European infrastructures and their autonomy safeguarded against systemic risks

Security research related to infrastructure protection has been traditionally following a sectorial approach. With more and more infrastructure systems being interconnected, a stronger focus on the systemic dimension and complexity of attacks and disruptions by cyber or physical means needs to be applied. As such, not only interdependencies within one type of infrastructure (or closely related types) can be taken into account, but large-scale disruptions also with a view of the specific challenges of the cross-border dimension. Also, there is a need for a comprehensive strategy that takes into account different forms of interdependence (e.g. physical, geographic, cyber and logical).

In order to raise the awareness and preparedness for emerging risks, research should enhance the capabilities for foresight and risk management on a systemic level. As such, large-scale Vulnerability Assessments and risks management capabilities, as well as forecasting of emerging risks should be developed with a view of preparing for attacks or disruptions on the whole infrastructure of one or several EU Member States and Associated Countries. To allow for rapid and adequate response, simulations to prepare for systemic disruption of several key infrastructures are necessary. Since especially physical attacks on infrastructures in the EU are less frequent compared to other scenarios there is less empirical data available that can be used to improve protection. Furthermore, there is a lack of capabilities for testing protective equipment and training manuals. Security research can help to develop tools for operational testing in real-scenarios or simulated scenarios. Specific attention should be dedicated to Hybrid Threat scenarios, as defined by the European Centre of Excellence for Countering Hybrid Threats. The same is true for extreme natural events, which have the potential to disrupt several key infrastructures and whose subsequent effects are difficult to predict. Security research should in this regard support and complement obligations to better prevent and prepare for crises as set by the Union Civil Protection Mechanism.

Some essential sectors of the economy need uninterrupted access to the high-quality position and timing information provided for free by satellite navigation systems. Despite the fact that satellite navigation systems such as Galileo are made ever more robust to withstand risks and disruptions in terms of ground segments as well as space assets, there remain residual vulnerabilities that cannot be coped with when facing the emergence of new challenges. These critical sectors should therefore develop complementary positioning and/or timing solutions that are able to sustain a sudden disruption of GNSS service. This would make the vital functions of the society more resilient.

Infrastructure security research is in many cases transnational. While there has always been a strong European dimension in the conducted research, there has been less of a focus on cross-border scenarios with third-countries. Security research should therefore stimulate knowledge generation and cooperation with relevant third countries, which are vital for the functioning of European infrastructure. Examples could include energy, but also critical supplies, digital services or transport.

The means to attack infrastructure on a large scale have been rapidly enhanced by malevolent actors. Nevertheless, risks do not only emerge from intentional acts or disruptions, they can also grow over time based on other factors such as climate change, or lack of independence in critical technologies. Thus, better anticipation of systemic risks including forward-looking technological risk assessment and advanced screening of private interests related to ownership and operations (licensing), and FDI should be a key area of security research in the future. On a constant basis, information about the functioning and vulnerabilities of European infrastructures is unlawfully gathered for economic reasons, as well as with a view of preparing possible intentional disruptions. With the aim of safeguarding autonomy, more sophisticated tools against unlawful gathering of information on infrastructures need to be developed.

In this topic the integration of the gender dimension (sex and gender analysis) in research and innovation content is not a mandatory requirement.