
Resolution of 8 September 2015, of the Secretariat of State for Security, approving the new minimum contents of the Operator Security Plans and the Specific Protection Plans.

Original Language Title: Resolución de 8 de septiembre de 2015, de la Secretaría de Estado de Seguridad, por la que se aprueban los nuevos contenidos mínimos de los Planes de Seguridad del Operador y de los Planes de Protección Específicos.


TEXT

The Regulation on the Protection of Critical Infrastructures, approved by Royal Decree 704/2011 of 20 May 2011 implementing Law 8/2011 of 28 April 2011 laying down measures for the protection of critical infrastructures, provides in Articles 22.4 and 25.5 that the Secretary of State for Security shall establish, respectively, the minimum contents of the Operator Security Plans and of the Specific Protection Plans referred to in Article 14 of the Law.

These minimum contents were set out in the Resolution of the Secretariat of State for Security of 15 November 2011, which was amended by a further resolution, dated 29 November 2011, that noted and corrected certain errors in the first.

The constant evolution of the threat, the introduction of new regulations, strategies and planning tools, and the experience acquired over the last four years, in good part thanks to the contributions made by the critical operators themselves, make it advisable to update these minimum contents, so as to bring the level of planning and response into line with what is required for the effective protection of national infrastructures.

By virtue of the foregoing, and in accordance with Article 7(e) of Royal Decree 704/2011 of 20 May 2011 approving the Regulation on the Protection of Critical Infrastructures, it has been decided to approve, and to order the publication in the "Official State Gazette" of, the new minimum contents of the Operator Security Plans and of the Specific Protection Plans, which are inserted as Annex I and Annex II, respectively, to this resolution.

This resolution repeals the preceding one on this same matter, of the Secretariat of State for Security, of 15 November 2011, establishing the minimum contents of the Operator Security Plans and the Specific Protection Plans, as well as that of 29 November 2011, which amended it.

Madrid, 8 September 2015. The Secretary of State for Security, Francisco Martínez Vázquez.

ANNEX I

Minimum Contents Guide

Operator Security Plan (PSO)

Index

1. Introduction.

1.1 Legal Base.

1.2 Objective of this Document.

1.3 Purpose and Content of the PSO.

1.4 Review and Update Method.

1.5 Information and Documentation Protection and Management.

2. General Security Policy of the Operator and Governance Framework.

2.1 Critical Operator Security General Policy.

2.2 Security Governance Framework.

2.2.1 Organization of Security and Communication.

2.2.2 Training and Awareness.

2.2.3 Applied Management Model.

2.2.4 Communication.

3. List of Essential Services provided by the Critical Operator.

3.1 Identification of Essential Services.

3.2 Essential Services Inventory Maintenance.

3.3 Study of Essential Service Interruption Consequences.

3.4 Interdependencies.

4. Risk Analysis Methodology.

4.1 Description of the Analysis Methodology.

4.2 Asset Typologies that Support Essential Services.

4.3 Threat Identification and Evaluation.

4.4 Assessment and Risk Management.

5. Criteria for the implementation of comprehensive security measures.

6. Supplemental documentation.

6.1 Legislation, Good Practices and Regulations.

6.2 Coordination With Other Plans.

1. Introduction.

1.1 Legal basis.

The normal functioning of the essential services provided to the public rests on a series of publicly and privately managed infrastructures whose operation is indispensable and admits no alternative solutions: the so-called critical infrastructures. It is therefore necessary to design a uniform and comprehensive security policy within organisations, specifically targeted at the critical infrastructure field, in which the security subsystems to be put in place for their protection are defined, with the aim of preventing their destruction, disruption or disturbance and the resulting prejudice to the provision of essential services to the population.

This is precisely the spirit of Law 8/2011 of 28 April, establishing measures for the protection of critical infrastructures, which aims to establish strategies and organisational structures that enable the management and coordination of the actions of the various bodies of the public administrations in the field of critical infrastructure protection, once such infrastructures have been identified and designated, with the involvement of the management and/or operating companies and owners (critical operators) of such infrastructures, in order to optimise their degree of protection against deliberate physical and logical attacks that may affect the provision of essential services.

This Law is developed by Royal Decree 704/2011 of 20 May, which approves the Regulation on the protection of critical infrastructures.

Article 13 of the Law explicitly sets out a number of commitments for public and private critical operators, including the need to prepare an Operator Security Plan (hereinafter the PSO) and the Specific Protection Plans that may be determined (hereinafter, PPE).

For its part, Article 22.4 of Royal Decree 704/2011 makes the Secretariat of State for Security (the higher body responsible for the National Critical Infrastructure Protection System, in accordance with Article 6 of Law 8/2011) responsible, through the CNPIC, for establishing and making available to critical operators the minimum contents that the PSO must have, as well as the model on which its preparation is to be based.

1.2 Objective of this Document.

This document is intended to comply with the mandate of Royal Decree 704/2011 by establishing the minimum contents on which a critical operator must rely when designing and preparing its PSO. It also sets out some explanatory points on aspects of the reference regulations.

It is also intended to guide those operators that have been or will be designated as critical in the design and development of their respective Plan, so that they can define the content of their general policy and their organisational security framework, which will find its specific development in the PPE of each of their critical infrastructures.

1.3 Purpose and content of the PSO.

The PSO will define the operator's overall policy for ensuring the comprehensive security of the set of facilities or systems under its ownership or management.

The PSO, as a planning tool of the Critical Infrastructure Protection System, will contain, in addition to an index referencing the contents of the Plan, information on:

• General operator security policy and governance framework.

