We can become a leader in the region by developing good practices for identifying key services. All this will not be possible if there is no central entity coordinating the protection of critical infrastructure, with authority to supervise and sanction operators of such facilities – says Karolina Wojtasik, PhD, from the University of Silesia.
Tanker at the oil port. Picture by Naftoport.pl
BiznesAlert.pl: What has the sabotage of Nord Stream 1 and 2 taught us?
When we think of security, we often think of military equipment or border security. Meanwhile, the so-called hybrid actions, which are below the threshold of war, are designed to weaken the enemy, and have been carried out consistently for years. We are only now seeing their serious impact. Before tanks entered Ukraine, the country had been weakened by cyber attacks for years. Its critical infrastructure was targeted in various ways: blackouts in 2015, 2017; cyber attacks on government websites that paralyzed the administration. These actions, although below the threshold of war, were aimed at, among others, weakening the state, but also at collecting information about the vulnerability of the Ukrainian strategic infrastructure (civilian and military). Al Jazeera has recently reported that 40 percent of Ukraine’s energy infrastructure has been destroyed. In order to destroy such a significant percentage of strategic facilities, it is necessary to have knowledge of their deployment and importance for the continuity of state administration. This requires intelligence work spread over years. I am convinced that such actions have also been carried out in our country for years. It is known that in Poland already after the war, in the 1940s, the reconnaissance of water supply systems, and especially the sources of water intake in large urban clusters, continued. This reconnaissance, on the orders of Soviet decision-makers, was conducted by military personnel serving in the Soviet embassy in Warsaw, who over time also extended their tasks to the Polish energy system. Such intelligence activities can begin already at the stage of designing a given critical infrastructure facility. These actions can be aimed at finding gaps in the security system and the technical vulnerability of the structure. 
This may involve the introduction of the so-called insiders, people working in the company only to collect information, or information gathering with the help of social media, the study of activities key to maintaining the continuity of employees in the network. Companies, which operate critical infrastructure, like to brag on social media about their facilities, but often publish detailed photos giving away key information to future saboteurs. Information gathering, which is being done in various ways, including satellite imaging or unmanned aerial vehicles, has not started now, but has been going on for years. The effects are visible today, or we will see them in the future. The sabotage of Nord Stream 1 and 2 shows that we must ensure the maximum security of critical infrastructure, both onshore and offshore, located outside the exclusive economic zone of a country that obtains energy resources in this way. Such sabotage is a form of conflict in today’s conditions. Instead of using a huge army, you just need a few saboteurs trained and equipped by the military. It can be argued that it is enough to damage several elements of critical infrastructure to start the economic collapse of Poland. In other words, we spend billions on rearmament, but the smooth functioning of the army depends on the critical facilities, whose protection requires immediate support from the state.
How to improve security?
This should be done in a coordinated manner. This is the role of the Government Security Centre (RCB) responsible for the protection of critical infrastructure in Poland. It is extremely important to avoid a dispersion of responsibilities and a parallel decision-making process, especially in the face of the Critical Entities Resilience Directive (CER). We need a single central supervisory body, independent of the law enforcement agencies, with the competence of a national coordinator, an auditor for critical infrastructure security. The new draft law on the protection of the population and state of emergency (version from the end of January 2023, after the Internal Affairs Ministry conciliation conference) goes against these needs. Without an “RCB+”, we will not provide an adequate security system for facilities on which the continuity of the state depends, in political, economic and, above all, military terms. It is worth noting that the current so-called unsanctioned approach from the National Plan for the Protection of Critical Infrastructure (NPOIK) makes it difficult to punish a critical infrastructure operator that does not follow the recommendations, or manages a facility that is strategically important for state security with a fence 70 cm high. The only type of critical infrastructure in Poland that is subject to systemic control (national and EU) and supervision by state institutions are “strategic” airports. In this highly regulated area after 9/11, the Civil Aviation Authority (ULC) can enforce certain actions dedicated to the protection of civil aviation in Poland. In other cases, there is no such possibility. This situation will change significantly after the implementation of the CER Directive into national legislation. We only have a few months.
It is necessary to raise the level of awareness about the importance of critical infrastructure in our daily lives. The word “infrastructure” is understood colloquially. It is associated with objects such as roads and bridges. As a society, we often do not understand what critical infrastructure is. At the same time, there are many concepts in Polish legislation: critical infrastructure, facilities subject to mandatory protection, key service provider. More often than not, security specialists at companies are confused by this nomenclature, trying to figure out to which category they belong and whether this involves specific responsibilities. That is why the role of educational initiatives for the security of the state and citizens, implemented by the RCB, is so important. Public administration must build this awareness. Engineers trained at technical universities need to know that their facilities may in the future receive the status of critical infrastructure, and thus become the targets of reconnaissance by hostile intelligence services. We have a big gap in this area. As long as critical infrastructure works, we do not think about it, but we should in case of crisis situations that can lead to the economic collapse of the country.
