Keywords

jurisdiction; National Preparedness Guidelines (NPG); National Response Framework (NRF); continuity; National Infrastructure Protection Plan (NIPP); Department of Homeland Security Directive (HSPD); Critical Infrastructure and Key Resources (CI/KR); Homeland Security Act of 2002; Intelligence Reform and Terrorism Prevention Act of 2004

Asset Identification and Prioritization

The National Infrastructure Protection Plan (NIPP) defines the term asset to include contracts, facilities, property, electronic and non-electronic records and documents, unobligated or unexpended balances of appropriations, and other funds or resources. The NIPP definition excludes personnel because it categorizes them differently.

Asset identification and prioritization should be a collaborative, multidisciplinary effort that involves experts from many different sectors of a jurisdiction. This effort should use a systematic, quantitative methodology to compile a list of assets, assign each a value, and sort the list to identify which have the highest value. This prioritization step can aid in allocating resources and assist in determining if a full vulnerability assessment of the asset is required.

Within a jurisdiction, many facilities and sites (which are also called assets) may be considered part of the critical infrastructure or a key resource (CIKR) for that area. Several standardized models have been developed to assess the priority of a facility. Although these models contain similarities, there are differences that may make a certain assessment model more appropriate for a particular facility.

National Infrastructure Protection Plan

We have faced many risks in the past and will again in the future, including human-made or natural disasters and terrorist attacks. This is why the NIPP was implemented in 2009 by then Secretary of Homeland Security Michael Chertoff. The mission of the NIPP was to give priority to preventing the loss of life and property from these disasters. The focus was disaster prevention and infrastructure protection.

The plan incorporates 18 sectors of federal agencies, as well as local and state levels of government and the private sector. This was the start of building those private–public sector relationships that had been lacking over the years and developing a level of trust that had not been present before. It was an initiative to develop and integrate all levels of authority, resources, and capabilities to create and maintain a unified effort for the protection of our country. The NIPP meets the requirements for the Homeland Security Presidential Directive 7 (HSPD-7: Critical Infrastructure, Identification, Prioritization, and Protection), which is a national directive to protect our nation through one initial effort. It clearly defines the roles and responsibilities of the Department of Homeland Security (DHS) in relation to all levels of government, as well as the private sector.

Our overarching goal of the National Infrastructure Protection Plan (2009) is to:

The NIPP provides the roadmap to develop, unify, and integrate CIKR protection efforts with resilient strategies into one program that can be used by all levels of government and by the private sector. These efforts will provide benefits such as mitigation of risk, lessening of vulnerabilities, threat deterrence, and minimization of consequences related to human-made and natural disasters. The Homeland Security Act of 2002 provided the foundation for the DHS, which maintains responsibility for the protection our CIKR.

The NIPP focuses on the protection of resources such as agriculture and food; the defense industrial base; energy; healthcare and public health; national monuments and icons; banking and finance; water; chemicals; commercial facilities; critical manufacturing; dams; emergency services; nuclear reactors, materials, and waste; information technology and communications; postal and shipping services; transportation systems; and government facilities.

A continuous process of risk management has been developed that enhances protection of CIKR. This process involves setting goals and objectives; identifying assets, systems, and networks; assessing risks and priorities; and using this information to measure the effectiveness of the programs that have been implemented. The process may seem difficult, but it is an easy system for a proper evaluation.

The NIPP is effective in helping prevent, prepare, protect, respond, and recover from terrorist attacks, natural disasters, and other emergencies. This process is in effect on all local, state, and federal levels of government.

There is a collaborative effort among the NIPP, the National Preparedness Guidelines (NPG), and the National Response Framework (NRF) to provide an integrated and comprehensive approach to completing homeland security missions. This collaboration sets forth the roles and responsibilities for building prevention, protection, response, and recovery areas for the success of any mission.

Appropriate partnerships are forged, and although the focus is on threat prevention, rescue and recovery are not overlooked. All parties must be appropriately trained on similar methods of planning, assessment, preparedness exercises, and technical assistance.

For all of this to be successful, we need to build national awareness of and support for what needs to be accomplished. Research and development is needed to show the capabilities and limits of the effort. There is a built-in process to review and revise the collaborative effort to ensure effectiveness. Federal grants support implementation on the local and state government levels as well as in the private sector.

For us to ensure the continuity of our CI, it is essential to protect our nation’s security, public health, and safety. We know that terrorist attacks and human-made or natural disasters can disrupt the functioning of our government, as well as the private sector. Today, we need to look at the direct and indirect impacts that result because of large-scale loss of human life and the destruction of property.

As we look at the infrastructure model, we first need to look at protection and how it mitigates risk to CIKR assets and overall functioning. Protection is an essential tool that is the umbrella for what we are attempting to do. Protection includes looking at physical, cyber, and human assets and using successful partnerships to mitigate risk.

