Add to collection(s) Add to saved
  1. No category
Uploaded by Kwah Kouassi

OCWARC CS2 - Regional critical infrastructure protection policy EN - V3 2020 05 19

advertisement 
ACTIVITY CS2
ECOWAS and Mauritania Regional essential services and critical infrastructures
protection Policy
Draft 3
The ECOWAS Commission and the members of the RTC are invited to send their comments
on this draft, if any, by Friday 12 June 2020 close of business.
This document constitutes version 3 of the draft ECOWAS and Mauritania Regional essential services and
critical infrastructures protection Policy.
The project team would like to thank the ECOWAS Commission and the members of the RTC who made
comments on version 2. Thanks to them, this new version has been improved, including a much shorter
introduction and a completely revised document structure.
Changes to the text of version 2 appear in blue.
RTC members who need it can ask the project team for support in organizing an online meeting with key
players from other national bodies concerned by this Policy (ministries of defense, interior, etc. ) in order to
collect their comments:
- For technical support only, send an email to Rabiyatou BAH, Project Coordinator
-
(rabiyatou.bah@expertisefrance.fr) ;
For technical support and the participation of the project team in the online meeting, send
an email to Rabiyatou BAH and Michel BENEDITTINI (michel.benedittini@ocwarc.eu).
OCWARC_CS2 - Regional critical infrastructure protection policy EN - V3 2020 05 19.docx
1/12
ECOWAS and Mauritania Regional essential services and critical infrastructures
protection Policy
(draft version 3)
Summary
SECTION 1.
INTRODUCTION ................................................................................................................................... 3
SECTION 2.
SUBJECT MATTER ................................................................................................................................. 3
SECTION 3.
DEFINITIONS ........................................................................................................................................ 4
SECTION 4.
FRAMEWORK FOR THE ESSENTIAL SERVICES AND CRITICAL INFRASTRUCTURES PROTECTION............. 4
SECTION 5.
RESPECTIVE ROLES OF THE STATE AND OPERATORS ............................................................................ 5
SECTION 6.
RISK MANAGEMENT APPROACH.......................................................................................................... 5
SECTION 7.
OPERATORS
IDENTIFICATION OF ESSENTIAL SERVICES AND CRITICAL INFRASTRUCTURES AND DESIGNATION OF
............................................................................................................................................................ 6
SECTION 8.
OBLIGATIONS OF OPERATORS ............................................................................................................. 6
SECTION 9.
PROTECTION MEASURES...................................................................................................................... 6
SECTION 10.
INTERDEPENDENCIES OF ESSENTIAL SERVICES AND CRITICAL INFRASTRUCTURES ............................... 7
SECTION 11.
NATIONAL COORDINATION ................................................................................................................. 7
SECTION 12.
INTERDEPENDENCIES BETWEEN COUNTRIES IN THE REGION AND REGIONAL COOPERATION.............. 7
SECTION 13.
MONITORING AND UPDATING OF THIS REGIONAL POLICY .................................................................. 8
ANNEXE I: SERVICES AND INFRASTRUCTURE THAT MAY BE CLASSIFIED AS ESSENTIAL OR CRITICAL ............................. 9
ANNEXE II: DENTIFICATION CRITERIA OF OPERATORS OF ESSENTIAL SERVICES AND CRITICAL INFRASTRUCTURE ...... 10
ANNEXE III: MEASURES THAT MAY BE IMPOSED ON OPERATORS OF ESSENTIAL SERVICES AND CRITICAL
INFRASTRUCTURE ....................................................................................................................................................... 11
OCWARC_CS2 - Regional critical infrastructure protection policy EN - V3 2020 05 19.docx
2/12
SECTION 1. INTRODUCTION
In all countries, a certain number of material or non-material services provided by public or private operators
are essential for the Nation, and in particular for the functioning of the State, for the economy or for health,
safety, security and well-being of the population. These services rely on physical or digital infrastructures as
well as on any data necessary for their operation.
It is therefore of the utmost importance for the State, economic operators and the population to guarantee
the resilience and security of these essential services, critical infrastructures and data in view of all the risks
and threats that could affect their availability or integrity.
Indeed, the resilience and security of essential services and critical infrastructures can be affected by a variety
of risks and threats - breakdowns, accidents, malicious acts, physical or digital attacks, natural disasters,
pandemics, etc. -, all of which can have a serious impact on the Nation. It is therefore important, for each
essential service or critical infrastructure, that any approach to protection takes into account all of the physical
and digital risks and threats it can face.
