Working Draft Supplemental Tool: Connecting to the NICC and NCCIC Draft October 21, 2013


Supplemental Tool: Connecting to the NICC and NCCIC

"There shall be two national critical infrastructure centers operated by DHS - one for physical infrastructure and another for cyber infrastructure. They shall function in an integrated manner and serve as focal points for critical infrastructure partners to obtain situational awareness and integrated, actionable information to protect the physical and cyber aspects of critical infrastructure."
- Presidential Policy Directive 21, Critical Infrastructure Security and Resilience

Presidential Policy Directive 21 (PPD-21) highlights the role of the national physical and cyber coordinating centers in enabling successful critical infrastructure security and resilience outcomes. The National Cybersecurity and Communications Integration Center (NCCIC) and the National Infrastructure Coordinating Center (NICC) fulfill this Department of Homeland Security (DHS) responsibility within the critical infrastructure partnership.

The NICC serves as a clearinghouse to receive and synthesize critical infrastructure information and provide that information back to decision makers at all levels inside and outside of government to enable rapid, informed decisions in steady state, heightened alert, and during incident response.

The NCCIC is a round-the-clock information sharing, analysis, and incident response center focused on cybersecurity and communications where government, private sector, and international partners share information and collaborate on response and mitigation activities to reduce the impact of significant incidents, enhance partners' security posture, and develop and issue alerts and warnings while creating strategic and tactical plans to combat future malicious activity.

An integrated analysis component works in coordination with both centers to contextualize and facilitate greater understanding of the information streams flowing through the two centers.

This supplement describes how partners throughout the critical infrastructure community (owner/operators, Federal partners, regional consortia, and State, local, tribal, and territorial governments) can connect to the NICC and NCCIC. It describes what information is desired by the centers and their partners, as well as how they protect and analyze that data to make timely and actionable information available to partners to inform prevention, protection, mitigation, response, and recovery activities.

These centers, along with an integrated analysis function, build situational awareness across critical infrastructure sectors based on partner input and provide back information with greater depth, breadth, and context than the individual pieces from any individual partner or sector. PPD-21 highlights the importance not just of what these centers can provide to the partnership, but the multi-directional information sharing that enables them to build true situational awareness, stating:

"The success of these national centers, including the integration and analysis function, is dependent on the quality and timeliness of the information and intelligence they receive from the Sector-Specific Agencies (SSAs) and other Federal departments and agencies, as well as from critical infrastructure owners and operators and State, local, tribal, and territorial (SLTT) entities."

I. The Centers

The National Infrastructure Coordinating Center (NICC)

The NICC is the watch center component of the National Protection and Programs Directorate's (NPPD's) Office of Infrastructure Protection, the national physical infrastructure center as designated by the Secretary of Homeland Security, and an element of the National Operations Center (NOC). The NICC serves as the national focal point for critical infrastructure partners to obtain situational awareness and integrated actionable information to protect physical critical infrastructure.

The mission of the NICC is to provide 24/7 situational awareness, information sharing, and unity of effort to ensure the protection and resilience of the Nation's critical infrastructure. When an incident or event impacting critical infrastructure occurs that requires coordination between DHS and the owners and operators of critical infrastructure, the NICC serves as a national coordination hub to support the protection and resilience of physical critical infrastructure assets.

Establishing and maintaining relationships with critical infrastructure partners both within and outside the Federal Government is at the core of the NICC's ability to execute its functions. The NICC collaborates with Federal departments and agencies and private sector partners to monitor potential, developing, and current regional and national operations of the Nation's critical infrastructure sectors.

The National Cybersecurity and Communications Integration Center (NCCIC)

The NCCIC is the lead cybersecurity and communications organization within DHS, and it serves as the national cyber critical infrastructure center designated by the Secretary of Homeland Security. The NCCIC applies analytic resources, generates shared situational awareness, and coordinates synchronized response, mitigation, and recovery efforts in the event of significant cyber or communications incidents.

The NCCIC's mission includes leading the cyberspace protection efforts for Federal civilian agencies and providing cybersecurity support and expertise to State, local, international, and private sector critical infrastructure partners. The NCCIC fulfills this mission through trusted and frequent coordination with law enforcement, the Intelligence Community (IC), international Computer Emergency Readiness Teams, domestic Information Sharing and Analysis Centers (ISACs), and critical infrastructure partners to share information and collaboratively respond to incidents.

Information-Sharing Mechanisms

The centers share information with their constituents through a variety of mechanisms. Partners may connect directly to the centers but often receive NICC/NCCIC information through their respective SSAs or other parties such as regional consortia, ISACs, Fusion Centers, etc.

Online Resources (Web portals and Public Internet)

• Homeland Security Information Network Critical Infrastructure (HSIN-CI): HSIN-CI provides secure networked information sharing covering the full range of critical infrastructure interests. Validated critical infrastructure partners are eligible for HSIN-CI access.
  o The NICC posts content from a variety of internal and external sources that is available to all Critical Infrastructure (CI) partners, including incident situation reports, threat reports, impact modeling and analysis, common vulnerabilities, potential indicators, and protective measures.

  o The NICC combines current high-interest incidents and events on the HSIN-CI front page to enable easy access to relevant information.
  o Individual sectors and sub-sectors self-manage more specific portals within HSIN-CI where smaller communities of participants receive and share relevant information for their particular information needs.
  o HSIN-CI also includes capabilities to facilitate multiple types of information sharing and coordination, including suspicious activity reporting, webinars, shared calendars, etc.
  o To ensure broad sharing of essential information, the NICC also receives and provides information via other HSIN portals.
• United States Computer Emergency Readiness Team (US-CERT) and Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) portal: The NCCIC provides a secure, web-based, collaborative system to share sensitive cybersecurity prevention, protection, mitigation, response, and recovery information with validated private sector, government, and international partners. The NCCIC provides partners with access to two components of the secure portal, which hold information regarding cyber indicators, incidents, and malware digests for critical infrastructure systems:
  o The Cobalt Compartment serves as an information hub for enterprise systems security.
  o The Control System Compartment provides material on industrial control systems and is limited to control system asset owners/operators.
• US-CERT.gov: This publicly open website provides extensive vulnerability and mitigation information to partners around the world, including:
  o A Control Systems section containing Control Systems Advisories and reports of particular interest to critical infrastructure owners and operators.
  o A National Cyber Awareness System, which provides timely alerts, bulletins, tips, and technical documents for those who sign up.
  o Cybersecurity incident reporting, providing critical infrastructure partners with a secure means to report cybersecurity incidents.

and Other Electronic Means

Both centers maintain connectivity with a variety of partners through , automated data exchange, and other means. This form of connectivity allows very precise outreach when broad communications is inappropriate or not possible. In coordination with the SSAs, both the NICC and the NCCIC will reach out directly to specific partners as a developing situation or information need evolves. Similarly, both centers are available to stakeholders throughout the partnership when rapid response to information needs is essential.

