main causes of environmental
degradation. Developments in the fields of science and technology will be most important
in information technology, nanotechnology, and biotechnology. Research and development
investments should be directed accordingly. Sustainability, or Green politics, has again
risen on the political agenda, driven by the global economic downturn. Green initiatives –
such as carbon footprint reduction and energy saving – are now being linked with plans to
combat the downturn (Atos Consulting, 2010).
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 69

Impact on public services. In some countries, the financial crisis has deteriorated the
quality of many public services offered to citizens as well as increased the unemployment
rate and threatened economic growth. In this context, the cost to follow environmental
friendly initiatives is raising and burdening companies. The debate now is how to recover
from this situation and who will bear the costs for bring back the present state to stable
conditions, i.e. reduce unemployment, increase innovation etc. (Balfour, Emmanouilidis, &
Zuleeg, 2010). This is even truer in the light of the fact that governments are having to pay
for stimulus packages to the economy and therefore having to shoulder increasing budget
deficits. The reaction to this is an increasing tendency towards cost reduction, and the
result will inevitably be lean government.

6.5 Changing values

Values of interest for the scope of this study are those related to the following aspects:

1. EU values;

2. Terrorism values and ideologies; and

3. Transparency and radicalization.

6.5.1 EU values

There is no central document for Human Rights and Democratic Values in the EU. A constant
series of cases in the 1970s and 1980s gradually built upon the idea that certain fundamental
rights existed. The EU constitution was to enshrine these rights into a codified document, but has
unfortunately been derailed. Nevertheless there are various documents that are pertinent in the
discussion of values and rights, including the following ones:

1. EU Charter of Fundamental Rights (2000) which updates the Convention of Human

Rights (1950). This was included as Part II of the EU constitution. The Charter combines
and declares EU values and fundamental rights. It brings such values to the fore and
clarifies them, but establishes nothing that was not already present in EU documents. It is
not a legally binding but a "political declaration"

2. Article 6 of the Treaty on European Union (TEU): First codified in the Maastricht Treaty
of 1991, it represents the most authoritative and clear statement of the constitutive liberal
values of the Western community: '1. The Union is founded on the principles of liberty,
democracy, respect for human rights and fundamental freedoms, and the rule of law,
principles which are common to the Member States.'

3. Article 49 of the TEU specifically linked membership with these values: the Copenhagen
criteria of enlargement agreed at the European council of June 1993, requires of
prospective members the stability of institutions guaranteeing democracy, the rule of law,
human rights and respect for and protection of minorities and 'the existence of a functioning
market economy.
70 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

From these documents, legal precedents, and realities of European culture, has emerged a set of
values some of which are set out at the beginning of the Treaty of Lisbon and include (Outcome of
the European Convention):

Human dignity.

Freedom.

Democracy.

Equality.

Rule of Law.

Respect for human rights.

Political values and rights:

Free speech

Separation of the Powers

Social values:

Equality and non-discrimination

Social security

Protection against corporate abuse

Other values deemed in high esteem by the European citizens are:

Respect for the environment

Protection of animal rights

A way to support these values is to promote social justice and protection, while simultaneously
fighting against social exclusion. The attractiveness of European values and ideological model is
unpredictable at the global scene, especially then, if European future is driven by national interest
of member states.

6.5.2 Terrorism – values and ideologies

Belief and ideologies related to terrorism and violent radicalization are not easy to categorize as
they can be the outcome of subjective interpretations of analysts. According to (Rapoport, 2004)
religion and political philosophies stand behind terror related ideologies. Examples from the past
show the influence of Anarchism to nationalism and Marxist ideologies, and aiming to increase the
self-determination and faith of followers Instrumentality plays an important role as it changes
ideologies and narratives according to evolving circumstances dictated by politics and conflicts
(both internally and externally to a country).
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 71

Literature identifies a total of 14 beliefs, ideologies and narratives that characterize terrorism.
These are the following (The Change Institute for the European Commission, 2008):

1. Marxism. Marxist ideology sees violence as the central means to achieve its ends. It is
often characterized by small groups that operate without a broad support and believing that
they are working towards an event that is inevitable and for which they are the most
prepared. Examples of groups affiliated with Marxism are the IRA, South American
revolutionaries, Baader-Meinhoff and Palestinian organizations.

2. Self-Determination or nationalism. Also in this case groups make use of violence as a

necessity in view of the lack of confidence in the state and its ability to serve the interests of
the group. Nationalism may be based upon territorial claims or even oppositional identifies
that are built upon selective interpretations of history.

3. Faith. In this category fall the abusive interpretations of religion. In these contexts, faith is
often combined with death and violence.

4. Collective identities. Groups’ identities have a central role in the development of

organizations or movements employing violence. Faith and ethnic identities also
characterize groups. Examples are: the Liberation Tigers of Tamil Eelam that supports the
Tamil diaspora and receives funding through criminal activity; the IRA that receive support
from a large part of the Irish population as well as from the US in the past.

5. Grievance and victim hood. Beliefs related to grievance and victimhood are developed
slowly over time and most of all as a consequence of the perception of economic, political
and cultural discrimination against a group of the population.

6. Events, individuals and martyrs. Events are used to develop the identity of the group and
its grievance.

7. Territory and self-determination. Territorial claims are often a central tenet of beliefs,
ideologies and narratives behind many violent radical groups. Claims of territories can also
be used as a tactical political approach to ensure the defence of cultural or religious
identities.

8. History. History is used not only to tell a past story but also to foresee the future. Past
events tell the evolution of things and may be used to strengthen the importance of a
particular belief or ideology.

9. Violence and radicalism. Some groups may see violence as a last resource, while others
see it as central, e.g. Baader-Meinhoff. The groups may use history and narratives to
promote the virtue of sacrifice and violence, and ultimately support political aims.

10. Duty and responsibility. Duty and responsibilities are highly necessary to ensure personal
motivations to violent actions of the groups’ members. These could be developed by using
narratives of individuals’ personal story or family experiences.

11. Social justice, empowerment and emancipation. Social justice sentiments are often
interrelated to grievance and victimhood sentiments. Empowerment and use of violence are
seen as dominant in contrast to non-violent approaches that are seen as failing.
72 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

12. Vanguard. The concept of vanguard is essential to bring a revolution or justify religious
ideologies. In the latter case, vanguard may manifest in the form of “chosen individuals”
working to God’s will.

13. Cultural participation and transmission. In this case, the group finds its cohesion
through participation and transmission of cultural, social and political values.

14. Martyrdom. Martyrdom and self-sacrifice are powerful actions that are used for narratives
influencing beliefs, ideologies of terrorists and suicide attacks. Historically, this concept is
predominantly adopted by religion, and claims that self-sacrifice is the most dramatic act to
gain redemption (after life) and purity.

Transparency and radicalization

Transparency of government is important for gaining trust as the citizen is empowered in a world
where people expect service-orientated government, focused on their needs. Accountability and
transparency are used synonymously with such concepts as enforcement, responsibility, liability,
and other terms associated with the expectation of account-giving. The public demand for
transparency and accountability is not confined just to politics and government. It is also
increasingly central in discussions related to problems in the administrative, managerial, marketing,
legal, professional, security, and moral arenas (Atos Consulting, 2010).

Turmoil in several Arabic countries has displayed a chain of action what can happen when new
values break through social media despite of the hostile measures of authoritarian regimes to
uphold censorship. Because corrupted regimes were totally unprepared, social dissatisfaction and
economic destitution was directed also towards radical ideologies and organizations that were
eager to present own alternative to uncontrolled situation.

6.6 Conclusions

In globalized world goods, people, information, energy and capital cross over international borders,
cultures, political systems and economic areas. The man-made processes and services direct
flows across between different nodes. Processes and services are mounted on the infrastructures
and platforms. Infrastructures and processes form networks where every node can be a part of
several other networks. Increased dependencies have made citizens and societies more
vulnerable to distant conflicts, fluctuations of prices, energy and transport disruptions and changes
in economic wealth of neighbouring countries and economic areas. The likelihood of harmful
events has not dramatically increased but their affects can now be perceived on wider geographic
areas and economic sectors. Under unfavourable conditions events can even cause significant
disruptions leading to loss of lives, major public disturbances or remarkable economic damages.
On the other words, impacts are critical for society.

The development has not been coincidental. Information technology has enabled to manage global
energy distribution and logistics networks. New energy technology has helped to exploit energy
sources that were found expensive or useless in the past. Political decisions have provided
adequate resources for research and education. International agreements have removed trade
barriers, established control measures and created a baseline for solving disagreements and
conflicts. Uneven distribution of economic welfare, social disparity and prevalent environmental
problems has diminished belief in political decision making as a tool to solve world problems.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 73

Changed values and beliefs have generated alternative movements against dominant economic
order e.g. Occupy Wall Street movement. Supply chain networks, information and energy
infrastructures are not develop randomly. Access to energy sources or raw materials is not self-
evident in the future. They are all dependent on political systems and decision making, values and
beliefs, economic and social development and emergence of technological innovations. The future
will be man-made.

European Union will face significant challenges during the next decades. Natural resources and
energy sources are used at increasing rates leading to increasing competition over resources such
as oil, water, energy, grain, and raw materials. New developing countries, global institutions (e.g.
Putin’s Eurasian Union), non-state actors (e.g. global private corporations and international
organized groups) increase competition on the international level. New technologies, such as cloud
computing and mobile devices, give rise to new forms of cyber threats. The complexity and
interdependences of critical infrastructure has generated systems that are increasingly less
predictable and controllable under crisis situations. There is evident need for new adaptive
systems, actions plans and international co-operation models. Solutions cannot be limited to
technology but also economic, political, social and human factors need to be addressed.
74 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

7 EU roles
7.1 Overview

Over the past decade, the EU has taken substantial steps to formulate integrated policies designed
to enhance protection of European Critical Infrastructure (ECI) and this way reduce their
vulnerability for a variety of threats including terrorism, criminal activities and natural disasters.

The most significant advancement on CIP matters has been the introduction of a legislative
framework named European Programme for Critical Infrastructure Protection (EPCIP). The
development of the framework was originally initiated in response to threat of terrorist attacks on
European Critical Infrastructure. Despite of the original focus on terrorism, EPCIP embraces an all-
hazards approach that covers also natural disasters together with intentional man-made hazards.

The EPCIP comprises following elements (EPCIP, 2007):

A procedure for identifying and designating European Critical Infrastructure and a common
approach to assessing the need to improve the protection of such infrastructure;

Measures designed to facilitate the implementation of EPCIP, including an EPCIP action

plan, the Critical Infrastructure Warning Information Network (CIWIN), the setting up of
Critical Infrastructure Protection (CIP) expert groups at EU level, CIP information sharing
processes, and the identification and analysis of interdependencies;

Support for EU countries regarding National Critical Infrastructures (NCIs) that may
optionally be used by a particular EU country, and contingency planning;

An external dimension; and

Accompanying financial measures, in particular the Specific EU Programme on

"Prevention, Preparedness and Consequence Management of Terrorism and other Security
Related Risks" for the period 2007-13, which will provide funding opportunities for CIP
related measures.

The EPCIP is an outcome of the following EU policy making procedure: In June 2004, the
European Council gave the initial impetus for European Critical Infrastructure Protection policy
development. Consequently, the Commission took the lead in preparing overall strategy on the
subject. Over the following years, the Commission published a set of green papers,
communications and legislative proposals that set the foundation for the European Programme for
Critical Infrastructure Protection (EPCIP). The EU policy making procedure culminated to the
Council directive 2008/114/EC “Identification and designation of European critical infrastructures
and the assessment the need to improve their protection” obliging the member states to identify
and designate European critical infrastructure in transport and energy sectors.

The Directive is based on the principle of all-hazards approach but with priority given to threat from
terrorism. It is to be implemented through a step-by-step, sector-based, approach with current
focus being on Transport and Energy. The ultimate responsibility for ECI protection lies with the
Member States and the infrastructure operators. The Directive defines Critical Infrastructure and
European Critical Infrastructure as follows:

‘Critical infrastructure’ means an asset, system or part thereof located in Member States which is
essential for the maintenance of vital societal functions, health, safety, security, economic or social
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 75

well-being of people, and the disruption or destruction of which would have a significant impact in a
Member State as a result of the failure to maintain those functions.

‘European critical infrastructure’ or ‘ECI’ means critical infra- structure located in Member States
the disruption or destruction of which would have a significant impact on at least two Member
States. The significance of the impact shall be assessed in terms of cross-cutting criteria. This
includes effects resulting from cross-sector dependencies on other types of infrastructure.
(Directive 2008/114/EC)

Figure 7. Timeline of EPCIP-related publications and laws.

The definitions refer to cross-sector and multi-country dependencies implying that Critical
Infrastructure Protection responsibilities fall on multiple industry sectors, all Member States and
countries beyond the EU borders.

The directive introduces a methodology how ECIs should be identified and designated by means of
a common procedure. The evaluation of security requirements for such infrastructures should be
done under a common minimum approach. Each Member State will identify potential ECIs which
both satisfy cross-cutting and sectorial criteria. The procedure is implemented by each Member
State according to the following steps:

Step 1: each Member State shall apply the sectorial criteria in order to make a first
selection of critical infrastructures within a sector.

Step 2: each Member State shall apply the definition of critical infrastructure to the potential
ECI identified under step 1.

Step 3: each Member State shall apply the trans boundary element of the definition of ECI
to the potential ECI.
76 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

Step 4: each Member State shall apply the cross-cutting criteria to the remaining potential
ECIs.

The European Commission has compiled an indicative list of critical infrastructure sectors implying
high relevance of Critical Infrastructure Protection for many functions of modern society (Table 2).

Table 2. EU defined Critical Infrastructure Sectors (European Commission, 2006).

Sector Product or service

I Energy 1 Oil and gas production, refining, treatment and storage,

including pipelines

2 Electricity generation

3 Transmission of electricity, gas and oil

4 Distribution of electricity, gas and oil

II Information, Communication 5 Information system and network protection

Technologies, ICT
6 Instrumentation, automation and control systems
(SCADA etc.)

7 Internet

8 Provision of fixed telecommunications

9 Provision of mobile telecommunications

10 Radio communication and navigation

11 Satellite communication

12 Broadcasting

III Water 13 Provision of drinking water

14 Control of water quality

15 Stemming and control of water quantity

IV Food 16 Provision of food and safeguarding food safety and

security

VI Financial 20 Payment services/payment structures (private)

21 Government financial assignment

VII Public & Legal Order and 22 Maintaining public & legal order, safety and security
Safety
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 77

23 Administration of justice and detention

VIII Civil administration 24 Government functions

25 Armed forces

26 Civil administration services

27 Emergency services

28 Postal and courier services

IX Transport 29 Road transport

30 Rail transport

31 Air traffic

32 Inland waterways transport

33 Ocean and short-sea shipping

X Chemical and nuclear 34 Production and storage/processing of chemical and

industry nuclear substances

35 Pipelines of dangerous goods (chemical substances)

XI Space and Research 36 Space

37 Research

Many other sector-specific EU policies and legislative frameworks endorse principles of security,
risk management, resiliency and preparedness and support therefore share the same goals with
the EPCIP policy. For example, following initiatives and pieces of EU legislation have some
elements of EPCIP embedded:

Regulation (EC) No 300/2008 on common rules in the field of civil aviation security

Directive 2005/65/EC on enhancing port security

Council Decision 2007/124/EC setting the Specific Programme "Prevention, Preparedness

and Consequence Management of Terrorism and other Security related risks".
78 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

Even though the EPCIP Directive is a significant milestone in current EU level legislation, it has
many gaps. The EPCIP framework includes much more elements that are currently covered by the
directive 2008/114/EC that remains the sole piece of EU level legislation on the topic.

Figure 8. Scope of EPCIP directive.

First of all, the scope of the directive is limited only to two sectors of critical infrastructure, i.e.
transport and energy, leaving nine of eleven critical infrastructure sectors unregulated (Table 2).
Secondly, as the Figure 8 suggests, the directive does not set requirements beyond the
identification and designation of critical infrastructure. The EPCIP directive does not address
techniques needed to assess threats and vulnerabilities, assess the need to protect and practical
measures to carry out protection. Some of the gaps in the current EU legislation may be filled in
the forthcoming years as a great deal of preparatory work is under progress, especially in the ICT
sector. When the EPCIP directive comes under review in January 2012, the scope of directive will
be most likely expanded to cover also the ICT sector. Altogether, further steps in the
implementation of EPCIP will have implications on multiple industry sectors and policy making
areas linked with the broad concept of European Critical Infrastructure Protection.

7.2 EU bodies associated with EPCIP

A multitude of EU bodies are involved with CIP matters. These bodies vary in terms of their role in
the EU policy-making procedure, scope of their activity and their position in relation to other EU
bodies, member states, foreign countries as well as owners and users of critical infrastructure.
Together these bodies constitute the institutional framework of EU that governs the European
Critical Infrastructure policy EPCIP.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 79

7.3 CIP-centric institutional framework in EU

Role of all EU bodies is closely linked with the EU policy making cycle that comprises of five
subsequent stages: agenda setting, policy development, legitimization, implementation /
enforcement and evaluation. While only the Council and the Parliament have power to pass laws,
normally most – if not all - EU agencies are involved to some extent with the policy development
stage.

EU bodies have different characteristics in terms of their relationships with other EU bodies, their
level of focus on the EPCIP policy, and the range of policies they manage. For instance, EU
agencies are standalone legal entities unlike majority of committees that are subordinate to the
four main political EU institutions. The degree of commitment between various EU bodies on
Critical Infrastructure Protection matters varies. DG ENERG (energy) is nowadays more focusing
to CIP issues than for example DG ENV (environment). The bodies may be involved with one or
more aspects of Critical Infrastructure Protection. EU agencies are focusing for example on critical
infrastructure in their narrow areas of specialty while the Commission DGs (departments), without
mentioning the Parliament and the Council, tackle the CIP problem more broadly, addressing
cross-sector and international dimensions of Critical Infrastructure Protection.

Figure 9 helps to understand characteristics of various bodies in the European institutional

framework.

Figure 9. Characteristics and roles of various bodies in the EU institutional framework.

The EU has many ways to implement its policies in its 27 Member States. The mandating
approach uses legislative instruments of the EU, regulations, directives and decisions, to force the
Member States to adopt EU policies and related laws. The EU can also apply voluntary approach
80 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

to promote union level policies on national level. The EU has a general non-binding EPCIP
framework which is complemented by a legally binding ECI-directive.

In the policy area of European Critical Infrastructure Protection, the role of the EU is to coordinate
CIP activities between the Member States. This is a crucial mission from the European Critical
Infrastructure standpoint because each member state governs Critical Infrastructure in their
territories. There are advanced programs and plans for protection of National Infrastructure in most
of the Member States. However, due to frictions in international cooperation and information
sharing the national programs do not always address, let alone solve, problems emerging from
interdependencies between national and foreign infrastructure. The EU’s EPCIP policy plays a
pivotal role in encouraging collaboration between the Member States. `

In modern European economies, majority of critical Infrastructure is owned and used by private
actors. This implies that successfulness of CIP policies depends heavily on participation and
commitment of the private sector parties. In many countries, national authorities have established
public-private partnership (PPP) models to facilitate implementation of CIP policies in practice. In
addition to voluntary public private collaboration models, governments typically impose binding
legislation on owners and operators of critical infrastructure.

The EU has published so far only one piece of binding legislation, the Council directive
2008/114/EC, on Critical Infrastructure Protection. Most of the requirements postulated in this
directive are addressed to the owners of the critical infrastructure in the member states.
Technically speaking, the directive does not set any legally binding requirements on critical
infrastructure in the member states per se. However, because the EU treaties oblige the member
states to adopt principles of EU directives to their national statuses, owners of critical infrastructure
are influenced by EU decisions via national legislation.

Figure 10. EU influences owners and users of critical infrastructure.

FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 81

The EU bodies engage owners and users of critical Infrastructure closely in the EU level
policy making process. The European Commission and its DGs (departments, or directorates
generals) consult interest groups including national authorities, industry associations and NGOs
during policy development process.

The Commission sustains also active dialog with relevant EU policy agencies such as EMSA
(maritime) and ENISA (information and data). The owners and the users of critical infrastructure
can also influence via many other channels.

Failures of critical infrastructure in non-EU member states could have significant impact on the
economic and societal well-being in the EU. For instance European gas and oil deliveries are
heavily dependent on the pipeline network that is to a great extent located outside of the EU
territory. For this reason foreign politics play a key role in the European Critical Infrastructure
Protection.

