Protection of the Critical Infrastructure from Terrorism: Case Study of the Republic of Croatia

The study describes methods for protecting the critical infrastructure of a state. The article aims to determine the combination of protecting methods of the state’s critical infrastructure from terrorist activities, namely security, physical protection, protection of critical infrastructure, protection of critical information infrastructure, and prevention of emergencies of a terrorist nature at objects of critical infrastructure. It is necessary to fulfil the following objectives to achieve the aim: to consider the difference and interrelation of the concepts of critical infrastructure and information critical infrastructure; to characterise the general properties of various terms, in particular: security, physical protection, protection of critical infrastructure, protection of information critical infrastructure, prevention of terrorist emergencies at objects of critical infrastructure; to analyse from the scientific point of view the classical definitions of forms and methods of critical infrastructure protection; to propose a generalised structure of information and technical methods of critical infrastructure protection; to determine the possibility of using information and technical methods in various fields of knowledge to protect the state’s critical infrastructure from terrorist influence. In summary, the structure of information and technical methods for critical infrastructure protection consists of three components: a mathematical model that describes the process occurring at critical infrastructure, a control algorithm that implements the mathematical model, and procedures that indicate the order of actions for applying the method. The problem of protecting critical infrastructure from terrorist activities requires technical, legal, military, psychological, medical, chemical, biological, and other sciences to address it. Each type of science will use its specific methods to solve practical problems of preventing terrorist emergencies at critical infrastructure. For technical sciences, there will be information-technical, engineering-technical, operational-technical, organisational-technical, biotechnical, and other methods to prevent emergencies of a terroristic nature that need development shortly. Keywords: critical information infrastructure, protection, terror, security, terrorist emergency.