Teleconferences

• National threat briefings: During periods of heightened threat or concern, the NICC will coordinate through the SSAs and relevant critical infrastructure partners to conduct unclassified teleconferences regarding current intelligence, expected actions, and protective measure options for consideration.
• Incident specific cross-sector calls:
  o NICC: During significant incidents, the NICC will coordinate calls with the SSA and Government Coordinating Council (GCC)/Sector Coordinating Council (SCC) leadership to discuss national and cascading impacts and determine potential courses of action to mitigate risk. If necessary, the NICC will also leverage GCC/SCC and regional partners to determine locally affected partners to conduct large-scale teleconferences to share mutual situational awareness and address key areas of concern.
  o NCCIC: The NCCIC will similarly reach out to sector partners through its established mechanisms.

Classified Meetings and Briefings

During periods of heightened threat or concern with significant classified components, the NICC and/or NCCIC, in conjunction with the IC, will coordinate through the SSAs, GCCs, and SCCs to conduct classified briefings on current intelligence, expected actions, and protective measure options for consideration. The centers, in collaboration with the SSAs and the IC, may assist in arranging similar briefings outside of the National Capital Region.

In-Person Meetings and Regional Extensions

• Onsite consultations and self-evaluations: The NCCIC helps asset owners take preventive measures necessary to prepare for and protect from cyber attacks via no-cost onsite defense-in-depth cybersecurity strategic analysis of critical infrastructure by DHS subject matter experts.
• Infrastructure Protection (IP) regional staff: The NICC works in close coordination with DHS and IP field personnel and other regional public and private partners. Information sharing to and from the field is coordinated between the NICC and DHS Protective Security Advisors and chemical inspectors in the field, preventing information stove pipes while reducing duplication of effort.

Integrating Partners into Daily Operations

The NICC and NCCIC incorporate critical infrastructure partners into their day-to-day operations, even incorporating both public- and private-sector partners into their physical watch facilities. These partners serve as bidirectional conduits of information between the centers and the liaison's home agency or sector.
These partners include, but are not limited to, ISACs, SSAs, Federal law enforcement, the intelligence community, and other key partners.

II. Federal Partners

Both centers maintain active relationships with Federal partners from among the SSAs, law enforcement, intelligence, and emergency management communities. Beyond these mission partners, other government agencies should also work in coordination with the NICC and NCCIC where they share interest in critical infrastructure-related information. For example, the NICC works closely with the State Department's Overseas Security Advisory Council, which often has the earliest releasable information regarding threats to physical infrastructure overseas and is therefore an essential partner for ensuring this information is available to the domestic critical infrastructure community. At the same time, the NCCIC works on a daily basis with other Federal cyber centers to exchange critical information and coordinate analytical and response processes. Both centers provide reports to the NOC to facilitate shared situational awareness across the Federal community.

Sector-Specific Agencies

The SSAs actively engage with the centers through the mechanisms listed above. The NICC and NCCIC rely on the SSAs to ensure connectivity broadly across the sectors. During significant incidents, the SSAs provide the NICC and NCCIC with sector impacts for inclusion in the comprehensive infrastructure Common Operating Picture (COP), which is then shared back with the SSAs and other partners.

The Intelligence Community

The NICC and NCCIC serve as a major conduit for IC threat information (both classified and unclassified) to the owners and operators of critical infrastructure.

Federal Law Enforcement

The NICC and NCCIC, within their information sharing protocols and protections, provide suspicious activity reporting and other similar information to Federal law enforcement entities.

Federal Emergency Management

During major incidents, the NICC and NCCIC maintain close coordination with the Federal Emergency Management Agency (FEMA) to ensure that overall critical infrastructure status and impacts on life and safety are understood throughout the Federal incident response community. Both the NICC and the NCCIC provide liaisons directly to the National Response Coordination Center to ensure continuous bidirectional information flow. The SSAs are often directly tied to the Federal emergency management structure as noted in the table below. The SSAs provide detailed sector-specific status information, while the NICC and NCCIC provide the cross-sector analysis of the system-of-systems that makes up our national critical infrastructure. During major national incidents, particular focus is placed on those lifeline functions on which most critical infrastructure sectors depend; this includes communications, energy, transportation, and water.
More information on critical infrastructure information sharing during significant incidents is found in the Critical Infrastructure Support Annex to the National Response Framework.

Sector / SSA / Related Emergency Support Function(s) (ESF) [1]

Sectors: Chemical; Commercial Facilities; Communications
SSAs: Department of Homeland Security; Department of Homeland Security; Department of Homeland Security
Related ESFs: ESF #10 Oil and Hazardous Materials Response (support); ESF #2 Communications (coordinator/primary)

Sectors: Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services
SSAs: Department of Homeland Security; Department of Homeland Security; Department of Defense; Department of Homeland Security
Related ESFs: ESF #3 Public Works and Engineering (support); ESF #4 Firefighting (support); ESF #5 Information and Planning (support); ESF #13 Public Safety and Security (support)

Sector: Energy
SSA: Department of Energy
Related ESFs: ESF #12 Energy (coordinator/primary); ESF #10 Oil and Hazardous Materials Response (support)

Sectors: Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; Water and Wastewater Systems
SSAs: Department of the Treasury; U.S. Department of Agriculture and Department of Health and Human Services; Department of Homeland Security and General Services Administration; Department of Health and Human Services; Department of Homeland Security; Department of Homeland Security; Department of Homeland Security and Department of Transportation; Environmental Protection Agency
Related ESFs: ESF #11 Agriculture and Natural Resources (USDA: coordinator/primary; HHS: support); ESF #6 Mass Care, Emergency Assistance, Housing, and Human Services (support); ESF #8 Public Health and Medical Services (coordinator/primary); ESF #12 Energy (coordinator/primary); ESF #1 Transportation (DOT: coordinator/primary; DHS: support); ESF #3 Public Works and Engineering (support)

[1] The ESFs provide the structure for coordinating Federal interagency support for a Federal response to an incident. They are mechanisms for grouping functions most frequently used to provide Federal support to States and Federal-to-Federal support, both for declared disasters and emergencies under the Stafford Act and for non-Stafford Act incidents.

III. Critical Infrastructure Owners and Operators

Individual critical infrastructure owners and operators will often send and receive information to and from the national centers through intermediary entities, but can always reach directly to the centers if necessary to share or request mission-critical information. The centers are in continuous contact with the ISACs and SSAs.

