Critical Infrastructure and Catastrophic Event Planning
Published September 7th 2025
Imagine a scenario in which a sophisticated cyberattack, targets a regional electricity provider serving a major metropolitan area. The attack, which targets the SCADA system of the provider, quickly knocks out power to several sub stations, with the following cascading impacts felt:
· The city’s light rail network grinds to a halt, leaving thousands of commuters stranded. Traffic management system outages cause a large spike in collisions and subsequent gridlock.
· Hospitals immediately switch to backup power generators, but not all equipment can run and elective surgeries are cancelled.
· Water and waste management plant pumping stations stop running and drinking water and wastewater services are affected.
· Food supplies run low as perishable items cannot be refrigerated and supply chains are disrupted due to transport chaos.
· Mobile networks, reliant on power for cell towers begin to fail.
The above is not some fictitious dystopian nightmare, but a realistic outline of the possible impacts when a piece of Critical Infrastructure (CI) is affected. It demonstrates the inter-connectivity of society and the ripple effect of an outage in one area. In this scenario, the principal cause is a cyberattack by a malign actor; however, similar cascading impacts can result from far less complex events, as demonstrated when Storm Eowyn struck our shores earlier this year.
CER Directive
For the European Union, the societal impact associated with the disruption to any form of CI has led to the development of the Critical Entities Resilience Directive (CER Directive).
CER Directive has been transposed into Irish law as the European Union (Resilience of Critical Entities) Regulations 2024 (S.I. No. 559 of 2024), and aims to strengthen the resilience of essential sectors like power, water, transport, health, and food production. It requires critical entities to develop resilience strategies, manage risk and notify authorities to ensure that these vital societal functions can withstand and recover from disruption.
The Directive also places a requirement on undertaking probabilistic and non-probabilistic risk assessments, understanding compounding and cascading risk and identifying vulnerabilities across upstream dependencies, downstream reliance, and lateral interconnections.
In line with the EU’s roll out of CER Directive, the Department of Defence, through the Office of Emergency Planning, and in partnership with the relevant competent authorities, will publish a Strategy for the Resilience of Critical Entities to be delivered in Q1 2026.
Catastrophic Event Planning
Emergency planning within the CI sector ensures that organisations can respond swiftly, protect life, minimise economic damage and ensure continuity of essential services. At Prosilience Consulting, we offer the following guidance, around how CI organisations can prepare for such events.
It starts at the top
Resilience only becomes part of organisational strategy, when it is championed by the C-Suite and embedded through cross functional collaboration. This visible commitment creates a culture where resilience is prioritised at every level of the organisation.
Crisis events strike hard and unless you can quickly communicate and coordinate, your chances of success are slim. Seamless coordination happens through practice and a culture of trust and regular information sharing. Organisations that are siloed in their approach will struggle to mount a response that is effective and cohesive.
Harness risk register information
Risk registers describe individual risks, their likelihood and impact, along with mitigation strategies that are necessary. Within this structure however, there is often additional information that CI organisations can harness to their advantage.
Post Covid 19, the UK Cabinet Office established the National Situations Centre. Its role is to identify data types and sources from the key stakeholders within the top 100 risks identified in the national risk register. In doing so, links can be established pre-emergency, thereby dramatically reducing the time to situational awareness in a national emergency.
Adopting a similar approach within CI can lead to the establishment of better relationships, faster situational awareness and ultimately decision making that is underpinned from information that is coming from verifiable sources. Source credibility assists us in dispelling misinformation and disinformation in a crisis, whilst building relationships in advance, facilitates bi-directional communications when they are most needed.
It’s all about relationships
Emergency management is inherently inter-organisational and requires trust, communications, coordination, and collaboration for success. Informal, trusted relationships between organisations are often the fastest way to share intelligence and much needed resources in the form of mutual aid when an emergency hits.
CI organisations can build this trust in advance of any emergency through joint training and exercises, along with networking in the form of conferences and symposiums.
Cyber is not just an IT issue
For some organisations, cybersecurity risk is seen as something that rests solely with the IT department. Cybersecurity risk can in fact, affect any aspect of an organisation and therefore cyber risk management must be viewed as a holistic business priority. Effective cybersecurity integrates people, processes and technology to promote a culture of security awareness across all business functions.
