Policy framework
In the aftermath of the terrorist attacks in US and EU, the European Council asked the European Commission to prepare an overall strategy for the protection of critical infrastructures, following which the Commission published the communication on Critical Infrastructure Protection in the fight against terrorism. The Council accepted the intention of the Commission to propose a European Programme for Critical Infrastructure Protection (EPCIP) and a Critical Infrastructure Warning Information Network (CIWIN) in December 2004. Almost a year later (November 2005), the Commission adopted a Green Paper on the EPCIP.
In December 2006, the Commission presented a proposal for a directive on the "Identification and Designation of European Critical Infrastructures and a common process to assess the need to improve their protection". Beginning of 2007, the financial instrument of EPCIP “Prevention, Preparedness and Consequence Management of Terrorism and other Security Related Risks” for supporting activities that aim at increasing the protection of critical infrastructures was introduced.
Finally, in December 2008, the EPCIP Directive 2008/114/EC on the "Identification and Designation of European Critical Infrastructures and the Assessment of the need to improve their protection" was adopted.
In 2013, the Commission published a staff working document on a revised approach to EPCIP. In this document the importance of resilience and interdependencies in CIs is clearly mentioned as well as the need to develop the necessary tools and methodologies.
Motivation
Critical Infrastructure Protection (CIP) is getting increased attention as a result of the number of man-made threats (terrorism, malicious attacks, cyber events) and natural disasters. In addition to that, critical infrastructure systems are becoming more and more interconnected with the introduction of ICT technologies and thus isolated events may lead to large-scale or even continent wide disruptions. Interdependencies between critical systems are a key factor that needs to be considered in the framework of their analysis and simulation with the objective to improve their resilience. This is not simply an EU approach but also in the US, the National Infrastructure Simulation and Analysis Centre (NISAC) has developed a number of tools for the analysis of critical infrastructure systems, supply chains, etc. which obviously are tailored to the US reality. NIST is also developing capabilities for community resilience assessment and enhancement.
In Europe, most tools are developed responding to national efforts and focus on the specific issues that need to be addressed at national scale. Obviously this approach shows its limitations in case large-scale infrastructures that expand across borders and jurisdictions need to be assessed. Data sharing concerns are a major issue in the field of critical infrastructures analysis and this is a factor that somehow hinders the development of shared tools and methodologies for the analysis and simulation. Collaboration among CI stakeholders is indeed an open issue in the framework of CI analysis and simulation. In order to foster collaborative analysis, it is important to make sure that all stakeholders agree on a common terminology and to provide tools that enable collaboration while ensuring data security and privacy through the whole analysis cycle.
Critical infrastructure owners, operators and policy makers have agreed on several occasions the importance of developing tools and methodologies for modelling and simulation. However, more efforts are required in order to agree on common approaches and data models. GRRASP has been conceptualized to respond to this need.