Resolution of 8 September 2015, of the Secretary of State for Security, approving the new minimum contents of the Operator Security Plans and the Specific Protection Plans.

Original Language Title: Resolución de 8 de septiembre de 2015, de la Secretaría de Estado de Seguridad, por la que se aprueban los nuevos contenidos mínimos de los Planes de Seguridad del Operador y de los Planes de Protección Específicos.

Read the untranslated law here: http://www.boe.es/buscar/doc.php?id=BOE-A-2015-10060

The Regulation for the protection of critical infrastructures, approved by Royal Decree 704/2011 of 20 May, which implements Law 8/2011 of 28 April establishing measures for the protection of critical infrastructures, provides in its articles 22.4 and 25.5 respectively that the Secretary of State for Security shall establish the minimum contents of the Operator Security Plans and of the Specific Protection Plans referred to in article 14 of the Law.

Those minimum contents were set out in the Resolution of the Secretary of State for Security of 15 November 2011, itself amended by another of 29 November 2011, which noted and corrected certain errors in the first.

The constant evolution of the threats, the adoption of new regulations, strategies and planning tools, and the experience acquired over the last four years, in good part thanks to the contributions made by the critical operators themselves, make it advisable to update those minimum contents, so as to adapt the level of planning and response to the demands required for the effective protection of national critical infrastructures.

By virtue of this, and in accordance with article 7(e) of Royal Decree 704/2011 of 20 May, approving the Regulation for the protection of critical infrastructures, I resolve to approve and order the publication in the "Official State Gazette" of the new minimum contents of the Operator Security Plans and of the Specific Protection Plans, which are inserted as Annex I and Annex II respectively of this resolution.

This resolution repeals the preceding one on the same subject from the Secretary of State for Security, of 15 November 2011, establishing the minimum contents of the Operator Security Plans and of the Specific Protection Plans, as well as that of 29 November 2011, which amended it.

Madrid, 8 September 2015. The Secretary of State for Security, Francisco Martínez Vázquez.

ANNEX I

Guide to the minimum contents of the Operator Security Plan (PSO)

Contents

1. Introduction.

1.1 Legal basis.

1.2 Purpose of this document.

1.3 Purpose and contents of the PSO.

1.4 Review and update method.

1.5 Protection and management of information and documentation.

2. General security policy of the operator and security governance framework.

2.1 General security policy of the critical operator.

2.2 Security governance framework.

2.2.1 Security organization and communication.

2.2.2 Training and awareness.

2.2.3 Management model applied.

2.2.4 Communication.

3. List of essential services provided by the critical operator.

3.1 Identification of essential services.

3.2 Maintenance of the inventory of essential services.

3.3 Study of the consequences of interruption of the essential service.

3.4 Interdependencies.

4. Risk analysis methodology.

4.1 Description of the analysis methodology.

4.2 Types of assets supporting essential services.

4.3 Identification and assessment of threats.

4.4 Risk assessment and management.

5. Criteria for the implementation of comprehensive security measures.

6. Complementary documentation.

6.1 Regulations, good practices and regulatory framework.

6.2 Coordination with other plans.

1. Introduction.

1.1 Legal basis.

The normal functioning of the essential services provided to citizens rests on a series of facilities, under both public and private management, whose operation is indispensable and admits no alternative solution: the so-called critical infrastructures. It is therefore necessary to design, within organizations, a uniform and comprehensive security policy specifically directed at the field of critical infrastructures, under which defined security subsystems will be implemented to protect them, in order to prevent their destruction, interruption or disturbance and the consequent damage to the provision of essential services to the population.

That is precisely the spirit of Law 8/2011 of 28 April, establishing measures for the protection of critical infrastructures, which seeks to set up strategies and organizational structures that allow the activities of the different bodies of the public administrations in the field of critical infrastructure protection to be directed and coordinated, following the identification and designation of those infrastructures, fostering the collaboration and involvement of the bodies and/or companies that own or manage them (critical operators), in order to optimize their level of protection against deliberate attacks, both physical and logical, that may affect the provision of essential services.

That Law is implemented by Royal Decree 704/2011 of 20 May, approving the Regulation for the protection of critical infrastructures.

Article 13 of the Law sets out a series of obligations for public and private critical operators, among which is the need to draw up an Operator Security Plan (hereinafter PSO) and such Specific Protection Plans as are determined (hereinafter PPE).

For its part, article 22.4 of Royal Decree 704/2011 entrusts the Secretary of State for Security (the senior body responsible for the system for the protection of national critical infrastructures, in accordance with article 6 of Law 8/2011), through the CNPIC, with establishing and making available to critical operators the minimum contents that the PSO must have, as well as the model on which its development is to be based.

1.2 Purpose of this document.

This document is intended to comply with the mandate of Royal Decree 704/2011 by establishing the minimum contents that a critical operator must cover when designing and developing its PSO. At the same time, it settles some points of interpretation on aspects contained in the reference regulations.

It is also intended to guide those operators that have been or will be designated as critical in the design and development of their Plan, so that they can define the content of their general policy and their organizational security framework, which will then find its specific development in the PPE of each of their critical infrastructures.

1.3 Purpose and contents of the PSO.

The PSO will define the operator's general policy for guaranteeing the comprehensive security of all the facilities or systems it owns or manages.

The PSO, as the planning instrument of the system for the protection of critical infrastructures, shall contain, in addition to a referenced index of the contents of the Plan, information about:

• General security policy of the operator and security governance framework.

