Legal Dimension of the Protection of Critical Infrastructure – Selected Aspects

Aim: This article attempts to present the legislative process in Poland regarding critical infrastructure, for which the governing acts are the Act of 26 April 2007 on crisis management, which specifies, inter alia, the authorities competent in crisis management and their tasks and principles of operation in this area, and the implementing acts issued on its basis. The regulations introduced define the concept of critical infrastructure and its protection, as well as activities related to the prevention of crisis situations, reacting in the event of their occurrence and preparation to take control over them, and removing their effects and recreating key resources.
Introduction: Regulations concerning the protection of critical infrastructure are included in legal acts covering various areas of the country’s functioning, including telecommunications activities, production and trade in fuels and electricity, performance of defence tasks by entrepreneurs, creation of strategic reserves, powers of the minister competent for the State Treasury in some companies, and protection of persons and property. The protection of critical infrastructure is related to the raison d’état, which indicates the need to make special efforts to protect the country’s key infrastructure. Therefore, it is reasonable to present selected legal elements needed to protect critical infrastructure, especially those issues that ensure the continuity of the operation of public administration bodies, which are to ensure the safety of the citizens.
Methodology: The article was prepared based on the analysis of the literature on the subject and the analysis of legal acts in the area of strengthening the concept of critical infrastructure, taking into account the current situation related to the pandemic and, consequently, the loss of some officers and employees. During the analysis of the conducted research, compact publications, acts of Polish law as well as guidelines and recommendations published on the websites of governmental institutions were used.
Conclusions: In the protection of critical infrastructure, there is a need to introduce legal regulations within the framework of cooperation between institutions. The preparation of effective activities in the area of critical infrastructure requires a comprehensive approach, including physical, technical, personal, ICT and legal protection, as well as assistance from the government in the reconstruction of the damaged element. Each of the areas mentioned above is a complex set of activities requiring general and specialist knowledge, sometimes expert knowledge, extensive practical experience (using the so-called good practices), risk analysis skills, and risk prediction (profiling).


Introduction
This article attempts to present the legislative process in Poland regarding critical infrastructure, for which the governing acts are the Act of 26 April 2007 on crisis management [1], which specifies, inter alia, the authorities competent in crisis management and their tasks and principles of operation in this area, and the implementing acts issued on its basis. The regulations introduced define the concept of critical infrastructure and its protection, as well as activities related to the prevention of crisis situations, reacting in the event of their occurrence and preparation to take control over them, and removing their effects and recreating key resources [2].
Legal regulations referring to the protection of critical infrastructure have been included in many legal acts [1, 3-5], covering various areas of the functioning of the country. However, some legal acts do not refer directly to critical infrastructure (CI), and the analysis of the terms used, including those related to the facilities, indicates that they have a similar, and often even the same, meaning [6]. In this subject, the following areas of activity are distinguished: telecommunications activities, production and trading of fuels and electricity, performing defence tasks by entrepreneurs, creating strategic reserves, powers of the minister competent for the State Treasury or protection of persons and property [7]. Therefore, it is reasonable to state that the formal and legal conditions for the protection of CI existed before the entry into force of the Act of 26 April 2007 on crisis management [1].
SFT VOL. 59 ISSUE 1, 2022, PP. 166-181
The term critical infrastructure refers primarily to national resources that are essential for the functioning of the state and its citizens. This concept defines physical objects, supply systems, technologies and information networks which, as a result of destruction, disruption or damage, become unavailable for a certain period of time, and thus may significantly affect the social or economic determinants of the society, as well as affect the ability to provide defence and national security. Critical infrastructure comprises real and cybernetic systems (and in these systems objects, devices or installations) necessary for the functioning of the economy and the country. It plays a key role in the functioning of the country and the life of its citizens. As a result of events caused by natural forces or resulting from human activities, critical infrastructure may be destroyed, damaged, and its operation may be disrupted, which may endanger the lives and property of the citizens. At the same time, such events negatively affect the economic development of the country.