• List of essential services provided by the critical operator.

• Risk analysis methodology (physical and cybersecurity threats).

• Comprehensive Security Measures Application Criteria.

1.4 Review and Update Method.

Pursuant to Article 24 of Royal Decree 704/2011 of 20 May 2011, approving the Regulation on the protection of critical infrastructures, the obligations of the operator include, in addition to preparing the PSO and submitting it to the National Centre for the Protection of Critical Infrastructures (hereinafter CNPIC), its periodic review and update:

• Review: Biennial.

• Update: Whenever any modification occurs in the data included in the PSO. In that case, the PSO shall be updated once such modifications have been validated by the CNPIC, or under the conditions laid down in its specific sectoral legislation.

Regardless of the above, if any of the circumstances indicated in the PSO vary (modification of data, identification of new critical infrastructures, removal of critical infrastructures, cessation of the conditions for being considered a critical operator, etc.), the operator must forward the appropriate information to the CNPIC, through the channels enabled for that purpose (official HERMES/PoC system), within a maximum of ten days from the change in circumstances.

1.5 Protection and Management of information and documentation.

Information is a strategic asset for any organisation and is of a sensitive nature; the operator must therefore define its management and handling procedures, as well as the precise security standards needed to provide adequate and effective protection for that information, regardless of the format in which it is held.

In addition, operators designated as critical will have to handle the documents arising from the application of Law 8/2011 and its implementing regulation, Royal Decree 704/2011 of 20 May approving the Regulation for the protection of critical infrastructures, in accordance with the degree of classification derived from those rules.

By virtue of the Additional Provision of Law 8/2011, the classification of the PSO shall be expressly stated in the instrument of its approval. To this end, the handling of the PSO must be governed by the guidelines published by the National Authority for the Protection of Classified Information of the National Intelligence Centre regarding the management and custody of classified information with the Limited Distribution (Difusión Limitada) grade.

The reference orientations are collected in the following documents:

Documentary security.

OR-ASIP-04-01.04 - Guidelines for the Management of Classified Information with the Limited Distribution Grade.

Personnel Security.

OR-ASIP-04-02.02 - Personnel Security Instructions for Access to Classified Information.

Physical Security.

OR-ASIP-01-01.03 - Guidelines for the Protection Plan of a Restricted Access Zone.

OR-ASIP-01-02.03 - Guidelines for the Constitution of Restricted Access Zones.

Information and Communications Systems Security.

OR-ASIP-03-01.04 - Accreditation of Information and Communications Systems for the Management of Classified Information.

2. General Security Policy of the Operator and Governance Framework.

2.1 Critical Operator Security General Policy.

The goal of a Security Policy is to direct and support security management. In it, the Organisation's Management must clearly establish its lines of action and show its support for and commitment to security.

Therefore, in this section the operator must set out the content of its Security Policy in a homogeneous and comprehensive manner, specifically targeted at its critical infrastructures and serving as a reference framework for their protection, with the aim of preventing their disturbance or destruction.

The minimum aspects the Security Policy must cover are:

• Object: The goal the Organisation intends to achieve with the policy and its subsequent development and application.

• Scope of Application: A policy may be limited to certain fields or aspects or, on the contrary, be applicable to the entire Organisation. The operator shall state to which parts of the Organisation the Critical Infrastructure Protection Security Policy applies, without losing sight of the fact that it has a comprehensive character, covering both physical security and cybersecurity.

• Top Management Commitment: The operator must ensure that security is given the same importance as the other factors in the organisation's production or business.

Therefore, the Organisation's commitment to the Security Policy and its development must be reflected through its approval, sanction and support by the body (Board of Directors, Management Board, etc.) or person (President, CEO, etc.) that governs or manages the Organisation with sufficient capacity to implement it, as well as through their firm and explicit commitment to the protection of the essential services provided, a commitment that is to be reflected in the plan itself.

• Comprehensive Security Character: Physical security and cybersecurity are areas that need to be addressed in an interlinked way and from a holistic perspective of security. This results in a global vision of security, enabling the design of a single corporate strategy and optimising knowledge, resources and equipment. Therefore, the operator must emphasise the comprehensive nature of the security applied to its critical infrastructures, indicating in any case the procedure by which such comprehensive security is to be achieved: concrete aspects of the organisation, structures, procedures, etc. In this regard, a comprehensive response to the different threats in place requires the coordinated implementation of physical security and cybersecurity measures.

• Updating the General Operator Security Policy: As the security policy is a high-level document, it does not usually require significant changes over time. However, the operator shall ensure that it is kept up to date and reflects the changes required by changes in the assets to be protected, in the environment that may affect them (threats, vulnerabilities, impacts, safeguards), or in the applicable rules. In this section, the operator shall set out the process to be followed for updating and maintaining its Security Policy, including the periodicity and the responsibility for carrying out these actions.

2.2 Security Governance Framework.

2.2.1 Organization of Security and Communication.

The critical operator must designate a Security and Liaison Officer and a Security Delegate for each of the critical infrastructures identified, as well as substitutes for both, in accordance with the requirements established in Law 8/2011. It must therefore ensure that they sit at a sufficient level within its organisational structure to be able to ensure compliance with and implementation of the policy and of the requirements laid down for the protection of the critical infrastructures under their responsibility.

It must also ensure the physical presence of the Security Delegate at the infrastructure within a reasonable time, if necessary.

In this section, the critical operator must describe its security organisation (covering both Physical Security and Cybersecurity), indicating the figures provided for in the Law, as well as the hierarchical levels that correspond to them in its organisational structure.

