Supplemental Tool: Connecting to the NICC and NCCIC...Working Draft Draft October 21, 2013 1 3000...

Working Draft

Draft October 21, 2013 1

Supplemental Tool: Connecting to the NICC and NCCIC 3000

There shall be two national critical infrastructure centers operated by DHS – one for physical 3001

infrastructure and another for cyber infrastructure. They shall function in an integrated manner and 3002

serve as focal points for critical infrastructure partners to obtain situational awareness and integrated, 3003

actionable information to protect the physical and cyber aspects of critical infrastructure. 3004

- Presidential Policy Directive 21, Critical Infrastructure Security and Resilience 3005

Presidential Policy Directive 21 (PPD-21) highlights the role of the national physical and cyber 3006 coordinating centers in enabling successful critical infrastructure security and resilience 3007 outcomes. The National Cybersecurity and Communications Integration Center (NCCIC) and the 3008 National Infrastructure Coordinating Center (NICC) fulfill this Department of Homeland 3009

Security (DHS) responsibility within the critical infrastructure partnership. The NICC serves as a 3010 clearinghouse to receive and synthesize critical infrastructure information and provide that 3011

information back to decision makers at all levels inside and outside of government to enable 3012 rapid, informed decisions in steady state, heightened alert, and during incident response. The 3013 NCCIC is a round-the-clock information sharing, analysis, and incident response center focused 3014

on cybersecurity and communications where government, private sector, and international 3015 partners share information and collaborate on response and mitigation activities to reduce the 3016

impact of significant incidents, enhance partners’ security posture, and develop and issue alerts 3017 and warnings while creating strategic and tactical plans to combat future malicious activity. An 3018 integrated analysis component works in coordination with both centers to contextualize and 3019

facilitate greater understanding of the information streams flowing through the two centers. 3020 3021

This supplement describes how partners throughout the critical infrastructure community—3022

owner/operators, Federal partners, regional consortia, and State, local, tribal, and territorial 3023

governments—can connect to the NICC and NCCIC. It describes what information is desired by 3024 the centers and their partners, as well as how they protect and analyze that data to make timely 3025

and actionable information available to partners to inform prevention, protection, mitigation, 3026 response, and recovery activities. 3027 3028

These centers, along with an integrated analysis function, build situational awareness across 3029 critical infrastructure sectors based on partner input and provide back information with greater 3030

depth, breadth, and context than the individual pieces from any individual partner or sector. 3031 PPD-21 highlights the importance not just of what these centers can provide to the partnership, 3032 but the multi-directional information sharing that enables them to build true situational 3033 awareness, stating: “The success of these national centers, including the integration and analysis 3034 function, is dependent on the quality and timeliness of the information and intelligence they 3035

receive from the Sector-Specific Agencies (SSAs) and other Federal departments and agencies, 3036 as well as from critical infrastructure owners and operators and State, local, tribal, and territorial 3037

(SLTT) entities.” 3038 3039

Working Draft


I. The Centers 3040

The National Infrastructure Coordinating Center (NICC) 3041 The NICC is the watch center component of the National Protection and Programs Directorate’s 3042 (NPPD’s) Office of Infrastructure Protection, the national physical infrastructure center as 3043 designated by the Secretary of Homeland Security, and an element of the National Operations 3044 Center (NOC). The NICC serves as the national focal point for critical infrastructure partners to 3045 obtain situational awareness and integrated actionable information to protect physical critical 3046

infrastructure. The mission of the NICC is to provide 24/7 situational awareness, information 3047 sharing, and unity of effort to ensure the protection and resilience of the Nation’s critical 3048 infrastructure. When an incident or event impacting critical infrastructure occurs that requires 3049 coordination between DHS and the owners and operators of critical infrastructure, the NICC 3050 serves as a national coordination hub to support the protection and resilience of physical critical 3051

infrastructure assets. Establishing and maintaining relationships with critical infrastructure 3052 partners both within and outside the Federal Government is at the core of the NICC’s ability to 3053

execute its functions. The NICC collaborates with Federal departments and agencies and private 3054

sector partners to monitor potential, developing, and current regional and national operations of 3055

the Nation’s critical infrastructure sectors. 3056

The National Cybersecurity and Communications Integration Center (NCCIC) 3057 The NCCIC is the lead cybersecurity and communications organization within DHS, and it 3058 serves as the national cyber critical infrastructure center designated by the Secretary of 3059 Homeland Security. The NCCIC applies analytic resources, generates shared situational 3060

awareness, and coordinates synchronized response, mitigation, and recovery efforts in the event 3061 of significant cyber or communications incidents. The NCCIC’s mission includes leading the 3062

cyberspace protection efforts for Federal civilian agencies and providing cybersecurity support 3063

and expertise to State, local, international, and private sector critical infrastructure partners. The 3064

NCCIC fulfills this mission through trusted and frequent coordination with law enforcement, the 3065 Intelligence Community (IC), international Computer Emergency Readiness Teams, domestic 3066

Information Sharing and Analysis Centers (ISACs), and critical infrastructure partners to share 3067

information and collaboratively respond to incidents. 3068

Information-Sharing Mechanisms 3069 The centers share information with their constituents through a variety of mechanisms. Partners 3070 may connect directly to the centers but often receive NICC/NCCIC information through their 3071

respective SSAs or other parties such as regional consortia, ISACs, Fusion Centers, etc. 3072

Online Resources (Web portals and Public Internet) 3073

Homeland Security Information Network – Critical Infrastructure (HSIN-CI): 3074 HSIN-CI provides secure networked information sharing covering the full 3075 range of critical infrastructure interests. Validated critical infrastructure 3076 partners are eligible for HSIN-CI access. 3077

o The NICC posts content from a variety of internal and external sources that is 3078

available to all Critical Infrastructure (CI) partners, including incident situation 3079 reports, threat reports, impact modeling and analysis, common vulnerabilities, 3080 potential indicators, and protective measures. 3081

Working Draft


o The NICC combines current high-interest incidents and events on the HSIN-CI 3082

“front page” to enable easy access to relevant information. 3083 o Individual sectors and sub-sectors self-manage more specific portals within 3084

HSIN-CI where smaller communities of participants receive and share relevant 3085 information for their particular information needs. 3086

o HSIN-CI also includes capabilities to facilitate multiple types of information 3087 sharing and coordination, including suspicious activity reporting, webinars, 3088 shared calendars, etc. 3089

o To ensure broad sharing of essential information, the NICC also receives and 3090 provides information via other HSIN portals. 3091

United States Computer Emergency Readiness Team (US-CERT) and Industrial 3092 Control Systems Cyber Emergency Response Team (ICS-CERT) portal: The NCCIC 3093 provides a secure, web-based, collaborative system to share sensitive cybersecurity 3094

prevention, protection, mitigation, response, and recovery information with validated 3095 private sector, government, and international partners. The NCCIC provides partners 3096

with access to two components of the secure portal, which hold information regarding 3097

cyber indicators, incidents, and malware digests for critical infrastructure systems: 3098 o The Cobalt Compartment serves as an information hub for enterprise systems 3099

security. 3100

o The Control System Compartment provides material on industrial control systems 3101 and is limited to control system asset owners/operators. 3102

US-CERT.gov: This publicly open website provides extensive vulnerability and 3103 mitigation information to partners around the world, including: 3104

o A Control Systems section containing Control Systems Advisories and reports of 3105 particular interest to critical infrastructure owners and operators. 3106

o A National Cyber Awareness System, which provides timely alerts, bulletins, tips, 3107

and technical documents for those who sign up. 3108 o Cybersecurity incident reporting, providing critical infrastructure partners with a 3109

secure means to report cybersecurity incidents. 3110

3111

Email and Other Electronic Means 3112 Both centers maintain connectivity with a variety of partners through email, automated data 3113 exchange, and other means. This form of connectivity allows very precise outreach when broad 3114 communications is inappropriate or not possible. In coordination with the SSAs, both the NICC 3115 and the NCCIC will reach out directly to specific partners as a developing situation or 3116 information need evolves. Similarly, both centers are available to stakeholders throughout the 3117

partnership when rapid response to information needs is essential. 3118

Teleconferences 3119

National threat briefings: During periods of heightened threat or concern, the NICC will 3120 coordinate through the SSAs and relevant critical infrastructure partners to conduct 3121 unclassified teleconferences regarding current intelligence, expected actions, and 3122 protective measure options for consideration. 3123

