Security in Critical Infrastructures: A Global Reality

Critical infrastructure protection is a general concern that transcends borders. It is important to define what are considered critical infrastructures so that, regardless of geographic area, all the interested parties know they are referring to the same thing. This facilitates the identification, planning and development of security.

There are many implications in the concept of critical infrastructure. Without disparaging any, the definition given in the legislation in force in Spain (Act 08/2011, of 28 April) may prove useful. An important indication given by this definition rules that critical infrastructures differ from strategic infrastructures because of the impossibility of offering alternative solutions in case of disruption. This factor implies that everything we contemplate for a critical infrastructure may be applicable to a strategic infrastructure.

Hence, guaranteeing security by identifying threats – whether technical or natural – and vulnerabilities, as well as neutralizing attacks and adopting a pro-active attitude in terms of prevention, is a joint responsibility of the authorities and operators charged with delivering the basic services. This fundamental premise may be considered common to any part of the planet. Nevertheless, the practical application of security solutions for critical infrastructures has to be customized for every country.

Although critical infrastructure protection has to be based on this local approach, the experience acquired in certain geographic areas may serve as an excellent starting point for transferring such know-how to other markets. This fact makes it possible to apply the best practices known and, in the end, to generate a cycle of continuous improvement – a common philosophy that is widespread today, albeit it acquires even greater importance where security is concerned, due to the rapid development of the threats and risks to which critical infrastructures are exposed.

In the current context, where factors as diverse as the real need to face threats and vulnerabilities have to be considered while maximizing the efficiency of security resources, technological solutions acquire new dimensions. This is the opportunity that technological companies are working on. As seen by operators, they are allies with the capacity to offer solutions that, together with the indispensable private surveillance services and other organizational measures, allow them to design and implement integrated security systems.

Still, technological knowledge and capacity alone are not sufficient, since the technological evolution that security systems are subject to has been redefining the scenarios of its application. One of the factors for success in the development of efficient global security measures is the promotion of understanding and communication among the principal agents involved: Information Technology (IT) security departments, whose fundamental objectives in terms of contributing to the business are equivalent, albeit not in terms of resource use and implementation for their purposes. From the security point of view, such convergence is desirable towards the end of guaranteeing continuity for the essential services offered by these infrastructures.

Only thus – far from posing a hindrance to the business of critical operators – does security become a driving force, preventing the undesired la interruption of services and supplies from critical infrastructures.

From the theoretical point of view, in the technological perspective, the convergence of IT Security departments acquires overall sense. However, it would be a mistake not to go beyond theory. It is needful to evaluate or identify consequences, bearing in mind that we are referring to environments that are largely concerned with production.

With exclusive regard to electronic security systems, this fact generally gives rise to the need for prior evaluation that will allow for identifying existing systems and their capacity for integration with the new technologies. This evaluation should not be conducted solely from the functional perspective or with a view to the improvement of physical / electronic security, but also considering capacity for integration within the available IT infrastructure and for coexistence with the other services. At this point, from the electronic security systems angle, we must begin to assimilate the concept of applied logical security, which entails none other than contemplating the additional new threats and vulnerabilities, to make it possible to implement and maintain the necessary cybersecurity mechanisms compatible with the existing IT infrastructure.

Going back to the matter of security systems from the service point of view, the definition and development of a specific security solution that combines physical / electronic security and cybersecurity is not sufficient. Once the risks as well as their possible evolution are identified, technical security measures cannot be delegated solely to one product or one set of specific technologies. The duty of technological companies is to provide solutions in which the services acquire an even greater importance due to increased exposure to potential attacks through bad design praxis, implementation and / or maintenance of the solutions, which in most cases is involuntary.

The delivery of these services in critical infrastructures must be based on a concept of security by layers similar to the traditional concept of in-depth security, such that the IT infrastructure lodging the systems that contribute to production as well as those concerned with security operations per se, fundamental in crisis decision-making processes, is taken into account.

Success Stories

• In Colombia, Ikusi executed a public security project in the department of Huila, to the southwest. The project consisted of the design and implementation of a Data Management Center (DMC) located in the capital, from where the surveillance system spread over several municipalities in the area, which were also included in the project scope, could be operated and supervised. The implementation of this data management center allowed the various public authorities to centrally avail of actual information in real time, which redounded to resident safety.
• As for Mexico, Ikusi carried out a project for the implementation of an integrated security management platform enabling real-time security administration for multiple Pemex installations distributed over different geographic points in the country, ensuring the optimal operation of all electronic security systems and sub-systems.