This organisation chart should include the physical location, structure, hierarchy, governing body and interrelation of all areas of the organisation with responsibility in each of the areas of corporate security. In addition, it must ensure that the designated persons have sufficient capacity to carry out all the actions arising from the application of the Law and the Royal Decree. To this end, the critical operator must present:

• A general organization chart, where the corporate security structure is identified.

• A specific organisation chart of the security structure that integrates information about the various functions it performs within the organisation.

Where appropriate, the critical operator shall identify the existing safety and security committees or decision-making bodies, as well as the functions of each of them.

The procedures for the management and maintenance of security will also be set out, stating whether they are carried out in-house or subcontracted. In the latter case, it will be necessary to list the subcontracted company or companies, the security certifications they hold, the location from which the contracted services are delivered, and the services and commitments agreed between the two parties. Similarly, the methodology for verifying the contracted company's compliance with the security protocols implemented by the operator shall be defined.

In the field of cyber security, and in relation to the protection of critical infrastructures, the CERT for Security and Industry (hereinafter CERTSI) is responsible for the resolution of cyber incidents that may affect the delivery of the essential services managed by the

CERTSI, in application of the Framework Agreement concluded between the Secretariat of State for Security and the Secretariat of State for Telecommunications and for the Information Society, provides direct support to the CNPIC in all matters relating to the prevention and response to incidents that may affect the networks and systems of critical infrastructure operators and the availability of the services they provide.

For all of this, and upon signature of a confidentiality agreement between the parties (critical operator, CNPIC and CERTSI), that CERT may provide prevention, detection, early warning and incident response services in support of the departments responsible for this work within each organisation.

2.2.1.1 The Security and Liaison Officer.

Pursuant to Article 16.2 of the Law, the critical operator shall, within three months of its designation as such, appoint the organisation's Security and Liaison Officer, who shall be accredited by the Ministry of the Interior as Security Director, pursuant to Royal Decree 2364/1994 of 9 December approving the Private Security Regulation, or hold an equivalent qualification in accordance with its specific sectoral regulations. Such appointment shall be communicated to the Secretary of State for Security, through the CNPIC.

The critical operator must include in this section the name and contact details (address, telephone and email) of the person designated as Security and Liaison Officer, as well as of his/her replacement, under identical conditions, in the absence of the holder. His/her duties, pursuant to Article 34.2 of Royal Decree 704/2011, are as follows:

• Represent the critical operator before the Secretary of State for Security:

-In matters relating to the security of its infrastructures.

-Regarding the different plans specified in the Royal Decree.

• Channel the operational and information needs that arise between the critical operator and the CNPIC.

2.2.1.2 The Critical Infrastructure Security Delegate.

Pursuant to Article 17 of the Law, a critical operator with infrastructures designated as critical or European critical shall communicate to the Government Delegations or, where appropriate, to the competent body of the Autonomous Community with statutory powers for the protection of persons and property and the maintenance of public order, in whose territory they are located, the person designated as Security Delegate and his/her replacement. This communication shall also be made to the CNPIC within three months of the official notification that it is the owner or manager of at least one critical or European critical infrastructure.

The critical operator must include in this section the name and contact details (address, telephone and email) of the person designated as Security Delegate, as well as of his/her replacement, under identical conditions, complying with the time limits that run from its designation as a critical operator, and its communication to the relevant Authorities, as set out in Article 35.1 of Royal Decree 704/2011.

It is advisable for both the Security Delegate and his/her replacement to hold a qualification in the security field, in addition to belonging to the security department of the entity in question.

His/her duties, pursuant to Article 35.2 of Royal Decree 704/2011, are as follows:

• Be the operational liaison and the channel of information with the competent authorities in matters relating to the security of their infrastructures.

• Channel the operational and information needs that arise, at the infrastructure level, between the operator and the competent authorities.

2.2.2 Training and Awareness.

The critical operator must collaborate in the programmes or exercises that may derive from the Sectoral Strategic Plan, as well as, when the time comes, from the Operational Support Plans.

The critical operator will set out in this section the training plan envisaged for staff involved in the protection of critical infrastructures, indicating its duration, the objectives to be achieved, the assessment mechanisms contemplated for it and its update periods. The planning and delivery of the training will also be included.

If the operator has a General Training Plan, it will specify the part relating to the protection of critical infrastructures and include it at this point.

The critical operator shall set out in this section its participation in simulation exercises for security incidents (physical and cyber), and the timing of such exercises.

Staff directly involved in the protection of essential services and critical infrastructures must be trained to attain at least a basic level of knowledge:

• On comprehensive security (physical security and cybersecurity).

• On self-protection.

• On environmental safety.

• On organizational and communication skills.

• On their responsibilities and actions in the event of an incident, or in the event of threat level 4 or 5 of the Anti-Terrorist Prevention and Protection Plan and/or the National Plan for the Protection of Critical Infrastructures.

Staff not directly involved should be made aware through active training and operational policies in the organisation.

2.2.3 Applied Management Model.

Comprehensive security depends on a management process that must provide the organisational and technical control needed to determine, at all times, the level of exposure to threats and the level of protection and response that the organisation is able to provide for the protection and security of its essential services and critical infrastructures.

Therefore, in accordance with the established Security Policy, the critical operator shall set out within the PSO its chosen management model, which shall include at least:

• An implementation of security controls aligned with the priorities and needs assessed.

• Continuous assessment and monitoring of security, identifying the process and its periodicity.

