Keywords

1 Introduction

Security, the economic and social stability of the country, its functionality also protection of life and property of citizens depends on the proper functioning of many infrastructure systems of the country. The infrastructure necessary for life - energy, water, food, communications, transport, health service, finances, defence - are closely related. The events that may arise in one of the sectors of infrastructure (in one of the subsystems of the society) are able to disrupt all society systems.

We call infrastructure as a critical infrastructure if disruption of function, lack or destruction of physical and virtual systems, institutes, equipment and others services could cause disruption of social stability and state security, create crisis situation or seriously influence the function of state administration and autonomy in crisis situations. This definition of critical infrastructure expresses contents and meaning not only for the functioning of state in normal conditions but in crisis situations too. Crisis situations could be initiated knowingly or unknowingly and caused by internal or external factors or natural, technology and social factors.

The system structure of the critical infrastructure is defined in the relevant documents as “system, which is divided into sectors/subsectors and elements” [1]. The object of our research is the protection and security of critical infrastructure, with relevant subsectors and elements.

2 Ontological Aspects of the Examined Critical Infrastructure Protection

Ontology (gr. Ontos - being, gr. Logos - learning) is the most commonly comprehended as “the doctrine of being”. This is the approach of philosophers and philosophy but not only have they used this concept. In various fields of human activity, including security research is for universal, universally understandable and graspable way need to know how to describe reality, as well as to define real objects, their attributes, and relationships among these objects. Research in various fields requires describing what is, what exists, what can be or what is able to exist. Is it possible to use an ontological approach. The term “being” refers to real, concrete existing things, in this approach, but it can refers to things that may exist too.

Ontological approach in examination of CI allows:

  • to describe uniquely the object of interest,

  • to express ontological principle of protection of CI.

Description of the object of interest is based on the necessity to express the subject of examination. This is what interests us, what we want to clarify and what we want to solve. The object of interest, respectively a research problem is obtained selecting problems existing in the reality. This process could be presented at the model of selection of object interest in the protection of critical infrastructure in the particular sector (Fig. 1).

Fig. 1.
figure 1

Selection of object of interest in reality

Full size image

Being is the reality for us – it is the form of existence of systemically arranged the sector. We selected CI of particular sector from this reality. Protection of its elements is the object of interest. The object of critical infrastructure becomes the object of protection. The object of protection may be a physical, a tangible object or an intangible asset. We need to know, if is necessary to protect a material object or group of objects, or if we need to protect the features performing or providing the objects.

The second aspect is about the terms of ontological principle in CI protection. The essence of this principle is the identification and the description of causes and to give importance of being to protection. That means, the protection is something what exists or may exist. In the case of the critical infrastructure may be more principles.

Ontological principles for CI protection:

  • the existence of CI elements, having existential meaning and importance for the function of the CI sector/subsector,

  • the existence of real or potential threats, which have may an affect the functionality of the CI elements. This effect may result in a disruption in the CI sector or whole national infrastructure.

Protection system may exist without the second ontological principle. Protection systems are designed mainly to prevent in the practice and resource for discarding potential offenders. The protection system is needed if it required from the importance of element. Threat’s may be latent in this case.

3 The Content and Meaning of the Protection

Ontological approach to protection means to clarify what is protection, how their attributes are, what structure it could exist in and how relations are in structure of protection. The term of protection and its importance is the fundamental research problem.

The term protection may be comprehended in various meaning. The most general meaning is a care about averting risk and different harmful effects from the environment of social subject or material object, that may threating its safety. Protection is “summary of system measures, activities and means to prevent and eliminate of consequences of current and potential internal and external threats…” according to the Terminological dictionary of crisis management [2].

Protection is summary of measures to divert or eliminate of harmful effects and consequences of incidents and crisis situations according to the Explanatory Dictionary of Security Management. The protection is also act of protecting or existence of protection or as safeguard - something that guarantees security in this dictionary [3].

There is term protection of property in this dictionary and it is defined as a summary of safety, technical and regime measures which lead to obstruction of enemy action against the object and people in the object. The goal of these measures is to prevent of enemy action against people and property [3].

Protection is “to create of the safety environment for the subject” written by Lukáš and it is realized designing all available means for ensuring required or defined safety [4].

The subject of protection may be tangible or intangible property, important objects, spaces or people.

