Italian Critical Infrastructure Secretariat’s guidance for the continuity of critical infrastructures during the COVID-19 pandemic.
Alessandro Lazari – Director for the Mediterranean Region, IACIPP – Manager, KPMG Advisory SpA
Italy is one of the countries most severely hit by the spread of COVID-19. This situation has triggered an unprecedented response by all governmental offices and public authorities, with the aim of reducing the diffusion of the virus, guaranteeing public health and supporting the continuity of critical infrastructures. From the 11th of March 2020 onwards, the Italian Government has called for a lock-down, which began in the Lombardy region and was later progressively extended to the entire territory of the country. At the time of writing, Italy is still in a complete lock-down, due to the need to contain the spread of the virus and reduce the pressure on the healthcare system, which is overwhelmed by the large number of affected citizens who require intensive care or similar treatments.
In this context, critical infrastructures and essential services play an important role in keeping the country up and running. During these challenging times their role is even more important, since the country, more than ever, needs stable services. With all forces focused on the containment of the virus, it is a basic requirement that critical infrastructures ensure stability, since any failure or accident, and its potential consequences across the interdependency chain, can lead to further complications. The loss of service needs to be avoided at all costs, all the more so considering that cyber-attacks have improved, as attackers are willing to exploit the current situation and citizens’ feelings of vulnerability and uncertainty (a circumstance that makes them an easy target for social engineering and other attack techniques).
Even though “prevention” is not a new item on the agenda, at both national and European level, the pandemic scenario has found modern society partially unprepared, and lessons have mainly been drawn from the experiences of those countries that were first in line in the fight against COVID-19. At the same time, it is necessary to point out that the pandemic threat was not among those properly addressed by critical infrastructures’ business continuity plans, since pandemics were certainly recognized as high-impact events, but with a low probability of occurrence. This perception of the phenomenon has led to light or nonexistent prevention mechanisms, which in turn have resulted in a lack of measures or alternative plans in the following areas:
- HR continuity and resilience (e.g. no people scenarios – segregation of personnel);
- availability of protection supplies, such as masks and suits for employees engaged in critical tasks (e.g. oversight of control rooms) or on field duties (e.g. maintenance);
- difficulties in the execution of planned/extraordinary maintenance to machinery and plants, due to the two points above and also in case of reliance on foreign suppliers which have encountered limitations in the movement of qualified personnel and/or in the shipment of goods, because of the lock-downs and the consequent shortage of certain supplies.
Infrastructure operators in the electricity and gas transmission subsectors, including the bigger multi-utilities, have more structured and proactive approaches to prevention and preparedness (since they are even more vital in such extraordinary conditions). They have had to stress their adaptation capabilities in order to face the challenges posed by the pandemic to the continuity of their business. Their efforts have led to a preliminary exploration of potential ways to tackle the most common issues, since they often had a solid base in their business continuity plans that could be partially repurposed to address the new challenges posed by COVID-19.
Given the need to provide very direct and promptly implementable measures to all critical infrastructures and to the SMEs that belong to their supply chain constellation, the Critical Infrastructure Secretariat of the Presidency of the Council of Ministers (1) released, on the 26th of March 2020, a set of guiding principles (2) to ensure the continuity of critical services of public interest. The released guidance provides recommendations to the operators of critical infrastructures for the “containment and fight against the spreading of the virus, while ensuring the continuity of essential services, the infrastructures’ operation and the safety of the workforce”. The guidance can be summarized as follows:
- operators are invited to sanitize the premises, tools and workstations that are used daily for the business and operations of CIs, and this operation should be repeated at every turnover;
- anti-contagion equipment to be distributed to employees that cannot operate in smart working;
- for all the personnel that can operate in remote working, the adoption of all of the measures for ensuring a good level of cybersecurity, including the provision of a specific guidance for smart workers;
- the review of the operational plans, so to minimize the physical presence of employees, including the execution of maintenance which should be limited to tasks that cannot be postponed;
- for those employees whose duties require physical presence on the premises, organize the teams and their turnover so that they include the minimum number of people, who have to operate wearing all safety equipment. On this point, the guidance suggests that teams always rely on the same pool of employees, in order to reduce the risk of cross-contagion.
Apart from these horizontal recommendations, the guidance also provides two specific measures to be applied to “control rooms” and “essential maintenance”. On these matters, the guidance recalls the need to apply measures that are as close as possible to “zero-tolerance”, so that personnel operating in control rooms are not exposed to the risk of contagion. For this reason, the guidance suggests the adoption of voluntary segregation, which entails that one team is hosted in temporary accommodation for at least 14 days, with a complete limitation of all social contacts for that period, while the second team observes the same measures from home. Where voluntary segregation is not a viable option, the guidance suggests the use of different premises (e.g. the disaster recovery sites) in order to avoid social contacts among the teams in charge of the control rooms, together with the enforcement of the previously described horizontal measures regarding repeated sanitization and the adoption of safety equipment.
With regard to the “necessary maintenance for ensuring the continuous operation of essential services”, the guidance again stresses the need to adopt smart working and, in all cases where this is not feasible, to provide technicians engaged in the field with the necessary safety equipment and allow them to reach the sites where the maintenance has to be performed directly from their homes, avoiding unneeded physical presence in headquarters or operation premises. Finally, the guidance draws attention to the need to prepare lists of active and quiescent personnel, including personnel available at external contractors, who have cross-capabilities (e.g. control room operation and maintenance), so that they can be called into service to substitute qualified staff who are temporarily unavailable for any reason.
For the efficient handling of the COVID-19 crisis, the Secretariat has provided operators with an institutional email address in order to receive updates “from the field” as well as prompt reports of disruptions or difficulties that operators may face in these challenging conditions, so that all kinds of support can be activated. As said, even though business continuity methodologies and plans are usually well known and implemented in critical infrastructures, the release of this guidance, which has been released in a similar format by other governments worldwide, provides important support to operators that have not properly considered the pandemic scenario, so as to trigger their prompt, efficient and harmonized response.
In these very delicate circumstances, while the crisis is still ongoing, it is perhaps too early to draw comprehensive lessons learned on the evolution of the COVID-19 phenomenon. At a later stage, when the “wartime” is over, further lessons will be drawn, not only in the dimension of pandemic scenarios in the context of critical infrastructures, but also in the domain of hybrid threats. In addition to the challenges posed by COVID-19, in fact, many countries have experienced all sorts of ever-growing cyber-attacks, together with an increasing spread of fake news, which have led to disruptions and contributed to social unrest and unjustified panic. These last points confirm the need to keep addressing the matter of CIPR with a multidisciplinary and harmonized approach, a circumstance that in the EU will have an impact on the ongoing negotiations on the next phase of the European Programme for Critical Infrastructure Protection (EPCIP), including the new European Critical Infrastructure Directive that should be promulgated as part of the programme.
(2) Download link