In addition, some services may rely on infrastructure and data located abroad. In this case, the protection of
these services cannot be fully ensured by the country where they are provided. This justifies that each country
integrates into its approach the essential services which it needs as much as the critical infrastructures located
on its territory. This type of situation also justifies the regional approach to this policy.
In the rest of this document, data will be considered as integral part of the infrastructure that stores, processes
or transmits it.
SECTION 2. SUBJECT MATTER
The purpose of this Regional Policy is to ensure, in the face of the various risks and threats which could affect
the functioning, the resilience and the security of the services and infrastructures of the region which are
essential for the functioning of the State, for the economy or for the health, safety, security and well-being of
the population, in particular when these services and infrastructures are transnational in nature.
To this end, it:
sets the minimum normative framework that countries should adopt to ensure the protection of their
essential services and critical infrastructures;
provides elements of methodology and criteria to identify the services and infrastructures concerned in the
various sectors;
proposes a list of preventive and reactive measures that can be implemented;
provides the principles and modalities of cooperation between countries with interdependence in essential
services or critical infrastructure.
This Regional Policy should be without prejudice to the possibility for each country to take the necessary
measures to ensure the protection of the essential interests of its security, to safeguard public policy and
public security, and to allow for the investigation, detection and prosecution of criminal offences. No country
is to be obliged to supply information the disclosure of which it considers to be contrary to the essential
interests of its security.
OCWARC_CS2 - Regional critical infrastructure protection policy EN - V3 2020 05 19.docx
3/12
SECTION 3.
DEFINITIONS
For the purposes of this Regional Policy, the following definitions shall apply:
Critical Infrastructure: a public or private infrastructure providing an essential service, as well as the networks
and the physical or digital data essential for providing this service;
Critical infrastructure operator: public or private operator that operates a critical infrastructure;
Critical infrastructure protection (CIP): set of safeguards and actions to protect critical infrastructures from
any risks and threats that could cause the total or partial interruption of the essential services they provide;
Critical information infrastructure: communication network or information system whose disruption or
shutdown could cause the total or partial interruption of a critical infrastructure or an essential service;
Critical information infrastructure protection: cybersecurity of critical infrastructures, i.e. set of safeguards
and actions to protect from cyber threats communication network and information system whose disruption
or shutdown could cause the total or partial interruption of a critical infrastructure or an essential service;
CSIRT (Computer Security Incident Response Team): team responsible for preventing risks and threats to
information systems and reacting to security incidents;
Cybercrime: criminal activities where computers and information systems are involved either as a primary tool
or as a primary target. Cybercrime comprises traditional offences (e.g. fraud, forgery, and identity theft),
content-related offences (e.g. on-line distribution of child pornography or incitement to racial hatred) and
offences unique to computers and information systems (e.g. attacks against information systems, denial of
service and malware);
Cybersecurity: set of safeguards and actions to protect the cyberspace from those threats that are associated
with or that may harm its networks and information infrastructure. Cybersecurity strives to preserve the
availability and integrity of the networks and infrastructure and the confidentiality of the information
contained therein;
Essential service: a service that total or partial interruption of which could have a serious impact on the
functioning of the State, on the economy of the country or on the health, safety, security and well-being of
citizens, or any combination of these issues;
Essential service operator: public or private operator that provides an essential service.
Essential service protection: set of safeguards and actions to protect essential services from any risks and
threats that could cause their total or partial interruption;
Information and communications technologies (ICT): technologies used to gather, store, use and send
information, including technologies that involve the use of computers and any communication system,
including any telecommunication system;
Information system: any isolated or not isolated device or group of interconnected devices that all or in part
carries out automatic processing of data pursuant to a program.
Networks: set of means ensuring the supply of an infrastructure with products or services necessary for its
operation (communications, energy, logistics, etc.);
SECTION 4.
FRAMEWORK FOR THE ESSENTIAL SERVICES AND CRITICAL INFRASTRUCTURES PROTECTION
Each country should adopt a framework for protecting essential services and critical infrastructures, for all
sectors of activity (Government activities, health, energy, transport, water, banks, industry, etc.) and more
OCWARC_CS2 - Regional critical infrastructure protection policy EN - V3 2020 05 19.docx
4/12
particularly in transverse sectors (electrical production and distribution, digital services in particular), which
set:
Criteria and methods for identifying essential services and critical infrastructures;
The procedures for designating operators of essential services and critical infrastructure;
The security obligations imposed on these operators;
The authority or authorities responsible, for the various business sectors of the country, in liaison with the
competent sectoral authorities, for:
identifying essential services and critical infrastructure;
designating the corresponding operators;
developing the security measures imposed on them;
ensuring the coordination of the action of the public authorities which must contribute to the security of
essential services and critical infrastructure;
participating in crisis management in the event of a serious incident affecting critical infrastructure;
Optionally, an authority responsible for ensuring the consistency of the procedures implemented by the
various national authorities.