IV. State, Local, Tribal, and Territorial Government Partners, and Other Regional Partnerships and Consortia

The NICC and NCCIC are resources for non-federal partners in government and regional public-private consortia and coalitions. The coordinating centers may leverage existing regional partnerships to ensure information penetration to decision makers, especially during significant incidents affecting multiple sectors within a region. The centers, in conjunction with other national critical infrastructure partners where appropriate, also share information with State and local fusion centers, InfraGard chapters, Maritime Area Security Committees, FEMA regional offices, etc.

V. Common Information-Sharing Requirements, Systems, and Processes

The two centers continuously set and refine common information-sharing requirements, systems, and processes to facilitate a COP that delivers actionable information to decision makers at all levels. Specifically:

• Refine and manage critical information requirements (CIRs): To build situational awareness, each center operates using a set of defined CIRs, which should be continuously evaluated and refined to ensure optimal situational awareness. SSAs and other departments and agencies may augment these with sector-specific CIRs, and requirements should be coordinated with critical infrastructure owners and operators and the State, Local, Tribal, and Territorial Government Coordinating Council.
• Leverage the DHS COP for a combined, cross-sector situational awareness picture for critical infrastructure security and resilience: Data feeds and web services should be created across SSAs and other Federal, State, local, tribal, and territorial governments, as well as private sector entities to inform the critical infrastructure centers and overall critical infrastructure COP. In turn, this larger national situational awareness picture is shared back out among the partnership to enable participants to have greater depth and context of knowledge than they would otherwise have.

VI. Information Protection

The NICC and NCCIC, as information management and coordination centers, are capable of handling information under a wide range of handling caveats. These protections and caveats include, but are not limited to: classified, For Official Use Only, Personally Identifiable Information (PII), Sensitive PII, Protected Critical Infrastructure Information, Chemical-terrorism Vulnerability Information, Law Enforcement Sensitive, and various industry standards such as the Traffic Light Protocol used by many ISACs.

VII. Get Connected

Centers

National Infrastructure Coordinating Center:
National Cybersecurity and Communications Integration Center:

Portals

HSIN-CI: To request HSIN-CI access, submit the following to
• Name
• Employer
• Title
• Business
• Brief written justification

For questions regarding HSIN-CI access, please contact the NICC.

US-CERT and ICS-CERT Portal

An individual or organization can request access to the Cobalt Compartment by sending an to with the subject line, "Request access to Cobalt Compartment." To access the Control System Compartment, send an to with the subject line, "Request access to Control Systems Compartment." To qualify for either compartment, requestors must:
• Be a U.S.-based organization;
• Have a role within your organization's network defense community; and
• Be a control system asset owner/operator (specific to the Control System Compartment).

Supplemental Tool: The Critical Infrastructure Risk Management Framework

Risk is defined as the potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences.[2] Simply stated, risk is influenced by the nature and magnitude of a threat or hazard, the vulnerabilities from that threat or hazard, and the consequences that could result. Risk information enables partners, ranging from facility owners and operators to Federal agencies, to prioritize risk mitigation efforts. This supplement describes how the critical infrastructure risk management framework can be used as part of the overall effort to ensure the security and resilience of our Nation's critical infrastructure.

The critical infrastructure risk management framework, depicted in Figure 1, supports the integration of strategies, capabilities, and governance to enable risk-informed decision making related to the Nation's critical infrastructure. This framework is applicable to threats such as cyber incidents, natural disasters, manmade safety hazards, and acts of terrorism, although different information and methodologies may be used to understand each.

There are other risk management models used in government and industry, which can be more detailed and often are tailored to a specific need. For example, private industry uses specific models, utilizing standards and best practices, to assess operational and economic business risks. The critical infrastructure risk management framework is not intended to replace any such models or processes already in use. Rather, it provides a common, unifying approach to risk management that all critical infrastructure partners can use, relate to, and align with their own risk management models and activities.
Figure 1: Critical Infrastructure Risk Management Framework

The critical infrastructure risk management framework is tailored toward and applied on an asset, system, network, or functional basis, depending on the fundamental characteristics of each individual critical infrastructure sector. For those sectors primarily dependent on fixed assets and physical facilities, a bottom-up, asset-by-asset approach may be most appropriate. For sectors such as Communications, Information Technology, and Food and Agriculture, with accessible and distributed systems, a top-down, business or mission continuity approach that uses risk assessments focused on network and system interdependencies may be more effective. Each sector must pursue the approach that produces the most effective use of resources and has the opportunity to contribute to cross-sector comparative risk analyses conducted by the Department of Homeland Security (DHS). The risk management framework is also useful at a community level, as jurisdictions or businesses can work collaboratively to make risk-informed decisions within their span of control.

[2] DHS Risk Lexicon, U.S. Department of Homeland Security,

The critical infrastructure risk management framework includes the following activities:

• Set Goals and Objectives: Define specific outcomes, conditions, end points, or performance targets that collectively describe an effective and desired risk management posture.
• Identify Critical Infrastructure (assets, systems, and networks): Develop an inventory of critical assets, systems, and networks that contribute to critical functionality, and collect information pertinent to risk management, including analysis of dependencies and interdependencies.
• Assess and Analyze Risks: Evaluate the risk, taking into consideration the potential direct and indirect consequences of an incident, known vulnerabilities to various potential threats or hazards, and general or specific threat information.
• Implement Risk Management Activities: Make decisions and implement risk management approaches to control, accept, transfer, or avoid risks. Approaches can include prevention, protection, mitigation, response, and recovery activities.
• Measure Effectiveness: Use metrics and other evaluation procedures to measure progress and assess the effectiveness of efforts to secure and strengthen the resilience of critical infrastructure.

This process is an ongoing and continuing one with feedback loops and iterative steps.
It allows the critical infrastructure partnership to track progress and implement actions to improve national critical infrastructure security and resilience over time. The physical, cyber, and human elements of critical infrastructure should be considered in tandem in each aspect of the risk management framework.

The partnership structures discussed in the National Plan provide the mechanism for coordination of risk management activities that are flexibly tailored to different sectors, levels of government, and owners and operators.

I. Set Goals and Objectives

Achieving robust, secure, and resilient infrastructure requires national, State, local, and sector-specific critical infrastructure visions, goals, and objectives that are collaboratively developed and describe the desired risk management posture. Goals and objectives should consider the physical, cyber, and human elements of critical infrastructure security and resilience. Goals and objectives may vary across sectors and organizations, depending on the risk landscape, operating environment, and composition of a specific industry, resource, or other aspect of critical infrastructure.