• If the critical operator has designed a management system and/or an assessment of the security of its information technologies according to an international reference standard, this should be indicated, together with the certifications held by that system and the certifying body.

2.2.4 Communication.

The critical operator must explicitly set out in this section the procedures established for the communication and exchange of information regarding the protection of critical infrastructures, as follows:

Communication to the CNPIC:

• Of those incidents or situations that may put at risk or compromise the security of any of the infrastructures of which the operator is the manager and/or owner, in accordance with the PIC incident communication protocol developed by this Centre and made available to critical operators.

• Of those organisational, planning or structural changes that occur within the operator itself and that in some way affect the critical infrastructures under protection (for example, service portfolio adjustments, mergers, acquisitions or sales of assets, technical changes, modification of infrastructures, change of facilities, etc.).

Communication to CERTSI:

• Through the Office of Cyber Coordination of the Ministry of the Interior (OCC), of incidents that could compromise the cybersecurity of the critical operator's systems and networks and the availability of the services it provides. All this in accordance with the PIC incident communication protocol developed by the CNPIC and made available to critical operators.

3. List of Essential Services provided by the Critical Operator.

The PSO must include, by way of introduction, sufficient context information to describe the following aspects:

• General presentation of the critical operator and the main sector/sub-sector of its activity. In the case of business groups, the company that is the critical operator will be clearly identified by name and CIF (tax identification number).

• Organizational and corporate structure of the entire Group (in the case of business groups).

• Geographical presence at national and international level, with a summary of the Autonomous Communities where it provides its essential services, as well as the countries where it provides similar services.

• Main lines of activity, with the general typology of the services/products it offers.

3.1 Identification of Essential Services.

The PSO must identify those services essential to citizens that the operator provides through the set of its strategic infrastructures located in the national territory, in relation to the concept of essential service in Article 2(a) of the Law:

• Service necessary for the maintenance of basic social functions, health, safety, social and economic well-being of citizens.

• Effective functioning of State Institutions and Public Administrations.

3.2 Maintenance of essential services inventory.

Periodically, and at least every two years, the critical operator must review the list of essential services set out in its PSO, as a consequence of the normal evolution that any company experiences with respect to the services it offers.

Accordingly, this maintenance will need to incorporate the changes that occur:

• For endogenous causes (e.g., service portfolio adjustment, mergers, acquisitions or asset sales, technical changes, infrastructure modification, facility change, etc.).

• As a consequence of compliance with the periods set out in the Plan in accordance with point 1.4 of this guide.

3.3 Study of the consequences of the interruption of the essential service.

The critical operator must carry out a study of the consequences of the interruption or unavailability of the essential service provided by the company, caused by:

• Suspension or temporary interruption of the service provided.

• Partial or total destruction of the infrastructure that supports the service.

Additionally, it must clearly identify, for each of the above cases, the following information:

• Geographical extent and number of people who may be affected.

• Effect on dependent essential operators and services.

• Existence of essential service delivery alternatives or contingency mechanisms provided by the operator itself and level of degradation that they entail.

3.4 Interdependencies.

In relation to the concept of interdependencies set out in Article 2(j) of the Law, there may be effects and impacts on the essential services and critical infrastructures of the operator itself and/or of other operators, both within the same sector and in other sectors. These interdependencies shall in any case be considered in the risk analyses carried out by operators within the overall framework of their organisation.

The critical operator must refer to the interdependencies that it identifies, explaining in general terms the reason for these dependencies:

• Between its own facilities or services.

• With operators in the same sector.

• With operators from different sectors.

• With operators from other countries, from the same sector or not.

• With its service providers within the supply chain.

• With contracted ICT service providers, such as telecommunications provider(s), Data Processing Centres, security services (Security Operations Centre, private CERT, etc.) and any other it considers relevant, specifying for each of them the name of the provider, the contracted services, the service level agreements (SLAs) and the provider's compliance with the operator's general security policy.

4. Risk Analysis Methodology.

By virtue of Article 22.3 of Royal Decree 704/2011, the PSO will reflect the risk analysis methodology or methodologies used by the critical operator. Such methodologies shall be internationally recognised, shall ensure the continuity of the services provided by the operator and shall address, in a comprehensive manner, both physical and logical threats against all of its critical assets. All this is without prejudice to the minimum measures that may be laid down for the Specific Protection Plans under Article 25.

4.1 Description of the analysis methodology.

A generic description shall be given of the methodology used by the Organisation to perform the risk analyses of the different Specific Protection Plans (PPE) that are to follow the designation of its critical infrastructures. At least the following information shall be provided:

• Essential stages.

• Calculation algorithms used.

• Method used to assess impacts.

• Metrics for measuring acceptable risk, residual risk, etc.

• In particular, the relationships between risk analyses performed at different levels will be recorded: at corporate level, at service level and, most concretely, at the level of critical infrastructures.

4.2 Asset Typologies that support essential services.

Assets are the resources the Organisation requires to function properly and to achieve the objectives set by its Management.

On the basis of the services identified in section 3.1 above, this section will set out, for each essential service, the types of assets that support it, distinguishing those that are critical from those that are not.

The asset typologies to be considered will be, at least:

• The facilities required for the delivery of the essential service.

• The computer systems required to support essential services (hardware and software).

• The communications networks required for the delivery of the essential service.

• The people who use or operate all of the above elements.

The purpose of this section is the generic identification of the typologies of assets associated with the essential services provided by the operator, on which the risk analysis carried out by the operator will be focused. The level of detail will be that needed to understand the functioning of the services, as well as the interrelations between assets and services.