Incident specific cross-sector calls: 3124 o NICC: During significant incidents, the NICC will coordinate calls with the SSA 3125

and Government Coordinating Council (GCC)/Sector Coordinating Council 3126

Working Draft


(SCC) leadership to discuss national and cascading impacts and determine 3127

potential courses of action to mitigate risk. If necessary, the NICC will also 3128 leverage GCC/SCC and regional partners to determine locally affected partners to 3129 conduct large-scale teleconferences to share mutual situational awareness and 3130 address key areas of concern. 3131

o NCCIC: The NCCIC will similarly reach out to sector partners through its 3132

established mechanisms. 3133

Classified Meetings and Briefings 3134

During periods of heightened threat or concern with significant classified components, 3135 the NICC and/or NCCIC, in conjunction with the IC, will coordinate through the SSAs, 3136 GCCs, and SCCs to conduct classified briefings on current intelligence, expected actions, 3137 and protective measure options for consideration. 3138

The centers, in collaboration with the SSAs and the IC, may assist in arranging similar 3139 briefings outside of the National Capital Region. 3140

In-Person Meetings and Regional Extensions 3141 Onsite consultations and self-evaluations: The NCCIC helps asset owners take preventive 3142

measures necessary to prepare for and protect from cyber attacks via no-cost onsite 3143

defense-in-depth cybersecurity strategic analysis of critical infrastructure by DHS subject 3144 matter experts. 3145

Infrastructure Protection (IP) regional staff: The NICC works in close coordination with 3146 DHS and IP field personnel and other regional public and private partners. Information 3147

sharing to and from the field is coordinated between the NICC and DHS Protective 3148 Security Advisors and chemical inspectors in the field, preventing information stove 3149

pipes while reducing duplication of effort. 3150

Integrating Partners into Daily Operations 3151 The NICC and NCCIC incorporate critical infrastructure partners into their day-to-day 3152 operations, even incorporating both public- and private-sector partners into their physical watch 3153

facilities. These partners serve as bidirectional conduits of information between the centers and 3154 the liaison’s home agency or sector. These partners include, but are not limited to, ISACs, SSAs, 3155 Federal law enforcement, the intelligence community, and other key partners. 3156 3157

II. Federal Partners 3158 3159

Both centers maintain active relationships with Federal partners from among the SSAs, law 3160 enforcement, intelligence, and emergency management communities. Beyond these mission 3161

partners, other government agencies should also work in coordination with the NICC and 3162 NCCIC where they share interest in critical infrastructure-related information. For example, the 3163 NICC works closely with the State Department’s Overseas Security Advisory Council, which 3164 often has the earliest releasable information regarding threats to physical infrastructure overseas 3165 and is therefore an essential partner for ensuring this information is available to the domestic 3166

critical infrastructure community. At the same time, the NCCIC works on a daily basis with 3167 other Federal cyber centers to exchange critical information and coordinate analytical and 3168

Working Draft


response processes. Both centers provide reports to the NOC to facilitate shared situational 3169

awareness across the Federal community. 3170 3171

Sector-Specific Agencies 3172 The SSAs actively engage with the centers through the mechanisms listed above. The NICC and 3173

NCCIC rely on the SSAs to ensure connectivity broadly across the sectors. During significant 3174 incidents, the SSAs provide the NICC and NCCIC with sector impacts for inclusion in the 3175 comprehensive infrastructure Common Operating Picture (COP), which is then shared back with 3176 the SSAs and other partners. 3177 3178

The Intelligence Community 3179 The NICC and NCCIC serve as a major conduit for IC threat information—both classified and 3180 unclassified—to the owners and operators of critical infrastructure. 3181

3182

Federal Law Enforcement 3183 The NICC and NCCIC, within their information sharing protocols and protections, provide 3184 suspicious activity reporting and other similar information to Federal law enforcement entities. 3185

Federal Emergency Management 3186 During major incidents, the NICC and NCCIC maintain close coordination with the Federal 3187 Emergency Management Agency (FEMA) to ensure that overall critical infrastructure status and 3188

impacts on life and safety are understood throughout the Federal incident response community. 3189 Both the NICC and the NCCIC provide liaisons directly to the National Response Coordination 3190

Center to ensure continuous bidirectional information flow. The SSAs are often directly tied to 3191 the Federal emergency management structure as noted in the table below. The SSAs provide 3192 detailed sector-specific status information, while the NICC and NCCIC provide the cross-sector 3193

analysis of the system-of-systems that makes up our national critical infrastructure. During major 3194

national incidents, particular focus is placed on those lifeline functions on which most critical 3195 infrastructure sectors depend; this includes communications, energy, transportation, and water. 3196 More information on critical infrastructure information sharing during significant incidents is 3197

found in the Critical Infrastructure Support Annex to the National Response Framework. 3198

Sector SSA Related Emergency Support

Function(s) (ESF)1

Chemical Department of Homeland

Security

ESF #10 – Oil and Hazardous

Materials Response (support)

Commercial

Facilities

Department of Homeland

Security

Communications Department of Homeland

Security

ESF #2 – Communications

(coordinator/primary)

1

The ESFs provide the structure for coordinating Federal interagency support for a Federal response to an incident. They are mechanisms for

grouping functions most frequently used to provide Federal support to States and Federal-to-Federal support, both for declared disasters and emergencies under the Stafford Act and for non-Stafford Act incidents.

Working Draft


Sector SSA Related Emergency Support

Function(s) (ESF)1

Critical

Manufacturing


Security

Dams Department of Homeland

Security

ESF #3 – Public Works and

Engineering (support)

Defense

Industrial Base

Department of Defense

Emergency

Services


Security

ESF #4 – Firefighting (support)

ESF #5 – Information and

Planning (support)

ESF #13 – Public Safety and

Security (support)

Energy Department of Energy ESF #12 – Energy


ESF #10 – Oil and Hazardous

Materials Response (support)

Financial

Services

Department of the Treasury

Food and

Agriculture

U.S. Department of

Agriculture and Department of

Health and Human Services

ESF #11 – Agriculture and

Natural Resources (USDA:

(coordinator/primary; HHS:

support)

Government

Facilities


Security and General Services

Administration

Healthcare and

Public Health

Department of Health and

Human Services

ESF #6 – Mass Care, Emergency

Assistance, Housing, and Human

Services (support)

ESF #8 – Public Health and

Medical Services


Information

Technology


Security

Nuclear

Reactors,

Materials, and

Waste


Security

ESF #12 – Energy


Transportation

Systems


Security and Department of

Transportation

ESF #1 – Transportation (DOT:

coordinator/primary; DHS:

support)

Water and

Wastewater

Systems

Environmental Protection

Agency

ESF #3 – Public Works and

Engineering (support)

3199

Working Draft


III. Critical Infrastructure Owners and Operators 3200 3201 Individual critical infrastructure owners and operators will often send and receive information to 3202 and from the national centers through intermediary entities, but can always reach directly to the 3203 centers if necessary to share or request mission-critical information. The centers are in 3204

continuous contact with the ISACs and SSAs. 3205

IV. State, Local, Tribal, and Territorial Government Partners, and Other 3206

Regional Partnerships and Consortia 3207 3208 The NICC and NCCIC are resources for non-Federal partners in government and regional 3209 public-private consortia and coalitions. The coordinating centers may leverage existing regional 3210 partnerships to ensure information penetration to decision makers, especially during significant 3211

incidents affecting multiple sectors within a region. The centers, in conjunction with other 3212 national critical infrastructure partners where appropriate, also share information with State and 3213

local fusion centers, InfraGard chapters, Maritime Area Security Committees, FEMA regional 3214

offices, etc. 3215

V. Common Information-Sharing Requirements, Systems, and Processes 3216 3217

The two centers continuously set and refine common information-sharing requirements, systems, 3218 and processes to facilitate a COP that delivers actionable information to decision makers at all 3219

levels. Specifically: 3220

Refine and manage critical information requirements (CIRs): To build situational 3221 awareness, each center operates using a set of defined CIRs, which should be 3222

continuously evaluated and refined to ensure optimal situational awareness. SSAs and 3223

other departments and agencies may augment these with sector-specific CIRs, and 3224 requirements should be coordinated with critical infrastructure owners and operators and 3225

the State, Local, Tribal, and Territorial Government Coordinating Council. 3226 3227