Nationally, the overall goal of critical infrastructure-related risk management is an enhanced state of security and resilience achieved through the implementation of focused risk management activities within and across sectors and levels of government. The risk management framework supports this goal by:

• Enabling the development of national, State, regional, and sector risk profiles that support the National Critical Infrastructure Security and Resilience Annual Report. These risk profiles outline the highest risks facing different sectors and geographic regions and identify cross-sector or regional issues of concern that are appropriate for the Federal critical infrastructure focus, as well as opportunities for sector, State, and regional initiatives.
• Enabling the critical infrastructure community to determine the best courses of action to reduce potential consequences, threats, and/or vulnerabilities, which, in turn, reduce risk. Some available options include encouraging voluntary implementation of focused risk management strategies (e.g., through public-private partnerships), applying standards and best practices, pursuing economic incentive-related policies and programs, and conducting additional information sharing, if appropriate.
• Informing the identification of risk management and resource allocation options, rather than specifying requirements for critical infrastructure owners and operators. It also allows for a variety of support from government partners.

From a sector or jurisdictional perspective, critical infrastructure security and resilience goals and their supporting objectives:

• Consider distinct assets, systems, networks, functions, operational processes, business environments, and risk management approaches;
• Define the risk management posture that critical infrastructure partners seek to attain individually or collectively; and
• Express this posture in terms of the outcomes and objectives sought.
Taken collectively, these goals and objectives guide all levels of government and the private sector in tailoring risk management programs and activities to address critical infrastructure security and resilience needs.

II. Identify Critical Infrastructure

Partners, both public and private, identify the infrastructure that they consider critical to focus their efforts for improving and enhancing security and resilience. Different partners view criticality differently and thereby may identify different infrastructure of concern to them. The Federal Government works with partners to determine which assets, systems, and networks are nationally significant. Some sectors identify regional, State, and locally significant infrastructure as a joint activity between public- and private-sector partners. Private-sector owners and operators may identify additional infrastructure that are necessary to keep their businesses running to provide goods and services to their customers. Similarly, State, local, tribal, and territorial (SLTT) governments should identify those assets, systems, and networks that are crucial to their continued operations to ensure public health and safety and the provision of essential services.

The National Critical Infrastructure Prioritization Program (NCIPP) identifies nationally significant infrastructure to support risk-informed decision making by the Federal Government and its critical infrastructure partners. Critical assets, systems, and networks identified through this process include those, which if destroyed or disrupted, could cause some combination of significant casualties, major economic losses, or widespread and long-term impacts to national well-being and governance capacity.

The NCIPP collects, identifies, and prioritizes critical infrastructure information from States, critical infrastructure sectors, and other homeland security partners across the Nation. The NCIPP uses an enhanced infrastructure data collection application, which provides the ability to input data throughout the year. Data collected through the NCIPP forms the basis of a national inventory that includes those assets, systems, and networks that are nationally significant and those that may not be significant on a national level but are, nonetheless, important to State, local, or regional critical infrastructure security and resilience and national preparedness efforts. The goal of the national inventory is to provide access to relevant information for natural disasters, industrial accidents, and other incidents.

Critical infrastructure partners work together to ensure that the inventory data structure is accurate, current, and secure. The Federal Government, including the Sector-Specific Agencies (SSAs), works with critical infrastructure owners and operators and SLTT entities to build upon and update existing inventories at the State and local levels to avoid duplication of past or ongoing complementary efforts.

Identifying Cyber Infrastructure

The national plan addresses security and resilience of the cyber elements of critical infrastructure in an integrated manner rather than as a separate consideration.
As a component of the sector-specific risk assessment process, cyber system components should be identified individually or be included as a cyber element of a larger asset, system, or network with which they are associated. The identification process should include information on international cyber infrastructure with cross-border implications, interdependencies, or cross-sector ramifications.

Cyber system elements that exist in most, if not all, sectors include business systems, control systems, access control systems, and warning and alert systems. The Internet has been identified as an essential resource, comprising the domestic and international assets within both the Information Technology and Communications Sectors, and the need for access to and reliance on information and communications technology is common to all sectors.

DHS supports the SSAs and other critical infrastructure partners by developing tools and methodologies to assist in identifying cyber assets, systems, and networks, including those that involve multiple sectors. Several sectors have developed a functions-based approach for identifying cyber-dependent critical infrastructure. The Cyber-Dependent Infrastructure Identification[3] approach is based on three high-level steps, which include:

• Defining criteria for catastrophic impacts across all sectors;
• Evaluating previous sector efforts to determine how they can be leveraged to identify cyber-dependent critical infrastructure at greatest risk; and
• Applying a functions-based approach to identify cyber-dependent infrastructure and its impacts on the sector.

Additionally, DHS, in collaboration with other critical infrastructure partners, provides cross-sector cyber methodologies, which, when applied, enable sectors to identify cyber assets, systems, and networks that may have nationally significant consequences if destroyed, incapacitated, or exploited. These methodologies also characterize the reliance of a sector's business and operational functionality on cyber systems.

Today's information systems, networks, and end-user mobile devices are highly dependent upon the availability of accurate and precise positioning, navigation, and timing (PNT) data. PNT services are critical to the operations of multiple critical infrastructure sectors and are vital to incident response. The U.S. Air Force operates the Global Positioning System (GPS), a dual-use system that provides PNT services worldwide for civil and military purposes. The free, open, and dependable nature of GPS has led to the development of hundreds of applications affecting every aspect of modern life and U.S. economic growth. Other countries are also investing in global navigation satellite systems like GPS. While space-based PNT services are highly available and reliable, these services can be subject to intentional and unintentional disruption by interference or signal blockage, thus preventing valuable PNT data from reaching intended recipients.
Because so many business functions and operations rely exclusively on GPS for location and timing data, disruption to GPS civil services could potentially create a point of failure and lead to cascading effects across multiple sectors. To better understand and mitigate risks from potential disruptions to GPS service availability, critical infrastructure partners can identify the sources and applications of PNT information that support or enable their critical functions and operations, continually assess dependencies and interdependencies, and implement steps to increase the resilience of critical infrastructure operations in the event of interference to or disruption of primary PNT services.

III. Assess Risks

Homeland security risks can be assessed in terms of their likelihood and consequences. Common definitions, scenarios, assumptions, metrics, and processes are needed to ensure that risk assessments contribute to a shared understanding among critical infrastructure partners. The risk management framework outlines a risk assessment approach that results in sound, scenario-based, consequence and vulnerability estimates, as well as an assessment of the likelihood that the postulated threat or hazard would occur.

