The security and safety of our nation rely on the production and distribution of certain goods and services. The resources, operations, and systems that support the delivery of these goods and services are called critical infrastructures. The national security community has been concerned for some time about the vulnerability of critical infrastructure to both physical and cyberattacks.
Many believe the concept of critical infrastructure protection evolved as a result of the 9-11 terrorist attacks. While 9-11 changed the focus of infrastructure protection, the concept of identifying and protecting the nation’s critical infrastructure started five years earlier. The definition of critical infrastructure has changed over time. In 1996, with Executive Order 13010, President Clinton established a national commission on critical infrastructure. The Commission was charged with identifying what constituted a critical infrastructure and then assessing the range and type of vulnerabilities and threats to those critical infrastructures. Finally, they were to develop a comprehensive national policy and implementation strategy for protecting critical infrastructures from physical and cyber threats. Two years later, in 1998, President Clinton signed Presidential Decision Directive 63 (PDD-63). The directive picked up where Executive Order 13010 left off by creating the concept of a national infrastructure protection plan and adding “cyber” to the definition of critical infrastructure and recognizing the role that cyber resources have in the overall infrastructure protection plan.
Following 9-11, the Patriot Act of 2001 and the Homeland Security Act of 2002 redefined critical infrastructure. For example, the Homeland Security Act of 2002 added the concept of Key Resources to the critical infrastructure definition. Today, CIKR is defined as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”[1]
The number of CI sectors has changed over time. In 1996 there were eight sectors. PDD-63 in 1998 raised that number to 15. Executive Order 13228 in 2001 reduced the 15 sectors to 9. Today there are 16 sectors (see sidebar). As the sector map changes, so too does the approach to assessing threats and risks and the risk mitigation strategy to address them.
Today the Cybersecurity and Infrastructure Security Agency (CISA) is the Nation’s risk advisor, working with public and private partners to identify and defend against all threats to the critical infrastructures and collaborating to build more secure and resilient infrastructure for the future.
What is CIKR
There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.[2]
The production and distribution of goods and services are key to ensuring the well-being of our nation. The process of production and distribution – how those goods and services are delivered to end-users – relies upon Critical Infrastructures (CI). Some of those goods and services are more essential than others with respect to maintaining our economy, security, safety, public health, and way of life. Those essential resources are known as Key Resources (KR). Collectively these CIKR are those systems and assets, physical or virtual, so vital to the United States that the incapacity or destruction of them would have a debilitating impact on security, national economic security, and/or national public health and safety.[3]
A commonly used example is the Energy Sector: electricity, the power plants that generate it, and the electric grid upon which it is distributed are all examples of critical infrastructure.
How critical infrastructure protection works
The federal government works with other government entities (state, regional, local, tribal) and private owners/operators of CIKR to identify specific assets and systems that make up the nation’s critical infrastructure.
This public-private partnership assesses the vulnerabilities and threats (natural or manmade, i.e., all-hazards) to determine the level of risk associated with possible attacks or the impacts of natural events on those assets and then establishes actions that can be taken to reduce those risks. Primary responsibility for protection, response, and recovery lies with the owners and operators. However, the federal government holds open the possibility of intervening in those areas where owners and operators are unable (or unwilling) to provide what it, the federal government, may assess to be adequate protection or response.[4]
Current and Anticipated Threats to CIKR
Following the September 11 terrorist attacks in 2001, additional attention was placed on physical protection of critical infrastructures. At the government level, policy, programs, and legislation focused on increased physical security of critical infrastructure. Similar initiatives evolved within the private sector, with CI owners/operators focusing on hardening targets from a physical attack. Today those initiatives have stabilized to a large extent and current legislative and private sector activity has refocused on cyber threats and cybersecurity.
Today, the threats we face are more complex than at any other time. CISA is leading the efforts to build and maintain a collective defense and manage risk to our critical infrastructure. As part of CISA, the National Risk Management Center (NRMC) acts as the Agency’s risk advisor by working with public and private stakeholders within each of the CI sectors to identify the most significant risks to the nation.[5]
As determined by NRMC, the top areas of concern and the related initiatives to address infrastructure security are[6]:
- 5G Technologies -- Securing the next generation of wireless technology which transforms U.S. telecommunication networks and empowers critical services.
- Election Security -- Working with a wide range of stakeholders and State and local governments to ensure America’s election infrastructure is resilient.
- Electromagnetic Pulse and Geomagnetic Disturbance -- Mitigating potential nuclear and space weather events that can affect large areas of our nation.
- Enterprise Cyber Risk Management -- Advancing the emerging discipline of cyber risk quantification by adding analytic rigor to the ability to connect vulnerability management with consequence metrics and use this information to drive business and national security decisions.
- Information and Communications Technology (ICT) Supply Chain Risk Management -- Reducing risk of vulnerabilities in the ICT supply chain that if exploited, can impact a wide range of enterprises and sectors dependent on that hardware, software, or services.
- Pipeline Cybersecurity -- Partnering with front-line operators to assess and manage risk to the design and configuration of control systems for the Nation’s 2.7 million miles of pipelines.
Sector-Specific Examples of Current Threats
Food and Agriculture Security
The Food and Agriculture sector is unique in that it is almost exclusively privately owned. Food chain and agriculture security threats have been and remain a concern and need even more attention from the highest levels of government, with the ability to apply effective resources both quickly and over the long term. Now, an emerging threat with even greater long-term impact potential is the evolving impact of global warming, which includes changing weather patterns, wildfires, droughts, and receding water supplies in reservoirs and aquifers that serve America’s breadbasket/fruit basket in the Central Valley of California and surrounding areas.
