OSCE guidance aims to protect ‘major target’ critical infrastructure from physical attacks

As violent extremist movements and terrorist organizations view critical infrastructure as a “major target,” the Organization for Security and Cooperation in Europe released new physical security guidance intended to help governments, owners and operators cut through “a complex web of practices, principles and nonbinding guidance documents” across member states.

The Technical Guide on Physical Security Considerations for Protecting Critical Infrastructure against Terrorist Attacks was released by OSCE’s Transnational Threats Department in English and Russian. In 220 pages, it lays out “structured guidance on practices, principles and considerations that can enhance the physical security of permanent CI sites and facilities, with a view towards preventing, better preparing for and mitigating terrorist attacks.”

The focus on physical security comes as European countries have been dealing with various cyber breaches against critical infrastructure, including attacks against water suppliers in Britain, airports in multiple member states and undersea cable networks. Google Cloud Security said in its Cybersecurity Forecast 2026 released this week that Europe is poised to see a spike in cyber-physical attacks targeting critical infrastructure sectors.

“The many good practices cited from across our membership are a testament to the depth and breadth of this knowledge and expertise,” Ambassador Alena Kupchyna, coordinator of activities to address transnational threats, wrote at the outset of the guidance. “…By sharing the guidance and good practice compiled in this Guide with both public and private stakeholders, we are confident we can improve our collective security against evolving terrorist threats and protect the essential services these terrorists threaten.”

The guidance covers strategic and legal frameworks for critical infrastructure protection including crisis management, human rights considerations such as the use of force and privacy rights, public-private partnerships including information sharing, and identifying and managing risk.

It extensively delves into how terrorists view critical infrastructure as a prime target due to its symbolic value, the potential for economic damage, the psychological value of hitting services that impact many people, the propaganda value and media attention derived from a successful attack on high-impact targets, the potential for high casualties and more.

It also covers attack methods such as explosives, firearms, vehicles, arson, hostage-taking at critical facilities, utilizing drones to bypass ground-level security, and using chemical, biological, radiological or nuclear materials — either in an attack from the outside or as an insider threat.

“A nuanced assessment of extant threats and risks to a given CI facility is central to protecting that facility from terrorist attacks,” the guidance states. “Such assessments drive the range of security responses, including physical security measures. If these assessments are incomplete or inaccurate, it can put CI facilities, personnel or processes in danger.”

Physical security measures “supported by proper personnel and procedural measures to ensure that they are executed by authorized individuals and regularly tested” are discussed, including perimeter security, access-control systems, screening of people and vehicles, and measures such as bullet-resistant glass or blast curtains. “Mailrooms can represent a significant CI facility vulnerability if they are poorly located, poorly constructed or insufficiently designed to address potential threats from, for example, mail-borne IEDs,” the guidance notes. “Considerations for the location of a mailroom should be made for newly constructed CI facilities, with preference given to mailrooms located near the perimeter of a CI facility to avoid mail-borne IEDs being transported through a CI facility on the way to processing in a mailroom.”

The section on security planning and hardening targets includes how potential attackers may conduct reconnaissance on critical-infrastructure targets or choose to conduct attacks using a vehicle as the weapon or carrying an IED.

“CI facility personnel are likely to be familiar with the principles and practices of evacuations due to fire or earthquakes. However, in the event of a terrorist attack, the appropriate response may be to not evacuate, and thus the evacuation response will differ from that to a fire,” the guidance continues. “For example, personnel may be directed to specific exits or to avoid a particular route or area. For this reason, it is important to avoid activating the same alarm for a terrorist threat and a fire to reduce the possibility of an incorrect response.”

The guidance also includes sections on business continuity management and detecting insider threats. “The definition of insider threat should be specific to the context of a CI sector or stakeholder,” OSCE says, citing guidance from the U.S. Cybersecurity and Infrastructure Security Agency. Some insider threats may be intentional and some negligent, OSCE adds, and some may be self-motivated to take hostile actions while others may be recruited by outsiders eager to take advantage of insiders’ access to critical facilities.