Legal aspects of critical infrastructure
Pursuant to art. 3 of the Act on Crisis Management [1], the concept of critical infrastructure should be understood as systems and their functionally linked objects that are key for the security of the country and its citizens and for ensuring the efficient functioning of public administration bodies, as well as institutions and entrepreneurs. The group of systems that may be part of this infrastructure is extensive and includes, among others: energy supply systems, transport systems, energy resources and fuels, as well as communication systems, IT networks, financial systems, food and water supply systems, systems for production, storage and use of chemical and radioactive substances, health protection and rescue systems as well as systems ensuring the continuity of public administration operations.

The legal act in force in Poland, on the basis of which certain systems are designated to the group of European Critical Infrastructure (ECI), is the EU Council Directive on the identification and designation of ECI [9], establishing the procedure for defining ECI and the rules common to EU approaches to assessing the need to improve the protection of such infrastructure, in order to better protect the population and minimize potential economic and social losses. An important element here is the fact that these are systems whose disruption or destruction would have a significant impact on at least two EU Member States.
Taking into account the applicable legal acts, it can be stated that their scope regulates, among others, the following issues in the area of the functioning and protection of critical
In addition to the legal acts mentioned above, special attention has been paid to those elements of critical infrastructure that are important for ensuring the continuity of the country's functioning, regardless of the type of threats. Therefore, other documents have also been issued, which in their records indicate the dimension in question in the area of critical infrastructure. They are, among others: 2018 amending the regulation on the determination of government administration bodies that will establish crisis management centres and the manner of their operation [12],
4. Act on the organization of tasks for national defence carried out by entrepreneurs [13], which allowed for creating a legal structure of an entrepreneur of special economic and defence importance, implementing tasks for the benefit of state defence (i.e. in the area of economic mobilization, militarization, operational planning, defence training, as well as under HN obligations),
5. Act on the protection of persons and property [14].
In the context of CI, the most important thing is that the Act
6. Act on aviation law [15].
The Act covers issues related to air navigation, airport ground infrastructure and aircraft. A separate chapter (art. 84-85) deals with rescue and fire protection of airports. Pursuant to art. 84, the airport operator is obliged, among others, to develop an action plan in an emergency, organize and ensure the functioning of the rescue and firefighting service equipped with specialized equipment, and maintain the necessary rescue and fire-fighting measures.
The Act applies to railway infrastructure, some of which belongs to the critical infrastructure. In this context, the Act also defines the principles of the management of railway infrastructure, by maintaining it in a condition ensuring safe railway traffic management (art. 5 sec. 1 point 3), as well as the manager's obligation to take action to eliminate the risk in a situation where the safety of railway traffic or the safety of passenger and goods transport is at risk (art. 5 sec. 5).
The Act regulates the principles of conducting business by providing telecommunications services. As a critical infrastructure protection tool, it is essential for many reasons. It defines a telecommunications undertaking, which in many cases allows
9. Act on water law [18].
The Act, comprehensively regulating the issues of water management, includes, among others, regulations concerning strict protection and supervision of specific areas, important for the supply of drinking water, i.e. an element of critical infrastructure.
The Act provides for the possibility of establishing protection zones for water intakes and protection areas for inland water reservoirs (art. 51 points 1-2). In the former, there are orders, prohibitions and restrictions on the use of water and land, while the protection zone itself is divided into the area of direct and indirect protection (art. 52). In direct protection areas, it is forbidden to use the land for purposes not related to the operation of water intake (art. 53), while in indirect protection areas, restrictions may or may not apply to activities reducing the usefulness of the abstracted water or the catchment efficiency (art. 54). The above provisions create the possibility of additional protection of the critical infrastructure system related to water supply.