• List of essential services provided by the critical operator.

• Risk analysis methodology (physical and cyber security threats).

• Criteria for the implementation of comprehensive security measures.

1.4 Review and update method.

According to article 24 of Royal Decree 704/2011 of 20 May, approving the Regulation for the protection of critical infrastructures, the obligations of the operator include, in addition to drawing up the PSO and submitting it to the National Centre for the Protection of Critical Infrastructures (hereinafter CNPIC), its periodic review and update:

• Review: every two years.

• Update: whenever any modification of the data included in the PSO occurs. In that case, the PSO will be updated once such changes have been validated by the CNPIC, or under the conditions established in the operator's specific sectoral regulations.

Regardless of the above, should any of the circumstances recorded in the PSO change (modification of data, identification of new critical infrastructures, decommissioning of critical infrastructures, cessation of the conditions for being considered a critical operator, etc.), the operator must promptly pass the information on to the CNPIC, through the channels enabled for that purpose (HERMES system / official PoC), within a maximum of ten days from the change in circumstances.

1.5 Protection and management of information and documentation.

Information is a strategic asset for any organization, and this information is of a sensitive nature; accordingly, the operator must define its procedures for managing and handling it, as well as the precise security standards needed to provide adequate and effective protection for that information, regardless of the format in which it is held.

In addition, operators designated as critical must handle the documents arising from the application of Law 8/2011 and its implementing regulation, Royal Decree 704/2011 of 20 May approving the Regulation for the protection of critical infrastructures, in accordance with the degree of classification resulting from those rules.

By virtue of the second additional provision of Law 8/2011, the classification of the PSO shall be expressly stated in the instrument approving it. To this end, the handling of the PSO shall be governed by the guidelines published by the National Authority for the Protection of Classified Information of the National Intelligence Centre concerning the handling and custody of information classified as Limited Distribution (difusión limitada).

The reference guidelines are collected in the following documents:

Document security.

OR-ASIP-04-01.04 - Guidelines for the handling of classified information of Limited Distribution grade.

Personnel security.

OR-ASIP-04-02.02 - Personnel security instruction for access to classified information.

Physical security.

OR-ASIP-01-01.03 - Guidelines for the Protection Plan of a restricted access area.

OR-ASIP-01-02.03 - Guidelines for the constitution of restricted access areas.

Security of information and communications systems.

OR-ASIP-03-01.04 - Guidelines for the accreditation of information and communications systems for the handling of classified information.

2. General security policy of the operator and security governance framework.

2.1 General security policy of the critical operator.

The objective of a security policy is to direct and support the management of security. In it, the organization's management must clearly establish its lines of action and express its support for and commitment to security.

Therefore, in this section the operator must set out the content of its security policy in a uniform and comprehensive way, specifically directed at the field of critical infrastructures and serving as a frame of reference for their protection, with the objective of preventing their disturbance or destruction.

The minimum aspects that the security policy must cover are:

• Object: the goal that the organization aims to achieve with the policy and its subsequent development and application.

• Scope or field of application: a policy may be limited to certain fields or aspects or, conversely, be applicable to the entire organization. The operator must state to which parts of its organization the security policy for critical infrastructure protection applies, without losing sight of the fact that the policy must be comprehensive in nature, covering both physical security and cybersecurity.

• Senior management commitment: the operator must ensure that security is given the same importance as the other production or business factors of the organization.

Therefore, the organization's commitment to the security policy and to what it develops should be reflected through its approval, sanction and support by the governing body (Board of Directors, Management Board, etc.) or person (President, CEO, etc.) with sufficient capacity to implement it in the organization, as well as its firm and explicit commitment to the protection of the essential services provided, a commitment that must be reflected in the Plan itself.

• Comprehensive nature of security: physical security and cybersecurity are areas that must be addressed in an interrelated way and from a holistic view of security. This results in a global vision of security, enabling the design of a single corporate strategy and optimizing knowledge, resources and equipment. The operator should therefore highlight the comprehensive nature of the security applied to its critical infrastructures, indicating at least the procedure by which it intends to achieve such comprehensive security: specific aspects of the organization, structures, procedures, etc. In this regard, a comprehensive response to the different existing threats requires coordinated physical security and cybersecurity measures.

• Updating the operator's general security policy: being a high-level security policy document, it does not usually require significant changes over time. However, the operator shall ensure that it remains up to date and reflects the changes required by variations in the assets to be protected, in the environment that may affect them (threats, vulnerabilities, impacts, safeguards), or in the applicable regulations. In this section, the operator should describe the process to be followed for updating and maintaining its security policy, including the periodicity and the party responsible for carrying out these actions.

2.2 Security governance framework.

2.2.1 Security organization and communication.

The critical operator must appoint a Security and Liaison Officer and Security Delegates for each of the critical infrastructures identified, as well as substitutes for both, in accordance with the requirements established in Law 8/2011. It must therefore ensure that they are at a sufficiently high hierarchical level within its organizational structure, so that those appointed can guarantee compliance with and enforcement of the policy and of the requirements for the protection of the critical infrastructures under their responsibility.

In addition, the physical presence of the infrastructure's Security Delegate must be possible within a reasonable time, where necessary.

In this section, the critical operator shall describe its security organization chart (covering both physical security and cybersecurity), indicating the figures provided for in the Law and the hierarchical levels they hold in its organizational structure.