Assets will not necessarily be specific physical spaces; they may also be distributed systems, such as a data network.

4.3 Threat identification and assessment.

Within the framework of the rules for the protection of critical infrastructures, and in order to ensure adequate protection of the infrastructures that provide essential services, the critical operator must take as reference the threat tree provided by the CNPIC, with particular consideration of threats of terrorist or intentional origin. The operator must expressly indicate the threats it has considered in performing the risk analysis, which shall at least be:

• Intentional threats, of a physical and logical type, that may affect its infrastructures as a whole and that must be identified specifically in the respective PPE, where applicable.

• Threats arising from interdependencies, which can directly affect essential services, whether deliberate or not.

4.4 Assessment and Risk Management.

The PSO will record the risk management strategy implemented by the operator as regards:

• Criteria used for the assessment of risk classification categories.

• Strategy selection methodology (reduction, elimination, transfer, etc.).

• Time limits for the implementation of measures, where a risk minimisation strategy is chosen, indicating, where applicable, the mechanisms for prioritising actions.

• Treatment given to threats of deliberate attacks and, in particular, to those of low probability but high impact, owing to the consequences of their destruction or of the interruption of the continuity of essential services.

• Periodic monitoring and updating mechanisms of risk levels.

5. Criteria for the implementation of comprehensive security measures.

Within the scope of comprehensive security, the operator will define in broad terms the criteria used in its organisation for the application and administration of security. In this sense, it will describe in a generic way the security measures implemented across the set of assets and resources on which essential services rely, which will be detailed in the respective PPE, in order to address the physical and logical threats identified in the risk analysis carried out on each of the typologies of its assets.

6. Supplemental documentation.

6.1 Legislation, good practices and regulations.

The operator will set out, with a brief and reasoned reference, all the applicable rules and the good practices that govern the proper functioning of the essential services provided by each and every one of its infrastructures.

The regulations to include will cover general and sectoral regulations, at national, regional, European and international levels, relating to:

• Physical Security.

• Cybersecurity.

• Security of Information.

• Personnel Security.

• Environmental Security.

• Self-protection and prevention of occupational hazards.

6.2 Coordination with Other Plans.

All plans drawn up by the operator relating to other aspects (business continuity, risk management, response, cybersecurity, self-protection, emergencies, etc.) that can be coordinated with the Operator Security Plan and with the respective Specific Protection Plans will be identified; these plans will be activated in the event that preventive measures fail and an incident occurs. In addition, the existing coordination with the National Plan for the Protection of Critical Infrastructures should be put on record.

ANNEX II

Minimum Content Guide

Specific Protection Plan (PPE)

Index

1. Introduction.

1.1 Legal Base.

1.2 Objective of this Document.

1.3 Purpose and Content of PPE.

1.4 Review and Update Method.

1.5 Information and Documentation Protection and Management.

2. Organizational Aspects.

2.1 Security Organization Chart.

2.2 Critical Infrastructure Security Delegates.

2.3 Coordination Mechanisms.

2.4 Mechanisms and Responsible Parties for Approval.

3. Description of the Critical Infrastructure.

3.1 General Data for Critical Infrastructure.

3.2 Critical Infrastructure Assets/Elements.

3.3 Interdependencies.

4. Results of Risk Analysis.

4.1 Threats Considered.

4.2 Existing Comprehensive Security Measures.

4.2.1 Organizational or Management.

4.2.2 Operational or Procedural.

4.2.3 Protection or Technical.

4.3 Risk Assessment.

5. Proposed Action Plan (per asset).

6. Supplemental documentation.

1. Introduction.

1.1 Legal basis.

According to Law 8/2011 of 28 April, establishing measures for the protection of critical infrastructures, the operator designated as critical, whether it belongs to the public sector or to the private sector, shall be an agent of the critical infrastructure protection system, with a number of responsibilities set out in Article 13.

In accordance with point 1 (d) of that Article, the operator shall draw up a Specific Protection Plan (hereinafter PPE) for each of the critical infrastructures it owns or operates.

Royal Decree 704/2011 of 20 May, approving the Regulation on the protection of critical infrastructures, which implements Law 8/2011, establishes, in Chapter IV of Title III on Planning Instruments, the aspects relating to the elaboration, purpose and content of such plans, in addition to their approval or modification, registration, classification and forms of revision and updating, as well as the authorities responsible for their implementation and monitoring, and their compatibility with other existing plans.

In this regard, and in accordance with Article 25.5 of that royal decree, it is assigned to the Secretariat of State for Security, through the National Center for the Protection of Critical Infrastructures (CNPIC), the responsibility for establishing the minimum contents of the PPE, as well as the model on which to base its structure and completeness, on the basis of the guidelines and criteria set out in the Operator Security Plan (hereinafter PSO).

In the PPE, the critical operator will apply the following aspects and criteria included in its PSO, insofar as they specifically affect the installation in question:

• Aspects of its general security policy.

• Development of the risk analysis methodology to ensure the continuity of the services provided by such operator through this critical infrastructure.

• Development of the criteria for implementing the different security measures that are implemented to address threats, both physical and those affecting cybersecurity, identified in relation to each of the typologies of existing assets in that infrastructure.

1.2 Objective of this document.

This document is intended to comply with the instructions issued by Royal Decree 704/2011, establishing the minimum contents on which the critical operator must rely when preparing its respective PPE for facilities classified as critical. In turn, some explanatory points are set out on aspects of Law 8/2011 and Royal Decree 704/2011.

