Once upon a time there were IT-based National Critical Infrastructures, but those times are gone forever. This could be the beginning of a modern bedtime tale, because today both the national qualifier and the distinction between IT and non-IT are pointless: every Critical Infrastructure is in fact IT-based, or "digital" as it is now more commonly said, and almost no Critical Infrastructure is purely national.
But what is in fact a Critical Infrastructure (CI)? According to the definition of the US Department of Homeland Security (DHS), "The nation's CI provides the essential services that underpin US society and serve as the backbone of our nation's economy, security, and health." The DHS then lists 16 sectors "so vital to the US that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof."
At the European level we still lack a definition with this level of clarity, probably because we are more diverse than the US and, in any case, we are still in the implementation phase of the Network and Information Systems (NIS) Directive, promulgated by the European Parliament and by the Council on 6 July 2016 and to be adopted by all Member States by 9 May 2018 (Italy published the decree necessary to comply on 21 February).
The Directive clarifies that Operators of Essential Services (OES), the name Europe chose to adopt for CIs (in fact directly echoing the DHS definition above), are "those entities providing a service which is essential for the maintenance of critical societal and/or economic activities", that this service furthermore depends on network and information systems, and that an incident would have significant disruptive effects on the provision of the service; it then asks the Member States to create their own list of services based on 7 main sectors and 7 sub-sectors.
Both definitions above therefore recognize that CIs have been built to provide essential services to the nations they belong to and that they are largely based on digital systems. What these definitions do not include is a significant series of additional attributes that are nevertheless very relevant when we consider how to protect the capabilities required to provide the services underpinned by the different CIs, and what their significance could be when warfare considerations come into play.
Let’s try and list the main points:
- CIs have very different levels of digitalization, having been (re)built over the last 70 years, starting from the reconstruction that followed WWII (almost all main utilities in Western countries started their operations in that period, even if certain technologies, e.g. mobile communications, jet planes, satellites, etc., have obviously been added at later stages).
- CIs are a mix of "industrial" facilities, assets, plants and networks plus IT components, based on technologies developed for civilian usage (dedicated and closed systems, industrial-grade cabling, SCADA, DCS/ICS are the basis on which the large majority of CIs still operate).
- The main focus of designers and builders of CIs has been efficiency and safety (for the last 40 years the operation of industrial plants has been subject to a constant effort to improve working conditions, reduce safety risks and limit the potential for failures affecting the environment and the population, particularly following some clear catastrophic examples of many different kinds. Just to mention some names we could recall Bhopal, Chernobyl and Fukushima, but we must also consider the many events occurring every day that still make up the count of work-related fatal accidents; plenty of standards and certifications have been drawn up and implemented to mitigate these risks).
- CIs were created by Westphalian nations to serve the development of each country, but over time they have been "privatized" and transformed into market entities, often listed on stock exchanges and with objectives tied to shareholders' value more than to stakeholders' benefits (no examples are needed in this case: it would be much more difficult to list the "contrary" examples in which this sequence of events does not hold true).
- As globalization took off, CIs became more and more open, interconnected and interdependent, seeking both to lower costs and to increase scale and synergies (thus we have multiple foreign ownerships of CIs, but also multinational CIs, as well as infrastructures that are clearly global in nature, e.g. oil pipelines and internet cables, but also airlines, air traffic control networks, satellite constellations, etc.).
From a practical viewpoint, CIs in Western countries (which have made globalization, specialization and market openness the core of their economic development), and in Europe in particular, are not self-contained entities but rather a complex system of assets and networks with different types of technological components, of worldwide provenance, that have generally been designed for closed-system operation. In this context, when the assets and networks started to be interconnected, and then often opened to the Internet, vulnerabilities that were negligible in a closed environment suddenly became very relevant.
Because of this self-evident situation everybody agrees that it is necessary to raise the level of protection of CIs, and it is therefore no coincidence that probably the major initiative activated by the European Commission, before the Cybersecurity Act currently under discussion and before starting any joint initiatives in Cyber Defense involving the EDA or within the PESCO context, has been the NIS Directive, aiming at a high common level of security of network and information systems across the Union.
The real goal for CIs should in any case be not (only) cyber protection, but rather cyber resilience: for Essential Services it is in fact more important to guarantee the continuity of the service itself, possibly in a partially degraded but controlled state, than to try to erect barriers against every kind of threat and possible attack, thus practically implementing what is defined as a deterrence-by-denial doctrine.