Leverage the DHS COP for a combined, cross-sector situational awareness picture 3228 for critical infrastructure security and resilience: Data feeds and web services should 3229

be created across SSAs and other Federal, State, local, tribal, and territorial governments, 3230 as well as private sector entities to inform the critical infrastructure centers and overall 3231 critical infrastructure COP. In turn, this larger national situational awareness picture is 3232 shared back out among the partnership to enable participants to have greater depth and 3233 context of knowledge than they would otherwise have. 3234

3235

VI. Information Protection 3236 3237 The NICC and NCCIC, as information management and coordination centers, are capable of 3238 handling information under a wide range of handling caveats. These protections and caveats 3239 include, but are not limited to: classified, For Official Use Only, Personally Identifiable 3240 Information (PII), Sensitive PII, Protected Critical Infrastructure Information, Chemical-3241

Working Draft


terrorism Vulnerability Information, Law Enforcement Sensitive, and various industry standards 3242

such as the Traffic Light Protocol used by many ISACs. 3243

VII. Get Connected 3244

Centers 3245 National Infrastructure Coordinating Center: [email protected]/202–282–9201 3246 3247 National Cybersecurity and Communications Integration Center: [email protected]/888–3248 282–0870 3249

3250

Portals 3251 HSIN-CI: 3252 To request HSIN-CI access, submit the following to [email protected]: 3253

Name 3254

Employer 3255

Title 3256

Business email 3257

Brief written justification 3258

For questions regarding HSIN-CI access, please contact the NICC. 3259 3260

US-CERT and ICS-CERT Portal – An individual or organization can request access to the 3261 Cobalt Compartment by sending an e-mail to [email protected] with the subject 3262

line, “Request access to Cobalt Compartment.” To access the Control System Compartment, 3263

send an e-mail to [email protected] with the subject line, “Request access to 3264

Control Systems Compartment.” 3265

3266

To qualify for either compartment, requestors must: 3267

Be a U.S.-based organization; 3268

Have a role within your organization’s network defense 3269 community; and 3270

Be a control system asset owner/operator (specific to the Control 3271 System Compartment). 3272

3273

mailto:[email protected]




Working Draft


Supplemental Tool: The Critical Infrastructure Risk Management 3274

Framework 3275

3276

Risk is defined as the potential for an unwanted outcome resulting from an incident, event, or 3277 occurrence, as determined by its likelihood and the associated consequences.

2 Simply stated, 3278

risk is influenced by the nature and magnitude of a threat or hazard, the vulnerabilities from 3279

that threat or hazard, and the consequences that could result. Risk information enables 3280 partners, ranging from facility owners and operators to Federal agencies, to prioritize risk 3281 mitigation efforts. 3282 3283 This supplement describes how the critical infrastructure risk management framework can be 3284

used as part of the overall effort to ensure the security and resilience of our Nation’s critical 3285 infrastructure. The critical infrastructure risk management framework, depicted in Figure 1, 3286

supports the integration of strategies, capabilities, and governance to enable risk-informed 3287 decision making related to the Nation’s critical infrastructure. This framework is applicable to 3288

threats such as cyber incidents, natural disasters, manmade safety hazards, and acts of terrorism, 3289 although different information and methodologies may be used to understand each. 3290 3291

There are other risk management models used in government and industry, which can be more 3292 detailed and often are tailored to a specific need. For example, private industry uses specific 3293

models, utilizing standards and best practices, to assess operational and economic business risks. 3294 The critical infrastructure risk management framework is not intended to replace any such 3295 models or processes already in use. Rather, it provides a common, unifying approach to risk 3296

management that all critical infrastructure partners can use, relate to, and align with their own 3297 risk management models and activities. 3298 3299 Figure 1: Critical Infrastructure Risk Management Framework 3300

3301 The critical infrastructure risk management framework is tailored toward and applied on an asset, 3302

system, network, or functional basis, depending on the fundamental characteristics of each 3303 individual critical infrastructure sector. For those sectors primarily dependent on fixed assets and 3304 physical facilities, a bottom-up, asset-by-asset approach may be most appropriate. For sectors 3305

2 DHS Risk Lexicon, U.S. Department of Homeland Security, 2010.

Working Draft


such as Communications, Information Technology, and Food and Agriculture, with accessible 3306

and distributed systems, a top-down, business or mission continuity approach that uses risk 3307 assessments focused on network and system interdependencies may be more effective. Each 3308 sector must pursue the approach that produces the most effective use of resources and has the 3309 opportunity to contribute to cross-sector comparative risk analyses conducted by the Department 3310

of Homeland Security (DHS). The risk management framework is also useful at a community 3311 level, as jurisdictions or businesses can work collaboratively to make risk-informed decisions 3312 within their span of control. 3313 3314 The critical infrastructure risk management framework includes the following activities: 3315

3316

Set Goals and Objectives: Define specific outcomes, conditions, end points, or 3317 performance targets that collectively describe an effective and desired risk management 3318

posture. 3319

Identify Critical Infrastructure (assets, systems, and networks): Develop an inventory 3320 of critical assets, systems, and networks that contribute to critical functionality, and 3321

collect information pertinent to risk management, including analysis of dependencies and 3322 interdependencies. 3323

Assess and Analyze Risks: Evaluate the risk, taking into consideration the potential 3324 direct and indirect consequences of an incident, known vulnerabilities to various potential 3325 threats or hazards, and general or specific threat information. 3326

Implement Risk Management Activities: Make decisions and implement risk 3327 management approaches to control, accept, transfer, or avoid risks. Approaches can 3328

include prevention, protection, mitigation, response, and recovery activities. 3329

Measure Effectiveness: Use metrics and other evaluation procedures to measure 3330 progress and assess the effectiveness of efforts to secure and strengthen the resilience of 3331 critical infrastructure. 3332

3333 This process is an ongoing and continuing one with feedback loops and iterative steps. It 3334

allows the critical infrastructure partnership to track progress and implement actions to improve 3335 national critical infrastructure security and resilience over time. The physical, cyber, and 3336 human elements of critical infrastructure should be considered in tandem in each aspect of the 3337

risk management framework. The partnership structures discussed in the National Plan 3338 provide the mechanism for coordination of risk management activities that are flexibly 3339 tailored to different sectors, levels of government, and owners and operators. 3340

I. Set Goals and Objectives 3341 3342

Achieving robust, secure, and resilient infrastructure requires national, State, local, and 3343 sector-specific critical infrastructure visions, goals, and objectives that are collaboratively 3344

developed and describe the desired risk management posture. Goals and objectives should 3345 consider the physical, cyber, and human elements of critical infrastructure security and 3346 resilience. Goals and objectives may vary across sectors and organizations, depending on the 3347 risk landscape, operating environment, and composition of a specific industry, resource, or 3348 other aspect of critical infrastructure. 3349 3350

Working Draft


Nationally, the overall goal of critical infrastructure-related risk management is an enhanced 3351

state of security and resilience achieved through the implementation of focused risk 3352 management activities within and across sectors and levels of government. The risk 3353 management framework supports this goal by: 3354 3355

Enabling the development of national, State, regional, and sector risk profiles that support 3356 the National Critical Infrastructure Security and Resilience Annual Report. These risk 3357 profiles outline the highest risks facing different sectors and geographic regions and 3358

identify cross-sector or regional issues of concern that are appropriate for the Federal 3359 critical infrastructure focus, as well as opportunities for sector, State, and regional 3360 initiatives. 3361

Enabling the critical infrastructure community to determine the best courses of action to 3362 reduce potential consequences, threats, and/or vulnerabilities, which, in turn, reduce risk. 3363

Some available options include encouraging voluntary implementation of focused risk 3364 management strategies (e.g., through public-private partnerships), applying standards and 3365 best practices, pursuing economic incentive-related policies and programs, and 3366

conducting additional information sharing, if appropriate. 3367

Informing the identification of risk management and resource allocation options, rather 3368 than specifying requirements for critical infrastructure owners and operators. It also 3369 allows for a variety of support from government partners. 3370

3371

From a sector or jurisdictional perspective, critical infrastructure security and resilience goals 3372 and their supporting objectives: 3373

3374

Consider distinct assets, systems, networks, functions, operational processes, business 3375 environments, and risk management approaches; 3376

Define the risk management posture that critical infrastructure partners seek to attain 3377 individually or collectively; and 3378

Express this posture in terms of the outcomes and objectives sought. 3379 3380 Taken collectively, these goals and objectives guide all levels of government and the private 3381

sector in tailoring risk management programs and activities to address critical infrastructure 3382 security and resilience needs. 3383