[3] Executive Order 13636, Improving Critical Infrastructure Cybersecurity, February

The National Plan calls for critical infrastructure partners to generally assess risk from any scenario, considering both likelihood and consequence. As stated in the introduction to this supplemental tool, it is important to think of risk as influenced by the nature and magnitude of a threat or hazard, the vulnerabilities to those threats and hazards, and the consequences that could result.

Threat: Natural or manmade occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property. For the purpose of calculating risk, the threat of an unintentional hazard is generally estimated as the likelihood that a hazard will manifest itself. Intentional hazard is generally estimated as the likelihood of an attack being attempted by an adversary. In the case of intentionally adversarial actors and actions, for both physical and cyber effects, the threat likelihood is estimated based on the intent and capability of the adversary.

Vulnerability: Physical feature or operational attribute that renders an entity open to exploitation or susceptible to a given hazard. In calculating the risk of an intentional hazard, a common measure of vulnerability is the likelihood that an attack is successful, given that it is attempted.

Consequence: The effect of an event, incident, or occurrence; reflects the level, duration, and nature of the loss resulting from the incident. For the purposes of the national plan, potential consequences may fall into four categories: public health and safety (i.e., loss of life and illness), economic (direct and indirect), psychological, and governance/mission impacts.

It is appropriate for critical infrastructure risk assessments to explicitly consider each of these factors, but it is not necessary to do so in a quantifiable manner.
In conducting assessments, analysts should be very careful when calculating risk to properly address interdependencies and any links between how the threats and vulnerabilities were calculated to ensure that the results are sound and defensible. A comprehensive critical infrastructure risk assessment will explicitly consider each of these factors, to the extent necessary for decision making and as possible, given the available information. Critical infrastructure-related risk assessments are conducted on assets, systems, or networks, depending on the characteristics of the infrastructure being examined. Individual threat, consequence, or vulnerability assessments may be useful on their own or in the aggregate to assess risk.

Critical Infrastructure Risk Assessments

Risk assessments are conducted by many critical infrastructure partners to meet their own decision-making needs, using a broad range of methodologies. As a general rule, simple but defensible methodologies are preferred over more complicated methods. Simple methodologies are more likely to fulfill the requirements of transparency and practicality. Risk methodologies are often sorted into qualitative and quantitative categories, but when well-designed, both types of assessments have the potential to deliver useful analytic results. Similarly, both qualitative and quantitative methodologies can be needlessly complex or poorly designed. The methodology that best meets the decision maker's needs is generally the best choice, whether quantitative or qualitative.

The common analytic principles originally provided in the National Infrastructure Protection Plan are broadly applicable to all parts of a risk methodology. These principles provide a guide for improving existing methodologies or modifying them so that the investment and expertise they represent can be used to support national-level, comparative risk assessments, investments, incident response planning, and resource prioritization. Recognizing that many risk assessment methodologies are under development and others evolve in a dynamic environment, the analytic principles for risk assessment methodologies serve as a guide to future adaptations. The basic analytic principles ensure that risk assessments are:

Documented: The methodology and the assessment must clearly document what information is used and how it is synthesized to generate a risk estimate. Any assumptions, weighting factors, and subjective judgments need to be transparent to the user of the methodology, its audience, and others who are expected to use the results. The types of decisions that the risk assessment is designed to support and the timeframe of the assessment (e.g., current conditions versus future operations) should be given.

Reproducible: The methodology must produce comparable, repeatable results, even though assessments of different critical infrastructure may be performed by different analysts or teams of analysts. It must minimize the number and impact of subjective judgments, leaving policy and value judgments to be applied by decision makers.

Defensible: The risk methodology must logically integrate its components, making appropriate use of the professional disciplines relevant to the analysis, as well as be free from significant errors or omissions.
Uncertainty associated with consequence estimates and confidence in the vulnerability and threat estimates should be communicated.

Risk Scenario Identification

It is generally helpful for homeland security risk assessments to use scenarios to divide the identified risks into separate pieces that can be assessed and analyzed individually. A scenario is a hypothetical situation comprised of an identified hazard, an entity impacted by that hazard, and associated conditions including consequences, when appropriate. When analysts are developing plausible scenarios to identify potential risks for a risk assessment, the set of scenarios should attempt to cover the full scope of the assessment to ensure that the decision maker is provided with complete information when making a decision. For a relatively fixed system, an important first step is to identify those components or critical nodes where potential consequences would be highest and where security and resilience activities can be focused. Analysts should take care when dealing with the results, as including multiple scenarios that contain the same event could lead to double counting the risk.

Threat and Hazard Assessment

The remaining factor to be considered in the risk assessment process is the assessment of threat and/or hazard. Assessment of the current terrorist threat to the United States is derived from extensive study and understanding of terrorists and terrorist organizations, and frequently is dependent on analysis of classified information. The Federal Government provides its partners with unclassified assessments of potential terrorist threats and appropriate access to classified assessments where necessary and authorized. These threat assessments are derived from analyses of adversary intent and capability, and describe what is known about terrorist interest in particular critical infrastructure sectors, as well as specific attack methods. Since international terrorists, in particular, have continually demonstrated flexibility and unpredictability, DHS and its partners in the intelligence community also analyze known terrorist goals, objectives, and developing capabilities to provide critical infrastructure owners and operators with a broad view of the potential threat and postulated terrorist attack methods. Similar approaches are used to assess the threats of theft, vandalism, sabotage, insider threat, cyber threats, active shooter, and other deliberate acts.

Both domestic and international critical infrastructure remain potential prime targets for adversaries. Given the deeply rooted nature of these goals and motivations, critical infrastructure likely will remain highly attractive targets for state and non-state actors and others with ill intent. Threat assessments must address the various elements of both physical and cyber threats to critical infrastructure, depending on the attack type and target.

Hazard assessments draw on historical information and future predictions about natural hazards to assess the likelihood or frequency of various hazards. This is an area where various components of the Federal Government work with sector leadership and owners and operators to make assessments in advance of any specific hazard as well as once an impending hazard (such as a hurricane yet to make landfall) is identified.

Vulnerability Assessment

Vulnerabilities are physical features or operational attributes that render an entity open to exploitation or susceptible to a given hazard.
Vulnerabilities may be associated with physical (e.g., no barriers or alarm systems), cyber (e.g., lack of a firewall), or human (e.g., untrained guards) factors. A vulnerability assessment can be a stand-alone process or part of a full risk assessment. The vulnerability assessment involves the evaluation of specific threats to the asset, system, or network under review to identify areas of weakness that could result in consequences of concern. Many different vulnerability assessment approaches are used in the different critical infrastructure sectors and by various government authorities. Many of the Sector-Specific Plans (SSPs) describe vulnerability assessment methodologies used in the sectors. The SSPs also may provide specific details regarding how the assessments can be carried out (e.g., by whom and how often).

