Monday 21 October 2013

Spanish Critical Infrastructure Protection Law and Business Continuity

By Daniel Blanco Real


The Spanish Law 8/2011, or Ley de Protección de Infraestructuras Críticas (LPIC), is about ensuring the essential services that support specific infrastructures considered critical, mainly because of two properties:
  1. because it is required and there are no alternative solutions that could replace it, and/or
  2. because its disruption or destruction would have a very significant impact on essential services.
But what is considered an essential service in the law? The LPIC identifies essential services as those required to maintain basic social functions (health, security, social welfare and economics, public administration, etc.), although it is difficult to identify them based on the definition above.

Looking at activities and definitions from other countries, we can turn to the information published by the Swedish Civil Contingencies Agency (MSB in Swedish), which in 2007 established a set of criteria to identify critical societal functions, very close to what the LPIC describes as essential services.

| Sector | Functions |
|---|---|
| Energy supply | Production and distribution of electricity, district heating, fossil fuels and vehicle fuels. |
| Information and communication | Telephone services, Internet, radio and TV broadcasts, postal services, production and distribution of newspapers, radio and TV. |
| Financial services | Money transmission, cash access, private insurance and securities trading. |
| Social insurances | Payment of sickness and unemployment benefits and the national pension system. |
| Public health and medical services, and special social services | Emergency hospitals, primary care, psychiatry, pharmaceutical supplies, infectious disease control, and special social services for children, disabled persons and the elderly. |
| Protection, security and safety | Rescue services, police, courts, correctional institutions and SOS Alarm, military, coast guard, and customs, border and immigration control. |
| Transport | Road, rail, sea and air transport, and transport infrastructure management. |
| Municipal services | Drinking water, sewage treatment, street cleaning, public meeting places, refuse collection and roads. |
| Food | Agriculture and the production, distribution and control of food. |
| Trade and industry | Retail, IT operations and service, construction and contract work, guard and security services and the manufacturing industry. |
| Public administration / governance / support functions / service sector | National management, regional management and local management, diplomatic and consular services, inspection and permit services, expert and analytical services, detection and laboratory services, collection and provision of population data, meteorological services, training services and burial services. |

It can be seen in the original document.

To clarify what is considered an essential service, the document offers some questions to be answered by those who think they may be critical operators, grouped into two blocks: preventive measures and response measures.

From a preventive measures perspective:
  • What is the potential scope of a shutdown?
  • How many people would be affected?
  • What levels of society would be affected by a shutdown?
  • To what degree would people’s lives and health be affected?
  • What financial, environmental, societal and cultural values could be lost?
  • How would public trust be affected?
  • How long would it take to repair the damage?
From a response measures perspective:
  • Is the function essential for leading and coordinating society’s response?
  • Is the function essential for providing the public with enough information about the situation?
  • Is the function essential for responding operatively to the emergency?
  • Is the function essential for minimising the consequences?
  • Is the function essential for restoring functions?
Once essential services are clearly defined, all organizations (obviously critical operators, but also those that are not) must focus on:
  • How the products and services they deliver can affect those essential services (this is clear for critical operators).
  • How a lack of these essential services could affect the products and services they deliver.
In conclusion, Business Continuity in an organization must not only focus on how to recover the delivery of products and services, but also take into account how the lack of these products and services affects society and the essential services. Without the support of those essential services, organizations will probably not be able to recover their business, and this is something that many organizations do not take into account in their plans and business continuity management systems.
