U.S. critical infrastructure protection

Last updated

In the U.S., critical infrastructure protection (CIP) is a concept that relates to the preparedness and response to serious incidents that involve the critical infrastructure of a region or the nation. The American Presidential directive PDD-63 of May 1998 set up a national program of "Critical Infrastructure Protection". [1] In 2014 the NIST Cybersecurity Framework was published after further presidential directives.

Contents

History

The U.S. CIP is a national program to ensure the security of vulnerable and interconnected infrastructures of the United States. In May 1998, President Bill Clinton issued presidential directive PDD-63 on the subject of critical infrastructure protection. [1] This recognized certain parts of the national infrastructure as critical to the national and economic security of the United States and the well-being of its citizenry, and required steps to be taken to protect it.

This was updated on December 17, 2003, by President George W. Bush through Homeland Security Presidential Directive HSPD-7 for Critical Infrastructure Identification, Prioritization, and Protection. [2] The updated directive would add in agriculture to the list of critical infrastructure within the country; this would undo the omission of agriculture from the 1998 presidential directive. The directive describes the United States as having some critical infrastructure that is "so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety." [2]

Overview

Take, for example, a computer virus that disrupts the distribution of natural gas across a region. This could lead to a consequential reduction in electrical power generation, which in turn leads to the forced shutdown of computerized controls and communications. Road traffic, air traffic, and rail transportation might then become affected. Emergency services might also be hampered.

An entire region can become debilitated because some critical elements in the infrastructure become disabled through natural disaster. While potentially in contravention of the Geneva Conventions, [3] military forces have also recognized that it can cripple an enemy's ability to resist by attacking key elements of its civilian and military infrastructure.

The federal government has developed a standardized description of critical infrastructure, in order to facilitate monitoring and preparation for disabling events. The government requires private industry in each critical economic sector to:

Infrastructure sectors

CIP defines sectors and organizational responsibilities in a standard way:

Oklahoma City bombing: Search and rescue teams formed from various emergency services coordinated by the Federal Emergency Management Agency Oklahomacitybombing-fema-1277.jpg
Oklahoma City bombing: Search and rescue teams formed from various emergency services coordinated by the Federal Emergency Management Agency

In 2003 the remit was expanded to include:

With much of the critical infrastructure privately owned, the Department of Defense (DoD) depends on commercial infrastructure to support its normal operations. The Department of State and the Central Intelligence Agency are also involved in intelligence analysis with friendly countries.

In May 2007 the DHS completed its sector-specific plans (SSP) for coordinating and dealing with critical events. [6] the Continuity of government (COG) in time of a catastrophic event can be used to preserve the government as seen fit by the president, at which point the welfare of the government can be placed above the welfare of the citizenry of the United States ensuring that the government is preserved to rebuild the economy and country when it is deemed safe to return to the surface of the United States of America.

Significance

On March 9, 1999, Deputy Defense Secretary John Hamre warned the United States Congress of a cyber terrorist "electronic Pearl Harbor" saying, "It is not going to be against Navy ships sitting in a Navy shipyard. It is going to be against commercial infrastructure". Later this fear was qualified by President Clinton after reports of actual cyber terrorist attacks in 2000: "I think it was an alarm. I don't think it was Pearl Harbor. We lost our Pacific fleet at Pearl Harbor. I don't think the analogous loss was that great. [7] "

There are many examples of computer systems that have been hacked or victims of extortion. One such example occurred in September 1995 where a Russian national allegedly masterminded the break-in of Citicorp's electronic funds transfer system and was ordered to stand trial in the United States. [8] A gang of hackers under his leadership had breached Citicorp's security 40 times during 1994. They were able to transfer $12 million from customer accounts and withdraw an estimated $400,000.

In the past, the systems and networks of the infrastructure elements were physically and logically independent and separate. They had little interaction or connection with each other or other sectors of the infrastructure. With advances in technology, the systems within each sector became automated, and interlinked through computers and communications facilities. As a result, the flow of electricity, oil, gas, and telecommunications throughout the country are linked—albeit sometimes indirectly—but the resulting linkages blur traditional security borders.

While this increased reliance on interlinked capabilities helps make the economy and nation more efficient and perhaps stronger, it also makes the country more vulnerable to disruption and attack. This interdependent and interrelated infrastructure is more vulnerable to physical and cyber disruptions because it has become a complex system with single points of failure. In the past an incident that would have been an isolated failure can now cause widespread disruption because of cascading effects. [9] As an example, capabilities within the information and communication sector have enabled the United States to reshape its government and business processes, while becoming increasingly software driven. One catastrophic failure in this sector now has the potential to bring down multiple systems including air traffic control, emergency services, banking, trains, electrical power, and dam control.

The elements of the infrastructure themselves are also considered possible targets of terrorism. For example, the 2022 attack on North Carolina’s power substations near Carthage leaving tens of thousands of residents without power. The ordeal left residents without proper heating, hot water, and the ability to cook for days as repairs took place. Authorities noted that the attack was intentionally committed via gunfire. [10] Traditionally, critical infrastructure elements have been lucrative targets for anyone wanting to attack another country. Now, because the infrastructure has become a national lifeline, terrorists can achieve high economic and political value by attacking elements of it. Disrupting or even disabling the infrastructure may reduce the ability to defend the nation, erode public confidence in critical services, and reduce economic strength. Additionally, well chosen terrorist attacks can become easier and less costly than traditional warfare because of the interdependence of infrastructure elements. These infrastructure elements can become easier targets where there is a low probability of detection.

The elements of the infrastructure are also increasingly vulnerable to a dangerous mix of traditional and nontraditional types of threats. Traditional and non-traditional threats include equipment failures, human error, weather and natural causes, physical attacks, and cyber-attacks. For each of these threats, the cascading effect caused by single points of failure has the potential to pose dire and far-reaching consequences.

