Before the 90s we had to consider a different type of threat than the one we currently face. Western countries did not deal with the subject of disruption and destruction of critical infrastructure (hereafter CI); on the contrary, they did not acknowledge that the threat had changed as a consequence of technological progress.
In the last decade a tremendous, global revolution in computer science has occurred, encompassing all spheres of our lives. The major factors for the safety of infrastructure are the following: enhancing the protection of individuals and communities, and raising the security of CIs to a higher level. In these spheres threats might derive from physical and informatics sources.
I have a possible proposal for the protection of certain elements of critical infrastructure. Special Underground Facilities (hereafter UGF-s) withdrawn from the system have capabilities that make them suitable for protecting certain elements of several CIs within certain branches.
In my presentation I am going to make a few proposals for utilizing UGF-s from the aspect of CI protection according to the following considerations:
1. Internationally accepted definition of critical infrastructure.
5. Branches of CI in Hungary
"We call critical infrastructure those vital elements of the national and allied or union infrastructures which, if significantly disrupted, broken or destroyed, would have a serious impact on the security, economy, environment or public health of a nation or nations, or on the effective functioning of certain governments and member states." 1
Definition for the protection of critical infrastructure:
"The programs, activities and interactions used by the state, the owners and the operators to protect their critical infrastructure." 2
2. Classification and threat of the critical infrastructure.
As can be seen from the definition, critical infrastructure (hereafter CI) consists of a number of vitally important elements required for the operation of the state and the security of the population. When these elements are studied, the threats to them turn out to be different. Chart No 1 shows those branches and sectors that some countries might consider as critical infrastructure.
Chart No. 1.4
From the aspect of analyzing threats to CI branches and sectors, the following "challenges"5 might be considered:
a) wars, armed conflicts (Gulf war, Southern Slav war etc.)
Natural and industrial (civilization) disasters can be further classified according to their appearance:6
I. Natural disasters (acts of God):
II. Civilization (industrial) disasters:
C) Biological character disasters
III. Traffic, transportation disasters:
A) Danger sources of transportation system
IV. Social catastrophes:
V. Psychological catastrophes:
The danger factors might also increase the effects of each other (e.g. damage caused by flood waters might increase the danger of infection and epidemics, or the stress effect in the case of fire and explosion danger). These factors might be caused by human beings and by nature alike.
In Hungary, the elements of critical infrastructure can be ranked into categories, like the settlements for civil defense (Government decree No 134/1996.), as follows:7
Category I.: Highlighted endangered infrastructural elements
The classification listed above is at the same time an indicator of importance for protecting the elements of CI. The legal background for implementing the classification and developing the categories has not yet been established.
3. The legal background of Critical Infrastructure Protection in Hungary.
Regarding Critical Infrastructure Protection (hereafter CIP) there are serious efforts in progress at the international level (USA, EU). The EU formulated its programme for CIP in the "Green Book" in November 2005 and asked for proposals closely related to this subject.
Hungary joined this programme. The development of the legal framework had started before that. Some of the earlier Government Decrees deal with CIP-related tasks, but no specific legislation has been adopted at the national level yet.
Earlier laws related to critical infrastructure protection
2073/2004. (IV. 15.) Government Decree on the national security policy of the Republic of Hungary
We can declare that the security of Hungary has a firm footing based on the processes that have occurred since the changes. A basic guarantee is provided by joining NATO and the European Union (hereafter EU).
Although the bipolar world order has come to an end, new types of security risks have appeared which do not respect national boundaries. These have an impact on the security and the environment of our country.
I am going to describe some of these impacts without going into detail:
- Global challenges: information technology, traffic, financial issues, and public health
- Terrorism: destabilization has an impact on international relations (supporting activities on terrorism undermine the operation of international system)
- Due to the proliferation of weapons of mass destruction: potential for terrorists to get them
- Information society challenges: using PCs and the Internet causes a total dependence in our everyday life. We need to continue information and telecommunication investment up to the level of developed countries. Besides providing the conditions for information infrastructure, protection of these systems and a reserve should be provided. Vulnerability in informatics systems is a risk factor for the nation.
The Government Decree sets tasks for decreasing the risk factors. I am going to brief you on the most important of these:
- Taking steps against global threats and challenges: taking part in the activity of international organizations provides the best protection for Hungary to manage our global challenges.
- Terrorism: hindering and blocking the development of the financial conditions of terrorism provides protection for CI.
- Information systems protection: develop a secure informatics structure, protection of the governmental information systems. Prepare governmental information systems to protect against cybernetic attacks.
- Protection of the natural and civil environment: Manage the natural and public health problems via international cooperation, in which Hungary should also participate actively.