Protection of spaces or objects is summary of measures and activities for prevention of events, acts or phenomenon that could threat protected objects or spaces as well as to prevent entering unauthorized people to protecting objects or spaces.

We can examine protection in two basic meaning in terms of presented view:

  • Protection as an activity for ensure safety

  • Protection as means or system of means for ensures safety.

Protection as an Activity.

Protection as activity is to create safety environment for CI objects. This activity is focused on:

  • elimination of negative effect - social, natural and technogenic threats on safety of objects,

  • reduction of risks resulting from the environment to acceptable level,

  • ensuring the functionality and operability of the system for solving crisis situations in the environment of the object.

Critical Infrastructure protection is defined as the set of measures planned and performed with the goal:

  • Critical Infrastructure protection is defined as the set of measures planned and performed with the goal:

  • Identify and protect critical objects from sectors of state infrastructure. It could be critical from some aspects – maintenance its safety, functionality, economics and society stability. It is necessary for equivalence review in state and private sphere.

  • Ensure functionality of early warning system about crisis situations and ensure protection infrastructure important for solving crisis situations [5].

Protection of CI is Risk management method. It means it is a realization of set coordinated and systematic activities. These activities are focused on the elimination of the possibility of security threat intention (ensure safety CI objects) by a negative event, effect or activity.

Protection of CI objects is a systematic activity for ensuring safety using protective equipment and measures. These equipment and measures are for ensuring functionality, integrity, and continuity of activity object. The aim is to prevent, to avert or to ease threat of object or its destruction (modified by [1]).

Protection as a Means.

Protection in closer meaning is a mean (individual, technical equipment…) offered to protect another person, material values, CI objects etc.

Means for objects protecting, spaces and assets of different kind could be divided into:

  • Passive protection elements (mechanical barrier, building elements, barriers, foils etc.),

  • Active protection elements – alarm systems (electrical barrier, CCTV, entry control system, fire detection)

  • Physical protection elements (security service, self- protection)

  • Regime measures – preparation and creating procedures for application protection system.

The protection system is protection means connection. This system has various definitions in various spaces.

Physical Protection System it is a system that integrates people, means and procedures for property protection or object protection against theft, sabotage or other human attack [6].

Cиcтeмa физичecкoй зaщиты in the Russian speaking area. It is a set of laws, organization measures and technical solutions for protection of important interests and resources in business. Protection is focused on human attacks threats [7].

We understand Protection System in connection with the solved problem as integrate set of real elements, actions and processes which are logical and functionally arranged for the instrument for ensure CI protection in the time and space. It may be from aspect of systemic approach synergistic system with the target behavior. Required functions of protecting system are:

  • deterrence of potential attackers from the attack to protected object,

  • detection of intrusion to protected object, spaces or zones or detection of dangerous situation formation in object or in its close environs,

  • delay of attackers movement,

  • response on disruption of protected spaces or zone, to the disallow attackers approach to protected interest.

Protection is connected with the ensuring of safety process in previous meanings. This process is to ensure safety for someone or something. It is the primary goal of responsible authorities and institutes in CI protection. This is the reason to know and understand the term of security.

4 Security Assessment of Objects of Critical Infrastructure

Level of security of objects can be rated. Base for this rate are following factors [8]:

  • Vulnerability of quantified defensive and protective skills.

  • Threat which may be in open or latent form in environment.

We can express it by relation:

$$ S(t) = f\left\{ {T(t);V(t)} \right\} $$
(1)
S(t) :

is a real security of object in time t,

T(t) :

is an intensity of the threat in time t,

V(t) :

is a vulnerability of object against real threats in time t.

Security Assessment.

The threat is the term for a particular, physically existing object, effect or event. This particular, physically existing object, effect or event is able to cause damage or injury. It is everything, what is dangerous for an object and could negatively change its security situation, in the widest meaning. The threats are events and effects, which could happen in relative short time or they happened in the past and could cause dramatic changes to objects in existential conditions too. The threats occurrence is determined by:

  • the occurrence of the wearer, the source of the threat - something or someone which could cause damage or injury or who intends to do it.

  • the capacity of the wearer, the source of the threat endanger the subject or protected interest or causes damage, injury or dangerous event.

