Ebook: Comprehensive Approach as “Sine Qua Non” for Critical Infrastructure Protection

The world in which we live today is becoming more and more complex, both from the viewpoint of ensuring security as well as of the strong dependence of the social community on technology, which is represented by so-called critical infrastructure. We are surrounded by a dynamic security environment in which we witness various security threats and risks - which even yesterday still seemed marginal. International terrorism is much overlooked and represents one of the most important threats for a normal functioning of the modern democratic society and its values. In the period after the terrorist attack in the United States of America (USA) we have witnessed the so-called anti-terrorism war, which has not managed to eliminate or lessen the reasons for emerging and establishing new terrorist networks.

When these factors are put into the context of the development of modern technology, we can see that the provision of security against terrorist threats is extremely difficult. Despite the efforts of national security entities in the national and international context, terrorist threats are not completely preventable. This means that it is necessary to prepare the functioning of the system, starting from the wider social community response to the occurrence of a terrorist attack, to an extent that it will quickly and effectively operate even in this type ofcrisis.

The coordination of authorities and services responsible for the first response in the event of a terrorist act is one basic requirement, which can significantly contribute to a more effective response and reduction of adverse effects. Of course, the economic and financial crisis puts us all in the position that would in the long term entail a reduction of resources for the functioning of the national security system and thus less efficient functioning of those parts of the system that are designed to respond to crisis first. On the other hand, every crisis can be an opportunity to achieve a more rational look at the system as a whole and critically define the role of each individual segment. Through a thorough analysis of national security systems, conducted after 11 September 2001, the main findings were primarily focused on the lack of coordination, duplication of responsibilities, non-systemic approaches and the capability development in the field of countering complex threats, which certainly include international terrorism. A few steps towards improving coordination and concerted action have definitely been done, but still not enough.

Due to rapidly changing environment and related forms of individual threats, which are increasingly moving into the cyber environment, the national security systems, which in many cases are burdened with bureaucratic approaches to changes, face great difficulties in monitoring this dynamics. In this respect, the largest problem lies in the countries which have luckily not yet been submitted to major terrorist threats, but are, due to this virtual safety, responding to terrorist risk much slower than other countries. In a mutually interdependent environment this can become a serious problem, since international terrorism knows no borders and in such environments, it benefits from exploiting the lack of system control measures. In the international community, it has long been recognized that an effective system of international response to terrorist threats can only be successful as much as individual countries, including those less well prepared. From this perspective, the above-mentioned crisis can be considered an advantage, in the sense that we are forced to respond more rationally to the structuring of the national security system and thus eliminate barriers of cooperation between line ministries, which just yesterday seemed insurmountable. The realization that the bodies of national security system are no longer a sufficient condition for a successful functioning of the counter-terrorism system is also strongly enforced. This process certainly requires the inclusion and participation of other non-state actors, which are developed in the framework of private and corporate security sector. To respond effectively to terrorist threats, it is important to mobilize a comprehensive range of levers, not necessarily of state character. The development of public and private partnerships is increasingly penetrating even to the area of security, thus these processes need to be seriously taken into account in building a stronger and more efficient system. If, however, this framework includes threats by individual terrorist groups to use the means of mass destruction, we see that effective participation of the full range of bodies and organizations is the key factor, which in the phase after a terrorist act, sufficiently maintains the effects of such an act at an acceptable level. Of course, there is always a dilemma, which is the acceptable level of risk management, because every human life is invaluable. However, as a suitable level one should look for a critical point that has to be attained for the society to establish normal functioning as soon as possible, despite a crisis situation.

Terrorist attacks do not only cause material damage; their effect is especially problematic from a psychological perspective. From this perspective, an effective system of responding to terrorist threats should not only include initial emergency measures to reduce damage to property and protect human lives, but should continue through later stages of managing post-traumatic disorders of individuals in a wider social environment. With the development of information and other technologies, the society has become complex and vulnerable. We live in an increasingly high-risk society. The positive aspects of development also bring several strongly negative consequences that can, in their extreme form, present an increasing threat to individual, national or international security. The remarkable development of technology has certainly facilitated progress in all segments of the functioning of the society. However, on the other hand, the dependence of the society on the functioning of technological systems is strong; a minor system malfunction might have important consequences for the functioning of the society. For this reason, the reliance on the functioning of this infrastructure has obvious direct and indirect impacts on its threat and represents a tempting target for international terrorist operations.

