Physical Critical Infrastructure Protection - Security by Obscurity is No Defence for Western Survivability

Abstract

Critical Infrastructure - the systems, facilities and assets that are vital for the functioning and protection of society and the economy. The aim of this white paper is to undertake a broad analysis of the threats to Critical Infrastructure and how western democracies address them, alongside highlighting the enormity and the complexity of the issue, hopefully prompting new dialogue and, more importantly, action. For the purpose of this paper, the authors have identified four vectors that define the threats relevant to critical infrastructure (Fig. 1). The increasing volume of academic research into the critical infrastructure ecosystem, as referred to later in this paper (Fig 10.) is a tangible indicator of its importance, particularly the patterns emerging from Chinese institutions. The question of whether this evolving research is from a futureproofing/defence perspective or to greater understand the weakness of other nations is beyond the scope of this paper; it does however demonstrate a desire for increased knowledge and therefore capability. As a current example, the targeting of Ukrainian critical infrastructure by Russian forces demonstrates the importance of this arena, with such infrastructure now clearly Physical Critical Infrastructure Protection 3 identified as battlefield assets with game-changing strategic and psychological potential worthy of high levels of defence and a ‘building back better’ mindset. Drilling down into the threats affecting the critical infrastructure ecosystem, we observe that the challenges facing the two attack vectors are neither exclusively civil nor exclusively military but both, in the context of what has been termed ‘total war’. Indirectly, the same could be said of the two non-confrontational vectors. In the current geo-political climate, we are once again at a point where we must protect civilian assets from potential overt military, terrorist and covert aggression; our enemies are both seen and unseen. Due to the complex nature of the threats against critical infrastructure, the non-confrontational vectors, arguably both man-made and natural, require an almost identical style of response to those of the physical attack vector – namely enhanced physical resilience. Enhanced physical resilience is a passive form of defence and comes in the form of greater protection. As an example of the inherent importance of this approach, it is applicable even to elements of the seemingly less tangible ‘cyber’ domain. While the cyber-attack vector is proactively defending against attacks online and supported by a combination of public/private sector investment, tech development and constant deployment, the hardware, power and communications aspects of the cyber threat are at constant risk and require effective physical protection against converging threats. The authors have developed the Critical Infrastructure Threat Prism to highlight the protective synergy across the western powers at the strategic and operational levels. Only in the cyber-attack vector, however, is there any collective Critical 5 tactical level guidance or action in the form of the recent recommendation to include 12 essential security elements into all official and corporate Operational Technology (OT) procurement, as a minimum cyber security requirement. The Critical 5 nations have made no mitigation recommendations for the physical attack vector in relation to minimum physical resilience guidelines for critical infrastructure, nor the non-confrontational threat vectors relating to adverse weather and structural decay. This oversight could dramatically affect the defence capabilities of both the Five Eyes Alliance and NATO as well as the domestic operability of member states’- built infrastructure, critical or otherwise. The basic three-phase analysis of each critical infrastructure vector in this paper has also highlighted similar patterns of underreach in relation to the proactive hardening of physical critical infrastructure as a passive defence against attack and wider protection against adverse weather and structural decay.