· Per the e-Activity, analyze one (1) of the core tenets established in the National Infrastructure Protection Plan. Take a position on how closely following this tenet could have resulted in better protection of critical infrastructure during Hurricane Katrina. Provide a rationale for your response.
TENET #5. Collaborating To Manage Risk
The national effort to strengthen critical infrastructure security and resilience depends on the ability of public and private sector critical infrastructure owners and operators to make risk-informed decisions on the most effective solutions available when allocating limited resources in both steady-state and crisis operations. Therefore, risk management is the cornerstone of the National Plan and is relevant at the national, regional, State, and local levels. National, regional, and local resilience depend upon creating and maintaining sustainable, trusted partnerships between the public and private sector. While individual entities are responsible for managing risk to their organization, partnerships improve understanding of threats, vulnerabilities, and consequences and how to manage them through the sharing of indicators and practices and the coordination of policies, response, and recovery activities. Critical infrastructure partners manage risks based on diverse commitments to community, focus on customer welfare, and corporate governance structures. Risk tolerances will vary from organization to organization, as well as sector to sector, depending on business plans, resources, operating structure, and regulatory environments. They also differ between the private sector and the government based on underlying constraints. Different entities are likely to have different priorities with respect to security investment as well as potentially differing judgments as to what the appropriate point of risk tolerance may be. Private sector organizations generally can increase investments to meet their risk tolerances and provide for their community of stakeholders, but investments in security and resilience have legitimate limits. The government must provide for national security and public safety and operates with a different set of limits in doing so. Finding the appropriate value proposition among the partners requires understanding these differing perspectives and how they may affect efforts to set joint priorities. Within these parameters, critical infrastructure security and resilience depend on applying risk management practices of both industry and government, coupled with available resources and incentives, to guide and sustain efforts. This section is organized based on the critical infrastructure risk management framework, introduced in the 2006 NIPP and updated in this National Plan. The updates help to clarify the components and streamline the steps of the framework, depicted in Figure 3 below. Specifically, the three elements of critical infrastructure (physical, cyber, and human) are explicitly identified and should be integrated throughout the steps of the framework, as appropriate. In addition, the updated framework consolidates the number of steps or “chevrons” by including prioritization with the implementation of risk management activities. Prioritization of risk mitigation options is an integral part of the decision-making process to select the risk management activities to be implemented. Finally, a reference to the feedback loop is removed and instead, the framework now depicts the importance of information sharing throughout the entire risk management process. Information is shared through each step of the framework, to include the “measure effectiveness” step, facilitating feedback and enabling continuous improvement of critical infrastructure security and resilience efforts. Figure 3 – Critical Infrastructure Risk Management Framework Cyber Physical Human Elements of Critical Infrastructure Identify Infrastructure Set Goals and Objectives Assess and Analyze Risks Implement Risk Management Activities Measure Effectiveness INFORMATION SHARING 16 NIPP 2013 The critical infrastructure risk management framework supports a decision-making process that critical infrastructure partners collaboratively undertake to inform the selection of risk management actions. This framework is not binding and many organizations have risk management models that have proved effective and should be maintained. It does, however, provide an organizing construct for those models. This section presents a selection of risk management activities implemented across the critical infrastructure community, but the specific contributions of various partners are described where applicable. In addition, call-out boxes throughout this section identify linkages between the steps in the risk management framework and the specific actions identified in the Call to Action in section 6 of this National Plan. The critical infrastructure risk management framework is designed to provide flexibility for use in all sectors, across different geographic regions, and by various partners. It can be tailored to dissimilar operating environments and applies to all threats and hazards. The risk management framework is intended to complement and support completion of the Threat and Hazard Identification and Risk Assessment (THIRA) process as conducted by regional, SLTT, and urban area jurisdictions to establish capability priorities. Comprehensive Preparedness Guide 201: Threat and Hazard Identification and Risk Assessment, Second Edition cites infrastructure owners and operators as sources of threat and hazard information and as valuable partners when completing the THIRA process. The critical infrastructure community shares information throughout the steps of the risk management framework to document and build upon best practices and lessons learned and help identify and fill gaps in security and resilience efforts. It is essential for the community to share risk information, also known as risk communication, which is defined as the exchange of information with the goal of improving risk understanding, affecting risk perception, and/or equipping people or groups to act appropriately in response to an identified