
Critical Infrastructures: Requirements and Compliance with the PIC Law


The journey in the management of Critical Infrastructures begins with an email such as: “Hello, you have been designated by the CNPIC (National Center for the Protection of Critical Infrastructure) as a critical operator in X centers”. If this sounds familiar, this article may be helpful.

What is the CNPIC?

The CNPIC (National Center for the Protection of Critical Infrastructure) is the body under the Ministry of the Interior responsible for promoting, coordinating, and supervising all policies and activities related to the protection of Spanish critical infrastructures.

These activities are carried out with the support of the Computer Emergency Response Team (CERT/CSIRT), composed of experts in cyber security-related crimes whose mission is to advise on the resolution of cyber security incidents, and of the Cyber Coordination Office (OCC), the technical body for coordination in cyber security matters that acts as an intermediary between the national reference CSIRTs and the Secretary of State for Security. The OCC provides an early warning channel against cyber attacks, enables information exchange between the different public and private actors, and offers response mechanisms for cyber incidents.

What is a Critical Infrastructure?

A Critical Infrastructure is a physical or virtual installation whose operation is essential to national interests and whose partial or total interruption would have serious consequences for the normal development of citizens' basic, day-to-day activities.

In this sense, a Critical Infrastructure can encompass different services within the 12 strategic sectors that ensure the provision of services in Spain, such as energy, finance and information technology, among others.

How Do I Comply with the CNPIC Requirements? What Obligations Does it Imply?

If you have been designated as a critical operator by the CNPIC, you must adapt to the requirements established in Law 8/2011, which establishes measures for the protection of critical infrastructures, and Royal Decree 704/2011, which enables the execution and development of the aforementioned Law.

The objective of the PIC (Protection of Critical Infrastructure) legislation is to define a structure and comprehensive security strategy that allows coordinating common actions in the different bodies of the Public Administrations, in addition to regulating the requirements that operators designated as critical must meet.

Therefore, as a critical operator, you are obliged to develop and document the comprehensive security strategy applied in your organization or institution (public or private): the Security Policies in force, the security risk analysis performed, and the organizational, procedural and technical security measures defined, among other points. But how should these requirements be addressed?

Operator Security Plan and Specific Protection Plan

Compliance with Law 8/2011 and R.D. 704/2011 requires documenting what are known as the Operator Security Plan and the Specific Protection Plan, so we are going to detail the implications of each of them.

Operator Security Plan (PSO)

The Operator Security Plan, better known as the PSO, is a strategic document that compiles the general policies of the critical operator to guarantee the security of all the facilities or systems it owns or manages. Among the points it must contain, we can highlight the following:

  • Introduction: Identification of the measures carried out by the operator for the management of documentation related to the protection of critical infrastructures, ranging from the appointment of a person responsible for document approval, identification of the storage and distribution units of information related to PIC, as well as the security measures (logical and physical) applied for its safeguard.
  • Security Policy and Governance Framework: Requires establishing the security policy applied in the operator; representing and documenting the governing bodies from the point of view of comprehensive security, as well as defining a Security and Liaison Officer, Security Delegates, or the security training actions planned and executed in the operator.
  • List of Essential Services Provided by the Operator: Requires documenting in a general way the essential services that the operator provides to citizens, documenting the impacts that the interruption of services would cause (e.g., affected population) and the relationships between the operator and other critical operators and/or critical service providers related to comprehensive security.
  • Risk Analysis Methodology: The PSO must define the risk analysis methodology applied in the operator to guarantee the continuity of the services provided. This methodology must include the risk assessment criteria and mechanisms to cover threats not assumed by the critical operator.
  • Criteria for Applying Comprehensive Security Measures: Identify, in general terms, the organizational or management, operational or procedural, and protection or technical measures applied in the operator to safeguard critical services.
  • Complementary Documentation: Implies listing the physical, logical, personal, environmental, or occupational risk safety regulations that directly affect the critical operator.

It should be noted that, within six months of being notified of the resolution designating it as a critical operator, the operator must prepare an Operator Security Plan and submit it to the CNPIC, which will evaluate it and report on its approval or modification, if applicable, by the Secretary of State for Security or the body to which it delegates.

Specific Protection Plan (PPE)

The Specific Protection Plans are operational documents where the specific security measures adopted by the operator and those to be adopted to guarantee the comprehensive security (physical and logical) of the infrastructures designated as critical must be defined.

Unlike the PSO, which is a single document covering the operator's general security measures, the PPEs are tied directly to the Critical Infrastructures themselves: if 3 of an operator's infrastructures have been designated as critical, it must prepare 3 independent PPEs, one for each operating site.

In this sense, the Specific Protection Plans must include all those security measures applied to each of the centers, being necessary to cover the following sections:

  • Introduction: Identification of the measures carried out by the operator for the management of documentation related to the protection of critical infrastructures and more specifically with the PPE.
  • Organizational aspects: Requires detailing the organization charts that represent the security governance structure at each designated site, and recording the identifying data of the Security and Liaison Officer, of the center's Security Delegates, and of the substitutes for both in case of need.
  • Description of the Critical Infrastructure: Implies a detailed description of the critical infrastructure, from the location (address, geographical coordinates), the functions that said headquarters provides to citizens and in particular all the elements that are necessary for the provision of said services, highlighting hardware, software, communications, critical suppliers, among others.
  • Results of the Risk Analysis: Document in detail the organizational or management, operational or procedural, and protection or technical measures applied in the center, as well as the results of the Risk Analysis carried out, from the representation of the evaluated elements and the values obtained to the conclusions reached by the critical operator.
  • Action Plan: Depending on the results of the Risk Analysis, it is required to document the improvement actions derived from it to reduce the risks not assumed by the organization, in addition to establishing additional strategic security improvement actions provided by the critical operator in the analyzed center.
  • Complementary Documentation: Identification of the physical security regulations, in addition to other elements necessary for the operability of the center, such as the Continuity Plan, Self-Protection Plans, etc.

It should be noted that, within four months from the approval of the Operator Security Plan, each critical operator must have prepared a Specific Protection Plan for each of its critical infrastructures designated by the CNPIC and submit it to the Secretary of State for Security for evaluation and approval.

How Can I Address these Requirements?

Adapting to the requirements of Law 8/2011 requires collecting the different comprehensive security measures (physical and logical) in the Operator Security Plan and the different Specific Protection Plans.

At GlobalSuite Solutions we offer the experience gained in numerous security consulting and auditing engagements, and specifically in supporting public and private organizations in the preparation and approval of these documents, thanks to a team of experts in the field and the support of our GlobalSuite® Software, which has a specific module for the Protection of Critical Infrastructures.

If you need support for compliance with the PIC Law, contact us and discover how we can collaborate with your organization to comply with the established requirements, protect your critical infrastructure and improve security in a comprehensive manner!