CRIM 3460; Introduction to Critical Infrastructure Protection Spring 2016

Chapter 1 – Origins of Homeland Security and Critical Infrastructure Protection Policy

School of Criminology and Justice Studies University of Massachusetts Lowell

“Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government. They include, but are not limited to, telecommunications, energy, banking and finance, transportation, water systems and emergency services, both governmental and private.” Source: http://www.fas.org/irp/offdocs/pdd/pdd-63.htm

Critical infrastructure is the backbone of our nation's economy, security and health. We know it as the power we use in our homes, the water we drink, the transportation that moves us, and the communication systems we rely on to stay in touch with friends and family.

Critical infrastructure are the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.

Source: Department of Homeland Security, 2013

Source: Figure 1.1 “Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation”, Second Edition

Source: Table 1.1 “Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation”, Second Edition

Source: Table 1.1 “Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation”, Second Edition

Source: Table 1.3 “Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation”, Second Edition

Source: Table 1.3 “Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation”, Second Edition

Source: Table 1.4 “Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation”, Second Edition

Risk - The potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences.

Risk-Informed Decision-making - The determination of a course of action predicated on the assessment of risk, the expected impact of that course of action on that risk, and other relevant factors.

Risk Management Framework - A planning methodology that outlines the process for setting goals and objectives; identifying assets, systems, and networks; assessing risks; prioritizing and implementing protection programs and resiliency strategies; measuring performance; and taking corrective action.

Risk => fProb(x) • Consequence (x)

Where x = hazard

Hazards include: Natural disasters, such as hurricanes and earthquakes

Terror attacks

Vandalism

Where: ROI = Return on Investment

Risk = Expected loss

$Investment = Cost to reduce the risk

ROI = Risk (before) – Risk (after)

Investment $

Source: Figure 1.2 “Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation”, Second Edition

Definition - The ability to resist, absorb, recover from, or successfully adapt to adversity or a change in conditions.

How can this be measured?

How do we know when something is more or less resilient?

What does resist, absorb, recover mean?

What is adaptation?

More difficult to define….

Resilience is a property of a system; not just an object or single asset

Understanding of CIKR as systems is needed to determine resilience

A simple definition of resilience for now: Normal output

Collapse

Recovery

Elapsed time to recovery

This forms a triangle as shown

Source: Figure 1.2 “Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation”, Second Edition

High-risk vs. low-risk

Different strategies for different classifications?

Prevention vs. response

Low risk means the risk profile goes to zero with increasing consequence

High risk means the risk profile goes up forever, with increasing consequence

Risk is defined here as expected loss, or probable maximum loss.

Source: Figure 1.4a “Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation”, Second Edition

Low-risk profiles can initially be high and then drop to low, as consequence increases

Conversely, high-risk profiles can be low, initially, and then rise without bound, as consequence increases.

Source: Figure 1.4b “Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation”, Second Edition

Why is terrorism a low risk and earthquakes a high risk?

Source: Table 1.6 “Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation”, Second Edition