Challenges

There are fears from global leaders that the frequency and severity of critical infrastructure incidents will increase in the future. [11] These infrastructure failures are prone to greatly affect the country’s residents who are on high alert. One of these future potential failures can be seen within the cyber security world as American citizens fear that their technological infrastructure is at risk. This comes as the world becomes more technologically advanced with the introduction of AI and technology into many areas of American life. [12]

Although efforts are under way, there is no unified national capability to protect the interrelated aspects of the country's infrastructure. One reason for this is that a good understanding of the inter-relationships does not exist. There is also no consensus on how the elements of the infrastructure mesh together, or how each element functions and affects the others. Securing national infrastructure depends on understanding the relationships among its elements as well as the immediate and delayed effects that these failures may have on residents. Thus, when one sector scheduled a three-week drill to mimic the effects of a pandemic flu, even though two-thirds of the participants claimed to have business continuity plans in place, barely half reported that their plan was moderately effective. [13] These can have drastic effects on those who do not have access to the necessary safeguards in place to protect themselves.

Some of the most critical infrastructure for any in the US are the roads, hospitals, and infrastructure that provides food to residents. An increased risk of the collapse of these critical infrastructure points can lead to, and in most cases have led to, drastic decreases in access to water, food, medical attention, and electricity. Critical needs for residents trapped in their homes and areas, residents who rely on medication or need to be transported to the nearest hospital, and residents who are heavily affected by malnutrition. This was seen during the 2005 Hurricane Katrina aftermath in new Orleans as thousands were displaced, hundreds killed, and thousands more injured with no clear way of receiving shelter or assistance. [14] There is a current movement to improve critical infrastructure with residents in mind.

Critical infrastructure protection requires the development of a national capability to identify and monitor the critical elements and to determine when and if the elements are under attack or are the victim of destructive natural occurrences. These natural occurrences have become more of a threat over the past couple of years due to climate change; increased occurrences of stronger storms, longer droughts, and rising sea levels. [15] CIP's is importance is the link between risk management and infrastructure assurance. It provides the capability needed to eliminate potential vulnerabilities in the critical infrastructure.

CIP practitioners determine vulnerabilities and analyze alternatives to prepare for incidents. They focus on improving the capability to detect and warn of impending attacks on, and system failures within, the critical elements of the national infrastructure. However, there are skeptics that see certain national infrastructure methods as harm to the communities that local and federal governments swore to protect. This is a key factor in the movement against Atlanta’s “Cop City” as residents say that there are negative systematic affects as well as negative environmental affects as well. [16]

Cop City

The Atlanta Public Safety Training Center, also known as, “Cop City” is one of the many examples of critical infrastructure created to try and serve the purpose of protecting the civilian populations. This form of critical infrastructure is one that works indirectly as the project aims to train current and incoming police officers and combat units. The plan is one that was put forth by the Atlanta Police Foundation in 2017 called the “Vision Safe Atlanta – Public Safety Action Plan.” This plan sees the police foundation receiving upgrades and attention to the crumbling infrastructure of police buildings and necessities throughout Atlanta. [17] The largest addition to the foundation and police force’s portfolio is about 85 acres of the city’s greenspace to construct a state-of-the-art training facility. [17]

The Atlanta Police Foundation is a private entity that works for the betterment of the city’s police force. According to the Atlanta Police Foundation, a private entity, the project has the backing of CEOs in the area along with public officials who not only have support for the foundation but support for the $90 million project which would lease and raze about 85 acres of publicly owned forests. [17] According to… the center is being privately funded by other private entities with 2/3 of funding coming from private finance and the other third coming from taxpayer dollars. [18] The new center would replace the crumbling police academy, which, according to the “Public Safety Action Plan,” needs to be replaced. the “Public Safety Action Plan” has a renovated and updated police academy budget at over $2 million; [17] a much cheaper price tag than the $30 million that the city would be contributing for the completion of the facility. These facilities include “a firing range, a burn building, and a ‘kill house’ designed to mimic urban combat scenarios”. [17] The overall goal of the facility is to ensure that Atlanta police officers are getting better training within the city whiles also getting a fresh space. Although a positive outlook for the Police Foundation and the Atlanta Police Department, the facility has faced some pushback from the public in terms of the destruction of public land as well as police misconduct concerns.

Atlanta is a city that is surrounded by large and lush green foliage earning the title of a “a city in a forest” by residents and visitors; according to residents, the importance of the city’s forests cannot be understated. With such a large presence of trees and green space, residents see these spaces as a vital part of the city’s natural ecosystems. Residents are concerned that the clearing of 85 acres of the forest will bring about an increase in poor air quality, decrease natural habitats in the area, and increase flooding in a vulnerable community which happens to be predominantly black. [18] Residents believe that the potential ecological damage was too much of a risk for some residents to stay idle; this is in addition to the potential increase of police violence. [16]

The movement to stop “cop city” came about as the calls to defund the Atlanta Police Department grew in the wake of calls to defund police departments across the country. [18] [16] There have been numerous organizations working to prevent construction from beginning through acts of moving into the forest, sabotaging equipment, and seeking legal action against the city and private companies who are working to supply equipment for the construction of the facility. [18] Many people outside of the community worked to stop “cop city” as well. The forest that the Police Foundation seeks to build their facility on is apart of Native Muscogee land. Tribe members traveled to the city to demand that the city end work and retreat from Muscogee land. The movement to stop “cop city” became a group effort by individuals who wanted to see change in the justice system in Atlanta as well as individuals who wanted to protect the natural habitats as they seek justice for the nonhuman species of Atlanta’s forests. [18] Although a growing movement, there is pushback from the city and the Police Foundation who want the so called “cop city” to go forward and will do anything to get it done. In defending the forest and trying to be heard and recognized by the city and the state government, protestors were met with harsh punishments; both legal and physical. In protesting, a nonbinary environmental activist named Manuel Esteban Paez Terán, or Tortuguita, was killed by Georgia State Patrol on January 18 bringing to light the violent effects of police patrol and watch over protestors. [18] [19]