1.3 Purpose and content of PPE.

The PPEs are the operational documents that define the concrete measures to be implemented by critical operators to ensure the comprehensive security (physical security and cybersecurity) of their critical infrastructures.

In addition to an index referenced to the contents of the Plan, the PPE must contain at least the following specific information about the infrastructure to be protected:

• Organization of security.

• Description of the infrastructure.

• Result of risk analysis:

Comprehensive security measures (both existing and necessary to implement) permanent, temporary and gradual for the different types of assets to be protected and according to the different levels of threat declared at national level in accordance with the provisions of the Anti-Terrorist Prevention and Protection Plan and the National Critical Infrastructure Protection Plan.

• Proposed action plan (for each asset evaluated in the risk analysis).

The PPE must be aligned with the guidelines set out in the operator's General Security Policy as reflected in the PSO. Likewise, the analysis of risks, vulnerabilities and threats that is carried out will follow the methodological guidelines described in the PSO.

1.4 Review and Update Method.

According to Article 27 of the Royal Decree establishing the Regulation on the protection of critical infrastructures, among the obligations of the critical operator, in addition to drawing up the PPE and submitting it to the CNPIC, is its periodic review and update:

• Review: Biennial, to be approved by the Government Delegations in the Autonomous Communities and in the Cities with a Statute of Autonomy or, where appropriate, by the competent authority of those Autonomous Communities with statutory powers for the protection of persons and property and for the maintenance of public order, in addition to the CNPIC.

• Update: When a modification occurs in the data included within the PPE. In this case, the PPE shall be updated once such modifications have been validated by the CNPIC, or under the conditions laid down in its specific sectoral legislation.

Regardless of the above, in the event that any of the circumstances recorded in the PPE (security organisation, infrastructure description data, security measures, etc.) change, the operator must transmit the relevant information to the CNPIC, through the channels enabled for this purpose (official HERMES/PoC system), within a maximum of ten days from the change.

1.5 Information and Documentation Protection and Management.

The information associated with the PPE, and that relating to the risk analysis and to the security measures implemented on the critical infrastructures to which it refers, is of a sensitive nature. Therefore, in this section the operator must define its procedures for handling such information, as well as the precise security standards that provide adequate and effective protection of the information used, regardless of the format in which it is found.

In addition, operators designated as critical must handle the documents arising from the application of Law 8/2011 and its implementing rules in Royal Decree 704/2011 of 20 May, approving the Regulation for the protection of critical infrastructures, according to the classification degree resulting from those rules.

By virtue of the additional provision of Law 8/2011, the classification of the PPE will be expressly stated in the instrument approving it. To this end, the handling of the PPE must be governed by the guidelines published by the National Authority for the Protection of Classified Information of the National Intelligence Centre on the management and custody of classified information with the Limited Distribution degree.

The reference guidelines are collected in the following documents:

Documentary security.

• OR-ASIP-04-01.04 - Guidelines for the Management of Classified Information with Limited Distribution Degree.

Personnel security.

• OR-ASIP-04-02.02 - Personnel Security Instruction for Access to Classified Information.

Physical security.

• OR-ASIP-01-01.03 - Guidelines for the Protection Plan of a Restricted Access Zone.

• OR-ASIP-01-02.03 - Guidelines for the Constitution of Restricted Access Zones.

Information and Communications Systems Security.

• OR-ASIP-03-01.04 - Guidelines for the Accreditation of Information and Communications Systems for the Handling of Classified Information.

2. Organisational aspects.

2.1 Security Organization Chart.

The critical operator must graphically present the functional organisational structure that exists in the critical infrastructure, indicating all the actors involved in the critical infrastructure, their roles and responsibilities, and their position in the decision-making hierarchy. Similarly, the dependency of this structure on the one defined in the corresponding Operator Security Plan must be established.

2.2 Critical Infrastructure Security Delegates.

According to Article 17 of Law 8/2011, the critical operator with an infrastructure designated as critical or European critical will communicate to the Government Delegations in the Autonomous Communities and in the Cities with a Statute of Autonomy or, where appropriate, to the competent authority of the Autonomous Community with statutory powers recognised for the protection of persons and property and for the maintenance of public order where those infrastructures are located, the person appointed as Security Delegate and his or her replacement. This communication should also be made to the CNPIC within three months of the designation of an infrastructure as critical.

The critical operator must include in this section the name and contact details (address, telephone and email) of the person designated as Security Delegate, as well as of his or her replacement under identical conditions, the time limits established since their designation, and their communication to the relevant Authorities, as set out in Article 35.1 of Royal Decree 704/2011.

It is advisable for both the Security Delegate and his or her replacement to hold a security clearance, in addition to belonging to the security department of the entity in question.

Their duties, in accordance with Article 35.2 of Royal Decree 704/2011, are as follows:

• To be the operational liaison and the channel of information with the competent authorities regarding the security of their infrastructures.

• To channel the operational and informational needs that arise.

The critical operator must reflect in this section the courses or training that the Security Delegate has received, related to the skills necessary for the performance of the post, in accordance with the Training Plan provided for in the PSO.

2.3 Coordination Mechanisms.

The critical operator must reflect within its PPE the existing coordination mechanisms:

• Between the Security Delegate of the critical infrastructure and the Delegates of other critical infrastructures, and with the operator's own Security and Liaison Officer.

• With authorities and third parties (State Security Forces and Bodies/Autonomous and local Police Corps/CNPIC/others).

• With other existing operator plans (business continuity plans, evacuation plans, etc.).

• With the CERT of Security and Industry (CERTSI), identifying the operator's points of contact at the three required levels: institutional, management and technical, all of them for the management of incidents.