10. Act on strategic reserves [19].
to the Regulation, these facilities are subject to special protection (§ 5). They have also been divided into category I facilities (listed in points 1-9 § 2) and category II facilities (listed in points 10-19 § 2). The minister of national defence is responsible for determining the requirements for the preparation and implementation of special protection for category I facilities, while the minister responsible for internal affairs has the same obligation with regard to category II facilities. In fact, objects of both categories are largely critical infrastructure, which is another example of the fact that its protection was prepared and carried out long before the decision was made on its legal and structural separation and on additional requirements for its protection, involving the need to prepare, among others, the National Protection Program of Critical Infrastructure.
Apart from the aforementioned legal acts, the Act of 27 March 2003 on spatial planning and development [29] and the Act of 4 September 2008 on the protection of shipping and seaports [30] should also be mentioned. They are also related to the issues of critical infrastructure. The first requires that planning and spatial development take into account the needs of state defence and security (art. 1 sec. 2 point 8) [29], while the second regulates the issues of protection of seaports and port facilities (art. 2 sec. 1) [30]. Critical infrastructure is crucial for the existence of the country and, within it, of an organized society. If its functioning is disrupted, the country and its institutions may lose all or part of their ability to perform their basic administrative and service functions, as well as to exercise effective control over their entire territory. Improper management of critical infrastructure undoubtedly prevents economic and social development and, in some cases, can even lead to the decay of social life. Therefore, it is worth remembering that critical infrastructure in Poland is not completely free from threats, and the society is not free from the consequences of its deliberate damage or failure. According to the scale and sources of threats, this infrastructure should be developed and protected using appropriate instruments. As in other countries, in Poland modern and efficient critical infrastructure, regardless of emerging threats, is a decisive factor in the effectiveness of the functioning of the country. In extraordinary situations it also determines its survival [24]. The elements of critical infrastructure systems constitute a collection of classified information, which means that a specialized group of people with a certificate confirming access to classified information has the right to decide on their composition and functioning.
Therefore, in order to achieve the objectives of the program in question, it is necessary to adopt the principles that should guide its participants [25]:
- recognition of differences between CI systems: CI systems have many similarities, but they have some unique features that should be taken into account in the area of CI protection,
- leading role of the minister responsible for the CI system: the initiative to increase the level of protection of infrastructure essential for the functioning of society came from the administration, therefore it should have a significant share in the activities to improve CI security. This role in building trust and effective cooperation is played by the ministers responsible for the CI system, regardless of the CI operator's obligation to protect CI,
- equality of CI operators: CI operators include both private entities, state-owned entities, and the administration itself.
The presented program emphasizes that the operators of a significant part of critical infrastructure are private entrepreneurs not related to the public administration. NPOIK establishes a framework in which the public administration and CI operators cooperate in order to ensure the continuity of CI operations, thus protecting the economic and social foundations of our country. It also outlines the mechanisms of developing partnership relations between the public administration and CI operators in the area of CI protection. Taking into account the above and the obligation imposed on the CI operators by the Act, NPOIK is also addressed to these entities, and in particular to their management boards.
Each new CI operator becomes its addressee automatically. CI operators participate in the activities for the benefit of CI protection described in the program [26].

Identification of critical infrastructure - importance for the protection of facilities, installations and devices of critical infrastructure
Identification of objects, devices, installations or services, the destruction or disrupted functioning of which could cause a crisis situation, is a key stage in the protection process of critical infrastructure. In order to achieve maximum objectivity, the Government Centre for Security, in cooperation with the ministers and heads of central offices and with the support of private entrepreneurs, developed criteria for the identification of critical infrastructure [25].
In the individual systems referred to in the Act, critical infrastructure will be selected on the basis of specific criteria. These criteria are divided into two groups [27]:
1. Sector (system) criteria that characterize parameters (functions) of an object, device, installation or service in terms of quantity or subjectivity, the fulfilment of which may result in being classified as elements of critical infrastructure. These criteria are presented for each of the CI systems.
2. Cross-cutting criteria, describing parameters related to the effects of the destruction or non-functioning of a facility, device, installation or service.
