Summary
Every country has critical infrastructures that are essential for social, economic, and political stability. Therefore, their protection becomes truly a sovereignty matter. Local and global threats and attached disruptive incidents (emergencies, crises, and disasters) have been pushing nations across the globe to develop mechanisms to be implemented by the operators to protect and organize the resilience of these structures. Brazil, through experience with its own problems – gangs, natural disasters, political polarization etc. –, has been developing its own strategy since 2018, through various instruments who make up the Security of Critical Infrastructures (Segurança de Infraestruturas Críticas -SIC)
Considering that the private sector owns or manage many of these infrastructures, the proper development and maintenance of the SIC will demand the involvement of the private sector. Thus, this is a crucial moment for corporations to get involved in this process, to be heard and prove its perspective and influence the process of creation of the SIC.
The Attacks in Rio Grande do Norte
On 14 March, a series of attacks to public and private facilities and services began to be carried out by criminals in Rio Grande do Norte, in the Northeast of Brazil. The acts of terror lasted until 25 March and affected at least 48 cities, including the capital, Natal. Public buildings, Military Police cabins, buses, justice courts, vehicles, stores and even homes were shot and torched. Natal and Mossoró had to remove their bus fleets from the streets. Intercity travels were also suspended. A total of 298 attacks were recorded by the authorities.
In response, Justice and Public Security Minister Flavio Dino announced aid of R$ 35 million from the federal government. In addition, the National Force was sent to the state, where it will remain indefinitely. The institutional response led to the arrest of 187 suspects, 43 firearms and 148 explosive devices and 33 gallons of fuel were seized. Three people died, a businessman and 2 suspects.
According to investigations, the actions were a retaliation for prison conditions. There are allegations of torture, spoiled food, and intentional contamination by tuberculosis in state prisons. However, according to the federal government, what triggered the attacks was the transfer of heads of the so-called RN Crime Syndicate (SDC) out of state in January.
Investigations are expected to advance now that Andreza Cristina Lima Leitão, one of the heads of the faction that controls drug trafficking in RN, has been arrested. Andreza is believed to have ordered the wave of attacks. She had been hiding in Vila Kennedy, a favela in Rio de Janeiro, since 2020, and she was only caught after leaving her hideout to go to a shopping mall.
The incident in Rio Grande do Norte stopped daily activities all over the state, and highlighted the threats that surround the Brazilian critical infrastructure. It also serves as a brutal reminder to authorities of how important it is to be prepared, which is to have a defined policy (a plan, a strategy, and a way to respond) against risks that can cause serious impacts on the social, economic, political, and national security fields.
PNSIC – The Brazilian Policy Under Development
In fact, Brazil has been developing this policy. On 15 September 2022, the National Plan for Critical Infrastructures Security was approved through decree nº 11,200. The plan, also known as PLANSIC, was the latest step completed by Brazil to prepare itself for defending installations, services and goods whose interruption or destruction will cause serious social, economic, political, international or national security impact – which is the formal definition of critical infrastructure.
An important task carried out with the disclosure of PLANSIC was the definition of areas and sectors that have critical infrastructure. The areas and their corresponding sectors are defined in the document are the following:
This step recently completed is part of a process that aims to create all the necessary elements stipulated by the National Policy for Critical Infrastructure Security (PNSIC), which was implemented in November, 2018. Besides characterizing the security of critical infrastructures (CIs) as a State activity, the PNSIC was important to set the essential guidelines for the joint effort that must be developed by bodies and entities from the public, but also private sectors with regard to the security activity of CIs.
PNSIC also established the need to create three mechanisms, among them, the already mentioned PLANSIC; the National Strategy for Critical Infrastructure Security (ENSIC), launched in December, 2020; and the Integrated System of Security Data for Critical Infrastructures (SIDSIC), which shall be ready by September, 2024.
The ENSIC identified the main challenges for the security activity of CIs, defining structural axes and strategic objectives, thus serving as a directive for the actions of the PLANSIC. The strategy also informs that services provided by a country’s critical infrastructure can be affected by threats arising from human action or natural disasters and the occurrence of failures of all kinds. Additionally, it points out the risks of vulnerabilities in the physical structure, personal protection systems, processes, operations or other areas that may be exploited by malicious intents. For its turn, SIDSIC will be the operational structure responsible for the permanent follow-up and monitoring of the Security of Critical Infrastructures in the country.
History and Development
This policy now under development in Brazil is the product of a movement born internationally and that years later became more relevant for the Brazilian authorities, particularly due to local circumstances, similar to those seen this year in RN.
Security of CIs appeared as a worldwide trend soon after the terrorist attacks that occurred in the United States, on 11 September 2001. The following year, the US began preparations to develop a plan that would increase security and prevent new attacks. This document, the National Infrastructure Protection Plan (NIPP), was delivered in 2006, and it continues to be updated to this day.
Europe, which was also hit by several terrorist attacks, traced a comparable path, delivering its response in the form of the Council Directive 2008/114/EC of 8 December 2008. This document was replaced recently by the Council Directive 2022/2557 of 14 December 2022.