Due to the obvious interdependence, terrorist operations, which used to have local dimensions in the past, are now taking on new regional and global dimensions. The complexity of international relations and the functioning of the international system make national security systems interact with the regional and international environment. In fact, contemporary terrorism has helped the regional community recognize it as a regional phenomenon that requires regional response at different levels. Since terrorist activities are not confined to national borders, the international community can fight terrorism effectively only with the improvement of measures in the area of cooperation, organisation, solidarity between countries, initiatives combining different strategies and mechanisms, and specifically with an increased exchange of information that are important for countering this regional problem. That was one of the main goals of this NATO Advanced Research Workshop “Managing Terrorism Threats to Critical Infrastructure – Challenges for South Eastern Europe”, which was held in Belgrade, Serbia in 2014. The participants from fifteen NATO and partner countries and three international organisations had the opportunity to share their knowledge and experiences on the future improvement of critical infrastructure protection from various terrorist threats. At the same time a collaborative link between scientists and specialists in the region was created. This network of stakeholders will foster further collaborations and the exchange of ideas regarding critical infrastructure protection from terrorist attacks.

In this book, we presented and pointed out authors' main dilemmas and challenges that might influence the process of managing terrorist threats in the region of SEE. It also helps uncover a part of challenges which the complex security environment with its threats brings to the subjects of national, regional, as well as international security in South Eastern Europe.

In the end Editors, on their behalf and on the behalf of all authors, express their deep gratitude to NATO Emerging Security Challenges Division for the moral professional and financial support, which made possible organization of this event. The Editors wish to acknowledge with appreciation the assistance of Dr. Iztok Podbregar and Dr. Anita Perešin in reviewing the manuscripts for this publication.

Dr. Denis Čaleta

Institute for Corporative Security Studies

Dr. Vesela Radović

Faculty of Applied Security, University Educons

The paper points out the specific challenges of possible appearances, threats, risks and dangers to critical infrastructure caused by the activities of modern terrorism. Sensitivity and protection of networks and systems at the national level is priority for national security and the basics on prevention and coordination of measures and activities between the security services. Modern terrorism knows no borders, regions, states. It is focused on critical infrastructure, whose damage or destruction accelerates the motivation for achieving goals. Targets are: pipelines, telecommunications, information technology, financial systems, social, economic, industrial, medical and other important segments of the society, where important preventive roles have not only national, but also international actors and institutions, the European Union, NATO, OSCE, INTERPOL. The new millenium has shown that there is no country that is completely safe and protected from modern forms of asymmetrical threats. The World is “bombarded” with information on a daily basis about events that create feelings of insecurity, fear, threat and danger. Critical infrastructure have become the target of new forms of terrorist threats, known as cyber-terrorism, bio-terrorism, eco-terrorism, nuclear-terrorism and others. This suggests opportunities and the increasing effects of terrorist threats that are more difficultly controlled and managed. Republic of Macedonia follows the efforts of the international community in preventing and countering activities of modern terrorism. Besides participation in NATO operations for the establishment and provision of peace and security in crisis regions worldwide, national security structures have an important role in protecting national critical infrastructure. Contemporary aspects of prevention and protection in society are the basis for establishing, monitoring, detecting, preventing and managing the potential threats directed against critical infrastructure. Besides this, the paper contributes to defining the measures, activities and functions of state authorities in preventive action and combating modern terrorism aimed at social goods, critical infrastructure and security of society as a whole.

The dimeansions of global business acting together with the broad issue of cultural differentiation suggest that there may be no standardized answer as to whether corruption is necessarily bad for a national economy or if, on the contrary, it can even be found to inhibit economic growth to a certain level. However, there is no doubt it has been agreed that corruption as such is an example of unethical behavior. As such, also its impact on the possible disruption of the critical infrastructure may not be clearly identified. This paper, based on the theoretical grounds and findings of other researchers, aims to embed the question of corruptive business practices and behavior within the different frameworks and scopes of business dealing with public and critical infrastructure. Leaning on the findings from different pieces of investigation from around the world it finally concludes that there is no dichotomous solution to the dilemma whether a certain level of corruptive practices, when they are an integral part of a national business environment, would necessarily be bad for future economic growth.