In order for an object, device, installation or service to qualify as CI, in accordance with the adopted methodology, all three steps presented below must be completed:
- in the first one, in order to make the first selection of objects, installations, devices or services that could potentially be considered CI in a given system, the sector (system) criteria relevant for a given CI system should be applied to the system infrastructure,
- in the second one, in order to check whether the object, device, installation or service plays a key role for the security of the country and its citizens and whether it serves to ensure the efficient functioning of public administration bodies, as well as institutions and entrepreneurs, the infrastructure selected through the fulfilment of the first step should be checked against the definition contained in art. 3 point 2 of the Act,
- in the third one, in order to indicate the effects of the destruction or cessation of the functioning of a potential CI, cross-sectional criteria should be applied to the infrastructure selected through the fulfilment of the first and second steps (the criteria that best reflect the characteristics of the system should be selected), while in order to complete the third step, the potential CI must meet at least two cross-sectional criteria [27].
It is worth mentioning that meeting the cross-sectional cri- Critical Infrastructure and, similarly to the program itself, require systematic updating. Thus, it will be possible to use the mechanism to "regulate" the criteria in such a way that they cover a larger or smaller number of CI elements. The assumption is that in the future, after developing tools that would allow for the evaluation of the effects of destruction or cessation of the functioning of CI in a meaningful manner, the sectoral (systemic) criteria should be abandoned altogether.
As a result, the cross-cutting criteria would be applied to any chosen system infrastructure or to any national infrastructure [27].

Conclusion
Critical infrastructure is characterized by extremely complex, het- There are many answers, pointing to errors in building an appropriate technical and physical protection system, improper cooperation of the owners of critical infrastructure with the services and bodies supporting its protection.
Planning of effective forms of defence of critical infrastructure should take place on the basis of a coherent system for monitoring threats, which may facilitate the diagnosis of the danger.
It is the ability to predict a crisis situation, as well as the introduction of preventive mechanisms that use a full range of the offered protection, that is a measure of the country's efficiency in the area of achieving its most important goal, i.e. securing the life and health of the citizens. Therefore, appropriate division of competences and responsibilities, the introduction of effective planning methods, as well as organizational and financial methods, and the appropriate distribution of protective tasks to national and private entities will determine the improvement of the response process related to the emerging crisis situations.
In summary, the experience gathered in connection with the protection of critical infrastructure indicates that it is not possible to ensure complete protection of the elements of the state's security infrastructure. For this reason, special effort should be put into the maximum hardening of infrastructure
element of the country's protection system of critical infrastructure. His activity may increase or decrease the resilience of critical infrastructure, and in drastic cases lead to its disruption, deprivation of functions or complete destruction. Human activity, both positive (creating) and destructive, can be the result of deliberate or accidental actions. In order to limit the destructive activities of people as much as possible, a significant challenge in the protection of critical infrastructure has become not only the development of appropriate procedures, but also the raising of public awareness of that infrastructure.
Critical infrastructure plays a key role in the functioning of the country and its citizens. As a result of the events caused by forces of nature or resulting from human activities, i.e. in crisis situations (situations that negatively affect the level of safety of people, property to a large extent or the environment, causing significant restrictions in the operation of competent public administration bodies due to the inadequacy of the resources available to them according to the above-mentioned Act, art. 3 point 1) [1], critical infrastructure may be destroyed, damaged, and its operation may be disrupted. Such events negatively affect the economy of the country and the lives of its citizens. The essence of the tasks related to critical infrastructure boils down not only to ensuring its protection against threats, but also to ensuring that any disruptions in its functioning are as short-lived as possible, easy to remove and do not cause additional losses. Hence, the protection of critical infrastructure is one of the priorities facing Poland and has a significant impact on the national security system. It is therefore important that the legal provisions are precise and do not affect security, and that the efficiency of organizational structures is ready to face new challenges and to counter threats, which may be decisive for the state of security of the country.