Consequence Assessment

Consequence categories may include:

Public Health and Safety: Effect on human life and physical well-being (e.g., fatalities, injuries/illness).

Economic: Direct and indirect economic losses (e.g., cost to rebuild asset, cost to respond to and recover from attack, downstream costs resulting from disruption of product or service, long-term costs due to environmental damage).

Psychological: Effect on public morale and confidence in national economic and political institutions. This encompasses those changes in perceptions emerging after a significant incident that affect the public's sense of safety and well-being and can manifest in aberrant behavior.

Governance/Mission Impact: Effect on the ability of government or industry to maintain order, deliver minimum essential public services, ensure public health and safety, and carry out national security-related missions.

Consequence analysis should ideally address both direct and indirect effects. Many assets, systems, and networks depend on connections to other critical infrastructure to function. For example, nearly all sectors share relationships with elements of the Energy, Information Technology, Communications, Financial Services, and Transportation Systems sectors. In many cases, the failure of an asset or system in one sector will affect the ability of interrelated assets or systems in the same or another sector to perform the necessary functions. Furthermore, cyber interdependencies present unique challenges for all sectors because of the borderless nature of cyberspace. Interdependencies are dual in nature. For example, the Energy Sector relies on computer-based control systems to manage the electric power grid, while those same control systems require electric power to operate. As a result, complete consequence analysis addresses both critical infrastructure interconnections for the purposes of risk assessment.

The level of detail and specificity achieved by using the most sophisticated models and simulations may not be practical or necessary for all assets, systems, or networks. In these circumstances, a simplified dependency and interdependency analysis based on expert judgment may provide sufficient insight to make informed risk management decisions in a timely manner.

There is also an element of uncertainty in consequence estimates. Even when a scenario with reasonable worst-case conditions is clearly stated and consistently applied, there is a range of outcomes that could occur. For some incidents, the consequence range is small, and a simple estimate may provide sufficient information to support decisions.
If the range of outcomes is large, the scenario may require more specificity about conditions to obtain appropriate estimates of the outcomes. However, if the scenario is broken down to a reasonable level of granularity and there is still significant uncertainty, the estimate should be accompanied by the uncertainty range to support more informed decision making. The best way to communicate uncertainty will depend on the factors that make the outcome uncertain, as well as the amount and type of information that is available.

IV. Implement Risk Management Activities

The selection and implementation of appropriate risk management activities requires prioritization to help focus planning, increase coordination, and support effective resource allocation and incident management, response, and restoration decisions. Comparing the risk faced by different entities helps identify where risk mitigation is most needed and to subsequently determine and help justify the most cost-effective risk management options. Prioritization can be used primarily to inform resource allocation decisions, such as where risk management programs should be instituted; guide investments in these programs; and highlight the measures that offer the greatest return on investment.


More information

EPRO. Electric Infrastructure Protection Initiative EPRO BLACK SKY SYSTEMS ENGINEERING PROCESS

EPRO. Electric Infrastructure Protection Initiative EPRO BLACK SKY SYSTEMS ENGINEERING PROCESS EPRO Electric Infrastructure Protection Initiative EPRO BLACK SKY SYSTEMS ENGINEERING PROCESS EPRO BLACK SKY SYSTEMS ENGINEERING PROCESS The Role of Systems Engineering in Addressing Black Sky Hazards

More information

HPH SCC CYBERSECURITY WORKING GROUP

HPH SCC CYBERSECURITY WORKING GROUP HPH SCC A PRIMER 1 What Is It? The cross sector coordinating body representing one of 16 critical infrastructure sectors identified in Presidential Executive Order (PPD 21) A trust community partnership

More information

DHS Emergency Services Sector Presents Tools and Resources for First Responders. June 1, pm ET

DHS Emergency Services Sector Presents Tools and Resources for First Responders. June 1, pm ET DHS Emergency Services Sector Presents Tools and Resources for First Responders June 1, 2017 1-2 pm ET Agenda Introduction Overview of the NISC Emergency Services Sector (ESS) Resources and Tools for Emergency

More information

NATIONAL CAPITAL REGION HOMELAND SECURITY STRATEGIC PLAN SEPTEMBER 2010 WASHINGTON, DC

NATIONAL CAPITAL REGION HOMELAND SECURITY STRATEGIC PLAN SEPTEMBER 2010 WASHINGTON, DC NATIONAL CAPITAL REGION HOMELAND SECURITY STRATEGIC PLAN SEPTEMBER 2010 WASHINGTON, DC Draft Version incorporating Management Review [MR] Edits and Comments Document Date: July 2013 Goal One: Ensure Interoperable

More information

Today s cyber threat landscape is evolving at a rate that is extremely aggressive,

Today s cyber threat landscape is evolving at a rate that is extremely aggressive, Preparing for a Bad Day The importance of public-private partnerships in keeping our institutions safe and secure Thomas J. Harrington Today s cyber threat landscape is evolving at a rate that is extremely

More information

South Dakota Utah Wyoming Needs and Challenges Funding assistance Training Federal program enhancements Exercises

South Dakota Utah Wyoming Needs and Challenges Funding assistance Training Federal program enhancements Exercises STATE, LOCAL, TRIBAL, AND TERRITORIAL GOVERNMENT COORDINATING COUNCIL REGIONAL CONSORTIUM COORDINATING COUNCIL Regional Overview of Critical Infrastructure Programs Region Snapshot Region VIII The State,

More information

U.S. Department of Homeland Security Office of Cybersecurity & Communications

U.S. Department of Homeland Security Office of Cybersecurity & Communications U.S. Department of Homeland Security Office of Cybersecurity & Communications Council of State Governments Cybersecurity Session November 3, 2017 Cybersecurity & Communications (CS&C) CS&C s Mission ensure

More information

CRITICAL INFRASTRUCTURE AND KEY RESOURCES

CRITICAL INFRASTRUCTURE AND KEY RESOURCES AGRICULTURE AND FOOD SECTOR The Agriculture and Food Sector has the capacity to feed and clothe people well beyond the boundaries of the nation. The sector is almost entirely under private ownership and

More information

Medical Device Cybersecurity: FDA Perspective

Medical Device Cybersecurity: FDA Perspective Medical Device Cybersecurity: FDA Perspective Suzanne B. Schwartz MD, MBA Associate Director for Science and Strategic Partnerships Office of the Center Director (OCD) Center for Devices and Radiological