The article analyzes the existing legal mechanisms for managing critical information infrastructure in Ukraine. The instruments for their improvement are proposing in this article. An important component of critical infrastructure is its information component – a critical information infrastructure. The sphere of protection of critical information infrastructure in Ukraine is at the initial stage of formation. The current legislation defines only certain objects of socio-economic sphere, in which extraordinary events can lead to socially dangerous consequences. In view of the fact, that the term “critical information infrastructure” does not having a consistent interpretation in different countries, we propose our opinion. “Critical information infrastructure is a system of information management of critical facilities and information and communication networks that provide defense capabilities and security of public and private institutions, whose operation may flow to the national security of Ukraine” (KII). In the KII we can identified information and network components. Information environment of KII is a system for information management of critical objects, including computing and information resources that form automated control systems (ACS). The network component of KII consists of a set of telecommunication devices, communication lines and network equipment, systems of open protocols for the exchange of information between elecommunication devices, global system of digital addresses and digital identifiers, software. The Internet network can be considered as a technological add-on over a telecommunication network that provides the provision of data transmission and processing services (e-mail, teleconferencing, file transfer, access to computing and information systems in local area networks). The main threat to the safety of ACS of critical information infrastructure objects is targeted actions on information systems, information and telecommunication networks by software and hardware. KII legal security include two main components – national and international. The national component may be forming by a set of principles, legal institutions and norms, which are enshrined in the national legislation regulating public relations in Ukraine in the area of counteracting the security threats of the ACS of critical objects. In order to protect the most important objects of KII, it is necessary to identify these objects. The current legislation defines such categories of objects, for which special conditions for ensuring their protection and functioning are established. Some of them, in whole or in part, may be classifying as objects of critical infrastructure. The specificity of providing information security was reflecting in such Ukraine laws like “On the Fundamentals of National Security of Ukraine”, “On the Concept of the National Program of Informatization”, “On the National Program of Informatization”. As well as the Concept of Development of the Security and Defense Sector of Ukraine, the National Security Strategy of Ukraine, the Strategy of Cybersecurity Of Ukraine. The National Security Strategy identifies actual threats to national security and sets priorities for information security, cyber security and security of information resources and critical infrastructure. At the same time, the implementation of the state policy in the field of security of KII requires the further development of legal principles and norms governing the relevant social relations, that is, the national component of the legal security of KII. Ukraine should ensure the establishment of a nationwide system for assessing risks and threats to critical infrastructure, and after the legislative definition of the main terms, the implementation of the Identification of Critical Information Infrastructure objects. Identification of objects of critical information infrastructure can be accomplishing by introducing the certification of objects of critical information infrastructure. Such passports must contain general data about the facility, data on the main sources of danger, data on hazardous natural conditions, technological processes and response to threats. The international component of the legal security of KII provides for the regulation of a set of principles and norms defined by international treaties and recognized by the state, regulating issues of international cooperation in this area. Ukraine has signed the Convention on Cybercrime together with the member states of the Council of Europe and other States. It is aiming at stopping actions against the confidentiality, integrity and availability of computer systems, networks and computer data, as well as abusing such systems, networks and data by installing the criminal responsibility for such behavior, the provision of powers sufficient to combat criminal offenses, and the conclusion of agreements on rapid and reliable international cooperation. In addition, the plan of measures for 2017 on implementation of the Cybersecurity Strategy of Ukraine provides for the implementation of Directive 2008/114/EC on the protection of critical infrastructure, in particular on cybersecurity and cyber defense of critical infrastructure objects. Development of the system of international information security, the following main groups of international relations that requirenormative legal regulation within the framework of the legal security of KII: definition of the boundaries of the national KII in the global information and communication infrastructure and fixing signs of computer incidents in the control system of critical objects information infrastructure. The absence of generally recognized borders of state sovereignty of States in this space is a significant obstacle to the application of international law to the actions of other states. In particular, this impedes the establishment of limits of responsibility of states for violating the security of the KII and organizing international cooperation in the field of countering computer crime. The urgency of the legislative consolidation of signs of computer incidents in the automated control system of critical information infrastructure objects suggests the widespread use of the concept of “incident” in international law. An incident in cyberspace usually associated with a violation of the functioning of the components of cyberspace – an electronic collection environment and automated processing of information that determines the processes of the implementation of these operations, as well as information systems and automated control systems. The essence of the general definition of the “international incident” in the field of KII will be determining, firstly, by the nature of international relations between states that are violating by the “incident”. This event may be the result of unforeseen actions of the state, including actions that harm the interests of public bodies of one or more states, or, conversely, be one of many intentional but minor provocations carried out by agents of one state against another state. Given that international relations in the field of incidents in the field of KII are not regulating by international treaties, the main and, in fact, the only source of international law in this case serves as an international custom, however, its application to the sphere of KII is accompanying by considerable difficulties. For Ukraine, it is possible to introduce the positive experience of other states in the security of the KII. In particular, the problem of security of information technologies has been enshrined in the international standard ISO / IEC 15408 “General criteria for assessing the safety of information technology”.

One of the directions of state policy in the field of ensuring national security is the development of a multi-level effective national security and resilience system for critical infrastructure. A key factor in any system, whether in the field of national security or in other spheres, is human capital, its ability to analyze risks and threats, identify vulnerabilities, master newtechnologies, and find innovative solutions to address modern challenges. Thus, an important aspect becomes the training of qualified professionals who possess systemic knowledge and skills. The need to provide systemic knowledge to specialists and managers directly addressing the tasks of ensuring the protection and resilience of critical infrastructure has been established. The current state of the training system for specialists in the field of critical infrastructure protection in Ukraine has been identified, and the main forms of organizing training and personnel preparation in this area have been analyzed. Tasks have been established based on an analysis of existing professions and labor market demand to determine a set of professions that are expedient to involve in ensuring the security and resilience of critical infrastructure. An analysis of the training and qualification enhancement of specialists in the field of critical infrastructure protection and resilience has shown the necessity and possibility of creating a national education and training system on critical infrastructure protection and resilience in Ukraine. Professions and labor market demand have been analyzed, and a set of professions expedient to involve in ensuring the security and resilience of critical infrastructure has been determined. After their final approval, these professions could include: the head of a structural unit responsible for the protection and resilience of critical infrastructure and a specialist in the protection and resilience of critical infrastructure. Developed or updated professional standards in the field of critical infrastructure protection and resilience will serve as a basis for adapting educational programs of higher education institutions according to the labor market demand.