7.4 The four political EU institutions

The European Union is based on treaties that set the preconditions and constraints for the function
of the EU and its bodies. The treaties are the primary legislation for the EU and they are the basis
for the secondary EU legislation (directives, regulations and decisions) that has an impact on lives
of the European citizens (Europe, 2011). Technically everything the EU does must be derived from
these treaties. In these treaties the EU member states have transferred some of their sovereign
policy authority to the EU institutions in a range of policy-making areas. Many of these policy
areas, in particular the “Justice, freedom and security” policy, are strongly associated with Critical
Infrastructure Protection.

The formal decision making power in the EU is in the hands of the four political institutions2: the
Council of the European Union, The European Parliament, the European Commission and
the European Council. The latter one, The European Council, involving the heads of member
states, sets the agenda for the EU policy making but the body is not empowered to pass laws. The
actual law-making process is the responsibility of the institutional triangle of the EU comprising of
the European Commission (the Commission), the European Parliament and the Council of the
European Union (the Council). The Commission has the right for initiative that empowers it to
prepare and submit proposals of legislation to the Council and the European Parliament. The
Council and the European Parliament share the power to pass binding EU legislation in forms of
directives, regulations and decisions. The legitimatization of EU policies is known as the “Ordinary
legislative procedure” (formerly known as the co-decision). Typically a regulatory proposal goes
through multiple reviews and amendments before both the European Parliament and the Council of
the European Union are satisfied to pass the law.

2 There are also a group of “non-political” EU institutions that have important role in EU institutional
framework e.g. Court of Justice, Court of Auditors, European Economic and Social Committees.
82 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

Table 3. The four political EU institutions.

Entity Role Policy Domain

The European Council (the Sets directions for EU level policy-making. All EU policy areas
Council) Does not have legitimacy to pass laws.

The European Parliament Adopts laws together with the Council of the All EU policy areas
European Union
The Council of the Adopts laws together with the European All EU policy areas
European Union (the Parliament. Sets outlines for Common foreign
Council) and security policy
The European Commission Policy development, proposition of laws, All EU policy areas
(the Commission) implementation, enforcement

The four main EU institutions are supported by a large number of commissions, agencies,
secretariats and expert groups at all stages of the EU policy making process. These supportive
EU bodies do not have supreme authority in the EU policy-making procedure but they nevertheless
play a pivotal role in formulation, implementation and evaluation of EU policies. These bodies are
typically made up of civil servants, technical experts and representatives of interest parties that
have skills and knowledge to deal with technical, legal, and administrative tasks.

The European Commission is divided into 33 directorates-generals (DGs) and 11 services3 that
have specific functions and police areas to manage. Many DGs are involved with the EPCIP, Table
4 below presenting the most relevant ones. In the policy development process the DGs of the
Commission consult actively various committees of experts before drawing up draft legislation.
Currently, the Commission employs around 60 advisory committees covering all policy areas,
though around half of them deal with agriculture issues.

Table 4. DGs that are strongly associated with EPCIP matters.

Directorate-general (DG) CIP related policy area Recent activities

on CIP
Energy (ENERG) Energy DG ENERG has
recently set up
Thematic Network
on Critical Energy
Infrastructure
Protection
(TNCEIP) that
facilitates
communication and
best practice of
critical energy
infrastructure
operators from
electricity, gas, and

3 http://ec.europa.eu/about/ds_en.htm
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 83

oil sectors at the

European level
Enterprise and Industry Involved with policy making in a range of -
(ENTR) industries that many of them have been
classified as Critical Infrastructure Sectors
(e.g. chemical industry)
Foreign Policy Instruments Manages foreign policy issues within the External
Service (EEAS) mandate of the Commission relationships
Health and Consumers Provision of food, food safety -
(SANCO)
Home Affairs (HOME) Internal security Strategy, Police Cooperation, The DG HOME is
Organized crime, Crisis and Terrorism, the engine for
International Affairs preparation of ECIP
policies
Joint Research Centre Research activities on CIP Projects on a wide
(JRC) range of CIP topics.
Focused on ICT
infrastructure.
Maritime Affairs and Port, maritime traffic control systems and ship -
Fisheries (MARE)
Mobility and Transport Active work on improving CIP in the transport -
(MOVE) domain
Regional Policy (REGIO) Overall economic performance of EU -

754 Members of the European Parliament (MEPs), elected by citizens of the EU member states,
have the decision making power in the European Parliament. Most of the MEPs are organized
according their political affiliation into political groups (currently the Parliament has seven political
parties). Each MEP has a vote in the General Assembly session where official decisions of the
Parliament are done. However, the MEPs prepare legislation in the Parliamentary Committees
which work is supported by a variety of legal, technical, administrative and scientific expert
groups, working parties and task forces. Both Parliamentary committees and their supporting
bodies have critical roles in the Parliament decision making. The most important Parliamentary
standing committees (referring to permanent committee that meets on a regular basis) for the
Critical Infrastructure Protection are the commissions of “Security and Defence”, “Industry,
Research and Energy”, “Transport and Tourism” and “Civil Liberties, Justice and Home Affairs”.

The work and tasks of the Council of the European Union is prepared by the Committee of
Permanent Representatives (COREPER) comprising of high rank civil servant representatives of
the Member States. The COREPER oversees and coordinates activity of around 250 Council
Committees and working parties focusing on scrutinizing technical details of law proposals.

Standing Committee on Operational Cooperation on Internal Security (COSI) is one of the

most important Council Committees with respect to European Critical Infrastructure Protection. The
COSI was established in February 2011 on the basis of the Lisbon Treaty Provision. The purpose
of the COSI is to facilitate operational cooperation between Member States’ authorities responsible
for internal security. The committee is empowered to coordinate the activities of the national
police, customs and civil protection authorities, external border protection authorities, and in some
circumstances judiciary bodies linked to internal security. COSI is responsible for identifying
84 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

shortcomings and making recommendations of EU’s internal security policies. The COSI will also
assist the Council in applying the solidarity clause, which compels the Member States to
collaborate in the event of a natural disaster or a terrorist attack in any other Member State. The
COSI also shares responsible for developing, monitoring and implementing EU’s internal Security
Strategy (ISS) with the Commission. The committee is made up of representatives from the
Member States.

To summarize, COSI has the following responsibilities:

to facilitate and ensure effective operational cooperation and coordination in the field of EU
internal security;

to evaluate the general direction and efficiency of operational cooperation; and

to assist the Council in reacting to terrorist attacks or other man-made or natural disasters.

7.5 EU policy agencies

In addition to the wide range of committees, working parties and experts groups, the EU policy
making process is supported by 24 EU policy agencies. These agencies are separate bodies
from the four political EU institutions. The agencies take part in policy formulation, implementation
and enforcement of EU laws and support the EU policy making process by conducting tasks that
require profound understanding on technical and legal issues. The EU agencies are involved in
many ways in the EPCIP. Typically, the role of the EU agencies in the critical infrastructure
protection is to support adoption of common standards in their industry in terms of safety, security,
and efficiency. They also monitor implementation of the EU policies in their respective policy areas.

Table 5. Most relevant EU agencies dealing with CIP.

Name of the agency CIP related policy area Recent activities

on CIP
European Network and ICT Development of
Information Security European-level
Agency (ENISA) cyber security
programs and
Critical
Information
Infrastructure
Protection (CIIP)
policies.
European Aviation Civil aviation Security
Safety Agency (EASA) improvements
regarding
European civil air
traffic control
systems and
airports.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 85

European Maritime Maritime transport -

Safety Agency (EMSA)
European Railway Railways -
Agency (ERA)

There are also executive agencies that are set up to support implementation of one or more EU
policies over a fixed period. From the CIP standpoint, the Trans-European Transport Network
Executive Agency (TEN-TEA) is the most relevant. The agency aims to facilitate interoperability
and collaboration of the transport systems between the Member States. The Research Executive
Agency (REA) is supporting and coordinating research activities in the EU in multiple areas
including security.

Finally, the EU has set up a set of agencies on police and judicial cooperation on criminal
matters. The role of the European Police Office (EUROPOL) is to facilitate cooperation between
EU law enforcement authorities. EUROPOL coordinates operational activities and information
sharing between national law enforcement forces.

7.6 Bodies associated with EU

There are numerous other non-EU agencies that have close relationships with the EU bodies. In
many cases these non-EU agencies are dependent on the EU in terms of funding, services or
expertise. European police collaboration agencies are good examples of such self-governing
bodies that have close relationships with the EU. The European Networks of Railway Police
(RAILPOL), Traffic Police (TISPOL) and Water police (AQUAPOL) get a substantial share of their
funding from the EU Commission, majority of their members come from EU member states and
their activity is aligned to support policies of the EU, the Internal Security Strategy in particular.
These police organizations coordinate collaboration of the national police forces of their member
countries in their respective sectors, RAILPOL in the rail transport, TISPOL in the road transport
and the AQUAPOL in the maritime and inland navigation domains.

7.7 EU bodies conducting foreign policy

The European External Action Service (EEAS) is the front institution of the EU’s foreign affairs.
The institution supports the EU High Representative (sometimes informally titled “EU foreign
minister”) to conduct the Common Foreign and Security Policy (CFSP), closely related the
Common Security and Defense Policy (CSDP).

The Council forms the outlines for these both central EU-level foreign policies according the
political agenda set by the European Council. The Commission’s Foreign Policy Instrument
Service manages the foreign policy areas that remain outside the mandate of the EEAS. The most
relevant EU bodies involved with the foreign politics are presented in Table 6.

The Joint European Union Situation Centre (SitCen) is an ‘intelligence body’ of the European
Union. It monitors the international security situation and assesses terrorist threats to the EU. It
functions under the authority of the EU’s High Representative Ms. Catherine Ashton, becoming
86 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

part of the European External Action Service (EEAS) on 1 December 2010. The SitCen has
following functions:

SitCen monitors world events on a 24-h basis and produces daily press summaries. It alerts
the appropriate people in case of major events, while serving as the point of contact for
monitoring of developments in times of crisis.

It drafts and circulates official SitCen reports, which are available to all 27 EU countries via
the Political and Security Committee (PSC) in Brussels. These reports serve as a basis for
discussion, exchange of views and decision between the representatives of the PSC as
well as the working groups dealing with security related issues, such as the Terrorism
Working Group (TWG), CivCom, Military Committee, Politico-Military Group etc. The
reports also contribute to the further development of counterterrorist measures within the
EU and provide a basis for political recommendations.

SitCen maintains regular contact with national security services of its Member States, as
well as the EU Common Security and Defence Policy (CSDP) crisis management missions
and personnel deployed, and initiates immediate actions in response to serious incidents
involving the CSDP missions.

SitCen operates the COREU system used by Member States to circulate non-public EU
documents as well as the New Communications Network, which handles links with EU
delegations abroad.

It uses images from EU Member States’ satellites, namely France's Helios and Pleiades
systems, Germany's SAR-Lupe and Italy's Cosmo-SkyMed, on top of existing data from
US-owned commercial satellites.

SitCen also accompanies the High Representative, EU Special Representatives and other
high EU officials when travelling.

It also assists in the coordination between Member States in consular assistance during
crises which affect citizens of multiple EU Member States (e.g. Libya, Egypt, Haiti, and
Iceland’s volcanic ash cloud).

Table 6. Primary EU bodies engaged with the foreign affairs.

Entity Type of organization Brief description of role

The European External EU institution Helps the High Representative of the
Action Service (EEAS) Union for Foreign affairs and security
policy to conduct EU Common foreign
and security policy (CFSP) and
Common Security and Defence Policy
Foreign Policy Commission DG
Instruments Service
The Joint European Intelligence agency under Monitors the international security
Union Situation Centre the control of European situation and assesses terrorist
(SitCen) External Action Service threats to the EU.
(EEAS) and the High
Presentative of the EU
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 87

European Defense Common Security and Improve the EU's defence capabilities
Agency (EDA) Defence Policy agency especially in the field of crisis
management
European Institute for EU agency Develops the CFSP, especially by
Security Studies (ISS) providing analyses and
recommendations for the policy

7.8 Petersberg tasks and CIP, SCS and security of supply

A wide catalogue of political, diplomatic, coercive, civilian and financial foreign policy instruments
give a great flexibility to the EU to select the most suitable means to manage international crises.
Possible security missions, with recourse to different kinds of capabilities, that the
European Union is authorized to perform outside its own territory are described in the
“Petersberg tasks”. This is addressed in detail in FOCUS Work Package 6 and the related
problem space description in Deliverable 6.1.

The first series of Petersberg tasks were adopted in the Ministerial Council of the Western
European Union (WEU) meeting in 1992. They introduced three types of civil-military approaches
for crisis management: humanitarian and rescue tasks, peacekeeping tasks and tasks of
combat forces in crisis management, including peace-making.4 The tasks were included in the
legal framework of the the European Union in the Treaty of the European Union (TEU) in 1997. In
2003, the European Security Strategy presented a set of general guidelines for practical
application of the Petersberg tasks as a part of the Common Foreign and Security Policy (CFSP)
and the Common Security and Defence Policy (CSDP). Later the Lisbon Treaty updated the
Petersberg tasks by adding three new types of civil-military missions: joint disarmament
operations, military advice and assistance tasks and post conflict stabilization tasks.

The Lisbon Treaty and especially the extended list of Petersberg tasks enable the EU to protect its
interests internationally also in the fields of supply chain security, critical infrastructure protection
and critical supply protection. Interestingly, the Lisbon Trety also states “[…] All these tasks
[referring to the updated catalogue of the Petersberg tasks] may contribute to the fight against
terrorism, including by supporting third countries in combating terrorism in their territories”. The
clause theoretically allows the EU to launch missions to combat terrorism in third countries but
does not state whether these actions could be initiated only reactively in the face of imminent
terrorist threat or also in a proactive manner.

The Petersberg tasks allow the EU to take necessary actions to secure international trade flows.
For example the EU NAVFOR Somalia - operation ATALANTA is a good example of a mission that
among other tasks contributes to security of European merchant vessels in the international
waters. Dual-use capabilities can be used to protect EU critical infrastructure in third
countries, especially from a terrorist threat. In principle, the EU could also use military power to
secure undisrupted supply of critical resources to its territory. The EU has carried out two
military and three civil missions in the Democratic Republic of the Congo (DRC) where the
stabilization of the country, by means of peace-keeping, promotion of democracy and
establishment of functioning governmental institutes, has been undeniably the main goal. However,

4 Western European Union, Petersberg Declaration, Bonn, 19 June 1992.

88 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

the position of the DRC as an important supplier of several vital minerals for the EU economy, such
as coltan and cobalt, could be understood as a partial explanation for the EU’s active presence in
the DRC.

7.9 Decision making preceding crisis management action

The EU has a formal procedure in place to plan and launch its crisis management missions.
According to a report “Handbook on the Common Security and Defence Policy of the European
Union” published by the Directorate for Security Policy of the Federal Ministry of Defence and
Sports of the Republic of Austria5, the procedure has six phases. In the first routine phase, the
Political and Security Committee (PSC) monitors development of the world affairs with the
support of geographic and thematic working groups and the European External Action Service. In
the second phase, a crisis builds up and the Political and Security Committee formulates a
Crisis Management Concept (CMC) that outlines strategic policy options to respond to the crisis
and declares EU’s political interests and objectives related to the crisis management activities. In
the third phase, the Political and Security Committee passes the Crisis Management
Concept to the Council which adopts the document and assigns appropriate Council
Committees to develop strategic options further. At this stage, the EU Military Committee
(EUMC) takes typically the lead in the preparation of strategic military responses while the
Committee for Civilian Aspects on Crisis Management (CIVCOM) takes over the development of
strategic civilian crisis management options. In the fourth phase, the Council makes a formal
decions to act and initiates the development of the Concepts of Operations (CONOPS) and the
Operation Plan (OPLAN) planning documents. The Concepts of Operations document sketches
blueprints for implementation of the operation while the latter Operation Plan elaborates in detail
how the operation is going to be organized. The fifth implementation phase follows the approval
of the two planning documents. The Political Security Committee monitors the operation
continuously during its implementation phase. In the sixth and final phase the Council makes a
decision to refocus or terminate the operation.

The main decisions in the EU crisis management process are:

1. Decisions that EU action is appropriate (Political and Security Committee)

2. Approval of the Crisis Management Concept (Council)

3. Decision to take action (Council)

4. Approval of the Concepts of Operations (Council)

5. Approval of the Operations Plan (Council)

The Council is the main decision making body in the decision making process by having the
ultimate power to approve plans and launch missions. However, the Political and Security
Committee wields a great power as a monitoring and preparatory body. The Political and
Security Committee gives the initial impetus for EU crisis management activities by lifting the topic

5 Directorate for Security Policy of the Federal Ministry of Defence and Sports of the Republic of Austria,
Handbook on the Common Security and Defence Policy of the European Union, Vienna, Austria, 2010
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 89

on the Council’s agenda. It should be also remembered that the EU’s decisions to launch crisis
management operations are in many cases preceded by resolutions of the United Nations Security
Council. The figure summaries the formal decision making process in the EU on crisis
management matters.

Figure 11. EU crisis management decision making process. Source6.

Sometimes a crisis escalates rapidly leaving no time for the formal decision making procedure.
Like the table below suggests, this has often been the reality in the EU. The Council has many
times neglected stages in the formal decision making process in order to compress time
between the Political and Security Committee’s initial notification and the launch of a
mission. The table shows that the EU spent 10 months to go through the formal decision making
process and start the ACEH monitoring mission in Indonesia. In contrast, the operation Artemis in
the Democratic Republic of the Congo was launched only in three weeks. Obviously, the significant
time reduction was achieved by bypassing many stages in the formal decision making process.

6 Directorate for Security Policy of the Federal Ministry of Defence and Sports of the Republic of Austria,
Handbook on the Common Security and Defence Policy of the European Union, Vienna, Austria, 2010
90 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

Table 7. Examples of practical decision making process in EU crisis management. Source7.

7.9.1 Dual-use capabilities of the EU8

The EU has been active on building up necessary capabilities to perform all the Petersberg tasks
and other tasks described in the Lisbon Treaty. Related dual-use capabilities are of relevance for
FOCUS. The progress has been satisfying according to the final conclusion of the Council’s
Progress Catalogue 2007: “The EU […] has the capability to conduct the full spectrum of
military CSDP operations within the parameters of the Strategic Planning Assumptions, with
different levels of operational risk arising from the identified shortfalls”9. The EU’s track record of
more than twenty successful civilian and military operations lends support to this view.

The EU has relied on ad hoc force generation in its previous military operations. This means
in practice that EU forces for each mission have been assembled from voluntary troop
contributions of EU member states and some non-EU countries. Even though national militaries
are the main pool of forces for the EU, there certain European multinational forces that could be
deployed in EU military operations.

Since 1 January 2007, the Council of European Union has had fully operational rapid response
forces, EU Battle groups, under its direct control. The EU battle groups consist of approximately
1500 troops capable of starting a mission autonomously in the target location within 5 – 10 days
following a decision of the Council. Two individual battle groups are always on standby giving the

7 Directorate for Security Policy of the Federal Ministry of Defence and Sports of the Republic of Austria,
Handbook on the Common Security and Defence Policy of the European Union, Vienna, Austria, 2010
8 European Security and Defense Assembly - Assembly of the Western European Union. Document
A/2100. The Common Security and Defense Policy: the next steps – reply to the annual report of the
Council, 9 May 2011, available at http://www.assembly-weu.org/en/2100.pdf
9 http://www.consilium.europa.eu/eeas/security-defence/capabilities/military-capabilities?lang=en
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 91

Council the power to launch two single military operations simultaneously. So far, EU battle
groups have not participated in military operations.

Eurocorps is a European main multinational standing army governed by its framework nations
Belgium, France, Germany, Luxembourg and Spain. The Eurocorps consists of 60 000 troops
rapid response troops that can be made available for the EU or NATO on request.

Euromarfor, the European Maritime Force, is a European multinational naval force that can be
formed at five days notice to be deployed in a mission of the EU or NATO. The force comprises of
naval units of its four member states France, Italy, Portugal and Spain.

Eurofor, the European Rapid Reaction Force, are composed of land forces of its member states
France, Italy, Portugal and Spain. Eurofor forces can be formed in short notice to perform military
operations for the EU and NATO. In 2011, Eurofor forces will act as one of the EU’s battle groups.

7.10 EU foreign policy in practice

The European Foreign and Security Policy (CFSP) is described as a “soft instrument” of foreign
politics. It uses diplomacy and when necessary appropriate trade, development aid and
peacekeeping measures to resolve conflicts, to support international understanding and to guard
EU interests in international political arenas. The EU treaties enable the EU institutions also to use
a range of sanctions or restrictive measures as part of the Common and Foreign Security Policy.
These measures can be imposed on third countries, individuals and non-state actors such as
terrorist networks in order to influence their policies and activities that violate international law,
human rights and/or pose a threat to the EU society.