2112/2004. (V. 7.) Government decree on the actual tasks of the fight against terrorism
The Government has agreed on the actual tasks of the fight against terrorism as set out in Anti Terrorism Action Plan II, contained in annex 1 of the present government decree. The Government established an interdepartmental working team led by the Minister of the Interior.
Based on the Union Action Plan the Government set a task to adopt a general decree about attacks against the information systems for the CIP. This decree was accepted on 24 February 2005. Developing the completely protected communication system will be implemented over several years.
Another important task of the Union Action Plan is to enhance protection for basic services to citizens and to develop a controlling, early warning and reaction mechanism for managing consequences of terrorist attacks, furthermore to analyze the threat of CI and their defense policy. They also decided to support the European Programme of the CIP.
An autonomous Hungarian arrangement was started to develop and adopt a government decree on the National Crisis Reaction System. The national system will be developed in harmony with the NATO Crisis Response System and the EU crisis management mechanism.
2151/2005. (VII. 27.) Government decree on the review of the Anti Terrorist Action Plan.
The Government agrees with Action Plan II, and orders the implementation of the measures included.
Analyzing the threat to CI and their defense policy should be carried out. The necessary measures need to be taken and we should be prepared to support the European CIP programme.
A specialist should be designated in the Critical Infrastructure Warning Information Network.
4. Use and utilization of special UGF-s for protecting CI
4.1 Status of special UGF-s
The effect of the defense review
The Defense Review of the HDF was carried out in 2003 in order to make a proposal for establishing a smaller, less costly, capability-based defense force.
The economic capability of the country now stands at such a stage that the HDF might be underfinanced because of the current defense structure.
Hungary has been a member of NATO since 1999 and of the EU since 2004. Both of these organizations are arenas of our interests. Moreover, we need not reckon with any traditional attack against NATO and its member states; besides, as Hungary is a member of NATO, Article V of the Alliance applies to it as well.
There is an important fact we should not forget. The end of the Cold War has greatly reduced the importance of the fixed, stationary command elements (e.g. bunkers, wire communication), because these organizational elements had been planned for wartime purposes. However, due to some factors deriving from the new types of challenges already mentioned, it would be appropriate to reconsider the status of these elements and involve them in the national planned programme as defense elements for the protection of CI.
Based on the Defense Review a government decree was developed, and this led to the termination of these organizational elements.
2236/2003. (X. 1.) Government decree on the development of the new organizational structure and transition of HDF for the period 2004-2013.
The aforesaid government decree ordered the tasks that have to be carried out in order to establish the new capability-based defense forces.
Security of the country must be interpreted within the system of the Alliance. Therefore, in spite of the new security challenges, the Republic of Hungary will not be threatened by any danger of a traditional attack in the next 10 years.
The concrete task is to analyze the necessity of maintaining the protected command system and to review the possibility of using certain elements for specific crisis management purposes.
As a result of this, a further government decree directed the future of certain special UGF-s. Since the state believes that maintaining them is expensive, and they are national assets at the same time, there is a task to utilize them and to look for opportunities to use them in peacetime. This is currently still in progress.
4.2 Utilization of the special UGF-s
The special UGF-s were created during the Cold War. In the beginning only underground shelters were constructed; then there was a continually increasing requirement to build so-called bomb, gas and shrapnel proof (BGS type) shelters on the territory of industrial factories (war plants) and railway stations as well. Later more national organizations had similar protection built for their own groups. Shelters were also built in which the complete communications and telecommunications system appropriate for the given time was developed, and whose protection was adequate even against the effects of an atomic bomb. At this time, the "command posts" for the state leadership and the national defense command were established as well.
Following the change of regime, the political situation also changed. The bipolar world system came to an end and the threat of a total nuclear war was over, but other new types of security challenges emerged, which I have already mentioned.
Because the special UGF-s were planned for wartime, their significance decreased after the change of regime. However, the new types of challenges pointed out different tasks for the experts. In the last few years the protection of critical (vitally important) infrastructure has come to the fore, for which the 9/11 2001 terrorist attack provided an especially good example.
The special UGF-s can provide total protection for certain elements of the CIs; in addition they are capable of performing other peacetime tasks as well.
4.2.1 Protection of information systems
I have already touched on this subject in chapter 3. Presently we live in a world of PCs and informatics, which determine our everyday life. We live almost in "PC dependence". Access to information is important not only for ordinary people, but perhaps even more for economic and business life as well as for governmental operation. Therefore, storing data in a secure way and placing data carriers in a safe place has become important from the point of view of operating the country.
For the effective support of economic preparation, planning and the economic mobilization activity8, the Economy and Transportation Minister operates an informatics system which includes the following elements: actual data base with direct access and authorized competence on the national economy processes, stationary and transportable PCs, central work stations, and deployed workstations at the planning organizations.
