Good Governance for Critical Infrastructure Resilience Good Governance for Critical Resilience Infrastructure
Total Page:16
File Type:pdf, Size:1020Kb
OECD Reviews of OECD Reviews of Risk Management Policies Risk Management Policies Good Governance for Critical Infrastructure Resilience Good Governance for Governance Good Critical Infrastructure Resilience Critical OECD Reviews of Risk Management Policies Good Governance for Critical Infrastructure Resilience This work is published under the responsibility of the Secretary-General of the OECD. The opinions expressed and arguments employed herein do not necessarily reflect the official views of OECD member countries. This document, as well as any data and any map included herein, are without prejudice to the status of or sovereignty over any territory, to the delimitation of international frontiers and boundaries and to the name of any territory, city or area. Please cite this publication as: OECD (2019), Good Governance for Critical Infrastructure Resilience, OECD Reviews of Risk Management Policies, OECD Publishing, Paris. https://doi.org/10.1787/02f0e5a0-en ISBN 978-92-64-53346-2 (print) ISBN 978-92-64-41050-3 (pdf) OECD Reviews of Risk Management Policies ISSN 1993-4092 (print) ISSN 1993-4106 (online) Revised version, July 2019 Details of revisions available at: http://www.oecd.org/about/publishing/Corrigendum_GoodGovernanceCriticalInfrastructureResilience.pdf The statistical data for Israel are supplied by and under the responsibility of the relevant Israeli authorities. The use of such data by the OECD is without prejudice to the status of the Golan Heights, East Jerusalem and Israeli settlements in the West Bank under the terms of international law. Photo credits: Cover © jamesteohart/Shutterstock.com Corrigenda to OECD publications may be found on line at: www.oecd.org/about/publishing/corrigenda.htm. © OECD 2019 You can copy, download or print OECD content for your own use, and you can include excerpts from OECD publications, databases and multimedia products in your own documents, presentations, blogs, websites and teaching materials, provided that suitable acknowledgement of OECD as source and copyright owner is given. All requests for public or commercial use and translation rights should be submitted to [email protected]. Requests for permission to photocopy portions of this material for public or commercial use shall be addressed directly to the Copyright Clearance Center (CCC) at [email protected] or the Centre français d’exploitation du droit de copie (CFC) at [email protected]. FOREWORD │ 3 Foreword Natural hazards and malicious attacks against critical infrastructure pose grave risks to societies and economies. Recent shock events – such as the Great East Japan Earthquake, Hurricane Harvey in the United States, the cyber-attacks on the Ukrainian electricity grid or the Genoa bridge collapse in Italy – show how disruptions to critical infrastructure and essential services can result in substantial economic damage as well as loss of life. The interconnectedness of supply chains and technological and financial systems in the global economy increase the exposure and vulnerability of critical infrastructure. When shocks and disruptions occur, their negative impacts can cut cross sectors and borders, and even resonate globally. At the same time, the global increase in infrastructure investment and the digital transformation of infrastructure services provide opportunities to rethink critical infrastructure resilience. This report takes stock of the changing contexts for boosting resilience across OECD countries, and discusses the policy options and governance models that favour upfront investment in resilience. Based on a cross-country survey, it analyses the progressive shift of critical infrastructure policies from asset protection to system resilience. Rather than focusing on asset protection alone, a system approach allows governments and infrastructure operators to address asset interdependencies and prioritise resilience measures for critical hubs and nodes whose failure would cause the most damage. The report also includes a case study on Finland’s electricity supply that illustrates how governments can build partnerships with critical infrastructure operators to share information and set objectives, strengthening both trust and resilience. Finally, a Policy Toolkit for Governance of Critical Infrastructure Resilience identifies important steps in designing an appropriate governance model for today’s critical infrastructure resilience challenges. This Toolkit complements the OECD Recommendation on the Governance of Critical Risks, contributes to international discussions in the G20 on quality infrastructure, and supports the implementation of the Sendai Framework for Disaster Risk Reduction. The Toolkit is designed to