According to the list provided by the European Commission (2008), the EU can apply at least
following restrictive measures and sanctions when implementing its foreign policy10:

Diplomatic sanctions (expulsion of diplomats, severing of diplomatic ties, suspension of

official visits);

Suspension of cooperation with a third country;

Boycotts of sport or cultural events;

Trade sanctions (general or specific trade sanctions, arms embargoes);

Financial sanctions (freezing of funds or economic resources, prohibition on financial

transactions, restrictions on export credits or investment);

Flight bans; and

Restrictions on admission

10 Precise guidance how to impose these restrictions is explained in the ”Guidelines on Implementation
and Evaluation of Restrictive Measures (Sanctions) in the Framework of the EU Common Foreign and
Security Policy” document published in 2005.
92 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

The EU has been taking more active role in the global politics over the past few years as a result of
reformulated Common Security and Defence Policy (CSDP). In addition to diplomacy, the EU has
applied especially arms embargoes, economic and financial restrictions and restrictions on
admissions as restrictive measures of foreign policy implementation. Following table (adapted from
Emerson et. al 2011) reveals roles of the EU and the member states in international political
arenas that have close links with the CIP and SCS policy areas.

Table 8. Role of EU and member states in international political arenas (adapted from Emerson et. al 2011).

Policy area International Role of the EU and member states (MS)

organization /
convention
Foreign, security and UN General Assembly EU observer; MS members
defence policies UN Security Council 2 permanent MS + 2-3 rotating
OSCE EU observer, MS members
NATO 24 MS
Non-Proliferation MS
Treaty EU observer, MS members
Council of Europe EU participant, some MS
G7/8/20
Freedom, security and International Court of -
justice Justice (ICJ) EU observer; MS state parties
International Criminal MS, and in future EU, parties
Court (ICC) EU observer; MS members
European Convention MS parties, EU plans to accede
of Human Rights EU & MS contracting parties
UN High Commission EU & MS contracting parties
for Refugees
Geneva Convention on
Status of Refugees
UN Convention Against
Illicit Traffic of Drugs
UN Convention Against
Transnational Crime
Transport International Civil EU observer, MS members
Aviation Organisation EU observer, MS members
(ICAO) EU & 21 MS members
International Maritime
Organisation (IMO)
Eurocontrol
Energy International Atomic EU observer, MS members
Energy Agency (IAEA) EU participates; 17 MS members
International Energy EU and MS members
Agency (IEA)
Energy Charter Treaty
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 93

7.11 Supply chain security related EU administrations

According to FP7-project LOGSEC, following twelve EU administrations have vested interests in

the security of the supply chain.

DG MOVE, with their focus on transport security, including maritime, aviation and road transport
modes; specifically: ship and port facility security regulation (EC 725/2004) and Directive
(2005/65/EC) 27 ; Council Directive 2008/114/EC of 8 December 2008 on the identification and
designation of European critical infrastructures and the assessment of the need to improve their
protection; the Known Consignors and Regulated Agents principles contained in Regulation (EC)
No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in
the field of civil aviation security and repealing Regulation (EC) No 2320/2002; secure parking
areas as suggested by Directive 2008/96/EC of the European Parliament and of the Council of 19
November 2008 on road infrastructure safety management, etc.

DG TAXUD, with their focus on trade compliance and supply chain security issues; specifically:
Safety and Security Amendment’ to the Community Customs Code (Regulations 648/2005 and
1875/2006) containing the principles for advance security filing Export Control System / Import
Control System (ECS/ICS); and the European Union Authorized Economic Operator (EU AEO);
Risk Management Framework; etc.

DG HOME, with their focus on fight against terrorism and organised crime; specifically: stricter
rules against illicit trafficking of firearms, as well as the revision of the present legislation on fighting
against trafficking in human beings; the fight against terrorism and the Internal Security Strategy,
strictly linked to the broader European Security Strategy; cooperation in law enforcement, border
management, civil protection, and disaster management; etc.

DG JUSTICE, with their focus on the fundamental objective of the EU to offer its citizens an area of
freedom, security and justice without internal borders; specifically: judicial cooperation in civil and
criminal matters; drugs policy coordination; contract law and consumer rights; and data protection;
etc.

EUROPOL, with their focus on improving the effectiveness and co–operation of the competent
authorities in the Member States in preventing and combating terrorism, unlawful drug trafficking
and other serious forms of organised crime.

FRONTEX, with their focus on border security and prevention of organized immigration crime, and
human trafficking.

OLAF, with their focus on protecting the financial interests of the Community; specifically: activities
concerning the detection and monitoring of fraud in the customs field, misappropriation of subsidies
and tax evasion, insofar as the Community budget is affected by it, as well as the fight against
corruption and any other illegal activity harmful to the financial interests of the Community.

EUROJUST, with their judicial focus to help to provide safety within an area of freedom, security
and justice.

DG TRADE, with the focus on enforcement of UNCR 1540, as adopted with COUNCIL
REGULATION (EC) No 428/2009 of 5TH May 2009 setting up a Community regime for the control
94 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

of exports, transfer, brokering and transit of dual-use items, which is addressing the issue of the
proliferation of weapons of mass destruction.

DG ENTR, with their focus on facilitating security research and development, including the
Framework Programme 7 (FP7) activities, as well as their laudable effort in conjunction with DG
TRADE on the enforcement of UNCR 1540 (see above).

DG INFSO, with their focus on information and data security.

JRC, with their focus on executing security research and development works.

7.12 Critical supplies EU level trade agreements

Global level negotiations followed by the EU and relevant for critical supplies are specified by the
World Trade Organization in the “Doha Development Agenda”. Specifically, the focus of the
agenda is given by three main topics (EU & WTO, u.d.):

Reforming agricultural subsidies;

Improving the access to global markets; and

Ensuring that new liberalisation in the global economy respects the need for sustainable
economic growth in developing countries.

In addition, the EU is also developing their own trade policies and trade agreements with countries
and regions all over the world. A detailed list of countries, regions and related agreements is made
available by (DG-TRADE). In general, Free Trade Agreements are negotiated by the EU by
following the guidelines set by the WTO. This is also stated in (European Commission, 2011):

“The EU trade strategy for raw materials must be sensitive and flexible enough. Since the real
trade takes place on the bi-lateral, individual member state basis, mostly, it is even more difficult to
have a single EU trade policy. Apparently, nothing too much can be expected from the WTO,
although the mutually agreed rules should be observed in the process of building credibility.”

These are always beneficial for both the parties, and from the EU perspective the main objectives
consist of (European Commission):

Open new opportunities for trading goods and services.

Increase investments opportunities.

Reduce customs duties and facilitate transit.

Set common rules about technical and sanitary standards.

Facilitate the understanding of policies, i.e. intellectual property rights, competition rules
etc.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 95

8 Identification of exogenous threats/challenges

8.1 Critical Infrastructure

Threats on the Critical Infrastructure could be of various nature, accidental or (man-made)

intentional. Possible accidental threats determined by natural events have been summarized from
the VITA taxonomy:

1. Threat on Earth: This is a natural threat related to the earth that arises as a result of
earthquake, landslide, volcanic eruption, and slow natural process.

2. Threat on Air: This is a natural threat on air that occurs due to hurricane, storm surges, hot
wind, fire induced storm, cyclone/tornado, material movement such as sandstorm, dust storm,
snow dunes etc. consequence of no wind power, and temperature such as cold wave and heat
wave.

3. Threat on Water: This is a natural threat related to water that arises as a result of snow (such
as slipperiness, obstruction by piling-up/snow dunes, static force (weight and pressure) of piling up,
blizzard, and dynamic force of moving snow such as avalanche), hail (such as slipperiness, static
force (weight and pressure) of piling up and dynamic force of impact), ice, ice rain, black ice (such
as static force, obstruction, slipperiness), static pressure of water that works against the
construction of dam, dike etc. dynamic pressure of water that brings erosion/grinding and tidal
waves, thermal water, and fog/moisture.

4. Threat on Space: This is a natural threat related to space that arises as a result of meteorite
impact and comet shock-wave/collision.

5. Threat of natural radiation/natural EM-effects “ether”: This is a natural threat that occurs due
to electro-magnetic/geomagnetic storm, thunderstorm, ultra-violet radiation, sudden earth-magnetic
change, and high energy particles such as cosmic radiation.

6. Threat of Fire: This is a natural threat that occurs due to smoke that creates bad visibility,
breath problem, toxic cloud etc., fire induced storms, and physical disintegration such as melting,
overheated and material destruction.

7. Biological Threat: This is a natural threat that can arise from vegetation and forest, bacteria
(animal/human epidemic disease, vegetation disease/disaster), virus, fungi, and animals.

8. Ecological Threat: This is a human induced threat that arises from the toxic abundance,
corrosive/flammable/explosive material spill, deficiency, and biological contamination in the soil, air
quality/ air pollution due to visibility inhibitors/aerosols, air pollution/particles, toxic substances,
reactive substances, explosive gas concentration, nuclear pollution, biological contamination etc,
water quality/water pollution due to water pollution/particles, toxic substances, reactive substances,
nuclear pollution, biological contamination, too high water temperature etc, and composition
change in the troposphere.

9. Incorrect produce/ products quality Threat: This is a human induced threat that arises from
contamination of crop, food, chemicals, lubricants, wrong parts etc, overdose/under dose/wrong
size, wrong temperature/humidity control, carcinomic content, shortage, safety breach, human
factors, technical fail factors, and insufficient quality control.
96 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

10. Economic/Political Threat: This is a human induced threat that arises in the sectors by bad
image of the sector, strike/labour unrest, bankruptcy etc. in the society by civil
disorder/riots/insurrections, migration of people, psychological threat, stock up goods/products,
state of terror, state of war etc. and in the economy by large scale counterfeiting, instable
economy/banking system, monetary policy change, inappropriate or lacking laws and regulations,
politically unacceptable technical solution, relocation of critical services, nationalisation of key
assets, and disruption of base material flow.

11. Person(s) Threat: This is a human induced threat that arises due to insufficient training, low
attention level, lapses in attention, epidemic illness, staff turnover (too fast), mismanagement,
human error, psycho-physical and physical affecting.

12. Technical Threat: This is a human induced threat that arises from static and dynamic force,
non-natural fire, electromagnetic, hardware, and information and communication technologies.

13. Lack of critical service Threat: This is a human induced threat that arises from failed
distribution, failed transport and filed generation in the energy sector, failed fixed infrastructure,
failed mobile telecommunication, failed satellite services, and failed postal and courier services in
the telecommunication sector etc. This threat also occurs in the information technology sector, food
sector, transport sector, drinking water, government services, public security and safety sector,
health sector, financial sector (bank, insurances etc.), justice, social security system, special
industry (chemical, defence etc.), collateral damage etc.

8.2 ICT Cyber Security

Nowadays, Internet appears to be an indispensable part of EU citizen everyday life. According to

recent CISCO statistical data (CISCO, 2011) more than 90 per cent of the Internet users do not
see their life without WWW technologies. At the same time, most of them use also mobile
technologies for accessing the global network. There are already more than 2 billion aggregated
(static and mobile) users. Thus, the new technologies are practically changing our priorities and life
in the new information century (Ackerman & Guizzo, 2011).

This situation generates a dual problem of usefulness of IT that at the same time opens the
problems of cyber security and the need to cope with resulting cyber risks.

By 2010 this topic became vast and of increasing importance to be officially placed in the new
Digital Agenda for Europe – DAE (Digital Agenda for Europe, 2010). DAE was followed by initiation
of a number of joint initiatives with the industry, transatlantic cooperation, e.g. between ENISA and
the NATO Cyber Defence Policy, with the BRICS countries, the EU Future Internet Assembly (FIA)
and Building International Cooperation for Trustworthy ICT: Security, Privacy and Trust in Global
Networks & Services.11

WWW-related FIA efforts already address problems like volume and nature of data, mobile
devices, physical objects on the net, commercial services and societal expectations. Apart of this,
the technological influence has produced a number of social phenomena like social revolutions
attributed to WikiLeaks and Facebook. These developments have already attracted the attention

11 Detailed information on these and other related initiatives is available at European Future Internet Portal,
www.future-internet.eu , and www.bic-trust.eu .
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 97

and are being addressed not only by technologists, but also by policy and NGO communities (cf.
Buckland, Schreier & Winkler, 2010; Ghannam, 2011; Schreier, Weekes & Winkler, 2011).

Regarding cyber threats per se, two official documents have been published recently by Sophos
(Sophos Security Threat Report, 2011) and Symantec (Symantec Internet Security Threat Report,
2011). These reports identify some common threats for 2010 and 2011 that will continue to have a
major impact in the future. Among them are social networks, mobile internet access, malware,
additionally accentuating Stuxnet worm and role of insiders, both important for SCADA
(Supervisory Control and Data Acquisition) production systems and thus for Critical Infrastructure
Protection, and zero-day threats, i.e. threats of software bugs (intentional and non-intentional).

Taking into account the dynamics of cyber environment and the abundant flow of information, the
cyber security research community in Europe was successfully was around the SySSec European
Network of Excellence in Managing Threats and Vulnerabilities in the Future Internet: Europe for
the World (SysSec, 2012). Several analytical reports were published in 2011 in the SySSec
framework, addressing cyber security in several areas: cyber-attacks, threats to the future Internet,
malware and fraud, and sensor networks.

Structured research within SySSec aggregated available information on cyber threats in the future
Internet. The latest SysSec report summarized cyber risks threats issues and plausible impact on a
number of ‘assets’: “personal” - human rights, digital identity, financial assets, health safety;
“societal” - critical infrastructure, GRIDS, clouds; and “professional” – data sales and others assets
(Balzarotti, 2011). The negative impact was rated using a scale of three-grades: “low”, “medium”
and “high” (Figure 12).
98 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

Figure 12 Cyber risks threats issues and plausible impacts (Syssec, 2012).

However, this classification of threats vs. assets is based on experts’ opinion and experience and,
most importantly, is static. The dynamics of cyber risks and threats is context dependent. Its
exploration for the purposes of identification, assessment and prediction of risks is much more
interesting, as well as challenging.

One of the possible approaches to solving this problem is through implementation of the “multiple
futures scenario method” with some modifications (Minchev & Shalamanov, 2010). In this regard,
several scenario ideas concerning cyber security and CIP are already available in the FORWARD
(FORWARD Consortium, 2010) and SysSec initiatives.

As of this point there is no exhaustive list of possible scenarios and risks derivatives from the
identified threats. The creation of such encompassing set would require studying the dynamic
behaviour of cyber threats and at least partial validation in a cyber-threats and risks exploration
environment (Minchev & Shalamanov, 2010).

Recent studies by academic organisations and industry surveys (cf. Symantec, 2011; Sophos,
2011; Balzarotti, 2011) indicate a number of upcoming fields of study, including privacy, targeted
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 99

attacks, emerging technologies security, mobility, usable security in three key assets: personal,
professional and societal assets.

This short overview of cyber threats and their consideration in certain scenario contexts for risks
identification and analysis is intended to support the elaboration of a roadmap for research in the
field of cyber security.

8.3 Supply Chain Security

The “threat side of the Supply chain security equation” – including exogenous threats to EU - is not
well covered in the literature today. Instead, most of the literature refers vaguely to “terrorism
threat” or “cargo crime” as main reasons behind Supply chain security programs, standards and
regulations. The intention of this sub-chapter is to lay out mode broadly the variety of illicit activities
in the supply chain context, in particular what can be identified as “deliberate violations of supply
chain related regulations”.

8.3.1 Review of INTERPOL crime areas

INTERPOL, the International Criminal Police Commission, aims to facilitate international police
cooperation between its 188 member countries through secure global communications services,
database support, operational police support services and police training and development. It is
most known for its Red Notices, which are issued on persons wanted by national jurisdictions (or
the International Criminal Tribunals). INTERPOL’s role is to assist the national police forces in in
identifying or locating those persons with a view to arrest and extradition. INTERPOL and the EU
have a strategic partnership in which INTERPOL supports and supplements efforts at the EU level
in the effective management of both physical and virtual borders. According to INTERPOL
Secretary General Ronald K. Noble, lines of information, expertise and resources flow both ways,
in crime areas as diverse as maritime piracy, human trafficking and counterfeiting (INTERPOL,
2012).

According to INTERPOL web-site, total of 16 crime areas are in the scope of their crime prevention
and law enforcement activities. The table below summarizes the outcomes of Cross-border
Research Association (CBRA) analysis on how these crime areas may link to the discipline of
Supply chain security.
100 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

Table 9. Links between INTERPOL Crime areas and Supply chain security.

Crime area INTERPOL Examples of supply chain linkages – Cross-border Research

Association (CBRA) analysis

Corruption Corruption is a big problem within the context supply chain security.
In many parts of the world, private sector actors pay bribes to
authorities in order to keep their (licit) goods moving, i.e. not getting
stuck for days and weeks at border crossing points. Bribes can be
paid also when to objective is to have authorities to “turn the blind
eye”, e.g. in a case of illicit narcotics or illicit weapons shipment.

At the same time, lot of corruption takes place in the world without
supply chain relevance.

Crimes against Crimes against children take partially place in supply chain security
children context. Child labor is commonly exploited in many developing
countries at farms and plantations (e.g. cocoa supply chain) as well
as factories and sweatshops (e.g. in textiles). Second linkage is the
usage of the supply chain system to transport child victims to target
markets, e.g. from Africa, Latin America and (poor) Asian countries
to the industrial regions of the world.

At the same time, lots of crimes against children take place in the
world without supply chain relevance.

Cybercrime Cybercrime is a growing concern in the context of supply chain

security. Worries range from criminals stealing data about valuable
shipments for cargo crime purposes, to fake companies appearing
at freight exchanges to win transport contracts (which end up in
cargo theft of full loads). Also sabotage by competitors or former
employees is a concern for supply chain security management.
Cyber terrorism could lead into serious problems with critical supply
chain infrastructure, and so forth.

At the same time, large parts of cybercrime do not have direct links
to supply chain security.

Drugs Export, transit and import of illicit drugs takes commonly place
inside supply chain systems, where drugs are concealed within the
cargo, containers, conveyances etc.

At the same time, lot of illicit narcotics are being transported

outside the actual supply chain systems, e.g. with passenger travel
(air, ship, rail, road).

Environmental crime Parts of environmental crime, e.g. CITES violations, illicit export of
metals bearing waste, and ship waste dumbing, take place in the
context of supply chain security.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 101

At the same time, many types of environmental crime have no

tangible supply chain linkages.

Financial crime Parts of financial crimes take place in supply chain security context,
especially when it comes to fraud in customs duties and taxes.

At the same time, the majority of what is understood by financial

crime, is outside the scope of supply chain security.

Firearms Illicit trade, export, transit, import and transport activities of firearms
take place in supply chain security context.

At the same time, firearms can be dealt with outside the usual
supply chain systems.

Fugitive investigations Fugitive investigations are not part of supply chain security (even if
the fugitive has been committing “supply chain crimes”)

Intellectual property Parts of counterfeiting activities happen in supply chain security

crime and context, including manufacturing, export/transit/import, distribution
counterfeiting and sales of counterfeit products.

At the same time, some product counterfeit activities take place

fully outside the mainstream supply chains. And, intellectual
property crime in non-physical goods, falls also outside the scope
of supply chain security.

Maritime piracy Maritime piracy happens partially in the context of supply chain
security, when it comes to attacks and armed robberies e.g. against
commercial container and bulk ships.

At the same time, maritime piracy against private boats is not part
of supply chain security (fishing boats are in the border line).

Organized crime Organized crime is more about the criminal actors, who might be
carrying out one or more types of criminal activities in the supply
chain.

At the same time, many organized crime activities take place

without linkages to supply chain security.

Pharmaceutical crime Pharmaceutical crime, when it comes to illicit sales, counterfeiting,

theft and product diversion, are strongly linked to supply chain
security, in terms of authentication, tracking, transport security,
warehouse security and so forth.

It is challenging to formulate a pharmaceutical crime case for

supply chain security would not be somehow involved.

Terrorism When it comes to terrorism and supply chain security, one can
separate with two angles: (1) terrorists exploiting the supply chain,
to transfer (illicit) materials and people towards the target area, and
102 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

(2) to destroy supply chain assets and systems. These two aspects
can also be combined.

It appears that terrorist acts, so far it is publicly known, do not have

strong links to supply chain security as such.

Trafficking in human Some part of trafficking in human beings happens in the context of
beings supply chain security, especially when containers and ships,
planes, trains and trucks are used for moving people towards target
destinations.

At the same time, large parts of human trafficking take place

outside mainstream supply chain systems, i.e. by private
passenger boats, by private vehicles etc.