If unauthorized persons accessed this database, it might cause colossal damage. And what about the loss of the social security system's database? Unfortunately these databases are saved on only one storage medium. Nothing is saved to a back-up data store. In this way, damage to the only data store causes data loss. To mitigate this risk there is a need to establish server farms, which should be geographically separated from each other to increase security (e.g. Austria).
In many Western countries secured installations are already used for this purpose.
On the Internet certain organizations advertise the use of secured installations as a service:
"Our installation called 'TheRock', which is sited in the monolith bed of the earth's crust, in a continuous, several kilometer long and deep geological formation, provides a hard protection for Your data. This installation, which is built for this purpose, is able to resist the effects of an earthquake of 9.5 intensity on the Richter scale. Being 40 meters deep, it is described as the Northern Fort Knox."
"Each day of the year, the secure system operating for 24 hours provides the bio detection and the closed-circuit television monitoring, card-operated entry system, furthermore computer operated vibration and motion sensor."
In 2002 the U.S.A. dealt seriously with the consequences9 of a possible cyber attack. According to an intelligence officer's proposal, it would be expedient if the giant companies symbolizing the U.S.A. (GE, GM, IBM, etc.) established a secure channel between the company and the local FBI HQ.
The reason for this is that a physical attack followed by an attack coming from cyber space would cause losses of a thousand billion dollars for the national economy and would shake the foundations of the country.
4.2.2 Storage of strategically important material and supplies (medicines, instruments, food etc.)
Throughout history the protection of material has always been an essential subject. In the great wars both the armies and the civilian population needed to be provided with food, arms, clothes etc. In addition, shelters were established not only for the protection of persons but for the protection of the above mentioned material as well.
The special UGF-s are well suited for the purposes of storage and warehousing. Additionally, the periodic replacement of the stored material is also possible.
This category includes those assets and materials which ensure the operation of the national economy during a crisis or state of emergency.
The Government maintains defensive purpose state reserves in order to safely satisfy economic mobilization requirements.
These state reserves are the following10:
- industrial products, assets, special military technology and equipment and transportation assets,
- communications and informatics assets,
- medical and pharmaceutical industry instruments,
- waterworks and flood prevention means,
The defensive purpose state reserves include the following groups:
- Economic emergency reserve (industrial and semi-finished products, base material, and products which guarantee the operation of the national economy and the supply and defense of the population, and furthermore ensure the task performance of the armed forces, police and the security organizations),
- State medical reserve (for looking after wounded persons belonging to the armed forces and security organizations in an emergency, and casualties during disasters: medicines, surgical instruments, medicinal aids, stockpiled equipment of the emergency hospitals),
- State provisions for liabilities and charges (material necessary for the special tasks of certain ministries during emergencies; material, parts, semi-finished products, goods and stocks required for production, service and restoring activities),
- Foreign currency and cash reserve (banknote reserve for the smooth operation of the bank accounts and cash-flow management within the country),
In Finland several plants have been established in similar installations (underground facilities, hereafter UGF-s), where special measuring instruments are produced for the defense sector.
By redesigning the large rooms it is possible to create even multi-tiered or multi-level storage spaces. There might be some limitation because of the size of the entrances. For this reason it is necessary to know precisely the dimensions of the selected product.
4.2.3 Protection of national treasures, establishing archives and public records offices
Due to ad hoc solutions, most museums are facing the problem that expensive historical relics, paintings and art treasures are kept in dusty, damp cellars or in corridors which are supplied with public utility cables. Similar conditions apply to archives and public records. One solution is to microfilm certain archive items for easier storage. But these valuables might also be sited in fortified/guarded installations by creating a proper storage structure.
4.2.4 Protection of broadcasting and telecom systems
Regarding the above mentioned systems, there is equipment whose physical damage might bring the countrywide mass communication system to a standstill. Of course, an antenna system can't be placed inside a building, but its complete informatics and electronics background set can be. This way, if the fixed antenna is destroyed, it can be replaced with a vehicle-mounted antenna. In this case the only thing we need to do is establish the proper connection point, and even satellite communications can be provided.
4.2.5 Carry out contingency (emergency) tasks
It is a basic requirement to provide all the conditions of safe operation and control for the government and the leadership. In order to maintain continuous and smooth operation, besides the economic and safety conditions, the informatics and telecommunications systems run in peacetime too. During an emergency, administrative measures and technical means that meet modern requirements upgrade the safeguards.
In its entirety
We can say of every installation that, by maintaining the strictly prescribed air conditioning parameters, it can be guaranteed that the interior air status will meet specifications. These could be further regulated depending on the type of material placed there. In the case of special assets (valuables) it is possible to install additional air conditioners in the rooms.
