Working Draft
Draft October 21, 2013

Supplemental Tool: Connecting to the NICC and NCCIC
“There shall be two national critical infrastructure centers operated by DHS – one for physical infrastructure and another for cyber infrastructure. They shall function in an integrated manner and serve as focal points for critical infrastructure partners to obtain situational awareness and integrated, actionable information to protect the physical and cyber aspects of critical infrastructure.”
    - Presidential Policy Directive 21, Critical Infrastructure Security and Resilience
Presidential Policy Directive 21 (PPD-21) highlights the role of the national physical and cyber coordinating centers in enabling successful critical infrastructure security and resilience outcomes. The National Cybersecurity and Communications Integration Center (NCCIC) and the National Infrastructure Coordinating Center (NICC) fulfill this Department of Homeland Security (DHS) responsibility within the critical infrastructure partnership. The NICC serves as a clearinghouse to receive and synthesize critical infrastructure information and provide that information back to decision makers at all levels inside and outside of government to enable rapid, informed decisions in steady state, heightened alert, and during incident response. The NCCIC is a round-the-clock information sharing, analysis, and incident response center focused on cybersecurity and communications where government, private sector, and international partners share information and collaborate on response and mitigation activities to reduce the impact of significant incidents, enhance partners’ security posture, and develop and issue alerts and warnings while creating strategic and tactical plans to combat future malicious activity. An integrated analysis component works in coordination with both centers to contextualize and facilitate greater understanding of the information streams flowing through the two centers.
This supplement describes how partners throughout the critical infrastructure community—owner/operators, Federal partners, regional consortia, and State, local, tribal, and territorial governments—can connect to the NICC and NCCIC. It describes what information is desired by the centers and their partners, as well as how they protect and analyze that data to make timely and actionable information available to partners to inform prevention, protection, mitigation, response, and recovery activities.
These centers, along with an integrated analysis function, build situational awareness across critical infrastructure sectors based on partner input and provide back information with greater depth, breadth, and context than the individual pieces from any individual partner or sector. PPD-21 highlights the importance not just of what these centers can provide to the partnership, but also of the multi-directional information sharing that enables them to build true situational awareness, stating: “The success of these national centers, including the integration and analysis function, is dependent on the quality and timeliness of the information and intelligence they receive from the Sector-Specific Agencies (SSAs) and other Federal departments and agencies, as well as from critical infrastructure owners and operators and State, local, tribal, and territorial (SLTT) entities.”
I. The Centers
The National Infrastructure Coordinating Center (NICC)

The NICC is the watch center component of the National Protection and Programs Directorate’s (NPPD’s) Office of Infrastructure Protection, the national physical infrastructure center as designated by the Secretary of Homeland Security, and an element of the National Operations Center (NOC). The NICC serves as the national focal point for critical infrastructure partners to obtain situational awareness and integrated actionable information to protect physical critical infrastructure. The mission of the NICC is to provide 24/7 situational awareness, information sharing, and unity of effort to ensure the protection and resilience of the Nation’s critical infrastructure. When an incident or event impacting critical infrastructure occurs that requires coordination between DHS and the owners and operators of critical infrastructure, the NICC serves as a national coordination hub to support the protection and resilience of physical critical infrastructure assets. Establishing and maintaining relationships with critical infrastructure partners both within and outside the Federal Government is at the core of the NICC’s ability to execute its functions. The NICC collaborates with Federal departments and agencies and private sector partners to monitor potential, developing, and current regional and national operations of the Nation’s critical infrastructure sectors.
The National Cybersecurity and Communications Integration Center (NCCIC)

The NCCIC is the lead cybersecurity and communications organization within DHS, and it serves as the national cyber critical infrastructure center designated by the Secretary of Homeland Security. The NCCIC applies analytic resources, generates shared situational awareness, and coordinates synchronized response, mitigation, and recovery efforts in the event of significant cyber or communications incidents. The NCCIC’s mission includes leading the cyberspace protection efforts for Federal civilian agencies and providing cybersecurity support and expertise to State, local, international, and private sector critical infrastructure partners. The NCCIC fulfills this mission through trusted and frequent coordination with law enforcement, the Intelligence Community (IC), international Computer Emergency Readiness Teams, domestic Information Sharing and Analysis Centers (ISACs), and critical infrastructure partners to share information and collaboratively respond to incidents.
Information-Sharing Mechanisms

The centers share information with their constituents through a variety of mechanisms. Partners may connect directly to the centers but often receive NICC/NCCIC information through their respective SSAs or other parties such as regional consortia, ISACs, Fusion Centers, etc.
Online Resources (Web portals and Public Internet)

• Homeland Security Information Network – Critical Infrastructure (HSIN-CI): HSIN-CI provides secure networked information sharing covering the full range of critical infrastructure interests. Validated critical infrastructure partners are eligible for HSIN-CI access.
  o The NICC posts content from a variety of internal and external sources that is available to all Critical Infrastructure (CI) partners, including incident situation reports, threat reports, impact modeling and analysis, common vulnerabilities, potential indicators, and protective measures.
  o The NICC combines current high-interest incidents and events on the HSIN-CI “front page” to enable easy access to relevant information.
  o Individual sectors and sub-sectors self-manage more specific portals within HSIN-CI where smaller communities of participants receive and share relevant information for their particular information needs.
  o HSIN-CI also includes capabilities to facilitate multiple types of information sharing and coordination, including suspicious activity reporting, webinars, shared calendars, etc.
  o To ensure broad sharing of essential information, the NICC also receives and provides information via other HSIN portals.
• United States Computer Emergency Readiness Team (US-CERT) and Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) portal: The NCCIC provides a secure, web-based, collaborative system to share sensitive cybersecurity prevention, protection, mitigation, response, and recovery information with validated private sector, government, and international partners. The NCCIC provides partners with access to two components of the secure portal, which hold information regarding cyber indicators, incidents, and malware digests for critical infrastructure systems:
  o The Cobalt Compartment serves as an information hub for enterprise systems security.
  o The Control System Compartment provides material on industrial control systems and is limited to control system asset owners/operators.
• US-CERT.gov: This publicly open website provides extensive vulnerability and mitigation information to partners around the world, including:
  o A Control Systems section containing Control Systems Advisories and reports of particular interest to critical infrastructure owners and operators.
  o A National Cyber Awareness System, which provides timely alerts, bulletins, tips, and technical documents for those who sign up.
  o Cybersecurity incident reporting, providing critical infrastructure partners with a secure means to report cybersecurity incidents.
Email and Other Electronic Means

Both centers maintain connectivity with a variety of partners through email, automated data exchange, and other means. This form of connectivity allows very precise outreach when broad communication is inappropriate or not possible. In coordination with the SSAs, both the NICC and the NCCIC will reach out directly to specific partners as a developing situation or information need evolves. Similarly, both centers are available to stakeholders throughout the partnership when rapid response to information needs is essential.
Teleconferences

• National threat briefings: During periods of heightened threat or concern, the NICC will coordinate through the SSAs and relevant critical infrastructure partners to conduct unclassified teleconferences regarding current intelligence, expected actions, and protective measure options for consideration.
• Incident-specific cross-sector calls:
  o NICC: During significant incidents, the NICC will coordinate calls with the SSA and Government Coordinating Council (GCC)/Sector Coordinating Council (SCC) leadership to discuss national and cascading impacts and determine potential courses of action to mitigate risk. If necessary, the NICC will also leverage GCC/SCC and regional partners to determine locally affected partners to conduct large-scale teleconferences to share mutual situational awareness and address key areas of concern.
  o NCCIC: The NCCIC will similarly reach out to sector partners through its established mechanisms.
Classified Meetings and Briefings

• During periods of heightened threat or concern with significant classified components, the NICC and/or NCCIC, in conjunction with the IC, will coordinate through the SSAs, GCCs, and SCCs to conduct classified briefings on current intelligence, expected actions, and protective measure options for consideration.
• The centers, in collaboration with the SSAs and the IC, may assist in arranging similar briefings outside of the National Capital Region.
In-Person Meetings and Regional Extensions

• Onsite consultations and self-evaluations: The NCCIC helps asset owners take preventive measures necessary to prepare for and protect from cyber attacks via no-cost onsite defense-in-depth cybersecurity strategic analysis of critical infrastructure by DHS subject matter experts.
• Infrastructure Protection (IP) regional staff: The NICC works in close coordination with DHS and IP field personnel and other regional public and private partners. Information sharing to and from the field is coordinated between the NICC and DHS Protective Security Advisors and chemical inspectors in the field, preventing information stovepipes while reducing duplication of effort.
Integrating Partners into Daily Operations

The NICC and NCCIC incorporate critical infrastructure partners into their day-to-day operations, including by placing public- and private-sector liaisons in their physical watch facilities. These liaisons serve as bidirectional conduits of information between the centers and their home agencies or sectors. Such partners include, but are not limited to, ISACs, SSAs, Federal law enforcement, the intelligence community, and other key partners.
II. Federal Partners
Both centers maintain active relationships with Federal partners from among the SSAs, law enforcement, intelligence, and emergency management communities. Beyond these mission partners, other government agencies should also work in coordination with the NICC and NCCIC where they share interest in critical infrastructure-related information. For example, the NICC works closely with the State Department’s Overseas Security Advisory Council, which often has the earliest releasable information regarding threats to physical infrastructure overseas and is therefore an essential partner for ensuring this information is available to the domestic critical infrastructure community. At the same time, the NCCIC works on a daily basis with other Federal cyber centers to exchange critical information and coordinate analytical and response processes. Both centers provide reports to the NOC to facilitate shared situational awareness across the Federal community.
Sector-Specific Agencies

The SSAs actively engage with the centers through the mechanisms listed above. The NICC and NCCIC rely on the SSAs to ensure connectivity broadly across the sectors. During significant incidents, the SSAs provide the NICC and NCCIC with sector impacts for inclusion in the comprehensive infrastructure Common Operating Picture (COP), which is then shared back with the SSAs and other partners.
The Intelligence Community

The NICC and NCCIC serve as a major conduit for IC threat information—both classified and unclassified—to the owners and operators of critical infrastructure.
Federal Law Enforcement

The NICC and NCCIC, within their information sharing protocols and protections, provide suspicious activity reporting and other similar information to Federal law enforcement entities.
Federal Emergency Management

During major incidents, the NICC and NCCIC maintain close coordination with the Federal Emergency Management Agency (FEMA) to ensure that overall critical infrastructure status and impacts on life and safety are understood throughout the Federal incident response community. Both the NICC and the NCCIC provide liaisons directly to the National Response Coordination Center to ensure continuous bidirectional information flow. The SSAs are often directly tied to the Federal emergency management structure as noted in the table below. The SSAs provide detailed sector-specific status information, while the NICC and NCCIC provide the cross-sector analysis of the system-of-systems that makes up our national critical infrastructure. During major national incidents, particular focus is placed on those lifeline functions on which most critical infrastructure sectors depend; this includes communications, energy, transportation, and water. More information on critical infrastructure information sharing during significant incidents is found in the Critical Infrastructure Support Annex to the National Response Framework.
Sector | SSA | Related Emergency Support Function(s) (ESF)[1]
------ | --- | ----------------------------------------------
Chemical | Department of Homeland Security | ESF #10 – Oil and Hazardous Materials Response (support)
Commercial Facilities | Department of Homeland Security |
Communications | Department of Homeland Security | ESF #2 – Communications (coordinator/primary)
Critical Manufacturing | Department of Homeland Security |
Dams | Department of Homeland Security | ESF #3 – Public Works and Engineering (support)
Defense Industrial Base | Department of Defense |
Emergency Services | Department of Homeland Security | ESF #4 – Firefighting (support); ESF #5 – Information and Planning (support); ESF #13 – Public Safety and Security (support)
Energy | Department of Energy | ESF #12 – Energy (coordinator/primary); ESF #10 – Oil and Hazardous Materials Response (support)
Financial Services | Department of the Treasury |
Food and Agriculture | U.S. Department of Agriculture and Department of Health and Human Services | ESF #11 – Agriculture and Natural Resources (USDA: coordinator/primary; HHS: support)
Government Facilities | Department of Homeland Security and General Services Administration |
Healthcare and Public Health | Department of Health and Human Services | ESF #6 – Mass Care, Emergency Assistance, Housing, and Human Services (support); ESF #8 – Public Health and Medical Services (coordinator/primary)
Information Technology | Department of Homeland Security |
Nuclear Reactors, Materials, and Waste | Department of Homeland Security | ESF #12 – Energy (coordinator/primary)
Transportation Systems | Department of Homeland Security and Department of Transportation | ESF #1 – Transportation (DOT: coordinator/primary; DHS: support)
Water and Wastewater Systems | Environmental Protection Agency | ESF #3 – Public Works and Engineering (support)

[1] The ESFs provide the structure for coordinating Federal interagency support for a Federal response to an incident. They are mechanisms for grouping functions most frequently used to provide Federal support to States and Federal-to-Federal support, both for declared disasters and emergencies under the Stafford Act and for non-Stafford Act incidents.
III. Critical Infrastructure Owners and Operators

Individual critical infrastructure owners and operators will often send and receive information to and from the national centers through intermediary entities, but can always reach the centers directly if necessary to share or request mission-critical information. The centers are in continuous contact with the ISACs and SSAs.
IV. State, Local, Tribal, and Territorial Government Partners, and Other Regional Partnerships and Consortia

The NICC and NCCIC are resources for non-Federal partners in government and regional public-private consortia and coalitions. The coordinating centers may leverage existing regional partnerships to ensure information penetration to decision makers, especially during significant incidents affecting multiple sectors within a region. The centers, in conjunction with other national critical infrastructure partners where appropriate, also share information with State and local fusion centers, InfraGard chapters, Maritime Area Security Committees, FEMA regional offices, etc.
V. Common Information-Sharing Requirements, Systems, and Processes

The two centers continuously set and refine common information-sharing requirements, systems, and processes to facilitate a COP that delivers actionable information to decision makers at all levels. Specifically:

• Refine and manage critical information requirements (CIRs): To build situational awareness, each center operates using a set of defined CIRs, which should be continuously evaluated and refined to ensure optimal situational awareness. SSAs and other departments and agencies may augment these with sector-specific CIRs, and requirements should be coordinated with critical infrastructure owners and operators and the State, Local, Tribal, and Territorial Government Coordinating Council.
• Leverage the DHS COP for a combined, cross-sector situational awareness picture for critical infrastructure security and resilience: Data feeds and web services should be created across SSAs and other Federal, State, local, tribal, and territorial governments, as well as private sector entities to inform the critical infrastructure centers and overall critical infrastructure COP. In turn, this larger national situational awareness picture is shared back out among the partnership to enable participants to have greater depth and context of knowledge than they would otherwise have.
VI. Information Protection

The NICC and NCCIC, as information management and coordination centers, are capable of handling information under a wide range of handling caveats. These protections and caveats include, but are not limited to: classified, For Official Use Only, Personally Identifiable Information (PII), Sensitive PII, Protected Critical Infrastructure Information, Chemical-terrorism Vulnerability Information, Law Enforcement Sensitive, and various industry standards such as the Traffic Light Protocol used by many ISACs.
VII. Get Connected

Centers

National Infrastructure Coordinating Center: [email protected] / 202–282–9201

National Cybersecurity and Communications Integration Center: [email protected] / 888–282–0870

Portals

HSIN-CI: To request HSIN-CI access, submit the following to [email protected]:
• Name
• Employer
• Title
• Business email
• Brief written justification

For questions regarding HSIN-CI access, please contact the NICC.

US-CERT and ICS-CERT Portal – An individual or organization can request access to the Cobalt Compartment by sending an e-mail to [email protected] with the subject line, “Request access to Cobalt Compartment.” To access the Control System Compartment, send an e-mail to [email protected] with the subject line, “Request access to Control Systems Compartment.”

To qualify for either compartment, requestors must:
• Be a U.S.-based organization;
• Have a role within your organization’s network defense community; and
• Be a control system asset owner/operator (specific to the Control System Compartment).
Supplemental Tool: The Critical Infrastructure Risk Management Framework
Risk is defined as the potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences.[2] Simply stated, risk is influenced by the nature and magnitude of a threat or hazard, the vulnerabilities to that threat or hazard, and the consequences that could result. Risk information enables partners, ranging from facility owners and operators to Federal agencies, to prioritize risk mitigation efforts.

This supplement describes how the critical infrastructure risk management framework can be used as part of the overall effort to ensure the security and resilience of our Nation’s critical infrastructure. The critical infrastructure risk management framework, depicted in Figure 1, supports the integration of strategies, capabilities, and governance to enable risk-informed decision making related to the Nation’s critical infrastructure. This framework is applicable to threats such as cyber incidents, natural disasters, manmade safety hazards, and acts of terrorism, although different information and methodologies may be used to understand each.

There are other risk management models used in government and industry, which can be more detailed and often are tailored to a specific need. For example, private industry uses specific models, utilizing standards and best practices, to assess operational and economic business risks. The critical infrastructure risk management framework is not intended to replace any such models or processes already in use. Rather, it provides a common, unifying approach to risk management that all critical infrastructure partners can use, relate to, and align with their own risk management models and activities.

Figure 1: Critical Infrastructure Risk Management Framework
The critical infrastructure risk management framework is tailored toward and applied on an asset, system, network, or functional basis, depending on the fundamental characteristics of each individual critical infrastructure sector. For those sectors primarily dependent on fixed assets and physical facilities, a bottom-up, asset-by-asset approach may be most appropriate. For sectors such as Communications, Information Technology, and Food and Agriculture, with accessible and distributed systems, a top-down, business or mission continuity approach that uses risk assessments focused on network and system interdependencies may be more effective. Each sector must pursue the approach that produces the most effective use of resources and has the opportunity to contribute to cross-sector comparative risk analyses conducted by the Department of Homeland Security (DHS). The risk management framework is also useful at a community level, as jurisdictions or businesses can work collaboratively to make risk-informed decisions within their span of control.

[2] DHS Risk Lexicon, U.S. Department of Homeland Security, 2010.

The critical infrastructure risk management framework includes the following activities:
• Set Goals and Objectives: Define specific outcomes, conditions, end points, or performance targets that collectively describe an effective and desired risk management posture.
• Identify Critical Infrastructure (assets, systems, and networks): Develop an inventory of critical assets, systems, and networks that contribute to critical functionality, and collect information pertinent to risk management, including analysis of dependencies and interdependencies.
• Assess and Analyze Risks: Evaluate the risk, taking into consideration the potential direct and indirect consequences of an incident, known vulnerabilities to various potential threats or hazards, and general or specific threat information.
• Implement Risk Management Activities: Make decisions and implement risk management approaches to control, accept, transfer, or avoid risks. Approaches can include prevention, protection, mitigation, response, and recovery activities.
• Measure Effectiveness: Use metrics and other evaluation procedures to measure progress and assess the effectiveness of efforts to secure and strengthen the resilience of critical infrastructure.
This is an ongoing process with feedback loops and iterative steps. It allows the critical infrastructure partnership to track progress and implement actions to improve national critical infrastructure security and resilience over time. The physical, cyber, and human elements of critical infrastructure should be considered in tandem in each aspect of the risk management framework. The partnership structures discussed in the National Plan provide the mechanism for coordination of risk management activities that are flexibly tailored to different sectors, levels of government, and owners and operators.
I. Set Goals and Objectives
Achieving robust, secure, and resilient infrastructure requires national, State, local, and sector-specific critical infrastructure visions, goals, and objectives that are collaboratively developed and describe the desired risk management posture. Goals and objectives should consider the physical, cyber, and human elements of critical infrastructure security and resilience. Goals and objectives may vary across sectors and organizations, depending on the risk landscape, operating environment, and composition of a specific industry, resource, or other aspect of critical infrastructure.
Nationally, the overall goal of critical infrastructure-related risk management is an enhanced state of security and resilience achieved through the implementation of focused risk management activities within and across sectors and levels of government. The risk management framework supports this goal by:

• Enabling the development of national, State, regional, and sector risk profiles that support the National Critical Infrastructure Security and Resilience Annual Report. These risk profiles outline the highest risks facing different sectors and geographic regions and identify cross-sector or regional issues of concern that are appropriate for the Federal critical infrastructure focus, as well as opportunities for sector, State, and regional initiatives.
• Enabling the critical infrastructure community to determine the best courses of action to reduce potential consequences, threats, and/or vulnerabilities, which, in turn, reduce risk. Some available options include encouraging voluntary implementation of focused risk management strategies (e.g., through public-private partnerships), applying standards and best practices, pursuing economic incentive-related policies and programs, and conducting additional information sharing, if appropriate.
• Informing the identification of risk management and resource allocation options, rather than specifying requirements for critical infrastructure owners and operators. It also allows for a variety of support from government partners.
From a sector or jurisdictional perspective, critical infrastructure security and resilience goals and their supporting objectives:

• Consider distinct assets, systems, networks, functions, operational processes, business environments, and risk management approaches;
• Define the risk management posture that critical infrastructure partners seek to attain individually or collectively; and
• Express this posture in terms of the outcomes and objectives sought.

Taken collectively, these goals and objectives guide all levels of government and the private sector in tailoring risk management programs and activities to address critical infrastructure security and resilience needs.
II. Identify Critical Infrastructure
Partners—both public and private—identify the infrastructure that they consider critical to focus their efforts for improving and enhancing security and resilience. Different partners view criticality differently and thereby may identify different infrastructure of concern to them. The Federal Government works with partners to determine which assets, systems, and networks are nationally significant. Some sectors identify regional, State, and locally significant infrastructure as a joint activity between public- and private-sector partners. Private-sector owners and operators may identify additional infrastructure that is necessary to keep their businesses running to provide goods and services to their customers. Similarly, State, local, tribal, and territorial (SLTT) governments should identify those assets, systems, and networks that are crucial to their continued operations to ensure public health and safety and the provision of essential services.
3397 The National Critical Infrastructure Prioritization Program (NCIPP) identifies nationally 3398 significant infrastructure to support risk-informed decision making by the Federal Government 3399 and its critical infrastructure partners. Critical assets, systems, and networks identified through 3400
this process include those, which if destroyed or disrupted, could cause some combination of 3401 significant casualties, major economic losses, or widespread and long-term impacts to national 3402 well-being and governance capacity. The NCIPP collects, identifies, and prioritizes critical 3403 infrastructure information from States, critical infrastructure sectors, and other homeland security 3404 partners across the Nation. The NCIPP uses an enhanced infrastructure data collection 3405
application, which provides the ability to input data throughout the year. 3406 3407 Data collected through the NCIPP forms the basis of a national inventory that includes those 3408
assets, systems, and networks that are nationally significant and those that may not be 3409 significant on a national level but are, nonetheless, important to State, local, or regional 3410 critical infrastructure security and resilience and national preparedness efforts. The goal of 3411 the national inventory is to provide access to relevant information for natural disasters, industrial 3412
accidents, and other incidents. Critical infrastructure partners work together to ensure that the 3413 inventory data structure is accurate, current, and secure. 3414
3415 The Federal Government, including the Sector-Specific Agencies (SSAs), works with critical 3416 infrastructure owners and operators and SLTT entities to build upon and update existing 3417
inventories at the State and local levels to avoid duplication of past or ongoing 3418 complementary efforts. 3419
Identifying Cyber Infrastructure

The national plan addresses security and resilience of the cyber elements of critical infrastructure in an integrated manner rather than as a separate consideration. As a component of the sector-specific risk assessment process, cyber system components should be identified individually or be included as a cyber element of a larger asset, system, or network with which they are associated. The identification process should include information on international cyber infrastructure with cross-border implications, interdependencies, or cross-sector ramifications.

Cyber system elements that exist in most, if not all, sectors include business systems, control systems, access control systems, and warning and alert systems. The Internet has been identified as an essential resource, comprising the domestic and international assets within both the Information Technology and Communications Sectors, and the need for access to and reliance on information and communications technology is common to all sectors.

DHS supports the SSAs and other critical infrastructure partners by developing tools and methodologies to assist in identifying cyber assets, systems, and networks, including those that involve multiple sectors. Several sectors have developed a functions-based approach for identifying cyber-dependent critical infrastructure. The Cyber-Dependent Infrastructure Identification[3] approach is based on three high-level steps, which include:

- Defining criteria for “catastrophic” impacts across all sectors;
- Evaluating previous sector efforts to determine how they can be leveraged to identify cyber-dependent critical infrastructure at greatest risk; and
- Applying a functions-based approach to identify cyber-dependent infrastructure and its impacts on the sector.

Additionally, DHS, in collaboration with other critical infrastructure partners, provides cross-sector cyber methodologies, which, when applied, enable sectors to identify cyber assets, systems, and networks that may have nationally significant consequences if destroyed, incapacitated, or exploited. These methodologies also characterize the reliance of a sector’s business and operational functionality on cyber systems.

Today's information systems, networks, and end-user mobile devices are highly dependent upon the availability of accurate and precise positioning, navigation, and timing (PNT) data. PNT services are critical to the operations of multiple critical infrastructure sectors and are vital to incident response. The U.S. Air Force operates the Global Positioning System (GPS), a dual-use system that provides PNT services worldwide for civil and military purposes. The free, open, and dependable nature of GPS has led to the development of hundreds of applications affecting every aspect of modern life and U.S. economic growth. Other countries are also investing in global navigation satellite systems like GPS. While space-based PNT services are highly available and reliable, these services can be subject to intentional and unintentional disruption by interference or signal blockage, thus preventing valuable PNT data from reaching intended recipients. Because so many business functions and operations rely exclusively on GPS for location and timing data, disruption to GPS civil services could potentially create a point of failure and lead to cascading effects across multiple sectors.

To better understand and mitigate risks from potential disruptions to GPS service availability, critical infrastructure partners can identify the sources and applications of PNT information that support or enable their critical functions and operations, continually assess dependencies and interdependencies, and implement steps to increase the resilience of critical infrastructure operations in the event of interference to or disruption of primary PNT services.
III. Assess Risks

Homeland security risks can be assessed in terms of their likelihood and consequences. Common definitions, scenarios, assumptions, metrics, and processes are needed to ensure that risk assessments contribute to a shared understanding among critical infrastructure partners. The risk management framework outlines a risk assessment approach that results in sound, scenario-based, consequence and vulnerability estimates, as well as an assessment of the likelihood that the postulated threat or hazard would occur.

[3] Executive Order 13636, Improving Critical Infrastructure Cybersecurity, February 2013.

The National Plan calls for critical infrastructure partners to generally assess risk from any scenario, considering both likelihood and consequence. As stated in the introduction to this supplemental tool, it is important to think of risk as influenced by the nature and magnitude of a threat or hazard, the vulnerabilities to those threats and hazards, and the consequences that could result.
- Threat: Natural or manmade occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property. For the purpose of calculating risk, the threat of an unintentional hazard is generally estimated as the likelihood that a hazard will manifest itself. Intentional hazard is generally estimated as the likelihood of an attack being attempted by an adversary. In the case of intentionally adversarial actors and actions, for both physical and cyber effects, the threat likelihood is estimated based on the intent and capability of the adversary.
- Vulnerability: Physical feature or operational attribute that renders an entity open to exploitation or susceptible to a given hazard. In calculating the risk of an intentional hazard, a common measure of vulnerability is the likelihood that an attack is successful, given that it is attempted.
- Consequence: The effect of an event, incident, or occurrence; reflects the level, duration, and nature of the loss resulting from the incident. For the purposes of the national plan, potential consequences may fall into four categories: public health and safety (i.e., loss of life and illness), economic (direct and indirect), psychological, and governance/mission impacts.

It is appropriate for critical infrastructure risk assessments to explicitly consider each of these factors, but it is not necessary to do so in a quantifiable manner. In conducting assessments, analysts should be very careful when calculating risk to properly address interdependencies and any links between how the threats and vulnerabilities were calculated to ensure that the results are sound and defensible.

A comprehensive critical infrastructure risk assessment will explicitly consider each of these factors, to the extent necessary for decision making and as possible, given the available information. Critical infrastructure-related risk assessments are conducted on assets, systems, or networks, depending on the characteristics of the infrastructure being examined. Individual threat, consequence, or vulnerability assessments may be useful on their own or in the aggregate to assess risk.
Critical Infrastructure Risk Assessments

Risk assessments are conducted by many critical infrastructure partners to meet their own decision-making needs, using a broad range of methodologies. As a general rule, simple but defensible methodologies are preferred over more complicated methods. Simple methodologies are more likely to fulfill the requirements of transparency and practicality.

Risk methodologies are often sorted into qualitative and quantitative categories, but when well-designed, both types of assessments have the potential to deliver useful analytic results. Similarly, both qualitative and quantitative methodologies can be needlessly complex or poorly designed. The methodology that best meets the decision maker’s needs is generally the best choice, whether quantitative or qualitative.

The common analytic principles originally provided in the National Infrastructure Protection Plan are broadly applicable to all parts of a risk methodology. These principles provide a guide for improving existing methodologies or modifying them so that the investment and expertise they represent can be used to support national-level, comparative risk assessments, investments, incident response planning, and resource prioritization. Recognizing that many risk assessment methodologies are under development and others evolve in a dynamic environment, the analytic principles for risk assessment methodologies serve as a guide to future adaptations. The basic analytic principles ensure that risk assessments are:

- Documented: The methodology and the assessment must clearly document what information is used and how it is synthesized to generate a risk estimate. Any assumptions, weighting factors, and subjective judgments need to be transparent to the user of the methodology, its audience, and others who are expected to use the results. The types of decisions that the risk assessment is designed to support and the timeframe of the assessment (e.g., current conditions versus future operations) should be given.
- Reproducible: The methodology must produce comparable, repeatable results, even though assessments of different critical infrastructure may be performed by different analysts or teams of analysts. It must minimize the number and impact of subjective judgments, leaving policy and value judgments to be applied by decision makers.
- Defensible: The risk methodology must logically integrate its components, making appropriate use of the professional disciplines relevant to the analysis, as well as be free from significant errors or omissions. Uncertainty associated with consequence estimates and confidence in the vulnerability and threat estimates should be communicated.
Risk Scenario Identification

It is generally helpful for homeland security risk assessments to use scenarios to divide the identified risks into separate pieces that can be assessed and analyzed individually. A scenario is a hypothetical situation comprised of an identified hazard, an entity impacted by that hazard, and associated conditions including consequences, when appropriate.

When analysts are developing plausible scenarios to identify potential risks for a risk assessment, the set of scenarios should attempt to cover the full scope of the assessment to ensure that the decision maker is provided with complete information when making a decision. For a relatively fixed system, an important first step is to identify those components or critical nodes where potential consequences would be highest and where security and resilience activities can be focused. Analysts should take care when dealing with the results, as including multiple scenarios that contain the same event could lead to double counting the risk.
Threat and Hazard Assessment

The remaining factor to be considered in the risk assessment process is the assessment of threat and/or hazard. Assessment of the current terrorist threat to the United States is derived from extensive study and understanding of terrorists and terrorist organizations, and frequently is dependent on analysis of classified information. The Federal Government provides its partners with unclassified assessments of potential terrorist threats and appropriate access to classified assessments where necessary and authorized. These threat assessments are derived from analyses of adversary intent and capability, and describe what is known about terrorist interest in particular critical infrastructure sectors, as well as specific attack methods. Since international terrorists, in particular, have continually demonstrated flexibility and unpredictability, DHS and its partners in the intelligence community also analyze known terrorist goals, objectives, and developing capabilities to provide critical infrastructure owners and operators with a broad view of the potential threat and postulated terrorist attack methods. Similar approaches are used to assess the threats of theft, vandalism, sabotage, insider threat, cyber threats, active shooter, and other deliberate acts.

Both domestic and international critical infrastructure remain potential prime targets for adversaries. Given the deeply rooted nature of these goals and motivations, critical infrastructure likely will remain highly attractive targets for state and non-state actors and others with ill intent. Threat assessments must address the various elements of both physical and cyber threats to critical infrastructure, depending on the attack type and target.

Hazard assessments draw on historical information and future predictions about natural hazards to assess the likelihood or frequency of various hazards. This is an area where various components of the Federal Government work with sector leadership and owners and operators to make assessments in advance of any specific hazard as well as once an impending hazard (such as a hurricane yet to make landfall) is identified.
Vulnerability Assessment

Vulnerabilities are physical features or operational attributes that render an entity open to exploitation or susceptible to a given hazard. Vulnerabilities may be associated with physical (e.g., no barriers or alarm systems), cyber (e.g., lack of a firewall), or human (e.g., untrained guards) factors. A vulnerability assessment can be a stand-alone process or part of a full risk assessment. The vulnerability assessment involves the evaluation of specific threats to the asset, system, or network under review to identify areas of weakness that could result in consequences of concern.

Many different vulnerability assessment approaches are used in the different critical infrastructure sectors and by various government authorities. Many of the Sector-Specific Plans (SSPs) describe vulnerability assessment methodologies used in the sectors. The SSPs also may provide specific details regarding how the assessments can be carried out (e.g., by whom and how often).
Consequence Assessment

Consequence categories may include:

- Public Health and Safety: Effect on human life and physical well-being (e.g., fatalities, injuries/illness).
- Economic: Direct and indirect economic losses (e.g., cost to rebuild asset, cost to respond to and recover from attack, downstream costs resulting from disruption of product or service, long-term costs due to environmental damage).
- Psychological: Effect on public morale and confidence in national economic and political institutions. This encompasses those changes in perceptions emerging after a significant incident that affect the public’s sense of safety and well-being and can manifest in aberrant behavior.
- Governance/Mission Impact: Effect on the ability of government or industry to maintain order, deliver minimum essential public services, ensure public health and safety, and carry out national security-related missions.

Consequence analysis should ideally address both direct and indirect effects. Many assets, systems, and networks depend on connections to other critical infrastructure to function. For example, nearly all sectors share relationships with elements of the Energy, Information Technology, Communications, Financial Services, and Transportation Systems sectors. In many cases, the failure of an asset or system in one sector will affect the ability of interrelated assets or systems in the same or another sector to perform the necessary functions. Furthermore, cyber interdependencies present unique challenges for all sectors because of the borderless nature of cyberspace. Interdependencies are dual in nature. For example, the Energy Sector relies on computer-based control systems to manage the electric power grid, while those same control systems require electric power to operate. As a result, complete consequence analysis addresses both directions of such critical infrastructure interconnections for the purposes of risk assessment.

The level of detail and specificity achieved by using the most sophisticated models and simulations may not be practical or necessary for all assets, systems, or networks. In these circumstances, a simplified dependency and interdependency analysis based on expert judgment may provide sufficient insight to make informed risk management decisions in a timely manner.

There is also an element of uncertainty in consequence estimates. Even when a scenario with reasonable worst-case conditions is clearly stated and consistently applied, there is a range of outcomes that could occur. For some incidents, the consequence range is small, and a simple estimate may provide sufficient information to support decisions. If the range of outcomes is large, the scenario may require more specificity about conditions to obtain appropriate estimates of the outcomes. However, if the scenario is broken down to a reasonable level of granularity and there is still significant uncertainty, the estimate should be accompanied by the uncertainty range to support more informed decision making. The best way to communicate uncertainty will depend on the factors that make the outcome uncertain, as well as the amount and type of information that is available.
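The definitions in this section (threat likelihood, vulnerability as the likelihood of success given an attempt, consequence carried as a range across the four categories), the double-counting caveat from Risk Scenario Identification, and the guidance to report an uncertainty range, brought together in an added Python example. This is illustrative code, not a DHS tool or methodology; the scenario values, the intent-times-capability combination rule, and expressing all consequence categories in one common unit are assumptions.

```python
# Scenario-based risk register using the threat/vulnerability/consequence definitions
# above. Added illustration, not a DHS tool; every value below is constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CATEGORIES = ("public_health_safety", "economic", "psychological", "governance_mission")
Range = Tuple[float, float]  # (low, high) bounds; ranges keep uncertainty visible


@dataclass(frozen=True)
class Threat:
    kind: str                            # "hazard" or "adversarial"
    likelihood: Optional[float] = None   # hazard: P(it manifests) in the period assessed
    intent: Optional[float] = None       # adversarial: 0..1
    capability: Optional[float] = None   # adversarial: 0..1
    basis: str = ""                      # source of the estimate (Documented principle)

    def attempt_likelihood(self) -> float:
        """P(hazard manifests) or P(attack attempted); intent x capability is an assumed rule."""
        if self.kind == "hazard" and self.likelihood is not None:
            return self.likelihood
        if self.kind == "adversarial" and None not in (self.intent, self.capability):
            return self.intent * self.capability
        raise ValueError(f"threat of kind {self.kind!r} is missing its estimate")


@dataclass(frozen=True)
class Scenario:
    scenario_id: str
    event: str                     # the hazard or attack; scenarios sharing it overlap
    entity: str                    # asset, system or network impacted
    threat: Threat
    vulnerability: float           # P(success | attempted)
    consequence: Dict[str, Range]  # per-category (low, high) in one common unit (assumption)
    assumptions: str = ""          # conditions recorded so the result is reproducible

    def __post_init__(self) -> None:
        if not 0.0 <= self.vulnerability <= 1.0:
            raise ValueError("vulnerability must be a probability")
        for cat, (lo, hi) in self.consequence.items():
            if cat not in CATEGORIES or lo < 0 or hi < lo:
                raise ValueError(f"bad consequence entry {cat!r}")


@dataclass(frozen=True)
class RiskEstimate:
    scenario_id: str
    low: float
    high: float
    point: float   # midpoint, used for ranking only
    spread: float  # (high - low) / high: 0 = certain, near 1 = very wide range


def assess(s: Scenario) -> RiskEstimate:
    """Risk = threat likelihood x vulnerability x consequence, computed on the bounds."""
    p = s.threat.attempt_likelihood() * s.vulnerability
    low = p * sum(lo for lo, _ in s.consequence.values())
    high = p * sum(hi for _, hi in s.consequence.values())
    spread = 0.0 if high == 0 else (high - low) / high
    return RiskEstimate(s.scenario_id, low, high, (low + high) / 2.0, spread)


def aggregate(scenarios: List[Scenario], max_spread: float = 0.75):
    """Rank scenarios for prioritization; scenarios sharing one event against one
    entity describe the same occurrence, so only the larger estimate is kept (no double
    counting) and wide-range estimates are flagged so the range reaches the decision maker."""
    kept: Dict[Tuple[str, str], RiskEstimate] = {}
    overlaps: List[Tuple[str, str]] = []  # (dropped scenario, scenario kept instead)
    for s in scenarios:
        est, key = assess(s), (s.event, s.entity)
        if key in kept:
            winner, loser = sorted((kept[key], est), key=lambda e: e.point, reverse=True)
            kept[key] = winner
            overlaps.append((loser.scenario_id, winner.scenario_id))
        else:
            kept[key] = est
    ranked = sorted(kept.values(), key=lambda e: e.point, reverse=True)
    uncertain = [e.scenario_id for e in ranked if e.spread > max_spread]
    return ranked, overlaps, uncertain


# Constructed sample: a hazard, an adversarial scenario, and a repeat of that event.
SAMPLE = [
    Scenario("S1", "ice storm", "substation-A",
             Threat("hazard", likelihood=0.10, basis="constructed 20-year outage history"),
             vulnerability=0.60, assumptions="72-hour outage at winter peak load",
             consequence={"economic": (2e6, 5e6), "public_health_safety": (1e5, 1e6)}),
    Scenario("S2", "control-system intrusion", "substation-A",
             Threat("adversarial", intent=0.5, capability=0.4, basis="constructed threat assessment"),
             vulnerability=0.30, assumptions="operators lose supervisory control for 8 hours",
             consequence={"economic": (1e6, 2e7), "governance_mission": (5e5, 5e6)}),
    Scenario("S3", "control-system intrusion", "substation-A",
             Threat("adversarial", intent=0.5, capability=0.4),
             vulnerability=0.30, assumptions="same event as S2, narrower economic range",
             consequence={"economic": (1e6, 3e6)}),
]

if __name__ == "__main__":
    for e in aggregate(SAMPLE)[0]:
        print(f"{e.scenario_id}: midpoint {e.point:,.0f}, range {e.low:,.0f} to {e.high:,.0f}")
```

Running it ranks S2 above S1, drops S3 as a double count of S2, and flags S2 as an estimate that should be reported as a range rather than a single number.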
IV. Implement Risk Management Activities

The selection and implementation of appropriate risk management activities requires prioritization to help focus planning, increase coordination, and support effective resource allocation and incident management, response, and restoration decisions. Comparing the risk faced by different entities helps identify where risk mitigation is most needed and to subsequently determine and help justify the most cost-effective risk management options. Prioritization can be used primarily to inform resource allocation decisions, such as where risk management programs should be instituted; guide investments in these programs; and highlight the measures that offer the greatest return on investment.

The prioritization process also develops information that can be used during incident response to help inform decision makers regarding issues associated with critical infrastructure restoration. It also provides the basis for understanding potential risk-mitigation benefits that are used to inform planning and resource decisions.

Critical infrastructure partners rely on different approaches to prioritize risk management activities according to their authorities, specific sector needs, risk landscapes, security approaches, and business environment. For example, owners and operators, Federal agencies, and State and local authorities all have different options available to them to help reduce risk. Asset-focused priorities may be appropriate for critical infrastructure with risks predominantly associated with facilities, the local environment, and physical attacks, especially those that can be exploited and used as weapons. Function-focused priorities may more effectively ensure the continuity of operations in the event of a terrorist attack or natural disaster in sectors where critical infrastructure resilience may be more important than critical infrastructure hardening. Programs intended to reduce critical infrastructure risk will prioritize investments that secure physical assets or ensure resilience in virtual systems, depending on which option best enables cost-effective critical infrastructure risk management.

Risk management actions involve measures designed to prevent, deter, and mitigate the threat; reduce vulnerability to an attack or other disaster; minimize consequences; and enable timely, efficient response and restoration in a post-event situation, whether a terrorist attack, natural disaster, or other incident. The risk management framework focuses attention on those prevention, protection, mitigation, response, and recovery activities that bring the greatest return on investment, not simply the vulnerability reduction to be achieved. Security and resilience activities vary between sectors and across a wide spectrum of activities designed to deter, devalue, detect, defend, protect, and strengthen critical infrastructure.

Risk management activities also may include the means for reducing the consequences of an attack or incident. These actions are focused on mitigation, response, and/or recovery. Often it is more cost-effective to build security and resilience into assets, systems, and networks than to retrofit them after initial development and deployment. Accordingly, critical infrastructure partners should consider how risk management, robustness, and appropriate physical and cyber security enhancements can be incorporated into the design and construction of new critical infrastructure and the redesign of existing infrastructure.

In situations where robustness and resilience are keys to critical infrastructure security, it may be more effective and efficient to implement programs at the system level rather than at the individual asset level (e.g., if there are many similar facilities, it may be easier to allow other facilities to provide the infrastructure service rather than to secure each facility).

In light of the specifics of the scenario of interest, analysts should consider industry standards, best practices, practices used effectively in other settings, and lessons learned from actual events and exercises. Analysts should describe the options in enough detail to define the extent to which they will reduce the elements of risk and estimate their life-cycle costs, i.e., initial investment or startup, operations, maintenance and support, and, for physical options, their demolition and disposal when their usefulness has ended. It is important to review the candidate options for synergies (e.g., instances where risk-reduction options designed for one scenario affect the risk—positively or negatively—of other scenarios). Exploiting positive synergies and avoiding negative ones allows analysts to select cost-effective portfolios of options.

Effective risk management activities are comprehensive, coordinated, and cost-effective. Risk management decisions should be made based on an analysis of the costs and other impacts, as well as the projected benefits of identified courses of action—including the no-action alternative if a risk is considered to be effectively managed already. It is important to note that risk management actions can be evaluated based on their potential to manage risk in the aggregate across a range of scenarios, as well as their ability to manage risks associated with a single scenario; maintaining both perspectives is crucial in identifying the most effective actions.
V. Measure Effectiveness

The use of performance metrics is a critical step in the critical infrastructure risk management process to enable assessment of improvements in critical infrastructure security and resilience. While the results of risk analyses help sectors set priorities, performance metrics allow partners to track progress against these priorities and against their goals and objectives. The metrics provide a basis for the critical infrastructure community to establish accountability, document actual performance, promote effective management, and provide a feedback mechanism to inform decision making—strengthening this voluntary program.

The national outcomes around risk management, shared situational awareness, and national preparedness referenced in the introduction of the national plan will be central to effectively assessing progress, providing a shared understanding of the desired “end-state” the voluntary partnership is collectively working to achieve. The accompanying set of national goals (see Section 2 of the National Plan) will illustrate the broad courses of action necessary to achieve those national outcomes. Developed through a participatory process involving a wide range of critical infrastructure partners, these national outcomes and goals will facilitate measurement by adding specificity to the ultimate outcome of critical infrastructure security and resilience established in Presidential Policy Directive 21.

With this common understanding as a baseline, the critical infrastructure community can demonstrate progress toward those outcomes using available data and information. When significant progress has been made toward the national-level outcomes and goals—or as the risk environment, policy landscape, and field of practice evolve—the community will review and update these outcomes and goals. Sectors and regional partnerships should develop goals complementary to the national outcomes and goals but tailored to the specific sector or geographic area.

Using Metrics and Performance Measurement for Continuous Improvement

By using metrics to evaluate the effectiveness of voluntary partnership efforts to achieve national and sector priorities, critical infrastructure partners can adjust and adapt their security and resilience approaches to account for progress achieved, as well as changes in the threat and other relevant environments. Metrics are used to focus attention on areas of security and resilience that warrant additional resources or other changes through an analysis of challenges and priorities at the national, sector, and owner/operator levels.

In addition to supporting the evaluation of progress against priorities, metrics also serve as a feedback mechanism for other parts of the critical infrastructure risk management framework. The metrics can inform progress against broader sector goals and provide analysts with information to adjust their risk assessments. For instance, metrics indicate the effectiveness of security and resilience activities and the extent to which these activities are reducing risks. Finally, metrics can inform the prioritization process, as this information can assist decision makers in identifying effective ways to achieve desired outcomes.
Supplemental Tool: DHS Resources for Vulnerability Assessments 3759
3760 Assessing vulnerabilities of critical infrastructure is an important step in conducting a risk 3761 assessment and an activity central to the critical infrastructure risk management framework. 3762
The Department of Homeland Security (DHS) conducts vulnerability assessments of the 3763 Nation’s critical infrastructure to inform its internal risk management processes, and as a form 3764 of technical assistance to its State, local, tribal, and territorial (SLTT) and private sector 3765 partners to enable their own risk assessments. DHS provides additional resources, typically in 3766 the form of informational material on known vulnerabilities, to support the risk assessments 3767
done by critical infrastructure partners. This supplement provides information on Federal 3768 resources that are used by DHS and available to SLTT governments and critical infrastructure 3769 owners and operators to identify and assess critical infrastructure vulnerabilities. 3770
I. DHS Vulnerability Assessments 3771 3772
The Homeland Security Act of 2002 and Presidential Policy Directive 21 direct the DHS Secretary to conduct comprehensive assessments of the vulnerabilities of the Nation’s critical infrastructure, in coordination with the Sector-Specific Agencies (SSAs) and in collaboration with SLTT entities and critical infrastructure owners and operators. The following paragraphs summarize some of the resources available from DHS for identifying and assessing critical infrastructure vulnerabilities.

Cyber Resilience Review (CRR). The DHS Office of Cybersecurity and Communications conducts voluntary assessments to evaluate and enhance cybersecurity capacities and capabilities within the critical infrastructure sectors and State, local, tribal, and territorial governments through its CRR process. The goal of the CRR is to understand and measure key cybersecurity capabilities and provide meaningful maturity indicators of an organization’s operational resilience and ability to manage cyber risk to its critical services during normal operations and times of operational stress and crisis. To schedule a CRR, or to request additional information, please email the Cyber Security Evaluation program at [email protected].
Enhanced Critical Infrastructure Protection (ECIP) Security Surveys. ECIP Security Surveys are voluntary, non-regulatory assessments of the overall security posture of the Nation’s critical infrastructure. Security Surveys collect, process, and analyze facility data to develop a detailed assessment of physical security, security management, security force, information sharing, protective measures, dependencies, and preparedness. The resulting survey information is provided to owners and operators and may be shared with SSAs and other Federal, State, local, and private sector representatives, as appropriate, through interactive “Dashboards.” In addition to providing a facility and sector security overview, the “Dashboards” highlight areas of potential concern and feature options to view the impact of potential enhancements to protective and resilience measures. The DHS Office of Infrastructure Protection (IP) conducts Security Surveys at the request of the participating facility. More information can be obtained through the local Protective Security Advisor or by emailing [email protected].
Site Assistance Visits (SAVs). SAVs are voluntary vulnerability assessments that assist owners and operators of critical infrastructure with identifying and documenting vulnerabilities, protective measures, planning needs, and options for consideration to increase protection from, and resilience to, a wide range of hazards. Like the Security Survey, SAVs provide owners and operators with interactive “Dashboards” showing a facility and sector security overview, areas of potential concern, and options to view the impact of potential enhancements to protective and resilience measures. In addition, SAVs provide narrative reports by subject matter experts that provide options for consideration to enhance the facility’s security and resilience. The DHS Office of Infrastructure Protection (IP) conducts SAVs at the request of the participating facility and in coordination with other Federal and SLTT government entities. More information can be obtained through the local Protective Security Advisor or by emailing [email protected].
The Cyber Security Evaluation Tool (CSET™). CSET is a self-contained software tool that runs on a desktop or laptop. It evaluates the cybersecurity of an automated, industrial control or business system using a hybrid risk and standards-based approach. CSET helps asset owners assess their information and operational systems cybersecurity practices by asking a series of detailed questions about system components and architecture, as well as operational policies and procedures. These questions are derived from accepted industry cybersecurity standards. Once the self-assessment questionnaire is complete, CSET provides a prioritized list of recommendations for increasing cybersecurity posture. The CSET tool is available to all through the United States Computer Emergency Readiness Team’s (US-CERT) Website at www.us-cert.gov/control_systems.
Chemical Security Assessment Tool (CSAT) Security Vulnerability Assessment (SVA). This tool is available only to chemical facilities that are subject to the Chemical Facility Anti-Terrorism Standards (CFATS) regulations. The CSAT SVA application:

- Collects basic facility identification information and information about the chemicals that a facility possesses.
- Collects information about assets at the facility that involve the chemicals of interest identified by DHS in Appendix A of the CFATS Authorization.
- Enables users to locate assets on an interactive map and apply DHS attack scenarios or define attack scenarios of their own to run against the facility’s assets. This provides DHS with data on the vulnerability and potential consequences of such attacks. Users will assess the vulnerability of their facilities based on the security measures already in place at the facility.
- Collects information on relevant cyber systems that may affect the security of identified assets.

For additional information, the CSAT Help Desk has a toll-free number for questions regarding the CSAT SVA application—866–323–2957 between 7:00 a.m. and 7:00 p.m. (Eastern Standard Time), Monday through Friday. The CSAT Help Desk is closed on Federal holidays.
More details on 6 CFR Part 27, information regarding Chemical-Terrorism Vulnerability Information, and other related information are available on the DHS Website at http://www.dhs.gov/chemicalsecurity.
II. DHS Resources to Inform Vulnerability Assessments

Infrastructure Protection Report Series. These reports identify common vulnerabilities by asset class within the sectors, as well as the types of terrorist activities that are likely to be successful in exploiting these vulnerabilities. They also identify security and preparedness best practices by asset class within the sectors. Brief integrated papers are currently available to Federal, SLTT, and private sector partners on the Homeland Security Information Network.
Supplemental Tool: Incorporating Security and Resilience into Critical Infrastructure Projects

I. Purpose and Scope
The purpose of this supplement is to provide the critical infrastructure community with steps that support making investments in critical infrastructure that will enhance the security and resilience of critical infrastructure systems. This supplement was developed through research into existing strategies for infrastructure security and resilience, including the Hurricane Sandy Rebuilding Strategy and the updated National Infrastructure Protection Plan (NIPP) 2013. The target audience is government decision makers at all levels who are undertaking new infrastructure projects or enhancing security and mitigation measures on existing government-owned infrastructure. This supplement also provides a useful tool that can be used more broadly by all critical infrastructure owners and operators as decisions are made to invest in infrastructure replacements or improvements.
This supplement includes a discussion of characteristics of security and resilience, an overview of the current environment, and examples of steps in the infrastructure planning and investment process that can be used to prioritize projects that promote security and resilience to critical infrastructure. All of the recommended steps included in this supplemental tool may not apply directly to each sector and type of critical infrastructure. In that case, this tool can help decision makers tailor the relevant steps that will promote security and resilience as well as provide a model for the types of characteristics that should be incorporated into secure and resilient systems.
Characteristics of Critical Infrastructure Security and Resilience

Presidential Policy Directive 21: Critical Infrastructure Security and Resilience (PPD-21) articulates characteristics of both secure and resilient systems, and these definitions help frame what success looks like in achieving these end goals. Security is a strategy that reduces “the risk to critical infrastructure by physical means or defense cyber measures to intrusions, attacks, or the effects of natural or manmade disasters.”4 There are several characteristics common to secure critical infrastructure systems, including being protected, defended, and having accurate information and analysis on current and future risks.

Resilience has a slightly different connotation and different characteristics. As defined in PPD-21, resilience is “the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.”5 As with secure infrastructure systems, having accurate information and analysis about risks is essential to achieving resilience. However, there are several other characteristics to resilient infrastructure systems, including being agile and adaptable.

4 The White House, Presidential Policy Directive 21 – Critical Infrastructure Security and Resilience, February 12, 2013, http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil
Even though security and resilience are different end goals, there is an intrinsic link between the two. Both security and resilience need to be integrated into critical infrastructure in a holistic manner in order to create robust assets and systems. The Nation relies on the essential services provided by critical infrastructure in order to function as a society, and if critical infrastructure fails—due to a security breach or because it is not resilient—this failure can cascade across sectors, communities, and regions, and it affects our Nation’s safety, prosperity, and well-being.
Current Incorporation of Security and Resilience in Infrastructure Investments

Critical infrastructure owners and operators make risk-informed decisions every day about their infrastructure assets. It is important to acknowledge that security and resilience are already an integral part of project planning for infrastructure investment because the functioning of the infrastructure has direct economic value. While needs vary depending on the sector, owners and operators generally have established plans to protect their investments. These may include onsite physical security to protect the premises of the asset, strict access control rules to avoid unauthorized access, and advanced IT controls to prevent cyber crime and data breaches. These security measures are effective at protecting critical infrastructure at individual sites, and they provide a strong foundation to help the Nation move toward more secure and resilient infrastructure systems overall.
In general, owners and operators conduct cost-benefit analyses before they make their investments. Cost-benefit analyses and other decision tools help support well-informed decisions and smart, profitable investments. Critical infrastructure owners and operators also have an incentive to be forward-looking, since the lifespan of many types of infrastructure can be 50 to 100 years. Before making an investment, for instance, owners and operators will typically try to determine demographic and population shifts so they can determine whether the critical infrastructure they develop will retain its usefulness.
Steps to Promoting Security and Resilience in Infrastructure Investments

Building off the positive steps owners and operators have taken toward developing and maintaining secure and resilient critical infrastructure, the following steps can be used as a guide to promote security and resilience in infrastructure investment. The following list is not exhaustive, but instead represents some of the best practices and strategies for improving critical infrastructure security and resilience. When making investment decisions and selecting infrastructure projects, public sector decision makers are encouraged to use these recommended steps to the fullest extent applicable and possible to select their investments.

As previously discussed, there are certain characteristics of both security and resilience that can be incorporated in concrete ways to achieve robust critical infrastructure systems. Security, for instance, can be achieved through access to accurate information and the development and maintenance of protection and defense capabilities. Resilience also requires access to accurate information, but is characterized by agile and adaptable solutions. These characteristics of security and resilience are used to frame the following recommendations.

5 Ibid.
Accurate information and analysis about current and future risks is essential to planning for security and resilience. Possible steps to include in an infrastructure project plan may include the following:

- Incorporating projected climate change impacts into the decision-making process.
- Measuring both the direct and indirect costs and benefits of developing the project to gain a holistic picture of the impact of the project (e.g., the financial and opportunity cost of losing infrastructure functions and services, the societal impacts of developing the project, environmental costs and benefits, etc.).
- Examining demographic trends and using the anticipated demographics to predict the future demand for infrastructure.
- Consulting with the Federal Emergency Management Agency (FEMA) on the best available data pertaining to flood risk (e.g., the FEMA Map Service Center to access current flood maps). [see additional resources for more information]
- Referring to available science and predictive tools on future trends and risks when selecting a location (e.g., the National Oceanic and Atmospheric Administration Sea Level Rise and Coastal Flooding Impacts Viewer tool, etc.). [see additional resources for more information]
- Considering applicable standards and best practices for incorporating security and resilience into asset and system design.
- Conducting vulnerability assessments that can identify where the infrastructure is vulnerable to known and future risks.
- Utilizing available risk assessment and scenario planning tools to make risk-informed decisions (e.g., the Department of Homeland Security-sponsored Owners Performance Requirements tool, which allows owners to develop several scenarios for a project to help select the optimal combination of performance levels for energy, environmental, safety, security (including blast; ballistic; and chemical, biological, and radiological protection), sustainability, durability, operational, and cost-effectiveness attributes to meet their needs). [see additional resources for more information]
- Identifying key interdependencies and ways in which this critical infrastructure asset will impact other components of critical infrastructure systems, whether within the same sector or across sectors.
- Working with partners to develop a picture of how this infrastructure investment will fit into the regional landscape of critical infrastructure.

Investments and training in protection and defense measures can enhance the security of an investment. When planning for an infrastructure investment, possible elements to include in the infrastructure project plan that could promote security may include the following:
- Developing a comprehensive incident response plan that includes such components as scenario planning for the most likely risks and clearly articulated roles and responsibilities for all partners.
- Creating security policies and providing opportunities to train employees to comply with the policies.
- Including planning for physical and/or electronic protection capabilities in the development of the project.
Agility and adaptability help systems recover rapidly and react quickly to changing conditions. Agile and adaptable systems are nimble and flexible, so they can continue operations with minimal interruptions. When planning for an infrastructure investment, possible elements to include in the infrastructure project plan that could promote resilience may include the following:

- Building redundancy into an infrastructure system so it can handle a localized failure.
- Budgeting for infrastructure mitigation during the development of a project to ensure the resilience of the infrastructure to threats and hazards.
- Developing a business continuity plan to ensure rapid recovery from disasters or other disruptions.
- Planning to conduct periodic updates for the infrastructure asset that can incorporate new technologies and/or upgrades that could enhance mitigation.
- Determining whether environmental buffers (e.g., dunes or wetlands) can be incorporated into the infrastructure design to mitigate the effects of natural disasters.
- Ensuring there are manual overrides and physical backups built into automated systems.
II. Conclusion

The above list represents recommended steps that decision makers can use to promote security and resilience in infrastructure projects. In many cases, stakeholders are already using these steps in localized efforts to achieve the mission. However, as we work together to promote the goals of secure and resilient critical infrastructure nationwide, it is important to codify and update these best practices and implement them when possible. As we work toward achieving this mission, stakeholders are encouraged to tailor this information to suit their needs and to provide feedback on additional recommendations that can be incorporated.
III. Additional Resources

Department of Homeland Security, Office of Science and Technology, Building and Infrastructure Protection Series: Designing Buildings to Withstand Almost Anything, http://www.dhs.gov/building-and-infrastructure-protection-series-designing-buildings-withstand-almost-anything

Department of Homeland Security, Office of Science and Technology, Owner Requirement Tool, http://www.oprtool.org/
Federal Emergency Management Agency, FEMA Map Service Center, https://msc.fema.gov/webapp/wcs/stores/servlet/FemaWelcomeView?storeId=10001&catalogId=10001&langId=-1

Department of Housing and Urban Development, Hurricane Sandy Rebuilding Strategy, August 2013, http://portal.hud.gov/hudportal/HUD?src=/sandyrebuilding

National Oceanic and Atmospheric Administration, NOAA Sea Level Rise and Coastal Flooding Impacts Viewer tool, http://csc.noaa.gov/digitalcoast/tools/slrviewer