The chart should include the physical location, structure, hierarchy, governing body and interrelationship of all areas of the organization with responsibility for each of the fields of corporate security. In addition, it must be recorded that those appointed have sufficient capacity to carry out all the actions arising from the application of the Law and the Royal Decree. In this regard, the critical operator must submit:

• A general organization chart identifying the corporate security structure.

• A specific chart of the security structure that integrates the information on the different functions within the organization.

Where applicable, the critical operator must declare the existing security committees or decision-making bodies, as well as the functions of each of them.

The procedures for the management and maintenance of security will also be described, stating whether they are in-house or subcontracted. In the latter case, it will be necessary to list the contractor company or companies, the security certifications they hold, the headquarters from which the contracted services are provided, and the services and commitments agreed between the two parties. Likewise, the methodology by which compliance of the contracted company with the security protocols implemented, where applicable, by the operator is verified shall be defined.

In the field of cybersecurity, and in relation to the protection of critical infrastructures, the Security and Industry CERT (hereinafter CERTSI) is responsible for resolving cyber incidents that may affect the provision of the essential services managed by critical operators. Under the framework agreement signed between the Secretary of State for Security and the Secretary of State for Telecommunications and the Information Society, CERTSI gives direct support to the CNPIC on all matters relating to the prevention of and response to incidents that may affect the systems and networks of critical infrastructure operators and the availability of the services they provide.

To this end, and upon signature of a confidentiality agreement between the parties (critical operator, CNPIC, CERTSI), the CERT will provide prevention, detection, early warning and incident response services in support of the departments responsible for these tasks within each organization.

2.2.1.1 The Security and Liaison Officer.

In accordance with article 16.2 of the Law, the critical operator shall appoint, within three months of its designation as such, the organization's Security and Liaison Officer, who must be accredited by the Ministry of the Interior as a Security Director, pursuant to Royal Decree 2364/1994 of 9 December approving the Private Security Regulation, or hold an equivalent qualification according to the applicable specific sectoral legislation. Such appointment shall be notified to the Secretary of State for Security through the CNPIC.

The critical operator must indicate in this section the name and contact details (address, telephone and email) of the person appointed as Security and Liaison Officer, as well as of his substitute, under identical conditions, in the absence of the principal. Their functions, pursuant to article 34.2 of Royal Decree 704/2011, are as follows:

• Representing the critical operator before the Secretary of State for Security:

- in matters relating to the security of its infrastructures;

- as regards the various plans specified in the Royal Decree.

• Channelling the operational and informational needs that arise between the critical operator and the CNPIC.

2.2.1.2 The Security Delegate of the critical infrastructure.

Pursuant to article 17 of the Law, operators that own or manage infrastructures designated as critical or European critical shall communicate to the Government Delegations or, where appropriate, to the competent body of the Autonomous Community with statutory powers for the protection of persons and property and the maintenance of public order in which those infrastructures are located, the person appointed as Security Delegate and his substitute. This communication must also be made to the CNPIC, within three months from the official notification that the operator owns or manages at least one critical or European critical infrastructure.

The critical operator must record in this section the name and contact details (address, telephones and email) of the person appointed as Security Delegate, as well as of his substitute, under identical conditions, complying with the deadlines established from its designation as a critical operator, and must communicate the appointments to the corresponding authorities, in accordance with article 35.1 of Royal Decree 704/2011.

It is recommended that both the Security Delegate and his substitute hold qualifications in the security field, in addition to belonging to the security department of the institution concerned.

Their functions, pursuant to article 35.2 of Royal Decree 704/2011, are the following:

• To be the operational link and the information channel with the competent authorities in matters relating to the security of their infrastructures.

• To channel the operational and informational needs that arise, at infrastructure level, between the operator and the competent authorities.

2.2.2 Training and awareness.

The critical operator must collaborate with the programmes or exercises that may arise from the Sector Strategic Plan, as well as, in due course, from the Operational Support Plans.

The critical operator will set out in this section the training plan planned for the personnel involved in the protection of the critical infrastructure, indicating its duration, the objectives it aims to achieve, the evaluation mechanisms envisaged for it and the update periods. Likewise, the person responsible for the plan and for the training itself will be identified.

If the operator has a general training plan, it will specify the part relating to critical infrastructure protection and include it at this point.

The critical operator should state in this section its participation in security incident simulation exercises (cyber and physical), and the intervals scheduled for such exercises.

Personnel directly involved in the protection of essential services and critical infrastructures must be trained to achieve, at a basic level, knowledge of:

• Comprehensive security (physical security and cybersecurity).

• Self-protection.

• Security of the environment.

• Organizational and communication skills.

• Their responsibilities/actions in the event of an incident, or in the event that threat level 4 or 5 of the Plan for Prevention and Protection against Terrorism or of the National Plan for the Protection of Critical Infrastructures is activated.

Personnel not directly involved must be made aware through the application of the training and awareness policies in force in the organization.

2.2.3 Management model applied.

Comprehensive security depends on a management process that should provide the organizational and technical control needed to determine at all times the level of exposure to threats and the level of protection and response that the organization is capable of providing for the protection and security of its essential services and critical infrastructures.

Therefore, in accordance with the security policy set out, the critical operator should include in the PSO its chosen management model, which should reflect as a minimum:

• Implementation of security controls aligned with the priorities and needs evaluated.

• Continuous evaluation and monitoring of security, identifying the processes and periods.

• Where the critical operator has designed a management system or an assessment of the security of information technologies according to some international reference standard, it must indicate this, as well as the certifications that system holds and the certifying body.