: Over the past decade, the cyber threat to critical infrastructure has grown to potentially catastrophic dimensions. Critical Infrastructure protection has become a matter of national security, public safety, and economic stability. It is imperative the U.S. Government (USG) examine current responsibilities, develop a comprehensive cybersecurity strategy, cybersecurity regulations, impose standards, and enforce the strongest security measures possible to protect the Nation from cyber attacks to critical infrastructure. This paper provides a background of what constitutes national critical infrastructure and Critical Infrastructure Protection (CIP), discusses the immense vulnerabilities, threats, and risks associated in the protection of critical infrastructure, and outlines governance and responsibilities of protecting vulnerable infrastructure. Finally, the paper will make recommendations for federal responsibilities and legislation to direct nation critical infrastructure efforts to ensure national security, public safety and economic stability.

The necessity of protecting critical infra­structure is an extremely important task for the normal functioning of the national states, especially taking into account modern threats related to military actions, natural disasters, cyberattacks, pandemics, etc. The aim of the research is to substantiate and characterize the organizational and legal conditions for ensuring the resilience of critical infrastructure, using the example of the EU, NATO countries and Ukraine. The articleʼs hypo­thesis is that the resilience of critical infrastructure depends on the level of institutional support, which is capable of adapting to the conditions of modern threats and risks, particularly during wartime, and involves comprehensive interaction between state institutions, the private and international orga­nizations. To achieve the aim of the research, a complex of general scientific and special methods was used, including methods of systematization and generalization, tabular methods, as well as analysis and synthesis. The main regulatory legal acts ensuring the resilience of critical infrastructure in the EU have been identified and analyzed, highlighting the importance of coordinated efforts among EU member states to enhance the resilience and protection of critical infrastructure, especially in response to cross-border threats. NATO approach to ensuring the resilience of critical infrastructure has been analyzed that focuses primarily on crisis preparedness and ensuring the continuity of governance and essential functions even in the event of military aggression or hybrid threats. The regulatory legal acts on ensuring the resilience of critical infrastructure in Ukraine have also been examined, and the main tasks of the authorities responsible for ensuring the resilience of critical infrastructure identified. The levels and manage­ment bodies of Ukraineʼs national system for protecting critical infrastructure have been defined. The main determinants of the resilience of critical infrastructure entities include physical resilience, functional resilience, organizational resilience, infor­mational resilience, social resilien­ce, economic resi­lience, and environmental resi­lience. These deter­minants are interconnected and collectively impact the ability of critical infrastruc­ture entities to ensure continuous operation in crisis situations.

Security is a key concern in societies worldwide. Moreover, societies are dependent on the continual operation of critical infrastructure i.e., critical entities (sectors: energy; transport; banking and finance; water; health; digital infrastructure; food; public administration; space) that are key and vital for national security, economic vitality, and public health and safety, and relevant regionally and globally, due to its physical, cyber, geographic, and logical interdependency. However, in the dynamic security context, there are risks and threats to critical infrastructure with potential cross-sectoral or cross-border nature, including accidents, natural disasters, public health emergencies, such as a pandemic, and hybrid threats, including terrorist offences, criminal infiltration, and sabotage. Hence, strengthening the security and resilience of critical infrastructure is high on the agenda of authorities. Private security companies are part of the security continuum and have always complimented state security efforts. Moreover, the increasing security risks to critical infrastructure driven by natural and geopolitical events have increased the role of private security services, and security companies and personnel are an integral part of Critical Infrastructure Protection. The main tendency of this paper will be to elaborate on the new EU Directive on the resilience of critical entities 2022/2557 of 14 December 2022. The theoretical explication will cover the wider critical infrastructure protection and resilience concept. The main focus will be to analyze the role of private security in critical infrastructure protection. Furthermore, this paper will elaborate on the sector-specific Standard EN 17483, Private security services -Protection of critical infrastructure, which illustrates requirements for quality in organizations, processes, personnel and management. The final goal will be to systematize the body of knowledge about the key quality criteria of private security in the protection and resilience of critical entities.

