Critical Infrastructure
Critical infrastructure can be defined as any facility, system, or function that provides the foundation for national security, governance, economic vitality, reputation, and way of life. These infrastructures are all connected in a "system of systems" where a failure in one can cascade into a failure in others.
SECTORS
Critical infrastructures are not static; rather, they evolve to reflect both changing threats and the nature of the economy. Every critical infrastructure sector complements and depends on others, creating economies of scale and the accumulation of human and material capital. Interconnectivity complicates critical infrastructure protection. Its consequence is the cascading effect, which occurs when an assault against one infrastructure negatively affects the ability of another sector to function. There are currently 14 identified sectors.
- Agriculture, including feed, animals, animal products, crop production, and the post-harvesting components of the food supply chain.
- Food, including retail food distribution and consumption.
- Water, including fresh water supply and wastewater collection and treatment.
- Public Health, including hospitals, nursing homes, pharmaceutical stockpiles, and the national blood supply.
- Emergency Services, including police, fire, and emergency medical/rescue services.
- Government Services, including programs such as Social Security and Medicare.
- Defense Industrial Base, including the production and distribution of military hardware as well as the goods and services critical to military readiness.
- Information and Telecommunications, including voice and data services as well as Internet access and wireless capabilities.
- Energy, including electricity, oil, and natural gas.
- Transportation, including air, rail, maritime, pipeline, highway, truck, bus, and public mass transit.
- Banking and Finance, including banking operations, financial markets, and financial utilities, such as electronic payment systems.
- Chemicals and Hazardous Materials, including substances used for agricultural, industrial, and commercial use.
- Postal and Shipping, including the movement and handling of letters, packages, and cargo.
Critical Infrastructure Protection (CIP)
The basic steps of CIP consist of:
- Identifying the critical infrastructures
- Determining the threats against those infrastructures
- Analyzing the vulnerabilities of threatened infrastructures
- Assessing the risks of degradation or loss of a critical infrastructure
- Applying countermeasures where risk is unacceptable
THE HISTORY OF CRITICAL INFRASTRUCTURE PROTECTION
In 1996, the position of national coordinator for security, infrastructure protection, and counter-terrorism (sometimes called the position of "cyber-czar") was created as part of the White House's National Security Council to oversee national policy development and implementation for CIP. Another organization, the Critical Infrastructure Assurance Office (CIAO), existed to coordinate the federal government's initiatives on CIP, to assist agencies in identifying their dependencies and vulnerabilities, and to coordinate awareness programs.
The National Infrastructure Protection Center (NIPC) served as a threat assessment center and included members of the FBI, DoD, Secret Service, and CIA. Out of NIPC, the InfraGard program was established to provide a mechanism for two-way information sharing about intrusion incidents and system vulnerabilities, and to further provide a channel for the NIPC to disseminate analytical threat products to the private sector.
Information Sharing and Analysis Centers (ISACs) are part of the private sector's response to the call for action made in May 1998 by Presidential Decision Directive 63. The purpose of an ISAC is to gather and analyze information about information security threats, vulnerabilities, incidents, countermeasures, and best practices. An ISAC typically consists of a secure database, analytic tools, and information gathering and distribution facilities designed to allow authorized individuals to submit either anonymous or attributed reports about information security threats, vulnerabilities, incidents, and solutions. ISAC members also have access to analytic products produced by other members and obtained from other sources.
Critical Infrastructure Protection
One of the basic goals of infrastructure protection is continuity -- continuity of government, continuity of the private sector, and continuity of public services.
RELIANCE UPON INDUSTRY AND PRIVATE SECTOR
Most of America's critical infrastructure is owned or operated by the private sector. Industry as a whole faces a greater threat than the government. However, the private sector is driven by bottom lines, consumer and shareholder confidence, and market forces. If industry fails to implement the necessary security measures that protect more than its "bottom line," then the government must step in, and in fact probably has an obligation to do so. Part of this obligation is to assist industry by making sure it has the tools it needs to do the job.
Geographic Diversity
- Approximately 66,000 chemical plants
- 104 nuclear power plants
- 5,000 public airports
- 2 billion miles of telecommunication cable
- 5,800 registered hospitals
Critical infrastructures are plentiful and geographically dispersed. Every city and town has critical. With pipelines, power lines, and communications networks distributed across the landscape, even remote areas now constitute target-rich environments. An absence of classic terrorist targets no longer provides immunity from attack or reason for inaction.
Vulnerabilities to Critical Infrastructures
Critical infrastructure protection is challenging because vulnerabilities are diverse and omnipresent. Diversity is reflected by a dual method of attack, namely cyber exploitation and physical exploitation.