As much as protestors are speaking up and out about the environmental destruction and negative effects of infrastructure, there are many laws and policies going into place that make it harder to exercise one’s free speech. Critical Infrastructure (CI) Trespass Bills are being introduced across the country to allow for the detention and prosecution of protestors that get in the way of infrastructure construction. [19] According to Jalbert et. al. and if these bills become law, they will allow for the use of drones, excessive force, facial recognition, and community surveillance tactics. [19] [20] Further, Akbar, Love, and Donoghoe argue that these bills will disproportionality affect protestors of color. [16] [18] This is seen by the death of Tortuguita and the mass arrest of Indigenous, black, and brown protesters. Not only are there arrests and violent responses by law authorities, but there are also actions that officials are taking to make CI trespassing a felony as many cite the protest of critical infrastructure to be terroristic actions. [19]

These laws stem from the growing systematic push to criminalize protestors from preventing the construction of new critical infrastructure; these laws are in response to country wide protests against pipeline construction. These are protests that stem from the desire to protect the climate and to protect Indigenous lands. [21] Protests tend to work to stop/slow the construction of new pipelines and aim to speak out against the local, state, and federal governments who support, and in many cases, fund the addition of oil and gas pipelines. [21] Indigenous peoples argue that pipeline construction goes against tribal treaties as well as has the possibility to jeopardize the land through pollution. [22] The intertwining of alleged environmental and systemic oppression has pushed residents of areas due for pipeline construction to speak out and against the projects.

Due to oil and gas pipelines falling under the sector of energy, they are seen as critical infrastructure. Therefore, the US government aims to  uphold and protect them. As a result, multiple states have deployed “Anti-Protest” laws to prevent the disruption of pipeline construction and any development of projects considered to be critical infrastructure and necessary for the advancement of the country. [23] [21] These laws make it a felony to stall and prevent the construction and development of critical infrastructure projects within states that implement these various “anti-protest” laws. [23] [24]

Due to the growing political push to prevent protesters from interfering in infrastructure projects, Georgia has become a state that is slowly using “anti-protest” laws and measures to prevent people from protesting “cop city” and other critical infrastructure projects in the state. [20] Activists have been detained and charged with felonies as they protest “cop city”. [20]

Critical Infrastructure Projects in the US has its supporters and its protestors and the response to these projects are made clear from all sides.

Organization and structure

PDD-63 mandated the formation of a national structure for critical infrastructure protection. To accomplish this one of the primary actions was to produce a National Infrastructure Assurance Plan, or NIAP, later renamed National Infrastructure Protection Plan or NIPP.

The different entities of the national CIP structure work together as a partnership between the government and the public sectors. Each department and agency of the federal government is responsible for protecting its portion of the government's critical infrastructure. In addition, there are grants made available through the Department of Homeland Security for municipal and private entities to use for CIP and security purposes. These include grants for emergency management, water security training, rail, transit and port security, metropolitan medical response, LEA terrorism prevention programs and the Urban Areas Security Initiative. [25]

PDD-63 identified certain functions related to critical infrastructure protection that must be performed chiefly by the federal government. These are national defense, foreign affairs, intelligence, and law enforcement. Each lead agency for these special functions appoints a senior official to serve as a functional coordinator for the federal government. In 2008 a mobile PDA-based Vulnerability Assessment Security Survey Tool (VASST) was introduced to speed physical security assessment of critical infrastructure by law enforcement to meet compliance requirements of PDD-63. [26]

National Infrastructure Assurance Plan / National Infrastructure Protection Plan

The National Infrastructure Protection Plan (NIPP) is a document called for by Homeland Security Presidential Directive 7, which aims to unify Critical Infrastructure and Key Resource (CIKR) protection efforts across the country. The latest version of the plan was produced in 2013 [27] The NIPP's goals are to protect critical infrastructure and key resources and ensure resiliency. It is generally considered unwieldy and not an actual plan to be carried out in an emergency, but it is useful as a mechanism for developing coordination between government and the private sector. The NIPP is based on the model laid out in the 1998 Presidential Decision Directive-63, which identified critical sectors of the economy and tasked relevant government agencies to work with them on sharing information and on strengthening responses to attack.

The NIPP is structured to create partnerships between Government Coordinating Councils (GCC) from the public sector and Sector Coordinating Councils (SCC) from the private sector for the eighteen sectors DHS has identified as critical.

For each of the identified major sectors of the critical infrastructure, the federal government appointed a Sector Liaison Official from a designated Lead Agency. A private sector counterpart, a Sector Coordinator, was also identified. Together, the two sector representatives, one federal government and one corporate, were responsible for developing a sector NIAP.

In addition, each department and agency of the federal government was responsible for developing its own CIP plan for protecting its portion of the federal government's critical infrastructure. The federal department and agency plans were assimilated with the sector NIAPs to create one comprehensive National Infrastructure Assurance Plan. Additionally the national structure must ensure there is a national CIP program. This program includes responsibilities such as education and awareness, threat assessment and investigation, and research.

