“Companies are the number one target of new threats to critical infrastructures”
We interviewed José Luis Pérez Pajuelo (Madrid, 1978), director of the National Center for the Protection of Critical Infrastructure (CNPIC), about the challenges to security that these vital systems and installations are facing.
CNPIC is a body created in 2007 to adapt the security systems of the country’s key sectors to the post-9/11 and 3/11 world. Since then, Spain and CNPIC have become “international benchmarks” in the field, states the Center’s director, who recently advised authorities in Latin American countries and several others, such as Lebanon.
Nowadays, risks are increasingly emerging from the digital realm, claims Pérez Pajuelo, who is also a Major in the Civil Guard, and who gave a presentation at MAPFRE’s 28th International Global Risks Seminar, organized by the large risks unit. Public-private collaboration and information sharing between organizations like CNPIC and businesses are key, given that many critical infrastructures are managed by private companies.
Spanish law provides for 12 critical sectors, which are: administration, food, water, energy, space, the nuclear industry, the chemical industry, research installations, health, the financial and tax system, information and communications technology (ICT), and transport; and the critical infrastructures that enable them to function. In this interview we take a closer look at the main challenges to security.
What are critical infrastructures?
The most important aspect of infrastructure is the service it provides, and these types of infrastructure provide services that are considered essential. First, when infrastructure provides an essential service, it is considered strategic. Second, if its destruction or disablement would have a very serious impact, it means that it is considered critical infrastructure. CNPIC’s main objective is to promote and coordinate the mechanisms that are needed to guarantee the security of this type of infrastructure.
How have threats associated with infrastructure changed due to digitalization?
They’ve changed radically. New and evolving ICTs (information and communications technology) that have been introduced have led to new threats and vulnerabilities, which need to be handled in risk analyses so that they can be counteracted. What ICT advancements have done is increase the number of angles that critical infrastructure can be attacked from.
Do we suffer a lot of attacks that we’re not even aware of?
At CNPIC, we’re normally aware of all types of attack, but citizens obviously aren’t. There are many security issues that aren’t public knowledge and aren’t talked about because their impact is minimal or nonexistent, so there are definitely a large number of risks or attacks that materialize or almost materialize that citizens don’t know about.
During your presentation you mentioned that we once again find ourselves living in a VUCA world (volatility, uncertainty, complexity, and ambiguity), a term that was discussed at the end of the Cold War. Do you think there are parallels between that era and our own? Are we in that type of situation?
My opinion is that yes, we are. Since everything is advancing so quickly, we’re living in a situation where new and uncertain scenarios are emerging, because we don’t really know what these scenarios will look like tomorrow, or what situations we’ll find ourselves in. I think we can definitely have discussions about VUCA environments today, just like people did during the Cold War era.
Are companies also the aim of attacks on critical infrastructures? What role do they play in security?
Companies are definitely the main targets, especially those that provide essential services. In the end, the nature and concept of these new threats have changed. The term critical infrastructure was introduced precisely because the targets of these threats went from being very selective, and normally personal, to more strategic, focusing on the essential services provided by these companies. So, by attacking these companies and disabling their systems and infrastructures, you can trigger a much more chaotic situation than you would with a terrorist attack or just by attacking one person. Companies are the number one target of these new threats and trends.