The year-round growing season and advanced farming methods make this area America’s largest and most efficient area of food production for the US and other nations and one of the ten largest in the world. An area this size with year-round growing features is not easily relocated to follow changing weather patterns and water resources. This issue will require not only ongoing threat and mitigation modeling of weather patterns and water resources, but also a multi-disciplinary management, science, and technology strategy to optimize those diminishing resources.
Higher Education Security
At large research institutions where faculty engage in both teaching and research, the labs and the various research projects themselves are a priority. The mission of these institutions includes research being conducted. The assets that go along with this work include the lab facilities, libraries, museums, collections and the scientific or support equipment for these such as wireless networks and intelligent software. Disruption of any could impact years of work or mean the loss of irreplaceable specimens. Not all assets of higher education institutions are as tangible or visible as a research lab.
Each college or university institution uniquely contributes to the community, whether research-based or one devoted to liberal arts study. The presence of students and the employment of faculty and staff add to the local economy. Events such as academic lectures and conferences and non-academic events such as athletics bring people to the institution. This broadens the idea of critical assets in higher education to the lecture halls, conference rooms, stadiums and arenas. In an address to the Greater Boston Chamber of Commerce, MIT President Charles M. Vest noted “… universities are a key part of … the institutions that drive our regional economy: financial services, health care, high technology, and higher education.”[7]
Protecting assets and infrastructure at higher education institutions requires taking a broad perspective of enterprise security, one that includes but is not limited to facility design, physical safety, technology, and most certainly the human element.
Technologies for Protecting Critical Infrastructure
Technologies for detecting and combating threats to the Nation’s critical infrastructure are constantly evolving. The Science and Technology Directorate (S&T) of the Department of Homeland Security is the science advisor to the Secretary and serves as the research and development arm of the Department of Homeland Security (DHS). S&T is responsible for developing and monitoring evolving technologies used to combat physical and cyber threats to the Nation.
“We provide evidence-based scientific and technical perspectives to address a range of current and emerging threats—from aviation security to chemical and biological detection to critical infrastructure, resilience, climate and natural disasters, cybersecurity, and beyond. We work hand in hand with fellow DHS component agencies, first responders at all levels, emergency management and public safety personnel, and partners from across the public and private spectrums to develop timely and innovative solutions to meet today’s challenges and tomorrow’s opportunities.”[8]
Clearly, the responsibility of developing and implementing security technologies cannot fall to a single entity. Typically, the government will establish standards for critical infrastructure protection, but it will be the owners/operators of that infrastructure, generally the private sector, that will be responsible for implementation. At the federal level, as the Biden administration looks to establish cybersecurity priorities and programs, it will become even more important to establish relationships between the private sector and the government to safeguard our supply chain systems.
As one example of this partnership, the US Department of Energy (DOE) has announced a 100-day plan to improve the cybersecurity of the nation’s electric infrastructure. This is a coordinated effort between DOE, the electricity industry, and the Cybersecurity and Infrastructure Security Agency (CISA). The 100-day plan includes aggressive but achievable milestones and will assist owners and operators as they modernize cybersecurity defenses, including enhancing detection, mitigation, and forensic capabilities.[9] The 100-day plan has identified the following goals:
- Real-time situational awareness with industrial control systems and OT.
- Enhanced security incident detection, mitigation, response, and forensics.
- Increased visibility of threats within ICS and OT systems.
- Reinforcing the IT networks and infrastructure used within facilities.
Strategic Risk Mitigation
Within the critical infrastructure environment, managing risk is a shared endeavor between the private sector and government. The NRMC works with key stakeholders in the private sector and government agencies to manage the most significant risks to our critical infrastructure.
An approach to critical infrastructure strategic risk mitigation was developed in 2013 as part of the National Infrastructure Protection Plan[10] and is still used today. The plan involves a five-step process to build the risk mitigation framework. This process represents a sound approach for managing CI risk. Threats are grouped into three categories: natural, human-caused (manmade), and accidental/technical. Within the manmade category the model considers three elements – physical, cyber, and human. These elements run across the five steps of the risk management framework and should be integrated throughout a risk management approach. A continuous loop runs behind each step, and bidirectional arrows indicate that information is shared at each step of the process to facilitate feedback and enable continuous improvement of critical infrastructure security and resilience efforts.
The NRMC’s risk management process helps to align private-public engagement by defining and outlining how government and industry develop response and security plans, risk-reduction activities, and share information. The NRMC creates an environment where government and industry can collaborate and share expertise to enhance critical infrastructure resiliency within and across sectors.[11]
Conclusion
Regardless of critical infrastructure sector or the size of your public or private organization, success lies in sound security and operational principles[12]. People, policy, and technology are the cornerstones of a successful protection strategy. Those factors are most successful with the integrated support of intelligence, cyber, science, research, government, and subject-specific resources.
Note: Other contributors to this article are James H. Clark, CPP, Paul S. Denton, MBA, MSCJ, CSSP, CIPM, and James C. Townzen, PSP, CPP.
[1] The US Patriot Act and HSPD-7.
[2] Presidential Policy Directive 21 (PPD-21).
[3] Homeland Security Presidential Directive Number 7 (HSPD-7).
[4] National Strategy for Homeland Security.
[5] https://www.cisa.gov/national-risk-management
[6] https://www.cisa.gov/sites/default/files/publications/fact_sheet_nrmc_508_1.pdf
[7] http://web.mit.edu/president/communications/chamcomm-1-96.html
[8] https://www.dhs.gov/science-and-technology/about-st
[9] https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/20/statement-by-nsc-spokesperson-emily-horne-on-the-biden-administrations-efforts-to-protect-u-s-critical-infrastructure/
[10] CISA: A Guide to Critical Infrastructure Security and Resilience; November 2019.
[11] https://www.cisa.gov/nrmc
[12] CISA: A Guide to Critical Infrastructure Security and Resilience; November 2019.