Vehicle crime Vehicle crime has at least two connections to supply chain security:
(1) Transport equipment, including trucks, are an object of theft,
hijack, sabotage etc.; and (2) Stolen vehicles are being exported,
transited, imported and transported through the supply chain
system.

At the same time, vehicle crime takes place with no supply chain
security relevance.

Works of art Works of art has supply chain security relevance when it comes to
export, transit, import and transport of stolen, looted, or otherwise
“illicitly owned” works of art.

At the same time, illicit activities with works of art happen without
supply chain security linkages.

8.3.2 Snapshot on geographies for illicit trade and logistics flows

The United Nations Office on Drugs and Crime (UNODC) is a United Nations agency that was
established in 1997 as the Office for Drug Control and Crime Prevention by combining the United
Nations International Drug Control Programme (UNDCP) and the Crime Prevention and Criminal
Justice Division in the United Nations Office at Vienna. It is a member of the United Nations
Development Group and was renamed the United Nations Office on Drugs and Crime in 2002. The
agency, employing about 500 staff members worldwide, is headquartered in Vienna/Austria, with
21 field offices and two liaison offices in Brussels and New York City. UNODC was established to
assist the UN in better addressing a coordinated, comprehensive response to the interrelated
issues of illicit trafficking in and abuse of drugs, crime prevention and criminal justice, international
terrorism, and corruption. UNODC work programme is based on:

- Technical cooperation projects;

- Research and analytical work; and

FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 103

- Assisting member states in the implementation of international treaties and developing

appropriate domestic legislation on drugs, crime and terrorism.

Following table summarizes key illicit activities, and major from-to geographical flows, as identified
in UNODC book “The Globalization of Crime - A Transnational Organized Crime Threat
Assessment” (UNODC, 2010).

Table 10. Key illicit activities and major from-to geographical flows (UNODC, 2010).

Illicit activity From To

Smuggling of migrants Latin America North America

Smuggling of migrants Africa Europe

Cocaine smuggling Andean region North America

Cocaine smuggling Andean region Europe

Heroin smuggling Afghanistan Russian Federation

Heroin smuggling Afghanistan Europe

Firearms smuggling United States Mexico

Firearms smuggling Eastern Europe Rest of the world

Environmental resources Africa and Asia

- wildlife South-East Asia

Environmental resources South-East Asia Europe and Asia

- timber

Counterfeit goods – East Asia Europe

consumer goods

Counterfeit goods - South- and East South-East Asia and Africa

medicines Asia

Maritime piracy Horn of Africa Horn of Africa

8.3.3 European perspectives on supply chain crime (LOGSEC 2011)

Diverse types of security threats may take place in supply chains moving goods and raw materials
to Europe. According to data collected within the LOGSEC project, major crimes affecting supply
chains include (Figure 13): theft in transit (23%), data theft/cybercrime (11%), bogus companies
(10%), and insider fraud (10%). Other relevant crimes that have been indicated during the data
collection process include: smuggling (9%), counterfeiting (9%), and terrorism (6%) (LOGSEC,
2011).
104 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

Figure 13 Present Crime threats (LOGSEC, 2011).

Product specification Environmental

fraud 3 % crime 2 %
Other 3 % Theft (in transit) 22 %
Product Diversion 5
%
Sabotage 5 %
Illegal
Immigration 5 %
Terrorism 6 %

Data theft / cyber

crime 11 %

Counterfeiting 9 %

Bogus companies 10
Smuggling 9 % %
Insider fraud 10 %

The above criminal activities may be grouped into the following categories (Hintsa, 2011):

1. Economic crime: focuses on illicit revenue creation, illicit cost savings, or both;

2. Other crime types: consists of idealogical, ad-hoc, revenge, and up- and downstream crime
types; and

3. Facilitating crime: consists of crime types that do not deliver direct benefits to the criminal
actors, but help them to commit the ”main crimes”, with economic, ideological, and possibly
other goals.

This categorization allows also to classify the main motivations driving criminal behaviour as well
as their direct and indirect relationship with the physical supply chain. For instance, the economic
crime concerns the type of crimes in which cargo and supply chain stakeholders are directly
affected and the outcome of the actions has direct monetary benefits for the criminals. The
facilitating crime concerns activities that are necessary to perform to allow criminal to reach their
goals. Other crime types include these crimes that are motivated by ideologies, sabotage of
unsatisfied employees etc. (LOGSEC, 2011).
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 105

Table 11 Taxonomy for crime types in supply chains (LOGSEC, 2011).

1. Economic crime (revenue generating and/or 2. Other crime types: ideological,

cost saving) political, ad-hoc, up/downstream
-Theft (including robbery, larceny, hijacking,
looting etc.)
- Terrorism (attacking supply chain,
- Organized immigration crime
exploiting supply chain etc.)
(human trafficking, illegal immigration)
- Sabotage
- IPR violations and counterfeiting
- Vandalism
- Customs law violations (tax fraud, prohibited goods)
- Gross negligence
- Other tax fraud (including sales tax / VAT)
(with criminal charges)
- Other fraud (including insurance, commercial
- Supplier crime(s),
contracts etc.)
raw material fraud etc.
- Other government agency law violations
- Sales channel crime(s), violations,
- Parallel trade
fraud etc
- Environmental crime (pollution, wildlife)
- Sea piracy
- Extortion, blackmailing

3. Facilitating other crime(s)

- Document forgery - Identity theft - Espionage
- Bogus companies - Cyber crime - Corruption

8.3.4 Identifying 15 organized crime groups in 5 continents

Wired Magazine published a specific issue (February 2011) focusing on organized crime. This
issue identified 15 organized crime groups active in 5 continents. The spectrum of their activities
including female trafficking, counterfeit goods, heroin, wild life, gold, piracy, firearms, cocaine,
migrant smuggling are also drawn in the map. According to Wired Magazine, the total estimated
value of organized crime is $128 billion. The value of bringing cocaine to North America is $38
billion, bringing cocaine to Europe is $34 billion, bringing heroin to Europe is $20 billion, bringing
heroin to Russia is $13 billion, bringing counterfeit goods to Europe is $8.2 billion, smuggling
migrants from Latin America is $6.6 billion, smuggling illicit timber from southeast Asia is $3.5
billion, counterfeit medicine is $1.5 billion, trafficking human to Europe is $1.25 billion, identity theft
is $1 billion, Marine piracy is $100 million, bringing ivory to Asia is $62 million, moving firearms
from eastern Europe is $33 million, and others are $28 million (Wired, 2011).The major 15
organized crime groups on 5 continents are the following ones:

1. Mexican Cartels: The Tijuana, Juarez, and Gulf cartels. They bring Colombian cocaine to north,
worth $38 Billion USD. They are currently engaged in an all-out war with the Mexican government.

2. Norte Del Valle: It was once Colombia’s leading drug cartels. Now its leadership is mostly
dismantled, and cocaine is smuggled primarily by smaller organizations.

3. La Cosa Nostra: This US group is tied to Italian Mafia and involved in labour racketeering,
money laundering, cybercrime, and drug and cigarette smuggling.

4. Nigerian Organized Crime: They are the inventors of the 419 bank scam. Nigerian workers in
South Asia give the mob street-level access to 90 percent of the worlds heroin.

5. Italian Mafia: Responsible for money laundering and smuggling heroin and arms.

6. Albanian mob: one of the world’s largest oranized crime groups. They provide drugs, arms, sex
workers and cigarette globally.
106 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

7. Russian Mafia: Career criminals who cozied up to government officials after the Soviet Union’s
collapse. Eastern Europe has become a hub for human trafficking.

8. Israeli Mafia: Non-hierarchical and egalitarian group includes Arabs and Russians. They are
one of the world’s largest ecstasy traffickers.

9. Red WA: Originally part of the Burmese Community Party’s military, now produces and exports
methamphetamine and heroin on the Myanmar-Thailand border.

10. Jao Pho: Ethnic Chinese group live in Thailand. It uses legitimate businesses as fronts for
crime and infiltration of the police, military, and government.

11. Combodian Organized Crime: Authorities are reluctant to crack down on trafficking abuses in
this group’s sex industry because it attracts tourists and their money.

12. Triads: Hong Kong based gangs have tens of thousands of members. They are active in loan
sharking, car theft, protection rackets and other criminal enterprises.

13. Heijin: Taiwanese gangsters. They run multinational corporations. About a third of the
governmentt’s officials are current or former member of this gang.

14. Filipino Organized Crime: Involved in prostituion and women are smuggled by using
entertainer visas to leave the politically unsuitable Philippines.

15. Yakuza: Historically composed of low-caste Japanese peddlers. They bill themselves as the
protector of ordinary people.

8.3.5 Examples of 5 European crime groups

In this sub-chapter fairly random European criminal groups are introduced briefly, as examples of
“EU import players” in illicit supply chains (UNODC, 2010).

Verhagen Group – Netherlands: The Verhagen Group was involved mainly in trafficking hashish
into the ‘Randstadt’ (The Hague, Rotterdam, Amsterdam and Utrecht). Key characteristics of this
loosely organized group were the extensive use of trans-border smuggling operations and the
occasional use of violence and corruption. Apart from drug smuggling, however, the group
engaged in a diversity of other illegal activities. The group imported hashish by sea from Morocco,
Lebanon and Pakistan and then distributed it to the Dutch, Danish, British, Belgian and Swiss
markets. Other activities of this criminal network included large-scale fraud/embezzlement, theft of
large quantities of electronic goods, fraud involving precious materials, trafficking in expensive
jewellery as well as fraudulent real estate transactions. Nevertheless, drug trafficking has been the
group’s primary activity with its estimated annual income from illicit activities estimated at more
than US$ 10 million. The amount of smuggled and distributed hashish is estimated at 30,000
kilograms a year. The core members of the group were exclusively Dutch, other members being
German, British Asian, African and American.

The Orange Case – The Netherlands / Caribbean. A loosely organized criminal group that
smuggled cannabis and cocaine from the Netherlands Antilles to the Netherlands. In doing so, the
group engaged in extensive trans-border activities and cooperated with other organized criminal
groups. Drug smuggling activities were facilitated through extensive corruption. The group’s
members were drawn from a similar social background, and little use was made of violence. The
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 107

group bought drugs (cannabis and cocaine) from three Colombian individuals and transported the
drugs by a Dutch navy ship to the Netherlands where the drugs were distributed and sold. The
accumulated profits were then laundered.

Clan Paviglianiti – Italy. The Clan Paviglianiti is organized on a hierarchical basis and operates
mainly in Lombardia and Calabria, specifically in the cities of Cermenate and San Lorenzo. The
group is involved primarily in the trafficking of drugs, especially cocaine. Clan Paviglianiti has a
strong regional ethnic identity. The group makes use of violence (or the threat thereof) and is
involved in significant levels of trans-border activity, cooperating closely with a variety of other
criminal groups. The group has achieved a dominant role in the drug market in the regions where
it is active. Other illicit activities include forgery, large scale fraud and embezzlement, armed
robbery, vehicle theft and trafficking, manufacturing of firearms and ammunition as well as illegal
trafficking in explosives.

Vasi Iliev Security-2 – Bulgaria. VIS-2 is a criminal group operating in the south-eastern region of
Bulgaria. The group is involved primarily in insurance scams, illegal gambling, illegal import and
export of food, equipment, alcohol and cigarettes. The group has a hierarchical structure and is
characterized by a high level of violence. The group has made extensive use of corruption and is
regarded as having some political influence at a local level. VIS-2 has achieved substantial
penetration into the legal economic sector. Its activities are facilitated through extensive contacts
with other criminal groups. Apart from its core activities VIS-2 is engaged in numerous other
activities. These include counterfeiting, forgery, large scale fraud and embezzlement, money
laundering, armed robbery, vehicle theft and trafficking, theft of antiques and jewellery, smuggling
of cultural artefacts, trafficking in women/children for sexual exploitation and forced labour, illegal
immigration, illegal activities surrounding prostitution, kidnapping for ransom, extortion, smuggling
of firearms and the illegal trafficking of explosives.

The Cock Group – Lithuania. The Cock Group operates mainly in the western part of Lithuania, is
hierarchically organized and has a distinct social identity. The group is engaged in various
activities, predominantly extortion, trafficking in heroin, vehicle theft and organized prostitution.
These activities extend to at least three other countries and involve other organized criminal
groups. Key features of the group are an extensive use of violence and corruption, a high degree
of penetration into the legitimate economy and some political influence at both local and regional
levels. Apart from the activities outlined above, the Cock group is engaged in counterfeiting,
forgery, large scale fraud and embezzlement, bank fraud, money laundering, armed robbery,
trafficking in women and children for the sex industry, loan sharking and usury, smuggling of
firearms, illegal traffic of explosives and illegal gambling schemes.
108 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

8.4 Challenges
8.4.1 Critical Infrastructure Protection

Since more than 10 years, most sources, national and on EU level on CIP continue to more or less
repeat the same things in terms of threats, vulnerabilities, interdependencies, criticality to society
and necessity for governmental and private action, for public-private partnerships and required
international cooperation and standards. The FOCUS assessment of sources should be more than
just “reporting” but also point out the gaps and deficiencies in the whole CIP domain and more so
their expected development in the near and longer term, and the requirements to overcome them.

The big questions FOCUS should point out are not those repeated from existing sources but those
derived from a courageous but realistic look into the mid-tem future concerning threats,
technological and associated structural changes, related risks, deficits in organizational,
technological and political strategies and countermeasures, cooperation of industry and
Governments/EU; new forms of Command and control and many more.

The number of source projects analysed in chapter 4 of this report has described the phenomena
of CIP from various aspects, including:

Assessment of general situations and trends.

Analysis of the different approaches in EU member states.

Development of EU roadmaps and approaches to the EU’s future role.

Analysis of threats, vulnerabilities and risks.

Performing exercises for awareness raising, analysis of risks and assessment of system
behaviour.

Analysis of interdependencies of CIs.

Development of technology solutions for improving resilience.

Improvement of crisis and disaster management with focus on CIP.

Looking from this inventory of findings into the future, the big challenges in CIP for the EU are:

The dependence of societies – people, industries, administrations, - on CIs is increasing;

disruptions can cause massive impact on well-being of societies and stability of states.

Threats and risks in some cases are approaching the level of war-like effects.

The complexity and interdependences of CIs tend to generate systems which are
increasingly less predictable and controllable in crisis situations.

The global dimension of most CIs require an international coordinated strategy, action plan
and rules for cooperation.

The lack of industry cooperation must be overcome through a balanced mix of regulations
and incentives.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 109

The fast development of technologies, particularly in the ICT sector, require a flexible and
adaptive strategy.

Threats and risks are generally increasing; in ICT they develop progressively (in a
mathematical sense).

The most sensitive CIs are Energy and ICT.

Developing technologies and novel CI solutions (e.g. smart grids) will generate new
qualities of vulnerabilities and threat options.

National programs and the EPCIP are mainly limited so far to lose cooperation and
information exchange with no binding contracts. In case of major CI disruptions, a regime of
cooperation between the CI providers, homeland security and the military will be required.

Other challenged that we believe are relevant in CIP for the EU are:

The dependence of societies – people, industries, administrations, - on CIs is increasing;

disruptions can cause massive impact on well-being of societies and stability of states.

Threats and risks in some cases are approaching the level of war-like effects.

The complexity and interdependences of CIs tend to generate systems which are
increasingly less predictable and controllable in crisis situations.

The global dimension of most CIs require an international coordinated strategy, action plan
and rules for cooperation.

The lack of industry cooperation must be overcome through a balanced mix of regulations
and incentives.

Developing technologies and novel CI solutions (e.g. smart grids) will generate new
qualities of vulnerabilities and threat options.

National programs and the EPCIP are mainly limited so far to lose cooperation and
information exchange with no binding contracts. In case of major CI disruptions, a regime of
cooperation between the CI providers, homeland security and the military will be required.

8.4.2 ICT Cyber Security

The Cyber domain is one of the most critical, possibly the most critical infrastructure. Cyber risks
have escalated in the past years. The main reasons are:

a) The pace of technological and organizational development is very high and accelerating,
and so are vulnerabilities and threats, and

b) All major infrastructures in industrialized societies are highly depending on ICT. ICT is
ubiquitous in all sectors of society. Therefore ICTs seem to require special attention and
specialised preventive end protective action.

The rationale:
110 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

1. Since about 15 years, ICT technology, ubiquity and complexity have dramatically changed.
The main conclusions and actions, particularly at governmental level have only marginally
improved in the same time. The gap between developing risks and preventive and
protective capabilities seems to become bigger and bigger.

2. Compared to the dependency of societies on ICT, programs to prevent and encounter

upcoming threats are marginal.

3. All notable national and international organizations have somehow taken notice, formulated
resolutions, strategies etc. Concrete and adequate protection, defence, and counter
measures are missing.

4. What happened in Cyber Space so far is only a modest beginning.

o All trends in threats, complexity of ICT systems and vulnerabilities show an

exponential increase over time.

o These trends are true for both, numbers and quality.

o Treat trends clearly move into the direction of state or stat-enabled actors and
serious international crime.

o Die Moore’s Law and complexity support the increases of vulnerabilities and of the
opportunities to exploit them.

5. Cyber terrorism is not there yet, but has to be taken a serious option.

6. Cyber risks do not only originate in the conventional “attack-a- target-and-defend” picture.

There is an increasing potential for movements (good but also bad ones) in societies which
are strongly supported by so called social media. It is hard to impossible to identify causes,
origins, leaders, organizations of movements of people and thus negotiations are denied.

7. Cyber risks require a dynamic strategy which is able to react in time. Resolutions every
several years are demonstrations of willingness but not of action, competence and
capability.

8. Cyber-risk countermeasures require solutions which work fast and across disciplines,
commercial sectors and government administrations, including those of home affairs and
law enforcement, defence, economy, environment, health, legislation.

9. Governments and economy/industry need to act jointly and in an integrated approach. This
is a new Security Paradigm, and necessary because:

o The most critical elements are the big infrastructures (CIs).

o Most of them have been privatized and are commercial businesses.

o Voluntary agreements between governments and the private sector don’t work.

This will work only in a new concept of Public-private partnership, PPP, and will require
really joint and integrated Command and Control across all services and CI sectors.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 111

10. Cyber „War“ is not defined. But when Cyber based conflicts reach the threshold of war-like
effects, it can only be won with a strong offensive cyber component. A first massive cyber
strike may destroy the IT infrastructure of the attacked party within extremely short time.
Consequently, this will deny the victim to retaliate via cyber means. Which will be the
remaining options? Economic pressure? Military escalation?

11. The escalation thresholds for military action in a cyber-based conflict are unknown.

12. A strategy of de-netting of societies, administrations and critical infrastructures, of building

massive redundancies and fall-back positions (even manual ones) will become mandatory.
But they can scarcely be found in present cyber security strategies and concepts.

13. Cyber threat counter programs will increasingly require governmental and EU legislation
and regulation. To wait for voluntary action will not suffice.

14. Effective cyber protection and defence need binding international and global rules because
all major infrastructures operate internationally or globally, and threats can originate from
any place in the world.

8.4.3 Piracy and armed robberies against ships

Acts of piracy and armed robbery against ships are of tremendous concern to IMO and to shipping
in general. IMO is implementing an anti-piracy project, a long-term project which began in 1998.
Phase one consisted of a number of regional seminars and workshops attended by Government
representatives from countries in piracy-infested areas of the world; while phase two consisted of a
number of evaluation and assessment missions to different regions. IMO's aim has been to foster
the development of regional agreements on implementation of counter piracy measures. Regional
cooperation among States has an important role to play in solving the problem of piracy and armed
robbery against ships, as evidenced by the success of the regional anti-piracy operation in the
Straits of Malacca and Singapore. Today, the deteriorating security situation in the seas off war-
torn Somalia and the Gulf of Aden (and in the increasingly volatile Gulf of Guinea) are at the heart
of the problem (IMO, 2012).

8.4.4 Terrorism and sea piracy

Terrorism is a clear example of an exogenous threat that could exploit supply chains to deliver
weapons of mass effect or terrorist actors or both into EU. Especially the proliferation of weapons
of mass effect, encompassing nuclear, biological and chemical weapons, is a potential threat to the
EU security. The countries where global supply chains are mostly at risk are those that are less
stable from an economic and polittical viewpoint. Figure 14 (PWC, 2011) shows a map of the
world, where different colors represent different levels of terrorism threats in the countries. At the
same time, the map unveils logistics hubs where the largest flows of cargo are handled (black
dots). Finally, maritime transport routes and chokepoints are depicted. This is relevant in particular
due to increased risk of sea piracy (PWC, 2011). In the future combined illicit activities by terrorists
and sea pirates could lead into new types of disruptive and/or destructive situations.
112 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

Figure 14 Terror threats in the world (PWC, 2011).

