This publication intends to provide a framework that encourages the formulation and implementation of appropriate policies and institutional management of cyber security related to NNCEI, based on a co-operative, integrated (all-hazard) and risk-based approach, and with an emphasis on achieving incident response preparedness, overall infrastructure resilience and energy reliability.
National and business infrastructure have always been viewed by adversaries as potential targets. In the ancient world, supply lines to cities and countries, and sometimes the stored supplies themselves, were subject to attack or military supply lines were assaulted to weaken an army. In the past, such attacks focused on supplies such as food and water or military targets, but industrialization has created a new target: the energy supply.
In today’s highly industrialized world, few things can function without energy. Life as we know it would no longer be possible if there was no energy industry or if a power outage occurred over a long period. Our potential enemies are also aware of this.
For this reason, countries and energy sectors must take responsibility for implementing measures to guarantee that energy, including electricity, is available at all times. The participating States of the Organisation for the Security and Co-operation in Europe (OSCE) are no exception. The OSCE is uniquely placed as a pan-European and trans-Atlantic body of highly industrialized and developed participating States with Partners for Co-operation from North Africa to Australia to address energy infrastructure security, particularly threats from terrorist attacks and those emanating from cyberspace.
This guide describes the significance of non-nuclear critical energy infrastructure (NNCEI) for countries and energy consumers and identifies threats to that infrastructure, focusing on cyber-related terrorist attacks. It is not intended to be a comprehensive threat analysis or to explain all protection measures in detail. Nor does it discuss whether and to what extent a particular country or operator of non-nuclear critical energy infrastructure is actually vulnerable to these threats, as this can only be determined on an individual basis. Rather, the guide will highlight methodological issues that need to be taken into account for the protection of non-nuclear critical energy infrastructure and offer suggestions for good practices to mitigate potential vulnerabilities.
Although the aim of the good practices presented here is to assist countries with identifying and countering threats to cyber-related terrorist attacks, these measures may be adapted, extended and/or applied to other threats and other sectors. This possibility is taken into account throughout the guide.
A detailed discussion of these threats and recommendations for greater preparation and resilience follows. Based on our findings, recommended good practices for all countries and companies operating non-nuclear critical energy infrastructure include:
The OSCE has a special role in this, as it can act as an intermediary between international organisations such as the European Union (EU) and North Atlantic Treaty Organisation (NATO), participating States, and the owners and operators of non-nuclear critical energy infrastructure.