In addition, the Criminal law may impose stronger penalties for offenses which disrupted or attempted to
disrupt the proper functioning of critical infrastructure and essential services.
SECTION 5.
RESPECTIVE ROLES OF THE STATE AND OPERATORS
The State, as guarantor of the nation’s security, is responsible for organizing the protection of the country's
essential services and critical infrastructures. In this context, it must in particular identify and designate
operators of essential services and critical infrastructures, impose obligations to protection them and monitor
their proper execution.
However, the protection of essential services and critical infrastructures cannot be ensured by the operators
concerned alone. They have neither the legitimacy nor the means to intervene outside their perimeter of
responsibility. The State must play its part, by providing operators with support, in a close public-private
partnership. In particular, it should act to prevent threats and to manage the situation in the event of a physical
or digital attack, in particular with its authorities, intelligence services, law enforcement agencies, national
CSIRT and judicial institutions.
SECTION 6.
RISK MANAGEMENT APPROACH
Essential services and critical infrastructure protection constitutes a heavy burden from the organizational,
technical, human and financial aspects. Therefore, enhanced protection should only be required for those
services and infrastructures that are genuinely essential or critical, and this protection should only be provided
at the appropriate level.
To this end, a risk management approach must be put in place for the application of this policy in order to
identify potential risks and threats and to proportion efforts to the probability of occurrence and the severity
of impacts they could cause on the Nation.
Each country should therefore adopt a risk management approach to:
Identify essential services, critical infrastructures and the public and private operators concerned;
define the adequate level of measures to protect these services and infrastructures from physical and digital
risks and threats likely to cause a serious impact on the Nation.
OCWARC_CS2 - Regional critical infrastructure protection policy EN - V3 2020 05 19.docx
5/12
SECTION 7.
IDENTIFICATION OF ESSENTIAL SERVICES AND CRITICAL INFRASTRUCTURES AND
DESIGNATION OF OPERATORS
The process must begin with the identification of essential services and the infrastructure that is necessary to
provide them. A non-exhaustive list of services likely to be classified as essential, presented by sector of
activity, is provided in Annex I.
The process should continue with the identification of operators of essential services or critical infrastructures.
Standard criteria are proposed in Annex II. These operators must then be subject to a formal designation.
SECTION 8.
OBLIGATIONS OF OPERATORS
A non-exhaustive list of measures that can be imposed on operators of essential services and critical
infrastructures is provided in Annex III.
These operators should be forced to at least:
set up an organization intended to organize and take into account the protection of their installations at the
level of their management;
comply with technical and operational rules intended to strengthen the physical security and cybersecurity of
their facilities;
to report to the authorities any incident that could have a serious impact on the essential services they
provide.
Any operator of essential services or critical infrastructure must put in place the organizational, operational
and technical arrangements necessary to comply with the protection measures imposed on it. They should be
described in the following documents, which are to be submitted to the competent authorities:
An operator security plan;
an information security policy (ISP) with regard to cybersecurity, emphasizing the information systems most
critical to the essential services it provides.
Criminal sanctions should be provided against operators who fail to comply with the measures imposed on
them.
SECTION 9.
PROTECTION MEASURES
A risk analysis, based on scenarios taking into account the various risks and threats identified, must then make
it possible to develop protection measures for each operator or type of operator of essential services or critical
infrastructures.
These measures can be organizational, operational, technical or legal.
They include preventive and reactive measures. Preventive measures must aim to prevent and mitigate risks
and threats, and to reduce as far as possible the probability and severity of potential impacts on the service
or infrastructure concerned and on the Nation. Reactive measures must be planned and implemented in the
event of an incident affecting the essential service or critical infrastructure. They must enable the
management of the incident affecting the essential service or critical infrastructure, until the resumption of
normal activity, and the management of the crisis that this incident causes on the Nation. The measures taken
should be smart and have a tangible impact on the objectives mentioned.
Measures to protect critical services and critical infrastructure from risks and threats using or affecting
information and communication technologies must be consistent with the Regional cybersecurity and
cybercrime Strategy.