Finally, according to AON (2012), terrorist attacks are now regarded as a foreseeable risk. “An
attack not only on, but near (supply chain) premises could result in human casualties, property
damage, business interruption, legal liability issues and long term damage to brand and
reputation”.. AON claims further that in today’s litigious society, businesses need to ensure
corporate governance and duty of care responsibilities, as integral to their crisis management
strategy.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 113

9 Methods for conducting theme-specific risk assessments

9.1 Critical Infrastructure

For the investigation of system of systems, their behaviour and failure there are apart from
analytical methods, classical methods of risk analysis, scenarios determination, deterministic and
probabilistic safety analysis, security network analysis, reliability analysis, expert judgment, risk
matrix, criticality matrix, Monte Carlo method etc. Specifically in the System of Systems model
construction the following methods are used:

Bayesian Method;

Bayesian Network;

Mixed Bayesian Network;

Fuzzy Bayesian Network Model;

Bayesian Reliability Model;

Fuzzy Rule-based Bayesian Reasoning (FuRBaR);

Petri Nets (PN);

Coloured Petri Nets (CPN);

Stochastic Petri Nets (SPN);

Coloured Stochastic Petri Nets (CSPN);

Case Study (CS);

Multi-Attribute Utility Theory (MAUT);

Multi-Criteria Analysis (MCA);

Weighted Sum Approach (WSA);

Concordance, Discordance Analysis (CDA);

Technique for Order Preference by Similarity to Ideal Solution (TOPSIS);

Ideal Point Analysis (IPA);

Aggregation Preferences (AGREPREF);

Preference Ranking Organisation Method for Enrichment Evaluations (PROMETHEE);

Markov Chain (MC);

Multi-Objective Genetic Algorithm (MOGA);

Multiplicative Intuitionist Linear Logic (MILL).

114 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

Some of these methods are being applied in context related to Critical Infrastructure Protection. In
addition it has been found that beyond these approaches it is important to consider
interdependences between EU member countries as well as to establish public-policy frameworks
to communicate risks to all stakeholders involved in critical infrastructure protection. In Menoni &
Margottini (2011) risk management is combined with future scenario developments. In particular,
the authors attempt:

To construct a picture of Europe at risk, not as individual states, but at a European level by
analysing the impact and losses of natural and na-tech disasters in Europe.

To outline the present risks, scenarios regarding future risks including climate change,
suggestions for the future.

Moreover, the guiding principles outlined by the American Society of Civil Engineering define risk
as the probability of an event that may occur multiplied by the magnitude of the consequences that
could result (ASCE, 2009). The ASCE highlights the importance for a shift in thinking to effectively
integrate risk assessment, risk management and risk communication strategies into national
infrastructure programs. Hence, beyond the well-known techniques and mathematical models to
perform risk computations it has to be kept in mind that 1) best practices should be developed and
made available to enhance risk communication, 2) a public policy framework should be established
to determine guidelines and identify costs to manage risks and their consequences, 3) education
and training should be provided to interested stakeholders (ASCE, 2009).

9.2 Supply chain security

9.2.1 SARA model

SARA: The SARA model, originally developed by Eck and Spelman as a simple problem-solving
tool that can help in addressing any crime or disorder problem stands for Scanning, Analysis,
Response and Assessment, constituting the four key stages in the problem-solving process. Its
elements are described below (Center for Problem Oriented Policing, 2012):

Scanning:

Identifying recurring problems of concern to the public and the police.

Identifying the consequences of the problem for the community and the police.

Prioritizing those problems.

Developing broad goals.

Confirming that the problems exist.

Determining how frequently the problem occurs and how long it has been taking
place.

Selecting problems for closer examination.

Analysis:
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 115

Identifying and understanding the events and conditions that precede and
accompany the problem.

Identifying relevant data to be collected.

Researching what is known about the problem type.

Taking inventory of how the problem is currently addressed and the strengths and
limitations of the current response.

Narrowing the scope of the problem as specifically as possible.

Identifying a variety of resources that may be of assistance in developing a deeper

understanding of the problem.

Developing a working hypothesis about why the problem is occurring.

Response:

Brainstorming for new interventions.

Searching for what other communities with similar problems have done.

Choosing among the alternative interventions.

Outlining a response plan and identifying responsible parties.

Stating the specific objectives for the response plan.

Carrying out the planned activities.

Assessment:

Determining whether the plan was implemented (a process evaluation).

Collecting pre– and post–response qualitative and quantitative data.

Determining whether broad goals and specific objectives were attained.

Identifying any new strategies needed to augment the original plan.

Conducting ongoing assessment to ensure continued effectiveness.

9.2.2 Customs risk management

9.2.2.1 Overview

Customs administrations collect and process information and data in order to identify bad
shipments and movements in the supply chain. Customs prefers naturally to work with reliable,
accurate, detailed and timely information when they are looking for signs of on-going customs
related illicit activities – assuming such information and data quality would be available to them.
116 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

Customs administrations collect information and data for risk analysis purposes from three main
sources: (i) they collaborate with other authorities, both domestic and foreign, in order to get
intelligence about bad actors, bad shipments and movements as well as emerging threats in the
supply chain; (ii) they oblige supply chain actors to submit certain information about the shipments
– this can be before, during and after the physical flow crosses customs borders; and (iii) they also
search information about customs related illicit activities from external sources, i.e. third party
sources such as media and individual citizens. The information customs administrations look for
pertains to supply chain actors; characteristics of shipments and movements; and external factors
that might have an effect on a shipment and movement risk level. Authorities as a source of
information

Much of relevant data is gathered from various governmental bodies. In many case, authorities that
issue various licenses, permits and certificates maintain electronic databases of certified operators
(e.g. Authorized Economic Operator and Known Shipper, and Regulated Agent databases in the
European Union). Other governmental actors, whether national, foreign or international, may share
intelligence on risky shipments, suspicious supply chain actors or on-going criminal activities that
might help customs to identify and intercept risky shipments and movements.

Table below provides 14 illustrative examples on what might be considered as “high risk indicators”
by customs administrations, based on the information and data they might have about the shipper;
commodity; country of origin; carrier; container; routing and transhipments; and the importer.

Table 12. Examples on what might be considered as “high risk indicators”.

Supply chain actor Illustration on what might be considered as “high risk indicators”
/ stage
Shipper - Shipper has not exported the specific commodity before
- Shipper information cannot be found from commercial registers or
from the Internet
Commodity - Hazardous materials which may be used for terrorist acts: e.g.
Sulphur Dioxide and Iridium 192
- Common materials which may be used for concealment purposes:
e.g. sugar and auto parts
Country of origin - High level of corruption in the country
- Non-existing (or low) level of export controls: e.g. pre-cursor
chemicals, narcotics, and dual use goods.
Carrier - Specific crew associated with organized crime
- Carrier history of frequent violations of customs enforced regulations
Container - Goods description does not match with the container type or with the
total weight of the container.
- Discrepancies in seal numbers (documents versus actual seal)
Routing and - Routing of shipment is not cost effective
transhipments - Transhipment cost paid with cash
Importer - The frequency of imports does not support a “sustainable business”.
- A suspect employee is working for the importer.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 117

The next diagram visualizes how five specific data sources – corruption barometers; terrorist
activity reports; seizure records; shipper profiles; and crime trend reports – could feed into updating
of “high risk indicators”. Again, this is purely for illustrative purposes only.

Figure 15 How five specific data sources could feed into updating of “high risk indicators”.

9.2.2.2 Common risk management framework (CRMF) in the EU

Common risk management framework, CRMF, has its basis laid out in the Internal Security
Strategy, ISS, of the European Union (EU Commission, 2011). As part of Objective 4 of the ISS
document - Strengthen security through border management – CRMF basics are explained in
Action 3: Common risk management for movement of goods across external borders. ISS
reference to CRMF is presented in the box below.

Significant legal and structural developments have taken place in recent years to improve the
security and safety of international supply chains and movement of goods crossing the EU border.
The Common Risk Management Framework (CRMF), implemented by customs authorities, entails
continuous screening of electronic pre-arrival (and pre-departure) trade data to identify the risk of
security and safety threats to the EU and its inhabitants, as well as dealing with these risks
appropriately. The CRMF also provides for application of more intensive controls targeting
identified priority areas, including trade policy and financial risks. It also requires systematic
exchange of risk information at EU level.

A challenge in the coming years is to ensure uniform, high-quality performance of risk

management, associated risk analysis, and risk-based controls in all Member States. In addition
to the annual report on the smuggling of illicit goods referred to above, the Commission will
develop EU level customs assessments to address common risks. Pooling information at EU-level
should be used to reinforce border security. In order to strengthen customs security to the
required level at external borders, the Commission will work in 2011 on options to improve EU
level capabilities for risk analysis and targeting and come forward with proposals as appropriate
(EU Commission, 2011).
118 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

High-level illustration on how CRMF may be meant to function, is explained in the form of a 10-step
closed loop process, and visualized right after the numbered list.

1. Customs has data on the supply chain actor (e.g. is the company EU AEO or not; previous
record of compliance etc.)

2. Customs receives Pre-departure and/or pre-arrival data sets on the shipment (data set
defined in the legislation)

3. Customs receives intelligence from a variety of sources (other national agencies, foreign
customs, informants etc.)

4. Customs has (in their targeting system) the EU Common risk criteria and priorities (”EU risk
rules”)

5. Customs has (in their targeting system) the national risk criteria and priorities (”national risk
rules”)

6. National customs administration Receives pre-departure / pre-arrival data, through ICS and
ECS; and Carries out risk assessment, in a national targeting system.

7. Customs identifies ”risky” supply chain actors and/or ”risky” shipments, and takes
appropriate actions

8. Results are passed to the Communication network

9. Customs shares the results with DG TAXUD and the other Member state customs
administrations through the Secure communication network

10. EU common risk criteria and priorities and/or national risk criteria and priorities are being
updated.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 119

Figure 16 10-steps closed loop process on how EU CRMF may function.

9.3 Critical supplies

When it comes to “critical supplies” and “security of supply” the literature, including regulations,
lack definitions and (theme-specific) risk management methodologies – contradictory to Critical
Infrastructure Protection and Supply Chain Security. In this sub-chapter, following three angles are
presented, in order to provide a starting point for further critical supplies analysis work in FOCUS-
project:

- “End-user” view with critical supplies

- “All commodities” import (into EU) analysis

- EC identification of actual critical raw materials (in terms of metals and minerals)

9.3.1 End-user view with critical supplies

The first question when considering about “critical supplies” can be: “critical” to whom, and why?
One option is to take the “end-user” view, i.e. look at the points in the consumption, supply chain
and infrastructure itself, while identifying which commodities – in particular imported from outside
EU – is each “end-user” most dependent on.

The following list suggest a systematic way of starting with the citizen view (e.g. food and shelter,
pharmacy and heating etc.) and proceeding throughout the main supply chain stages (retail,
manufacturing, transport), and finally to the core infrastructure (energy, water, ICT).

1. Consumer / citizen perspective: What do European consumers really need (to

live), and how it flows back in the supply chain, to outside EU.
120 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

2. Retail and distribution perspective: What do European retail outlets and

distribution centres really need (to operate), and how it flows back in the supply
chain, to outside EU.

3. Manufacturing perspective: What do European factories really need (to operate),

and how it flows back in the supply chain, to outside EU.

4. Transportation vehicle & equipment perspective: What do European transport

vehicle and equipment really need (to operate), and how it flows back in the supply
chain, to outside EU.

5. Transportation network perspective: What does European transportation network

really need (to be operable), and how it flows back in the supply chain, to outside
EU.

6. Energy (distribution) network perspective: What does European energy network

really need (to be operable), and how it flows back in the supply chain, to outside
EU.

7. Water (distribution) network perspective: What does European water network

really need (to be operable), and how it flows back in the supply chain, to outside
EU.

8. Information and communication technology (ICT): What do European

information systems (to operate) and network (to be operable) really need, and how
it flows back in the supply chain, to outside EU.

9.3.2 Import (into EU) analysis of all commodities

In this section – complemented by Annex 1 - statistical data about products, materials, live
animals, minerals etc. imported to EU27 (Eurostat, 2012) is presented, while classified according
to the Standard International Trading Categories (SITC). As there is no EU standard on
categorization of these products and raw materials in terms of criticality, the impact on criticality is
analysed and discussed in terms of 1) the concentration of production and import from outside the
EU27, 2) Value in € of imported products (CBRA working paper No. 114, 2012). In a similar
manner as it was done in (EU Commission, 2010), in this brief analysis we strive to compute a
more comprehensive and well-rounded criticality index or score by coupling these two parameters
with other qualitative considerations as:

Political and economic stability of the producing country.

Security threats of the producing country.

EU27 Economy impacts in case of flow disruptions. In particular, the estimation of the
impact on economy is limited to the extra expenditures necessary to substitute a product or
raw material with a more expensive one.

The categories and related sub-categories given in the SITC and assessed in the analysis are the
following (Eurostat, 2012):

1. Food and live animals

FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 121

a. Live animals other than animals of division 03

b. Meat and meat preparations

c. Dairy products and birds’ eggs

d. Fish (not marine mammals), crustaceans, molluscs and aqua

e. Cereals and cereal preparations

f. Vegetables and fruit

g. Sugars, sugar preparations and honey

h. Coffee, tea, cocoa, spices, and manufactures thereof

i. Feeding stuff for animals (not including unmilled cereals)

j. Miscellaneous edible products and preparations

2. Beverages and Tobacco

a. Beverages

b. Tobacco and tobacco manufacturers

c. Adjustments (Trade broken down at chapter NC level only)

3. Crude materials, inedible, except fuel

a. Hides, skins and fur skins, raw

b. Oil-seeds and oleaginous fruits

c. Crude rubber (including synthetic and reclaimed)

d. Cork and wood

e. Pulp and waste paper

f. Textile fibres (other than wool tops and other combed wool) and their waste (not
manufactured into yarn or fabric)

g. Crude fertilizers, other than those of division 56, and crude minerals (excluding coal,
petroleum and precious stone)

h. Metalliferous ores and metal scrap

i. Crude animal and vegetable materials, N.E.S.

4. Mineral fuels, lubricants and related materials

a. Coal, coke and briquettes

b. Petroleum, Petroleum products and related material

c. Gas, natural and manufactured

122 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

d. Electric current

e. Confidential trade of group 39 and/or estimations

5. Animal and vegetable oils, fats and waxes

a. Animal oils and fats

b. Fixed vegetable fats and oils, crude, refined or fractionated

c. Animal or vegetable fats and oils, processed; waxes of animal and vegetable origin,
inedible mixtures or preparations of animal or vegetable fats or oil, N.E.S

d. Adjustments (Trade broken down at chapter NC level only)

6. Chemical and related products, N.E.S.

a. Organic Chemicals

b. Inorganic chemicals

c. Dyeing, tanning and colouring materials

d. Medicinal and pharmaceutical products

e. Essential oils and retinoid and perfume materials; toilet, polishing and cleansing
preparations

f. Fertilizers (other than those of group 272)

g. Plastics in primary forms

h. Plastics in non-primary forms

i. Chemical materials and products, N.E.S

7. Manufactures goods classified chiefly by material

a. Complete industrial plant appropriate to section 6

b. Leather, leather manufactures (excluding furniture)

c. Paper, paperboard and articles of paper pulp, of paper or of paperboard

d. Textile yarn, fabrics, made-up articles, N.E.S., and related products

e. Non-metallic mineral manufactures, N.E.S.

f. Iron and steel

g. Non-Ferrous metals

h. Manufactures of metals, N.E.S.

8. Machinery and transport equipment

a. Complete industrial plant appropriate to section 7

FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 123

b. Power-generating machinery and equipment

c. Machinery specialized for particular industries

d. Metalworking machinery

e. General industrial machinery and equipment, N.E.S. and machine parts, N.E.S.

f. Office machines and automatic data-processing machines

g. Telecommunications and sound-recording and reproducing apparatus and

equipment

h. Electrical machinery, apparatus and appliances, N.E.S., and electrical parts thereof
(including non-electrical counterparts, N.E.S., of electrical house-hold type
equipment)

i. Road vehicles (including air-cushion vehicles)

j. Other transport equipment

9. Miscellaneous manufactured articles

a. Complete industrial plant appropriate to section 8

b. Prefabricated buildings; sanitary, plumbing, heating and lighting fixtures and fittings,
N.E.S.

c. Furniture and parts thereof; bedding, mattresses, mattress support, cushions and
similar stuffed furnishings

d. Travel goods, handbags and similar containers

e. Articles of apparel and clothing accessories

f. Footwear

g. Professional, scientific and controlling instruments and apparatus, N.E.S.

h. Photographic apparatus, equipment and supplies and optical goods, N.E.S.;

watches and clocks

i. Miscellaneous manufactured articles, N.E.S.

10. Commodities and transactions not classified elsewhere in the SITC

a. Postal packages not classified according to kind

b. Special transactions and commodities not classified according to kind

c. Complete industrial plant not elsewhere specified

d. Confidential trade

e. Coin (other than gold coin), not being legal tender

124 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

f. Gold, non-monetary (excluding gold, ores and concentrates)

g. Confidential trade

The outcome of the analysis is reported in Annex 1 of this report.

9.3.3 Critical raw materials identified by EC

A report published by the European Commission classifies raw materials as critical as a

combination of the high risks related to the supply interruption and the impact on economy. To
assess risks two criteria are used in this report: supply and environmental country risk.

Supply risk is given by the following:

o Concentration of the production of the raw material in a given non-EU country.

o Political and economic stability of the producing countries.

o Potential for substitution and recycling rate.

Environmental country risk:

o Jeopardizing the supply of the raw materials by introducing environmental

measures.

Figure 17 Geographical sources of critical raw materials (DG ENTR).

FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 125

Figure 18 shows that the Group with 14 raw materials falling within the top right cluster of the
diagram are critical. These include:

Antimony from China

Beryllium from China and US

Cobalt from Canada and DRC

Indium from China and Japan

Fluorspar from Mexico and China

Gallium from China

Germanium from China

Graphite from India and China

Magnesium from China

Niobium from Brazil

Platinum Group Metals from Russia

Rare earths from China

Tantalum from Brazil, DRC and Rwanda

Tungsten from China

Figure 18 Raw materials classified in terms of supply risk and economic importance (DG ENTR).
126 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

9.4 ISO standards in risk management and supply chain security

9.4.1 ISO 31000 series on risk management

ISO 31000:2009 provides principles and generic guidelines on risk management. ISO 31000:2009
can be used by any public, private or community enterprise, association, group or individual.
Therefore, ISO 31000:2009 is not specific to any industry or sector. ISO 31000:2009 can be
applied throughout the life of an organization, and to a wide range of activities, including strategies
and decisions, operations, processes, functions, projects, products, services and assets. ISO
31000:2009 can be applied to any type of risk, whatever its nature, whether having positive or
negative consequences. Although ISO 31000:2009 provides generic guidelines, it is not intended
to promote uniformity of risk management across organizations. The design and implementation of
risk management plans and frameworks will need to take into account the varying needs of a
specific organization, its particular objectives, context, structure, operations, processes, functions,
projects, products, services, or assets and specific practices employed. It is intended that ISO
31000:2009 be utilized to harmonize risk management processes in existing and future standards.
It provides a common approach in support of standards dealing with specific risks and/or sectors,
and does not replace those standards. ISO 31000:2009 is not intended for the purpose of
certification (ISO, 2012).

Regarding FOCUS-project, ISO 31000 can be used as a generic risk management model,
facilitating the further process of foresight scenario creation.

9.4.2 ISO 28000 series on supply chain security management

The ISO 28000 series of standards on supply chain security management systems helps to reduce
risks to people and cargo within the supply chain. The standards address potential security issues
at all stages of the supply process, thus targeting threats such as terrorism, fraud and piracy.
According to ISO Secretary-General, Alan Bryden, “Threats in the international market-place know
no borders. The ISO 28000 series provides a global solution to this global problem. With an
internationally recognized security management system, stakeholders in the supply chain can
ensure the safety of cargo and people, while facilitating international trade, thus contributing to the
welfare of society as a whole.” The ISO 28000 series of International Standards specifies the
requirements for a security management system to ensure safety in the supply chain. Its standards
can be applied by organizations of all sizes involved in manufacturing, service, storage or
transportation by air, rail, road and sea at any stage of the production or supply process. The
series includes provisions to (ISO 28000, 2012):

- establish, implement, maintain and improve a security management system;

- assure conformity with security management policy;

- demonstrate such conformity;

- seek certification/registration of conformity by an accredited third party organization; or

- make a self-determination and self-declaration of conformity.