risk.12 Risk management enables the critical infrastructure community to focus on those threats and hazards that are likely to cause harm, and employ approaches that are designed to prevent or mitigate the effects of those incidents. It also increases security and strengthens resilience by identifying and prioritizing actions to ensure continuity of essential functions and services and support enhanced response and restoration. Set Infrastructure Goals and Objectives This National Plan establishes a set of broad national goals for critical infrastructure security and resilience. These national goals are supported by objectives and priorities developed at the sector level, which may be articulated in Sector-Specific Plans (SSPs) and serve as targets for collaborative planning among SSAs and their sector partners in government and the private sector. As discussed in Section 2, a set of national multi-year priorities, developed with input from all levels of the partnership, will complement these goals. These priorities might focus on particular goals or cross-sector issues where attention and resources could be applied within the critical infrastructure community with the most significant impact. Critical infrastructure owners and operators, as well as SLTT and regional entities, can identify objectives and priorities for critical infrastructure that align to these national priorities, national goals, and sector objectives, but are tailored and scaled to their operational and risk environments and available resources. Related Calls to Action • Establish National Focus through Joint Priority Setting • Determine Collective Actions through Joint Planning Efforts Identify Infrastructure To manage critical infrastructure risk effectively, partners must identify the assets, systems, and networks that are essential to their continued operation, considering associated dependencies and interdependencies. This aspect of the risk management process also should identify information and communications technologies that facilitate the provision of essential services. Critical infrastructure partners view criticality differently, based on their unique situations, operating models, and associated risks. The Federal Government identifies and prioritizes nationally significant critical infrastructure 12 U.S. Department of Homeland Security, DHS Risk Lexicon, 2010. Identify Infrastructure Set Goals and Objectives Collaborating To Manage Risk 17 based upon statutory definition and national considerations.13 SLTT governments identify and prioritize infrastructure according to their business and operating environments and associated risks. Infrastructure owners and operators identify assets, systems, and networks that are essential to their continued operations and delivery of products and services to customers. At the sector level, many SSAs collaborate with owners and operators and SLTT entities to develop lists of infrastructure that are significant at the national, regional, and local levels. Effective risk management requires an understanding of criticality as well as the associated interdependencies of infrastructure. This National Plan identifies certain lifeline functions that are essential to the operation of most critical infrastructure sectors. These lifeline functions include communications, energy, transportation, and water. Critical infrastructure partners should identify essential functions and resources that impact their businesses and communities. The identification of these lifeline functions can support preparedness planning and capability development. Related Call to Action • Analyze Dependencies and Interdependencies Assess and Analyze Risks Critical infrastructure risks can be assessed in terms of the following: • Threat – natural or manmade occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property. • Vulnerability – physical feature or operational attribute that renders an entity open to exploitation or susceptible to a given hazard. • Consequence – effect of an event, incident, or occurrence. Risk assessments are conducted by many critical infrastructure partners to inform their own decision making, using a broad range of methodologies. These assessments allow critical infrastructure community leaders to understand the most likely and severe incidents that could affect their operations and communities and use this information to support planning and resource allocation in a coordinated manner. To assess risk effectively, critical infrastructure partners—including owners and operators, sector councils, and government agencies—need timely, reliable, and actionable information regarding threats, vulnerabilities, and consequences. Nongovernmental entities must be involved in the development and dissemination of products regarding threats, vulnerabilities, and potential consequences and provide risk information in a trusted environment. Partners should understand intelligence and information requirements and conduct joint analysis where appropriate. Critical infrastructure partnerships can bring great value in improving the understanding of risk to both cyber and physical systems and assets. Neither public nor private sector entities can fully understand risk without this integration of wide-ranging knowledge and analysis. Supporting information-sharing initiatives exist both at the national and regional level. Information-sharing activities can protect privacy by applying the FIPPs and protect civil liberties by complying with applicable laws and policies. It is equally crucial to ensure adequate protection of sensitive business and security information that could cause serious adverse impacts to private businesses, the economy, and public or private enterprise security through unauthorized disclosure, access, or use. The Federal Government has a statutory responsibility to safeguard critical infrastructure information.14 DHS and other agencies use the Protected Critical Infrastructure Information (PCII) program and other protocols such as Classified National Security Information, Law Enforcement Sensitive Information, and Federal Security Classification Guidelines. The PCII pro- 13 The National Critical Infrastructure Prioritization Program within DHS is the primary program helping entities prioritize critical infrastructure at the national level. This program identifies nationally significant assets, systems, and networks which, if destroyed or disrupted, could cause some combination of significant casualties, major economic losses, and/or widespread and long-term impacts to national well-being and governance. Executive Order 13636 also requires DHS to use a consultative process to identify infrastructure in which a cyber incident could result in catastrophic consequences. Other Federal departments and agencies identify and prioritize their own critical infrastructure which, if destroyed or disrupted, could result in mission failure or other catastrophic consequences at the national level. 