OCWARC_CS2 - Regional critical infrastructure protection policy EN - V3 2020 05 19.docx
6/12
In addition, countries should take into account the protection measures already provided for in international
regulations for certain sectors (air transport, maritime navigation, banking transactions, etc.) before
considering any additional measures.
SECTION 10.
INTERDEPENDENCIES OF ESSENTIAL SERVICES AND CRITICAL INFRASTRUCTURES
The approach must take into account the interdependencies that may exist between essential services and
critical infrastructure. For example, all services and infrastructure are, with rare exceptions, dependent on the
power grid and electronic communications services.
Therefore, each country should put in place circumvention measures, such as the installation of electric
generators or a redundancy of power feeds and electronic communications links, to avoid any interruption in
the operation of essential services and critical infrastructure that could cause a serious impact on the Nation.
SECTION 11.
NATIONAL COORDINATION
Each country should mobilize all authorities and public actors concerned to establish a national policy for the
protection of essential services and critical infrastructures and to define the contribution of each to its
implementation, in relation to both preventive and reactive measures.
Public authorities and actors should engage in a dialogue with operators of essential services and critical
infrastructures to identify with each of them their main vulnerabilities, the measures likely to reduce them
and the reasonable timeframe for the implementation of these measures.
SECTION 12.
INTERDEPENDENCIES BETWEEN COUNTRIES IN THE REGION AND REGIONAL COOPERATION
Interdependencies between countries continue to grow within ECOWAS and Mauritania, also in relation to
essential services.
In addition to the services which by nature concern all countries, such as public telecommunications, financial
transactions or international air transport, there is an increasing number of infrastructures serving several
countries, for example in the areas of road corridors, Internet connectivity (especially global transit), electricity
or even gas. Another example is the West Africa Police Information System (WAPIS) set up in all ECOWAS
countries and Mauritania.
Certain services may be classified as essential by all countries concerned. Others, deemed essential in one
country, may depend on infrastructure located in another country that does not identify them as critical.
Faced with this dual problem, it is necessary to set up a dialogue and cooperation between the countries of
the region, based on a common understanding of the issues and on protection measures as similar as possible
and of sufficient level in all countries.
Countries with interdependence in essential services or critical infrastructure should establish cooperation
between their competent authorities aimed at:
Identifying transnational essential services and critical infrastructures, as well as the nature of their
interdependencies;
Taking into account as much as possible the needs of other countries in the designation of their critical
infrastructure;
Harmonizing the protection measures imposed on the operators concerned;
Exchanging information on threats and risks and taking, in a coordinated manner, any additional measures
necessary to respond to an increasing or imminent threat or risk;
Coordinating the measures to be taken in the event of a crisis linked to a transnational critical infrastructure.
OCWARC_CS2 - Regional critical infrastructure protection policy EN - V3 2020 05 19.docx
7/12
SECTION 13.
MONITORING AND UPDATING OF THIS REGIONAL POLICY
The ECOWAS Commission shall set up a committee to monitor this policy. The monitoring committee
comprised of the ECOWAS Commission and a high-level representative provided by each State will meet at
least once a year [periodicity to be discussed] to ensure the monitoring of the provisions of this regional policy
over time and to propose any new actions and changes that may be necessary.
OCWARC_CS2 - Regional critical infrastructure protection policy EN - V3 2020 05 19.docx
8/12
ANNEXE I:
SERVICES AND INFRASTRUCTURE THAT MAY BE CLASSIFIED AS ESSENTIAL OR CRITICAL
The process of identifying operators of essential services and critical infrastructures must consider the services
and infrastructures appearing on the following non-exhaustive list:
Sectors
Services and infrastructures
Public security
Judicial services
Election processes
Electronic administration
Electricity production, transport and distribution
Production, transport, refining, storage and distribution of petroleum products
2. Energy
Production, transport, treatment, storage and distribution of gas
Nuclear installations
Air, road, rail, sea and river transport
Air traffic control
3. Transport
Airport and port platform management
Road and rail infrastructure management
4. Logistics
Logistics platform management
Distribution of social minima
Management of the recovery and the treasury of social organizations
5. Finances
Bank transactions
Financial services
Financial market infrastructures
Health care (in healthcare establishments or by telemedicine)
6. Health
Pharmaceutical distribution
Research laboratories
7. Water
Production, transport and distribution of drinking water (by pipeline or bottled)
National Internet network and interconnection to the regional and global Internet
(submarine and terrestrial cables, cable landing points, Internet exchange points,
8. Electronic
etc.)