II. Identify Critical Infrastructure 3384 3385

Partners—both public and private—identify the infrastructure that they consider critical to 3386 focus their efforts for improving and enhancing security and resilience. Different partners 3387

view criticality differently and thereby may identify different infrastructure of concern to 3388 them. The Federal Government works with partners to determine which assets, systems, and 3389 networks are nationally significant. Some sectors identify regional, State, and locally 3390 significant infrastructure as a joint activity between public- and private-sector partners. 3391 Private-sector owners and operators may identify additional infrastructure that are necessary 3392

to keep their businesses running to provide goods and services to their customers. Similarly, 3393 State, local, tribal, and territorial (SLTT) governments should identify those assets, systems, 3394 and networks that are crucial to their continued operations to ensure public health and safety 3395

Working Draft


and the provision of essential services. 3396

3397 The National Critical Infrastructure Prioritization Program (NCIPP) identifies nationally 3398 significant infrastructure to support risk-informed decision making by the Federal Government 3399 and its critical infrastructure partners. Critical assets, systems, and networks identified through 3400

this process include those, which if destroyed or disrupted, could cause some combination of 3401 significant casualties, major economic losses, or widespread and long-term impacts to national 3402 well-being and governance capacity. The NCIPP collects, identifies, and prioritizes critical 3403 infrastructure information from States, critical infrastructure sectors, and other homeland security 3404 partners across the Nation. The NCIPP uses an enhanced infrastructure data collection 3405

application, which provides the ability to input data throughout the year. 3406 3407 Data collected through the NCIPP forms the basis of a national inventory that includes those 3408

assets, systems, and networks that are nationally significant and those that may not be 3409 significant on a national level but are, nonetheless, important to State, local, or regional 3410 critical infrastructure security and resilience and national preparedness efforts. The goal of 3411 the national inventory is to provide access to relevant information for natural disasters, industrial 3412

accidents, and other incidents. Critical infrastructure partners work together to ensure that the 3413 inventory data structure is accurate, current, and secure. 3414

3415 The Federal Government, including the Sector-Specific Agencies (SSAs), works with critical 3416 infrastructure owners and operators and SLTT entities to build upon and update existing 3417

inventories at the State and local levels to avoid duplication of past or ongoing 3418 complementary efforts. 3419

Identifying Cyber Infrastructure 3420 The national plan addresses security and resilience of the cyber elements of critical 3421 infrastructure in an integrated manner rather than as a separate consideration. As a component 3422

of the sector-specific risk assessment process, cyber system components should be identified 3423 individually or be included as a cyber element of a larger asset, system, or network with which 3424

they are associated. The identification process should include information on international 3425 cyber infrastructure with cross-border implications, interdependencies, or cross-sector 3426 ramifications. 3427

3428 Cyber system elements that exist in most, if not all, sectors include business systems, control 3429 systems, access control systems, and warning and alert systems. The Internet has been 3430

identified as an essential resource, comprising the domestic and international assets within 3431 both the Information Technology and Communications Sectors, and the need for access to and 3432 reliance on information and communications technology is common to all sectors. 3433

3434 DHS supports the SSAs and other critical infrastructure partners by developing tools and 3435 methodologies to assist in identifying cyber assets, systems, and networks, including those 3436 that involve multiple sectors. Several sectors have developed a functions-based approach for 3437

Working Draft


identifying cyber-dependent critical infrastructure. The Cyber-Dependent Infrastructure 3438

Identification3 approach is based on three high-level steps, which include: 3439

3440

Defining criteria for “catastrophic” impacts across all sectors; 3441

Evaluating previous sector efforts to determine how they can be leveraged to identify 3442 cyber-dependent critical infrastructure at greatest risk; and 3443

Applying a functions-based approach to identify cyber-dependent infrastructure and its 3444 impacts on the sector. 3445

3446 Additionally, DHS, in collaboration with other critical infrastructure partners, provides 3447 cross-sector cyber methodologies, which, when applied, enable sectors to identify cyber assets, 3448

systems, and networks that may have nationally significant consequences if destroyed, 3449 incapacitated, or exploited. These methodologies also characterize the reliance of a sector’s 3450

business and operational functionality on cyber systems. 3451 3452 Today's information systems, networks, and end-user mobile devices are highly dependent upon 3453 the availability of accurate and precise positioning, navigation, and timing (PNT) data. PNT 3454

services are critical to the operations of multiple critical infrastructure sectors and are vital to 3455 incident response. The U.S. Air Force operates the Global Positioning System (GPS), a dual-use 3456

system that provides PNT services worldwide for civil and military purposes. The free, open, and 3457 dependable nature of GPS has led to the development of hundreds of applications affecting every 3458 aspect of modern life and U.S. economic growth. Other countries are also investing in global 3459

navigation satellite systems like GPS. While space-based PNT services are highly available and 3460 reliable, these services can be subject to intentional and unintentional disruption by interference 3461

or signal blockage, thus preventing valuable PNT data from reaching intended recipients. 3462 Because so many business functions and operations rely exclusively on GPS for location and 3463

timing data, disruption to GPS civil services could potentially create a point of failure and lead to 3464 cascading effects across multiple sectors. 3465

3466 To better understand and mitigate risks from potential disruptions to GPS service availability, 3467 critical infrastructure partners can identify the sources and applications of PNT information that 3468

support or enable their critical functions and operations, continually assess dependencies and 3469 interdependencies, and implement steps to increase the resilience of critical infrastructure 3470 operations in the event of interference to or disruption of primary PNT services. 3471

III. Assess Risks 3472 3473 Homeland security risks can be assessed in terms of their likelihood and consequences. 3474

Common definitions, scenarios, assumptions, metrics, and processes are needed to ensure 3475 that risk assessments contribute to a shared understanding among critical infrastructure 3476

partners. The risk management framework outlines a risk assessment approach that results in 3477 sound, scenario-based, consequence and vulnerability estimates, as well as an assessment of 3478 the likelihood that the postulated threat or hazard would occur. 3479

3 Executive Order 13636, Improving Critical Infrastructure Cybersecurity, February 2013.

Working Draft


3480

The National Plan calls for critical infrastructure partners to generally assess risk from any 3481 scenario, considering both likelihood and consequence. As stated in the introduction to this 3482 supplemental tool, it is important to think of risk as influenced by the nature and magnitude 3483 of a threat or hazard, the vulnerabilities to those threats and hazards, and the consequences 3484

that could result. 3485

Threat: Natural or manmade occurrence, individual, entity, or action that has or indicates 3486 the potential to harm life, information, operations, the environment, and/or property. For 3487

the purpose of calculating risk, the threat of an unintentional hazard is generally 3488 estimated as the likelihood that a hazard will manifest itself. Intentional hazard is 3489 generally estimated as the likelihood of an attack being attempted by an adversary. In the 3490 case of intentionally adversarial actors and actions, for both physical and cyber effects, 3491 the threat likelihood is estimated based on the intent and capability of the adversary. 3492

3493

Vulnerability: Physical feature or operational attribute that renders an entity open to 3494 exploitation or susceptible to a given hazard. In calculating the risk of an intentional haz-3495

ard, a common measure of vulnerability is the likelihood that an attack is successful, 3496 given that it is attempted. 3497

Consequence: The effect of an event, incident, or occurrence; reflects the level, duration, 3498 and nature of the loss resulting from the incident. For the purposes of the national plan, 3499 potential consequences may fall into four categories: public health and safety (i.e., loss of 3500

life and illness), economic (direct and indirect), psychological, and governance/mission 3501 impacts. 3502

3503 It is appropriate for critical infrastructure risk assessments to explicitly consider each of these 3504 factors, but it is not necessary to do so in a quantifiable manner. In conducting assessments, 3505

analysts should be very careful when calculating risk to properly address interdependencies 3506

and any links between how the threats and vulnerabilities were calculated to ensure that the 3507 results are sound and defensible. 3508 3509

A comprehensive critical infrastructure risk assessment will explicitly consider each of these 3510

factors, to the extent necessary for decision making and as possible, given the available 3511 information. Critical infrastructure-related risk assessments are conducted on assets, systems, 3512 or networks, depending on the characteristics of the infrastructure being examined. Individual 3513 threat, consequence, or vulnerability assessments may be useful on their own or in the 3514 aggregate to assess risk. 3515