2.2.4 Communication.

The critical operator should set out explicitly in this section the procedures established for communication and exchange of information relating to the protection of critical infrastructures, as follows:

Communication to the CNPIC:

• Of those incidents or situations that may jeopardize or compromise the security of any of the infrastructures the operator manages or owns, in accordance with the PIC Incident Communication Protocol prepared by this Centre and made available to critical operators.

• Of those organizational, planning or structural changes that occur within the operator itself and in some way affect the protected critical infrastructures (e.g. adjustment of the service portfolio, mergers, acquisitions or sales of assets, technical changes, modification of infrastructures, facilities, etc.).

Communication to CERTSI:

• Through the Cyber Coordination Office of the Ministry of the Interior (OCC), of incidents that may compromise the cyber security of the critical operator's systems and networks and the availability of the services it provides. All this in accordance with the PIC Incident Communication Protocol prepared by the CNPIC and made available to critical operators.

3. List of essential services provided by the critical operator.

The PSO must include, by way of introduction, sufficient context information to describe the following aspects:

• General presentation of the critical operator and the main sector(s)/subsector(s) of its activity. In the case of business groups, the companies that constitute the critical operator will be clearly identified, with name and CIF.

• Corporate and organizational structure of the whole group (in the case of business groups).

• Geographical presence at national and international level, with a summary of the Autonomous Communities in which it provides its essential services, as well as of the countries in which it provides similar services.

• Main lines of activity with the general type of products/services offered.

3.1 Identification of essential services.

The PSO shall identify the services essential for citizens that the operator provides through all of its strategic infrastructures located in the national territory, in relation to the concept of essential service contained in article 2(a) of the Law:

• A service necessary for the maintenance of basic social functions, health, safety, and the social and economic well-being of citizens.

• The effective functioning of State institutions and public administrations.

3.2 Maintenance of the inventory of essential services.

Periodically, at least every two years, the critical operator shall review the list of essential services recorded in its PSO, as a result of the normal evolution that any company experiences in the services it offers.

Thus, this maintenance should incorporate the change(s) that occur:

• Due to endogenous causes (for example, adjustment of the service portfolio, mergers, acquisitions or sales of assets, technical changes, modification of infrastructures, facilities, etc.).

• As a result of adaptation to the periods set out for the Plan in accordance with point 1.4 of this guide.

3.3 Study of the consequences of interruption of the essential service.

The critical operator should carry out a study of the consequences that the interruption and unavailability of the essential service provided to society would entail, caused by:

• Temporary alteration or interruption of the service.

• Partial or total destruction of the infrastructure that delivers the service.

Additionally, it must clearly identify, for each of the above cases, the following information:

• Geographical extent and number of persons who may be affected.

• Effect on dependent operators and essential services.

• Existence of alternative means of providing the essential service or contingency mechanisms provided by the operator itself, and the level of degradation they entail.

3.4 Interdependencies.

With regard to the concept of interdependencies set out in article 2(j) of the Law, there may be effects and repercussions affecting the essential services and critical infrastructures of the operator itself or of other operators, both within the same sector and in other sectors. These interdependencies shall in all cases be considered in the risk analyses carried out by operators within the global framework of their organization.

The critical operator must refer to the interdependencies it identifies, explaining in general terms the reason behind such dependencies:

• Between its own facilities or services.

• With operators in the same sector.

• With operators in different sectors.

• With operators in other countries, in the same sector or not.

• With its service suppliers within the supply chain.

• With ICT service providers, such as: telecommunications provider(s), data processing centres, security services (security operations centre, private CERT, etc.) and any others deemed relevant, specifying for each of them the name of the provider, the contracted services, the service level agreements (SLAs) and the alignment of the service provided with the operator's general security policy.

4. Risk analysis methodology.

By virtue of article 22.3 of Royal Decree 704/2011, the PSO will reflect the risk analysis methodology or methodologies used by the critical operator. Such methodologies must be internationally recognized, ensure the continuity of the services provided by the operator and consider, in a global way, both the physical and the logical threats existing against all of its critical assets. All this regardless of the minimum measures that may be established for the Specific Protection Plans pursuant to article 25.

4.1 Description of the analysis methodology.

The methodology used by the organization to carry out the risk analysis of the different Specific Protection Plans (PPE) arising after the designation of the critical infrastructures will be described generically. At least the following information shall be provided:

• Essential stages.

• Algorithms used.

• Method used for the assessment of impacts.

• Metrics for measuring acceptable residual risks, etc.

• In particular, the relationships between the risk analyses performed at the different levels shall be set out: at corporate level, at the level of services and, more concretely, at the level of critical infrastructures.

4.2 Types of assets supporting essential services.

Assets are the resources necessary for the organization to operate properly and achieve the goals set by its management.

On the basis of the services identified in paragraph 3.1 above, this section will include, for each essential service, the types of assets that support it, distinguishing those that are critical from those that are not.

The types of assets to be considered will be, at least:

• The facilities necessary for the provision of the essential service.

• The computer systems necessary to support the essential services (hardware and software).

• The communications networks necessary for the provision of the essential service.

• The persons who exploit or operate all of the aforementioned elements.

The object of this section is the generic identification of the types of assets associated with the essential services provided by the operator, on which the risk analysis performed by the operator is focused. The level of detail will be that which allows an understanding of how the services function, as well as of the interrelationships between assets and services.

Assets will not necessarily be concrete physical spaces; distributed systems, such as a data network, may for example be considered assets.

