Good Governance for Critical Infrastructure Resilience
3. State of play in the governance of critical infrastructure resilience
Abstract
This chapter provides an overview of critical infrastructure resilience policies across OECD countries. Based on a cross-country survey, the chapter takes stock of the various approaches taken by countries to define critical infrastructure, target specific infrastructure sectors and assess their criticality. The chapter also discusses the different forms of partnerships between government and operators and reviews the policy tools used by governments to foster critical infrastructure resilience.
Government critical infrastructure policies in OECD countries
Critical infrastructure strategies and programmes
Comprehensive multi-sectoral public policies to support the resilience or protection of critical infrastructures began to appear in the mid-2000s. Out of the 34 OECD countries that responded to the Survey on the Governance of Critical Risks, 90% indicated that they have designated specific infrastructure sectors as critical (OECD, 2018[2]). Many OECD countries have defined critical infrastructure sectors, established an inventory of assets through a criticality and risk assessment process, and set up national programmes to strengthen their resilience to shocks. Such programmes are usually built on a governance mechanism that allows information sharing between government and critical infrastructure operators and includes a combination of policy tools, ranging from regulation to incentive mechanisms, to support the implementation of critical infrastructure resilience objectives. A list of these national strategies or programmes is provided in Annex 1.
This section of the report goes into more detail on how these national policies are designed and implemented, with the aim of providing a state of play across OECD countries. Countries’ responses to the OECD Survey on Critical Infrastructure, conducted in 2017-2018, helped inform this section (the overall results are presented in Annexes 3.A to 3.D). Twenty-five OECD countries responded to the survey: Austria, Belgium, Canada, Czech Republic, Estonia, Finland, France, Germany, Ireland, Israel, Korea, Latvia, Luxembourg, the Netherlands, New Zealand, Norway, Poland, Portugal, Slovak Republic, Spain, Sweden, Switzerland, Turkey, the United Kingdom and the United States.
Definitions of critical infrastructure vary across countries
Defining critical infrastructure is a necessary first step in setting up a critical infrastructure security and resilience policy. As shown in Annex 3.A, official definitions of critical infrastructure vary across countries. Some definitions refer to critical infrastructure as infrastructure whose functioning is vital or essential to economic and social well-being, while others stress their importance for the functioning of the State or national security.
In half of the 28 definitions gathered from the survey and desk-research, critical infrastructure is described as a combination of both vital processes for societal well-being and a security concern of the state. The other half remain focused on societal well-being and safety only.
Another observation reveals the growing concern around the interconnectedness and interdependencies of critical infrastructure and the need to adopt a systems approach. This is found in many definitions that describe critical infrastructure in detail as a combination of networks, systems, facilities, and technologies that contribute to delivering essential services or support vital functions. Other definitions also include the institutional or organisational structures supporting service delivery.
Although definitions vary, it may be agreed that the overarching notion of critical infrastructure is that its disruption will have severe consequences for socio-economic well-being and public safety, including national security. Australia, Canada, New Zealand, the United Kingdom, and the United States have developed a shared narrative and definition of critical infrastructure, also known as nationally significant infrastructure: the ‘systems, assets, facilities and networks that provide essential services and are necessary for the national security, economic security, prosperity, and health and safety of their respective nations’ (Critical Five, 2014[34]).
An important aspect is that the definition of critical infrastructure should not be static: updating and revising this definition can be a response to a dynamic national and international risk landscape. For instance, Switzerland is currently reviewing and simplifying its definition to “Critical infrastructures are processes, systems and facilities that are essential for the functioning of the economy and the well-being of the population, respectively.” This simplification will allow the scope of its critical infrastructure programme to be adjusted to changing conditions more easily than before, when the definition was more prescriptive. Similarly, in the United Kingdom, the definition has evolved to include impacts on national security, national defence, or the functioning of the state among the criteria used to define critical national infrastructure.
What are the critical infrastructure sectors?
The aim of defining critical infrastructure is to target the sectors that are most crucial to societal and economic security and stability. Along with the definitions, lists of sectors also vary across countries. A comparative table that maps out the sectors deemed critical infrastructure makes it possible to survey general trends as well as sectors that are more country-specific. The table in Annex 3.C presents a cross-country comparison of how countries differ in categorising critical infrastructure sectors, while Figure 3.1 synthesises the most common types of critical infrastructure sectors across OECD countries from the OECD survey.
Some countries have a large number of critical infrastructure sectors, like the United States with 16 different sectors (White House, 2013[43]). Other countries can limit their critical infrastructure policy to two sectors only, such as Portugal, with only electricity and transportation considered as critical infrastructure sectors as per the provisions of the 2008 Directive of the European Council on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (European Council, 2008[44]).
Overall, six sectors are widely classified as critical across OECD countries: information and communication technologies, energy, finance, health, transport and water. A second group of sectors, including government, food supply, the chemical industry, and public safety, is mentioned as critical in at least half of the responding countries. Other sectors appear to be more country-specific. These include law enforcement, nuclear, dams and food defence, critical manufacturing, the defence industry and the space sector, which are not considered critical for the functioning of society in the vast majority of countries’ critical infrastructure policies.
Similar to the generic definition of critical infrastructure, the list of critical sectors can evolve over time to address emerging vulnerabilities and evolving risks. Some countries have also decided to define general sectors as well as sub-sectors of critical infrastructure, which leads to differences in categorisation across countries. For example, Switzerland does not provide a separate category for the nuclear sector, as is the case in the United States; instead, it is a sub-category of the energy supply and distribution sector. While these differences reflect national preferences, it can be important to better harmonise approaches across countries, especially to favour transboundary and international cooperation on this policy issue.
Identifying critical assets and assessing their vulnerabilities
The next step of a comprehensive critical infrastructure policy is to define a systematic analytical approach to prioritise resilience measures for critical infrastructure. A prioritisation process includes several steps of assessment and can inform targeted planning and investment decisions. First, not all infrastructure assets have the same level of criticality. Criticality assessments should be conducted to identify assets, systems, and networks that are truly critical (DHS, 2013[45]; Theocharidou and Giannopoulos, 2015[46]).
Identifying critical assets with criticality assessment
Criticality analysis should include an assessment of the impacts of a critical infrastructure disruption against a range of pre-established criteria. Several approaches are used across OECD countries. For instance, in Switzerland a first differentiation is made between the different sectors and sub-sectors using three categories of criticality (very high criticality, high criticality, normal criticality). In the Netherlands, economic, physical and social criteria are used to define the different critical infrastructure processes, and a further distinction is then made between category A, where disruptions can have large impacts and cascading effects, and category B, where impacts can be lower, in order to reflect the diversity within critical infrastructure and to set priorities. In terms of criteria, the European Commission defines a minimum set for critical infrastructure assessment, including public impacts, economic impacts, environmental impacts, interdependence, political impacts and psychological impacts (European Council, 2008[44]).
The important point in criticality assessment is to include an interdependency assessment, in order to identify the critical points of a system, or between different sectors, that are essential to keep running when a crisis occurs so as to avoid cascading failures. Critical infrastructure dependencies and interdependencies can be physical, when the state of one infrastructure depends on the material output of another, but digital, geographic and logical dependencies also need to be considered in such an assessment (Rinaldi, Peerenboom and Kelly, 2001[47]; Macaulay, 2009[48]). Against this backdrop, it is important to develop models to estimate service loss, which requires mapping out the functional links between infrastructure systems.
While interdependency analysis is an area where research is making significant progress, methodologies are not yet widely utilised across OECD countries: only 36% of the respondents to the OECD Survey indicated that they had identified dependencies (Figure 3.2). Argonne National Laboratory in the United States provides a useful overview on the different methods that governments and operators can use for such interdependency assessment of critical infrastructure (Petit et al., 2015[49]).
Criticality assessment usually leads to the development of critical asset inventories, registers or maps, with different levels of classification according to criticality. Most of the countries that have established critical infrastructure programmes and strategies have set up such inventories. For instance, in France, critical infrastructures are precisely referenced and located by the General Secretariat for Defence and National Security, and an effort to focus on the most critical ones led to reducing their number from more than 7000 to around 1500. There are also examples of transboundary mapping of critical infrastructure, such as at the European Union level, in the context of EU Directive 2008/114/EC on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
Conducting vulnerability analysis to identify weak points
Once critical assets are mapped out and hierarchically classified, vulnerability assessments enable identifying weak points where potential failures are likely to happen. A thorough vulnerability assessment of critical infrastructure provides insight into the most important risks, threats, vulnerabilities and degree of resilience of this infrastructure. To do so, it is fundamental to stress test critical infrastructure vulnerability to a series of risk scenarios of different likelihood, magnitude, or their combination, across a range of potential hazards and threats. These assessments consider the most likely scenarios, in addition to those that are less probable, but might nonetheless materialize.
A holistic, all-hazards approach can help uncover complex vulnerabilities. Canada’s national strategy for critical infrastructure equally stresses the need for an all-hazards risk analysis that takes accidental, intentional and natural hazards into account (Public Safety Canada, 2014[50]). It can also be important to integrate the vulnerabilities of the governance systems of critical infrastructure in the analysis, as management failures during crises are all too common. The European Commission Joint Research Centre, for instance, has developed a stress-testing tool that focuses on these complex governance aspects, with applications in the nuclear and banking sectors (Galbusera, Giannopoulos and Ward, 2014[51]).
