Intro to Critical Infrastructure Protection

THE SAFETY AND SECURITY OF CRITICAL INFRASTRUCTURE
"When our hometowns are secure, our homeland will be secure" (Tom Ridge)

A critical infrastructure is defined as any facility, system, or function which provides the foundation for national security, governance, economic vitality, reputation, and way of life. In short, critical infrastructure is by definition essential for the survival of the nation. The USA PATRIOT Act specifically defines critical infrastructure as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." FEMA defines critical infrastructure as "personnel, physical assets, and communication (cyber) systems that must be intact and operational 24x7x365 in order to ensure survivability, continuity of operations, and mission success, or in other words, the essential people, equipment, and systems needed to deter or mitigate the catastrophic results of disasters." The DHS Daily Open Source Infrastructure Reports specify the following sectors as part of critical infrastructure: Energy, Chemicals, Nuclear Reactors, Materials and Waste, Defense Industrial Base, Dams; Banking and Finance, Transportation, Postal and Shipping, Information Technology, Communications, Commercial Facilities; Agriculture and Food, Water, Public Health and Healthcare; Government Facilities, Emergency Services, National Monuments and Icons. Obviously, not only are there various definitions of critical infrastructure, but there are so many specified components of it that it is impossible to lock-down or lock-out everything.

Furthermore, attempts to specifically define critical infrastructure may be futile, since there are several ways to look at the concept. First of all, one could base the concept in notions about the value of human life. This asset value approach is usually taken when the idea of "continuity" is considered. The way it's usually put is by saying that the continuity, or continued operation, of a critical infrastructure is essential for the maintenance of human life and/or the maintenance of some standard of living that people have become accustomed to. The continuity of critical infrastructure is essential to avoid panic and hysteria during the impact of a disaster. Every day, a person's life is shaped or affected in some way by one or more critical infrastructures. Life, as we know it, is not possible without critical infrastructures, and they are all connected together in a "system of systems" where failure in one can cascade into a failure of all. This line of thinking is not only important to authorities who want to make sure that life stays worth living, but it is also the hope and dream of terrorists to find that one small chunk in the armor which makes the whole house come down. In other words, terrorism represents the ultimate "anti-continuity."

Yet, others approach the concept of infrastructure as representing those things indispensible for cultural purposes. This is the thinking behind identification of vital or key assets, which are usually things synonymous with national pride, prestige, morale, confidence, reputation, and accomplishment of mission. An example of a key asset would be a national monument or icon which needs to "survive" because neglecting it would send the wrong message. Reasonableness and timeliness are the basic elements of survivability in this mode of thinking, with reasonableness meaning the degree of environmental stress, and timeliness meaning the notion of "mission-critical" during certain periods of time. An example would be an electrical blackout on New Year's Eve in the Big Apple where Americans wouldn't be able to mark the start of the New Year in the way they have become accustomed.

Critical Infrastructure Protection (CIP) consists of all proactive activities to protect indispensable people, physical assets, and systems (especially communications or cyber systems) which are guided by a systematic and reliable decision making process which assists leaders to determine exactly what needs protection, where, when, and how. It is proactive in the same sense that mitigation in emergency management is proactive and goes beyond normal security, defensive postures. The basic steps of CIP consist of: identifying the critical infrastructures, determining the threats against those infrastructures, analyzing the vulnerabilities of threatened infrastructures, assessing the risks of degradation or loss of a critical infrastructure, and applying countermeasures where risk is unacceptable. However, CIP goes beyond ordinary risk analysis, as will be explained later.

Various organizations have existed to defend the country's critical systems. Starting in 1996, the position of national coordinator for security, infrastructure protection, and counter-terrorism (sometimes called the position of "cyber-czar") was created as part of the White House's National Security Council to oversee national policy development and implementation for CIP. Another organization, the Critical Infrastructure Assurance Office (CIAO) existed to coordinate the federal government's initiatives on CIP, to assist agencies in identifying their dependencies and vulnerabilities, and to coordinate awareness programs. Another organization, the National Infrastructure Protection Center (NIPC) served as a threat assessment center and included members of the FBI, DoD, Secret Service, and CIA. Out of NIPC, the InfraGard program was established to provide a mechanism for two-way information sharing about intrusion incidents and system vulnerabilities, and to further provide a channel for the NIPC to disseminate analytical threat products to the private sector. Information Sharing and Analysis Centers (ISACs) also exist, but the List of ISACS maintained by DHS (links also found here) indicate that most if not all are owned and operated by the private sector, with little involvement and poor funding by government. The Information Sharing and Analysis Centers (ISACs) are part of the private sector's responses to the call for action made in May 1998 by Presidential Decision Directive 63. The purpose of an ISAC is to gather and analyze information about information security threats, vulnerabilities, incidents, countermeasures, and best practices. An ISAC typically consists of a secure database, analytic tools, and information gathering and distribution facilities designed to allow authorized individuals to submit either anonymous or attributed reports about information security threats, vulnerabilities, incidents and solutions. ISAC members also have access to analytic products produced by other members and obtained from other sources.