4.3 Identification and assessment of threats.

Within the framework of the critical infrastructure protection regulations, and to ensure adequate protection of the infrastructures that provide essential services, the critical operator must take as a reference the threat tree provided by the CNPIC, considering in particular threats of terrorist or deliberate origin. The operator shall expressly indicate the threats considered in carrying out the risk analysis, covering at least:

• Intentional threats, both physical and logical, affecting the whole of its infrastructures, which must be specifically identified in their respective PPE, where applicable.

• Threats arising from interdependencies, which may directly affect essential services, whether deliberate or not.

4.4 Risk assessment and management.

The PSO will set out the risk management strategy implemented by the operator in terms of:

• Criteria used for the assessment of the risk classification categories.

• Methodology for selecting the strategy (reduction, elimination, transfer, etc.).

• Deadlines for the implementation of measures, where a risk minimization strategy is chosen, indicating, if any, the mechanisms for prioritizing actions.

• Treatment given to threats of deliberate attack and, in particular, to those of low probability but high impact due to the consequences of their destruction or disruption for the continuity of essential services.

• Mechanisms for periodic follow-up and update of risk levels.

5. Criteria for implementing comprehensive security measures.

Within the scope of comprehensive security, the operator will define in general terms the criteria used in its organisation for implementing and administering security. In this sense, it will include generically the security measures implemented across the set of assets and resources that support the essential services and that are set out in the respective PPEs, in order to address the physical and logical threats identified in the corresponding risk analyses carried out on each of its asset types.

6. Complementary documentation.

6.1 Regulations, best practices and standards.

The operator will compile, in a brief, reasoned reference, all the applicable regulations and good practices that govern the functioning of the essential services for each and every one of its infrastructures.

The regulations to be included cover both general and sectoral regulations at national, regional, European and international level concerning:

• Physical security.

• Cybersecurity.

• Information security.

• Personnel security.

• Environmental security.

• Self-protection and occupational risk prevention.

6.2 Coordination with other plans.

All plans drawn up by the operator relating to other aspects (business continuity, risk management, response, cybersecurity, self-protection, emergencies, etc.) that can be coordinated with the Operator Security Plan and the respective Specific Protection Plans, and that would be activated in the event that preventive measures fail and an incident occurs, shall be identified. Likewise, the existing coordination with the National Plan for the Protection of Critical Infrastructures shall be recorded.

ANNEX II

Guide to the minimum contents of the Specific Protection Plan (PPE)

Index

1. Introduction.

1.1 Legal basis.

1.2 Purpose of this document.

1.3 Purpose and contents of the PPE.

1.4 Method of review and updating.

1.5 Protection and management of information and documentation.

2. Organisational aspects.

2.1 Security organisation chart.

2.2 Critical infrastructure Security Delegates.

2.3 Coordination mechanisms.

2.4 Mechanisms and persons responsible for approval.

3. Description of the critical infrastructure.

3.1 General information about the critical infrastructure.

3.2 Assets/elements of the critical infrastructure.

3.3 Interdependencies.

4. Results of the risk analysis.

4.1 Threats considered.

4.2 Existing comprehensive security measures.

4.2.1 Organisational or management measures.

4.2.2 Operational or procedural measures.

4.2.3 Protection or technical measures.

4.3 Risk assessment.

5. Proposed action plan (per asset).

6. Complementary documentation.

1. Introduction.

1.1 Legal basis.

As established by Law 8/2011, of 28 April, which establishes measures for the protection of critical infrastructures, an operator designated as critical, whether it belongs to the public or the private sector, is integrated as an agent of the critical infrastructure protection system and must comply with a series of responsibilities set out in its article 13.

In accordance with point 1, letter d), of that article, the operator must draw up a Specific Protection Plan (hereinafter, PPE) for each of the critical infrastructures that it owns or manages.

Royal Decree 704/2011, of 20 May, which approves the Regulation for the protection of critical infrastructures and gives regulatory development to Law 8/2011, establishes, in Chapter IV of Title III on planning instruments, the aspects relating to the drawing up, purpose and content of these plans, as well as their approval or modification, registration, classification and forms of review and updating, the authorities responsible for their application and monitoring, and their compatibility with other existing plans.

In this sense, and in accordance with article 25.5 of that Royal Decree, the Secretariat of State for Security, through the National Centre for the Protection of Critical Infrastructures (hereinafter, CNPIC), is assigned responsibility for establishing the minimum contents of the PPE, as well as the model on which its structure and completion are based, on the basis of the guidelines and criteria set by the Operator Security Plan (hereinafter, PSO).

In the PPE, the critical operator shall apply the following aspects and criteria included in its PSO that specifically affect that installation:

• Aspects relating to its general security policy.

• Development of the risk analysis methodology that guarantees the continuity of the services provided by the operator through that critical infrastructure.

• Development of the criteria for applying the different security measures implemented to address the threats, both physical and those affecting cybersecurity, identified in relation to each of the asset types existing in that infrastructure.

1.2 Purpose of this document.

This document is intended to comply with the instructions deriving from Royal Decree 704/2011 by establishing the minimum contents on which the critical operator must base itself when drawing up its respective PPEs for the facilities catalogued as critical. At the same time, it settles some explanatory points on aspects contained in Law 8/2011 and Royal Decree 704/2011.

1.3 Purpose and contents of the PPE.

The PPEs are the operational documents in which the specific measures to be put in place by critical operators to guarantee the comprehensive security (physical security and cybersecurity) of their critical infrastructures are defined.

