Supporting operators against cyber and non-cyber threats to reinforce the resilience of critical infrastructures -

Projects’ results are expected to contribute to some or all of the following outcomes:

• Support is provided to the resilience of operators against cyber and non-cyber threats in specific sectors;
• A reliable state-of-the-art analysis of physical/cyber detection technologies and risk scenarios is created, in the context of an operator in a specific sector in sectors that have not yet been covered by previous research projects;
• Strengthened cooperation against natural or human-made threats and subsequent disruptions of infrastructures in Europe, allowing for operational testing in real scenarios or realistic simulations of scenarios with specific regard to disruptions in a specific sector of critical entities;
• Improved situational awareness, preparedness and governance by the implementation of effective solutions that enhance detection and anticipated projection of a determined threating situation, as well as implementation of prevention, preparedness/mitigation, response, and recovery types of intervention;
• Significant reduction of risks and exposures to anomalies or deliberate events on cyber-physical systems, or on complex and critical infrastructures/systems;
• Enhanced preparedness and response by definition of operational procedures of operators as well as public authorities considering citizen’s behaviour/reaction and societal impact in case of disruption in a specific sector.

The operational environment in which operators operate has changed significantly in recent years. Security research and innovation related to infrastructure resilience has been following a sectorial approach in order to increase the resilience. This approach to critical infrastructure resilience is needed that as it reflects the current and anticipated future risk landscape, the increasingly tight interdependencies between different sectors, and also the increasingly interdependent relationships between physical and digital infrastructures.

A disruption affecting the service provision by one operator in one sector has the potential to generate cascading effects on service provision in other sectors, and also potentially in other Member States or across the entire EU.

With more and more infrastructure systems being interconnected, a stronger focus on the systemic dimension and complexity of attacks and disruptions by cyber or physical means needs to be applied. As such, not only interdependencies within one type of infrastructure (or closely related types) can be taken into account. The risk landscape is more complex in the recent years, involving natural hazards (in many cases exacerbated by climate change), state-sponsored hybrid actions, terrorism, insider threats, pandemics, and accidents (such as industrial accidents).

Physical disruptions of the activities of operators active in these sectors have possibly serious negative implications for citizens, business, governments, in the environment and endanger the smooth functioning of the internal market. Therefore, operators should be equipped with the best possible means to be able to prevent, resist, absorb and recover from disruptive incidents, no matter if they are caused by natural hazards, accidents, terrorism, insider threats, or public health emergencies.

Another important issue is to have in place efficient cybersecurity measures to block the access to critical infrastructures. A possible project focusing on the protection of critical infrastructures against such threat should consider gaps and vulnerabilities that need to be identified and overcome (e.g. protection of drinking water supply systems from high chemical levels, nuclear facilities, etc.).

Therefore, the successful proposal, following a sector-based approach and identifying a specific priority sector, should work on how to increase the combined cyber and non-cyber resilience operators. It should do so by orienting itself on sectors that have not been covered in previous research, out of the list of sectors described in the respective Annexes of the of the directive on the resilience of critical entities (CER[1]) and the directive on measures for high common level of cybersecurity across the Union (NIS-2[2]) and thus contribute to enhancing the overall resilience on EU-level, in line with the EU Security Union Strategy[3].

The proposal should orient itself on the policy shift from protection towards resilience and thus focus on operators acting in the internal market, rather than only on physical or digital assets. This includes concepts of wider business continuity, as well as logistics and supply-chains. Proposals should also focus on the development of a more effective resilience plan conception method, which shall support operators to draft their resilience plans according to the provisions of the CER and NIS-2 Directives. The resilience plan conception method should include risk analysis, domino effects analysis, cross-sector and cross-border analysis, standardised plans etc. In addition, this method could include measures on adequate protection, measures on prevention, response, mitigation, and recovery from the consequences of incidents, protection of classified (e.g. the proposal for a Network Code on sector-specific rules for cybersecurity aspects of cross-border electricity flows) or sensitive information and measures that ensure adequate employee security management.

The main practitioners in this topic should come from private or public operators, meaning organisations and enterprises that use critical infrastructure to deliver services, vital for the functioning of society and the internal market. Consortia that will include MS public entities would be considered as an asset. Competent authorities of MS in charge of resilience and/ or overseeing operators in one or more sectors are also encouraged to join the consortia of applicants.

If the infrastructure includes processing of personal data, the proposal should consider including a risk assessment or privacy impact of individuals and society.

This topic requires the effective contribution of SSH disciplines and the involvement of SSH experts, institutions as well as the inclusion of relevant SSH expertise, in order to produce meaningful and significant effects enhancing the societal impact of the related innovation activities.

Applicants are encouraged to explore and demonstrate synergies with the work conducted in the European Reference Network for Critical Infrastructure Protection (ERNCIP), as applicable.

[1] Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC.

[2] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).

[3] COM(2020) 605 final.

News flashes