Critical Infrastructure Risk Assessments 3516 Risk assessments are conducted by many critical infrastructure partners to meet their own 3517 decision-making needs, using a broad range of methodologies. As a general rule, simple but 3518

defensible methodologies are preferred over more complicated methods. Simple methodologies 3519 are more likely to fulfill the requirements of transparency and practicality. 3520 3521 Risk methodologies are often sorted into qualitative and quantitative categories, but when well-3522 designed, both types of assessments have the potential to deliver useful analytic results. 3523 Similarly, both qualitative and quantitative methodologies can be needlessly complex or poorly 3524

Working Draft


designed. The methodology that best meets the decision maker’s needs is generally the best 3525

choice, whether quantitative or qualitative. 3526 3527 The common analytic principles originally provided in the National Infrastructure Protection 3528 Plan are broadly applicable to all parts of a risk methodology. These principles provide a guide 3529

for improving existing methodologies or modifying them so that the investment and 3530 expertise they represent can be used to support national-level, comparative risk assessments, 3531 investments, incident response planning, and resource prioritization. Recognizing that many 3532 risk assessment methodologies are under development and others evolve in a dynamic 3533 environment, the analytic principles for risk assessment methodologies serve as a guide to future 3534

adaptations. The basic analytic principles ensure that risk assessments are: 3535 3536

Documented: The methodology and the assessment must clearly document what 3537 information is used and how it is synthesized to generate a risk estimate. Any 3538 assumptions, weighting factors, and subjective judgments need to be transparent to the 3539

user of the methodology, its audience, and others who are expected to use the results. The 3540

types of decisions that the risk assessment is designed to support and the timeframe of the 3541 assessment (e.g., current conditions versus future operations) should be given. 3542

Reproducible: The methodology must produce comparable, repeatable results, even 3543 though assessments of different critical infrastructure may be performed by different 3544 analysts or teams of analysts. It must minimize the number and impact of subjective 3545

judgments, leaving policy and value judgments to be applied by decision makers. 3546

Defensible: The risk methodology must logically integrate its components, making 3547 appropriate use of the professional disciplines relevant to the analysis, as well as be free 3548 from significant errors or omissions. Uncertainty associated with consequence estimates 3549 and confidence in the vulnerability and threat estimates should be communicated. 3550

Risk Scenario Identification 3551 It is generally helpful for homeland security risk assessments to use scenarios to divide the 3552

identified risks into separate pieces that can be assessed and analyzed individually. A scenario is 3553 a hypothetical situation comprised of an identified hazard, an entity impacted by that hazard, and 3554

associated conditions including consequences, when appropriate. 3555 3556

When analysts are developing plausible scenarios to identify potential risks for a risk assessment, 3557 the set of scenarios should attempt to cover the full scope of the assessment to ensure that the 3558 decision maker is provided with complete information when making a decision. For a relatively 3559 fixed system, an important first step is to identify those components or critical nodes where 3560 potential consequences would be highest and where security and resilience activities can be 3561

focused. Analysts should take care when dealing with the results, as including multiple scenarios 3562 that contain the same event could lead to double counting the risk. 3563

Threat and Hazard Assessment 3564 The remaining factor to be considered in the risk assessment process is the assessment of threat 3565 and/or hazard. Assessment of the current terrorist threat to the United States is derived from 3566 extensive study and understanding of terrorists and terrorist organizations, and frequently is 3567 dependent on analysis of classified information. The Federal Government provides its 3568 partners with unclassified assessments of potential terrorist threats and appropriate access to 3569

Working Draft


classified assessments where necessary and authorized. These threat assessments are derived 3570

from analyses of adversary intent and capability, and describe what is known about terrorist 3571 interest in particular critical infrastructure sectors, as well as specific attack methods. Since 3572 international terrorists, in particular, have continually demonstrated flexibility and 3573 unpredictability, DHS and its partners in the intelligence community also analyze known 3574

terrorist goals, objectives, and developing capabilities to provide critical infrastructure 3575 owners and operators with a broad view of the potential threat and postulated terrorist attack 3576 methods. Similar approaches are used to assess the threats of theft, vandalism, sabotage, 3577 insider threat, cyber threats, active shooter, and other deliberate acts. 3578 3579

Both domestic and international critical infrastructure remains potential prime targets for 3580 adversaries. Given the deeply rooted nature of these goals and motivations, critical 3581 infrastructure likely will remain highly attractive targets for state and non-state actors and others 3582

with ill intent. Threat assessments must address the various elements of both physical and 3583 cyber threats to critical infrastructure, depending on the attack type and target. 3584

3585 Hazard assessments draw on historical information and future predictions about natural 3586 hazards to assess the likelihood or frequency of various hazards. This is an area where various 3587

components of the Federal Government work with sector leadership and owners and operators 3588 to make assessments in advance of any specific hazard as well as once an impending hazard 3589

(such as a hurricane yet to make landfall) is identified. 3590

Vulnerability Assessment 3591 Vulnerabilities are physical features or operational attributes that render an entity open to 3592 exploitation or susceptible to a given hazard. Vulnerabilities may be associated with physical 3593

(e.g., no barriers or alarm systems), cyber (e.g., lack of a firewall), or human (e.g., untrained 3594

guards) factors. A vulnerability assessment can be a stand-alone process or part of a full risk 3595 assessment. The vulnerability assessment involves the evaluation of specific threats to the asset, 3596 system, or network under review to identify areas of weakness that could result in 3597

consequences of concern. 3598 3599

Many different vulnerability assessment approaches are used in the different critical 3600 infrastructure sectors and by various government authorities. Many of the Sector-Specific 3601 Plans (SSPs) describe vulnerability assessment methodologies used in the sectors. The 3602 SSPs also may provide specific details regarding how the assessments can be carried out 3603 (e.g., by whom and how often). 3604

Consequence Assessment 3605 Consequence categories may include: 3606

Public Health and Safety: Effect on human life and physical well-being (e.g., fatalities, 3607 injuries/illness). 3608

Economic: Direct and indirect economic losses (e.g., cost to rebuild asset, cost to 3609 respond to and recover from attack, downstream costs resulting from disruption of 3610 product or service, long-term costs due to environmental damage). 3611

Psychological: Effect on public morale and confidence in national economic and 3612 political institutions. This encompasses those changes in perceptions emerging after a 3613 significant incident that affect the public’s sense of safety and well-being and can 3614

Working Draft


manifest in aberrant behavior. 3615

Governance/Mission Impact: Effect on the ability of government or industry to maintain 3616 order, deliver minimum essential public services, ensure public health and safety, and 3617

carry out national security-related missions. 3618 3619 Consequence analysis should ideally address both direct and indirect effects. Many assets, 3620 systems, and networks depend on connections to other critical infrastructure to function. For 3621 example, nearly all sectors share relationships with elements of the Energy, Information 3622

Technology, Communications, Financial Services, and Transportation Systems sectors. In 3623 many cases, the failure of an asset or system in one sector will affect the ability of interrelated 3624 assets or systems in the same or another sector to perform the necessary functions. 3625 Furthermore, cyber interdependencies present unique challenges for all sectors because of 3626 the borderless nature of cyberspace. Interdependencies are dual in nature. For example, the 3627

Energy Sector relies on computer-based control systems to manage the electric power grid, 3628 while those same control systems require electric power to operate. As a result, complete 3629

consequence analysis addresses both critical infrastructure interconnections for the purposes 3630

of risk assessment. 3631 3632 The level of detail and specificity achieved by using the most sophisticated models and 3633

simulations may not be practical or necessary for all assets, systems, or networks. In these 3634 circumstances, a simplified dependency and interdependency analysis based on expert 3635

judgment may provide sufficient insight to make informed risk management decisions in a 3636 timely manner. 3637 3638

There is also an element of uncertainty in consequence estimates. Even when a scenario with 3639 reasonable worst-case conditions is clearly stated and consistently applied, there is a range of 3640

outcomes that could occur. For some incidents, the consequence range is small, and a simple 3641 estimate may provide sufficient information to support decisions. If the range of outcomes is 3642

large, the scenario may require more specificity about conditions to obtain appropriate 3643 estimates of the outcomes. However, if the scenario is broken down to a reasonable level of 3644

granularity and there is still significant uncertainty, the estimate should be accompanied by the 3645 uncertainty range to support more informed decision making. The best way to communicate 3646

uncertainty will depend on the factors that make the outcome uncertain, as well as the amount 3647 and type of information that is available. 3648