More information

Alternative Fuel Vehicles in State Energy Assurance Planning

Alternative Fuel Vehicles in State Energy Assurance Planning + Alternative Fuel Vehicles in State Energy Assurance Planning July 17, 2014 Webinar hosted by the National Association of State Energy Officials (NASEO), with support from the U.S. Department of Energy

More information

Critical Infrastructure Partnership

Critical Infrastructure Partnership Critical Infrastructure Partnership Overview Chris Boyer AVP Global Public Policy December 11, 2017 2016 AT&T Intellectual Property. All rights reserved. AT&T, Globe logo, Mobilizing Your World and DIRECTV

More information

Presidential Documents

Presidential Documents Federal Register Vol. 84, No. 61 Friday, March 29, 2019 Presidential Documents 12041 Title 3 Executive Order 13865 of March 26, 2019 The President Coordinating National Resilience to Electromagnetic Pulses

More information

Utilizing Terrorism Early Warning Groups to Meet the National Preparedness Goal. Ed Reed Matthew G. Devost Neal Pollard

Utilizing Terrorism Early Warning Groups to Meet the National Preparedness Goal. Ed Reed Matthew G. Devost Neal Pollard Utilizing Terrorism Early Warning Groups to Meet the National Preparedness Goal Ed Reed Matthew G. Devost Neal Pollard May 11, 2005 Vision The Terrorism Early Warning Group concept fulfills the intelligence

More information

DHS Supply Chain Activity: Cross-Sector Supply Chain Working Group and Strategy on Global Supply Chain Security

DHS Supply Chain Activity: Cross-Sector Supply Chain Working Group and Strategy on Global Supply Chain Security DHS Supply Chain Activity: Cross-Sector Supply Chain Working Group and Strategy on Global Supply Chain Security Josha Jordan U.S. Department of Homeland Security National Protection and Programs Directorate

More information

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report Nationwide Cyber Security Review: Summary Report Nationwide Cyber Security Review: Summary Report ii Nationwide Cyber Security Review: Summary Report Acknowledgments The Multi-State Information Sharing

More information

Mississippi Emergency Support Function #12 Energy Annex

Mississippi Emergency Support Function #12 Energy Annex ESF #12 Coordinator Mississippi Public Utilities Staff Primary Agencies Mississippi Public Utilities Staff Support Agencies Mississippi Emergency Management Agency Mississippi Public Service Commission

More information

Chapter X Security Performance Metrics

Chapter X Security Performance Metrics DRAFT February 19, 15 BES Security s Working Group Page 1 of 7 Chapter X Security Performance s 1 3 3 3 3 0 Background The State of Reliability 1 report noted that the NERC PAS was collaborating with the

More information

Cyber Security & Homeland Security:

Cyber Security & Homeland Security: Cyber Security & Homeland Security: Cyber Security for CIKR and SLTT Michael Leking 19 March 2014 Cyber Security Advisor Northeast Region Office of Cybersecurity and Communications (CS&C) U.S. Department

More information

National Preparedness System (NPS) Kathleen Fox, Acting Assistant Administrator National Preparedness Directorate, FEMA April 27, 2015

National Preparedness System (NPS) Kathleen Fox, Acting Assistant Administrator National Preparedness Directorate, FEMA April 27, 2015 National Preparedness System (NPS) Kathleen Fox, Acting Assistant Administrator National Preparedness Directorate, FEMA April 27, 2015 The Post Katrina Emergency Management Reform Act (2006) Required the

More information

PIPELINE SECURITY An Overview of TSA Programs

PIPELINE SECURITY An Overview of TSA Programs PIPELINE SECURITY An Overview of TSA Programs Jack Fox Pipeline Industry Engagement Manager Surface Division Office of Security Policy & Industry Engagement May 5, 2014 TSA and Pipeline Security As the

More information

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy Implementing the Administration's Critical Infrastructure and Cybersecurity Policy Cybersecurity Executive Order and Critical Infrastructure Security & Resilience Presidential Policy Directive Integrated

More information

Region Snapshot Regions I and II

Region Snapshot Regions I and II STATE, LOCAL, TRIBAL, AND TERRITORIAL GOVERNMENT COORDINATING COUNCIL REGIONAL CONSORTIUM COORDINATING COUNCIL Regional Overview of Critical Infrastructure Programs Region Snapshot Regions I and II The

More information

Homeland Security and Geographic Information Systems

Homeland Security and Geographic Information Systems Page 1 of 5 Homeland Security and Geographic Information Systems How GIS and mapping technology can save lives and protect property in post-september 11th America Introduction Timely, accurate information,

More information

Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach.

Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach. Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach. By Christopher Ganizani Banda ICT Development Manager Malawi Communications Regulatory Authority 24-26th July,2016 Khartoum,

More information

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security SYMANTEC: SECURITY ADVISORY SERVICES Symantec Security Advisory Services The World Leader in Information Security Knowledge, as the saying goes, is power. At Symantec we couldn t agree more. And when it

More information

Vulnerability Assessments and Penetration Testing

Vulnerability Assessments and Penetration Testing CYBERSECURITY Vulnerability Assessments and Penetration Testing A guide to understanding vulnerability assessments and penetration tests. OVERVIEW When organizations begin developing a strategy to analyze

More information

Position Description. Computer Network Defence (CND) Analyst. GCSB mission and values. Our mission. Our values UNCLASSIFIED

Position Description. Computer Network Defence (CND) Analyst. GCSB mission and values. Our mission. Our values UNCLASSIFIED Position Description Computer Network Defence (CND) Analyst Position purpose: Directorate overview: The CND Analyst seeks to discover, analyse and report on sophisticated computer network exploitation

More information

Cyber Security Incident Report

Cyber Security Incident Report Cyber Security Incident Report Technical Rationale and Justification for Reliability Standard CIP-008-6 January 2019 NERC Report Title Report Date I Table of Contents Preface... iii Introduction... 1 New

More information

National Preparedness System. Update for EMForum June 11, 2014

National Preparedness System. Update for EMForum June 11, 2014 National Preparedness System Update for EMForum June 11, 2014 Approach to National Preparedness Whole community integration Risk-driven Capability-based DRAFT 2 Presidential Policy Directive 8 (PPD) 8

More information

The J100 RAMCAP Method

The J100 RAMCAP Method The J100 RAMCAP Method 2012 ORWARN Conference Kevin M. Morley, PhD Security & Preparedness Program Manager AWWA--Washington, DC Water is Key to Daily Life Potable drinking water Sanitation Public Health

More information

UNCLASSIFIED. September 24, In October 2007 the President issued his National Strategy for Information Sharing. This

UNCLASSIFIED. September 24, In October 2007 the President issued his National Strategy for Information Sharing. This Statement for the Record of The Honorable Michael E. Leiter Director, National Counterterrorism Center on Information Sharing with State, Local, and Tribal Authorities before the House Committee on Homeland