In addition to a reference index to the contents of the Plan, the PPE shall contain at least the following specific information about the infrastructure to be protected:

• Security organisation.

• Description of the infrastructure.

• Result of the risk analysis: comprehensive security measures (both existing and those that need to be implemented), permanent, temporary and gradual, for the different types of assets to be protected and according to the different threat levels declared at national level in accordance with the Plan for Prevention and Protection against Terrorism and the National Plan for the Protection of Critical Infrastructures.

• Proposed action plan (for each asset evaluated in the risk analysis).

The PPE must be aligned with the guidelines established in the operator's general security policy as reflected in the PSO. Likewise, the analysis of risks, vulnerabilities and threats carried out shall be subject to the methodological guidelines described in the PSO.

1.4 Method of review and updating.

In accordance with article 27 of the Royal Decree approving the Regulation for the protection of critical infrastructures, the obligations of the critical operator, in addition to drawing up and submitting the PPE to the CNPIC, include its review and periodic updating:

• Review: every two years; the review must be approved by the Government Delegations in the autonomous communities and the cities with a statute of autonomy or, where applicable, by the competent body of the autonomous communities with statutory powers recognised for the protection of persons and property and the maintenance of public order, as well as by the CNPIC.

• Updating: whenever there is a modification of the data contained in the PPE. In this case, the PPE will be updated once such changes have been validated by the CNPIC, or under the conditions laid down in the specific sectoral legislation.

In any event, should any of the circumstances indicated in the PPE vary (security organisation, infrastructure description data, security measures, etc.), the operator must promptly forward this information to the CNPIC through the channels enabled for that purpose (HERMES system / official PoC), within a maximum period of ten days from the change in circumstances.

1.5 Protection and management of information and documentation.

The information associated with the PPE, and the information relating to the risk analysis and the security measures implemented in the critical infrastructure to which it refers, is of a sensitive nature. The operator must therefore define its procedures for handling such information, as well as the precise security standards that provide adequate and effective protection of the information used, regardless of the format in which it is held.

In addition, operators designated as critical must handle the documents arising from the application of Law 8/2011 and its regulatory development through Royal Decree 704/2011, of 20 May, which approves the Regulation for the protection of critical infrastructures, in accordance with the degree of classification deriving from the aforementioned rules.

Under the second additional provision of Law 8/2011, the classification of the PPE will be stated explicitly in the instrument of approval. To this end, the handling of the PPE must be governed by the guidelines published by the National Authority for the Protection of Classified Information of the National Intelligence Centre concerning the handling and custody of information classified as "Difusión Limitada" (Restricted).

The reference guidelines are set out in the following documents:

Documentary security:

OR-ASIP-04-01.04 - Guidelines for the handling of classified information with the degree of "Difusión Limitada".

Personnel security:

OR-ASIP-04-02.02 - Personnel security instruction for access to classified information.

Physical security:

OR-ASIP-01-01.03 - Guidelines for the protection plan of a restricted access area.

OR-ASIP-01-02.03 - Guidelines for the establishment of restricted access areas.

Security of information and communications systems:

OR-ASIP-03-01.04 - Guidelines for the accreditation of information and communications systems for the handling of classified information.

2. Organisational aspects.

2.1 Security organisation chart.

The critical operator must present graphically the functional organisational structure for comprehensive security that exists in the critical infrastructure, indicating all the actors involved in it, their role and responsibility, and their place in the hierarchy of the decision-making process. Likewise, the dependence of this structure on the one defined in the corresponding Operator Security Plan must be established.

2.2 Critical infrastructure Security Delegates.

Pursuant to article 17 of Law 8/2011, the operator of an infrastructure designated as critical or European critical shall inform the Government Delegations in the autonomous communities and the cities with a statute of autonomy or, where applicable, the competent body of the autonomous community with statutory powers recognised for the protection of persons and property and the maintenance of public order in whose territory the infrastructure is located, of the person designated as Security Delegate and their substitute. This communication must also be made to the CNPIC, within three months of the designation of an infrastructure as critical.

The critical operator must record in this section the name and contact details (address, telephone numbers and e-mail) of the person designated as Security Delegate and of their substitute, under identical conditions, complying with the deadlines established from their designation, as well as their communication to the corresponding authorities, in accordance with article 35.1 of Royal Decree 704/2011.

It is recommended that both the Security Delegate and their substitute hold qualifications relating to the security field, in addition to belonging to the security department of the entity concerned.

Their functions, under article 35.2 of Royal Decree 704/2011, are as follows:

• To be the operational link and channel of information with the competent authorities in matters relating to the security of their infrastructures.

• To channel the operational and information needs that arise.

The critical operator must reflect in this section the courses or training that the Security Delegate has received in relation to the competences required for the performance of the post, in accordance with the training plan provided for in the PSO.

2.3 Coordination mechanisms.

The critical operator shall reflect in its PPE the existing coordination mechanisms:

• Between the Security Delegate of the critical infrastructure and the Security Delegates of other critical infrastructures, and the operator's own Security and Liaison Officer.

• With the authorities and third parties (State Security Forces and Corps / regional and local police forces / CNPIC / others).

• With other plans existing in the operator (business continuity plans, evacuation plans, etc.).

• With the Security and Industry CERT (CERTSI), identifying the operator's points of contact at the three levels required (institutional, management and technical), all of them for incident management.