• With the critical suppliers specified in accordance with section 3.2.

2.4 Mechanisms and responsible parties for approval.

The operator must include in the PPE the following aspects relating to its approval and internal review:

• Responsible for approval.

• Procedure that is followed for approval.

• Date on which the last approval occurred.

• Responsible for its review and update.

• Aspects of review, if any.

• Records generated by the review procedure to verify that the PPE has been reviewed (meetings, minutes of the relevant Committee, studies and analyses carried out, updates of the risk analyses, etc.).

3. Description of the Critical Infrastructure.

3.1 General data for critical infrastructure.

The critical operator must include the following data and information about the infrastructure to protect:

• General data, relating to the name and type of installation, and its ownership and management.

• On physical location and structure (location, general plans, photographs, components, etc.).

• On the ICT systems that manage the critical infrastructure and their architecture.

• Strategic data:

Description of the essential service it provides and the geographic or population scope of the service.

Relationship with other infrastructures that may be required for the provision of that essential service.

Description of its functions and their relationship to the essential services supported.

3.2 Critical infrastructure assets/items.

All assets that support critical infrastructure will be included in this section, differentiating those that are vital from those that are not. In particular they will be detailed:

• Facilities or components of critical infrastructure that are necessary and therefore vital for the delivery of the essential service.

• The computer systems (hardware and software) used, specifying manufacturers, models, versions, etc.

• Communications networks that allow data to be exchanged and that are used by that critical infrastructure:

Network architecture, public IP ranges and domains.

Full and detailed network diagram(s), in graphic form and with a written description, recording the information exchange flows within the networks, as well as their electronic perimeters.

Description of network components (servers, terminals, hubs, switches, nodes, routers, firewalls, etc.) as well as their physical location.

• Persons or groups of persons who exploit or operate all of the above mentioned elements, indicating and detailing in particular whether there is any outsourced process to third parties.

• Critical vendors that are generally required for the operation of such critical infrastructure, and specifically:

Power supply.

Communications (telephony, Internet, etc.).

Information storage and processing (data processing centres, etc.).

Cybersecurity (private CERTs, SOCs, etc.).

• On the providers appointed by the operator, the different Service Level Agreements that are contracted and are considered essential will be specified.

Similarly, the existing interdependencies between the different assets that support or make up the critical infrastructure will be specified. The above information must be sufficient to clearly establish the scope of the infrastructure to be protected, with the same level of detail as set out in the PSO.

3.3 Interdependencies.

In relation to the concept of interdependencies set out in Article 2(j) of the Law, there may be effects and impacts affecting the essential services and critical infrastructures of the operator itself and/or of other operators, both within the same sector and in different sectors. These interdependencies should in any case be considered in the risk analysis carried out by operators for the critical infrastructure in question, within the framework of the PPE.

The critical operator must indicate in each of its PPEs the interdependencies it identifies, if any, briefly explaining their cause:

• With other critical infrastructure from the operator itself.

• With other strategic infrastructures of the operator itself that support the essential service.

• Between its own facilities or services.

• With its suppliers within the supply chain.

• With the ICT service providers contracted for that infrastructure, such as telecommunications provider(s), Data Processing Centres, security services (Security Operations Centre, private CERT, etc.) and any other relevant provider, specifying for each of them the name of the supplier, the contracted services, the service level agreements (SLAs) and the compliance of the service provided with the operator's general security policy.

• With the physical security service providers, indicating the services provided and the staff and means employed.

4. Results of Risk Analysis.

The critical operator should reflect in its PPE the results of the comprehensive risk analysis carried out on critical infrastructure. Such risk analysis shall follow the methodological guidelines set out in its PSO.

Below are the minimum contents for the risk analysis carried out by the operator within the PPE.

4.1 Threats considered.

Within the framework of the critical infrastructure protection regulations, and in order to ensure adequate protection of critical infrastructures, the critical operator must take as reference the threat tree provided by the CNPIC, taking into account in particular those threats of terrorist or intentional origin. The operator must expressly indicate the threats it has considered when carrying out the risk analysis, at least:

• Intentional threats, both physical and cybersecurity-related, that specifically affect any of the assets that support the critical infrastructure.

• Threats that may directly affect the infrastructure from identified interdependencies, whether they are deliberate or not.

• Those directed at the nearby environment or at interdependent elements, of both the physical and the logical perimeter, that might affect the infrastructure.

• Threats that affect information systems that support the operation of critical infrastructure and all those connected to such systems without the appropriate segmentation measures.

• Threats that affect systems and services that support comprehensive security.

4.2 Existing comprehensive security measures.

The operator must describe the comprehensive security measures (protection measures for installations, equipment, data, base and application software, personnel and documentation) currently implemented, which are the starting point for the risk analysis. It must distinguish between measures of a permanent nature and temporary and gradual measures.

Permanent measures are understood as the specific measures already adopted by the critical operator, as well as those it considers necessary to implement according to the result of the risk analysis carried out with respect to the risks, threats and consequences/impact on its assets, all aimed at ensuring the comprehensive security of its facility classified as critical on a continuous basis.

Temporary and gradual measures are understood as security measures of an extraordinary nature that reinforce the permanent ones and must be implemented in an ascending manner following the activation of one of the levels (Article 16.3 of RD 704/2011), in coordination with the Anti-Terrorist Prevention and Protection Plan, in particular for levels 4 and 5, as set out in the National Plan for the Protection of Critical Infrastructures, or as a result of communications that the competent authorities may make to the critical operator regarding a specific and temporary threat to the installation it manages.