Vulnerability assessments for critical infrastructures can be performed using a variety of methodologies. Box 3.1 provides examples of such methodologies from a series of OECD countries. These methodologies range from deterministic approaches to probabilistic methods. Deterministic approaches analyse and interpret historical disaster events and available retrospective data in light of new developments. Disaster scenarios and simulations expand on retrospective analyses.
Risk assessment as the basis for resilience investments
The identification of weak points allows prioritising where to concentrate resilience efforts in existing infrastructure systems: on failure points that would have the most severe consequences. Such prioritization can inform targeted planning and investment decisions, such as what infrastructure should be hardened or relocated first, or what infrastructure should receive priority restoration in the aftermath of a disaster to ensure rapid recovery (Verner, Petit and Kihaek, 2017[52]).
Risk assessment can be complemented by an evaluation of the benefits of investments in resilience or security in reducing risks, for both existing infrastructure and new projects. By comparing the benefits of different resilience measures in reducing the risk of failure, risk-informed cost-benefit analysis can support decision-making and resilience investment decisions.
Box 3.1. Critical Infrastructure Risk Assessment Methodologies in OECD countries
Critical Infrastructures and Systems Risk and Resilience Assessment Methodology (CRISRRAM).
CRISRRAM is a methodology developed by the European Commission. It takes an all-hazards and systems of systems approach, addressing risks and vulnerabilities of critical infrastructure at asset level, system level and society level. To tackle the complexity of risk assessments, CRISRRAM takes a scenario-based approach and recommends the assessment of all relevant single- and multi-hazard scenarios. To select the appropriate scenarios, Threat Likelihood Assessments should be done.
RAMCAP-Plus
The RAMCAP-Plus methodology was developed by the American Society of Civil Engineers as an all-hazards risk and resilience assessment approach. It encompasses all infrastructures factoring in the dual objectives of protection and resilience. The seven steps in the methodology are: asset characterization; threat characterization; consequence analysis; vulnerability analysis; threat assessment; risk and resilience assessment; and risks and resilience management. The tool has been designed for use by critical infrastructure operators and decision-makers alike.
DHS Regional Resiliency Assessment Program (RRAP)
The Regional Resiliency Assessment Program (RRAP) is a cooperative assessment of specific critical infrastructure within a designated geographic area and a regional analysis of the surrounding infrastructure to address a range of infrastructure resilience issues that could have regionally and nationally significant consequences. These voluntary, non-regulatory RRAP projects are led by the US Department of Homeland Security and are selected each year by the Department with input and guidance from federal, state, and local partners. This approach is being replicated in Canada.
Sharing information on risks and vulnerabilities
Most OECD countries have established information-sharing platforms
Governance arrangements for strengthening critical resilience highlight the need for partnerships and platforms for facilitating information sharing and exchange of knowledge. The commitment of governments and operators to engage in dialogue about these issues through institutionalized, regular meetings has proven useful to build mutual trust based on shared interest, as well as to foster regular information sharing, joint exercises, situation awareness, coordination of actions, mutual assistance, sharing of equipment and emergency stocks.
Several countries have developed programmes and approaches to foster trust-based connections between government and private owners and operators. Technical solutions, such as information-sharing and collaboration web portals, can serve as a secure environment where private- and public-sector stakeholders can easily and regularly exchange data, information, and good practices relevant to critical infrastructure resilience (Bach et al., 2013[25]; Lewis, 2006[54]).
The OECD Survey shows that 80% of the respondents have established such information-sharing mechanisms or platforms, most often on a voluntary basis. Box 3.2 provides examples of successful critical infrastructure stakeholder engagement and secure information-sharing approaches.
Challenges for effective information-sharing
Although information-sharing presents many benefits for better understanding and exchange of expertise to increase resilience of critical infrastructure, there remain several prevalent challenges.
Ensuring the security of the information shared by owners and operators of critical infrastructure is an essential component for building mutual trust, as some of this information may be important for their competitiveness in the market or their image. As operators might not always be inclined to share sensitive information about their vulnerabilities and/or their critical dependencies outside of safe circles, ensuring mutual trust and the security of the information shared is an important aspect of fostering dialogue and exchange.
Equally important is to focus on the quality rather than the quantity of the information shared through these mechanisms. The clearer and more precise the information shared is, the more added value it can offer to building the resilience of critical infrastructure. All parties across government and the private sector should see the benefits of this information-sharing practice from their respective sides. Filtering through massive amounts of information is less effective than sharing the most important elements about the security of critical infrastructure. Good-quality information can create incentives to boost resilience.
Operators might be reluctant to engage in such partnerships if they fear it will lead to extra costs that they will have to finance once their vulnerabilities are known. Similarly, the risk that competitors do not engage in the process and free-ride on the increased level of resilience that it would lead to can make it difficult for operators to engage. Minimum security standards can help ensure that there are no ‘weakest links’ that could jeopardise the overall security of the system, while also overcoming underinvestment in resilience and the lack of willingness to engage.
Box 3.2. Critical Infrastructure Stakeholder Engagement and Information Sharing
Seeking to facilitate efficient and effective relationships across stakeholder groups with shared responsibility for critical infrastructure resilience, several countries have developed programs and approaches to foster trust-based connections between government and private owners and operators.
• Australia’s Trusted Information Sharing Network (TISN) for Critical Infrastructure Resilience
The TISN provides a secure, non-competitive environment in which all critical infrastructure stakeholders can collaborate and engage in resilience building initiatives. The Network allows owners and operators across sector groups to regularly share information and cooperate within and across sectors to address security and business continuity challenges.
• Canada Critical Infrastructure Gateway
The Gateway meets one of the objectives under the Canadian National Strategy and Action Plan for Critical Infrastructure: the timely advancement of information sharing and protection among critical infrastructure partners. It is a collaborative, unclassified web-based workspace that includes members of the critical infrastructure community.
• The European Union’s Critical Infrastructure Warning Information Network (CIWIN)
CIWIN is an information sharing system developed as a supporting component of the European Programme for critical Infrastructure Protection. The CIWIN facilitates the exchange of information on shared threats, vulnerabilities and appropriate measures and strategies to mitigate risk to critical infrastructure among European Union members and the European Commission. In addition to its information-sharing function, the CIWIN serves as a rapid alert system for early warnings regarding acute risks and threats.
• United States Information Sharing and Analysis Centers (ISACs)
Sector-specific ISACs may be extensions of the national-level government, as in the case of the U.S. Telecommunications ISAC, which is managed by the National Communications System within the U.S. Department of Homeland Security, or entirely run by industry, as is the U.S. Water ISAC, a non-profit extension of the water sector’s professional society. ISACs are viewed as a source for security-related best practices and for hazard and threat indications, warnings, and assessments.
• United States Department of Homeland Security Protective Security Advisor (PSA) Program
The program provides for proactive engagement among government partners and private sector owners and operators with responsibility for critical infrastructure. PSAs plan, coordinate, and conduct security and resilience surveys and assessments of nationally significant critical infrastructure. The program also delivers outreach activities and provides owners, operators, and other stakeholders with access to critical infrastructure security and resilience resources, training, and information. During and after an incident, Advisors serve as liaisons between government officials and private sector critical infrastructure owners and operators.
Sources: Australian Government, Trusted Information Sharing Network, http://www.tisn.gov.au; Canadian Critical Infrastructure Information Gateway, https://cigateways.ps.gc.ca; EU Critical Infrastructure Warning Information Network, http://ec.europa.eu/dgs/home-affairs/what-we-do/networks/critical_infrastructure_warning_information_network/index_en.htm; U.S. Department of Homeland Security, Partnering for Critical Infrastructure Security and Resilience, https://www.dhs.gov/publication/nipp-2013-partnering-critical-infrastructure-security-and-resilience; US DHS, Protective Security Advisors, https://www.dhs.gov/protective-security-advisors
Prioritising resilience measures and policy instruments
A large variety of policy tools to foster operators’ resilience investments exists
Strengthening the resilience of critical infrastructure is a collaborative effort amongst several stakeholders, requiring a mix of tools to gather information, prioritise resilience investments, and increase overall incentives.
Governments can choose from a variety of policy tools and mechanisms to strengthen critical infrastructure resilience. Instruments range from prescriptive regulatory tools and compensation mechanisms to voluntary frameworks based on partnerships between government and operators. Twenty-two policy tools have been identified in the OECD Survey on critical infrastructure resilience (Table 3.1). These policy tools are further described in Annex 3.D. This comprehensive list aims to present the different policy options that governments can use once they have set up a critical infrastructure resilience programme, identified their most critical infrastructures and their vulnerabilities, and established an information-sharing mechanism with critical infrastructure operators.