14 Under the Homeland Security Act of 2002, §201(d)(11)(a), DHS must ensure that any material received pursuant to this Act is “protected from unauthorized disclosure and handled and used only for the performance of official duties.” Assess and Analyze Risks Related Call to Action • Improve Information Sharing and Apply Knowledge to Enable Risk-informed Decision Making 18 NIPP 2013 gram, authorized by the Critical Infrastructure Information (CII) Act of 2002 and its implementing regulations (Title 6 of the Code of Federal Regulations Part 29), defines both the requirements for submitting CII and those that government agencies must follow for accessing and safeguarding CII. Implement Risk Management Activities Decision makers prioritize activities to manage critical infrastructure risk based on the criticality of the affected infrastructure, the costs of such activities, and the potential for risk reduction. Some risk management activities address multiple aspects of risk, while others are more targeted to address specific threats, vulnerabilities, or potential consequences. These activities can be divided into the following approaches: Identify, Deter, Detect, Disrupt, and Prepare for Threats and Hazards • Establish and implement joint plans and processes to evaluate needed increases in security and resilience measures, based on hazard warnings and threat reports. • Conduct continuous monitoring of cyber systems. • Employ security protection systems to detect or delay an attack or intrusion. • Detect malicious activities that threaten critical infrastructure and related operational activities across the sectors. • Implement intrusion detection or intrusion protection systems on sensitive or mission-critical networks and facilities to identify and prevent unauthorized access and exploitation. • Monitor critical infrastructure facilities and systems potentially targeted for attack (e.g., through local law enforcement and public utilities). Reduce Vulnerabilities • Build security and resilience into the design and operation of assets, systems, and networks. • Employ siting considerations when locating new infrastructure, such as avoiding floodplains, seismic zones, and other riskprone locations. • Develop and conduct training and exercise programs to enhance awareness and understanding of common vulnerabilities and possible mitigation strategies. • Leverage lessons learned and apply corrective actions from incidents and exercises to enhance protective measures. • Establish and execute business and government emergency action and continuity plans at the local and regional levels to facilitate the continued performance of critical functions during an emergency. • Address cyber vulnerabilities through continuous diagnostics and prioritization of high-risk vulnerabilities. • Undertake research and development efforts to reduce known cyber and physical vulnerabilities that have proved difficult or expensive to address. Mitigate Consequences • Share information to support situational awareness and damage assessments of cyber and physical critical infrastructure during and after an incident, including the nature and extent of the threat, cascading effects, and the status of the response. • Work to restore critical infrastructure operations following an incident. • Support the provision of essential services such as: emergency power to critical facilities; fuel supplies for emergency responders; and potable water, mobile communications, and food and pharmaceuticals for the affected community. Implement Risk Management Activities Collaborating To Manage Risk 19 • Ensure that essential information is backed up on remote servers and that redundant processes are implemented for key functions, reducing the potential consequences of a cybersecurity incident. • Remove key operational functions from the Internetconnected business network, reducing the likelihood that a cybersecurity incident will result in compromise of essential services. • Ensure that incidents affecting cyber systems are fully contained; that asset, system, or network functionality is restored to pre-incident status; and that affected information is available in an uncompromised and secure state. • Recognize and account for interdependencies in response and recovery/restoration plans. • Repair or replace damaged infrastructure with cost-effective designs that are more secure and resilient. • Utilize and ensure the reliability of emergency communications capabilities. • Contribute to the development and execution of private sector, SLTT, and regional priorities for both near- and longterm recovery. The above activities are examples of risk management activities that are being undertaken to support the overall achievement of security and resilience, whether at an organizational, community, sector, or national level. Prevention activities are most closely associated with efforts to address threats; protection efforts generally address vulnerabilities; and response and recovery efforts help minimize consequences. Mitigation efforts transcend the entire threat, vulnerability, and consequence spectrum. These five mission areas, as described in the National Preparedness Goal and System, provide a useful framework for considering risk management investments. Figure 4 illustrates the relationship of the national preparedness mission areas to the elements of risk. The National Preparedness Goal