These class notes were composed by Dr. Tom O'Connor for his class on Homeland Security at NORTH CAROLINA WESLEYAN COLLEGE, original documents can be found here
THE SAFETY AND SECURITY OF CRITICAL INFRASTRUCTURE
"When our hometowns are secure, our homeland will be secure" (Tom Ridge)
A critical infrastructure can be defined as any facility, system, or function which provides the foundation for national security, governance, economic vitality, reputation, and way of life. Selected Provisions of the USA PATRIOT Act specifically define critical infrastructure as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." FEMA specifically defines critical infrastructure as "personnel, physical assets, and communication (cyber) systems that must be intact and operational 24x7x365 in order to ensure survivability, continuity of operations, and mission success, or in other words, the essential people, equipment, and systems needed to deter or mitigate the catastrophic results of disasters." Other definitions can be easily found in the literature or on the Internet.
Attempts to make specific definitions may be futile, since there are several ways to look at the concept of critical infrastructure. First of all, one could base the concept in notions about the value of human life. This value, or asset value, approach is usually taken when the idea of "continuity" is granted some importance. The way it's usually put is by saying that the continuity, or continued operation, of a critical infrastructure is essential for the maintenance of human life and/or the maintenance of some standard of living that a people have become accustomed to. The continuity of critical infrastructure is also essential to avoid panic and hysteria during the impact of a disaster. Every day, each person's life is shaped or affected in some way by one or more critical infrastructures. Life, as we know it, is not possible without the services of the critical infrastructures, and they are all connected together in a "system of systems" where a failure in one can cascade into a failure in others. This line of conceptual thinking implies that critical infrastructure is important to protect because it's what makes life worth living or keeps our quality of life from degrading because of panic or fear.
Another approach is to emphasize things that are less important for life-sustaining purposes but essential because they are indispensable for cultural purposes. This is the approach behind identifying a vital or key asset, which is something usually protected for purposes of national prestige, morale, confidence, reputation, and accomplishment of mission. An example of a key asset would be a national monument or icon that needs to "survive" because neglecting its protection would send the wrong message. Reasonableness and timeliness are the basic elements of survivability in this mode of thinking, with reasonableness referring to the degree of environmental stress an asset is expected to withstand, and timeliness to the notion that an asset is "mission-critical" only during certain periods. An example would be an electrical blackout on New Year's Eve in the Big Apple, when Americans would be unable to mark the start of the New Year in the way they have become accustomed to.
Critical Infrastructure Protection (CIP) consists of all proactive activities to protect indispensable people, physical assets, and systems (especially communications or cyber systems) which are guided by a systematic and reliable decision making process which assists leaders to determine exactly what needs protection, where, when, and how. The basic steps of CIP consist of: identifying the critical infrastructures, determining the threats against those infrastructures, analyzing the vulnerabilities of threatened infrastructures, assessing the risks of degradation or loss of a critical infrastructure, and applying countermeasures where risk is unacceptable. However, CIP goes beyond ordinary risk analysis, as will be explained in this lecture.
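The five CIP steps above, and the "system of systems" cascade described earlier, are easier to see run over data than to read about. The following Python model is an example added to these notes; it is not part of the original lecture and is not any government methodology. The six sectors and their dependencies, the 0-1 threat and vulnerability judgments, the risk formula (threat x vulnerability x consequence, with consequence counting every sector lost to a cascade), and the 0.12 acceptability threshold are all constructed assumptions for illustration.

```python
"""Worked example added to these notes (not part of the original lecture):
the five CIP steps, run over a constructed "system of systems".

Everything below is an assumption for illustration: the sector list and
dependencies are made up, threat and vulnerability are 0-1 judgments,
risk = threat x vulnerability x consequence, and consequence is the share
of all sectors that go down when one sector fails, cascades included.
"""

# Step 1: identify the infrastructures and what each one cannot run without.
# Constructed sample: sector -> set of sectors it depends on.
DEPENDENCIES = {
    "electric_power": set(),
    "telecom": {"electric_power"},
    "water": {"electric_power"},
    "banking": {"electric_power", "telecom"},
    "health": {"electric_power", "water", "telecom"},
    "emergency_services": {"telecom", "water"},
}

# Steps 2 and 3: threat likelihood and vulnerability per sector (constructed, 0-1).
THREAT = {
    "electric_power": 0.6, "telecom": 0.5, "water": 0.4,
    "banking": 0.8, "health": 0.3, "emergency_services": 0.3,
}
VULNERABILITY = {
    "electric_power": 0.5, "telecom": 0.4, "water": 0.7,
    "banking": 0.3, "health": 0.6, "emergency_services": 0.5,
}

UNACCEPTABLE = 0.12  # assumed policy threshold on the 0-1 risk score


def cascade(dependencies, failed):
    """Every sector that stops when `failed` is lost, `failed` included.

    Iterates to a fixed point: a sector goes down as soon as any one of its
    dependencies is down. This is an all-or-nothing model; real sectors
    degrade partially, which is deliberately ignored here.
    """
    down = {failed}
    changed = True
    while changed:
        changed = False
        for sector, needs in dependencies.items():
            if sector not in down and needs & down:
                down.add(sector)
                changed = True
    return down


def consequence(dependencies, sector):
    """Fraction of all sectors lost if `sector` fails, cascades included."""
    return len(cascade(dependencies, sector)) / len(dependencies)


def risk_table(dependencies, threat, vulnerability):
    """Step 4: score every sector and rank it, highest risk first.

    Returns a list of (sector, risk) tuples.
    """
    rows = [
        (s, threat[s] * vulnerability[s] * consequence(dependencies, s))
        for s in dependencies
    ]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def unacceptable(dependencies, threat, vulnerability, threshold=UNACCEPTABLE):
    """Sectors whose risk exceeds the threshold, highest first."""
    return [s for s, r in risk_table(dependencies, threat, vulnerability)
            if r > threshold]


def harden(vulnerability, sectors, factor=0.5):
    """Step 5a: a countermeasure that lowers a sector's own vulnerability
    (guards, access control, patching). Returns a new map; input untouched."""
    return {s: v * (factor if s in sectors else 1.0)
            for s, v in vulnerability.items()}


def add_redundancy(dependencies, consumer, provider):
    """Step 5b: a countermeasure that removes a dependency edge, e.g. on-site
    generators so `consumer` rides through a loss of `provider`.
    Returns a new dependency map; input untouched."""
    return {s: (needs - {provider} if s == consumer else set(needs))
            for s, needs in dependencies.items()}


if __name__ == "__main__":
    for sector, risk in risk_table(DEPENDENCIES, THREAT, VULNERABILITY):
        print(f"{sector:20s} risk={risk:.3f}")
    print("unacceptable:", unacceptable(DEPENDENCIES, THREAT, VULNERABILITY))
    hardened = harden(VULNERABILITY, {"electric_power", "water", "telecom"})
    print("after hardening:", unacceptable(DEPENDENCIES, THREAT, hardened))
    # Hardening alone leaves the single point of failure: cut the cascade instead.
    deps = DEPENDENCIES
    for consumer in ("telecom", "water", "health"):
        deps = add_redundancy(deps, consumer, "electric_power")
    print("after redundancy:", unacceptable(deps, THREAT, hardened))
```

The point to take from the ranking is the one the lecture makes: once consequence is measured across the system of systems, electrical power and water outrank banking even though banking has the highest threat score, and halving the power sector's vulnerability still leaves it over the threshold because everything depends on it. Only removing that dependency (the `add_redundancy` step) brings the single point of failure under control, which is why CIP has to look beyond per-asset risk analysis.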
THE HISTORY OF CRITICAL INFRASTRUCTURE PROTECTION
Various organizations have existed to defend the country's critical systems. Under Presidential Decision Directive 63 in 1998, the position of national coordinator for security, infrastructure protection, and counter-terrorism (sometimes called the "cyber-czar") was created within the White House's National Security Council to oversee national policy development and implementation for CIP. Another organization, the Critical Infrastructure Assurance Office (CIAO), existed to coordinate the federal government's initiatives on CIP, to assist agencies in identifying their dependencies and vulnerabilities, and to coordinate awareness programs. Another, the National Infrastructure Protection Center (NIPC), served as a threat assessment center and included members of the FBI, DoD, Secret Service, and CIA. Out of NIPC, the InfraGard program was established to provide a mechanism for two-way information sharing about intrusion incidents and system vulnerabilities, and to give the NIPC a channel for disseminating analytical threat products to the private sector. Information Sharing and Analysis Centers (ISACs) also exist, but the list of ISACs maintained by DHS indicates that most if not all are owned and operated by the private sector, with little involvement and poor funding from government. The ISACs are part of the private sector's response to the call for action made in May 1998 by Presidential Decision Directive 63 (PDD-63). The purpose of an ISAC is to gather and analyze information about information security threats, vulnerabilities, incidents, countermeasures, and best practices. An ISAC typically consists of a secure database, analytic tools, and information gathering and distribution facilities designed to allow authorized individuals to submit either anonymous or attributed reports about threats, vulnerabilities, incidents, and solutions. ISAC members also have access to analytic products produced by other members and obtained from other sources.
Also, since 1999, an effort has been made to establish the Federal Intrusion Detection Network (FIDNet), a government-wide monitoring system that would coordinate intrusion detection and the analysis of other suspicious behavior patterns involving government computers. Although that effort is far from fully realized, a central analysis unit exists in the Federal Computer Incident Response Capability (FedCIRC) program. The government's wish to involve private sector computers more fully was exemplified by the proposed 1999 Cyberspace Electronic Security Act (CESA), which would have allowed the government to obtain decryption keys or other decryption assistance from third parties in order to read communications or stored data, once the privacy concern had been addressed by consent, a warrant, or a court order.
A 2003 document known as the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets (pdf) serves as the guiding document on this subject. In that document, thirteen (13) critical infrastructure sectors were identified, but the chemicals sector was left off the list for some inadvertent reason, and Homeland Security Presidential Directive 7, issued in late 2003, corrected this and made some other changes such as taking the Defense Department, Postal Service, and Maritime sector off the list, or merging them into other identified sectors. Since 2004, it has been customary to say there are fourteen (14) critical infrastructures in the United States, and in alphabetical order, they are:
Banking & Finance Sector -- see Financial Services ISAC; 2003 GAO Report (pdf)
Chemicals Sector -- see Chemical Sector ISAC; Chemical Sector Cybersecurity Forum
Continuity of Government Services Sector -- see NASCIO; 2001 GAO Report (pdf)
Electrical Power & Energy Sector -- see ESISAC; North American Electric Reliability Council
Emergency & Law Enforcement Services Sector -- see EMR ISAC
Fire Services Sector -- see FEMA's Fire Administration website
Food Sector -- see Food Industry ISAC webpage
Health Services Sector -- see CDC's Public Health Emergency Response Guide
Higher Education Sector -- see Educause; Office of Safe & Drug-Free Schools
Information & Communications Sector -- see IT ISAC; Information Technology Association of America
Insurance Sector -- see Financial Services ISAC; Real Estate ISAC
Oil & Gas Sector -- see National Petroleum Council
Transportation Sector -- see Surface Transportation ISAC; Association of American Railroads
Water Sector -- see Water ISAC; Association of Metropolitan Water Agencies
As the target of terrorism, a critical infrastructure can be either destroyed, incapacitated, or exploited. It is important to note that these involve different strategic objectives. If terrorists seek to completely destroy something, then their own access to those resources will be affected. Bioterrorism, for example, not only destroys much critical infrastructure, but is mainly a suicidal tactic. Many sectors of a critical infrastructure are looked upon, by terrorists, as a "force multiplier" for them; i.e., they may need to keep banking systems or computer systems intact. It is likely that terrorists would temporarily incapacitate a resource, in order to make a symbolic statement (such as weaken the economy or damage morale); or even more likely, terrorists might simply seek to take advantage (exploitation) of weaknesses and vulnerabilities in a sector or sectors of the critical infrastructure. The safety and security of critical infrastructure present challenging and complex tasks for homeland security.
One of the basic goals of infrastructure protection is continuity: continuity of government, continuity of the private sector, and continuity of public services. Continuity of government has always been the first priority, as the decades-old secret underground facilities from which officials can run the country after a catastrophe attest. The Internet, after all, grew out of a government-funded network commonly described as designed to keep communications running after an attack. Cordesman (2000) also states that since the Cold War, "other" priorities have included power grids, oil and gas pipelines, and telecommunications. In fact, for many years, the only sector to receive any major protection funding was continuity of government services. Today the private sector is the "first line of defense," since it owns most of the critical infrastructure, and the private sector's usual notion of risk is financial (price) risk, modeled with tools such as stochastic differential equations. In today's threat environment, however, the private sector needs to go beyond simple risk analysis. It is important to understand some of the inherent design flaws that follow whenever the old business, or private sector, model is followed. Some of these flaws, as John Robb points out in an article on design flaws, are as follows:
economics always trumps security -- the private sector sacrifices security or safety for profit
large is better than small -- the private sector builds big things that handle a lot of load
short routes are better than long routes -- the private sector centralizes power & communications
hub and spoke systems are efficient -- the private sector controls distance via "avenues"
remote operations are safe -- the private sector believes something is safe if distant and inaccessible
regulation is bad -- the private sector feels that government intervention is unwarranted
manipulation of demand -- the private sector says things work as advertised and more
Not only do these flaws point out the need for a more modern "system of systems" approach to continuity, but they raise problematic issues of concern for the quality of public services. For example, not only do hospitals get overwhelmed by the fear and panic in the wake of a terrorist attack, but mental health services often experience a delayed, overcrowding impact about 5-6 months later. There are a number of delayed, or lagged, impacts like that with critical infrastructures. Not all critical infrastructures are affected at the same time, and not all businesses are ready to change their old methods of operation.
INTELLIGENCE IN CRITICAL INFRASTRUCTURE PROTECTION
The mission of protecting critical infrastructure does not depend upon any unique intelligence collection, nor does it require any unique intelligence integration functions. Certainly there is a need to be in the "loop" regarding terrorist threats, but far more important are the specific analytic methods that can be used to assess vulnerabilities and do risk analysis for infrastructure protection. The task essentially involves getting businesses to start thinking about terrorist mindsets. One such analytic method is red-teaming: designating people within your own organization to think like, and act in support of, the way adversaries or terrorists would attack, and to study their approach to target sets and priorities. With critical infrastructure protection it is generally assumed that the "bad guys" are determined adversaries: flexible, creative, resourceful, and able to learn how to target vulnerable areas while avoiding those that are more protected and predictable. In this sense, modern sophisticated or technologically advanced societies are perfect targets for terrorists, and businesses that lack flexibility make perfect targets as well.
Secrecy is also important in protecting critical infrastructures. Intelligence about threats to the infrastructure, analysis of where the weaknesses are, and then the recommendations on how to protect against those weaknesses have to be communicated or alerted to a wide range of people, all without "leaks" to the very parties who are involved in putting our citizens at risk. This requires reaching out and building cooperative bridges between government and numerous private sectors, including academia. However, the problem of secrecy then becomes a problem of who to recruit for intelligence work, and their security classification level. It is highly important to build a pool of security-cleared translators, for example, and federal scholarships might be used to create a centralized national translation service that draws upon foreign language training in the nation's colleges and universities. However, it may or may not be a necessity for every translator to have a secret or top secret clearance. The question that has to be asked is: "which is worse -- an uncleared translator or an untranslated secret?"
RELIANCE UPON INDUSTRY AND PRIVATE SECTOR
Most of America's critical infrastructure is owned or operated by the private sector. Industry as a whole faces a greater threat than the government. However, the private sector is driven by bottom lines, consumer and shareholder confidence, and market forces. If industry fails to implement the necessary security measures which protect more than their "bottom line," then the government must step in, and in fact, probably has an obligation to do so. Part of this obligation is to assist industry by making sure they have the tools they need to do the job.
Industry works in a competitive environment. Companies competing against one another for market share are not accustomed to cooperating, at a security level or otherwise, with their competitors. In many ways, the government has encouraged this state of affairs with antitrust legislation, but there is much the government could do to encourage cooperation and investment in security by allowing exemptions to antitrust law and/or offering tax breaks to companies who invest in security.
Big business is also accustomed to lobbying and having many points of contact in their influence on government. It may become important, for homeland security efforts, to establish single points of contact between government and business. Government, for its part, has engaged in multiple avenues of regulation over business, mostly in hopes of establishing some sort of public accountability. It may be possible, but difficult, to continue regulating business in this way, but most likely, what will occur is "another avenue," and a secret one at that, whereby business and government cooperate on security plans and exercises that are related to the vital safety of the nation.
CONTINGENCY PLANNING
The concept of contingency planning is technically different from the concept of continuity planning. A contingency plan is sometimes called a "reversion" plan because it outlines the decisions and procedures that are the "fall back" procedures reverted to in case some specific unexpected circumstance arises. For example, in business, a common contingency is a construction project that runs over cost or past its deadline for completion. Contingency plans tend to refer to some planned change within the organization, while continuity plans tend to refer to services and assets that are already operational.
Insurance plans, on their own, will not ensure business continuity for some contingencies, particularly those involving terrorism, since there are factors such as "loss of consumer confidence" to be considered. Such factors are significantly different from the usual practices of business planning, such as how to prepare for downtime due to network failure or a power outage. The ramifications of a terrorist attack need to be considered. Also, succession planning, often overlooked in business continuity planning, should be looked into, as key employees tend to leave if they come to think their organization is unsafe or vulnerable to terrorism. It is in a company's best interests to have pre-existing relationships in place with government organizations, law enforcement, emergency personnel, vendors, the public, and industry peers. Customers and shareholders will need reassurance that the company will remain an ongoing enterprise under all sorts of "what if" scenarios, such as the terrorist kidnapping of top executives or the total destruction of an overseas branch office.
Businesses need to be "flexible" in an era of terrorism. A business, for example, might be tempted to consider negotiating with terrorists or paying off a ransom demand, something that runs contrary to most government policy and may have consequences for the safety of government(s) and other businesses. It would be nice to think that contingency planning and CIP would erase terrorism from the face of the earth, but that just isn't going to happen. What's more likely to happen, unless care is taken to prevent it, is the rise of corporate terrorism, where terrorist groups attack certain corporations who are seen as the most vulnerable and profitable targets for them.
SECURING THE BUILT ENVIRONMENT
The phrase "securing the built environment" comes from the field of civil engineering but is used in a number of fields such as urban planning and structural engineering. It is generally considered something that must be done alongside protection of critical infrastructure, especially when critical infrastructure is taken to strictly mean cybersecurity. At minimum, securing the built environment consists of (1) blast protection of buildings, and (2) maintaining life support systems in buildings (ventilation, water, etc.) under all kinds of possible terrorist scenarios, such as an attack on a building with a plume cloud of chemical gas. Securing the built environment is more a process than a standard since it is practically impossible to safeguard anything made with present construction materials from all multi-hazard scenarios. This fact is often expressed as the need for risk management, and with limited engineering solutions available, recent attention has been paid to "litigation management" which are measures designed to protect against legal claims arising from acts of terrorism.
In fact, the Support Anti-terrorism by Fostering Effective Technologies Act of 2002 (SAFETY Act) is intended to foster litigation management by designating certain technologies (and their sellers) as Qualified Anti-Terrorism Technologies (QATT). Such technology may include products, devices, equipment, or services. The seller of a QATT benefits in several ways if it is sued by victims of terrorism, including a bar on punitive damages and prejudgment interest. In addition, the seller is not required to carry more liability insurance than can reasonably be obtained from private sources on the world market (and self-insurance plans are allowed). Technology can be pre-approved by DHS as a QATT if it can plausibly be shown to mitigate a risk, and such mitigation can include preventing mass disruption (public fear) as well as preventing "symbolic damage" (e.g., to monuments, icons, cultural treasures, or the environment).
INTERNET RESOURCES
American Water Works Association
An Assessment (Report Card) on Homeland Security (pdf)
Commonwealth Institute Resources on Critical Infrastructure Protection
ContingencyPlanning.com
CRS Backgrounder Report on Critical Infrastructure Policy (pdf)
CRS Report on the Definition & Identification of Critical Infrastructures (pdf)
Dept. of Defense CIP Plan
DHS Organization for Infrastructure Protection
DHS Webpage for Critical Infrastructure
Executive Order on Critical Infrastructure Protection
George Mason University CIP Project
John Robb's Global Guerrillas Website
Larry Wortzel's Paper on Securing America's Critical Infrastructures
Legal Issues & Challenges of Critical Infrastructure Protection (pdf)
National Infrastructure Institute (NI2)
National Strategy for Physical Protection of Critical Infrastructure & Key Assets (pdf)
National Strategy to Secure Cyberspace (pdf)
NIST Partnerships in Specific Industry Sectors
The Infrastructure Security Partnership
USFA-FEMA Website for What CIP is About
PRINTED RESOURCES
American Water Works Association. (2002). Water System Security: A Field Guide. Denver: AWWA.
Anderson, R. (2001). Security Engineering. NY: Wiley.
Bullock, J., Haddow, G., Coppola, D., Ergin, E., Westerman, L. & Yeletaysi, S. (2005). Introduction to Homeland Security. Boston: Elsevier.
Cordesman, A. (2000). "Defending America: Redefining the Conceptual Borders of Homeland Defense." Final Review Draft for Comment. Washington DC: Center for Strategic & International Studies.
Cordesman, A. (2002). Cyber-Threats, Information Warfare, and Critical Infrastructure Protection. Washington DC: Center for Strategic & International Studies.
Gomez-Ibanez, J. (2003). Regulating Infrastructure. Cambridge, MA: Harvard Univ. Press.
Gunaratna, R. (2003). Inside Al Qaeda: Global Network of Terror. NY: Berkley Publishing Group.
Guy, S., Marvin, S. & Moss, T. (2001). Urban Infrastructure in Transition: Networks, Buildings, Plans. London: Earthscan Publications.
Haddow, G. & Bullock, J. (2003). Introduction to Emergency Management. Boston: Elsevier.
Kessides, I. (2004). Reforming Infrastructure: Privatization, Regulation & Competition. Herndon, VA: World Bank Publications. [Sample Excerpt]
Nasheri, H. (2005). Economic Espionage and Industrial Spying. NY: Cambridge Univ. Press.
Noonan, W. (2004). Hardening Network Infrastructure. NY: McGraw Hill Osborne.
Wade, B. (2003). "Security for Public Utilities." Pp. 65-69 in R. Kemp (ed.) Homeland Security: Best Practices for Local Government. Washington DC: ICMA.
Last updated: 03/16/05
Syllabus for JUS 415 (Homeland Security)