• With the critical suppliers specified in the light of what is set out in section 3.2.

2.4 Mechanisms and persons responsible for approval.

The operator shall include in the PPE the aspects relating to its approval and internal review:

• Person responsible for its approval.

• Procedure followed for its approval.

• Date of the last approval.

• Person responsible for its review and updating.

• Aspects subject to review, where applicable.

• Records generated by the review procedure that make it possible to verify that the PPE has been reviewed (meetings, minutes of the corresponding committee, studies and analyses, updates of the risk analysis, etc.).

3. Description of the critical infrastructure.

3.1 General information about the critical infrastructure.

The critical operator shall include the following data and information about the infrastructure to be protected:

• General data relating to the designation and type of installation, and its ownership and management.

• Physical location and structure (site, plans, photographs, components, etc.).

• The ICT systems that manage the critical infrastructure, and their architecture.

• Strategic data: description of the essential service provided and its geographic or population scope; its relationship with other infrastructures that may be needed to provide that essential service; and a description of its functions and of its relationship with the essential services it supports.

3.2 Assets/elements of the critical infrastructure.

All the assets supporting the critical infrastructure shall be included in this section, distinguishing those that are critical from those that are not. Specifically, the following shall be explained:

• The facilities or components of the critical infrastructure that are necessary, and therefore vital, for the provision of the essential service.

• The computer systems (hardware and software) used, specifying manufacturers, models, versions, etc.

• The communications networks that allow data exchange and are used by the critical infrastructure: network architecture, public IP ranges and domains; complete and detailed network diagram(s), in graphic form with a written description, showing the information exchange flows carried out over the networks as well as their electronic perimeters; and a description of the network components (servers, terminals, hubs, switches, nodes, routers, firewalls, etc.) together with their physical location.

• The persons or groups of persons who exploit or operate all the above elements, stating and detailing in particular whether any process is outsourced to third parties.

• The critical suppliers that are generally necessary for the operation of the critical infrastructure, and specifically those for: electricity supply; communications (telephone, Internet, etc.); processing and storage (data centres, etc.); and cybersecurity (private CERTs, SOCs, etc.).

• For the suppliers designated by the operator, the different service level agreements contracted and considered essential shall be specified.

Likewise, the existing interdependencies between the different assets that support or make up the critical infrastructure shall be specified. The above information must be sufficient to explicitly capture the scope of the infrastructure to be protected, with the same level of detail as established in the PSO.

3.3 Interdependencies.

Under the concept of interdependency set out in article 2(j) of the Law, there may be effects and repercussions that affect the essential services and critical infrastructures of the operator itself and/or of other operators, both within the same sector and in different ones. These interdependencies must in all cases be considered in the risk analysis carried out by the operators for the critical infrastructure concerned, within the framework of the PPE.

The critical operator must refer in each of its PPEs to the interdependencies identified, where applicable, briefly explaining the reason that gives rise to them:

• With other critical infrastructures of the operator itself.

• With other strategic infrastructures of the operator itself that support the essential service.

• Between its own facilities or services.

• With its suppliers in the supply chain.

• With the ICT service providers contracted for that infrastructure, such as: telecommunications provider(s), data centres, security services (security operations centre, private CERT, etc.) and any others considered relevant, specifying for each of them the name of the provider, the services contracted, the service level agreements (SLAs) and the alignment of the service provided with the operator's general security policy.

• With physical security service providers, indicating the services provided and the staff and resources employed.

4. Results of the risk analysis.

The critical operator shall reflect in its PPE the results of the comprehensive risk analysis carried out on the critical infrastructure. This risk analysis must follow the methodological guidelines contained in its PSO.

The minimum contents relating to the risk analysis that the operator must include in the PPE are set out below.

4.1 Threats considered.

Within the framework of the critical infrastructure protection regulations, and in order to guarantee adequate protection of the critical infrastructures, the critical operator must have a reference threat tree provided by the CNPIC, considering in particular threats of terrorist or deliberate origin. The operator shall expressly indicate the threats considered when carrying out the risk analysis, covering at least:

• Intentional threats, both physical and cyber, relating specifically to any of the assets supporting the critical infrastructure.

• Threats that directly affect the interdependencies identified for the infrastructure, whether deliberate or not.

• Threats directed at the nearby environment and interdependent elements, both in the physical surroundings outside the perimeter and in the logical surroundings, that could affect the infrastructure.

• Threats affecting the information systems that support the operation of the critical infrastructure and all those connected to such systems without adequate segmentation measures.

• Threats affecting the systems and services that support comprehensive security.

4.2 Existing comprehensive security measures.

The operator must describe the comprehensive security measures (measures protecting the facilities, equipment, data, base software and applications, personnel and documentation) currently implemented, which were taken into account when carrying out the risk analysis. A distinction must be made between permanent measures and temporary and gradual measures.

Permanent measures are understood to be those measures already adopted by the critical operator, as well as those it considers necessary to put in place as a result of the risk analysis carried out with respect to the risks, threats and consequences/impact on its assets, all of them aimed at guaranteeing the comprehensive security of its installation catalogued as critical on an ongoing basis.

Temporary and gradual measures are understood to be those security measures of an extraordinary nature that reinforce the permanent measures and that need to be implemented incrementally as a result of the activation of any of the security levels established in the National Plan for the Protection of Critical Infrastructures (article 16.3 of Royal Decree 704/2011), in coordination with the Plan for Prevention and Protection against Terrorism, mainly for levels 4 and 5, or as a result of communications that the competent authorities may make to the critical operator in relation to a specific and temporary threat to an installation it manages.