also establishes 31 core capabilities that support the five national preparedness mission areas. The development of many of these core capabilities contributes to the achievement of critical infrastructure security and resilience and communities and owners and operators can apply these capabilities to identified activities to manage risk. Such efforts are enhanced when critical infrastructure risks are considered as part of setting capability targets. To support efforts in advance of or during an incident, the critical infrastructure community collaborates based on the structures established in the National Prevention Framework, the National Protection Framework, the National Mitigation Framework, the National Response Framework (NRF), the National Disaster Recovery Framework, and the interim National Cyber Incident Response Plan or its successor. One example of how these structures support collaborative efforts is provided through the NRF. The NRF organizational structures coordinate critical infrastructure-related activities conducted in response to a nationally declared disaster or major incident necessitating Federal assistance. Its Critical Infrastructure Support Annex15 explains how critical infrastructure security and 15 U.S. Department of Homeland Security, Critical Infrastructure Support Annex to the National Response Framework, 2013. Figure 4 – Critical Infrastructure Risk in the Context of National Preparedness Risk Elements National Preparedness Mission Areas Recover Protect Mitigate Respond Prevent Threat nature and magnitude Vulnerability to a threat Consequence that could result REsiliENCE sECuRiTy A secure and resilient Nation maintains the capabilities required across the whole community to prevent, protect against, mitigate, respond to, and recover from the threats and hazards that pose the greatest risk. –from the National Preparedness Goal 2011 Related Calls to Action • Rapidly Identify, Assess, and Respond to Cascading Effects During and Following Incidents • Promote Infrastructure, Community, and Regional Recovery Following Incidents 20 NIPP 2013 resilience activities are integrated into the NRF and describes policies, roles and responsibilities, incident-related actions, and coordinating structures used to assess, prioritize, secure, and restore critical infrastructure during actual or potential domestic incidents. The Annex leverages the partnership structures and information-sharing and risk management processes described in this National Plan. Similar linkages are in place, and will continue to be enhanced, through the other Frameworks and incident response plans. In addition to the identified threat-, vulnerability-, and consequence-reducing activities, risk reduction can be achieved through critical infrastructure and control system design. Factoring security and resilience measures into design decisions early can facilitate integration of measures to mitigate physical and cyber vulnerabilities as well as natural and technological hazards at lower cost. Governments and businesses can better invest in measures that increase the security and resilience of both critical infrastructure and the broader society through risk analysis, evidence-based design practices, and consideration of costs and benefits. Such efforts are also helpful during infrastructure recovery efforts, in those instances when the Federal Government is working with communities and industry to rebuild infrastructure. Measure Effectiveness The critical infrastructure community evaluates the effectiveness of risk management efforts within sectors and at national, State, local, and regional levels by developing metrics for both direct and indirect indicator measurement. SSAs work with SCCs through the sector-specific planning process to develop attributes that support the national goals and national priorities as well as other sector-specific priorities. Such measures inform the risk management efforts of partners throughout the critical infrastructure community and help build a national picture of progress toward the vision of this National Plan as well as the National Preparedness Goal. At a national level, the National Plan articulates broad area goals to achieve the Plan’s vision that will be complemented by a set of multi-year national priorities. The critical infrastructure community will subsequently evaluate its collective progress in accomplishing the goals and priorities. This evaluation process functions as an integrated and continuing cycle: • Articulate the vision and national goals; • Define national priorities; • Identify high-level outputs or outcomes associated with the national goals and national priorities; • Collect performance data to assess progress in achieving identified outputs and outcomes; • Evaluate progress toward achievement of the national priorities, national goals, and vision; • Update the national priorities and adapt risk management activities accordingly; and • Revisit the national goals and vision on a periodic basis. Just as regular evaluation of progress toward the national goals informs the ongoing evolution of security and resilience practices, planned exercises and real-world incidents also provide opportunities for learning and adaptation. For example, fuel shortages after Hurricane Sandy illustrated the interdependencies and complexities of infrastructure systems, the challenges in achieving shared situational awareness during large events, and the need for improved information collection and sharing among government and private sector partners to support restoration activities. The critical infrastructure and national preparedness communities also conduct exercises on an ongoing basis through the National Exercise Program and other mechanisms to assess and validate the capabilities of organizations, agencies, and jurisdictions. During and after such planned and unplanned operations, partners identify individual and group weaknesses, implement and evaluate corrective actions, and share best practices with the wider critical infrastructure and emergency management communities. Such learning and adaptation inform future plans, activities, technical assistance, training, and education