Communications Internet domain name management (DNS)
Internet access
Telecommunication services (telephony, etc.)
9. Information
Radio and television
10. Food
Supply, storage and distribution of the main foodstuffs
11. Industry
Essential industries for the country
Industries likely to cause serious damage to the population in the event of
12. Miscellaneous
accidental or malicious damage or destruction (dam for example)
1.
Government
activities
OCWARC_CS2 - Regional critical infrastructure protection policy EN - V3 2020 05 19.docx
9/12
ANNEXE II:
DENTIFICATION CRITERIA OF OPERATORS OF
ESSENTIAL SERVICES AND CRITICAL INFRASTRUCTURE
The process of identifying operators of essential services and critical infrastructures can take place using all
or part of the criteria indicated in the following non-limiting list:
The level of severity, duration and extent of the impact that an interruption of service or an accident would
have on the operation of the State, on the economy or on health, safety, security and well-being of the
population;
The size of the area likely to be affected by an incident;
The number of users depending on the service (expressed as a percentage of the population for example);
The operator's market share;
The dependence of essential services or critical infrastructures to this service (case of electrical distribution
and electronic communications services for example);
The importance of the operator in ensuring an adequate level of service, taking into account the availability
of alternative means for providing the service;
Where applicable, sectoral factors.
OCWARC_CS2 - Regional critical infrastructure protection policy EN - V3 2020 05 19.docx
10/12
ANNEXE III:
MEASURES THAT MAY BE IMPOSED ON
OPERATORS OF ESSENTIAL SERVICES AND CRITICAL INFRASTRUCTURE
The following non-exhaustive list provides measures that can be imposed on operators of essential services
and critical infrastructures.
Preventive measures
Protection governance:
Designation of a security officer who is accountable to public authorities for all security related matters;
Establishment of an organization to ensure the physical protection and cybersecurity of the operator's
infrastructure;
Annual report to public authorities [periodicity to be discussed] on the risks, threats and vulnerabilities
identified and on the main measures taken to address them;
Physical security:
Implementation of a risk analysis process to identify and address the main vulnerabilities that can lead to a
serious impact on the Nation;
Staff awareness and training;
Access security: management of identities and access rights, devices aimed at prohibiting or delaying
unauthorized penetration, intrusion detection devices;
control of natural hazards and accidental risks: fire prevention and fire-fighting devices, flood prevention,
accident prevention;
Implementation of redundancies for the most critical installations or power supplies;
Establishment and implementation of an operator security plan (OSP);
Periodic physical security audit by a State service or by a provider approved by the State;
Cybersecurity:
Implementation of a risk analysis process to identify and address the main vulnerabilities that can lead to a
serious impact on the Nation;
Mapping critical information networks and systems;
Staff awareness and training;
Enforcement of cyber hygiene rules;
Applying security patches on systems and softwares;
Taking into account the alerts given by the CSIRT;
Network and system security: configurations rules, partitioning, remote access, filtering;
Security of network and system administration: rules on accounts and administration systems;
Identity and access management: rules on identification, authentication, access rights;
Defence of networks and systems: detection of security incidents, event logging, correlation and analysis of
logs;
Fitting redundancies for the most critical systems or power supplies;
Establishment and implementation of an information security policy (ISP);
Security certification of critical information systems;
Periodic cybersecurity audit by a State service or by a provider approved by the State;
OCWARC_CS2 - Regional critical infrastructure protection policy EN - V3 2020 05 19.docx
11/12
Reactive measures
Immediate notification to public authorities of any incident that could cause a serious impact;
Establishment of an internal crisis management organization in liaison with public authorities (identified and
reachable managers, premises, networks, directories, etc.);
Establishment of business continuity and recovery plans.
OCWARC_CS2 - Regional critical infrastructure protection policy EN - V3 2020 05 19.docx
12/12
Related documents
Abstract From the aqueduct to the automobile, new technologies have always... urban environment but often with unexpected negative affects to the...
Abstract From the aqueduct to the automobile, new technologies have always... urban environment but often with unexpected negative affects to the...
Role of Government
Role of Government
David Rennie – Cabinet Office
David Rennie – Cabinet Office
Smith1
Smith1
348WHO DG Message at IFRC Side Event in Rio
348WHO DG Message at IFRC Side Event in Rio
IT Architecture & Infrastructure
IT Architecture & Infrastructure
Download
advertisement