Regarding FOCUS-project, ISO 28000 series can be used as a generic supply chain security
management model, facilitating the further process of foresight scenario creation.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 127

9.5 Risk Assessment based on sectorial interdependencies

9.5.1 Overview

In practical terms, critical infrastructures and supply chains are highly dependent on each other.
Supply chain flows depend on transport infrastructures, energy supply, and information and
communication technologies, just to name few obvious examples. And critical infrastructures
depend on supply chain performance for installations, maintenance, spare parts and so forth. The
objective of this sub-chapter is to provide a concrete example of the multitude of interdependencies
between the two, by using a realistic case of food supply system from the National Emergency
Supply Agency (NESA) in Finland (linked to the Government decision on the targets of security of
supply in Finland (539/21.8.2008) ). This is followed by suggestion for FOCUS-project to include oil
supply chain as the second interdependency / cross-sector analysis object.

9.5.2 Food supply system

The table below presents key supply chain stages, actors, management aspects and critical
infrastructure dependencies (Sivonen, 2010). For a lack of better common heading, these are all
titled as “Elements”, followed by “Sub-elements” and/or “Detailed elements” of the food supply
system. The main purpose is to illustrate the complexity for a proper risk assessment process,
while highlighting the necessity of Public-private partnership approach.

Table 13. Key supply chain stages and critical infrastructure dependencies.

Element Sub-element Detailed elements

Food safety - -

Primary Plant production Grain; grass; oil plant; sugar beet;

production potato; other plant production

Primary Domestic animal production Milk; pork; beef; poultry production;

production fishing and fish breeding

Processing - Grain based industry; drink and

nutrition fat industry; meat, fish and
ready meal industry; vegetable based
and sweetener industry

Logistics and - Central warehouses, logistics centres;

distribution distribution centres and terminals;
hotel, restaurant and catering
operators; distribution systems in
cities, towns and sparsely populated
areas; distribution transport
128 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

Input - Grain import (rye); feed and feed raw

productions materials import; pesticide import;
and fertilizer import; fertilizer production;
indispensable meat (beef) import; prepared food
import import

Administrative - -
preparedness

Support Energy supply Electricity supply; fuel supply; heating

function

Support Information systems Order and delivery systems; production

function control systems; administrative
systems

Support Communications Data communication; fixed telephone

function network; mobile telephone network;
email; mail

Support Transport subcontractors Forwarding; sea transport; air

function transport; land transport (including
refrigerated transports)

Support Maintenance -
function

Support Water supply and sewage -

function

Support Waste management -

function

Support Financial services Payment systems; insurance services

function

Support Mass media -

function

9.5.3 Suggestions for further cross-sector analysis

Based on the importance of oil supply for the EU economy, a recommendation is made to include
oil supply chain as the second sector in the further cross-sector analysis in the FOCUS-project. As
a starting point, the following simplistic supply chain description may be used – naturally to be
expanded with many details about the oil supply chain stages, and their dependencies on the
critical infrastructure and critical supplies:
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 129

- Exploration

- Production

- Crude pipelines

- Shipping

- Trading

- Refining

- Product pipelines

- Storage terminals

- Product distribution

o Industrial markets

o Retail markets

o Commercial markets

Next to food and oil supply systems, critical cross-sectorial analysis and scenario development
could also include metals and minerals (building on EC´s current assessment, section 9.3.3.
above); chemicals, pharmaceuticals; nuclear power production and distribution; amongst other
possible “critical sectors”.

Finally, next to the current 11 European Critical Infrastructure (ECI) areas outlined in this report
(Chapters 2 and 7), waste management could become part of ECI in the future, and could thus be
included in the cross-sectorial analysis of further FOCUS-project work.

9.5.4 End-user view to cross-sectorial interdependencies

The final illustration of Chapter 9 positions EU citizen as the “end-user” or “end-beneficiary” of the
supply systems requiring proper management of:

1. Critical infrastructure protection;

2. Supply chain security; and
3. Critical supplies.

The underlying key conceptual interdependencies are the following four:

A. Critical infrastructure performance is dependent on (specific) critical supplies.

B. Supply chain performance is dependent on (specific) critical supplies.
C. Critical infrastructure performance is dependent on supply chain performance.
D. Supply chain performance is dependent on critical infrastructure performance.
130 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

Whatever is finally defined to be critical for the citizen – food, pharmaceuticals, shelter, energy,
heat, and so forth – needs to be ranked high, both on EU political agenda, as well as part of further
FOCUS foresight scenario development work.

Figure 19 Cross-sectorial interdependencies.

FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 131

10 Changing borderlines between internal and external security

A series of initiatives are aiming to fostering cooperation between the internal and external aspects
of EU security. Some of these have already been outlined in chapter 7 in relation to the EU
relevant bodies working in the fields of CIP and SCS. Other relevant sources depicting the foreign
politics of EU are classified in this section as:

Activities and cooperation.

Security and defence policy.

Energy related initiatives.

10.1 Activities and cooperation

Regular inter-institutional information meetings: in order to ensure closer cooperation and

coordination in the field of EU security and to improve planning and information flow in the area of
EU security.

Standing committee on operational cooperation on Internal Security: First meeting between

Standing Committee on operational cooperation on internal security (COSI) and the Political and
Security Committee; held on 1 June 2011 in order to exchange views on how to improve the
synergy between the internal and external aspects of EU security.

Cooperation between the CSDP police missions and Europol. The Council has acknowledged
on many occasions that CSDP’s and JHA’s external actions have many shared or complementary
objectives. CSDP missions have also made an important contribution to the EU’s internal security
in their efforts to support the fight against serious transnational crime in their host countries and to
build respect for the rule of law. The European Council encouraged greater cooperation between
JHA and CSDP in developing these shared objectives. The Stockholm Programme, as adopted by
the European Council, states that Europol should work more closely with the CSDP police
missions and help promote standards and good practice for European law enforcement
cooperation in countries outside the EU (EU Commission, 2011; Europol, 2011).

The visa liberalisation dialogue and the post-visa liberalisation mechanism: substantially
contributed to the implementation of reforms in Western Balkan countries.

10.2 Security and Defence policy

EEAS and Commission Joint Paper: EEAS and the Commission drew up a Joint Paper on
enhancing ties between the Common Security and Defence Policy (CSDP) and the Freedom,
Security and Justice (JHA) actors, which support the idea that closer cooperation between civilian
CSDP missions and JHA actors could yield tangible improvements in terms of European security.
The specific recommendations in the Joint Paper single out sharing of information as being
important and needing improvement in order to find ways of anticipating rather than reacting to
132 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

events. Secondly, coordination in planning EU external action needs to be fostered, as it is

essential for cooperating upstream in the planning of the missions.

EU enlargement policy: key elements contributing to the EU internal security. The enlargement
process provides for important incentives for relevant countries to deliver on reforms enhancing
their law enforcement and judicial capacities.

Lisbon Treaty: Lisbon Treaty entering into force on 1 December 2009: opening up a new chapter
in European foreign policy with more authority of Brussels; upgrading of the “High Representative
of the Union for Foreign Affairs and Security Policy” (sitting in the Commission and chairing the EU
Council of Foreign Ministers) with her own new European External Action Service. With the EU’s
foreign policy becoming more Europeanized, external energy policy needs to follow logically.

10.3 Energy related initiatives

Guidelines for trans-European energy infrastructure: Increasing transnational energy

infrastructure being build: internal gas pipelines (connecting member states for supplying each
other as a crisis mechanisms for supply disruptions and a pre-condition for a functioning united
internal market) and external gas pipelines for new suppliers (Azerbaijan, Turkmenistan, Iraq etc.);
grid system for electricity transports; in the future CO2 pipelines etc. This new transnational energy
infrastructure demands a common energy (foreign) policy.

On 19 October 2011, the European Commission unveiled its proposal for a Regulation on
"Guidelines for trans-European energy infrastructure". This proposal aims at ensuring that
strategic energy networks and storage facilities are completed by 2020.

To this end, the Commission has identified 12 priority corridors and areas covering electricity, gas,
oil and carbon dioxide transport networks. It proposes a regime of "common interest" for projects
contributing to implementing these priorities and having obtained this label.

According to the Commission’s estimates, some €210 billion needs to be invested in building
cross-border energy infrastructure in Europe by 2020: €140 billion for high-voltage electricity grids
and the development of “smart grids”; €70 billion for high pressure gas pipelines; and €2.5 billion
for a CO2 transport infrastructure tied for the development of CCS.

Presents examples of a Coordinating Role of the Commission of Regional Energy Projects with
third Countries and Regions: synchronizing the Baltic Electricity Networks with the EU’s Power
System (hitherto integrated into the Russian network);

Seeking a tripartite agreement with Ukraine, Russia and the EU to ensure stable and uninterrupted
gas supplies to Europe from Russia through Ukraine (EU will support Ukraine’s aging gas
transmission network);

Mediterranean Energy Partnership both for fossil fuels and renewables (i.e. electricity imports by
the Desertec project).

EU’s New Strategy for its Energy External Dimensions. Legislative proposal for all member
states to sign all new and existing bilateral energy deals with third countries need to inform the
Commission. The only reporting obligation that exists to date is for member states to report gas
deals to the Commission under a 2009 gas security of supply regulation. The proposal given by the
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 133

European Commission (2011) strengthens and extends the reporting obligation and transparency
to all intergovernmental deals “which are likely to have an impact on the internal market for energy
or on the security of energy supply” (about gas, oil, electricity or renewables) (European
Commission, 2011). Information of new contracts “in the course of negotiation”; Oettinger: “The
Commission will be aware of what’s going on before negotiations start and how negotiations are
going”. The new rules would also apply to intercompany agreements insofar as these are explicitly
referred to in intergovernmental agreements. The Commission would have the right to carry out a
“compatibility check” to verify all agreements that the deal being formulated is in compatible with
the EU law (energy regulation and policy). In addition, the proposal suggests (European
Commission, 2011):

Establishing a “Strategic Group for International Energy Cooperation”, composed of

representatives from member states and the Commission. This Group would coordinate the
EU’s external energy position and speak on its behalf in international for such as the IEA,
G8 and G20.

Diversifying supply sources and routes (Expansion of Renewables; LNG; Southern

Corridor/Nabucco project, Trans Caspian pipeline, MENA region/North Africa etc.);

Supporting a tripartite agreement with Ukraine, Russia and the EU to ensure stable and
uninterrupted gas supplies to Europe from Russia through Ukraine (EU will support
Ukraine’s aging gas transmission network);

Market Integration with Neighbouring States: Norway, Switzerland, Energy Community

Treaty (recent accession of Moldova and Ukraine), Baku Initiative and Eastern Energy
Security Platform, Southern Mediterranean;

Energy Integration with Russia (increasing convergence of the two energy markets);

Strengthening Energy Partnerships with Other Energy Suppliers (Norway, Algeria, Saudi
Arabia, Libya, LNG suppliers of Qatar, Australia, Trinidad and Tobago);

Partnerships with Industrialized and Fast Growing Economies (USA via the EU-US Energy
Council established in 2009; Japan, China, India, Brazil; whereas Canada has not been
mentioned despite having the second largest oil reserves in the world and many other
energy resources and raw materials);

Aligning the EU internal and external development policy with its energy policy.

Suggestion of creating a database of energy projects in partner countries funded by the EU,
member states, or multilateral EU institutions (such as the European Investment Bank) in
order to maximise synergies and minimise duplication of effort.

Commission’s Proposals for Strengthening the EU’s External Dimensions and Speaking
with “One Voice”. The EU is only as strong as its member states make it. Thus many criticism at
Brussels for a failing coherence in its energy foreign policies and speaking with “one voice” needs
to be redirected towards the main and largest member states (i.e. Germany, France and Great
Britain) rather than Brussels. This Germany’s energy policies are the best example because
Germany had never a majority for its gas, coal, and nuclear energy policies within the EU-27. It has
rather followed its unilateral energy policies and often at the expense of other member states (i.e.
Nordstream, present energy change) and overlooking how its national energy policies have direct
134 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

and indirect impacts on neighbouring countries or the EU’s common energy policies. Thus it is
hardly surprising that some larger member states (like Germany, France, Great Britain etc.) are still
unwilling politically to pass more power and authority to Brussels. Critics have argued that the EU
does not need an “external energy policy” and particularly not based on geopolitical designs; it
should rather rely on a strong market approach and only focus on a liberalized, united internal
market with strong regulations. Energy companies and some experts have criticized in particular
the information obligation of energy contracts and agreements to the Commission. In their view, it
is exact the opposite of achieving a competitive internal market, which the Commission wants to
export to neighbouring countries.

Instead the Commission has argued that bilateral energy agreements without any consultation with
the Commission have often resulted “in a fragmentation of the internal market rather than
strengthening of the EU’s energy supply and competitiveness.” Therefore, the EU’s energy policies
need to reflect “the interconnectedness of the internal market and the interdependence of the EU
member states.” Indeed, as past experiences have shown repeatedly, relying on the market alone
cannot guarantee the objective of energy (supply) security. Private companies (or International Oil
Companies/IOCs in contrast to National Oil Companies/NOCs) have first and foremost to follow
their vested business interests, such as making profits for its shareholders. Understandably, their
prime objective is not and cannot be the national or EU wide energy (supply) security. Hence
markets need a certain regulation, oversight and control as part of a systematic approach and
institutionalized public-private partnership consultations.

Setting up an information exchange mechanism on intergovernmental agreements between

member states and third countries is a pre-condition for its effective functioning, complement the
gas security directive that already introduced the notification procedure to gas agreements. The
latest new Polish-Russian gas agreement of 2010 can be seen as an example when the
Commission got involved and secured it. However, that involvement came very late at the end of
the bilateral negotiations. If the Commission is not involved (by information) from the beginning of
those bilateral negotiations, the often made concessions in those bilateral agreements were often
not reconcilable with the EU’s internal community law such as the unbundling clause or the third
party access clause. An early involvement of the Commission, however, cannot only improve the
transparency, but also provide investors and third parties with important legal certainty and shorten
the negotiation process instead of re-negotiation because of concession-made clauses which are
contradicts EU laws.

In some cases, the Commission has even claimed the right to negotiate not alongside but instead
of member states. In Öttinger’s words: “Negotiating mandates for the EU may be necessary where
agreements have a large bearing of the EU energy policy objectives and where there is a clear
common EU added-value” and the ability to pool its supply capacities and to engage “in
coordinated energy purchasing”. Of course, the larger member states in particular won’t give such
a mandate in general, but might be willing to do it under very specific circumstances. A present
example, for instance, is the unprecedented mandate the Commission has to negotiate with
Azerbaijan and Turkmenistan for a trans-Caspian pipeline after Turkmenistan explicitly requested
EU involvement in this and EU Council of Ministers have given the Commission a formal mandate
for these negotiations (against strong Russian protests and warnings).

In conclusion, the Commission’s proposals have requested a much stronger mandate for itself and
Brussels. But it is in line with many of the European Parliament’s positions, the Lisbon Treaty and
critical expert analyses of the hitherto insufficiently addressed external dimensions of its energy
policies. If those proposals of the Commissions are sported and implemented by the member
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 135

states, it would dramatically transform the EU’s energy (foreign) policies with strong implications for
its overall Common Foreign and Security Policies (CFSP) and the ability to speak with “one voice”
and to pool its capacities as well as common strategic interests in the international arena.
136 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

11 Proposed methods for foresight scenarios

Foresight studies on Critical Infrastructure Protection, unless they pursue very narrow objectives,
involve a combination of quantitative models, based experience and design data, and methods
eliciting expert opinion, which by default is subjective. Usually, different sets of methods and
models are applied at different stages of the study, depending on the particular task. A telling
example is the recent study on evolving European security that looked into evolving threats, drivers
and trends in order to support the shaping of the European security research policy. The study
covered several areas of concern for EU security, including the protection of critical infrastructures.
In its first research phase, the study team implemented the Delphi method engaging more than
300 security experts from almost all EU Member States (FORESEC, 2009). It served to identify
change factors and their impact, while consequent analysis brought forward risks and drives with
highest consequences. This served the scenario building process, conducted through parallel
workshops in different EU countries. It utilized a workshop methodology, designed by the team
from the Swedish Defence Research Agency (FOI, Stockholm). The participants in each workshop
were asked to:

Map the main risk areas into a likelihood/impact matrix;

Identify the top risk areas in relation to the security agenda of the country;

Identify possible policy options and actions in order to meet and mitigate the impact of the
identified risks.

The specific of the approach here was that assessments were made vis-à-vis three narratives, or
context scenarios, each on a coherent and plausible version of the future that were developed by
FOI in advance. Following that, participating experts with varying scientific and/or professional
background were brought together in a conference to identify interdisciplinary research needs
(FORESEC, 2009).

Similar methods find application in identifying and understanding the impact of threats to specific
areas of interest, such as critical infrastructures and supply chains, as well as trends and drivers
with impact on the political, social, economic, and technological environment in which attacks on
critical infrastructures take place and their effects are estimated. The FP7 project FORWARD
Consortium (2010) for example, used the judgment of IT savvy experts to foresee, rank and
prioritize threats to critical infrastructures utilizing IT means and/or vulnerabilities of infrastructures.
It thus recommends main threat categories, and for each one delivers a plausible scenario with
assessment of impact.

A number of methodological approaches developed for understanding the behaviour of critical

infrastructures under certain assumptions on the future are based on the understanding that CI
often behave as complex adaptive systems and apply rigorous modelling techniques to
complement expert judgment. One such model is known as Gamma (Niemeyer, 2005), used to
identify value drivers and visualize the interrelations of components in complex systems. In
combination with soliciting the judgment of a group of experts from each related area, it assists the
development of model inputs and descriptive factors. It applies essentially a top-down approach of
system analysis, starting from a holistic point of view. Gamma provides tools for interactive
visualization and analysis of complex interrelationships of systems. The graphical toolset
generates a net diagram as a result of the thinking process of session participants and captures
parameters and values of identified links between system elements, thus affording understanding
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 137

cause and effect relationships. Niemeyer (2005) provides further details and examples of
application.

Another related method is known as Preliminary Interdependency Analysis (PIA), developed by the
Centre for Software Reliability, City University London (Popov, 2011). It addresses what many
consider the greatest challenges in enhancing the protection of Critical Infrastructures against
accidents, natural disasters, and acts of terrorism, i.e. the understanding of the interdependencies
between infrastructures and the dynamic nature of these interdependencies. The first phase in the
application of the method is qualitative; it leads to a fairly abstract model of interacting
infrastructures. More detailed models are built via refinement steps, thus allowing quantifying
interdependencies. A number of implementation tools allow analysts to build quickly models at the
appropriate level of abstraction for the particular domain, to parameterize and use the built in
stochastic simulations. PIA has been used for interdependency analysis for the UK Treasury in a
relatively large scale case-study with more than 800 modelling elements.
138 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

12 Inputs for subsequent foresight scenario analysis

This chapter is an attempt to analyse the collected data and develop logical deduction about
possible inputs for foresight scenario analysis. In particular, this analysis is meant to provide a first
brainstorming about the interrelationships between the elements of the Kanninen framework
depicted in Chapter 6. The framework is fed with input derived from several interviews, expert
meetings and internal discussions within the leading team. Questions for the Future Groups are
prepared in a way that they provide systematically input for the model. Here, we list possible future
scenarios that include identified changes and drivers. They are provided to facilitate discussion.

Supply chain security maintains important role during the next decade. Several raw
materials and new markets are still outside the European borders. Transportation routes
pass through vulnerable straits and chokepoint e.g. Suez Canal and unstable countries.
Northwest Passage can be a new alternative during the next decades, but contains
unpredictable risks and challenges. Recently, Iran’s publicly expressed threat to close key
oil shipping lane through Strait of Hormuz has increased military readiness on the area and
raised the price of crude oil. Piracy off the coast of Somalia has made a multinational
coalition task force to establish a Maritime Security Patrol Area within the Gulf of Aden.
Globalization determines fluent and predictable flow of goods, components and raw
materials to Europe, consequently security of supply chains remains on the common
agenda of different economic areas and countries. Frequent disruptions and threats require
new conceptualizations e.g. in a form of public-private partnerships.

Critical Infrastructure remains as a one of the key concerns in the future. Critical
infrastructure can be characterized as complex system that means increasing diversity
among its components and non-linear interactions. Critical energy infrastructure is open
and responsive to changes in global framework, which makes it harder to define boundaries
for political decisions. Additionally, EU is increasingly more dependent on non-EU energy
sources and technology that decreases visibility over energy production and distribution
and increase need for international agreements and policies.

Prolonged foreign political conflicts without reasonable political exit generate almost
systematically new terrorist attacks and new terrorist organizations with or without political
agenda (incorrigible terrorism). Increasing incorrigible terrorism can be extreme
challenging, because there is no belief in finding political or diplomatic pathways out of the
problems by addressing its underlying causes. EU and international organizations are
forced to develop new concepts (possibly combination of several political, technological and
social measures) in order to be able to respond to threats and stop vicious development in
unstable countries.