In 2008, the European Union regulated the basics of the protection of critical infrastructures in a directive. The Member States therefore had to ensure that – in addition to the freedom of the method and means of implementation – the provisions of the directive were transposed into their national legal order. Accordingly, some Member States may define different detailed rules. The detailed rules related to the protection of critical infrastructures (e.g. the designation thresholds) are not public in several Member States, but in Germany and Hungary they have been recorded at the legislative level. In my study, I compare the rules related to the protection of critical healthcare infrastructures, including inpatient care institutions, primarily based on legal sources and the experiences of my study tour in Germany, from the selection criteria system to crisis planning. The good practices resulting from the differences and similarities to be discovered can help to revise and standardise the rules and practices related to the protection of critical health infrastructures.

In the information age, critical infrastructure have become largely computerized and interconnected throughout the world, and their scope has grown more and more. Indeed, a failure in one critical infrastructure could lead to serious consequences on national security, economic well-being, public health, safety, or any combination thereof, producing then cascading effects because of their synergies. Consequently, the reliability, performance, continuous operation, safety, and protection of these so-called critical infrastructures is essential toward society and its economy. Nevertheless, the protection of critical infrastructure is a classical method that opens the question on the situation of these infrastructures in case of failure. In response to this, several studies necessitate a further strengthening in terms of resilience of these infrastructures. The items explored in this paper discuss different aspects related to resilience that gives the foundation of resilience strategy. We present in one hand the state of the art regarding resilience view in Critical Infrastructures and gives a systematic approach that can be applied on it, introducing then the applicability of resilience policy on these infrastructures.

The content outline: in accordance with law, the Polish critical infrastructure constitutes 11 sectors, vital for national security and public safety persistence. Two of the sectors (energy sector and transportation systems sector), are elements of the European Critical Infrastructure, and due to Poland’s EU and NATO membership, are subject to particular protection. The paper describes general principles of Polish critical infrastructure safety law acts and critical infrastructure sectors. Later in this paper, 4 alert states (THREATCON), and their impact on the critical infrastructure safety and protection were presented. The purpose and the program content of the National Critical Infrastructure Protection Programme and the National Infrastructure Protection Plan were described.

Background . The Law of Ukraine "On Critical Infrastructure" defines the task of ensuring the security and resilience of critical infrastructure. The practice of implementation of the Law provisions shows the need to introduce a system of education and training of personnel in this area. The observed tendencies of increasing of the range of threats to critical infrastructure, in particular during armed conflict, only emphasize the urgency of raising the level of knowledge and skills of personnel in this area. The purpose of the article is to review potential formats of education and identification of fields of knowledge and specialties within which it is appropriate to reflect issues of critical infrastructure protection in the educational process. Among the important tasks of the article are: a review of research on the problems and the practice of implementation of the educational process in this field, an analysis of legislative and organizational opportunities for the introduction of educational programs, a review of higher education standards and programs, identification of basic competencies of graduates and program results of studies in this area. Methods . There were used methods of theoretical-methodological and comparative analysis for the developing conceptual approaches to the organization of education process on the issues of security and resilience of critical infrastructure. The system-functional analysis of the tasks of the subjects responsible for critical infrastructure protection was used to determine the fields of knowledge and specialties in which it is appropriate to train specialists. Methods of system analysis to form a list of program results of training in this area. Results . The article proposes a methodical approach to determining the necessary competencies, knowledge and skills of the personnel of the subjects of the national system of critical infrastructure protection. The list of specialties in which it is expedient to train specialists by higher education institutions of Ukraine has been defined. A set of competencies and program learning outcomes have been developed, which could serve as basic for developing educational standards and educational programs. A set of educational disciplines is offered that can be a component of the educational process in selected specialties. Conclusions . The article substantiates the legislative conditionality and scientific and practical relevance to establish the system of specialists training in the field of critical infrastructure protection. Though, the training system can cover various forms and methods of training, at the current stage of development of the national critical infrastructure protection system of Ukraine, it is advisable to introduce separate educational programs within the framework of existing educational programs of defined set of specialties. There has been developed the competencies and program outcomes for graduates. A set of educational disciplines that can be a component of the educational process in selected specialties is also proposed. In future, it is necessary to continue research on the development of specific educational programs on the security and resilience of critical infrastructure for various specialties.