Also, since 1999, an effort has been made to establish the Federal Intrusion Detection Network (FIDNet) as a government-wide monitoring system that coordinates intrusion detection and other suspicious behavior patterns involving government computers. Although this effort is far from being completely realized, a central analysis unit can be found in the Federal Computer Incident Response Capability (FedCIRC) program. An effort by the government to more fully involve private sector computers was exemplified by the 1999 Cyberspace Electronic Security Act (CESA), which would have allowed the government to obtain decryption information from third parties, if necessary to view communications or data if any privacy concern needed to be overcome by consent, warrant, or order.

Guiding documents include: the USA PATRIOT Act of 2001 (Supp. II 2002); NIPP (2006); and a 2003 document known as the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets (pdf). In the 2003 document, thirteen (13) critical infrastructure sectors were identified, but the chemicals sector was left off the list for some inadvertent reason, and Homeland Security Presidential Directive 7, issued in late 2003, corrected this and made some other changes such as taking the Defense Department, Postal Service, and Maritime sector off the list, or merging them into other identified sectors. The NIPP document identifies thirteen (13) sectors: agriculture; food; water; public heath; emergency services; government; defense industrial base; information and telecommunications; energy; transportation; banking and finance; chemical industry and hazardous materials; and postal and shipping. Since 2004, it has been customary to say there are fourteen (14) critical infrastructures in the United States, and in alphabetical order, they are:

As the target of terrorism, a critical infrastructure can be either destroyed, incapacitated, or exploited. It is important to note that these involve different strategic objectives. If terrorists seek to completely destroy something, then their own access to those resources will be affected. Bioterrorism, for example, not only destroys much critical infrastructure, but is mainly a suicidal tactic. Many sectors of a critical infrastructure are looked upon, by terrorists, as a "force multiplier" for them; i.e., they may need to keep banking systems or computer systems intact. It is likely that terrorists would temporarily incapacitate a resource, in order to make a symbolic statement (such as weaken the economy or damage morale); or even more likely, terrorists might simply seek to take advantage (exploitation) of weaknesses and vulnerabilities in a sector or sectors of the critical infrastructure. The safety and security of critical infrastructure present challenging and complex tasks for homeland security.

One of the basic goals of infrastructure protection is continuity -- continuity of government, continuity of private sector, and continuity of public services. The continuity of government has always been the first priority, what with decades-old secret underground facilities where politicians can run things after a catastrophe. The Internet was, after all, originally part of a government plan to ensure continuity. Cordesman (2000) also states that since the Cold War, "other" priorities have included power plant grids, oil & gas pipelines, and telecommunications. In fact, for many years, the only thing to receive any major funding for protection was the continuity of government services sector. Today, the private sector is the "first line of defense" since they own most of the critical infrastructures, and the private sector approach to risk usually means price risk as determined by stochastic differential equations. However, the private sector in today's threat environment needs to go beyond simply risk analysis. It is important to understand some of the inherent flaws in design whenever the old business, or private sector, model is followed. Some of these business flaws, as John Robb in an article on design flaws points out, are as follows:

Not only do these flaws point out the need for a more modern "system of systems" approach to continuity, but they raise problematic issues of concern for the quality of public services. For example, not only do hospitals get overwhelmed by the fear and panic in the wake of a terrorist attack, but mental health services often experience a delayed, overcrowding impact about 5-6 months later. There are a number of delayed, or lagged, impacts like that with critical infrastructures. Not all critical infrastructures are affected at the same time, and not all businesses are ready to change their old methods of operation. The greatest liability of traditional risk assessment when it comes to CIP is a failure to fully grasp the temporal elements of short-term impacts, long-term impacts, and cascading effects. CIP must be more than this. It is, after all, involved with big things, like a way of life.