Criminal organizations are not organisations that can be studied outside of the system, thus
they are players inside the international system. According Europol criminal groups exploit
efficiently commercial and passenger transport infrastructure and shorten supply chains by
means of container shipments, air freight, light aircraft and the Internet (OCTA, 2010). As a
result, counterfeit commodities e.g. cigarettes, toys, brand clothes, medicines, toothpaste,
deodorants, condoms, washing products, electrical items, food and beverages find their
routes to Europe more efficient and often than ever before. Consumers and retailers
participate unintentionally in criminal market operations. Because criminal organizations
operate as part of the international system they are capable to influence economies of
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 139

sovereign states, change values and beliefs of citizens and invest in new technology
development that benefits their own aims in the future. Combatting against international
organized crime requires new forms and concepts that collects citizens, companies and
authorities together broader than before.

Economic development (economic and social change), especially in new developed

countries, increases demand for meat products (changes in values), which leads to
increasing use of natural resources. Population growth in developing countries increases
demand for grain (also raw material for meat production) that accelerate unsustainable use
of natural resources (environmental change) and leads to higher food and oil prices
(economic and social change). Fair and sustainable use of limited natural resources
requires international policies, regulations and action forces.

The system of human values has become broader than ever and as a result we can expect
that the technological and environmental changes will be used for different (positive and
negative) goals. As example human beings can be more capable and willing to create new
CI objects and to destroy this system of objects and relations. As a result, EU should have
capabilities to stimulate the positive and to react against the negative changes.

Technological changes are much more intensive, with shorter life cycle, while changes in
the environment are slower and the results become visible after a longer period of time.
This feature should be considered when evaluating the impact of technological change and
changes in the environment on economic and social environment, value system and EU
and international system change. EU must implement active (not adaptive) management
policy against the changes in the economic and social sphere. The focus of this policy
should be efforts to prevent and protect, mitigate risk and build capabilities for response in
case of crises of various kinds

EU is under structural debates what makes it special challenge to anticipate the future. As
a result of weak European leadership public economic discipline was undone, which led to
low economic resistance against unpredictable economic changes. Increasing financial
constraint may reduce the resources available to public authorities to combat internal
security threats. Differences within Europe can cause weak spots that organized criminals
can use for illegal immigration and smuggling (south east of the EU, the Western Balkan
countries). European security strategy must consider different financial capabilities and
asymmetries between Member States.

Individual major EU members have rather different areas of core interests, leverage and
outreach, (see UK, F, GE) and they change, partly contracting (e.g. UKs East-of-Suez
policy), partly expanding (e.g. through anti-piracy-operations). For the EU as “Institutional
Europe” it would be premature to define geographic characteristics of outreach etc. It will
become decisive in the future, but in the absence of EU global strategies it will be driven by
major MSs or be non-existent.
140 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

13 List of Questions

13.1 Questions for foresight EU scenarios

EU roles and international system

What will be the level of interdependences between EU countries in the future? (will some EU
countries try to exit the EU?)

How well you believe that the EU will be able to act and reassess policies in complex situations as
financial crises and/or emergency situations? (how easy will be to develop common plans and
strategies?)

The Council directive 2008/114/EC “Identification and designation of European critical

infrastructures and the assessment the need to improve their protection” covers elements that are
not addressed by the European Programme for Critical Infrastructure Protection (EPCIP).

Which other elements need to be prioritized and regulated by legislation?

What new EU roles are needed for the neglected elements?

Is there a need for special roles to address ICT and SCS?

Need for specific legislation?

Describe 4 most important geopolitical changes you are expecting outside the EU?

In view of the above answers, what main changes you expect to happen in terms of foreign EU
policy? What will be the role of the following bodies:

The European External Action Service.

The Joint European Union Situation Centre.

European Defence Agency.

European Institute for Security Studies.

Economy and social

Globalization has increased the competitiveness of European industries:

Do you see any future changes of this trend?

Will the EU continue stimulating it?

What main changes in EU economy you expect from globalization?

Do you expect changes in migration to EU? What would be the impact on EU economy?

What do you believe are the main consequences of saving gaps on EU economy?
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 141

What is the impact on EU economy of booms and bursts?

What changes you expect in demand and prices of energy and natural resources?

What will the EU do to reduce poverty and social exclusion?

Technology

What main technology areas are relevant from the perspective of CIP? What main changes will
take place in the future?

What main technology areas are relevant from the perspective of SCS? What main changes will
take place in the future?

What technology progresses will be done in the area of ICT/Cyber security?

Environment

Are you expecting a rise of the average temperature in the future?

What could be the main environmental consequences of global warming in the future?

What would be the impact of global warming on Critical Infrastructure/Supply chains/ICT?

Values

Do you know any significant changes of values in EU that should be taken into account in our
foresight scenario analysis?

Do you expect significant religious changes in EU?

Do you expect significant ideologies changes in global terrorism?

Security

What security threats on CIP you expect in the future?

What cybersecurity threats you expect in the future?

What supply chain security threats you expect in the future?

What security threats are relevant for critical supplies to EU?

What will be the threats relevant for EU customs or Law enforcement agencies?

In which situations will use of dual-use capabilities be required?

Use the answers given above and ask experts to establish links in the matrix:
142 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

Environment
Technology
Economy &

EU ROLES

POLICIES
Security

Politics

Values
Social
Security

Politics

Economy
and Social

Technology

Environment

Values

EU ROLES

EU
POLICIES

The above impacts should have a central emphasis: changes in EU roles.

When the impact on EU roles will be depicted we may ask:

Do you believe that today's EU roles already address the issues? or do we need new roles and
responsibilities?

13.2 Questions for future security research

What is the on-going research studying the following:

Security of CIP.

Security of ICT.

Security of critical supplies.

What are the gaps of existing research in the following areas:

FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 143

Security of CIP.

Security of ICT.

Security of critical supplies.

In view of these gaps what sort of research is needed?

Which disciplines should address these gaps and how?

What is the status of research and which disciplines are involved in current security research
studying EU roles in security?

How do you believe that current research can support the new roles, responsibilities and policies
identified in previous section?

What difficulties you expect?

How can these difficulties be overcome? (new disciplines involved, methodologies, collaborative
projects etc.)
144 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

14 Recommended Resources

AGD, 2007. Critical Infrastructure Protection Modelling and Analysis Program, Tasking and
Dissemination Protocols. October 2007. Australian Government, Attorney-General’s Department.
Web: www.ag.gov.au

Baker, G.H., 2004. A Vulnerability Assessment Methodology for Critical Infrastructure Facilities.
www.jmu.edu/iiia/webdocs/Reports/Facility%20Assessment%2005-07.pdf

CEC, 2005. Green Paper on a European Programme for Critical Infrastructure Protection.
Commission of the European Communities. Brussels, 17.11.2005. COM(2005) 576 final.

Dalziell,E.P. & S.T McManus, 2004. Resilience, Vulnerability, and Adaptive Capacity: Implications
for System Performance. Dept of Civil Engineering, University of Canterbury, New Zealand.
http://www.ifed.ethz.ch/events/Forum04/Erica_paper.pdf

Dunn, M. & I. Wiegert, 2004. Critical Information Infrastructure Protection. International IIP
Handbook. ETH, Zuerich, 405p.

Dunn Cavelty, M. & M.Suter, 2009. “Public-Private Partnerships are no silver bullet: An expanded
governance model for Critical Infrastructure Protection”, International Journal of Critical
Infrastructure Protection, doi:10.1016/j.ijcip.2009.08.006.

EC, 2006. The European Programme for Critical Infrastructure Protection (EPCIP). MEMO/06/477.
European Commission, Brussels, 12 December 2006.

EMA, 2003. Critical infrastructure emergency risk management and assurance. Handbook.
Emergency Management Australia. January 2003. www.ema.gov.au.

EOS Supply Chain Security Working Group, 2009. “White Paper: A European Approach for
Integrated Supply Chain Security”, European Organization for Security, November.

ESRIF, 2009. European Security Research and Innovation Forum (ESRIF). Final Report. EU,
Brussels 2009, 311p.

EU Council, 2008. COUNCIL DIRECTIVE 2008/114/EC of 8 December 2008 on the identification

and designation of European critical infrastructures and the assessment of the need to improve
their protection.

FEMA, 1996. Guide for All-Hazard Emergency Operations Planning. State and Local Guide (SLG)
101. FEMA.

FORESEC (2009). Cooperation in the Context of Complexity: European Security in Light of

Evolving Trends, Drivers, and Threats, FORESEC Final report. Retrieved from
www.foresec.eu/wp3_docs/Foresec_report.pdf.

FORWARD (2010). Deliverable D3.1: White book: Emerging ICT threats. http://www.ict-
forward.eu/.

Gilles, B. (Coord.), A. Michalski &L. R. Pench, 1999. Scenarios Europe 2010, Five Possible
Futures For Europe, Working Paper, European Commission Forward Studies Unit, July 1999.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 145

Guthrie, V.H. & Walker, D.A., 2005. Modelling Security Risk. ABSG Consulting, Inc.; Knoxville,
Tennessee. www.abs-jbfa.com

Haimes, Y.Y., 2005. Risk-Based Framework for Modelling Infrastructure Interdependencies. In:
USC Terrorism Risk Analysis Symposium. Los Angeles, California, January 14, 2005.

Hardenbrook, B., 2006. Critical Infrastructure Interdependencies and Regional Public–Private

Partnerships. Pacific NorthWest Economic Region (PNWER). www.pnwer.org.

Hintsa, J. (2011). Post-2001 Supply Chain Security - Impacts on the Private Sector. Lausanne:
HEC University of
Lausanne.http://www.techforesight.ca/Publications/CanadianStrategicSecurityChallenges2015.pdf.

Hoyt, J, 2003. “Critical Infrastructure Protection (CIP)”, Homeland Security, September 11,,
http://www.hsdl.org/?view&did=479282.

Lee, E.E. et al., 2004: Extreme Events and the Sustainability of Civil Infrastructure Systems.
Department of Decision Sciences and Engineering Systems, Rensselaer Polytechnic Institute,
Troy, New York. www.rpi.edu/~mitchj/papers/sustainability.pdf

Moteff, J, C. Copeland & J. Fischer, 2003. Critical Infrastructures: What makes an Infrastrucuture
Critical? Report for Congress, CRS Web, Order Code RL31556.

Niemeyer, K. (2005). Simulation of Critical Infrastructures. Information & Security: An International

Journal 17, pp. 120-143. http://infosec.procon.bg/.

Peerenboom, J.,2001: Infrastructure interdependencies: overview of concepts and terminology. In:

National Science Foundation Workshop, June 2001. Argonne National Laboratory, Infrastructure
Assurance Center, Argonne, IL.

Popov, P. (2011). Preliminary Interdependency Analysis (PIA): Method, Tool Support and Data
Analysis. Proceedings of the first International Workshop on Critical Infrastructure Safety and
Security (CrISS-DESSERT 2011), Kirovograd, Ukraine.

Procházková, D., 2007a: Methodology for Estimation of Costs for Renovation of Territory Affected
by Disaster. In Czech. SPBI SPEKTRUM XI Ostrava, ISBN 978-80-86634-98-2, 251p.

Procházková, D., 2007b: Human System Safety. In Czech. SPBI, Ostrava, 139p. ISBN 978-80-
86634-97-5.

Procházková, D., 2009a: Critical Infrastructure Safety Management. In: Reliability, Risk and
Safety. Theory and Applications. ISBN 978-0-415-55509-8, CRC Press / Balkema, Leiden 2009,
1875-1882, CD ROM ISBN 978-0-203-85975-9.

Procházková, D., 2009b: Problems of Longterm Failures of Critical Infrastructure. In Czech. Report
for Czech Ministry of Interior –Institute for Public Protection, Praha 2009, 157p.

Procházková, D., 2009c: Critical Infrastructure and Principles for Its Safety. In Czech. In:
Technologies and Prosperity, Praha 2009, CD ROM, ISBN 978-80-87205-09-9, p. 84.

Procházková, D., 2009d: CI Failure Causes Database. In Czech. Private Archives.

PWC. (2011). Securing the supply chain. Transportation & Logistics 2030, Volume 4.
146 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

Shell.(2008). Shell Energy scenarios to 2050. Shell International BV. http://www-

static.shell.com/static/aboutshell/downloads/our_strategy/shell_global_scenarios/SES%20booklet
%2025%20of%20July%202008.pdf

Smith, J. E., 2007. “Strategic Security Challenges: Looking Ahead Towards 2015?”.

Svendsen, N.K., Wolthusen, S.D., 2007: Connectivity Models of Interdependency in Mixed-type

Critical Infrastructure Network. Information Security Technical Report 12 (2007) 44 – 55. Elsevier,
12 March 2007.

Urciuoli, L. (2011), Physical Distribution Security: a survey of Swedish Transportation carrier,

Doctoral Thesis, Lund University.

US DHS, 2003. The National Strategy for Physical Protection of Critical Infrastructures and Key
Assets., U.S. Department of Homeland Security. The White House. Washington D.C., February
2003. 96 p.

Wenger, A. & S. Bonin 2007. “ Biological Risks: Protection From Pandemics And Bioterrorism”,
CSS Analyses in Security Policy, Vol. 2 , No. 5, January.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 147

15 Bibliography

Aaltonen, M. (2007). The Third Lens. Multi-ontology Sense-making and Strategic Decision-making.
Emergence Complexity Organization , 151.
Ackerman, E., & E. Guizzo (2011), 5 Technologies That Will Shape the Web, Retrieved from
http://spectrum.ieee.org/telecom/internet/5-technologies-that-will-shape-the-web/0.
Alexander, C. J. & L. A. Pal (eds.) (1998). Digital democracy: policy and politics in the wired world.
Toronto: Oxford University Press.
AON (2012). Terrorism. http://www.aon.com/risk-services/crisis-management/terrorism.jsp
ASCE (2009). Quantify, communicate and manage risk. In A. S. Engineering, guiding principles for
the nation's critical infrastructure. Virginia: American Society of Civil Engineering.
Atos Consulting (2010). Look out 2010+.
Australian National Security.(n.d.). What is critical infrastructure? Retrieved 2007 May from
www.ag.gov.au/agd
Balfour, R. Emmanouilidis, J. A., & Zuleeg, F. (n.d.). European Policy Center. Retrieved December
4, 2011, from Political trends and priorities 2011-2012:
http://www.epc.eu/documents/uploads/pub_1204_political_trends_and_priorities_2011-
2012.pdf
Balzarotti, D. (ed.) (2011). SySSec Project Deliverable D4.1: First Report on Threats on the Future
Internet and Research Roadmap. Retrieved from www.syssec-project.eu/media/page-
media/3/syssec-d4.1-future-threats-roadmap.pdf.
Bhimani, A. (n.d.). Economic Trends in Europe: Seeing risks as opportunities. Retrieved December
15, 2011, from The ISMAILI: http://www.theismaili.org/cms/347/Economic-trends-in-Europe-
Seeing-risks-as-opportunities
Buckland, B., Schreier, F., & Winkler, T. H. (2010). Democratic Governance Challenges of Cyber
Security, DCAF Horizon 2015 Working Paper No.1, Geneva: Geneva Centre for the
Democratic Control of Armed Forces. Retrieved from
http://genevasecurityforum.org/files/DCAF-GSF-cyber-Paper.pdf.
Capros, P., Mantzos, L., De Vita, A., & Kouvaritakis, N. (2009). EU Energy Trends to 2030.
Director-General for Energy.
Castells, M. (1998). The rise of the network society. Reprint. Malden, MA: Blackwell.
CBP Website (n.d.). From
http://www.cbp.gov/xp/cgov/trade/cargo_security/ctpat/what_ctpat/ctpat_overview.xml
CBP website (n.d.). Retrieved 2011 December from
http://www.cbp.gov/xp/cgov/trade/cargo_security/csi/
CBRA working paper No. 114. (2012). Analysis of criticality of supplies to EU27.

Center for Problem Oriented Policing (2012). Retrieved 2012 January from
http://www.popcenter.org/about/?p=sara
Chapman, D. W. (1962). A brief introduction to contemporary disaster research, in G. W. Baker &
D. W. Chapman (eds.), Man and society in disaster. New York: Basic Books, 3-22.
148 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

CISCO (2011). The Cisco Connected World Technology Report, September 21, 2011, Retrieved
from www.cisco.com/en/US/solutions/ns341/ns525/ns537/ns705/ns1120/CCWTR-Chapter1-
Report.pdf.
COM 2020, 2 (2010). Europe 2020. A strategy for smart, sustainable and inclusive growth.
Brussels: EC.
Conex Website (n.d.). ICS via conex. Retrieved 2011 December from http://www.ics-import-
control-system.net/
Council Directive (2008 23-December). Official Journal of the European Union. Retrieved 2012 8-
January from http://eur-
lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:345:0075:0082:EN:PDF
Czech Republic. (2002). Recommendation of Czech Republic Safety Board. Resolution No. 4.
Department of Homeland Security (2006). “National Infrastructure Protection Plan”. From
www.dhs.gov
Department of Homeland Security Website (n.d.). Retrieved 2011 December from
http://www.dhs.gov/xabout/history/
Department of Homeland Security. (n.d.). From
http://www.dhs.gov/files/programs/gc_1218476542736.shtm#8
DG-TRADE (u.d.). Retrieved from Countries and regions - Bilateral relations:
http://ec.europa.eu/trade/creating-opportunities/bilateral-relations/countries-and-regions/ den
22 November 2011.
Digital Agenda for Europe (2010) Digital Agenda for Europe 2010-2020. Brussels: The European
Commission. Retrieved from http://ec.europa.eu/information_society/digital-
agenda/index_en.htm.
Emerson et al. (2011) Upgrading the EU´s Role as Global Actor – Institutions, Law and
Restructuring European Diplomacy, Centre of European Security Studies report.
EPCIP (2007). Communication from the Commission of 12 December 2006 on a European
Programme for Critical Infrastructure Protection [COM(2006) 786 final – Official Journal C 126
of 7.6.2007].
http://europa.eu/legislation_summaries/justice_freedom_security/fight_against_terrorism/l3326
0_en.htm#KeyTerms
EU Commission (2006). Annex 30A of Commission Regulation 1875/2006 lists required data
elements of the ESD.
EU Commission (2011). The EU Internal Security Strategy in Action: Five steps towards a more
secure Europe. Brussels: Communication from the commission to the European Parliament
and the Council.
EU Commission (2011, November 25). First annual report on the implementation of the EU Internal
Security Strategy. Retrieved December 2011, from http://eur-
lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2011:0790:FIN:EN:PDF
EU & WTO (u.d.). Retrieved from The Doha Round - for EU submissions to the WTO during the
Doha Round: http://ec.europa.eu/trade/creating-opportunities/eu-and-wto/doha/ den 12
December 2011
Europe (2011) How does the EU work?, Europe in 12 lessons. Retrieved from
http://europa.eu/abc/12lessons/lesson_4/index_en.htm 12 December 2011
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 149

European Commission (u.d.). European Commission: Trade: Free Trade Agreements. Retrieved
from Bilateral relations Free Trade Agreements:
http://ec.europa.eu/enterprise/policies/international/facilitating-trade/free-trade/index_en.htm
January 2012.
European Commission (2004 20-October). Communication from the Commission to the Council
and the European Parliament - Critical Infrastructure Protection in the fight against terrorism.
Retrieved 2012 10-Januray from http://eur-
lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52004DC0702:EN:NOT
European Commission (2006). Green Paper on a European Programme for Critical Infrastructure
Protection. Retrieved 2012 10-January from Liberty & Security:
http://www.libertysecurity.org/article718.html
European Commission (2008). Restrictive Measures 2008.
European Commission (2011). Retrieved from Tackling the challenges in commodity markets and
on raw materials: http://eur-
lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2011:0025:FIN:EN:PDF den 12 November
2011
European Commission (2011). European Commission Home Affairs. Retrieved 2011 December
from http://ec.europa.eu/home-affairs/policies/iss/internal_security_strategy_en.htm
European Union (2010). Employment and Social Developments in Europe 2011. Retrieved
December 15, 2011, from European Commission Directorate-General for Employment, Social
Affairs and Inclusion - Directorate A:
http://ec.europa.eu/social/BlobServlet?docId=7266&langId=en
Europol. (2011) Organized Crime Threat Assessment (OCTA). Retrieved October 2011, from
http://mobile.europol.europa.eu/content/press/europol-organised-crime-threat-assessment-
2011-429
Federal Office for Information and Security (n.d.). Critical Infrastructure Protection in Germany.
Retrieved 2012 11-January from www.bsi.de/english/topics/topics/kritis/KRITIS in
Germany.pdf
FOCUS Deliverable 2.1 (2011). Report describing and defining the methodology. Retrieved from
http://www.focusproject.eu/documents/14976/15032/FOCUS+D2.1+Report+describing+metho
dology.pdf
FORESEC (2009) Cooperation in the Context of Complexity: European Security in Light of
Evolving Trends, Drivers, and Threats, FORESEC Final report. Retrieved from
www.foresec.eu/wp3_docs/Foresec_report.pdf
FORWARD Consortium (2010). D3.1 White Book: Emerging ICT Threats. Retrieved from www.ict-
forward.eu/media/publications/forward-whitebook.pdf.
Ghannam, J. (2011). Social Media in the Arab World: Leading up to the Uprisings of 2011.
Washington, D.C.: Center for International Media Assistance. Retrieved from
http://cima.ned.org/sites/default/files/CIMA-Arab_Social_Media-Report%20-%2010-25-11.pdf.
Greig, M. J. (2002). The end of geography? Globalization, communications, and culture in the
international system. Journal of Conflict Resolution, 46(2), 225-243.
150 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