Such measures must remain active for as long as the alarm level is in force, and be modified gradually in line with that level.

For better understanding, a layered approach for each level is recommended, on a scale of levels from 1 to 5 (level 1: low risk; level 2: moderate risk; level 3: medium risk; level 4: high risk; level 5: very high risk), specifying for each level the prevention and protection measures, the response time and the recovery time.

Specifically, the operator must describe the particular measures it has in place relating to:

4.2.1 Organisational or management measures.

The operator must indicate whether it has at least the following organisational or management measures, and the scope of each of them:

• Risk analysis: evaluation and assessment of threats, impacts and probabilities in order to obtain a risk level.

• Definition of roles and responsibilities: assignment of responsibilities in security matters.

• Defined body of rules: security policies, procedures and standards.

• Standards and/or regulations applicable to the critical infrastructure, together with an identification of their level of compliance.

• Security certifications, accreditations and evaluations obtained for the critical infrastructure.

4.2.2 Operational or procedural measures.

The operator shall indicate whether it has at least the following operational or procedural measures, and the scope of each of them:

• Procedures for the creation, management and maintenance of critical assets (life cycle): identification, acquisition, cataloguing, registration, updating and decommissioning.

• Training, awareness and education procedures (general and specific) for: employees/workers, security staff, contracted personnel, etc.

• Contingency/recovery procedures, according to the contingency scenarios that have been defined. Backup methods and policies must also be detailed.

• Operational procedures for monitoring, supervision and evaluation/audit of: the physical assets of the infrastructure (scope/operation/monitoring); and the logical assets or operating systems (scope/operation/monitoring).

• Security procedures.

• Access management procedures: user management (registration, removal and modification, selection processes, internal rules, termination procedures); control of temporary access by persons, vehicles, etc. to the general premises or to restricted areas; temporary user identifiers for the systems (maintenance, etc.); control of inbound and outbound items (parcels, correspondence, etc.); and control of media, equipment and information (information leakage prevention technologies and measures).

• Operational procedures for security staff (functions, schedules, equipment, etc.).

• Procedures for managing and responding to threats and incidents.

• Procedures for communication and exchange of information relating to the protection of critical infrastructures (through the incident protocol provided for that purpose by the CNPIC): with the CNPIC, on incidents or situations that may jeopardise or compromise the security of the infrastructure, and on changes to data on the security organisation and measures, infrastructure description data, etc.; and with the CERTSI, through the Cyber Coordination Office of the Ministry of the Interior (OCC), on incidents that may compromise the cybersecurity of the infrastructure's systems and networks and the availability of the services it provides.

4.2.3 Protection or technical measures.

• Prevention and detection measures: electronic and physical security measures and elements to protect the perimeter and control access: barriers, security zones, intrusion detectors, video surveillance cameras/CCTV, doors and locks, vehicle registration plate readers, security arches, turnstiles, scanners, active cards and card readers, etc.

Cybersecurity measures and elements: firewalls, DMZs, IPSs, IDSs, network segmentation and isolation, encryption, VPNs, user access control elements and measures (tokens, biometric controls, etc.), installation and configuration measures for certain technical elements, event and log correlators, anti-malware protection, etc.

Redundancy of systems (hardware and software).

Others.

• Coordination and monitoring measures: security control centre (alarm control, reception and viewing of images, etc.).

Surveillance teams (shifts, rounds, staffing, etc.).

Communication systems.

Others.

4.3 Risk assessment.

This section shall describe the main findings of the risk analysis. For each asset/threat pair, the assessment carried out must be specified, on the basis of the criteria set out in the risk analysis methodology described in the PSO. Under this heading, the following information shall be included for each asset/threat pair:

• Who has evaluated/approved the risk and the associated treatment strategy.

• The risk estimation criteria adopted.

• The date of the last assessment carried out.

• The result/conclusion on the level of risk accepted.

• The evolution over time of the assessment of the asset/threat pair. In particular, risks accepted for assets with high-impact and low-probability levels, which must be validated by the CNPIC, must be detailed.

5. Proposed action plan (per asset).

Where relevant, and where complementary measures to those already in place are planned to be implemented in the next three years, the following shall be described as an integral part of the PPE:

• The list of complementary measures to be put in place (physical or cybersecurity).

• An explanation of the operational result for each type of protection (physical and logical).

The operator must specify the detailed package of measures to be applied to protect the assets as a consequence of the results of the risk analysis. In particular, it must include the following information:

• The asset to which it applies.

• The proposed action, with details of its scope.

• The persons responsible for its implementation, deadlines, coordination and monitoring mechanisms, etc.

• The nature of the measure: permanent, temporary or gradual.

6. Complementary documentation.

The critical operator shall annex the general plans of the installation or system and of its information systems, as well as any other plans showing the location of the security measures implemented. It may also attach any other information that may be generated from the different sections of this document.

A brief reference shall be made to all those plans of a different type (emergency, self-protection, cybersecurity, etc.) that may affect the installation or system, in order to establish proper coordination among them, as well as to all the regulations and practices that govern the functioning of the essential service provided by the infrastructure and the reasons why they apply.

The regulations to be included cover both general and sectoral regulations at national, regional, European and international level concerning:

• Physical security.

• Cybersecurity.

• Information security.

• Personnel security.

• Environmental security.

• Self-protection and occupational risk prevention.