Organisations that promote cross functional collaboration in planning for, managing, and recovering from the impacts of an emergency, will greatly increase their chance of success in this area.
Review your crisis management plan
Is your plan a weighty document, with a myriad of identified risks and a roadmap for every possible scenario? If so, you need to think of a more streamlined plan, a plan that is incident agnostic, intuitive, and easily recalled by those using it. The goal is to build a coherent plan with a response methodology that is applicable across multiple scenarios.
Within your plan, having pre-identified staff roles, allow us to build functional playbooks, thereby avoiding duplication of effort and enabling rapid coordinated action. Through exercising, staff can become familiar with their roles and through technology, playbooks or action cards can be pushed to them, allowing their use as tactical aids in a crisis.
Harness the power of technology
Critical Event Management (CEM) software can help you manage a crisis with precision. Many crisis events affect organisations out of normal business hours, requiring us to have the ability to alert key members of staff remotely to begin our response.
Using outdated modes such as call trees will no longer cut it, as crisis events hit harder and move much faster than before. Similarly, many personal messaging apps do not have the ability to override silent functions on a phone; therefore user engagement is not guaranteed.
CEM software allows us to:
Geo-locate & notify key staff by skill set, incident proximity, and availability, overriding a phones silent function and guaranteeing user engagement in a fully auditable system;
Geo-fence to alert individuals entering hazardous zones;
Gather real time intelligence through secure photo/video submissions;
Achieve cross agency collaboration and bi-directional communications to build a Common Operating Picture; and
Provide out of band communication, in the event of a cyberattack or IT failure.
Ensure your EOC is fit for purpose
An Emergency Operations Centre (EOC) is the central hub of your response, where your team will convene, and where information management systems will inform decision making.
Within this structure we should have the option of convening at a fixed site location in a dedicated workspace, or alternatively, depending on the incident type and the situation at hand, a virtual/ hybrid operation that can connect stakeholders digitally across geographic areas.
Your EOC needs to be fully stocked and ready for use at short notice. Responsibility for this needs to be assigned in advance, with periodical checks for functionality scheduled on a regular basis.
Build an Information Management System
Information Management (IM) systems collect, analyse, and disseminate information to support evidence based decision making. System dashboards should have the ability to connect with other stakeholders, for shared situational awareness and a Common Operating Picture.
IM systems serve as a basis for decision making but also shape our crisis communications strategy, to allow us to inform the public and key stakeholders.
Effective, transparent crisis communication with the public is often as critical as technical recovery.
Consider using the Incident Command System
The Incident Command System (ICS) was first developed in California in the 1970s to deal with fast moving wildfires, but today it’s used worldwide to coordinate many different crises events, including those that threaten critical infrastructure.
At its heart, ICS is about structure and clarity. It gives teams a common language for command, control, and coordination, so that different agencies can pull in the same direction. With ICS in place, resources are used effectively, goals are clear, and everyone knows who they report to and who makes the key decisions.
Without this structure, responses can quickly unravel. Chains of command get blurred, communication breaks down, planning loses focus, and agencies struggle to work together. The result is wasted effort, slower decision making, and in some cases, real risk to responders on the ground.
One of the biggest strengths of ICS is how it manages complexity. Large incidents are broken down into clear functions, like Command, Operations, Planning, Logistics, and Finance. This lets leaders hand responsibility to the right people, avoid duplication, and keep the overall response moving smoothly. It also frees up cognitive space for the Incident Commander, allowing them to focus on the bigger picture rather than being bogged down in detail.
Put simply, ICS creates order from chaos. It balances central leadership with local decision making, helping teams stay agile, coordinated, and resilient when it matters most.
Conclusion
Resilience is not built in isolation. Critical infrastructure operators, regulators, and governments must collaborate, prepare, and continually adapt to ensure society can withstand and recover from the most severe shocks.
The time to prepare is before the crisis hits. By investing in resilience, fostering trusted relationships, and ensuring plans are agile and actionable, organisations can protect lives, economies, and the critical systems we all depend on.
At Proslience Consulting we exist to help organisations lean forward in the face of crisis. We build plans, create exercises, and provide training to support your organisational resilience. If you’d like to talk to us about how we can help your organisation prepare for a wide range of crisis events, then please contact us at:
derek@prosilienceconsulting.eu
www.prosilienceconsulting.eu