2. Role of the CPNI
The Centre for the Protection of National Infrastructure is the
recognised UK government authority for protective security
advice to the National Infrastructure.
It protects national security through:
• Minimising risk to the National Infrastructure; by
• Delivering authoritative advice; to
• Reduce the vulnerability of the National Infrastructure to
terrorist and other threats.
3. The N i
Th National Infrastructure (NI):
lI f (NI)
Telecommunications
Energy
E
Finance
Government & Public Services
Water
Health
Emergency Services
Transport
Food
Delivering
D li i essential services to
ti l i t
the citizen
Not everything is critical
Each sector is different
4. Protecting the NI: Our Strategic Approach
•Impact driven
•Vulnerability focused
•Threat informed
•Under pinned by:
p y
Tripartite Relationship
International angle
Research and Technology Programme
5. The
Th Old Approach to Criticality
A h t C iti lit
•‘CNI’ means different things to different people.
•Only ‘catalogue’ was f EKP (S
O l ‘ t l ’ for EKPs (Supers, 1 2 )
1s, 2s).
•Focus on the site, not the service.
•Old fashioned language.
language
•EKPs did not cover critical networks & systems.
•Criteria different across sectors.
•Insufficient account taken of non-’critical’ infrastructure.
6. Updating the Meaning of C iti lit
U d ti th M i f Criticality
•Focus on delivery of ‘critical services’, including
information infrastructure
infrastructure.
•Scale from 5 (most critical) down to 0.
•Cat 5 = Supers; Cat 4 = EKP 1s; etc.
•Common approach for sites and critical networks.
•Categories 3 – 5 likely to represent ‘critical’ national
infrastructure.
•Foundation for prioritisation of advice and resources.
7. Criticality Scales
Definition Example
5 Catastrophic Loss of > 20% of national gas supply for > 24
hours
4 Severe Loss of electricity for > 1m consumers for > 18
hours
3 Substantial Loss of water for > 100k consumers > 3 days
2 Significant Disruption to payment settlement systems for up
to 12 hours
1 Moderate Local disruption to emergency services
p g y
0 Minor
8. Criticality sc
cale
1
2
3
4
5
Communic
cations
Emer
rgency
Se
ervices
E
Energy
Fi
inance
Food
NI Sectors
Gover
rnment
Health
Criticality Scale
Tran
nsport
Water
Th
Critical
Threshold
h ld
9. CPNI Knowledge Development
Integrated advice…
PHYSICAL
SECURITY
…to reduce
INFORMATION vulnerability in
y
SECURITY the national
infrastructure
PERSONNEL
SECURITY &
BEHAVIOURAL
ASSESSMENT
10. Advice D li
Ad i Delivery
External Inputs Processes Outputs Outcomes
factors
Contest
C t t2 Prioritisation f
P i iti ti of Focused
F d Reduced
R d d
Terrorism resources consultancy vulnerability in
National Risk
CNI
Espionage Assessment Advice delivery Better
plans products & Shaped
IA Strategy
services environment
CNI Self
Knowledge:
assessment Better skilled
•Threats advisers
Requirement
•Sectors setting Performance
management
•Technology R&D
Programme
•People
Training
•Criticalities
Information
•Vulnerabilities
sharing
11. Information Exchanges
Transport Sector Pharmaceuticals Industry
28 Representatives 12 Representatives
18 Companies 7 Companies
Managed Service Providers Finance Sector
36 Representatives 54 Representatives
23 Companies 34 Companies
TSIE PIIE
MSPIE FSIE
Northern Ireland Aerospace/Defence
Crossover 32 Representatives
26 Representatives
NIXIE
CPNI ADMIE 17 Companies
14 Companies
Information
SCADA
Exchanges SCSIE 77 Representatives
Space Industries SPIIE 37 Companies
10 Representatives
7 Companies WSIE
NSIE Water S
W t Security
it
VIE
SRIE VSIE 40 Representatives
Network Security
27 Representatives 18 Companies
15 Companies
Security Researchers Vendor S
V d Security i
12 Exchanges 23 Representatives
30 Representatives
15 Companies 15 Companies
220 Companies
12. Building Trust
•Flourishes i small groups with th same members. It i
Fl i h in ll ith the b is
personal.
•Start small and grow – you can’t easily shrink a group.
•Trust and value grow together but needs investment and
an understanding of incentives.
•Regular face to face contact works best Other options
best.
are teleconferences and “meetings outside of meetings”.
Trust will only develop if all members
contribute.