According to current approaches and methodologies this goal is attainable through a clear discipline in the design and build phase, using many different techniques known collectively as security-by-design and resilience-by-design. Unfortunately, achieving a situation in which OESs are cyber-resilient enough to mitigate to an acceptable level the risks from cyber events (regardless of their attribution to hacktivists, terrorists, acts of warfare, sabotage or any other initiator) must take into account what we discussed above about the current state of the complex systems constituting the CIs: if we do so, many problems to be considered immediately become evident.
First, resilience-by-design techniques can be applied to newly designed systems, but CIs are normally quite old or are, at least, the superposition of many systems with different technologies from different ages, making it difficult to identify generalized techniques to create resilience: each case must be analyzed as a single instance, and specific remediation must be designed and built. This will require strong cooperation in order to align standards and techniques and, more importantly, to exchange what could be sensitive information on the underlying systems, protocols and technologies used by the various technology providers.

Second, since OES are closely interconnected, each requiring at least some services from other CIs (e.g. telecommunications, energy, gas, water, transportation, etc.), we find ourselves in a situation in which either we design multiple redundant sub-systems for every CI or we must find a way to guarantee an acceptable level of performance of all interconnected CIs. This leads again to the need for information sharing, but raises the level of complexity once more, since we will now need to exchange information among many more subjects: not only technology providers, but the CIs themselves, which could sometimes be partially competing in certain sectors or markets. Policy-makers generally try to enable this exchange through the mediation of independent entities such as CSIRTs.
Third, CIs are interconnected across national borders, sometimes across the borders of geographical areas of influence (think for instance of gas and oil pipelines or of internet cables), and therefore resilience cannot simply be enforced, but must be built through G2G agreements, through commercial contracts, and through the recognition of mutual benefits. Once again information sharing is required and the complexity is higher still, since we are now talking about sharing information across national boundaries, and this must obviously be done without prejudice to National Security (see for example NIS art. 7.3). CSIRTs are again part of the equation, in this case with some transnational form of coordination to be implemented.
Transnational CI interconnections also make it difficult to address a Defense-led response to cyber events: joint or coalition initiatives will help in this respect, but international treaties should be drawn up, because if an OES is put at risk by an event occurring in a separate geography, the rules on how to approach this situation will need to be clearly known in advance to avoid the risk of misinterpretation and escalation.
Fourth, CIs are generally private, for-profit companies, and therefore the costs required to build security and resilience must be recognized as part of the company's mission, finding their way into the company's governance, for instance as part of the stakeholders' interests in its Corporate Social Responsibility vision, but necessarily also contributing to the company's P&L and Balance Sheet. Any different arrangement would jeopardize the competitive position of the company acting as OES and in the long run could do more damage to the overall resilience of the system than a failure to properly recognize and address this need. In short, security and resilience have a cost, and we must collectively decide how this cost must be borne.
Cyber-protection and cyber-resilience of CIs have a clear technological dimension that can be tackled and managed by a Security Provider such as Leonardo and by major players in the Defense and Security arena. Technology alone, however, will not suffice to provide a context in which continuity of operations of CIs can be guaranteed unless the points above are addressed by policy-makers, by supra-national organizations and by stakeholders, who must recognize that the very complex framework of technologies and service interactions on which our society is based requires an at least equally complex effort to be secured.
Unfortunately, this complex framework we live in has been built over the last 70 years, but we do not have the same amount of time to disentangle all the links we have built and to decide on a way to approach the resilience of the overall system.
The NIS Directive currently indicates, for instance, that (Art. 5.3) "…where an entity provides a service as referred to in point (a) of paragraph 2 in two or more Member States, those Member States shall engage in consultation with each other…" and that (Art. 17.3) "If a digital service provider has its main establishment or a representative in a Member State, but its network and information systems are located in one or more other Member States, the competent authority of the Member State of the main establishment or of the representative and the competent authorities of those other Member States shall cooperate and assist each other as necessary. Such assistance and cooperation may cover information exchanges between the competent authorities concerned and requests to take the supervisory measures...".
It is a starting point, and a good one in fact, since the complexity of the situation is clearly recognized and is starting to be addressed, but we must quickly progress from recognition to execution; the timing of technology development, of cyber-technology development in particular, is becoming less and less compatible with the timings of diplomacy and policy-making.
- DIRECTIVE (EU) 2016/1148 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union
- Draft legislative decree implementing Directive (EU) 2016/1148 on measures for a high common level of security of network and information systems across the Union (520), transmitted to the Presidency on 21 February 2018
- SCADA = Supervisory Control And Data Acquisition
- DCS / ICS = Distributed Control System / Industrial Control System
- EDA = European Defence Agency
- PESCO = PErmanent Structured COoperation on security and defence