Table 3.1. Policy tools to foster critical infrastructure resilience
1. Provision of hazards and threats information
2. Voluntary information-sharing mechanisms or platforms
3. Mandatory information-sharing mechanisms or platforms
4. Awareness raising activities and trainings
5. Resilience guidelines for critical infrastructure operators
6. Fostering the development/use of professional standards
7. Incentive mechanisms to assess risks and vulnerabilities
8. Incentive mechanisms for investing in resilience
9. Sectoral prescriptive regulations dedicated to CIP
10. Performance-based regulations on business continuity
11. Mandatory business continuity plans
12. Inspections and performance assessments
13. Fines for non-compliance with resilience requirements
14. Other types of penalties for non-compliance
15. Ranking based on inspection / performance results
16. Reporting on operators’ resilience
17. Sharing best practices
18. Public investments in infrastructure resilience
19. Guidance for sub-national levels of government
20. Mandatory insurance for critical infrastructure
21. Peer-reviews, monitoring and evaluation
22. Sectoral mutual aid agreements
Note: This listing of policy tools was prepared by the OECD Secretariat, based on approaches presented at the OECD High Level Risk Forum and desk research.
Source: OECD Secretariat
Identifying the pros and cons of these different tools in different policy contexts can be of great support in designing critical infrastructure protection and resilience policies. The OECD High Level Risk Forum, through its survey and case studies, has begun to take stock of these policy tools. The following considerations can help guide the choices that governments make amongst these different options.
Regulation is an important method that provides mandatory requirements and enforcement mechanisms for critical infrastructure resilience. The regulatory approach has the strength of providing mandatory requirements, but it can also prove costly and can lag behind technological developments in many sectors, requiring regular updates. Different regulatory approaches can be applied, from prescriptive sectoral regulations to performance-based ones, which let operators define for themselves the way to achieve resilience targets.
Financial incentives provide another method to increase investments and continuity plans for critical infrastructure protection and resilience. The design of compensation mechanisms for customers in case of service disruption or other types of penalties can be used to internalise the benefits of resilience. This provides operators with the choice of the ways to increase their resilience. In Finland, the 2013 Energy Market Act provides such an incentive structure for electricity distribution operators to invest in the resilience of their network, with the combination of price incentives for improved resilience with important fees in case resilience targets are not attained (Chapter 4).
Public finance used for critical infrastructure resilience can set standards and demonstrate the value of up-front investments in resilience. Integrating resilience in major public investment projects sets an example for value and benefits of these investments, and can create incentives for other critical infrastructure owners and operators to follow suit (OECD, 2018[12]). Public procurement is increasingly factoring in climate resilience, which can serve as an approach to expand to other risks as well. For example, the Greater Paris 30 billion euro investment in public transportation was designed with specific flood resilience requirements beyond the existing regulation (OECD, 2014[7]).
Peer-pressure is another policy option that works amongst owners and operators of critical infrastructure, based on holding up their image and rankings to the public. Creating public access to evaluations of critical infrastructure creates concerns for companies and their image. Rankings are important indicators of resiliency and an incentive-creating mechanism. Korea has included a mechanism of peer-pressure within its system for managing the failure of infrastructure. Every year, the Periodic Nationwide Safety Diagnosis makes a sampling diagnosis of 21 types of infrastructure. These evaluations are made public and provide rankings of the infrastructure, creating important incentives for companies to keep up their public image. Another example is found with the National Emergency Supply Agency (NESA) in Finland. The annual assessment of the business continuity plans of operators in the energy sector is presented to the pool of operators so that they can compare their performance and learn from each other (see Chapter 4). While in this case the results are not publicly disclosed, peer-pressure within the sector provides incentives for improving performance. The increasing public disclosure of climate risks can here also provide elements of reflection for critical infrastructure resilience to multiple hazards (OECD, 2018[12]).
Finding the right combination between mandatory and voluntary frameworks
It is important for governments to find the right combination between mandatory and voluntary frameworks to enhance stakeholder engagement in resilience. As shown in Figure 3.3, the results of the OECD survey indicate a preference towards voluntary frameworks to strengthen critical infrastructure resilience.
Instruments such as guidance for sub-national levels of government, awareness raising activities and trainings, provision of hazards and threats information, resilience guidelines for critical infrastructure operators and voluntary information-sharing mechanisms are the policy tools most commonly used by OECD governments. By contrast, more stringent tools, such as inspections and performance assessments, sectoral prescriptive regulations, or mandatory business continuity plans, are less utilised by OECD countries to foster critical infrastructure resilience.
This preference for voluntary frameworks demonstrates that, overall, critical infrastructure resilience policies are still at an early stage in many OECD countries. In that context, operators’ engagement in broad multi-stakeholder partnerships with governments remains a key priority, as it enables building trust between the public and the private sector. Adopting voluntary frameworks appears to be more effective in achieving this objective.
Nevertheless, this approach does not necessarily guarantee a strong enough incentive structure to ensure that sufficient investments are effectively made to attain the expected resilience targets. Over the years, once the value of these partnerships is widely acknowledged, one can expect that mandatory approaches will be more easily accepted and more widely developed, in order to guarantee that operators meet some form of minimum common standards of resilience. The OECD Policy Toolkit on the Governance of Critical Infrastructure Resilience proposed in Chapter 5 provides a way forward for governments aiming to progressively strengthen the resilience of critical infrastructure in their country with a staged approach based on partnerships.
Cost-sharing arrangements for resilient investments
Operators have a keen interest in maintaining the continuity of their services and their reputation, and therefore in investing in resilience. Such investments, however, usually carry up-front costs, even if these are expected to be repaid through greater reliability of service and resilience to shocks.
The question is how to strike the right balance. Excessive requirements imposed by governments to strengthen resilience translate into higher costs of service borne by customers, citizens and businesses. When choosing the policy tools best suited to improving critical infrastructure resilience in their national context, governments should assess how each option provides effective incentives for operators to invest in resilience while containing the repercussions on the cost of service. Solving this economic equation is the cornerstone of an efficient policy, but there is no simple solution. As the Finland case study in Chapter 4 shows, trusted partnerships and regular dialogue between governments, regulators and operators provide the setting in which cost-sharing arrangements to attain resilience objectives can be discussed.
References
[25] Bach, C. et al. (2013), "Adding value to critical infrastructure research and disaster risk management: the resilience concept", S.A.P.I.EN.S, Vol. 6/1, https://journals.openedition.org/sapiens/1626 (accessed on 25 February 2019).
[36] Barami, B. (2013), Infrastructure Resiliency: A Risk-Based Framework, US Department of Transportation, https://www.volpe.dot.gov/sites/volpe.dot.gov/files/docs/Infrastructure%20Resiliency_A%20Risk-Based%20Framework.pdf (accessed on 25 February 2019).
[37] Chang, S. et al. (2014), "Toward Disaster-Resilient Cities: Characterizing Resilience of Infrastructure Systems with Expert Judgments", Risk Analysis, Vol. 34/3, pp. 416-434, http://dx.doi.org/10.1111/risa.12133.
[34] Critical Five (2014), Forging a Common Understanding for Critical Infrastructure: Shared Narrative, https://www.dhs.gov/sites/default/files/publications/critical-five-shared-narrative-critical-infrastructure-2014-508.pdf (accessed on 25 February 2019).
[45] DHS (2013), NIPP 2013: Partnering for Critical Infrastructure Security and Resilience, US Department of Homeland Security, https://www.dhs.gov/publication/nipp-2013-partnering-critical-infrastructure-security-and-resilience (accessed on 25 February 2019).
[44] European Council (2008), Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:345:0075:0082:EN:PDF (accessed on 26 February 2019).
[19] Flynn, S. (2015), Bolstering Critical Infrastructure Resilience After Superstorm Sandy: Lessons for New York and the Nation, Northeastern University, Boston, Massachusetts, http://dx.doi.org/10.17760/D20241717.
[35] Flynn, S. (2008), "America the Resilient: Defying Terrorism and Mitigating Natural Disasters", Foreign Affairs, https://www.foreignaffairs.com/articles/2008-03-02/america-resilient (accessed on 25 February 2019).
[51] Galbusera, L., G. Giannopoulos and D. Ward (2014), Developing stress tests to improve the resilience of critical infrastructures: a feasibility analysis, European Commission Joint Research Centre, http://dx.doi.org/10.2788/954065.
[53] Giannopoulos, G., R. Filippini and M. Schimmer (2012), Risk assessment methodologies for Critical Infrastructure Protection. Part I: A state of the art, European Commission Joint Research Centre, http://dx.doi.org/10.2788/22260.
[54] Lewis, T. (2006), Critical infrastructure protection in homeland security: defending a networked nation, Wiley-Interscience.
[48] Macaulay, T. (2009), Critical infrastructure: understanding its component parts, vulnerabilities, operating risks, and interdependencies, CRC Press, https://www.crcpress.com/Critical-Infrastructure-Understanding-Its-Component-Parts-Vulnerabilities/Macaulay/p/book/9781420068351 (accessed on 26 February 2019).
[42] Moteff, J. (2012), Critical Infrastructure Resilience: The Evolution of Policy and Programs and Issues for Congress, CRS Report for Congress, Congressional Research Service, https://fas.org/sgp/crs/homesec/R42683.pdf (accessed on 25 February 2019).
[2] OECD (2018), Assessing Global Progress in the Governance of Critical Risks, OECD Reviews of Risk Management Policies, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264309272-en.
[12] OECD (2018), "Climate-resilient Infrastructure", OECD Environment Policy Paper, No. 14, OECD, Paris, http://www.oecd.org/environment/cc/policy-perspectives-climate-resilient-infrastructure.pdf (accessed on 25 February 2019).
