PROTECTING CRITICAL INFRASTRUCTURE: A Shared Responsibility

Dec 1, 2007 12:00 PM

One of the key issues confronting the Department of Homeland Security (DHS), the Department of Defense (DoD), state, local and tribal governments and America's private sector is how to collectively protect the nation's critical infrastructure. DoD guidance and programs have been in place for some time, and there are processes and procedures to define roles and responsibilities for protection and response — although the anticipated threats have diverged somewhat as we confront the asymmetrical terrorist threats of today rather than threats from nation-states alone.

One only needs to review the media coverage of recent weeks to find articles highlighting a terrorist plot against Ft. Huachuca, Ariz. There does not appear to be clear evidence of nation-state involvement — leaving us in the gray zone between direct military action against an aggressor and a law enforcement action directed toward collecting evidence and prosecuting foreign nationals through our court system. Cyber-attacks are another example of emerging threats that have demonstrated malicious intent to disrupt and damage our country — as in recent reports of attacks on the DoD mail system leading back to Chinese Web sites. These threats serve notice that our perimeter is being probed constantly by an elusive, well-informed and educated enemy. The private sector is also under attack by external agents of foreign governments and terrorist networks. In those cases where there is clear alignment with the DoD industrial base and sites related to Chemical, Biological, Radiological/Nuclear and Explosives, the effectiveness of a strong public-private partnership is being demonstrated every day. For example, Northrop Grumman's own manufacturing facilities for aircraft assemblies, ships and military electronics fall well within the DoD Critical Infrastructure Protection (CIP) guidelines.

The challenge for DHS is in motivating and encouraging partnerships across public, private and DoD domains, each with different organizational and cultural objectives governed under our current governance systems. With 85 percent of the country's critical infrastructure in the hands of the private sector, this challenge dwarfs the not inconsiderable DoD CIP program. DHS is now 5-years-old and still lacks a complete, detailed inventory of the CIP resources in the country. It doesn't have an efficient method for updating the information it has received through programs such as Protected Critical Infrastructure Information (PCII) either. Rather, DHS is depending on the 17 Sector Coordinating Councils to promulgate critical information to their sectors, thinking that private industry is more likely to accept a relationship of this magnitude from their private sector peers. The opportunity for inaction or incomplete risk analysis is high in sectors with little or no interdependence. Others, such as electrical power generation and distribution and financial institutions with high reliance on others in their sector, are far more cooperative. In the end, the measure of effectiveness for federal government relationships (in all of its regulatory, enforcement and inspection guises) will be measured by the willingness of the private sector to accept a relationship built on new levels of trust.

From a private sector perspective, operation of manufacturing facilities and other core infrastructure must be competitive in the market. Security is an added cost that hurts profitability and competitiveness. Research on the regulated energy and water industries indicates effective federal standards can be established across the public-private domains. These industries are far more regulated and have established their operations in areas where there is little to no competition and the barriers to entry are extremely high (adding a second municipal water distribution system, for example). Establishing federal tax and insurance incentives, limiting corporate liability and developing industry standards may motivate increased security and circumvent excessive federal mandates.

In addition, the fact that these infrastructure components are privately held creates an additional layer of complexity, since there is no community plan that is easily owned by geographically collocated infrastructure owners within or across sectors. Each owner/operator has his or her own plan and likely a trust relationship with DHS along with state and local government. This creates a mosaic of overlapping plans with no coherent understanding of the interdependencies and impacts in the face of a natural or terrorism event.

The question of partnering approaches is a gray area since each private sector participant has different risk tolerances and trust sensitivities when dealing with the public sector. Even threats that represent clear and present danger to the infrastructure and surrounding populations are at issue when it comes to public awareness. The public sector is bound to inform the citizens it protects; the private sector has a responsibility to its shareholders to maintain its brand and profitability. Building security partnerships with federal guidance that are considerate of these two points of view may not be sufficient to secure critical infrastructure. The implementation of a dual-purpose strategy and change management principles is needed to further enhance the efficiency of security partnerships. Making security a fundamental element of the business models for CIP owners — without harming their ability to effectively compete — stands as a significant challenge in today's rapidly expanding and globalized economies.

Developing strong, bi-directional trust agreements in today's threat environment will take time and patience in order to mature into effective arrangements for both sides of this issue. Supporting and enhancing sector-specific plans for highly interdependent businesses looks to be the path of least resistance today. While the loss of infrastructure in these sectors would have tremendous impact, other less cross-reliant sectors have the potential for much more lethal incidents, particularly when viewed in the context of local impacts on other sector collated resources such as freight terminals, train switch yards and petrochemical manufacturing and storage facilities. Getting a community plan in place that looks at the risk scenarios across sectors is necessary and within reach.
— Bruce Walker

About the Author

Bruce Walker is the director of Homeland security for Northrop Grumman.

A CASE IN POINT:

America's 131 million electricity customers are at risk if the grid goes down

Forty percent of energy consumption in America is in the form of electricity. At the center of the supply that fuels our food, shelter, water, law and order is the electric grid. But a decrease in transmission facilities and an increase in demand have left the grid so congested that the ongoing question of its vulnerability is one that security experts haven't quite answered.Recently, the Office of Electric Reliability (OER) for the Federal Energy Regulatory Commission (FERC) raised the issue to House committees, suggesting that because the grid's operating systems are connected to the Internet, the risk of cyberattack is escalating.

The OER has the responsibility to oversee mandatory, enforceable reliability standards for the electric grid based on the Energy Policy Act of 2005, enacted by Congress in August 2005. Joseph McClelland, director of the OER, recently presented stronger regulations that he sees are necessary to secure the grid. Among the committeewas the House Homeland Security Cybersecurity Subcommittee.

Chairmen hit back at the regulations, recommending that the Department of Homeland Security (DHS) develop a better system for guiding private industry efforts to secure control systems.

Want to use this article? Click here for options!
© 2010 Penton Media Inc.

Story Missing Your Link?

• Innovation In The Sun
• Tackling Identity Theft
• Search And Rescue