In Brazil, a country much less targeted by Islamic terrorist groups, the topic gained momentum from 2006, after the most famous wave of attacks perpetrated by criminal organizations. In this event, the First Capital Command (PCC) struck several facilities based in the State of São Paulo, 564 people were shot and killed and 110 people were injured by firearms during the turmoil, including 59 public servants (policemen, penitentiary agents, and firemen). It led the Brazilian Government to take the initiative to identify which infrastructures in the country should be given priority protection, in case of new occurrences of that nature. This was the beginning of the way towards the PNSIC.
New and Old Threats
The finalization of all SIC stages are now even more necessary, as old threats evolve and new ones appear from different directions. Among the topics that are sources of concern, there are the expansion and evolution of the organized crime across the country; the political polarization, and civil and institutional disorder; the vulnerabilities of industrial control systems and supervisory control and data acquisition systems (SCADA); and problems caused by natural disaster that are potentiated by climate change.
The wave of attacks from last March is quite similar to those from 2006. Both appear to be connected to the transference of prisoners and to living conditions in these units.
The evolution of criminal organizations has reached a point that event high authorities linked to the fight against organized crime have been plausible targets. This has been recently proved, when, on 22 March, the Federal Police (PF) arrested several PCC members after discovering a scheme to assassinate São Paulo Public Prosecutor Lincoln Gakyia, a member of the Special Action Group for the Repression of Organized Crime (Gaeco). He has been investigating and punishing PCC members for 18 years and due to that he has had 24-hour police escort for more than ten years. Another target was the former Public Security Minister and now Senator Sérgio Moro.The growing political polarization is one new element that adds challenges to the Brazilian context. A great example on the right of the political spectrum is the large mobilization of supporters of former President Jair Bolsonaro. After more than 2 months of protests in front of military barracks, and attempts to stop the country by blocking roads, they attacked the main facilities of the central administration on 8 January. On the same day, a coordinated action attempted to suffocate the distribution of fuels by blocking access to some refineries. In addition, unidentified agents sabotaged 7 transmission towers with the objective of interrupting the distribution of energy.
There is the threat of radicalized members of this right-wing group. The wider access to weapons after the flexibilization of gun laws during the past government could add up to the risk level. An example was the bomb attack attempted against Brasília Airport (BSB), where supporters of Bolsonaro planted a bomb in a fuel truck. Later the police discovered that they had many high-caliber weapons with them, in addition to dynamite that was illegally obtained.
To the left of the political spectrum, there are groups that have potential to cause disruptions and affect critical infrastructures as well. Social movements such as the Landless Rural Workers Movement (MST) have a history of blocking roads, invading properties and attacking labs with transgenic plants.
Brazil has a history of dependency on roads. According to data from the National Transport Confederation (CNT), more than 60% of everything produced and consumed in Brazil arrives at its destination by road. This condition gives some groups of professionals a lot of power when they decide to go on strike, which is the case with truck drivers. In 2018, they showed that by almost bringing the country to a halt.
This dependency on roads is also a great issue due to the natural disasters that affect the roads in Brazil, like landslides and floods. Heavy tropical rains soak deforested slopes near roads, houses, and other structures. When the earth becomes saturated, it collapses destroying everything on its way, including the essential highways. BR-101, which crosses the coast from south to north, suffers from this. For instance, the coastal city of Angra dos Reis can become almost isolated if this highway is closed. In this scenario, things can become even more critical because in Angra there is the only two nuclear power plants in Brazil, and another one under construction, Angra 1, 2 and 3.
A global factor can make this threat worse, the climate changes caused by global warming. According to the American Geophysical Union, landslides are becoming more frequent in the past 50 years due to global warming.
Even though cybersecurity is not under the scope of PNSIC, but under the National Cyber Security Strategy, in Decree No. 10,748, the topic is also relevant. Most of the world’s critical infrastructure—nuclear plants, electrical transmission systems, water treatment plants, etc.—is managed by supervisory control and data acquisition (SCADA) systems and attacks on them are growing more common. Dell detected over 160,000 attacks globally in 2014, double the number from the previous year.
The Role of Private Operators
An increasingly significant part of the country’s critical infrastructure is owned or operated by the private sector. Consequently, the need to build a partnership between the Federal Government and the private sector is required in order to join efforts in guaranteeing the security and resilience of critical infrastructures. In this context, ENSIC establishes responsibilities for all parties involved, including the private sector. According to the document, some of duties to be completed by this sector are:
- Survey vulnerabilities related to personal protection systems, physical structure, processes, operations or other areas that may be targets of adverse events
- Develop skills in private sector entities involved with the security of critical infrastructure, in planning and executing risk, crisis and business continuity management activities
- Acquire knowledge about the security of critical infrastructure and its importance for the private sector
- Be aware of the importance of the relationship between the interest of defense and national security with the security of critical infrastructures
- Develop prevention and response plans for critical infrastructures
- identify potential threats and vulnerabilities to these critical infrastructures
- propose control measures to reduce risks to critical infrastructure corresponding to the priority area considered
Furthermore, while the PNSIC is under development, the opportunity to be proactive and get involved with the ongoing work arises. Participating directly or through professional associations is a unique chance to be heard and do not have inadequate decisions affecting the business.