How do we protect infrastructure like the Baltic Pipe or Naftoport, considering the recent amber hunters event?
The Critical Infrastructure Resilience Group met for the first time on 25 January in Brussels. It is a forum for discussions on how Europe should protect its critical infrastructure. We need critical infrastructure protection standards and national supervisory authorities, CI security audits and permanent inspections of the security system of such facilities, as well as the possibility of imposing financial penalties for violations of the protection requirements from the state. Without such a body, the level of security of critical infrastructure facilities depends on the goodwill of the CI operators’ boards. The Act on Crisis Management and the Act on the Protection of Persons and Property, as well as the Act on Counter-Terrorism Measures, are the three key legal acts that regulate the protection of critical infrastructure in Poland. In the field of security, which we are talking about, the operator of such an infrastructure has at least two documents to develop. Physical security is regulated in detail in the protection plan (under the Act on the Protection of Persons and Property). This document is agreed on with the relevant police unit, which checks it on site. The manager of this type of a facility also creates the so-called anti-terrorism annex (AT) that is added to the protection plan. This document needs to be agreed on with the Internal Security Agency unit responsible for the given area. It contains, among other things, an analysis of vulnerability, and the risk of a terrorist incident is also estimated. However, the most important are the procedures for dealing with various types of attacks, for example, the appearance of an attacker with a dangerous tool or a shipment with dangerous contents, such as explosives. In addition, annex AT establishes a list of actions to be taken in a given facility if the alarm levels are raised. The AT attachment can include anything. You can write a lot of things there. 
But if the employees are not trained, there is no awareness of the risks, there are no cyclical exercises, then these ideas will remain on paper. The human factor is therefore crucial. In turn, the plan for the protection of critical infrastructure is agreed in the RCB after consultation with various entities. It describes security in a comprehensive manner, taking into account the business continuity plan for the service provided. The problem is that it is difficult to force different entities to draw up such a document, because there are no legal instruments due to the already mentioned no-sanctions approach. It is also worth noting that we have a national plan for the protection of CI updated every two years and annexes. It’s a signpost that needs to be updated with new threats. It contains, among others, the rules for building a physical defence system, IT, personnel and legal security. So far, not meeting these requirements does not mean sanctions can be imposed. The latest safety standards that will come into force as part of the ongoing update of the NPOIK are to take into account the experience from the war in Ukraine and the role played by unmanned systems there. The implementation of safety standards for critical infrastructure operators in the field of prevention, response and mitigation of risks posed by incidents involving unmanned systems (flying, floating, land) is an example of the fact that we are able to create innovative solutions in the country that meet the interest of other EU countries. We can be leaders when we build security above departmental divisions. Unfortunately, from what I had the opportunity to learn during the last Critical Infrastructure Security Forum, only a few CI facilities, out of several hundred, have a system of protection against flying unmanned platforms that is worth mentioning. 
For systems designed to protect offshore energy infrastructure from detection or sabotage by underwater drones, the situation is even less optimistic. Despite the fact that Polish start-ups and technical universities have achievements to boast about in the global market of drone recognition and neutralization, the way management boards of CI treat investments in underwater drone systems does not reflect the security risk. This is the aftermath of the impunity.
How much time do we have for these changes?
We only have a few months. This is why the role of the RCB is so important. Critical infrastructure protection evolves, we learn, and threats change. The approach to CI as facilities made things easier. We had a set of criteria defining what such infrastructure is. The criteria were not disclosed, but were drawn up in consultation with individual ministries. The CER directive changes the approach from facility-oriented to service-oriented. The very definition of what is a key service will require cooperation at the interdepartmental level and require enormous knowledge and orientation in the work of such entities on a daily basis. We can’t sleep through this moment. We have the opportunity to bring our existing solutions to the European level. We can become a leader in the region by developing good practices for identifying key services. All this will not be possible if there is no coordinating body and supervisory authority. In the event of the liquidation of RCB, time will not stand still waiting for a new institution. Meanwhile, the law to abolish the RCB leaves for later different decisions in relation to the protection of critical infrastructure. This would mean more lost months in the face of the exacerbating situation in Ukraine, and after all, today’s war is being waged in various ways to paralyze critical infrastructure. At that time, we can “open” this infrastructure. Critical infrastructure is protected, but much still depends on the operator, who is not always sufficiently aware of the threat. In addition, security costs a lot and does not generate financial profits from the point of view of the CI operator’s management board. That is why in times of a crisis security expenses are cut first. Leaving such matters to the boards is exposing ourselves to risks. The CER directive will help to build a system that allows for the control and enforcement of adequate protection at the level of the EU member states and at EU level. 
Delaying this process serves no one. In the geopolitical situation in which we are, such an approach violates the raison d’etat of the Polish state. It is worth emphasizing that the Ukrainian government is basing its CI protection system on the solutions used in Poland, while acknowledging the new approach to building resilience to hybrid threats to CI proposed by the European Commission.
Interview by Wojciech Jakóbik