The process includes assessments of:

Sector Specific Agencies

Sector Coordinating Councils

  • Agriculture and Food
  • Defense Industrial Base
  • Energy
  • Public Health and Healthcare
  • Financial Services
  • Water and Wastewater Systems
  • Chemical
  • Commercial Facilities
  • Dams
  • Emergency Services
  • Nuclear Reactors, Materials, and Waste
  • Information Technology
  • Communications
  • Postal and Shipping
  • Transportation Systems
  • Government Facilities

Examples of similar critical infrastructure protection plans are the German National Strategy for Critical Infrastructure Protection (CIP Strategy) and the Swedish STYREL Steering of electricity to prioritized users during short-term electricity shortages [28]

Controversy

There have been public criticisms of the mechanisms and implementation of some security initiatives and grants, with claims they are being led by the same companies who can benefit, [29] and that they are encouraging an unnecessary culture of fear. Commentators note that these initiatives started directly after the collapse of the Cold War, raising the concern that this was simply a diversion of the military-industrial complex away from a funding area which was shrinking and into a richer previously civilian arena.

Grants have been distributed across the different states even though the perceived risk is not evenly spread, leading to accusations of pork barrel politics that directs money and jobs towards marginal voting areas. The Urban Areas Security Initiative grant program has been particularly controversial, with the 2006 infrastructure list covering 77,000 assets, including a popcorn factory and a hot dog stand. [30] The 2007 criteria were reduced to 2,100 and now those facilities must make a much stronger case to become eligible for grants. [31] While well-intentioned, some of the results have also been questioned regarding claims of poorly designed and intrusive security theater that distracts attention and money from more pressing issues or creates damaging side effects.

An absence of comparative risk analysis and benefits tracking it has made it difficult to counter such allegations with authority. In order to better understand this, and ultimately direct effort more productively, a Risk Management and Analysis Office was recently created in the National Protection and Programs directorate at the Department of Homeland Security.

Department of Defense and CIP

The U.S. Department of Defense is responsible for protecting its portion of the government's critical infrastructure. But as part of the CIP program, DoD has responsibilities that traverse both the national and department-wide critical infrastructure.

PDD-63 identified the responsibilities DoD had for critical infrastructure protection. First, DoD had to identify its own critical assets and infrastructures and provide assurance through analysis, assessment, and remediation. DoD was also responsible for identifying and monitoring the national and international infrastructure requirements of industry and other government agencies, all of which needed to be included in the protection planning. DoD also addressed the assurance and protection of commercial assets and infrastructure services in DoD acquisitions. Other DoD responsibilities for CIP included assessing the potential impact on military operations that would result from the loss or compromise of infrastructure service. There were also requirements for monitoring DoD operations, detecting and responding to infrastructure incidents, and providing department indications and warnings as part of the national process. Ultimately, DoD was responsible for supporting national critical infrastructure protection.

In response to the requirements identified in PDD-63, DoD categorized its own critical assets by sector, in a manner similar to the national CIP organization. The DoD identified a slightly different list of infrastructure sectors for those areas that specifically required protection by DoD. DoD's organizational structure for critical infrastructure protection reflects, complements, and effectively interacts with the national structure for CIP.

DoD sectors

There are ten defense critical infrastructure sectors that are protected by the DoD. These include:

DoD special functions

The DoD CIP special function components interface with the equivalent national functional coordinators and coordinate all activities related to their function within DoD.

DoD's special function components currently include seven areas of focus. They include the following components:

DoD CIP lifecycle

As mandated by PDD-63, the DoD must protect its portion of the federal government's critical infrastructure. For DoD, this is the Defense Infrastructure or DI. Protecting the Defense Infrastructure is a complex task involving ten defense sectors.

It was deemed that it was nearly impossible to protect every critical asset at every location, therefore the focus was directed on protecting the critical Defense Infrastructure. The critical Defense Infrastructure is the critical assets essential to providing mission assurance.

The CIP Cycle (Chart 1) CIP-chart1.jpg
The CIP Cycle (Chart 1)

Six phases

The six phases of the DoD CIP life cycle build on one another to create a framework for a comprehensive solution for infrastructure assurance. The life cycle phases occur before, during, and after an event that may compromise or degrade the infrastructure. A synopsis of the six phases are:

Effective management of the CIP life cycle ensures that protection activities can be coordinated and reconciled among all DoD sectors. In many ways, DoD CIP, is risk management at its most imperative. Achieving success means obtaining mission assurance. Missing the mark can mean mission failure as well as human and material losses. For critical infrastructure protection, risk management requires leveraging resources to address the most critical infrastructure assets that are also the most vulnerable and that have the greatest threat exposure.

The most important part of the CIP lifecycle is Phase 1. Because it is crucial to target the right assets for infrastructure protection, determining these assets is the first phase in the CIP life cycle. This phase, Analysis and Assessment, is the key and foundation of the seven lifecycle activities. Without a solid foundation, the remaining CIP life cycle phases may be flawed, resulting in a CIP plan that fails to protect the critical infrastructure and, therefore, mission assurance.

Phase 1: Analysis and Assessment

Phase 1 determines what assets are important, and identifies their vulnerabilities, and dependencies so that decision makers have the information they need to make effective risk management choices.

The Defense Infrastructure, or DI, is organized into ten sectors. Each sector is composed of assets, such as systems, programs, people, equipment, or facilities. Assets may be simple, such as one facility within one geographic location, or complex, involving geographically dispersed links and nodes.

The Analysis and Assessment is made up of five steps that include activities that span and encompass the ten DI sectors and their assets.

Phase 1 Example in the “Real World”

On August 24, 2001, the Director of the Joint Staff requested USPACOM to serve as the lead support Combatant Command for creating a CIP first-ever theater CIP Plan – known as the “CIP Appendix 16 Plan”. The following is how USPACOM approached the task. USPACOM focused the Analysis and Assessment phase by organizing its activities to answer three major questions:

  • What is critical?
  • Is it vulnerable?
  • What can be done?