Such measures should remain active for as long as the alarm level is in force, being gradually modified according to that level.

For better understanding, a layered approach is recommended for each level, using the scale of levels 1 to 5 (level 1: low risk; level 2: moderate risk; level 3: medium risk; level 4: high risk; level 5: very high risk), specifying for each level the prevention and protection measures, response time and recovery time.

In particular, the operator must describe the specific measures at its disposal relating to:

4.2.1 Organizational or Management.

The operator must indicate whether it has at least the following organizational or management measures, and the scope of each of them:

• Risk Analysis: Assessment and evaluation of threats, impacts and probabilities to obtain a level of risk.

• Defining roles and responsibilities: Assigning security responsibilities.

• Defined rule body: Security policies, procedures, and standards.

• Standards and/or regulations for application to critical infrastructure, as well as identification of their level of compliance.

• Certification, accreditation and security assessment obtained for critical infrastructure.

4.2.2 Operational or procedural.

The operator must indicate whether it has at least the following operational or procedural measures, and the scope of each of them.

• Procedures for the operation, management and maintenance of critical assets (lifecycle):

Identification.

Acquisition.

Cataloguing.

Commissioning (alta).

Update.

Decommissioning (baja).

• Training, awareness-raising and instruction procedures (both general and specific) for:

Employees/operators.

Security personnel.

Hired staff.

Etc.

• Contingency/recovery procedures, according to the contingency scenarios that have been defined. Backup methods and policies should be detailed in particular.

• Operating procedures for supervision, monitoring and evaluation/auditing of:

Infrastructure Physical Assets (Scope/Operation/Tracking).

Logical Assets or Operating Systems (Scope/Operation/Tracking).

• Security procedures.

• Procedures for access management:

User management: registration, deregistration and modifications, selection processes, internal rules, termination procedures.

Control of temporary access:

Of persons, vehicles, etc. to the general enclosure or to restricted enclosures.

Temporary user identifiers in systems (maintenance, etc.).

Control of inputs and outputs:

Parcel, correspondence, etc.

Media, equipment and information (information leak prevention measures and technologies).

• Operational procedures for security personnel (functions, schedules, envelopes, etc.).

• Management and response procedures for threats and incidents.

• Communication and information exchange procedures regarding the protection of critical infrastructures (through the incident protocol provided by the CNPIC to the effect):

With the CNPIC:

About incidents or situations that might put at risk or compromise the security of the infrastructure.

Over data variation on organization and security measures, infrastructure description data, etc.

With CERTSI:

Through the Office for Cyber Coordination of the Ministry of the Interior (OCC), on incidents that could compromise the cybersecurity of the infrastructure's systems and networks and the availability of the services it provides.

4.2.3 Protection or technical.

• Prevention and Detection Measures:

Measures and elements of physical and electronic security for perimeter protection and access control:

Fences, security zones, intrusion detectors, surveillance video cameras/CCTV, doors and locks, license plate readers, security arches, turnstiles, scanners, active cards, card readers, etc.

Cybersecurity measures and elements:

Firewalls, DMZs, IPSs, IDSs, network segmentation and isolation, encryption, VPNs, user access control elements and measures (tokens, biometric controls, etc.), secure installation and configuration of technical elements, event and log correlators, malware protection, etc.

Redundancy of systems (hardware and software).

Other.

• Coordination and Monitoring Measures:

Security Control Center (alarm control, image reception and viewing, etc.).

Surveillance teams (shifts, rounds, volume, etc.).

Communication systems.

Other.

4.3 Risk assessment.

This section describes the main conclusions obtained in the risk analysis. For each asset/threat pair, the assessment made shall be specified, on the basis of the criteria set out in the risk analysis methodology detailed in the PSO. Within this section, the following information must be included for each asset/threat pair:

• Who has assessed/approved the risk and the associated treatment strategy.

• Risk assessment criteria adopted.

• Date of the last analysis performed.

• Result/conclusion on the risk level accepted.

• Evolution over time of the asset/threat assessment.

In particular, the risks assumed in assets with high impact levels and low probability of occurrence, which must be validated by the CNPIC, should be detailed.

5. Proposed action plan (per asset).

Where relevant, and where complementary measures to the existing ones are planned for implementation in the next three years, the following should be described as an integral part of the PPE:

• A list of the complementary measures to be put in place (physical or cybersecurity).

• An explanation of the resulting operation for each type of protection (physical and logical).

The operator must specify the detailed set of measures to be applied to protect the asset as a consequence of the results obtained in the risk analysis. In particular, it must include the following information:

• Asset to which the measure applies.

• Proposed action, detailing its scope of application.

• Responsible for its implementation, deadlines, coordination and monitoring mechanisms, etc.

• Nature of the measure: permanent, temporary or gradual.

6. Supplemental documentation.

The critical operator will incorporate as an annex the general plan of the installation or system and of its information systems, as well as any other plans showing the location of the implemented security measures. In turn, it may attach any other information generated from the different sections of this document.

A brief reference will be made to all plans of different types (emergency, self-protection, cybersecurity, etc.) that affect the installation or system, in order to establish appropriate coordination between them, as well as to all those rules and good practices that govern the proper functioning of the essential service provided by that infrastructure and the reasons for which they apply to it.

The regulations to include will cover general and sectoral regulations, at national, regional, European and international levels, relating to:

• Physical Security.

• Cybersecurity.

• Security of Information.

• Personnel Security.

• Environmental Security.

• Self-protection and prevention of occupational hazards.