What distinguishes a CBRN programme from a project for critical-infrastructure operators?

A programme has a continuing budget line, a named accountable executive, an annual review cycle, and outputs feeding both regulatory reporting and the operator's board-level risk register. A project ships once and does not iterate.

How often should aggregate-posture exercises run across a multi-site operator's portfolio?

Annually at minimum, with site-level exercises running quarterly. Lower cadences leave the aggregate response unrehearsed and produce predictable failure when activated.

Critical-Infrastructure CBRN Preparedness

Critical infrastructure inherits CBRN risk from adversary intent, not from operator preference. The risk is standing, not episodic. Programmes that meet it are built deliberately and maintained continuously.

Tier 1 — site-specific threat assessment

Each site's threat picture differs. A power-distribution substation, a water-treatment plant, and a telecommunications backbone facility share a category — critical infrastructure — and share little else operationally.

The site-specific assessment names the agents in scope, the dispersal vectors plausible at the site, the standing adversary intent against the site's role in the wider system, and the specific indicators that would precede an attempt. The assessment is reviewed against the regional threat picture and the operator's incident history.

Tier 2 — calibrated detection and response per site

Detection capability is calibrated to the agents in scope. Response capability matches the site's operational footprint. Both are documented, drilled, and reviewed.

The disciplines that distinguish operational capability from notional capability:

Detection-sensor calibration on a documented cadence.
Operator competence — the site personnel who would respond have the documented training, refreshed against the AAR cycle.
Response timing — measured against documented benchmarks, not against operator self-assessment.
Equipment readiness — PPE, decontamination, medical countermeasures stored to standard, audited regularly.

Tier 3 — aggregate posture across the portfolio

A multi-site critical-infrastructure operator has more capability than any single site can produce. The aggregate posture is the architecture that mobilises the portfolio.

Aggregate posture includes mutual-aid arrangements between sites, central intelligence-sharing on indicators across the portfolio, and a programme-level after-action review that captures lessons across the system rather than at site level only. Without the aggregate posture, every site faces the threat alone.

The exercise architecture

Documented exercises are the means by which the three tiers are validated. The exercise architecture covers single-site scenarios, multi-site scenarios that test mutual aid, and aggregate-posture scenarios that include host-nation services.

Exercise cadence is the diagnostic. An operator running site-level CBRN exercises annually and aggregate exercises every two years is in a different operational state to one running site-level exercises quarterly and aggregate exercises annually. The threat picture does not adjust to the exercise cadence.

The programme posture

Critical-infrastructure CBRN preparedness is a programme, not a project. The programme has a budget line, a named accountable executive, an annual review cycle, and a documented improvement plan. Its outputs feed the operator's regulatory reporting and its own board-level risk register.

Programmes carrying all of the above survive contact with reality. Projects that look like programmes do not.

Critical-infrastructure CBRN preparedness — programme architecture