IV. Implement Risk Management Activities 3649 3650 The selection and implementation of appropriate risk management activities requires 3651

prioritization to help focus planning, increase coordination, and support effective resource 3652 allocation and incident management, response, and restoration decisions. Comparing the risk 3653 faced by different entities helps identify where risk mitigation is most needed and to 3654 subsequently determine and help justify the most cost-effective risk management options. 3655

Prioritization can be used primarily to inform resource allocation decisions, such as where risk 3656 management programs should be instituted; guide investments in these programs; and highlight 3657 the measures that offer the greatest return on investment. 3658 3659

Working Draft


The prioritization process also develops information that can be used during incident 3660

response to help inform decision makers regarding issues associated with critical infrastructure 3661 restoration. It also provides the basis for understanding potential risk-mitigation benefits that 3662 are used to inform planning and resource decisions. 3663 3664 Critical infrastructure partners rely on different approaches to prioritize risk management 3665

activities according to their authorities, specific sector needs, risk landscapes, security 3666 approaches, and business environment. For example, owners and operators, Federal agencies, 3667 and State and local authorities all have different options available to them to help reduce risk. 3668 Asset-focused priorities may be appropriate for critical infrastructure with risks predominantly 3669 associated with facilities, the local environment, and physical attacks, especially those that 3670

can be exploited and used as weapons. Function-focused priorities may more effectively 3671 ensure the continuity of operations in the event of a terrorist attack or natural disaster in 3672 sectors where critical infrastructure resilience may be more important than critical 3673

infrastructure hardening. Programs intended to reduce critical infrastructure risk will prioritize 3674 investments that secure physical assets or ensure resilience in virtual systems, depending on 3675 which option best enables cost-effective critical infrastructure risk management. 3676

3677 Risk management actions involve measures designed to prevent, deter, and mitigate the 3678 threat; reduce vulnerability to an attack or other disaster; minimize consequences; and enable 3679

timely, efficient response and restoration in a post-event situation, whether a terrorist attack, 3680 natural disaster, or other incident. The risk management framework focuses attention on 3681

those prevention, protection, mitigation, response, and recovery activities that bring the 3682 greatest return on investment, not simply the vulnerability reduction to be achieved. Security 3683 and resilience activities vary between sectors and across a wide spectrum of activities designed to 3684

deter, devalue, detect, defend, protect, and strengthen critical infrastructure. 3685

3686 Risk management activities also may include the means for reducing the consequences of an 3687 attack or incident. These actions are focused on mitigation, response, and/or recovery. Often 3688

it is more cost-effective to build security and resilience into assets, systems, and networks 3689 than to retrofit them after initial development and deployment. Accordingly, critical 3690

infrastructure partners should consider how risk management, robustness, and appropriate 3691 physical and cyber security enhancements can be incorporated into the design and construction 3692 of new critical infrastructure and the redesign of existing infrastructure. 3693 3694

In situations where robustness and resilience are keys to critical infrastructure security, it may be 3695 more effective and efficient to implement programs at the system level rather than at the 3696 individual asset level (e.g., if there are many similar facilities, it may be easier to allow other 3697 facilities to provide the infrastructure service rather than to secure each facility). 3698

3699 In light of the specifics of the scenario of interest, analysts should consider industry standards, 3700 best practices, practices used effectively in other settings, and lessons learned from actual events 3701

and exercises. Analysts should describe the options in enough detail to define the extent to which 3702 they will reduce the elements of risk and estimate their life-cycle costs, i.e., initial investment or 3703 startup, operations, maintenance and support, and, for physical options, their demolition and 3704 disposal when their usefulness has ended. It is important to review the candidate options for 3705 synergies (e.g., instances where risk-reduction options designed for one scenario affect the risk—3706

Working Draft


positively or negatively—of other scenarios). Exploiting positive synergies and avoiding 3707

negative ones allows analysts to select cost-effective portfolios of options. 3708 3709 Effective risk management activities are comprehensive, coordinated, and cost-effective. 3710 Risk management decisions should be made based on an analysis of the costs and other 3711

impacts, as well as the projected benefits of identified courses of action—including the no-action 3712 alternative if a risk is considered to be effectively managed already. It is important to note that 3713 risk management actions can be evaluated based on their potential to manage risk in the 3714 aggregate across a range of scenarios, as well as their ability to manage risks associated with a 3715 single scenario; maintaining both perspectives is crucial in identifying the most effective actions. 3716

V. Measure Effectiveness 3717 3718

The use of performance metrics is a critical step in the critical infrastructure risk management 3719 process to enable assessment of improvements in critical infrastructure security and resilience. 3720

While the results of risk analyses help sectors set priorities, performance metrics allow 3721 partners to track progress against these priorities and against their goals and objectives. The 3722

metrics provide a basis for the critical infrastructure community to establish accountability, 3723 document actual performance, promote effective management, and provide a feedback 3724 mechanism to inform decision making—strengthening this voluntary program. 3725

3726 The national outcomes around risk management, shared situational awareness, and national 3727 preparedness referenced in the introduction of the national plan will be central to effectively 3728 assessing progress, providing a shared understanding of the desired “end-state” the voluntary 3729

partnership is collectively working to achieve. The accompanying set of national goals (see 3730 Section 2 of the National Plan) will illustrate the broad courses of action necessary to achieve 3731

those national outcomes. Developed through a participatory process involving a wide range of 3732 critical infrastructure partners, these national outcomes and goals will facilitate measurement by 3733

adding specificity to the ultimate outcome of critical infrastructure security and resilience 3734 established in Presidential Policy Directive 21. 3735

3736 With this common understanding as a baseline, the critical infrastructure community can 3737

demonstrate progress toward those outcomes using available data and information. When 3738 significant progress has been made toward the national-level outcomes and goals—or as the risk 3739 environment, policy landscape, and field of practice evolve—the community will review and 3740 update these outcomes and goals. Sectors and regional partnerships should develop goals 3741 complementary to the national outcomes and goals but tailored to the specific sector or 3742

geographic area. 3743

Using Metrics and Performance Measurement for Continuous Improvement 3744 By using metrics to evaluate the effectiveness of voluntary partnership efforts to achieve 3745 national and sector priorities, critical infrastructure partners can adjust and adapt their 3746 security and resilience approaches to account for progress achieved, as well as changes in the 3747 threat and other relevant environments. Metrics are used to focus attention on areas of 3748 security and resilience that warrant additional resources or other changes through an analysis 3749 of challenges and priorities at the national, sector, and owner/operator levels. 3750

Working Draft


In addition to supporting the evaluation of progress against priorities, metrics also serve as a 3751

feedback mechanism for other parts of the critical infrastructure risk management frame-3752 work. The metrics can inform progress against broader sector goals and provide analysts 3753 with information to adjust their risk assessments. For instance, metrics indicate the effectiveness 3754 of security and resilience activities and the extent to which these activities are reducing risks. 3755

Finally, metrics can inform the prioritization process, as this information can assist decision 3756 makers in identifying effective ways to achieve desired outcomes. 3757

3758

Working Draft


Supplemental Tool: DHS Resources for Vulnerability Assessments 3759

3760 Assessing vulnerabilities of critical infrastructure is an important step in conducting a risk 3761 assessment and an activity central to the critical infrastructure risk management framework. 3762

The Department of Homeland Security (DHS) conducts vulnerability assessments of the 3763 Nation’s critical infrastructure to inform its internal risk management processes, and as a form 3764 of technical assistance to its State, local, tribal, and territorial (SLTT) and private sector 3765 partners to enable their own risk assessments. DHS provides additional resources, typically in 3766 the form of informational material on known vulnerabilities, to support the risk assessments 3767

done by critical infrastructure partners. This supplement provides information on Federal 3768 resources that are used by DHS and available to SLTT governments and critical infrastructure 3769 owners and operators to identify and assess critical infrastructure vulnerabilities. 3770