The mission of protecting critical infrastructure does not depend upon any unique intelligence collection nor does it require any unique intelligence integration functions. Certainly, there is a need for being in the "loop" regarding terrorist threats, but far more important are the specific analytic methods which can be used to assess vulnerabilities and do risk analysis relative to infrastructure protection. The task essentially involves getting businesses to start thinking about terrorist mindsets. For example, one analytic method is red-teaming. Red-teaming is a concept which involves designating folks within your own organization to think like and behave in support of the way bad guys, or terrorists, would attack, and study their approach to target sets and priorities. It is generally assumed with critical infrastructure protection that the "bad guys" are determined adversaries -- flexible, creative, resourceful, and able to learn how to target vulnerable areas while avoiding those that are more protected and predictable. In this sense, modern sophisticated or technologically advanced societies are perfect targets for terrorists, and businesses who haven't got enough flexibility also make perfect targets.

Secrecy is also important in protecting critical infrastructures. Intelligence about threats to the infrastructure, analysis of where the weaknesses are, and then the recommendations on how to protect against those weaknesses have to be communicated or alerted to a wide range of people, all without "leaks" to the very parties who are involved in putting our citizens at risk. This requires reaching out and building cooperative bridges between government and numerous private sectors, including academia. However, the problem of secrecy then becomes a problem of who to recruit for intelligence work, and their security classification level. It is highly important to build a pool of security-cleared translators, for example, and federal scholarships might be used to create a centralized national translation service that draws upon foreign language training in the nation's colleges and universities. However, it may or may not be a necessity for every translator to have a secret or top secret clearance. The question that has to be asked is: "which is worse -- an uncleared translator or an untranslated secret?"

Additionally, good threat analysis is vitally important for CIP, terrorism threat analysis (see Secure Lecture Notes), in particular. Certain targets are more attractive to terrorists than others, and as Peter Black (1993) of Wired Magazine put it long ago in his article "Soft Kill," there are at least ten (10) easy ways to throw a 21st century nation into the dark ages. His list has been expanded upon by Steele (2002) and others, and an adaptation appears as follows:

*A Top Ten List of Critical Infrastructure Threats*
1. Bridges, Levees, and Dams	There are exactly six mainstream railway bridges across the Mississippi and Missouri rivers. They tie the East and West as well as North and South together in trade and the stockage of food and fuel. During 1993, four of the six bridges closed due to flooding, and Amtrack scrambled to find detours, but the economic effects were devastating, and it further turned out that all national railway traffic depended upon one turnstile in the Cincinnati area.
2. The Alaska Pipeline	This pipeline stretches across vast miles of unoccupied territory, and carries at least 10% of the domestic oil for the nation.
3. The Culpepper Switch	This is a voice and data communications node which handles all electronic transfers of federal funds and transactions. The Internet itself has two similar nodes, called MAYEAST and MAYWEST. Taking down the first would cut the federal government along with Wall Street off from the rest of the Internet.
4. Power generators and grids	There are exactly eighteen main power transformers (parts from Germany) for the entire U.S. grid. Grids can be easily browned out, burned out, or confused by computer signals that cause them to draw more power than they can handle, the worst scenario being a complete meltdown.
5. Telephony/Computer Networks	All telephone service is managed by ESS (Electronic Switching System), and all networked computers depend upon TDS (Time Distribution System). Backup systems exist, but still, a disruption in these central services can be disturbing.
6. Satellite Downlinks	All major government departments, military units, law enforcement agencies, hospitals, and corporations have easily visible satellite downlinks. These are larger (and usually more steerable) than your average household antennae. Emergency and non-emergency two-way teleconferencing takes place on them. Satellite imagery centers are also vulnerable.
7. Federal Reserve	The Fed's central computing system has now replaced the twelve regional computing centers that once existed.
8. WWMCCS	This stands for Worldwide Military Command and Control System
9. The Panama Canal	A major choke point for U.S. and worldwide trade
10. The Malaccan Straits	The maritime link between Europe-Arabia and the Pacific

Since most of America's critical infrastructure is owned or operated by the private sector, the government cannot protect it alone. Industry as a whole faces a greater threat than the government. However, the private sector is driven by bottom lines, consumer and shareholder confidence, and market forces. If industry fails to implement the necessary security measures which protect more than their "bottom line," then the government must step in, and in fact, probably has an obligation to do so. Part of this obligation is to assist industry by making sure they have the tools they need to do the job.

Industry works in a competitive environment. Companies competing against one another for market share are not accustomed to cooperating, at a security level or otherwise, with their competitors. In many ways, the government has encouraged this state of affairs with antitrust legislation, but there is much the government could do to encourage cooperation and investment in security by allowing exemptions to antitrust law and/or offering tax breaks to companies who invest in security.