This paper critically deals with outsourcing as a more complex source of risk in the system for ensuring corporate security, especially when talking about subjects that are part of the critical infrastructure of the country. The Republic of Slovenia has become an integral part of the global market, which is why it is essential to recognize that the outsourcing entities that work in the Slovenian market operate more and more globally, but on the other hand global corporations are entering the market. When addressing the risks of outsourcing it is therefore essential to take into account a broader global perspective, especially if these risks are discussed in terms of the risk of terrorist attacks. Globalization requires the integration and aggregation of organizations from different geographical and cultural backgrounds, which is why there is a growing openness of the labor market and an increase in the free passage of the workforce and as a result new risks are brought by outsourcing entities. Regarding this in particular I mean the risks associated with human resources and humans as individuals. In the future, a comprehensive approach to risk management outsourcing needs to provide a different perception of outsourcing and its impact on the organization’s risk and social environment. Therefore in the future, corporate security mechanisms must significantly pay more attention to outsourcing risk in so far as they would like to fulfill their basic mission, which is to allow continuous operation under normal as well as emergency situations (natural disasters, accidents, large-scale, international organized crime, terrorist acts, etc.). Therefore, there is a need for a broader discussion including more scientific research dealing with the risks of outsourcing. The real world has revealed that too little attention or even no attention has been given to establishing systems of risk management and building comprehensive integrated security systems for outsourcing risk since there is a lack of awareness of what constitutes outsourcing risk for the organization and the wider local community. The purpose of this paper is to show the importance and the role of the outsourcing in ensuring corporate security at both the operational as well as the strategic level and to indicate the risks associated with the integration process of outsourcing in the provision of corporate security.

Terrorism is one of many sources of risk which may reduce the capacity of critical infrastructure organizations to deliver against their objectives. However, unlike more frequent and more predictable incidents like criminal offenses or natural hazards, terrorist acts are non-routine risks and therefore difficult to anticipate. Typically, non routine risks have low probability, that is, they occur rarely or in some instances have never occurred but have very high consequences for the organisation. The attack on CI can be particularly attractive for a terrorist organization or an individual due to its highly interdependent infrastructures and its often high symbolic value. Critical infrastructure resilience (CIR) is an integrating objective designed to foster system-level investment strategies. Three resilience capacities are used to define, quantify, and ultimately design for a better resilience of the particular system: (1) absorptive capacities, or the ability of the system to absorb the disruptive event; (2) adaptive capacities, or the ability to adapt to the event; and (3) restorative capacities, or the ability of the system to recover. Occasionally the magnitude of a crisis exceeds an organization's own ability to respond. At such times the intervention and assistance of external groups (including government, other businesses, and the public) can be decisive.

The contribution focuses on terrorist and violent extremist attacks against schools and pupils in Europe. Discussed are the reasons why schools can serve as targets, what kind of danger is represented, in which context of political extremism and terrorism, and what consequences and challenges it brings in the issue of managing terrorist threats (the possibility of early warning mechanisms, prevention and preparedness). The emergency plans of American schools are considered as good practice.

Ensuring cyber security is a dynamic, demanding, and complex task. Due to the pace of development in this area, cyber security experts are forced to engage in constant education and have access to test environments and develop both offensive and defensive cyber techniques. The qualitative analyses of past attacks and other security incidents can present a significant contribution to the development of knowledge. In an effort to improve the attack modeling in critical infrastructure and remedy certain weaknesses of the existing models, we have developed a model called the Enhanced Structural Model. The purpose of this paper is to present both the possibilities of the attack modeling and our model for the analysis of past incidents and for educational purposes. The model is suitable for presenting the knowledge in the form of an analytical presentation of the attacks as well as for performing laboratory work and the examination of students.