[7] OECD (2014), Seine Basin, Île-de-France, 2014: Resilience to Major Floods, OECD Reviews of Risk Management Policies, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264208728-en.
[9] OECD (2011), Future Global Shocks: Improving Risk Governance, OECD Reviews of Risk Management Policies, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264114586-en.
[41] OECD and EU JRC (2018), System thinking for critical infrastructure resilience and security, OECD/JRC Workshop, http://www.oecd.org/gov/risk/workshop-oecd-jrc-system-thinking-for-critical-infrastructure-resilience-and-security.htm (accessed on 25 February 2019).
[49] Petit, F. et al. (2015), Analysis of Critical Infrastructure Dependencies and Interdependencies, Argonne National Laboratory, https://publications.anl.gov/anlpubs/2015/06/111906.pdf (accessed on 26 February 2019).
[50] Public Safety Canada (2014), Action Plan for Critical Infrastructure 2014-2017, https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/pln-crtcl-nfrstrctr-2014-17/pln-crtcl-nfrstrctr-2014-17-eng.pdf (accessed on 26 February 2019).
[47] Rinaldi, S., J. Peerenboom and T. Kelly (2001), Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies, https://pdfs.semanticscholar.org/b1b7/d1e0bb39badc3592373427840a4039d9717d.pdf (accessed on 26 February 2019).
[46] Theocharidou, M. and G. Giannopoulos (2015), Risk assessment methodologies for critical infrastructure protection. Part II: A new approach, European Commission Joint Research Centre, http://dx.doi.org/10.2788/621843.
[52] Verner, D., F. Petit and K. Kihaek (2017), "Incorporating Prioritization in Critical Infrastructure Security and Resilience Programs", Homeland Security Affairs, Vol. 13, https://www.hsaj.org/articles/14091 (accessed on 26 February 2019).
[43] White House (2013), Presidential Policy Directive 21: Critical Infrastructure Security and Resilience, https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil (accessed on 25 February 2019).
Annex 3.A. Critical infrastructure strategy or programme and lead institution in charge

| Country | Y/N* | Critical infrastructure strategy or programme | Lead institution in charge |
|---|---|---|---|
| Australia | Yes | Critical Infrastructure Resilience Strategy (2015), https://www.tisn.gov.au/Documents/CriticalInfrastructureResilienceStrategyPlan.PDF | Attorney-General's Department / Critical Infrastructure Centre |
| Austria | Yes | Austrian Program for Critical Infrastructure Protection – Masterplan 2014, http://archiv.bundeskanzleramt.at/DocView.axd?CobId=58907 | Federal Chancellery; Federal Ministry of the Interior |
| Belgium | Yes | Belgium Critical Infrastructure Protection Strategy, https://crisiscentrum.be/nl/inhoud/kritieke-infrastructuur-0 | Federal Public Service Home Affairs, National Crisis Centre (directorate CIPRA) |
| Canada | Yes | National Strategy for Critical Infrastructure, www.publicsafety.gc.ca/cnt/ntnl-scrt/crtcl-nfrstrctr/index-en.aspx | Public Safety Canada |
| Chile | No | | |
| Czech Republic | Yes | National Programme for Critical Infrastructure Protection (2010); Comprehensive Strategy of the Czech Republic for Critical Infrastructure (2010) | Ministry of the Interior of the Czech Republic |
| Denmark | No | | |
| Estonia | Yes | Internal Security Development Plan 2015-2020 | Ministry of the Interior |
| Finland | Yes | Government decision on the security of supply (2013), https://www.nesa.fi/security-of-supply/objectives/ | National Emergency Supply Agency, http://www.nesa.fi/ |
| France | Yes | Instruction générale interministérielle relative à la sécurité des activités d'importance vitale, http://circulaire.legifrance.gouv.fr/pdf/2014/01/cir_37828.pdf; critical infrastructure protection strategy defined in law (Defence Code, articles L. 1332-1 to L. 1332-7 and R. 1332-1 to R. 1332-42) | Secrétariat Général de la Défense et de la Sécurité Nationale (SGDSN), www.sgdsn.fr |
| Germany | Yes | National Strategy for Critical Infrastructure Protection (2009), https://www.bmi.bund.de/SharedDocs/downloads/EN/publikationen/2009/kritis_englisch.pdf?__blob=publicationFile&v=1 | Federal Ministry of the Interior |
| Greece | Yes | | |
| Hungary | N/A | | |
| Iceland | Yes | | |
| Ireland | Yes | | |
| Israel | Yes | | National Emergency Management Authority, Ministry of Defense |
| Italy | N/A | | |
| Japan | No | | |
| Korea | Yes | National Infrastructure Protection Plan | Ministry of the Interior and Safety (MOIS) |
| Latvia | Yes | Procedures for the identification of critical infrastructures, Cabinet of Ministers Regulation No. 496 of 1 June 2010, http://likumi.lv/doc.php?id=212031; Procedures for planning and implementation of security measures for critical infrastructure, Regulation No. 100 (2017), http://likumi.lv/doc.php?id=225776; Regulation on the structure of civil protection plans, Cabinet of Ministers Regulation No. 658 of 7 November 2017, https://likumi.lv/ta/id/294938-noteikumi-par-civilas-aizsardzibas-planu-strukturu-un-tajos-ieklaujamo-informaciju | National Security Interinstitutional Commission; Secretariat: Ministry of the Interior |
| Luxembourg | Yes | Grand-ducal regulation of 21 February 2018 laying down the identification and designation of critical infrastructure, http://data.legilux.public.lu/eli/etat/leg/rgd/2018/02/21/a152/jo; Grand-ducal regulation of 21 February 2018 specifying the structure for security and business continuity plans of critical infrastructure, http://data.legilux.public.lu/eli/etat/leg/rgd/2018/02/21/a151/jo | High Commission for National Protection, https://hcpn.gouvernement.lu/en/service/attributions.html |
| Mexico | Yes | | |
| Netherlands | Yes | Critical Infrastructure Protection, January 2018, https://english.nctv.nl/binaries/Factsheet%20Vitaal%20ENG%202016%20(web)_tcm32-240750.pdf | National Coordinator for Security and Counterterrorism (NCTV), https://english.nctv.nl/ |
| New Zealand | Yes | Obligations on infrastructure providers are set by the Civil Defence Emergency Management Act 2002 and secondary legislation, including the National Civil Defence Emergency Management Plan Order 2015 and the "Lifeline Utilities and CDEM – Director's Guideline for Lifeline Utilities and Civil Defence Emergency Management Groups" [DGL 16/14]. The Thirty Year New Zealand Infrastructure Plan 2015 sets out central government's long-term vision for infrastructure that is resilient, coordinated and contributes to a strong economy and high living standards. | Ministry of Civil Defence and Emergency Management (MCDEM) |
| Norway | Yes | Vital functions in society, https://www.dsb.no/globalassets/dokumenter/rapporter/kiks-ii_english_version.pdf | Directorate for Civil Protection (DSB), https://www.dsb.no/menyartikler/english/ |
| Poland | Yes | National Critical Infrastructure Protection Programme, http://rcb.gov.pl/wp-content/uploads/NPOIK-2015_eng-1.pdf | Government Security Center (RCB) |
| Portugal | No | No specific national programme or strategy, but a national regulation on CIP exists (Decree-Law 62/2011 of 9 May) | National Authority for Civil Protection (ANPC); Internal Security System (SSI) |
| Slovak Republic | No | Act on Critical Infrastructure No. 45/2011 | Ministry of the Interior |
| Slovenia | Yes | | |
| Spain | Yes | Law 8/2011 of 28 April "Establishing measures for the protection of critical infrastructures" and Royal Decree 704/2011 of 20 May, http://www.cnpic.es/; National Plan for Critical Infrastructure Protection (updated February 2016, classified); Spanish Critical Infrastructure Protection Planning System (classified), http://www.cnpic.es/en/Preguntas_Frecuentes/que_es_el_sistema_de_planificacion_PIC/index.html | National Center for Infrastructure Protection & Cybersecurity (CNPIC) |
| Sweden | Yes | Action Plan for the Protection of Vital Societal Functions & Critical Infrastructure | Swedish Civil Contingencies Agency (MSB) |
| Switzerland | Yes | New CIP strategy to be adopted by the Federal Council on 8 December 2017 | Federal Office for Civil Protection (FOCP) |
| Turkey | Yes | 2014-2023 Technological Disasters Roadmap Document; 2018-2022 AFAD Strategic Plan | Disaster and Emergency Management Presidency (AFAD) |
| United Kingdom | Yes | 2015 National Security Strategy and Strategic Defence and Security Review, http://www.cpni.gov.uk/about/cni/ | Centre for the Protection of National Infrastructure (CPNI); National Cyber Security Centre (NCSC) |
| United States | Yes | NIPP 2013: Partnering for Critical Infrastructure Security and Resilience, and 2015 Sector-Specific Plans | Department of Homeland Security (DHS) |

*: Yes or No response to the question "Has your national government adopted a critical infrastructure strategy or programme?"