Big business is also accustomed to lobbying and having many points of contact in their influence on government. It may become important, for homeland security efforts, to establish single points of contact between government and business. Government, for its part, has engaged in multiple avenues of regulation over business, mostly in hopes of establishing some sort of public accountability. It may be possible, but difficult, to continue regulating business in this way, but most likely, what will occur is "another avenue," and a secret one at that, whereby business and government cooperate on security plans and exercises that are related to the vital safety of the nation.

The concept of contingency planning is technically different than the concept of continuity planning. A contingency plan is sometimes called a "reversion" plan because it outlines what kinds of decisions and procedures are the "fall back" procedures reverted to in case some specific unexpected circumstances arise. For example, in business, a common contingency is when some construction project runs over cost or the deadline for completion. Contingency plans always tend to refer to some planned change within the organization while continuity plans always tend to refer to services and assets that are already operational.

Insurance plans, on their own, will not ensure business continuity for some contingencies, particularly those involving terrorism, since there are factors such as "loss of consumer confidence" to be considered. Such factors are significantly different from the usual practices of business planning, such as how to prepare for downtime due to network failure or a power outage. The ramifications of a terrorist attack need to be considered. Also, succession planning, often overlooked in business continuity planning, should be looked into, as key employees tend to leave if they come to think their organization is unsafe or vulnerable to terrorism. It is in a company's best interests to have pre-existing relationships in place with government organizations, law enforcement, emergency personnel, vendors, the public, and industry peers. Customers and shareholders will need reassurance that the company will remain an ongoing enterprise under all sorts of "what if" scenarios, such as the terrorist kidnapping of top executives or the total destruction of an overseas branch office.

Businesses need to be "flexible" in an era of terrorism. A business, for example, might be tempted to consider negotiating with terrorists or paying off a ransom demand, something that runs contrary to most government policy and may have consequences for the safety of government(s) and other businesses. It would be nice to think that contingency planning and CIP would erase terrorism from the face of the earth, but that just isn't going to happen. What's more likely to happen, unless care is taken to prevent it, is the rise of corporate terrorism, where terrorist groups attack certain corporations who are seen as the most vulnerable and profitable targets for them.

The phrase "securing the built environment" comes from the field of civil engineering but is used in a number of fields such as urban planning and structural engineering. It is generally considered something that must be done alongside protection of critical infrastructure, especially when critical infrastructure is taken to strictly mean cybersecurity. At minimum, securing the built environment consists of (1) blast protection of buildings, and (2) maintaining life support systems in buildings (ventilation, water, etc.) under all kinds of possible terrorist scenarios, such as an attack on a building with a plume cloud of chemical gas. Securing the built environment is more a process than a standard since it is practically impossible to safeguard anything made with present construction materials from all multi-hazard scenarios. This fact is often expressed as the need for risk management, and with limited engineering solutions available, recent attention has been paid to "litigation management" which are measures designed to protect against legal claims arising from acts of terrorism.

In fact, the Support Anti-terrorism by Fostering Effective Technologies Act of 2002 (SAFETY Act) is intended to foster the development of litigation management by designating certain technologies (and technology manufacturers) as a Qualified Anti-Terrorism Technology (QATT). Such technology may include products, devices, equipment, or services. Companies can benefit from using QATT technology in various ways, which include a bar on punitive damages and prejudgment interest if they are sued by victims of terrorism. In addition, companies that make use of such technology are not required to purchase liability insurance more than what can reasonably be expected from private sources on the world market (and self-insurance plans are allowed). Technology can be pre-approved by DHS as ATT if a plausible risk can be shown to be mitigated, and such mitigation can include preventing mass disruption (public fear) as well as preventing "symbolic damage" (e.g., monuments, icons, cultural treasures, or environment).

The nature of cybersecurity threats are constantly evolving, increasing in frequency and sophistication, and to counter this, the Department of Homeland Security (through its National Cyber Security Division or NCSD) is busy developing technologies and standards which can be gleaned from lessons learned. The mission of the NCSD is to work collaboratively with public and private stakeholders to secure cyberspace and the nation's cyber assets. A risk management approach is taken since resources are limited (the number of staff assigned to NCSD is low, at about 60 personnel). Collaboration takes place on a number of fronts: situational awareness, attribution, analysis, response and recovery. International collaboration also takes place, via the conduit of the Department of State. One strategic objective is to build a "cyber situational awareness" capability which not only serves as a national alarm system, but works in tandem with increased information sharing between agencies and the private sector. The ability to provide actionable alerts and warnings from detectable significant acts of cyber activity (as opposed to just "white noise") is an essential part of the nation's cybersecurity strategy. At present, only patchwork systems exist, such as DHS's US-CERT and a number of other such warning intelligence processes handled by the private sector. The US-CERT Concept of Operations (CONOPS) now requires reporting of cyberincidents to US-CERT and agencies also report to other agencies pursuant to the Federal Information Security Management Act (FISMA).