Nowadays business continuity and disaster management procedures and policies are increasingly based on the notion of resilience. This relatively young topic is gaining increasing importance now that more recent experiences have shown that not all the attacks or accidents to critical information infrastructures (CIIs) can be avoided even if protection measures are correctly implemented. Such a circumstance implies that the response to ‘protection’ needs, which has mainly shown the use of technology as a possible solution to all of the issues, is not sufficient in covering the entire lifecycle of modern information infrastructures which requires instead the implementation of redundancy measures together with specific procedures that are designed and implemented in view to facilitate a faster recovery of an asset that has suffered an unavoidable accident. The aforementioned scenario is somehow confirmed by the reorientation of the EU policies in the field and, more specifically, by the 2014-2020 European Programme for Critical Infrastructure Protection (EPCIP) which now mainly rotates around key resilience concepts like prevention, preparedness and response. This paper, after a short description of the most significant vectors of attacks directed towards CIIs, offers a review of the main principles of resilience and a basic scheme that should guide those stakeholders that are in the phase of studying how to effectively implement those measures in the management lifecycle of technology driven infrastructures.

The process of globalization and the rise of information and telecommunication technology have significantly affected global and South Eastern -SEE security. On one hand, thanks to the development of these technologies and geopolitical dynamics, the region of SEE is becoming more interconnected, interrelated and shaped by modern infrastructures that enable respective SEE countries’ commodities, prosperity and competitiveness. On the other hand, like in the rest of the world, these processes and dynamics have increased unpredictability, complexity and threats to the SEE security in the context of modern terrorism. At the same time, the recent history of violent conflicts, social stability challenges, Euro-Atlantic ambitions, support to the “global war on terror” and the increased presence of radical religious groups and individuals in the region of SEE are variables that further affect its security. Today, modern terrorist groups and individuals exploit cyberspace to achieve strategic advantages against the mightier enemies. Given that their agenda is violent, abstract and apocalyptic protection of the critical information infrastructure has become one of the main concerns for NATO and its allies. Therefore the article explores how and in which way terrorists' use of cyberspace could affect critical information infrastructure in the region of SEE. To achieve this, the article first explains contemporary terrorists' objectives around the globe and compares them with the objectives that these actors have in the region of SEE. In this context the article briefly explains the development and achievements of the ICT sector in the region of SEE and analyzes them into the context of cyber-based threats posed by modern terrorism. Then the article provides an assessment of how the terrorists' use of a cyberspace affects critical information infrastructures in the region of SEE.

The system of the information protection is part of the national critical infrastructure protection. Handling of classified information is one of the critical infrastructure protection components by which individual segments of the national security system are safeguarded. In organizational terms, crisis management in cyber defense implies engaging the capacities of the relevant state bodies responsible for national security. Their activities are coordinated and guided by organizations of the executive branch and usually by the National Security Authority, as a body responsible for the coordination of the national security activities in the domain of classified information. Protection of the classified information is a crucial part of the overall critical infrastructure protection in Macedonia. The leading governmental agency for classified information protection (including information regarding terrorist activities) that plays a role of the National Security Authority in the international context is the Directorate for the Security of Classified Information. In our paper we will analyze the Macedonian experience in the protection of classified information as part of national critical infrastructure protection.

The aim of the present paper is to introduce a case study and the best practice of security vetting in relation to the critical infrastructure and in specific to nuclear security. In Slovenia the Nuclear Power Plant in Krško (the NEK) is an important part of the energy sector and the environmental safety sector of the state's critical infrastructure. The NEK is also an important source of electricity for Croatia - in that respect the plant produces and supplies electricity for both Slovenia and Croatia, each of which has the right and obligation to use 50 percent of its total output. The structure of the management board and personnel is based on the parity principle, considering the equal business shares of both partners. When there is a need for a security check of foreign citizens working in the facilities, public-Private, inter-ministerial and international cooperation is needed. The best practice presented in this paper of a comprehensive approach to cooperation regarding legislation and implementation similar to the security vetting of foreign citizens relating to nuclear security can also be used in other sectors of the critical infrastructure. It also represents an example of best practice for the risk management of potential internal threats connected with terrorist threats to the normal functioning of the critical infrastructure.