support governments’ efforts to renew critical infrastructure policies. Going forward, the OECD will work with governments to develop benchmark indicators and conduct case studies to compare progress and improve cross-country learning in this crucial area. GOOD GOVERNANCE FOR CRITICAL INFRASTRUCTURE RESILIENCE © OECD 2019 ACKNOWLEDGEMENTS │ 5 Acknowledgements This report was prepared under the auspices of the OECD High Level risk Forum by the OECD Public Governance Directorate, led by Marcos Bonturi. The report presents the results of the work of the OECD High-Level Risk Forum to strengthen the resilience of critical infrastructure through improved governance. This report was co-ordinated and written by Charles Baubion, under the guidance of Jack Radisch and Stéphane Jacobzone. Chapters 1 to 3 build on the Policy Evaluation Framework on the Governance of Critical Infrastructure Resilience, developed by Mary Kate Fisher and Catherine Gamper, as part of a project that the OECD jointly conducted with the Inter- American Development Bank. Ariadna Anisimov conducted the analysis of the OECD cross-country survey on critical infrastructure resilience and provided valuable research assistance throughout the project, especially for the case study on electricity transmission and distribution in Finland. Teresa Maria Deubelli and John Roche contributed to the project with their insights and feedbacks. Raquel Paraqueno prepared the report for publication. The team is very grateful for assistance provided by Elisabeth Huggard throughout the project. The Secretariat acknowledges contributions from the High-Level Risk Forum delegates who responded to the OECD Survey, and specifically from the following colleagues for their appreciated feedbacks and comments: Ryan Schwartz and Trent Abbott (Canada), Tiphaine Beaussant (France), Kathrin Stolzenburg (Germany), Georgios Giannopoulos and Maciej Kuszynski (European Commission), Christian Fjäder and Mikko Vähä-Sipilä (Finland), Daigo Ota (Japan), Piotr Szufnara (Poland) Stefan Brem (Switzerland), and Elizabeth Lozey and Susan Stevens (United States). Duane Verner (Argonne National Laboratory), Marie-Valentine Florin (International Risk Governance Council), Richard Smith-Bingham (Marsh and McLennan Companies), and Elisa Gastaldi (Siemens) provided complementary perspectives from research and the private sectors. Comments and feedback received from OECD colleagues Laurent Bernat, Lisa Danielson, Michael Mullan, and Leigh Wolfrom, as well as Nuclear Energy Agency colleague Olvido Guzman, helped integrate complementary perspectives in the analysis. The report benefited from discussions held at the Workshop on System-Thinking for Critical Infrastructure Resilience and Security, jointly organised by the OECD and the European Commission Joint Research Centre (JRC) in September 2018. Special thanks go to the speakers and experts involved for their valuable insights, and to the JRC for its support in organising this event. The financial support received from the Finland National Emergency Supply Agency (NESA) was instrumental for conducting the Finland case study and is gratefully acknowledge by the OECD, as is the contribution of the Inter-American Development Bank for the preliminary analysis. GOOD GOVERNANCE FOR CRITICAL INFRASTRUCTURE RESILIENCE © OECD 2019 ACRONYMS AND ABBREVIATIONS 7 │ Acronyms and abbreviations BBK Germany Federal Office for Civil Protection and Disaster Assistance BSI British Standards Institution CI Critical Infrastructure CIP Critical Infrastructure Protection CIWIN Critical Infrastructure Warning Information Network (European Union) CPNI Centre for the Protection of National Infrastructure (United Kingdom) CRISRRAM Critical Infrastructures and Systems Risk and Resilience Assessment Methodology DAFNI Data and Analytics Facility for National Infrastructure (United Kingdom) DC Direct Current DHS Department of Homeland Security (United States) DSO Distribution System Operator EPCIP European Programme for Critical Infrastructure Protection EU European Union FEMA Federal Emergency Management Agency (United States) FERC Federal Energy Regulatory Commission (United States) GDP Growth Domestic Product GPS Global Positioning System ICT Information and Communication Technologies ISAC Information Sharing and Analysis Center ISO International Standards Organisation IT Information Technology JRC Joint Research Centre (European Commission) NARUC National Association of Regulatory Utility Commissioners (United States) NATS National Air Traffic Control Service NCIPP National Critical Infrastructure Protection Programme (Poland) NCTV National Coordinator for Security and Counterterrorism (the Netherlands) NESA National Emergency Supply Agency (Finland) NESO National Emergency Supply Organisation (Finland) GOOD GOVERNANCE FOR CRITICAL INFRASTRUCTURE RESILIENCE