Annex 3.B. Definition of Critical Infrastructure in OECD countries

| Country | Official definition of critical infrastructure |
|---|---|
| Australia | Those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia's ability to conduct national defence and ensure national security. Source: Critical Infrastructure Resilience Strategy (2010) and Critical Infrastructure Resilience Strategy: Plan (2015) |
| Austria | Critical infrastructures are those infrastructures (systems, facilities, processes, networks or parts thereof) that are essential for the maintenance of important social functions and whose disruption or destruction seriously affects the health, safety or economic and social well-being of large parts of the population or the effective functioning of state institutions. Source: http://archiv.bundeskanzleramt.at/DocView.axd?CobId=58907 |
| Belgium | A critical infrastructure is defined in Belgian law as "an asset, system or part thereof, of federal importance, which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact as a result of the failure to maintain those functions". Source: https://crisiscentrum.be/sites/default/files/loi_du_1er_juillet_2011_sur_les_ic.pdf |
| Canada | Critical infrastructure refers to processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. Source: National Strategy for Critical Infrastructure (2009) and Action Plan for Critical Infrastructure 2014-2017 |
| Czech Republic | Critical infrastructure shall denote the element of critical infrastructure or the system of elements of critical infrastructure, disruption of which would have a significant impact on the State security, on ensuring the basic living needs of the population, on health of people and State economy. Source: Crisis Management Act No. 240/2000 Coll. |
| Estonia | Adopts the same definition as Council Directive 2008/114/EC. In addition, Estonia has introduced the term "vital service" into domestic legislation. A vital service is a service that has an overwhelming impact on the functioning of society and the interruption of which is an immediate threat to the life or health of people or to the operation of another vital service or service of general interest. A vital service is regarded in its entirety together with a building, piece of equipment, staff, reserves and other similar facilities indispensable to the operation of the vital service. Source: Republic of Estonia Information System Authority, https://www.ria.ee/en/ciip.html |
| European Union | Critical infrastructure "means an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions". "European critical infrastructure" or "ECI" means critical infrastructure located in Member States the disruption or destruction of which would have a significant impact on at least two Member States. Source: Council Directive 2008/114/EC |
| France | The institutions, structures or facilities that provide the essential goods and services forming the backbone of French society and its way of life. Source: General Secretariat for Defence and National Security (SGDSN), January 2017, http://cache.media.education.gouv.fr/file/2017/54/5/SGDSN-PLAQUETTE_SAIV_ANG_12012017_763545.pdf |
| Finland | Infrastructures that are most crucial to the functioning of society are called critical infrastructures. In the Security Strategy for Society, critical infrastructures are defined as the structures and functions that are vital for the continuous functioning of society. Critical infrastructure includes physical facilities and structures as well as online functions and services. Source: The Security Committee, 2015, https://www.turvallisuuskomitea.fi/index.php/fi/files/26/.../Secure%20Finland.pdf |
| Germany | Critical infrastructures (CI) are organisational and physical structures and facilities of such vital importance to a nation's society and economy that their failure or degradation would result in sustained supply shortages, significant disruption of public safety and security, or other dramatic consequences. Source: National Strategy for Critical Infrastructure Protection (2009) |
| Israel | A complex of buildings and infrastructure, technological systems, logistical equipment, computing and communications systems, that are institutionally activated and controlled, that provides a vital service to the population and economy. Source: 2017 OECD High Level Risk Forum Critical Infrastructure Questionnaire |
| Korea | National infrastructure means facilities deemed necessary to be continuously managed in order to protect the national infrastructure, according to the following standards: 1. ripple effects on other infrastructure, systems, etc.; 2. the need for at least two central administrative agencies to respond jointly to disasters; 3. the scale and scope of damage that a disaster would cause to national security, the economy and society; 4. the likelihood that a disaster occurs and the ease of recovering from it. Source: Framework Act on the Management of Disasters and Safety |
| Latvia | Objects, systems or parts of systems located on the territory of the Republic of Latvia which are important for the implementation of functions vital to society and for the provision of health protection, security, economic and social welfare, and the destruction or malfunction of which would significantly affect the functions of the State. Source: National Security Law, 2010 |
| Luxembourg | Critical infrastructure means any point, system or part of it which is indispensable for the safeguarding of vital interests or essential needs of all or part of the country or population, or which is likely to be subject to a particular threat. Source: Loi du 23 juillet 2016, http://legilux.public.lu/eli/etat/leg/memorial/2016/137 |
| Mexico | Strategic infrastructure is defined as infrastructure that is indispensable for the provision of public goods and services and whose destruction or disruption is a threat to national security. |
| Netherlands | Certain processes are very critical for Dutch society. The failure or disruption of such processes would result in severe social disruption and poses a threat to national security. These processes together form the critical infrastructure of the Netherlands. Source: National Coordinator for Security and Counterterrorism, January 2018, https://english.nctv.nl/binaries/Factsheet%20Critical%20Infrastructure%20ENG%202018_tcm32-240750.pdf |
| New Zealand | Critical infrastructure, also referred to as nationally significant infrastructure, can be broadly defined as the systems, assets, facilities and networks that provide essential services and are necessary for the national security, economic security, prosperity, and health and safety of their respective nations. Source: Critical 5, Forging a Common Understanding for Critical Infrastructure: Shared Narrative, March 2014; New Zealand Treasury |
| Norway | Critical infrastructure is the facilities and systems that are absolutely necessary to maintain the community's critical functions, which in turn cover society's basic needs and the population's sense of security. Source: OECD Survey on critical infrastructure (2017) |
| Poland | The Act of 26 April 2007 on Crisis Management (Dz. U. [Journal of Laws] of 2013, item 1166 and of 2015, item 1485, hereinafter "the Act on Crisis Management") defines critical infrastructure as the systems and functional sites forming part of them which are mutually related, such as building sites, facilities, installations and key services for the safety of the state and its citizens, and which serve to ensure the efficient functioning of public administration authorities, institutions and entrepreneurs. Source: National Critical Infrastructure Protection Programme Poland, 2015 |
| Portugal | Critical infrastructure is the component, system or part thereof which is essential for the maintenance of vital functions of society, health, safety and economic or social well-being, and whose disruption or destruction would have a significant impact, given that the infrastructure would be unable to continue performing those functions. Source: OECD Survey on critical infrastructure (2017) |
| Slovak Republic | a) Critical infrastructure element (hereinafter "element") means mainly an engineering building, public service or information system in the critical infrastructure sector whose disruption or destruction would, according to the sectoral and cross-cutting criteria, have an adverse effect on the performance of the economic and social functions of the state, and thus on the quality of life of residents in terms of the protection of their life, health, safety, property and the environment; b) Critical infrastructure sector (hereinafter "sector") means the part of the critical infrastructure which includes the elements; a sector may comprise one or more critical infrastructure sub-sectors (hereinafter "subsector"); c) Critical infrastructure means a system which is divided into sectors and elements. Source: Slovak Act No. 45/2011 |
| Spain | Critical infrastructures are those strategic infrastructures (facilities, networks, systems and physical equipment on which the operation of essential services rests) which are indispensable and for which no alternative solution is possible, so that their disruption or destruction would seriously impact essential services. Source: CNPIC (2017), http://www.cnpic.es/en/Legislacion_Aplicable/Generico/index.html |
| Sweden | Those assets, systems or parts thereof located in the EU Member States which are essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions. The term Critical Infrastructure (CI) refers to the activities, facilities, nodes, infrastructure and services that maintain Vital Societal Functions (VSF). Vital Societal Functions (VSF) is the term for the activities that maintain a given functionality; each such function is included in one or more societal sectors. Source: Swedish Civil Contingencies Agency, 2016; Action Plan for the Protection of Vital Societal Functions & Critical Infrastructure (2014) |
| Switzerland | Critical infrastructures are processes, systems and facilities that are essential for the functioning of the economy and the well-being of the population. Source: OECD Survey on critical infrastructure (2017) |
| Turkey | The whole of the networks, assets, systems and structures whose partial or complete failure to fulfil their function would have serious impacts on the safety, economy and health of citizens, as a result of negative effects on the environment, social order and public services. Source: OECD Survey on critical infrastructure (2017) |
| United Kingdom | Those critical elements of infrastructure (namely assets, facilities, systems, networks or processes and the essential workers that operate and facilitate them), the loss or compromise of which could result in: a) major detrimental impact on the availability, integrity or delivery of essential services, including those services whose integrity, if compromised, could result in significant loss of life or casualties, taking into account significant economic or social impacts; and/or b) significant impact on national security, national defence, or the functioning of the state. Source: OECD Survey on critical infrastructure (2017) |
| United States | Critical infrastructure represents systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. Source: National Infrastructure Protection Plan 2013, Partnering for Critical Infrastructure Security and Resilience |
| United Nations | The physical structures, facilities, networks and other assets which provide services that are essential to the social and economic functioning of a community or society. Source: UNISDR Terminology on Disaster Risk Reduction, https://www.unisdr.org/we/inform/terminology |
Annex 3.C. List of critical sectors per OECD countries

Countries covered (32): AUS, AUT, BEL, CAN, CHE, CHL, CZE, DEU, ESP, EST, FIN, FRA, GBR, GRC, IRL, ISL, ISR, ITA, KOR, LAT, LUX, MEX, NLD, NOR, NZL, POL, PRT, SVK, SVN, SWE, TUR, USA.