More information

National Incident Management System and National Response Plan. Overview

National Incident Management System and National Response Plan. Overview National Incident Management System and National Response Plan Overview March 2006 HSPD-5: Management of Domestic Incidents HSPD-5 Objectives: Single comprehensive national approach Prevention, Preparedness,

More information

Incident Response Services

Incident Response Services Services Enhanced with Supervised Machine Learning and Human Intelligence Empowering clients to stay one step ahead of the adversary. Secureworks helps clients enable intelligent actions to outsmart and

More information

Food and Agriculture Sector Criticality Assessment

Food and Agriculture Sector Criticality Assessment Food and Agriculture Sector Criticality Assessment William Krueger Food and Agriculture Sector Specialist DHS - Office of Infrastructure Protection Partnerships and Outreach Division & Research Fellow

More information

Good morning, Chairman Harman, Ranking Member Reichert, and Members of

Good morning, Chairman Harman, Ranking Member Reichert, and Members of Statement of Michael C. Mines Deputy Assistant Director Directorate of Intelligence Federal Bureau of Investigation Before the Subcommittee on Intelligence, Information Sharing, and Terrorism Risk Assessment,

More information

Her Majesty the Queen in Right of Canada, Cat. No.: PS4-66/2014E-PDF ISBN:

Her Majesty the Queen in Right of Canada, Cat. No.: PS4-66/2014E-PDF ISBN: 2014-2017 Her Majesty the Queen in Right of Canada, 2014 Cat. No.: PS4-66/2014E-PDF ISBN: 978-1-100-23291-1 ii Table of contents 1. Introduction....3 What we have learned and what has changed...3 2. A

More information

STRATEGIC PLAN. USF Emergency Management

STRATEGIC PLAN. USF Emergency Management 2016-2020 STRATEGIC PLAN USF Emergency Management This page intentionally left blank. Organization Overview The Department of Emergency Management (EM) is a USF System-wide function based out of the Tampa

More information

EMERGENCY SUPPORT FUNCTION (ESF) 13 PUBLIC SAFETY AND SECURITY

EMERGENCY SUPPORT FUNCTION (ESF) 13 PUBLIC SAFETY AND SECURITY EMERGENCY SUPPORT FUNCTION (ESF) 13 PUBLIC SAFETY AND SECURITY PRIMARY AGENCY: SUPPORT AGENCIES: Savannah-Chatham Metropolitan Police Department Armstrong-Atlantic Campus Police Department Bloomingdale

More information

21ST OSCE ECONOMIC AND ENVIRONMENTAL FORUM

21ST OSCE ECONOMIC AND ENVIRONMENTAL FORUM 21ST OSCE ECONOMIC AND ENVIRONMENTAL FORUM Increasing stability and security: Improving the environmental footprint of energy-related activities in the OSCE region CONCLUDING MEETING Prague, 11 13 September

More information

Chapter X Security Performance Metrics

Chapter X Security Performance Metrics Chapter X Security Performance Metrics Page 1 of 10 Chapter X Security Performance Metrics Background For many years now, NERC and the electricity industry have taken actions to address cyber and physical

More information

Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018

Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018 Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018 The Homeland Security Systems Engineering and Development Institute (HSSEDI ) is a trademark of the U.S. Department of Homeland

More information

NATIONAL ELECTRIC GRID SECURITY AND RESILIENCE ACTION PLAN

NATIONAL ELECTRIC GRID SECURITY AND RESILIENCE ACTION PLAN NATIONAL ELECTRIC GRID SECURITY AND RESILIENCE ACTION PLAN Product of the Executive Office of the President DECEMBER 2016 Table of Contents Introduction................................... 1 Structure

More information

NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY

NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY JANUARY 2012 THE WHITE HOUSE WASHINGTON January 23, 2012 The United States and nations around the world depend upon the efficient and secure transit

More information

Department of Defense. Installation Energy Resilience

Department of Defense. Installation Energy Resilience Department of Defense Installation Energy Resilience Lisa A. Jung DASD (Installation Energy) OASD(Energy, Installations and Environment) 19 June 2018 Installation Energy is Energy that Powers Our Military

More information

Information Collection Request: The Department of Homeland. Security, Stakeholder Engagement and Cyber Infrastructure

Information Collection Request: The Department of Homeland. Security, Stakeholder Engagement and Cyber Infrastructure This document is scheduled to be published in the Federal Register on 07/18/2017 and available online at https://federalregister.gov/d/2017-15068, and on FDsys.gov 9110-9P P DEPARTMENT OF HOMELAND SECURITY

More information

Region Snapshot Region IV

Region Snapshot Region IV STATE, LOCAL, TRIBAL, AND TERRITORIAL GOVERNMENT COORDINATING COUNCIL REGIONAL CONSORTIUM COORDINATING COUNCIL Regional Overview of Critical Infrastructure Programs Region Snapshot Region IV The State,

More information

Outreach and Partnerships for Promoting and Facilitating Private Sector Emergency Preparedness

Outreach and Partnerships for Promoting and Facilitating Private Sector Emergency Preparedness 2011/EPWG/WKSP/020 Session 4 Outreach and Partnerships for Promoting and Facilitating Private Sector Emergency Preparedness Submitted by: Australia Workshop on Private Sector Emergency Preparedness Sendai,

More information

Applying Mitigation. to Build Resilient Communities

Applying Mitigation. to Build Resilient Communities Applying Mitigation to Build Resilient Communities The Hazards Around Us Think about the natural hazard that... poses the greatest risk to where you live or work OR has had the greatest impact on you personally

More information

Needs and Challenges Funding assistance Training Partnership capabilities and sustainment. Implement Risk Management

Needs and Challenges Funding assistance Training Partnership capabilities and sustainment. Implement Risk Management STATE, LOCAL, TRIBAL, AND TERRITORIAL GOVERNMENT COORDINATING COUNCIL REGIONAL CONSORTIUM COORDINATING COUNCIL Regional Overview of Critical Infrastructure Programs Region Snapshot Region III The State,

More information

California Cybersecurity Integration Center (Cal-CSIC)

California Cybersecurity Integration Center (Cal-CSIC) California Cybersecurity Integration Center (Cal-CSIC) Agenda Mission and Scope Whole of State Government Approach Where is the Cal-CSIC? Cal-CSIC Partners Attaining Cyber Maturity in Parallel Machine

More information

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development December 10, 2014 Statement of the Securities Industry and Financial Markets Association Senate Committee on Banking, Housing, and Urban Development Hearing Entitled Cybersecurity: Enhancing Coordination

More information