Terrorism in the global world is recognized as one of the most significant threats. Hence, combating terrorism has become a primary focus for security professionals throughout the world. By studying the phenomenon of modern terrorism, we can easily conclude that the nature of terrorism has changed. Therefore, the authors are focused in the article on a new form of terrorism, named “environmental terrorism”. Environmental terrorism is an old type of conflict with a new face, and we have to confront it. For the purpose of this article the authors have chosen to present the environmental terrorism threat to the Serbian water infrastructure sector. The available scientific data witnessed that the water infrastructure system in Serbia is already vulnerable and needs a lot of improvement. A terrorist attack on such a fragile infrastructure could have enormous consequences and be devastating in its scope. Hence, the authors have analyzed the current state in the water infrastructure sector, which is already compromised with numerous problems and have addressed the question: do we fully understand the water infrastructure vulnerabilities and what has to be done to ensure its protection as one of the part of the Serbian critical infrastructure? The protection of the water infrastructure sector against terrorist attacks is a task for the Serbian Government, but it has to be solved in collaboration with neighboring countries. The final goal for all activities has to be the greater scope of trust among the neighbors and the achievement of an adequate level of security regarding environmental terrorism threats in the region of South Eastern Europe. Furthermore, environmental terrorism as a threat has to be settled at a national and regional security agenda in a more visible way.

The paper scrutinizes the current situation in agricultural production in the Republic of Bulgaria as the sector of the national economy with the greatest significance in food supply and as the most vulnerable in respect to common production menaces and terrorist challenges in particular. It focuses on food quality and safety as the major priority of humanity and the ways of their achievement in the globalizing world starting from the national level plans, decisions and actions. In addition, the connection to the development of tourism in Bulgaria as the most expanding industry in recent years will be considered as well as the importance of risk management in food supply. The following questions are discussed: the importance of agriculture and food safety in the contemporary world; the state-of-art of agricultural production and food safety in the Republic of Bulgaria as a Balkan country and as a member of the European Union; common threats and probable targets of terrorist attacks affecting agricultural and tourism sector and having impacts on food quality and safety; legislation, national and local authorities’ responsibilities and competences in forecasting and preventing terrorist attacks, especially those considering agricultural produce and tourist services; recommendations for assuring food security in national and international aspects. The conclusion summarizes the findings concerning current and possible future national contributions to global antiterrorist responses. It will stress the crucial issue of international cooperation in counteracting terrorism threats and attacks.

In the last decade, substantial progress has been made in improving safety & security for nuclear material worldwide, both by states' own domestic actions and through international cooperation. Al Qaeda has continuously expressed interest in unleashing radiological terrorism by building and using radiological dispersal devices (RDDs), known as “dirty bombs” for instance. Common radioactive materials, such as commercial radioactive sources used in medicine, industry scientific research could fuel RDDs. Since 1998, in Albania a special centralized building exists for radioactive waste management and as a temporary storage facility situated inside the INP territory. Radioactive waste conditioned with or without shielding was successively placed into this building for long-term storage. So far, there have been several incidents worldwide with terrorism potential that involved nuclear waste materials and radioactive materials and its repository facilities, which may serve as a target by attacks of terrorism. DU was also feared to causes environmental contamination through it being spread, especially in territories and borders of our countries involving the risk and injuring of the civilian population.

Bioterrorism presents the use of microorganisms and their toxins as agents in terrorist actions in political, economic, religious, ideological or other purposes. Today, in the changing world of many contradictions bioterrorism is a real challenge for many non-state and state actors. The main target of bioterrorist acts are humans while a critical infrastructure can be used as a target depending on its impact on life and everyday activities. Among them, food supplies and distribution systems are extremely important and their deliberate contamination as a part of terrorist action is a real threat that can cause even global and serious health, ecological, economic and political consequences. Most health professionals have limited knowledge in the recognition of diseases from either natural or intentional contamination of food. They are not trained to respond appropriately to a terrorist assault for management of the consequences. Outbreaks of both unintentional and intentional food-borne disease can be managed by the same mechanisms contained in a crisis management plan. So, in order to be prepared for any incidents of food and water terrorism, it is essential to establish procedures, plans, to train the experts and to improve response capacities. The other subjects of society, especially decision makers as well as security professionals must also pay more attention to this problem in order to prevent it.