Necessary but not enough conditions for the real threat are occurrence of the source or wearer of the threat, which wants (has a motivation) and knows (has the capacity) for the threat. These conditions do not guarantee the real threat. There are other conditions for real and direct threat, for example, the adequate vulnerability of the object, availability of protected interest, low risk of failure for attackers, high probability of profit and others favorable conditions for attackers from the inside of the object etc.

The size of every identified threat can be rated using qualitative method with expert review of answers (Fig. 2) for the following questions:

Fig. 2.
figure 2

Model of threat assessment

Full size image

  • Does a source of danger exist (S – Source)?

  • Has a reason or motivation (M– Motivation)?

  • Has a capability for attack (C – Capability)?

  • Does event occur in past (E – Event)?

Vulnerability Assessment.

Vulnerability is an attribute of any material objects or technical means to lose ability to do its natural or given function. It is due to action internal or external threats of different character and intensity. It is degree or the extent of material objects or technical means ability to resist internal and external threats.

Vulnerability is a part of the protected object (building, fenestration) or the elements of protection system which do not provide required protection degree (protection equivalent to the security class), are weak or easy crossable element in protecting the system or create appropriate conditions for attacking on an object, increase attack probability and its success.

Indicators for vulnerability rating of the object, its elements, zones or spaces are:

  • Level of vulnerability rated by qualitative methods (expert review) as little, medium, large etc.,

  • or probability of successful attack on the object PA, it can be expressed with using probability models in the scale (0;1), or like subjective probability, respectively credibility, or according to the relation:

    $$ P_{A} = 1 - P_{E} $$
    (2)

  • P A is probability of successful attack,

  • P E is probability of attack elimination; it is express according to the relation (3)

    $$ P_{E} = f(P_{d,l} ,P_{I,L} ) $$
    (3)

  • P E is probability of attack elimination

  • P d,l is probability of detection attack to critical line of detection Footnote 1,

  • P I,L is probability of interruption of attack before line areas endangered of object Footnote 2

Security Assessment of the Object.

Determining of the CI object security lines, in the logical analysis of the relationship of factors and their impact on the object security.

  • If size of identified threat is reviewed as a large but vulnerability is reviewed as very small; it shows to enough security, also for the protection of the element. It is because of the threat cannot accord to degree of protection system resistance cause damage or disruption to CI objects functions. The method is illustrated in the Table 1.

    Table 1. Security evaluation matrix.
    Full size table

This method and scale of evaluation is only for example. The evaluator may determine own scale and method for evaluation according to extent of acceptable risk.

5 Conclusion

The more secure Critical infrastructure object will be, the higher abilities of protection subjects to identify possible threats in time will be. And its possibilities for permanent protection of its physical integrity and fulfilling its functions against changing (evolving) security threats of various kinds will be. However, this is expected active approach of the object. It means especially:

  • to identify possible threats, its resources and holders,

  • to detect of proximate (immediate) causes of security threats; it means to identify why may be threatened object security,

  • to detect ultimate (final) causes of security threat, i.e. how can reach to object security threat [8].

The situation when the object will be secure, does not mean that it exists without threats in environment. Security means that the object is enough resistant against all expected negative effect and events which may change conditions of its stabile functioning.

The conditions for object security are:

  • there is not threat source, there is not threats itself or its environment (others systems, processes and objects),

  • its condition guarantees stability, physical integrity or continuity of fulfilment its functions,

  • protection system of the object has got enough potential to eliminate or minimize external or internal various kind of threats,

  • it is able immediately react to its state changes or environment state,

  • it is able to react to changes of balance between threats and protection system [8].

Security of CI objects is dynamic value. This value is measured in time and is depending on interaction of referred factors (Threat - T, Vulnerability - V), it can be of various levels. It can be expressed as:

  • sufficient security of the object; it is when active threats cannot influence or disrupt stability and performance of the object functions,

  • condition of risk, when object and its protecting system are able to confront active threats but this state is limit with tendency to negative change,

  • non security when object and its protection system are not able to confront active threats, where these threats are able to disrupt performance of the functions objects even destructive changes.

From the foregoing results that the disruption of CI object security can be reach when following conditions will be fulfilled:

  • there will be such changes in the object structure and attributes (in its protection system) which reduce its protecting abilities and increase its vulnerability, but the development in the environment will be without change,

  • changes in environment of the object and protecting system caused threat with intensity higher then resistance.