To answer the question, “What is critical?”, USPACOM outlined a three-step procedure:

  • First, identify the project focus.
  • Second, complete an operational analysis.
  • Third, complete a Defense Infrastructure analysis.

To accomplish these steps, USPACOM adopted a methodology that focuses its CIP efforts on Tier 1 assets. Tier 1 assets are assets that could cause mission failure if they are compromised or damaged. The methodology UAPACOM adopted and modified is Mission Area Analysis, or MAA. The MAA links combatant command missions to infrastructure assets that are critical to a given Operations Plan, or OPLAN, Contingency Plan, or CONPLAN, or Crisis Action Plan. Typically, the MAA process determines the assessment site priorities. USPACOM modified the process and selected the CIP assessment sites and installations prior to conducting the MAA. The following is an illustration of the USPACOM MAA process:

  • First, it identified the Mission Essential Requirements, or MERs, which are specific combatant commands or joint task force capabilities essential for execution of a warfighting plan. Then, they created an MER matrix for the specific command. For example, one MER may be to provide command, control, communications, and computers, or C4.
  • Second, it identified forces required for each MER. For example, the C4 MER is linked to a specific signal battalion. Third, it linked the forces to the necessary functions and tasks supporting the force. For example, the signal battalion is linked to the Communications and Civil Engineers functions and the task of managing the theater's C4 information systems requirements.
  • Third, it links assets to the functions supporting the tasks. The result is a mission area analysis of mission-critical assets.

USPACOM uses the MAA data it gathers to scope and focus its efforts on truly mission-critical assets to answer the next question in its process, Is it vulnerable?

The first step in answering this question is to complete an installation analysis. The next step is to complete a commercial infrastructure analysis. USPACOM relied upon two different DoD organizations for CIP assessments: Balanced Survivability Assessments, or BSAs, and Mission Assurance Assessments. The BSA is a two-week mission-focused assessment at a military installation or designated site. A Mission Assurance Assessment is unique because it uses an area assessment approach to focus on both commercial and military asset vulnerabilities and dependencies. The final step to determine vulnerabilities is to integrate the two analyses and assessments. With its critical assets and their vulnerabilities identified, USPACOM is ready to perform risk management activities to decide what can be done to protect the mission-critical assets.

Booz Allen Hamilton developed this process at PACOM.

Phase 2: Remediation

The first phase of the CIP life cycle, Analysis and Assessment, identified the critical assets of DoD sector infrastructures and the vulnerabilities or weaknesses of those critical assets.

The second phase is the Remediation phase. In the Remediation phase, the known weaknesses and vulnerabilities are addressed. Remediation actions are deliberate, precautionary measures designed to fix known virtual and physical vulnerabilities before an event occurs. The purpose of remediation is to improve the reliability, availability, and survivability of critical assets and infrastructures. Remediation actions apply to any type of vulnerability, regardless of its cause. They apply to acts of nature, technology failures, or deliberate malicious actions.

The cost of each remediation action depends on the nature of the vulnerability it addresses. The Defense Infrastructure Sector Assurance Plan that each infrastructure sector must develop, establishes the priorities and resources for remediation. Remediation requirements are determined by multiple factors. These are analysis and assessment, input from military planners and other DoD sectors, the National Infrastructure Assurance Plan and other plans, reports, and information on national infrastructure vulnerabilities and remediation, as well as intelligence estimates and assessments of threats.

Remediation requirements are also gathered through lessons learned from Defense Infrastructure sector monitoring and reporting and infrastructure protection operations and exercises. The CIP program tracks the status of remediation activities for critical assets. Remediation activities to protect the critical Defense Infrastructure cross multiple Department components.

Phase 3: Indications and Warnings

The need to monitor activities and warn of potential threats to the United States is not new. From conventional assaults to potential nuclear attacks, the military has been at the forefront of monitoring and warning of potential dangers since the founding of the country. Protecting the security and well-being of the United States, including the critical Defense Infrastructure, has now entered a new era. It has been deemed essential to have a coordinated ability to identify and warn of potential or actual incidents among critical infrastructure domains. The ability to detect and warn of infrastructure events is the third phase of the critical infrastructure protection life cycle, the Indications and Warnings phase.

Indications and warnings are actions or infrastructure conditions that signal an event is either:

Historically, DoD event indications have focused and relied on intelligence information about foreign developments. These event indications have been expanded to include all potential infrastructure disruption or degradation, regardless of its cause. DoD CIP indications are based on four levels of input:

This fusion of traditional intelligence information with sector-specific information has been determined to be essential for meaningful CIP indications.

If an indication is detected, a warning notifying the appropriate asset owners of a possible or occurring event or hazard can be issued. The sector's assurance plan determines what conditions and actions are monitored and reported for each Defense Infrastructure Sector. Each sector must develop a written Defense Sector Assurance Plan that includes a compendium of sector incidents for monitoring and reporting. The sector incident compendium is made up of three types of incidents:

DoD critical asset owners, installations, and sector CIAOs determine the DoD and sector-defined incidents. Each of the reportable incidents or classes of incidents must include the following components:

The National Infrastructure Protection Center (NIPC) is the primary national warning center for significant infrastructure attacks. Critical asset owners, DoD installations, and Sector CIAOs monitor the infrastructure daily. Indications of an infrastructure incident are reported to the National Military Command Center, or NMCC. If indications are on a computer network, they are also reported to the Joint Task Force Computer Network Operations (JTF-CNO). The NMCC and JTF-CNO assess the indications and pass them to the NIPC and appropriate DoD organizations. When the NIPC determines that an infrastructure event is likely to occur, is planned, or is under way, it issues a national warning. For DoD, the NIPC passes its warnings and alerts to the NMCC and JTF-CNO. These warnings and alerts are then passed to the DoD components. The warning may include guidance regarding additional protection measures DoD should take.