| Sector | Number of countries designating the sector as critical (of 32) |
|---|---|
| Energy | 32 |
| Nuclear sector | 10 |
| ICT | 31 |
| Transportation | 31 |
| Water | 22 |
| Dams & flood defence | 15 |
| Food supply & distribution | 17 |
| Health | 23 |
| Finance & banking | 23 |
| Government | 16 |
| Public safety | 15 |
| Law enforcement | 10 |
| Chemical industry | 15 |
| Space sector | 4 |
| Defence industry | 7 |
| Critical manufacturing | 7 |
| Other | 19 |
Annex 3.D. List and descriptions of policy tools to strengthen critical infrastructure resilience

| Policy tool | Description |
|---|---|
| Provision of hazard and threat information | Governments provide the results of national or infrastructure-specific hazard and threat assessments to owners and operators of critical infrastructure. |
| Voluntary information-sharing mechanisms or platforms | Governments encourage critical infrastructure owners and operators to share information relevant to the security and resilience of assets and systems among each other and with the government on a voluntary basis. |
| Mandatory information-sharing mechanisms or platforms | Laws and regulations require critical infrastructure operators to share information relevant to the security and resilience of assets and systems with the government. |
| Awareness-raising activities and training | Awareness-raising activities and training promote a risk culture within critical infrastructure. Training and exercises test the emergency management systems of critical infrastructure and create familiarity with the corresponding responsibilities during crises. |
| Resilience guidelines for critical infrastructure operators | Resilience guidelines outline the steps and methods that operators of critical infrastructure should follow to improve the resilience of their assets and systems. Such guidelines can be narrow in scope (e.g. guidance only on hazard assessments at operator level) or wide in scope, listing multiple tools and measures. |
| Fostering the development/use of professional standards | Development of professional standards for critical infrastructure resilience, such as codes and benchmarks for capabilities and standards of operation. |
| Incentive mechanisms to assess risks and vulnerabilities | Governments provide incentives that encourage operators of critical infrastructure to carry out hazard, risk and vulnerability assessments. Incentives can be technical support and guidance documents, or reward mechanisms such as publicised reviews of resilience targets met, or certifications. |
| Incentive mechanisms for investing in resilience | Governments provide incentives that encourage operators of critical infrastructure to invest in resilience, including subsidies, cost-benefit analysis, or government participation in insurance schemes. |
| Sectoral prescriptive regulations dedicated to CIP | Regulations that set mandatory obligations which critical infrastructure operators must meet to ensure protection and resilience, tailored to sectoral specificities. |
| Performance-based regulations on business continuity | Regulations that give critical infrastructure operators incentives to reach a targeted level of performance in maintaining services during disruptions. |
| Mandatory business continuity plans | Governments require operators of critical infrastructure to develop business continuity plans. Such plans set out prevention and preparedness measures (including contingency plans) on which operators can rely during hazardous events to keep business operations running. |
| Inspections and performance assessments | Mandated inspectors check that operators of critical infrastructure have implemented the required resilience measures. |
| Fines for non-compliance with resilience requirements | Where inspections find that operators of critical infrastructure have not carried out the required resilience measures, the government issues fines (see incentive mechanisms). |
| Other types of penalties for non-compliance | Other penalties for non-compliance can include revoking an operating licence or temporary removal from service until requirements are met. |
| Ranking based on inspection / performance results | The government ranks and publishes the results of inspections or performance assessments. Operators have an interest in doing well in such rankings, as image and reputation are important business success factors. |
| Reporting on operators' resilience | Self-assessments by operators of critical infrastructure of their own resilience, with the results shared with government and/or the wider public. |
| Sharing best practices | Case studies and lessons from actual events indicate good practices for making critical infrastructure more resilient. Sharing best practices is an effective information tool for showing how similar critical infrastructure owners and operators may address sectoral security issues, including relevant dependencies on other sectors. |
| Public investments in infrastructure resilience | Government investments in resilience are applied to new public infrastructure and to closing resilience gaps where needs exist. Public financing of resilient critical infrastructure systems can set standards for industry and demonstrate the value of up-front investments in resilience. |
| Guidance for sub-national levels of government | Guidelines for sub-national levels of government on the critical infrastructure in their own jurisdiction and nearby that may pose transboundary risks, and on how to strengthen the resilience of these systems. |
| Mandatory insurance for critical infrastructure | Obligations on critical infrastructure owners and operators to purchase insurance ahead of any shock or disruption of services. |
Peer-reviews, monitoring and evaluation |
Experts review and evaluate progress based on agreed upon evaluation criteria according sector-specific resilience guidelines... The outcome may identify potential gaps and provide suggestions for areas of improvement. |
Annex 3.E. Country practices on critical infrastructure resilience identified in the OECD Toolkit on Risk Governance (TRIG)
Trusted Information Sharing Network for Critical Infrastructure in Australia
The Trusted Information Sharing Network (TISN) for Critical Infrastructure Resilience was established by the Australian Government in 2003, with the aim of assisting critical infrastructure organisations to better prevent, prepare, respond to and recover from disruptions and adverse events. The TISN provides national level forums for owners and operators of critical infrastructure to discuss critical infrastructure vulnerabilities with relevant government agencies and to work together in developing strategies and solutions to mitigate risk. Led by the Attorney-General’s Department, and supported by a number of Australian Government agencies, the TISN now encompasses hundreds of members, including representatives from many of Australia’s largest and best known companies, and state and territory governments. The TISN operates on an all-hazards basis. It comprises seven critical infrastructure Sector Groups (Energy, Water, Communications, Banking and Finance, Health, Transport, Food) and two Expert Advisory Groups. TISN members meet regularly within their sector groups in a secure, non-competitive environment to share vital information on risks and mitigation strategies, and to develop collective solutions to shared problems. In addition, there are regular meetings and exercises between groups, and with governments.
Rationale
Critical infrastructure delivers essential services such as food, water, healthcare, electricity, communications, transportation and banking. Without these services, Australia's social cohesion, economic prosperity and public safety are threatened. The Trusted Information Sharing Network responds to this by providing a forum for public and private stakeholders to cooperate towards critical infrastructure resilience.
Objectives
Operate an effective business-government partnership with critical infrastructure owners and operators;
Sharing information and techniques required to assess and mitigate risks to critical infrastructure;
Building resilience capacity within organisations.
Results
Since its creation, the TISN has influenced the national debate on critical infrastructure issues by partnering with key stakeholders to enable change;
The TISN has fostered a cohesive approach to addressing shared threats and vulnerabilities and building resilience across critical infrastructure sectors;
TISN initiatives include the development of shared frameworks, guides and planning documents, the preparation of large-scale exercises, and the organisation of workshops. These initiatives have contributed to enhance the resilience of critical infrastructure systems in Australia.
Lessons Learned
There are major benefits to setting up platforms for information sharing among policy makers and owners and operators of critical infrastructure.
Business-government partnerships are key to encourage the private sector to address mutual interests, such as business continuity and resilience.
A new integrated approach for critical infrastructure protection was established in May 2015 as part of the National Safety and Security Strategy, developed by the Dutch Ministry for Security and Justice. The approach contains three steps. First, the approach identifies what is critical infrastructure, based on economic, physical and social impact criteria. Criteria were developed based on the National Risk Assessment process. The degree of criticality depends upon the consequences of a failure of the critical sectors identified. A distinction is made between category A where disruptions can have large impacts and cascading effects and category B where impacts can be lower, in order to reflect the diversity within critical infrastructure and to set priorities. Secondly, a vulnerability assessment provides insight into the most important risks, threats, vulnerabilities and degree of resilience of this infrastructure. The third step of the approach is to make agreements on maintaining or, where needed, increasing the resilience of the vital infrastructure. This enables a customized approach for resilience enhancement, based on risks, threats and vulnerabilities. In addition, critical infrastructure will be incorporated into the national crisis management structures.
Rationale
Guaranteeing the continuity of critical infrastructure is of common interest to both infrastructure operators (usually private) and society in the Netherlands. Critical infrastructure includes products, services and underlying processes which, should they fail, could cause large-scale social disruption. That is why the government and critical organisations in the Netherlands cooperate in protecting this infrastructure. An integrated approach is required, due to the number of parties, networks and levels involved. This is a dynamic and complex domain due to technological developments and the interconnectedness of critical processes. Society has become more dependent on critical infrastructure, while the failure of such infrastructure has become less accepted in society. Infrastructure has become more interdependent and more vulnerable to (deliberate) cyber incidents. Moreover, the interconnectedness of critical processes makes it difficult to predict cascade effects. Cascading effects caused by failing processes lead to a higher impact on society.
Objectives
Resilient critical infrastructure
Impact-based identification of critical infrastructure
Understanding of risk, threats and vulnerabilities
Development of customized agreements
Results
Impact based identification methodology
From sectorial approach to a process approach
Identification of critical infrastructure at the national level
National-level prioritised list of critical infrastructure
Tailor made agreements per critical process
Monitoring and evaluation methodology
Lessons Learned
Fostering an all-hazard approach is a good way to engage with private operators, as they may be particularly interested in one specific threat without having the broadest view of risks.
Having clear, transparent and well-established criteria for the identification of critical infrastructure helps engage the different stakeholders.