Goldman Sachs. (2011, April). Introducing growth markets. Retrieved January 26, 2012, from
http://www2.goldmansachs.com/our-thinking/global-economic-outlook/intro-growth-
markets/index.html
Hintsa, J. (2011). Post-2001 Supply Chain Security - Impacts on the Private Sector. Lausanne:
HEC University of Lausanne.
HM Revenue and Customs (n.d.). HM Revenue and Customs. Retrieved December 2011, from
http://customs.hmrc.gov.uk/channelsPortalWebApp/channelsPortalWebApp.portal?_nfpb=true
&_pageLabel=pageImport_ShowContent&propertyType=document&id=HMCE_MIG_009926
Homeland Security Presidential Directive Seven. (2003). Homeland Security Presidential Directive
Seven (HSPD-7). Retrieved from http://www.dhs.gov/xabout/laws/gc_1214597989952.shtm#1
January 2012.
IMO (2012). Piracy and armed robbery against ships. Retrieved from
http://www.imo.org/OurWork/Security/PiracyArmedRobbery/Pages/Default.aspx December
2011.
International Maritime Organization Website (n.d.). International Maritime Organization. Retrieved
2011 December from ISPS Code:
http://www.imo.org/ourwork/security/instruments/pages/ispscode.aspx
International Maritime Organization (n.d.). Retrieved 2011 December from
http://www.imo.org/about/conventions/listofconventions/pages/international-convention-for-the-
safety-of-life-at-sea-(solas),-1974.aspx
International Organization for Standardization Website (n.d.). International Organization for
Standardization . Retrieved 2011 December from ISO 28000:2007:
http://www.iso.org/iso/catalogue_detail?csnumber=44641
INTERPOL (2012). INTERPOL – connecting police for a safer world. Retrieved from
http://www.interpol.int/ December 2011.
ISO (2012). Risk management principles and guidelines. Retrieved from
http://www.iso.org/iso/catalogue_detail?csnumber=43170 November 2011
ISO 28000 (2012). New suite of ISO supply chain management standards to reduce risks of
terrorism, piracy and fraud. Retrieved from
http://www.iso.org/iso/pressrelease.htm?refid=Ref1086 January 2012.
Iyengar, S., R. C. Luskin & J. S. Fishkin (2003). Facilitating informed public opinion: evidence from
face-to-face and online deliberative polls. Retrieved from
http://cdd.stanford.edu/research/papers/2003/facilitating.pdf.
Kanninen, T. (2007). A Political Early Warning-response System to Address Global and Regional
Threats. In M. Aaltonen, The Third Lens: Multi-ontology Sense-making and Strategic Decision-
making (pp. 49-76). Ashgate Publishing Limited.
LOGSEC. (2011). Development of a strategic roadmap towards a large scale demonstration
project in European logistics and supply chain security. Project ID: 241676.
Minchev, Z. & V. Shalamanov (2010). Scenario Generation and Assessment Framework Solution
in Support of the Comprehensive Approach. In RTO-MP-SAS-081, Symposium on “Analytical
Support to Defence Transformation,” Boyana, Bulgaria, April 26-28, 22-1 – 22-16.
Ministry of Interior (2005). Netherlands Report on Critical Infrastructure Protection. Netherlands.
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 151

National Council on Public Works Improvement. (1988). Fragile Foundations: A Report on

America’s Public Works, Final Report to the President and Congress. Washington D.C.
Niemeyer, K. (2005). Simulation of Critical Infrastructures. Information & Security: An International
Journal 17, pp. 120-143. http://infosec.procon.bg/
North Atlantic Electronic Reliability Corporation (n.d.). From
http://www.nerc.com/page.php?cid=2%7C20
Ordnance #18. (2011). On the establishment and designation of European Critical Infrastructures
in Bulgaria and measures for their protection. 18 February 2011.
Outcome of the European Convention (n.d.). The founding principles of the Union. Retrieved from
EUROPA: http://europa.eu/scadplus/european_convention/objectives_en.htm 11 January
2012.
Pawson, R., K. Walshe, T. Greenhalgh, T. & G. Harley (2006). Realist synthesis: an introduction.
Methods. University of Manchester: ESRC Research Methods Programme.
Popov, P. (2011). Preliminary Interdependency Analysis (PIA): Method, Tool Support and Data
Analysis. Proceedings of the first International Workshop on Critical Infrastructure Safety and
Security (CrISS-DESSERT 2011), Kirovograd, Ukraine.
President’s Commission on Critical Infrastructure Protection (1997). Critical Foundations:
Protecting America’s Infrastructures.
Presidential Decision Directive 63 (1997). Retrieved from http://www.fas.org/irp/offdocs/pdd/pdd-
63.htm
Public Safety Canada (n.d.). About Critical Infrastructure. Retrieved 2008 January from www.ps-
sp.qc.ca
PWC (2011). Securing the supply chain. Transportation & Logistics 2030, Volume 4.
Rapoport, D. C. (2004). the Four Waves of the Modern Terrorist. In A. K. Cronin, & J. M. Ludes,
Attacking Terrorism. Washington: Georgetown University Press.
Rouvinen, P., Vartia, P., & Ylä-Anttila, P. (2007). Seuraavat sata vuotta, Aikamatka maailmaan ja
Suomeen. Helsinki: The Research Institute of the Finnish Economy.
Schreier, F., Weekes, B., & Winkler, T. H. (2011). Cyber Security: The Road Ahead, DCAF Horizon
2015 Working Paper No.4. Geneva: Geneva Centre for the Democratic Control of Armed
Forces. Retrieved from www.dcaf.ch/Publications/Publication-Detail?lng=en&id=126370.
Sophos Security Threat Report (2011). The Security Threat Landscape: Where We Were and
Where We're Going. Retrieved from www.sophos.com/en-us/security-news-trends/security-
trends/security-threat-report-2011.aspx.
Symantec Internet Security Threat Report (2011). Trends for 2010, Volume 16. Retrieved from
http://msisac.cisecurity.org/resources/reports/documents/SymantecInternetSecurityThreatRep
ort2010.pdf.
SySSec. (2012). Managing Threats and Vulnerabilities in the Future Internet. Retrieved from
http://syssec-project.eu
TAPA EMEA. (n.d.). From
http://tapaemea.com/public/trucking_security_requirements.php?nav=4&subnav=3
152 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

TAPA EMEA. (n.d.). Retrieved from

http://www.tapaemea.com/public/freight_security_standards.php?navId=4&subnavId=1&subna
v2Id=2
TAPA EMEA (n.d.). Retrieved 2011 December from
http://tapaemea.com/public/profile.php?navId=1&subnavId=2&PHPSESSID=53b226e8d17cd0
485ed594979a46e7ee
The Change Institute for the European Commission (2008). Studies into violent radicalization; the
beliefs, ideologies and narratives. London: Directorate General Justice, Freedom and Security.
TI (2012). Transparency International – the global coalition against corruption. Retrieved from
http://www.transparency.org/
Tranfield, D., D. Denyer, D., & P. Smart (2003). Towards a Methodology for Developing Evidence-
Informed Management Knowledge by Means of Systematic Review. British Journal of
Management, 14(3) , 207-222.
U.S. Congressional Budget Office. New Directions for the Nation’s Public Works.
Union for the Co-ordination of Transmission of Electricity (UCTE) (n.d.). From www.ucte.org
United Kingdom Home Office Security (n.d.). Counter Terrorism Strategy: Protecting the Critical
National Infrastructure. Retrieved 2012 11-January from www.security.homeoffice.gov.uk
UNODC. (2002). Results of a pilot survey of forty selected organized criminal groups in sixteen
countries. Global programme against transnational organized crime. Retrieved from
http://www.unodc.org/pdf/crime/publications/Pilot_survey.pdf
Wikipedia. (2011). Retrieved 2012 January from http://en.wikipedia.org/wiki/Supply_chain_security
Wired (2011). Organized Crime: The World's Largest Social Network. Retrieved from
http://www.wired.com/magazine/2011/01/ff_orgchart_crime/ December 2011
World Customs Organization. (2007). WCO SAFE- Framework of Standards. Retrieved from
http://www.wcoomd.org/files/1.%20Public%20files/PDFandDocuments/SAFE%20Framework_
EN_2007_for_publication.pdf December 2011.
Zoll Germany. (n.d.). Retrieved from http://www1.zoll.de/english_version/h0_ics/ind
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 153

ANNEX 1

FOOD AND LIVE ANIMALS

Examining the proportion of import to EU27 in 100kg, the EU27 is largely dependent on Latin
America (Brazil & Argentina) who are the main suppliers, covering about 45% of total imports of
food and live animals. These countries have a widespread cultivation of crops with GMOs (gene
modified organisms) that are domestically approved but not EU-approved. As EU laws become
more stringent it could lead to potential trade disruptions, with shortages in supplies. A temporary
halt in imports is also possible. Stricter requirements for testing for EU-certification or sudden
shortages in supplies may result in higher prices in the EU. The sudden outbreak of a pandemic
disease (like the Foot and Mouth crisis in Brazil) might recur and cause serious trade disruptions,
as the EU is rather dependent on exports from one region(CBRA working paper No. 114, 2012).

In monetary values, (€ in left diagram in Figure 20) the situation is similar and presents only small
differences. About 12.08% of total food and live animal supplies trade in the EU are done with
Brazil. Argentina is positioned in the second with a 7.61% food and live animal imports. United
States exports 6.24% of the total food and live animal in the EU. After that, China exports 5.29%,
Turkey exports 4.31%, Thailand exports 3.31% and Cote d’Ivoire exports 3.01%. The rest 58.14%
food and live animals are traded from other countries (CBRA working paper No. 114, 2012).

Figure 20 Proportion of food and live animals imports to EU27 in € (left diagram) and 100kg (right diagram).

BEVERAGES AND TOBACCO

From a quantity perspective (kg), the distribution of beverage and tobacco imports is quite even.
There is a slightly higher dependence on Switzerland, which may not pose significant risks to the
EU27’s critical supplies, since this country could be substituted by the US Australia, Chile and
South Africa by slightly increasing their imported amounts (right diagram in Figure 21). The
situation appears much different when analyzing the import proportion from the value of the goods
viewpoint. EU is dependent on the United States for 17.75% of the total beverages and tobacco
supplies. Brazil supplies 9.63%, Australia supplies 8.12%, Chile supplies 8.09%, South Africa
supplies 6.39%, Mexico supplies 3.17%, and New Zealand supplies 3.08% of total beverages and
tobacco in the EU. The rest of 43.78% is supplied by other countries including Romania’s
contribution of 6.36% of the total supply (left diagram in Figure 21). Hence, we may deduce that
whenever Switzerland will stop exporting beverages and tobacco there is the risk that to replace
154 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

the deficit a higher expenditures will be required by the EU27 (CBRA working paper No. 114,
2012).

Figure 21 Proportion of beverages and tobacco imports to EU27 in € (left diagram) and 100kg (right diagram).

CRUDE MATERIALS, INEDIBLE, EXCEPT FUEL

The analysis of the quantity imported unveils that a quarter of total EU imports come from Brazil.
Although the EU is still the main importer for Brazil, there has been a surge in demand for Brazilian
exports to China. This has resulted in a slight decrease in exports to the EU. Growing trade
relations between Brazil and China, may disrupt supplies to the EU. Moreover there is a rising
demand for crude materials in emerging economies, including Brazil’s domestic market. This may
result in a global shortage in supply. Industrialized nations like the U.S., have begun stockpiling
raw materials to tackle future shortages, but the EU has no such policy of safeguarding its
resources. Hence, the EU might be particularly affected in case of sudden shortages in supplies
(right diagram in Figure 22). From the value of imported goods perspective, the countries that
dominate are Brazil and the United States. They supply 16.66% and 11.08% of value respectively.
With 6.84% of supply Canada is positioned in the third. Afterwards, Russia supplies 5.52%, China
supplies 3.94%, Ukraine supplies 3.66%, Chile supplies 3.54%, South Africa supplies 3.45%, Peru
supplies 3.12%, and the rest of 42.20% are supplied by other countries (left diagram in Figure 22)
(CBRA working paper No. 114, 2012).

Figure 22 Proportion of crude material, inedible, except fuels, imports to EU27 in € (left diagram) and 100kg
(right diagram).

MINERAL FUELS, LUBRICANTS & RELATED MATERIALS

FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 155

Examining the quantities imported, the EU is relatively more dependent on Russian exports. This
might imply increased pressure on EU-Russia borders e.g. transport routes and customs points.
Avoiding truck congestion might be an issue. Moreover, Russia has a very high rate of supply
chain thefts. Cargo security is a matter of concern for Russia. These may pose risks of delays or
disruption in supplies to the EU. Russian ties with the Baltic States are not the best at the moment,
but the latter is highly dependent on Russian exports of mineral fuels. Russia’s position as a
reliable trade partner for the EU might be questionable (right diagram in Figure 24). The proportion
of value imported tells that Russia is the major supplier of mineral fuels, lubricants and related
materials in the EU. Russia supplies about 33.73% of the total amount of mineral fuels, lubricants
and related materials followed by Libya 8.10%, countries and territories not specified for
commercial or military reasons in the framework of trade with third countries 6.93%, Algeria 5.72%,
Kazakhstan 4.02%, Nigeria 3.79%, and Saudi Arabia 3.54%. The rest of the supply, which is
30.56%, comes from other countries (left diagram Figure 24). Another deduction that can be made
is that a disruption of imports from Norway could cause a raise in the expenditures for the EU27
(CBRA working paper No. 114, 2012).

Figure 23 Proportion of Mineral Fuels, lubricants & Related materials, imports to EU27 in € (left diagram) and
100kg (right diagram).

ANIMAL AND VEGETABLE OILS, FATS AND WAXES

The EU is relatively dependent on Indonesia for the amount of this category imported. Indonesia
faces threats from terrorist organisations (e.g. Jemaah Islamiya ) which largely target western
interests and commerce. From this viewpoint, the Indonesia-EU trade routes are particularly
vulnerable. It is important to have in mind that Indonesia also has a high rating in terrorism and
other serious cargo crime and disruptions (right diagram in Figure 25). Likewise for animal and
vegetable oils, fats and waxes Indonesia and Malaysia have the largest values supplied. Indonesia
supply 30.12% of the total amount. Malaysia is the second supplying 17.21% of the total value
imported by EU27. Ukraine 7.47%, Philippines 5.8%, Papua New Guinea 5.02%, Argentina 4.61%,
Russia 3.29%, and other countries supply the rest of the 26.47% of total animal and vegetable oils,
fats and waxes (left diagram in Figure 25) (CBRA working paper No. 114, 2012).
156 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

Figure 24 Proportion of animal and vegetable oils, fats and waxes imports to EU27 in € (left diagram) and 100kg
(right diagram).

CHEMICALS AND RELATED PRODUCTS

Looking at the imported amount of chemicals supplies, the EU27 shows some dependence with
the Russian Federation, United States, Norway and Saudi Arabia. Despite this, the distribution of
imports is quite even. So we may suggest that the EU27 are less vulnerable to disruptions (right
diagram in Figure 26). Some differences may be notices examining the proportion of values
imported. EU27 are largely importing from the United States as it supplies 34.47% of the total
value. The other countries as China supplies 9.75%, Singapore supplies 6.53%, Japan supplies
5.76%, Russia supplies 4.17%, and India supplies 3.57% of the total value of chemicals and
related products. The rest of the 35.74% of the total value are supplied by several other countries
(left diagram in Figure 26). Given the difference we may expect that a loss of import from the
Russian Federation may imply an increase of EU27 expenditures, hence a higher economic impact
(CBRA working paper No. 114, 2012).

Figure 25 Proportion of chemicals and related products imports to EU27 in € (left diagram) and 100kg (right
diagram).
FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 157

MANUFACTURED GOODS CLASSIFIED CHIEFLY BY MATERIAL

From an amount viewpoint, China is relatively dominating but still the distribution of these imports
are relatively proportionate, which may not imply serious threats to the EU’s critical supplies (right
diagram in Figure 27). Similarly, examining the proportion of values imported (left diagram in
Figure 27) we see that about 21.28% of the total value of manufactures goods classified chiefly by
material are supplied by China, followed by Russia 8.71%, United States 7.29%, Turkey 4.78%,
South Africa 4.04%, and Japan 3.23%. The rest of the total amount, that is 44.79%, is cumulatively
supplied by other countries (CBRA working paper No. 114, 2012).

Figure 26 Proportion of manufactured goods imports to EU27 in € (left diagram) and 100kg (right diagram).

MACHINERY AND TRANSPORT EQUIPMENT

The EU remains largely dependent on Chinese imports of machinery and transport equipment.
China’s illicit exports of fake computers and its parts has caused much scandal. There is a risk of
more fake items finding its way into the EU27 market. One of the countries most prone to natural
disasters is China. In case of an occurence in a critical geographical location, EU27 imports might
be adversely affected (right diagram in Figure 27). From a value perspective, EU27 imports
significant flows from China, United States and Japan. China is the biggest supplier which supplies
32.90% of the total value, followed by the United States 15.13%, and Japan 10.06%. Also in this
case some significant differences in EU27 expenditures could appear in case a disruption of
Turkish flows happens (CBRA working paper No. 114, 2012).
158 D5.1 – Problem space report: Critical infrastructure & supply chain protection FOCUS

Figure 27 Proportion of machinery and transport equipment imports to EU27 in € (left diagram) and 100kg (right
diagram).

MISCELLANEOUS MANUFACTURED ARTICLES

Also for this category, the EU27 is highly dependent on China for the import of manufactured
goods. The highest number of counterfeit goods seized in the EU27 comes from China. This
implies longer customs procedures, brand reputation risks, product recalls etc. all of which might
delay or halt in supplies. Recently there has been a public outcry over unsafe Chinese imports
including unsafe children’s products. If the Chinese government fails to resolve this issue, there
might be temporary ban on certain EU27 imports from China, is the largest trading partner. This
might cause significant disruption of supplies to the EU27 (right diagram in Figure 29). From a
value viewpoint, the EU27 is tremendously dependent on China for the supply of miscellaneous
manufactured articles, as China alone provides 42.77% of the total supplies. After China, the
United States provide 11.56%, Turkey provides 5.19%, Japan provides 3.98%, India provides
3.94%, and other countries provide rest of the 32.56% of the total miscellaneous manufactures
articles (left diagram in Figure 20) (CBRA working paper No. 114, 2012).

Figure 28 Proportion of miscellaneous manufactured articles imports to EU27 in € (left diagram) and 100kg (right
diagram).

COMMODITIES AND TRANSACTIONS NOT CLASSIFIED ELSEWHERE IN SITC

FOCUS D5.1 – Problem space report: Critical infrastructure & supply chain protection 159

As shown in the right diagram in Figure 30, some of the countries importing to EU27 cannot be
traced. Among those that are available in the statistics it is possible to notice that Colombia and the
Russian Federation play a major role. Colombia has a high rate of illicit drug trafficking which
might find its way into the EU market through exports. Examining the values of imported
commodities, EU27 is dependent on countries that are not made available in the statistics:
countries and territories not specified for commercial or military reasons in the framework of trade
with third countries, 31.97% of the total value of supplies; countries not specified for commercial or
military reasons in the framework of trade with third countries 15.56%, and countries not specified
for commercial or military reasons in the framework of trade with third countries 9.71%. The only
countries that we can find in the statistics are United States 9.02%, Russia 8.54%, South Africa
3.76%, and other countries 21.45% (left diagram in Figure 30) (CBRA working paper No. 114,
2012).

Figure 29 Proportion of miscellaneous manufactured articles imports to EU27 in € (left diagram) and 100kg (right
diagram).