Phase 4: Mitigation

Phase 1 of the CIP life cycle provided a layer of protection by identifying and assessing critical assets and their vulnerabilities. Phase 2 provided another layer of protection by remediating or improving the identified deficiencies and weaknesses of an asset. Even with these protections and precautions, an infrastructure incident was still possible. When it does the Indications and Warnings phase goes into effect.

The Mitigation phase (Phase 4), is made up of preplanned coordinated actions in response to infrastructure warnings or incidents. Mitigation actions are taken before or during an infrastructure event. These actions are designed to minimize the operational impact of the loss of a critical asset, facilitate incident response, and quickly restore the infrastructure service.

A primary purpose of the Mitigation phase is to minimize the operational impact on other critical Defense Infrastructures and assets when a critical asset is lost or damaged. As an example, if there is a U.S. installation, Site A, located in a host nation. Site A is a tier 1 asset, meaning that if it fails, the Combatant Commands mission fails. Site A has mutual Global Information Grid Command Control (GIG/C2), information interdependencies with Sites B and C. In addition, other Defense Infrastructure sectors rely on Site A for mission capabilities. In this scenario, what could be the impact if the supply line to the commercial power plant that provides the installation's primary power is accidentally severed. Because of all the interdependencies, losing this asset is more than the loss of just one site. It means the loss of other sector capabilities.

A possible mitigation action might be for Site A to go on backup power. An alternate action could be to pass complete control of Site A's functionality to another site, where redundancy has been previously arranged. These actions would limit the impact of this incident on the other sites and related sectors. In addition to lessening the operational impact of a critical infrastructure event, the Mitigation phase of the CIP life cycle supports and complements two other life cycle phases. Mitigation actions aid in the emergency, investigation, and management activities of Phase 5, Incident Response. They also facilitate the reconstitution activities of Phase 6.

During the Mitigation phase, DoD critical asset owners, DoD installations, and Sector Chief Infrastructure Assurance Officers, or CIAOs, work with the National Military Command Center (NMCC) and the Joint Task Force-Computer Network Operations (JTF-CNO) to develop, train for, and exercise mitigation responses for various scenarios. When there is a warning, emergency, or infrastructure incident, the critical asset owners, installations, and Sector CIAOs initiate mitigation actions to sustain service to the DoD. They also provide mitigation status information to the NMCC and JTF-CNO. The NMCC monitors for consequences from an event within one Defense Infrastructure sector that are significant enough to affect other sectors. For events that cross two or more sectors, the NMCC advises on the prioritization and coordination of mitigation actions. When event threats or consequences continue to escalate, the NMCC directs mitigation actions by sector to ensure a coordinated response across the DoD. The NMCC and the JTF-CNO keep the National Infrastructure Protection Center, or NIPC, apprised of any significant mitigation activities.

Phase 5: Incident response

When an event affects the Defense Infrastructure, the Incident Response phase begins. Incident Response is the fifth phase of the CIP life cycle. The purpose of the Incident Response phase is to eliminate the cause or source of an infrastructure event. For example, during the 9/11 attacks on the World Trade Center and Pentagon, all non-military airplanes were grounded over the United States to prevent further incidents. Response activities included emergency measures, not from the asset owners or operators, but from dedicated third parties such as law enforcement, medical rescue, fire rescue, hazardous material or explosives handling, and investigative agencies. Response to Defense Infrastructure incidents can take one of two paths depending on whether or not the event affects a DoD computer network.

When incidents compromise a DoD computer network, the Joint Task Force-Computer Network Operations (JTF-CNO) directs the response activities. These activities are designed to stop the computer network attack, contain and mitigate damage to a DoD information network and then restore minimum required functionality. JTF-CNO also requests and coordinates any support or assistance from other Federal agencies and civilian organizations during incidents affecting a DoD network. When incidents impact any other DoD owned assets, installation commanders and critical asset owners follow traditional channels and procedures to coordinate responses. This includes notifying affected Sector Chief Infrastructure Assurance Officers, or CIAOs, in the initial notice and status reporting. Although third parties play a major role in the response to Defense Infrastructure events, DoD CIP personnel also have responsibilities to fulfill.

Phase 6: Reconstitution

After the source or cause of an infrastructure event is eliminated or contained, the infrastructure and its capabilities must be restored. Reconstitution is the last phase of the critical infrastructure protection. Reconstitution is probably the most challenging and least developed process of the life cycle. DoD critical asset owners have the major responsibility for reconstitution.

See also

Related Research Articles

Information security is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorized or inappropriate access to data or the unlawful use, disclosure, disruption, deletion, corruption, modification, inspection, recording, or devaluation of information. It also involves actions intended to reduce the adverse impacts of such incidents. Protected information may take any form, e.g., electronic or physical, tangible, or intangible. Information security's primary focus is the balanced protection of data confidentiality, integrity, and availability while maintaining a focus on efficient policy implementation, all without hampering organization productivity. This is largely achieved through a structured risk management process.

<span class="mw-page-title-main">Critical infrastructure</span> Infrastructure important to national security

Critical infrastructure, or critical national infrastructure (CNI) in the UK, describes infrastructure considered essential by governments for the functioning of a society and economy and deserving of special protection for national security. Critical infrastructure has traditionally been viewed as under the scope of government due to its strategic importance, yet there's an observable trend towards its privatization, raising discussions about how the private sector can contribute to these essential services.