Deciding which impact criteria are regarded as disruptive requires a political decision. There is a risk that changes in societal preferences may lead to changes in the thresholds, which would call for a reassessment of critical infrastructure.
Developing partnerships with private operators requires developing trust across the public and the private sector and a common understanding of the challenges, which develops over the long-term.
The German National Strategy for Critical Infrastructure Protection summarizes the Federal Administration's aims and objectives and its political-strategic approach to actively address matters of critical infrastructure protection (CIP). The strategy is guided by the principle of joint action by the state, society, and business and industry. The state co-operates with other public and private actors in developing analyses and protection concepts. The Strategy first defines critical infrastructure as organizational and physical structures and facilities of such vital importance to a nation's society and economy that their failure or degradation would result in sustained supply shortages, significant disruption of public safety and security, or other dramatic consequences. It also identifies the main threats, risks and vulnerabilities of critical infrastructure systems in Germany. Its guiding principle is that the responsibility for the security, reliability and availability of such infrastructure is a shared responsibility. The Strategy takes stock of existing measures, and suggests a way forward to structure the different initiatives and further improve the protection of critical infrastructure systems. It develops guidelines in the prevention, response and sustainability areas, based on three pillars: (1) preventing and mitigating loss of services; (2) promoting back-up systems (redundancies) and emergency capacity; (3) enhancing self-protection capabilities. Developments are currently ongoing with regard to the protection of critical infrastructures in Germany.
Rationale
Infrastructure in general and critical infrastructure in particular are vital to the functioning and well-being of modern and efficient societies. Germany is among the leading industrial and technology-oriented nations. Germany is also an important location for business activities and industry. Ensuring the country’s competitiveness in a globalized economic and technological setting is highly dependent on the availability of high-performance and well-functioning infrastructure. Therefore, ensuring the protection of this infrastructure is a key function of security-related preparedness measures taken by industry and government agencies, and is a central issue of the country's security policy.
Objectives
Guiding the Federal Government but also the Länder, municipalities and enterprises in their critical infrastructure protection efforts.
Promote critical infrastructure resilience in a coordinated manner
Strengthen public safety and security
Foster joint action performed by the Government, companies and/or operations and the civil society for critical infrastructure protection
Results
Implementation of work packages within the Federation, Länder and local governments involving (1) the definition of general protection targets, (2) an analysis of threats, vulnerabilities and management capabilities, (3) the assessment of threats, (4) the specification of protection targets, taking into account existing protective measures; analysis of existing regulations and, where applicable, identification of additional measures contributing to goal attainment; and, where required, legislation.
Development of programmes and plans (such as the National Plan for Information Infrastructure Protection), specific recommendations for action (such as the National Baseline Protection Concept and the Risk and Crisis Management Guide for Critical Infrastructure Operations), and standards, norms and regulations (such as the BSI Information Security Standards, or the regulations of the German Gas and Water Supply Association on risk management in the field of drinking water supply).
Lessons Learned
Preserving critical infrastructure protection is of growing importance, particularly in the context of increasingly interdependent economies.
Co-operation and partnerships in the area of critical infrastructure, both with authorities and in particular with private service providers, are vital to guarantee successful work.
The aim of a critical infrastructure strategy should not be absolute protection, but implementing measures that foster resilience.
Cross-sectoral cooperation and coordination is key to achieving resilience of critical infrastructure.
Swiss Basic Strategy for Critical Infrastructure Protection
The Swiss National Strategy for the Protection of Critical Infrastructure was established in 2012, drawing upon the “Basic Strategy for Critical Infrastructure Protection” (2009). The overarching goal of the Strategy is to improve the resilience of Switzerland’s critical infrastructures. The Strategy outlines strategic goals as well as key principles, and describes the measures to be taken in the area of critical infrastructure. These measures include the improvement of overall critical infrastructure resilience, and the enhancement of the general framework for cross-sectoral collaboration. The Strategy covers the definition of comprehensive protection approaches, the identification and compilation of critical infrastructure elements and objects in a classified inventory, the establishment of cross-sectoral, public-private platforms, and information sharing on risks, notably risk assessment and warning systems, among stakeholders. The Strategy also addresses federal support to handle disruptions to critical infrastructure if the operators’ and substate actors’ resources are overwhelmed. It establishes a permanent process to improve the resilience of critical infrastructure systems by facilitating a coordinated approach among the relevant CI operators as well as specialised and regulatory agencies. Ten sectors are considered critical at the national level, including energy, transport, information and communication technologies, financial services, public administration, public health and public safety. They are subdivided into 28 subsectors, such as natural gas supply, oil supply and power supply in the energy supply sector.
Rationale
Switzerland is highly dependent on the continuous operation of critical infrastructures that ensure the supply of vital goods and services. Disruptions may have rapid repercussions for the population and the basis of its livelihood, and can affect other critical infrastructure through cascading effects. In the different critical sectors, protection measures are already implemented on an individual basis. However, the lack of cross-sectoral coordination among critical infrastructure stakeholders and the need to promote a consolidated approach at the national level created the need for an integrated national strategy.
Objectives
Contributing to maintain the operability of critical infrastructure systems,
Identifying critical infrastructure systems to be protected,
Facilitating risk analysis procedures,
Initiating cross-sectoral collaboration by setting up coordination and information sharing platforms.
Results
Classified critical infrastructure inventory
Created a critical infrastructure guideline
Conducted sub-sectoral risk and vulnerability assessments
Established supporting tools (e.g. methodology, scenarios, etc.)
Lessons Learned
Critical infrastructure protection is becoming more and more important today, in particular in major cities and small interdependent countries such as Switzerland.
The aim of a critical infrastructure strategy should not be absolute protection, but implementing measures to foster resilience.
Cross-sectoral cooperation and coordination is key.
Cross-country cooperation should be encouraged in an increasingly globalised world.
Public Private Partnerships for Critical Infrastructures Resilience in Finland
The National Emergency Supply Agency (NESA), created in 1993, is tasked with planning, developing and maintaining the security of supply in Finland. While its historic role of maintaining reserve stockpiles to protect the livelihoods of the population as well as the functioning of the economy remains part of its strategic tasks, NESA is more and more active in mainstreaming business continuity and resilience in various sectors of the economy through public-private partnerships. NESA has established a network of thematic clusters where key stakeholders of critical sectors, such as food supply, energy, transportation, health or industry, develop partnerships in order to assess vulnerability and performance and plan for resilience. NESA also proposes dedicated tools, such as information systems, storage and transport facilities, to support business continuity in these domains. NESA also finances specific activities related to business continuity and critical infrastructure protection. The agency prepares annual reports that evaluate the performance of companies in the critical sectors, including rankings and specific recommendations.
Rationale
Finland faces specific vulnerabilities regarding the disruption of supply chains and critical infrastructures, which constitute a major challenge. Harsh winter conditions, high dependence on sea transportation and international markets, interdependencies and the complexity of critical networks are among the key challenges to security of supplies in Finland. Consequently, Finland has invested significant efforts to secure supplies and maintain continuity of services. This is a primary concern of its Security Strategy for Society, in which the functioning of the economy and the infrastructure is one of the seven vital functions of Finnish society. NESA contributes to the functioning of society in times of crisis by keeping reserve stockpiles, but also by giving critical infrastructure providers the necessary knowledge about preparedness and continuity planning.
Objectives
Securing supplies to ensure the continuity of the economic activities and the functioning of critical infrastructure in cases of serious disturbances and exceptional circumstances;
Setting-up private-public partnerships as the primary method for securing supply and developing business continuity;
Implementing technical and financial measures to support the development of business continuity efforts across society, including the production of goods and services necessary in exceptional conditions.
Results
Increased public-private partnerships with companies in critical sectors (now more than 1000) which all yielded a business continuity plan specific to their activities and sector;
Established 7 thematic clusters and dedicated pools to discuss and implement sector-specific supply security and business continuity policies;
Developed continuity-management tools designed to support organizations in their continuity management efforts.
Lessons Learned
Public bodies within countries should not take full responsibility for maintaining the continuity of services; the private sector should also invest some effort in preparedness in order to achieve a whole-of-society approach to risk prevention.
Incentivising the private sector’s efforts in business continuity is essential to facilitate its involvement in these efforts. Evaluating the performance of individual companies is a complementary and efficient way to spur progress.
As security of supplies and continuity of critical infrastructures are market-dependent, specific attention to issues related to fair competition, non-discrimination and equal treatment is fundamental when designing policies.
National Critical Infrastructure Protection Programme in Poland
The Polish National Critical Infrastructure Protection Programme (NCIPP) was adopted in March 2013 by the Polish Council of Ministers, with the main objective of ensuring the protection of critical infrastructure systems. The NCIPP defines the vision and the objectives behind critical infrastructure protection processes and covers all the phases of the risk management cycle: it aims not only to ensure critical infrastructure’s protection against threats (prevention), but also to contribute to reducing the impact and duration of potential damage (preparedness and response). The NCIPP addresses the following infrastructure systems: energy, communication, ICTs, financial, food supply, water supply, health protection, transportation, rescue, public administration and the production, storage and use of chemical and radioactive substances. The NCIPP describes the cooperation to be set up between individuals, and sets out roles and responsibilities for each stakeholder. The NCIPP pays particular attention to building partnerships between stakeholders. Information and knowledge sharing between all levels of the administration, as well as between the public and the private sector, are key in protecting infrastructure systems. The NCIPP also identifies a number of good practices and recommendations to ensure the smooth functioning of critical infrastructure, in several areas such as technical protection, IT/OT protection, legal protection and business continuity/recovery plans. The good practices and recommendations have been broadened, especially in the area of IT/OT protection. In November 2015, the NCIPP was updated. It now includes new priorities and tasks for the 2015-2017 period.