5. Branches of the CI in Hungary
The "Green Book" makes a proposal for identifying the services and sectors of CI, which can be seen in Chart 2. Considering the characteristics of the given country, it might be possible to depart from this, but in any case it is an important task to survey the sectors and their elements within certain branches. Since the branches, including CI, are different, it would be difficult to prescribe the considerations for protecting them. Therefore, it is appropriate to develop their protection by branches. It is also certain that it is not possible to place every element (product) in a safeguarded installation; moreover, the protection of some elements could be developed in a different way.
In Hungary branches and sectors of the CI are the following:12
1) Informatics and communication systems,
The operation of each branch and sector is based on informatics, therefore the establishment of protection should be considered from this aspect.
The spread of informatics systems and the expansion of networks make it increasingly hard to maintain the security of informatics means. The more people are in contact with the informatics system, the more possibilities there are for undesirable occurrences.
An informatics system can be attacked in many ways and in countless places; therefore protecting it is also hard. The target of the attack13 and of the defense of the data itself is the data carrier element. But there are also attacks touching the data indirectly via the surrounding system elements (hardware, software, environmental infrastructure).
Data is surrounded by the following system elements:
Basic threats affect the system elements, and because of these the information carried by the data must be protected. For this reason the protection measures should be attached to the system elements.
The underground facilities provide a protective option for certain elements of the Critical Infrastructure. The underground facilities could be drawn upon occasionally, in those cases when the detected threat level or the consequences of the losses are heavy, and the vulnerability can't be eliminated by the redundancy of the system or via other construction measures. Buildings can be fortified against damage caused by earthquakes, explosions or structural damage. Beyond a certain threat level or structural load, however, the protection of the critical elements inside a fortified surface construction could cost more than establishing an underground facility.
1. Use of Underground Facilities to Protect Critical Infrastructure. Summary of a Workshop. 1998. Rome.
2. Péter Pásztor: Possibilities for using special (protected) underground facilities in peacetime. Sword and pen. Selection from the studies of the doctoral students for military science. Education and Scholarship Organizer Division, MOD. Budapest, 2004/1.
3. Dr. Ferenc Kovács: Survey of elements of the critical infrastructure, working out arrangement proposals regarding its restoration and arranging. Study. Budapest, 2005.
4. 2073/2004. (IV. 15.) Government decree on the national security strategy of the Republic of Hungary. Official CD Law Collection. 2005/5.
5. 2112/2004. (V. 7.) Government decree on the actual tasks of the antiterrorist struggle. Official CD Law Collection. 2005/5.
6. 2151/2005. (VII. 27.) Government decree on the review of the Antiterrorist Action Plan. Official CD Law Collection. 2005/5.
7. 2236/2003. (X. 1.) Government decree on the development of the new organizational structure and transition of HDF for the period 2004-2013. Official CD Law Collection. 2005/5.
9. Source: Commission of the European Communities: Green Book on the European programme for the critical infrastructure protection. COM(2005) 576 final. Brussels. 2005.
10. 131/2003. (VIII.) Government decree on the control of the tasks concerning the preparation of the national economy and the mobilization. Collection of the Current Legislation. 16. Dec. 2004.
11. Liquidation the results of acts of God, natural and industrial disasters. Construction Science Information Centre. Budapest, 1984.
12. Experts on the consequences for the possible chance of a cyber attack. COMPUTERWORLD. http://www.szt.hu/hirek_hir.php?id=29093
13. Ákos Bodlaki: Planning Issues of the information security. Informatics at the Higher Education '96 - Networkshop '96 Debrecen, August 27-30. 1996.
14. Defense-coordination Division, Ministry of Economy and Transportation: Home and international control of the critical infrastructure protection, identification of the potential danger sources and analysis of their effects, proper analysis methods for identification of critical elements of the infrastructure. Professional debate paper. Budapest, 2006.
1 Dr. Ferenc Kovács: Survey of elements of the critical infrastructure, working out arrangement proposals regarding its restoration and arranging. Study. Budapest, 2005.
5 Home and international control of the critical infrastructure protection, identification of the potential danger sources and analysis of their effects, proper analysis methods for identification of critical elements of the infrastructure. Professional debate paper. Budapest, 2006.
6 Liquidation the results of Acts of God, natural and industrial disasters. Construction Science Information Centre. Budapest, 1984.
8 131/2003. (VIII.) Government decree on the control of the tasks concerning the preparation of the national economy and the mobilization. Collection of the Current Legislation. 16. Dec. 2004.
11 Source: Commission of the European Communities: Green Book on the European Programme for the critical infrastructure protection. COM(2005) 576 final. Brussels, 2005.
13 We should mean by attack every kind of threat, which threatens the reliable operation of the system, furthermore threatens the availability of data and the required operation of the instruments.
© ZMNE BJKMK 2006.