According to the large number of cyber incidents that occur every day, the process of critical infrastructure protection is an important not only technical but also scientific task. However, not all states in the world have an opportunity to provide high-quality protection of such infrastructure at a high level. Based on the fact that the critical information infrastructure protection should be managed at the state level, states need to develop a regulatory framework to address the above issue. Considering the legal framework of Ukraine, as in most post-Soviet countries, there is no effective approach to the protection of critical information infrastructure, such as in the USA or in the EU. The legislation of Ukraine identifies only certain objects of the socio-economic sphere, emergencies where they can lead to socially dangerous consequences, while a single procedure for identification and classification of critical infrastructure is not developed. A number of basic terms in the field of critical infrastructure protection from cyber threats, including “critical infrastructure” term, remain normatively vague. The mechanism of organization of activity and interaction of state and private structures in the process of critical infrastructure protection needs scientific substantiation. In this paper, the analysis of the world’s best practices concerning critical information infrastructure protection was carried out, that allows to improve qualitatively, at the state legislative level and practice, process of critical information infrastructure protection of Ukraine.

The research was conducted to study the state of development of the issue of protection of critical infrastructure in Ukraine. It is established that the world is increasingly using an integrated approach to ensuring the security of systems, facilities and resources that are crucial to the life of a state or association from criminal encroachments and terrorist threats, as well as threats of another nature - natural, technogenic, social, military ones.It is determined that the term “critical infrastructure” has not yet received its legislative definition, it is, de facto, already used in such fundamental regulations. Today in Ukraine only the legislative base for the protection of critical infrastructure is being formed and the body that will formulate the state policy for the protection of critical infrastructure, as well as the body (military formation) that will be responsible for implementing the tasks of protection of critical infrastructure remains undefined critical infrastructure from various threats.The purpose of the article is to conduct a research to study the state of development of the issue of protection of critical infrastructure in Ukraine and justify the tasks and powers of the National Guard of Ukraine in this area.A legal analysis of the implementation by the National Guard of Ukraine of the tasks to stop terrorist activities and counter-sabotage. It has been proved that the National Guard of Ukraine is involved in anti-terrorist activities and participates in the activities of the Unified State System of Prevention, Response and Cessation of Terrorist Acts and minimization of their consequences, without being part of the system of subjects of fight against terrorism. Counter-sabotage activities are a direct form of execution by the National Guard of Ukraine of tasks related to the cessation of terrorist activities.It is substantiated that at the stage of creation and organization of the State Critical Infrastructure Protection System, including by determining the Authorized Body for Critical Infrastructure Protection of Ukraine and determining the competence and authorities in the field of critical infrastructure protection of other subjects of the state critical infrastructure protection system. The National Guard of Ukraine in this system is not normatively defined.It is proved that the legal status, level of logistics and training of personnel, the presence of special units in the National Guard of Ukraine that perform the functions of units for counter-sabotage, their experience in performing counter-sabotage tasks in the field of the anti-terrorist operation and joint operations forces allow considering the National Guard of Ukraine the main subject of counter-sabotage activities ‒ the Authorized Body for Critical Infrastructure Protection of Ukraine both within the territorial defense and in peacetime for the protection of critical infrastructure.Areas of further research will focus on the protection of critical infrastructure in Ukraine.