The potential vulnerability of the Chernivtsi water supply systems is analyzed in light of some basic shortcomings committed in the general planning, the poor realization of the project and some natural conditions imposing potential threats. Also the potential threat of intentional and unintentional human malicious activity is evaluated. Two potential strategies of mitigation are considered: the deep restructuration of the water supply system and some minor targeted steps aimed at the minimization of the threats. The latter option requires a smaller investment and promises quite reliable results in the short-term prospect.

The term security, in the narrow sense, represents the degree of safety in terms of protecting a nation, a people, or individuals from danger, damage, or crime. Structures that raise the security level constitute elements of security as a form of protection in the technical sense. Analysis of relevant scientific sources clearly indicates that a form of protection is where a separation is created between the assets and the threat. Such a definition implies a dual conclusion – that the security level can be raised either by eliminating, i.e. reducing, the threat (technical sense of security) or by eliminating the asset, i.e. by reducing subjective perception of what the asset to be protected is (the threat has no effect if there are no assets to be threatened). The global dimension of environmental problems and sustainability, in particular the seriousness of various risks and security threats to the operation of the critical infrastructure of a state implies the need for new educational approaches and content in this area. In a significant number of European countries, the goals of teaching and education in general have been innovated and redefined by the introduction of tailor-made training modules and courses regarding the abovementioned environmental and energy security. In parallel with socio-economic transitions, countries in transition should also take certain initiatives for change in the education system. In this sense, this paper discusses the problems of environmental and energy security and opportunities offered by formal and informal education within this area. Special emphasis is given to the issues of the tailor-made education of personnel operating within critical infrastructure facilities. Pertaining to this goal, the organization of diverse educational and informational/promotional activities in this field is of equal importance.

The nexus between terrorism and organized crime could be developed into a major threat for South East Europe. Some areas, for instance the Western Balkans, are considered a “safe haven” for Islamists terrorism and criminals. The Critical Infrastructure is considered an important part of the security of the states and could be a target of terrorism and organized crime. The broad definitions of the Critical Infrastructure and energy security show the different views of organizations and states towards national security. The post Cold War era has blurred the dividing lines between internal and external security. Terrorism and organized crime have converged interests in order to finance their operations. NATO could play a leading role in the protection of Critical Infrastructure. NATO could establish a Gendarmerie Force on the model of the European Gendarmerie Force (EGF) and the Italian Guardia di Finanza. NATO could guard against the combined threat of terrorism and organized crime by adopting an effective strategy. It could include military and policing methods, border security, smuggling, safety of financial, economic, judicial and public sectors and cyber -security.

Critical infrastructure represents a medium of national and international importance whose destruction, temporary or permanent disruption in process activities, would seriously endanger or weaken national and public safety, economic and social prosperity. Beside the internal threats, critical infrastructure is exposed to natural, technical-technological and anthropogenic threats, where terrorism is recognized to be one of the most unpredictable and dangerous sources of threats to the critical infrastructures. For that reason countries are responsible for the implementation and improvement of the critical infrastructures' protection and resilience to ensure survival, the development and advancement of individuals' and the social community, domestic and foreign economic subjects on their soil and, in partnership, achieving stability and safety of other countries. The goal of this work is to analyze how the Republic of Croatia has, so far, legally, regulatory and operationally developed protection and resilience of the national critical infrastructure, and give recommendations with regards to necessary steps in the continuation of the said process.

Terrorism, as a global negative threat, endangers not only the security of individual countries, but also of the international community. Still, individual countries and protected values (the life and health of people, assets, etc.) are predominantly affected by it. Terrorist threats pose special danger to critical infrastructure. The risk from endangering critical infrastructure is on the rise, considering “the domino effect” of endangering critical infrastructure. The domino effect does not only imply the negative consequences within the borders of a country, but it also has a wider influence (a regional and even international dimension). Of course, the entire critical infrastructure system is at risk from terrorist activities, in particular cyber terrorist offences, which can endanger the key infrastructure of the country, burden communication systems, and even cause serious consequences for the security system within the country. Bosnia and Herzegovina is not an exception. In that sense, the list of critical infrastructure sectors poses a potential target for terrorist attacks, but also for cyber terrorism. Thus, it is extremely important to identify the sectors of critical infrastructure, and create adequate measures for their protection. In that regard, the paper points to some key European standards for the protection of critical infrastructure, and concrete antiterrorist and counterterrorist activities for their protection.