I. DHS Vulnerability Assessments 3771 3772

The Homeland Security Act of 2002 and Presidential Policy Directive 21 direct the DHS 3773 Secretary to conduct comprehensive assessments of the vulnerabilities of the Nation’s critical 3774 infrastructure, in coordination with the Sector-Specific Agencies (SSAs) and in collaboration 3775

with SLTT entities and critical infrastructure owners and operators. The following paragraphs 3776 summarize some of the resources available from DHS for identifying and assessing critical 3777

infrastructure vulnerabilities. 3778 3779 Cyber Resilience Review (CRR). The DHS Office of Cybersecurity and Communications 3780

conducts voluntary assessments to evaluate and enhance cybersecurity capacities and 3781 capabilities within the critical infrastructure sectors and State, local, tribal, and territorial 3782

governments through its CRR process. The goal of the CRR is to understand and measure key 3783 cybersecurity capabilities and provide meaningful maturity indicators of an organization’s 3784

operational resilience and ability to manage cyber risk to its critical services during normal 3785 operations and times of operational stress and crisis. To schedule a CRR, or to request 3786

additional information, please email the Cyber Security Evaluation program at 3787 [email protected]. 3788

3789 Enhanced Critical Infrastructure Protection (ECIP) Security Surveys. ECIP Security 3790 Surveys are voluntary, non-regulatory assessments of the overall security posture of the 3791 Nation’s critical infrastructure. Security Surveys collect, process, and analyze facility data to 3792 develop a detailed assessment of physical security, security management, security force, 3793

information sharing, protective measures, dependencies, and preparedness. The resulting 3794

survey information is provided to owners and operators and may be shared with SSAs and 3795

other Federal, State, local, and private sector representatives, as appropriate, through 3796 interactive “Dashboards.” In addition to providing a facility and sector security overview, the 3797 “Dashboards” highlight areas of potential concern and feature options to view the impact of 3798 potential enhancements to protective and resilience measures. The DHS Office of 3799 Infrastructure Protection (IP) conducts Security Surveys at the request of the participating 3800 facility. More information can be obtained through the local Protective Security Advisor or by 3801 emailing [email protected]. 3802



Working Draft


3803

Site Assistance Visits (SAVs). SAVs are voluntary vulnerability assessments that assist 3804 owners and operators of critical infrastructure with identifying and documenting 3805 vulnerabilities, protective measures, planning needs, and options for consideration to increase 3806 protection from, and resilience to, a wide range of hazards. Like the Security Survey, SAVs 3807

provide owners and operators with interactive “Dashboards” showing a facility and sector 3808 security overview, areas of potential concern, and options to view the impact of potential 3809 enhancements to protective and resilience measures. In addition, SAVs provide narrative 3810 reports by subject matter experts that provide options for consideration to enhance the 3811 facility’s security and resilience. The DHS Office of Infrastructure Protection (IP) conducts 3812

SAVs at the request of the participating facility and in coordination with other Federal and 3813 SLTT government entities. More information can be obtained through the local Protective 3814 Security Advisor or by emailing [email protected]. 3815

3816 The Cyber Security Evaluation Tool (CSET

TM). CSET is a self-contained software tool 3817

that runs on a desktop or laptop. It evaluates the cybersecurity of an automated, industrial 3818 control or business system using a hybrid risk and standards-based approach. CSET helps 3819

asset owners assess their information and operational systems cybersecurity practices by 3820 asking a series of detailed questions about system components and architecture, as well as 3821

operational policies and procedures. These questions are derived from accepted industry 3822 cybersecurity standards. Once the self-assessment questionnaire is complete, CSET provides a 3823 prioritized list of recommendations for increasing cybersecurity posture. The CSET tool is 3824

available to all through the United States Computer Emergency Readiness Team’s (US-3825 CERT) Website at www.us-cert.gov/control_systems. 3826

3827

Chemical Security Assessment Tool (CSAT) Security Vulnerability Assessment (SVA). 3828 This tool is available only to chemical facilities that are subject to the Chemical Facility Anti-3829 Terrorism Standards (CFATS) regulations. The CSAT SVA application: 3830

3831

Collects basic facility identification information and information about the chemicals 3832 that a facility possesses. 3833

Collects information about assets at the facility that involve the chemicals of interest 3834 identified by DHS in Appendix A of the CFATS Authorization. 3835

Enables users to locate assets on an interactive map and apply DHS attack scenarios or 3836 define attack scenarios of their own to run against the facility’s assets. This provides 3837 DHS with data on the vulnerability and potential consequences of such attacks. Users 3838

will assess the vulnerability of their facilities based on the security measures already in 3839 place at the facility. 3840

Collects information on relevant cyber systems that may affect the security of 3841 identified assets. 3842 3843

For additional information, the CSAT Help Desk has a toll-free number for questions 3844 regarding the CSAT SVA application—866–323–2957 between 7:00 a.m. and 7:00 p.m. 3845 (Eastern Standard Time), Monday through Friday. The CSAT Help Desk is closed on Federal 3846 holidays. 3847 3848


http://www.us-cert.gov/control_systems

Working Draft


More details on 6 CFR Part 27, information regarding Chemical-Terrorism Vulnerability 3849

Information, and other related information is available on the DHS Website at 3850 http://www.dhs.gov/chemicalsecurity. 3851 3852

II.DHS Resources to Inform Vulnerability Assessments 3853

3854 Infrastructure Protection Report Series. These reports identify common vulnerabilities by 3855

asset class within the sectors, as well as the types of terrorist activities that are likely to be 3856 successful in exploiting these vulnerabilities. They also identify security and preparedness 3857 best practices by asset class within the sectors. Brief integrated papers are currently available 3858 to Federal, SLTT, and private sector partners on the Homeland Security Information Network. 3859

3860

Working Draft


Supplemental Tool: Incorporating Security and Resilience into Critical 3861

Infrastructure Projects 3862

3863

I. Purpose and Scope 3864

3865 The purpose of this supplement is to provide the critical infrastructure community with steps that 3866 support making investments in critical infrastructure that will enhance the security and resilience 3867 of critical infrastructure systems. This supplement was developed through research into existing 3868 strategies for infrastructure security and resilience, including the Hurricane Sandy Rebuilding 3869

Strategy and the updated National Infrastructure Protection Plan (NIPP) 2013. The target 3870

audience is government decision makers at all levels who are undertaking new infrastructure 3871

projects or enhancing security and mitigation measures on existing government-owned 3872 infrastructure. This supplement also provides a useful tool that can be used more broadly by all 3873 critical infrastructure owners and operators as decisions are made to invest in infrastructure 3874 replacements or improvements. 3875

3876 This supplement includes a discussion of characteristics of security and resilience, an overview 3877

of the current environment, and examples of steps in the infrastructure planning and investment 3878 process that can be used to prioritize projects that promote security and resilience to critical 3879 infrastructure. All of the recommended steps included in this supplemental tool may not apply 3880

directly to each sector and type of critical infrastructure. In that case, this tool can help decision 3881 makers tailor the relevant steps that will promote security and resilience as well as provide a 3882

model for the types of characteristics that should be incorporated into secure and resilient 3883

systems. 3884

3885

Characteristics of Critical Infrastructure Security and Resilience 3886 Presidential Policy Directive 21: Critical Infrastructure Security and Resilience (PPD-21) 3887 articulates characteristics of both secure and resilient systems, and these definitions help frame 3888

what success looks like in achieving these end goals. Security is a strategy that reduces “the risk 3889 to critical infrastructure by physical means or defense cyber measures to intrusions, attacks, or 3890 the effects of natural or manmade disasters.”

4 There are several characteristics common to secure 3891

critical infrastructure systems, including being protected, defended, and having accurate 3892 information and analysis on current and future risks. 3893 3894 Resilience has a slightly different connotation and different characteristics. As defined in PPD-3895 21, resilience is “the ability to prepare for and adapt to changing conditions and withstand and 3896

recover rapidly from disruptions. Resilience includes the ability to withstand and recover from 3897

4 The White House, Presidential Policy Directive 21 – Critical Infrastructure Security and Resilience, February 12,

2013, http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil

http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil

http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil

Working Draft


deliberate attacks, accidents, or naturally occurring threats or incidents.”5 As with secure 3898

infrastructure systems, having accurate information and analysis about risks is essential to 3899 achieving resilience. However, there are several other characteristics to resilient infrastructure 3900 systems, including being agile and adaptable. 3901 3902

Even though security and resilience are different end goals, there is an intrinsic link between the 3903 two. Both security and resilience need to be integrated into critical infrastructure in a holistic 3904 manner in order to create robust assets and systems. The Nation relies on the essential services 3905 provided by critical infrastructure in order to function as a society, and if critical infrastructure 3906 fails—due to a security breach or because it is not resilient—this failure can cascade across 3907

sectors, communities, and regions, and it affects our Nation’s safety, prosperity, and well-being. 3908 3909

