European elections face growing threat of organised social media manipulation
07 Jan 2019 – 11:36 | No Comment

With a new batch of MEPs, a new president of the European Council and European Central Bank, as well as new commissioners due to take up their posts in 2019, European elections face growing threat …

Read the full story »

Energy & Environment

Circular Economy

Climate Change


Home » International

Supporting the CIIP Action Plan

Submitted by on 09 Mar 2012 – 13:07

By Steve Purser, Head of Technical Competence Department, ENISA.

Critical information infrastructure

Modern business systems that are designed to operate in a global environment are distributed in nature by definition and often rely for their correct functioning on the Internet and its supporting infrastructure. This supporting infrastructure is composed of several components, many of which are critical in the sense that a malfunction in these components could result in a serious degradation of network services or even a total outage.

An example of such a component would be the electricity grid where, although many enterprises may have the possibility to continue to operate their systems through local batteries and generators, this cannot be done indefinitely. The electricity grid is therefore a good example of what has come to be known as critical information infrastructure. The protection of critical components such as electricity grids, submarine cables and similar supporting infrastructure is necessary in order to ensure that other more specialised systems can continue to operate normally.

The importance of co-operation

In general, the political and economic impact of a failure in a critical information infrastructure component is likely to be much greater than a corresponding failure of a specific application. It is therefore essential to ensure that critical systems are adequately protected against significant risks, such as those associated with natural disasters or large-scale cyber-attacks.

However, the critical infrastructure that currently supports global networks such as the Internet is necessarily also global in nature. In other words, this infrastructure is designed to function in a cross-border environment. Consequently, any approach to securing this infrastructure must also be based on a cross-border perspective.

This requirement for a geographically coherent solution is easy to appreciate. Less obvious is the fact that a successful approach to securing critical information infrastructure also requires strong collaboration between the public and private sector. Whilst the public sector is responsible for defining policy, it is the private sector that owns and manages a significant proportion of the infrastructure and which therefore will need to implement the recommendations.

The CIIP Action Plan

In March 2009, the European Commission published the communication entitled “Protecting Europe from large-scale cyber-attacks and disruptions: enhancing preparedness, security and resilience”[1].  This Communication gives details of the main challenges facing critical information infrastructures and proposes an action plan aimed at increasing their protection. This action plan is based on five pillars:

  • Preparedness and prevention
  • Detection and response
  • Mitigation and recovery
  • International cooperation
  • Establishing criteria for European Critical Infrastructures in the ICT sector

The activities that form part of this action plan are being conducted under and in parallel to the European Programme for Critical Infrastructure Protection (EPCIP)[2]. The Commission communication strengthens the role of ENISA in this area and explicitly calls upon the Agency to contribute to the first three pillars.

The key instruments

The CIIP Action plan resulted in the establishment of two new instruments in the area of Critical Information Infrastructure protection (CIIP):

  • The European Forum for Member States (EFMS)
  • The European Public-Private Partnership for Resilience (EP3R)

The European Forum for Member States (EFMS) was established to enable Member States to share information and good practice in a trusted environment. Membership of this forum is restricted to nominated representatives of the Member States and meetings take place typically three to four times a year. The EFMS is a decision-making forum where Member States can influence cross-border issues in the area of CIIP. The idea behind the EFMS is to learn from existing national approaches to CIIP and to use this experience in formulating a viable cross-border approach. ENISA supports the EFMS by assisting the Commission and the Member States in identifying priorities, ensuring exchange of expertise on policy and operational aspects, by identifying good practices and by ensuring that risks are subject to suitable mitigation strategies.

The main objective of the second instrument, the European Public Private Partnership for Resilience (EP3R), is to encourage cooperation between the public and private sector on issues related to resilience and CIIP. The EP3R is not a decision-making body, but is a forum for discussing and disseminating successful initiatives and sharing lessons learned. A major challenge in this forum is building the necessary trust between the different participants given that the forum is continually growing in size. That having been said, it is encouraging to note that the EP3R is currently hosting a number of working groups, which are actively looking into a number of key issues:

  • Key assets / resources / functions for the continuous and secure provisioning of electronic communications
  • Security baseline requirements for the security and resilience of electronic communications
  • Coordination and cooperation needs and mechanisms to prepare for and respond to large scale disruptions

Results arising out of the EP3R will be discussed within the EFMS and these results will be used to support future policy initiatives.

Exercises and pan-European Contingency Planning

National contingency planning and exercises collectively constitute an area that is perhaps the best current example of the strength of a pan-European approach.

The decision to carry out a first pan-European CIIP exercise was taken in the Tallinn ministerial conference of April 2009, where a deadline for end of 2010 was set.  The exercise was  conducted on November 4, 2010 and involved all 27 Member States and three EFTA countries. The goal of the exercise was to test how well Member States communicate with each other in the event of an emergency. More specifically, the objectives were to test, in the event of a major incident:

  • If Member States knew who to contact in other Member States.
  • The level of understanding of the mandate and decision-making power of the contact point.
  • The understanding of which channels should be used for which data.

Although the exercise was supported by a scenario, this scenario was not the focus of the test. The scenario used was based on a cyber-incident with an impact on IP networks, affecting cross-border connectivity. It was (unrealistically) assumed that voice communications were not affected and that supporting facilities (such as power supplies) were not affected. These assumptions were made to simplify the test and enabled the emphasis to be placed on cross-border communication aspects. The scenario was implemented as a series of 320 injects. A total of 70 organisations and 150 experts participated.

Findings from the exercise were structured into a number of different categories; (a) planning & structure, (b) building trust, (c) understanding and (d) points of contact. A detailed report of the findings, together with the main recommendations has been published on the ENISA website[3].

Following this first successful exercise, it is planned to hold further exercises on a regular basis, although the exact frequency of such exercises still needs to be agreed with the Member States. Although the first exercise was conducted together with essentially public sector participants, it is likely that such exercises will be gradually opened up to the private sector following a structured approach – this is a reflection of the fact that most critical information infrastructure is owned and operated by the private sector.

The EU does not currently have a cross-border framework for contingency planning and incident response. However, exercises can be used as a motor to create such a framework, by providing ‘lessons learned’ and good practice in well-defined areas. This bottom-up approach could be expected to provide practical results in the short and medium-term, but would need to be accompanied by a top-down approach implementing appropriate governance principles in the long-term.


[1] “Protecting Europe from large-scale cyber-attacks and disruptions: enhancing preparedness, security and resilience” (COM(2009)149).

[2] COM(2006) 786 final