What DHS is trying to do is come up with a way to measure Internet Health, much like the way Hoover once set up the UCR crime reporting system as a barometer of the nation's moral health. However, the stakes are more global this time. One of the problems that interferes with at least the information sharing part of this strategy is that some entities are reluctant to share embarrassing information or to make it known that they have some new vulnerability. Parallel efforts to enhance information sharing while building situational awareness capability must go on. Sharing must be done in a way that adds value and doesn't overload existing resources. Tabletop exercises have been held in Germany, with APEC in Asia, the OAS in the Americas, and with the G-8 and EU in Europe to develop the capacity to know when something is anomolous enough to report, rising to a level of significance enough, internationally. Effectively, the world's reporting system (as it is emerging) takes the shape of a "follow the sun" approach where significant events are shared internationally at the end of each day (when the sun sets in that part of the world).

In addition to international efforts, the state ISACs help facilitate awareness capability as well as develop preparedness, or response and recovery capability. Interagency coordination is necessary for this -- after a disaster happens. A Cyber Annex exists to the National Response Plan which ensures that there is proper leveraging and coordination in the restoration or recovery from a cyber incident with significant cyber consequences. Natural disasters can have cyber consequences, so it is important to use an all-hazards approach. The National Recovery Plan provides some general guidance in how communications and Internet service are to be restored regardless if the cause is a cyber attack or a natural disaster, but there are numerous scenarios possible which require more work on the specifics.

PRINTED RESOURCES
American Water Works Association. (2002). Water system security. Denver: AWWA.
Anderson, R. (2001). Security engineering. NY: Wiley.
Auerswald, P., Branscomb, L., LaPorte, T. & Michel-Kerjan, E. (Eds.) (2006). Seeds of disaster. NY: Cambridge.
Black, P. (1993). "Soft Kill: Fighting infrastructure wars in the 21st century." Wired Magazine (July/August).
Bullock, J. et.al. (2005). Introduction to homeland security. Boston: Elsevier.
Condron, S. (2008). "Getting it right: Protecting American critical infrastructure in cyberspace." Pp. 373-390 in A. Guiora (ed.) Top ten global justice law review articles 2007. NY: Oxford Univ. Press.
Cordesman, A. (2000). "Defending America." Final Review Draft for Comment. Washington DC: Center for Strategic & International Studies.
Cordesman, A. (2002). Cyber-threats, information warfare, and critical infrastructure protection. Washington DC: Center for Strategic & International Studies.
Gomez-Ibanez, J. (2003). Regulating infrastructure. Cambridge, MA: Harvard Univ. Press.
Gunaratna, R. (2003). Inside al qaeda. NY: Berkley Publishing Group.
Guy, S., Marvin, S. & Moss, T. (2001). Urban infrastructure in transition. London: Earthscan Publications.
Haddow, G. & Bullock, J. (2003). Introduction to emergency management. Boston: Elsevier.
Kessides, I. (2004). Reforming infrastructure. Herndon, VA: World Bank Publications. [Sample Excerpt]
Nasheri, H. (2005). Economic espionage and industrial spying. NY: Cambridge Univ. Press.
National Infrastructure Protection Plan 103 (2006). NIPP. Washington D.C.: DHS.
Noonan, W. (2004). Hardening network infrastructure. NY: McGraw Hill Osborne.
Steele, R. 2002). The new craft of intelligence. Oakton, VA: OSS.
Wade, B. (2003). "Security for public utilities." Pp. 65-69 in R. Kemp (ed.) Homeland security: Best practices. Washington DC: ICMA.

Last updated: July 22, 2009
Not an official webpage of APSU, copyright restrictions apply, see Megalinks in Criminal Justice
O'Connor, T. (Date of Last Update at bottom of page). In Part of web cited (Windows name for file at top of browser), MegaLinks in Criminal Justice. Retrieved from http://www.apsu.edu/oconnort/rest of URL accessed on today's date.