Rationale
Critical infrastructure is key to the smooth functioning of the public and private sectors. Protecting critical infrastructure in Poland is therefore essential for the smooth functioning of the economic system. Critical infrastructure resilience is also a priority, as disruptions can negatively impact the lives of Polish citizens.
Objectives
Increase the resilience of critical infrastructure systems in Poland;
Raise awareness about the importance of critical infrastructure and enhance risk assessment frameworks;
Allow coordinated and risk-based partnerships for the protection of critical infrastructure.
Results
Three meetings of the National Forum for Infrastructure Protection have been organised, gathering representatives from the private sector and the administration to exchange on the resilience of critical infrastructure in Poland.
Four textbooks were developed: on verifying the authenticity of documents, on explosive threats to critical infrastructure, on applying biometrics to critical infrastructure, and on the technical protection of critical infrastructure systems.
Over 800 individuals were trained in the fields covered by these textbooks.
Lessons Learned
People are the most valuable resource for protecting critical infrastructure. Their knowledge, experience and commitment are key to achieve determined goals.
A strategy related to risk management must encompass clear objectives and action plans, and precisely define the roles of each stakeholder.
Broad-based partnerships and information sharing are essential to promote critical infrastructure protection.
The National Strategy for Critical Infrastructure sets the direction for enhancing the resilience of Canada’s critical infrastructure against current and emerging hazards. The Strategy presents a collaborative approach to strengthening the resilience of critical infrastructure, by ensuring that federal, provincial and territorial critical infrastructure activities are complementary and respect the laws of each jurisdiction. It outlines mechanisms for enhanced information sharing and information protection, and identifies the importance of a risk management approach to strengthen the resilience of critical infrastructure in Canada. Enhancing the resilience of critical infrastructure can be achieved through the appropriate combination of security measures to address intentional and accidental incidents, and business continuity practices to deal with disruptions and ensure the continuation of essential services. It also addresses the importance of emergency management planning to ensure adequate response procedures are in place to deal with unforeseen disruptions and natural disasters. At the national level, the Strategy classifies critical infrastructure within the 10 following sectors: energy and utilities, finance, food, transportation, government, information and communication technology, health, safety, water, and manufacturing.
Rationale
As the risks to critical infrastructure cut across jurisdictions and sectors, the Strategy provides a comprehensive and collaborative federal, provincial and territorial approach to enhancing the resilience of critical infrastructure. This common approach enables partners to respond collectively to risks and target resources to the most vulnerable areas of critical infrastructure.
Objectives
Building partnerships at all levels of government, and with the private sector;
Implementing an all-hazards risk management approach;
Advancing the timely sharing of information among partners
Results
The National Strategy was accompanied by an Action Plan for Critical Infrastructure (2010), which set out action items for each of the three strategic objectives. A summary of progress achieved under the original Action Plan is contained in the renewed Action Plan for Critical Infrastructure (2014-2017). The next phase of the Action Plan involves taking additional steps for each of the three strategic objectives outlined in the National Strategy, building on what was already achieved under the original Action Plan (2010), with an emphasis on tangible risk management activities.
Lessons Learned
Critical infrastructure protection is becoming more and more important today, in particular in the context of increasingly interdependent economies.
The aim of a critical infrastructure strategy should not be absolute protection, but implementing measures that foster resilience.
Cross-sectoral cooperation and coordination is key.
The U.S. Department of Homeland Security created the Critical Infrastructure Protection and Resilience Toolkit for owners and operators of critical infrastructure at the local and regional levels to enhance their ability to prepare for, protect against, respond to, and recover from the full range of 21st-century hazards and threats. The toolkit is designed to help critical infrastructure owners and operators incorporate key concepts of the US National Infrastructure Protection Plan (NIPP) into their day-to-day activities. The toolkit includes: A brief video that highlights the role of local and regional communities and the private sector in national infrastructure protection efforts. An exercise planning resource that provides simple tools to help owners and operators plan a discussion-based “table top” exercise to evaluate infrastructure protection and resilience. Frequently asked questions about the role of owners and operators in critical infrastructure protection and resilience. Links to additional online reference materials and training resources related to infrastructure protection and resilience. Information on critical infrastructure protection partnerships and information sharing.
Rationale
As critical infrastructure systems, essential health services must remain available to communities and individuals during and immediately following extreme weather events, even during extended utility outages and transportation infrastructure disturbances. Resilient health care organizations must anticipate extreme weather risks and transcend limitations of regional public policy, local development vulnerabilities, and community infrastructure challenges as they site, construct, and retrofit health care facilities. The disruptions and losses incurred by the U.S. health care sector following recent extreme weather events demonstrate the need for specific guidance on ways to manage the new and evolving hazards presented by climate change. During Super Storm Sandy in New York, for example, several hospitals had to be evacuated because their back-up electricity generators were located in the basement and ended up being flooded, or because there was no plan to fuel them for longer than 24 hours. In addition, some of their most expensive equipment, such as X-ray machines, was also located in the hospitals’ basements and contributed to large losses in the sector. These events have also provided opportunities to learn from past disasters so that health care facilities, and the communities they serve, can be more resilient in the future. For these reasons, the Department of Health and Human Services has developed the Sustainable and Climate Resilient Health Care Facilities Toolkit to support building resilience in the health care sector.
Objectives
Share best practices for health care providers, design professionals, policy makers, and others to promote continuity of care before, during, and after extreme weather events.
Assess the current status of health care infrastructure to extreme weather risks, and policy options that can be adopted to improve climate readiness.
Assist organizations engaged in health care facility climate resilience to improve their resilience to extreme weather events.
Results
The Toolkit contains a set of checklists for each of the five elements of climate resilience. These checklists can assist health care organizations in assessing climate-related infrastructure and care-delivery vulnerabilities at both a system and facility level and evaluating the results of their resiliency policies.
The Climate Resilience Toolkit also includes tools and processes for converting the results of the checklist exercise into a practical plan for improved resilience, and will facilitate identification of policies to implement based on the assessment provided by the checklist.
Lessons Learned
Sectorial plans that provide sector-specific guidance on risk preparedness and resiliency are useful to ensure the relevance and the appropriation of policy options.
UK Centre for the Protection of National Infrastructure (CPNI)
The Centre for the Protection of National Infrastructure (CPNI) protects national security by providing advice to UK national infrastructure organisations, covering physical, personnel and cyber security. To achieve protective security in the national infrastructure sectors, the CPNI supports vulnerability reduction efforts against terrorism and other threats, keeping the UK's essential services (delivered by the communications, emergency services, energy, finance, food, government, health, transport and water sectors) safer. Without these services, the UK could suffer serious consequences, including severe economic damage, grave social disruption, or even large-scale loss of life. CPNI advice primarily targets critical national infrastructure organisations, which are crucial to the continued delivery of essential services to the UK. CPNI works with both private and public sector partners. Key partners include the National Technical Authority for Information Assurance (CESG) and the police - the National Counter Terrorism Security Office (NaCTSO) and the Counter Terrorism Security Advisor (CTSA) network - as well as critical national infrastructure businesses and organisations. CPNI was formed on 1 February 2007 from the merger of the National Infrastructure Security Co-ordination Centre (NISCC) and the National Security Advice Centre (NSAC). NISCC used to provide advice to companies operating in critical national infrastructure, while NSAC was a unit within MI5 that provided security advice to other parts of the UK government.
Rationale
National critical infrastructure is recognized as “those critical elements of infrastructure” (namely assets, facilities, systems, networks or processes and the essential workers that operate and facilitate them), the loss or compromise of which could result in: a) major detrimental impact on the availability, integrity or delivery of essential services – including those services whose integrity, if compromised, could result in significant loss of life or casualties – taking into account significant economic or social impacts; and/or b) significant impact on national security, national defence, or the functioning of the state. Achieving protective security, i.e. 'putting in place, or building into design, security measures or protocols such that threats may be deterred, detected, or the consequences of an attack minimized', in critical infrastructure is therefore crucial to prevent severe economic damage, social disruption or large-scale loss of life.
Objectives
Support vulnerability reduction efforts to terrorism and other threats in the UK’s critical infrastructure
Address major threats as identified in the UK National Security Strategy, i.e. espionage, terrorism, cyber and other threats
Provide security advice and security planning services to critical infrastructure operators
Protect national security
Results
In recent years, the CPNI has issued periodic warnings about increasing levels of cybercrime. Securing digital systems, including open wireless access points, implementing strong firewalls and encrypting communications are all important priorities, analogous to securing physical property and facilities.
Lessons Learned
Offering centralized advice to critical national infrastructure organisations on vulnerability and security aspects is an essential component of raising awareness on the matter. In this way, guidance helps infrastructure operators make better-informed decisions and respond to early warning signs.