<span class="mw-page-title-main">National Cyber Security Division</span>

The National Cyber Security Division (NCSD) is a division of the Office of Cyber Security & Communications, within the United States Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. Formed from the Critical Infrastructure Assurance Office, the National Infrastructure Protection Center, the Federal Computer Incident Response Center, and the National Communications System, NCSD opened on June 6, 2003.

Information security standards are techniques generally outlined in published materials that attempt to protect a user's or organization's cyber environment. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

<span class="mw-page-title-main">Under Secretary of Defense for Policy</span> United States government position

The United States under secretary of defense for policy (USDP) is a high level civilian official in the United States Department of Defense. The under secretary of defense for policy is the principal staff assistant and adviser to both the secretary of defense and the deputy secretary of defense for all matters concerning the formation of national security and defense policy.

A cybersecurity regulation comprises directives that safeguard information technology and computer systems with the purpose of forcing companies and organizations to protect their systems and information from cyberattacks like viruses, worms, Trojan horses, phishing, denial of service (DOS) attacks, unauthorized access and control system attacks. While cybersecurity regulations aim to minimize cyber risks and enhance protection, the uncertainty arising from frequent changes or new regulations can significantly impact organizational response strategies.

Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information. Information assurance includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data. IA encompasses both digital protections and physical techniques. These methods apply to data in transit, both physical and electronic forms, as well as data at rest. IA is best thought of as a superset of information security, and as the business outcome of information risk management.

Security controls or security measures are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity and availability of information.

National intelligence programs, and, by extension, the overall defenses of nations, are vulnerable to attack. It is the role of intelligence cycle security to protect the process embodied in the intelligence cycle, and that which it defends. A number of disciplines go into protecting the intelligence cycle. One of the challenges is there are a wide range of potential threats, so threat assessment, if complete, is a complex task. Governments try to protect three things:

Information technology risk, IT risk, IT-related risk, or cyber risk is any risk relating to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.

Proactive cyber defense, means acting in anticipation to oppose an attack through cyber and cognitive domains. Proactive cyber defense can be understood as options between offensive and defensive measures. It includes interdicting, disrupting or deterring an attack or a threat's preparation to attack, either pre-emptively or in self-defence.

<span class="mw-page-title-main">Department of Defense Cyber Crime Center</span> United States defense organization

The Department of Defense Cyber Crime Center (DC3) is designated as a Federal Cyber Center by National Security Presidential Directive 54/Homeland Security Presidential Directive 23, as a Department of Defense (DoD) Center Of Excellence for Digital and Multimedia (D/MM) forensics by DoD Directive 5505.13E, and serves as the operational focal point for the Defense Industrial Base (DIB) Cybersecurity program. DC3 operates as a Field Operating Agency (FOA) under the Inspector General of the Department of the Air Force.

In computer security, a threat is a potential negative action or event enabled by a vulnerability that results in an unwanted impact to a computer system or application.

Control system security, or automation and control system (ACS) cybersecurity, is the prevention of interference with the proper operation of industrial automation and control systems. These control systems manage essential services including electricity, petroleum production, water, transportation, manufacturing, and communications. They rely on computers, networks, operating systems, applications, and programmable controllers, each of which could contain security vulnerabilities. The 2010 discovery of the Stuxnet worm demonstrated the vulnerability of these systems to cyber incidents. The United States and other governments have passed cyber-security regulations requiring enhanced protection for control systems operating critical infrastructure.

<span class="mw-page-title-main">Information security operations center</span> Facility where enterprise information systems are monitored, assessed, and defended

An information security operations center is a facility where enterprise information systems are monitored, assessed, and defended.

Cyber Security and Information Systems Information Analysis Center (CSIAC) is a United States Department of Defense (DoD) Information Analysis Center (IAC) sponsored by the Defense Technical Information Center (DTIC). The CSIAC is a consolidation of three predecessor IACs: the Data & Analysis Center for Software (DACS), the Information Assurance Technology IAC (IATAC) and the Modeling & Simulation IAC (MSIAC), with the addition of the Knowledge Management and Information Sharing technical area.

National Cyber Security Policy is a policy framework by Department of Electronics and Information Technology (DeitY) It aims at protecting the public and private infrastructure from cyber attacks. The policy also intends to safeguard "information, such as personal information, financial and banking information and sovereign data". This was particularly relevant in the wake of US National Security Agency (NSA) leaks that suggested the US government agencies are spying on Indian users, who have no legal or technical safeguards against it. Ministry of Communications and Information Technology (India) defines Cyberspace as a complex environment consisting of interactions between people, software services supported by worldwide distribution of information and communication technology.

<span class="mw-page-title-main">National Cybersecurity and Critical Infrastructure Protection Act of 2013</span>

The National Cybersecurity and Critical Infrastructure Protection Act of 2013 is a bill that would amend the Homeland Security Act of 2002 to require the Secretary of the Department of Homeland Security (DHS) to conduct cybersecurity activities on behalf of the federal government and would codify the role of DHS in preventing and responding to cybersecurity incidents involving the Information Technology (IT) systems of federal civilian agencies and critical infrastructure in the United States.

National Critical Information Infrastructure Protection Centre (NCIIPC) is an organisation of the Government of India created under Section 70A of the Information Technology Act, 2000 (amended 2008), through a gazette notification on 16 January 2014. Based in New Delhi, India, it is designated as the National Nodal Agency in terms of Critical Information Infrastructure Protection. It is a unit of the National Technical Research Organisation (NTRO) and therefore comes under the Prime Minister's Office (PMO).