Current Incorporation of Security and Resilience in Infrastructure Investments 3910 Critical infrastructure owners and operators make risk-informed decisions every day about their 3911 infrastructure assets. It is important to acknowledge that security and resilience are already an 3912 integral part of project planning for infrastructure investment because the functioning of the 3913

infrastructure has direct economic value. While needs vary depending on the sector, owners and 3914 operators generally have established plans to protect their investments. These may include onsite 3915

physical security to protect the premises of the asset, strict access control rules to avoid 3916 unauthorized access, and advanced IT controls to prevent cyber crime and data breaches. These 3917 security measures are effective at protecting critical infrastructure at individual sites, and they 3918

provide a strong foundation to help the Nation move toward more secure and resilient 3919 infrastructure systems overall. 3920

3921 In general, owners and operators conduct cost-benefit analyses before they make their 3922 investments. Cost-benefit analyses and other decision tools help support well-informed decisions 3923

and smart, profitable investments. Critical infrastructure owners and operators also have an 3924

incentive to be forward-looking, since the lifespan of many types of infrastructure can be 50 to 3925 100 years. Before making an investment, for instance, owners and operators will typically try to 3926 determine demographic and population shifts so they can determine whether the critical 3927

infrastructure they develop will retain its usefulness. 3928 3929

Steps to Promoting Security and Resilience in Infrastructure Investments 3930 Building off the positive steps owners and operators have taken toward developing and 3931 maintaining secure and resilient critical infrastructure, the following steps can be used as a guide 3932 to promote security and resilience in infrastructure investment. The following list is not 3933 exhaustive, but instead represents some of the best practices and strategies for improving critical 3934

infrastructure security and resilience. When making investment decisions and selecting 3935

infrastructure projects, public sector decision makers are encouraged to use these recommended 3936 steps to the fullest extent applicable and possible to select their investments. 3937 3938

As previously discussed, there are certain characteristics of both security and resilience that can 3939 be incorporated in concrete ways to achieve robust critical infrastructure systems. Security, for 3940

5 Ibid.

Working Draft


instance, can be achieved through access to accurate information and the development and 3941

maintenance of protection and defense capabilities. Resilience also requires access to accurate 3942 information, but is characterized by agile and adaptable solutions. These characteristics of 3943 security and resilience are used to frame the following recommendations. 3944 3945

Accurate information and analysis about current and future risks is essential to planning for 3946 security and resilience. Possible steps to include in an infrastructure project plan may include the 3947 following: 3948 3949

Incorporating projected climate change impacts into the decision-making process. 3950

Measuring both the direct and indirect costs and benefits of developing the project to 3951 gain a holistic picture of the impact of the project (e.g., the financial and opportunity cost 3952 of losing infrastructure functions and services, the societal impacts of developing the 3953

project, environmental costs and benefits, etc.). 3954 Examining demographic trends and using the anticipated demographics to predict the 3955

future demand for infrastructure. 3956 Consulting with the Federal Emergency Management Agency (FEMA) on the best 3957

available data pertaining to flood risk (e.g., the FEMA Map Service Center to access 3958 current flood maps). [see additional resources for more information] 3959

Referring to available science and predictive tools on future trends and risks when 3960 selecting a location (e.g., the National Oceanic and Atmospheric Administration Sea 3961 Level Rise and Coastal Flooding Impacts Viewer tool, etc.). [see additional resources for 3962

more information] 3963 Considering applicable standards and best practices for incorporating security and 3964

resilience into asset and system design. 3965 Conducting vulnerability assessments that can identify where the infrastructure is 3966

vulnerable to known and future risks. 3967 Utilizing available risk assessment and scenario planning tools to make risk-informed 3968

decisions (e.g., the Department of Homeland Security-sponsored Owners Performance 3969 Requirements tool, which allows owners to develop several scenarios for a project to help 3970 select the optimal combination of performance levels for energy, environmental, safety, 3971

security (including blast; ballistic; and chemical, biological, and radiological protection), 3972 sustainability, durability, operational, and cost-effectiveness attributes to meet their 3973 needs). [see additional resources for more information] 3974

Identifying key interdependencies and ways in which this critical infrastructure asset 3975 will impact other components of critical infrastructure systems, whether within the same 3976 sector or across sectors. 3977

Working with partners to develop a picture of how this infrastructure investment will fit 3978

into the regional landscape of critical infrastructure. 3979 3980 Investments and training in protection and defense measures can enhance the security of an 3981 investment. When planning for an infrastructure investment, possible elements to include in the 3982 infrastructure project plan that could promote security may include the following: 3983

3984

Working Draft


Developing a comprehensive incident response plan that includes such components 3985

as scenario planning for the most likely risks and clearly articulated roles and 3986 responsibilities for all partners. 3987

Creating security policies and providing opportunities to train employees to comply 3988 with the policies. 3989

Including planning for physical and/or electronic protection capabilities in the 3990 development of the project. 3991

3992 Agility and adaptability help systems recover rapidly and react quickly to changing conditions. 3993 Agile and adaptable systems are nimble and flexible, so they can continue operations with 3994

minimal interruptions. When planning for an infrastructure investment, possible elements to 3995 include in the infrastructure project plan that could promote resilience may include the 3996 following: 3997

3998 Building redundancy into an infrastructure system so it can handle a localized failure. 3999 Budgeting for infrastructure mitigation during the development of a project to ensure the 4000

resilience of the infrastructure to threats and hazards. 4001

Developing a business continuity plan to ensure rapid recovery to disasters or other 4002 disruptions. 4003

Planning to conduct periodic updates for the infrastructure asset that can incorporate 4004 new technologies and/or upgrades that could enhance mitigation. 4005

Determining whether environmental buffers (e.g., dunes or wetlands) can be 4006

incorporated into the infrastructure design to mitigate the effects of natural disasters. 4007 Ensuring there are manual overrides and physical backups built into automated 4008

systems. 4009 4010

II.Conclusion 4011 4012

The above list represents recommended steps that decision makers can use to promote security 4013 and resilience in infrastructure projects. In many cases, stakeholders are already using these steps 4014 in localized efforts to achieve the mission. However, as we work together to promote the goals of 4015

secure and resilient critical infrastructure nationwide, it is important to codify and update these 4016 best practices and implement them when possible. As we work toward achieving this mission, 4017 stakeholders are encouraged to tailor this information to suit their needs and to provide feedback 4018 on additional recommendations that can be incorporated. 4019

4020

III.Additional Resources 4021 4022

Department of Homeland Security, Office of Science and Technology, Building and 4023 Infrastructure Protection Series: Designing Buildings to Withstand Almost Anything, 4024 http://www.dhs.gov/building-and-infrastructure-protection-series-designing-buildings-withstand-4025 almost-anything 4026 4027

Department of Homeland Security, Office of Science and Technology, Owner Requirement 4028 Tool, http://www.oprtool.org/ 4029 4030

http://www.dhs.gov/building-and-infrastructure-protection-series-designing-buildings-withstand-almost-anything

http://www.dhs.gov/building-and-infrastructure-protection-series-designing-buildings-withstand-almost-anything

http://www.oprtool.org/

Working Draft


Federal Emergency Management Agency, FEMA Map Service Center, 4031

https://msc.fema.gov/webapp/wcs/stores/servlet/FemaWelcomeView?storeId=10001&catalogId4032 =10001&langId=-1 4033 4034 Department of Housing and Urban Development, Hurricane Sandy Rebuilding Strategy, August 4035

2013, http://portal.hud.gov/hudportal/HUD?src=/sandyrebuilding 4036 4037 National Oceanic and Atmospheric Administration, NOAA Sea Level Rise and Coastal Flooding 4038 Impacts Viewer tool, http://csc.noaa.gov/digitalcoast/tools/slrviewer 4039 4040

4041

https://msc.fema.gov/webapp/wcs/stores/servlet/FemaWelcomeView?storeId=10001&catalogId=10001&langId=-1

https://msc.fema.gov/webapp/wcs/stores/servlet/FemaWelcomeView?storeId=10001&catalogId=10001&langId=-1

http://portal.hud.gov/hudportal/HUD?src=/sandyrebuilding

http://csc.noaa.gov/digitalcoast/tools/slrviewer

Supplemental Tool: Connecting to the NICC and NCCIC...Working Draft Draft October 21, 2013 1 3000...

Documents

Transcript of Supplemental Tool: Connecting to the NICC and NCCIC...Working Draft Draft October 21, 2013 1 3000...