Aim: As part of this article, an attempt was made to present the legislative process in Poland regarding critical infrastructure, for which valid is the Act of 26 April 2007 on crisis management, specifying, inter alia, authorities competent in crisis management and their tasks and principles of operation in this area as well as implementing acts issued on its basis. The introduced legal regulations define both the concept of critical infrastructure, its protection and activities related to the prevention of crisis situations, reacting in the event of their occurrence and preparation to take control over them, as well as removing their effects and recreating key resources. Introduction: Regulations concerning the protection of critical infrastructure are included in legal acts covering various areas of the country’s functioning, including telecommunications activities, production and trade in fuels and electricity, performance of defence tasks by entrepreneurs, creation of strategic reserves, powers of the minister competent for the State Treasury in some companies, protection of persons and the property. The protection of critical infrastructure is related to the raison d’état, which indicates the need to make special efforts to protect the country’s key infrastructure. Therefore, it is reasonable to present selected legal elements needed to protect critical infrastructure, especially those issues that ensure the continuity of the operation of public administration bodies, which are to ensure the safety of the citizens. Methodology: The article was prepared based on the analysis of the literature on the subject and the analysis of legal acts in the area of strengthening the concept of critical infrastructure, taking into account the current situation related to the pandemic and, consequently, the loss of some officers and employees. During the analysis of the conducted research, compact publications, acts of Polish law as well as guidelines and recommendations published on the websites of governmental institutions were used. Conclusions: In the protection of critical infrastructure, there is a need to introduce legal regulations within the framework of cooperation between institutions. The preparation of effective activities in the area of critical infrastructure requires a comprehensive approach, including: physical, technical, personal, ICT, legal protection, as well as assistance from the government in the reconstruction of the damaged element. Each of the areas mentioned above is a complex set of activities requiring general and specialist knowledge, sometimes expert knowledge, extensive practical experience (using the so-called good practices), risk analysis skills, and risk prediction (profiling). Keywords: act on crisis management, legal acts, crisis management, protection of critical infrastructure, identification Type of article: review article

The world trends in increasing of threats of natural and man-made nature, a level of terrorist threats, the number and complexity of cyberattacks have caused the actualization of needs for critical information infrastructure protection and improvement it's informational security and functional safety. A critical information infrastructure is considered as a set of information and telecommunication systems, improper operation of which may lead to the occurrence of an accident of critical infrastructure (energy, transport, etc.), as well as to decrease in quality of its services. The subject of paper’s study is the mechanisms for ensuring the safety (protection) of critical information infrastructures. The purpose of the paper is to substantiate the approach to the development of methodological foundations and technologies for assessing and ensuring the safety (protection) of critical information infrastructures taking into account the state and capabilities of modern information technologies. The methods used are: systems analysis methods, mathematical optimization methods, safety, and risk theory methods. The following results were obtained. The main tasks of the critical infrastructure protection system are formulated. The necessity of using the system of protection of critical information infrastructure as part of the system of protection of critical infrastructure is substantiated. The concept and principles of the methodology for assessing and ensuring the safety (protection) of critical information infrastructures are developed, working hypotheses, methods and models necessary for their implementation are suggested. The way of interaction of the elements of the proposed methodology, tasks and elements of the critical infrastructure protection system is shown. The results obtained are aimed at solving of one fundamental problem such as the existence of a contradiction between the intensive development of critical information infrastructures, negative influences and threats of various nature and the lack of methodological foundations, models, methods and information technologies for assessment and assurance of critical information infrastructure security and safety. The results obtained should be used to create elements of informational and analytical support for the decision maker in solving tasks related to the assessment and security (protection) of critical infrastructure

Critical Infrastructure: Making It Private or Public An Institutional Economic Discussion on the Example of Transport Infrastructure