Operational collaboration is a cyber resilience framework that leverages public-private partnerships to reduce the risk of cyber threats and the impact of cyberattacks on United States cyberspace. This operational collaboration framework for cyber is similar to the Federal Emergency Management Agency (FEMA)'s National Preparedness System which is used to coordinate responses to natural disasters, terrorism, chemical and biological events in the physical world.

References

  1. 1 2 Presidential directive PDD-63
  2. 1 2 "December 17, 2003 Homeland Security Presidential Directive/Hspd-7". White House Archives. 17 December 2003. Retrieved 29 July 2014.
  3. Article 52 and 54 of the Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts ("Geneva Conventions")
  4. Financial Services Information Sharing and Analysis Center
  5. Jaynes, Cristen Hemingway (2024-02-27). "Biden's DOE Announces $366 Million for Green Energy Projects in Rural and Remote Areas". EcoWatch. Retrieved 2024-05-02.
  6. Department of Homeland Security - Sector-Specific Plans Archived 2011-03-06 at the Wayback Machine
  7. Federation of American Scientists February 15, 2000 Presidential remarks on Computer Security
  8. Harmon, Amy (1995-08-19). "Hacking Theft of $10 Million From Citibank Revealed". Los Angeles Times. Retrieved 2024-05-02.
  9. Austen Givens, "Deepwater Horizon Oil Spill Is An Ominous Sign for Critical Infrastructure's Future", May 27, 2011.
  10. Sullivan, Becky; de la Canal, Nick (December 5, 2022). "What we know about the attack on two North Carolina power substations". npr. Retrieved May 2, 2024.
  11. Paul J. Maliszewski, "Modeling Critical Vaccine Supply Location: Protecting Critical Infrastructure and Population in Central Florida Archived 2009-03-20 at the Wayback Machine " (2008)
  12. Visé, Daniel de (2023-04-07). "Americans now fear cyberattack more than nuclear attack". The Hill. Retrieved 2024-05-02.
  13. How Well Can Wall Street Handle Pandemic Flu? Drill Results Are Mixed Archived 2011-07-18 at the Wayback Machine Wall Street & Technology
  14. "Remembering New Orleans chaos, 10 years after Katrina". Correspondent. 2015-08-27. Retrieved 2024-05-02.
  15. Forzieri, Giovanni; Bianchi, Alessandra; Batista e Silva, Filipe; A. Marin Herrera, Mario; Leblois, Antoine; Lavalle, Carlo; C.J.H. Aerts, Jeroen; Feyen, Luc (January 2018). "Escalating impacts of climate extremes on critical infrastructures in Europe". Global Environmental Change. 48: 97–107. Bibcode:2018GEC....48...97F. doi:10.1016/j.gloenvcha.2017.11.007. PMC   5872142 . PMID   29606806.
  16. 1 2 3 4 Love, Hanna; Donoghoe, Manann. "Atlanta's 'Cop City' and the relationship between place, policing, and climate". Brookings. Retrieved 2024-05-02.
  17. 1 2 3 4 5 "Vision Safe Atlanta" (PDF). Atlanta Police Foundation. 2017. Retrieved May 2, 2024.
  18. 1 2 3 4 5 6 7 Akbar, Amna A. (2023). "The Fight Against Cop City". Dissent. 70 (2): 62–70. doi:10.1353/dss.2023.0011. ISSN   1946-0910.
  19. 1 2 3 4 Jalbert, Kirk; Wasserman, Sherri; Garza Navarro, Homero; Florence, Natalie (2023-02-01). "Petro-Security State Power and the Imaginaries of Extremism: An Analysis of U.S. Critical Infrastructure Trespass Bills Targeting Anti-Pipeline Advocacy Movements". Environmental Justice. 16 (1): 43–53. doi: 10.1089/env.2021.0102 . ISSN   1939-4071.
  20. 1 2 3 Federman, Adam (April 17, 2024). "The War on Protest Is Here". In These Times. Retrieved May 2, 2024.
  21. 1 2 3 Mueller-Hsia, Kaylana (March 17, 2021). "Anti-Protest Laws Threaten Indigenous and Climate Movements". Brennan Center for Justice. Retrieved May 2, 2024.
  22. Lakhani, Nina (2021-01-21). "'No more broken treaties': indigenous leaders urge Biden to shut down Dakota Access pipeline". The Guardian. ISSN   0261-3077 . Retrieved 2024-05-02.
  23. 1 2 Buchele, Mose (September 25, 2019). "Activists Say New Laws To Protect Critical Infrastructure Aim To Silence Them". npr. Retrieved May 2, 2024.
  24. Cagle, Susie (2019-07-08). "'Protesters as terrorists': growing number of states turn anti-pipeline activism into a crime". The Guardian. ISSN   0261-3077 . Retrieved 2024-05-02.
  25. 2006 Catalog of Federal domestic assistance grants Archived 2016-11-18 at the Wayback Machine (CFDA), including security projects
  26. "Aegis Bleu Launches VASST, Vulnerability Assessment Security Survey Tool", PR Leap 11 September 2008.
  27. "National Infrastructure Protection Plan" (PDF). United States Department of Homeland Security. Archived from the original (PDF) on 2017-05-15. Retrieved 2014-07-15.
  28. Große, C. & Olausson, P.M. (2023). Is there enough power?: Swedish risk governance and emergency response planning in case of a power shortage. Stockholm: SNS
  29. Elisa Williams, "Climate of Fear", Forbes magazine, 2 April 2002
  30. Eric Lipton, "Terror Target List", The New York Times , July 12, 2006.
  31. Zack Phillips, "Security Theater Archived 2007-08-24 at the Wayback Machine ," Government Executive, 1 August 2007.
  32. Critical Infrastructure Interdependency Wheel (CIIW) assessment tool Archived 2011-07-17 at the Wayback Machine