The goal of the NIPP is to make a safer and more secure place to live by preventing, deterring, neutralizing, or mitigating the efforts to attack our nation’s CIKR and to strengthen our nation’s preparedness, response, and recovery in the event of an attack, natural disaster, or other emergency. To work effectively and positively, all parties need to understand their roles and share information efficiently. They also need to build relationships in order to implement long-term risk plans and share resources that are beneficial to all.

All of what has been discussed so far is based on the attacks that occurred on September 11, 2001. Therefore, most, if not all, of the focus is on protection against terrorist threats. A development that occurred because of 9/11 is the importance of public–private sector relationships and the effective flow of information between them.

One aspect of our vulnerability rests on how open our nation is with technology and how interconnected we are with other nations, both publicly and privately. We must protect our infrastructure in every way we can in hopes of strengthening our economy, as well as our nation. Over the past 2 decades, we have witnessed a number of high-profile, disruptive international and domestic terrorist plots. The terrorists have proven to be relentless, patient, opportunistic, and flexible when it comes to those attempts, which shows the importance of prevention and risk mitigation.

The NIPP outlines ways that DHS can partner with public and private sector organizations to use threat analysis to inform risk assessment and mitigation activities. When we discuss cyber infrastructure and CIKR, we need to look at two defined areas, focus and attention. When it comes to focus, it is important to “focus” on the specifics of the potential risks that are obvious. To pay “attention”, an organization needs to put into place perimeters to constantly have the infrastructure protected. We depend on the U.S. economy and national security of our global cyber infrastructure to allow all sectors to function as a highly interconnected and interdependent global network of CIKR. Yet there have been several recent cyber attacks.

We know that we must prevent any damage to our electronic information systems, as well as our communications systems. We must also maintain the confidentiality and integrity of these systems to be able to operate on the level we are accustomed to. We must use any approach to fight the war on cyber attacks, whether domestically or globally, as our nation is directly and indirectly involved with any attacks—whether publically or privately.

To achieve the goals of NIPP, we must build a safer, more secure, and more resilient nation. We must also be ready to share information about any terrorist threats or movements. This is why it is vital to maintain an information-sharing network within the public and private sectors. We must maximize our resources to be more efficient in our CIKR protection. This is a very complex challenge, and this support is needed at all levels based on an NIPP framework that is integrated, engaged, and interactive with all sectors.

The DHS is responsible for leading, integrating and coordinating an overall effort to assist in CIKR protection. Our nation has developed comprehensive risk management guidelines and direction necessary for us to survive and maintain a high level of protection where and when needed. The process involved threat identification, prioritization, and a coordinated effort to develop appropriate solutions for both the public and private sectors.

As we consider each sector of CIKR, we recognize that each of these sectors has its own characteristics, and each has its own operations model and risk landscape.

A main aspect of the NIPP is its risk management framework that is responsible for the outcomes from an incident or event and its associated consequences. Risk is influenced by the nature or magnitude of a threat or vulnerability. This is also an essential means of prioritizing mitigation efforts for partners of to work towards a common solution.

Since its inception, DHS has set up a national inventory of assets, systems, and networks that make up our nation’s CIKR. This national inventory and assets is a vital part of the CIKR and is called the infrastructure database warehouse. It was developed to allow partners to access infrastructure data necessary for national security and risk mitigation.

The inventory system is designed to adapt to change and is used to help prioritize assets and develop strategies for response and recovery. Prioritizing information involves aggregating, combining, and analyzing risk assessment based on the highest risk possible.

The Internet has been identified as a KR, both domestically and internationally, within the information technology and communications sector. Just as with any business, we need to look at the vulnerabilities, threats, and potential consequences of damage to the Internet.

On a regular schedule, DHS conducts a risk analysis for all of the CIKR sectors, which uses the three control factors previously mentioned. All of these items are monitored on a 24/7 basis by intelligence operations tasked with monitoring the sectors that affect our infrastructure.

Risk management actions involve designated measures designed to prevent, deter, and mitigate threat. As this is applied, it will reduce the vulnerability for an attack. NIPP will address a risk management framework based on the largest return of investment and not just the vulnerability reduction that can be achieved; however, these actions include mitigating the consequences of an attack or incident.

The use of performance metrics is a crucial step of the NIPP risk management process because it enables DHS to effectively assess the protection and resiliency of the public and private sectors and allows risk analysis to be prioritized based on threats and vulnerabilities. It is important to gather performance information to measure the success or failure of this process.

The organization and building of partnerships is a very complex task of CIKR organizations. To be effective organizational structures, as well as partners, all parties must be committed to sharing information and protecting the information needed to accomplish the goals of NIPP. If it were not for DHS and its coordination efforts with NIPP, this would not be an effective tool.

Before 9/11, trust and partnership among public agencies, as well as between the public and private sectors, was nonexistent. Even today, as partnerships are being built, there is still room for improvement. Building relationships and gaining trust are two of the largest efforts by those involved with CIKR protection. This same partnership process is occurring with other countries to build solid information-sharing and trusting relationships.

When looking at information sharing, we need to look at this as a “network” approach because for NIPP to be effective, there must be active participation by our government agencies and the private sector partners. There must be a constant information flow, as well as the ability to assess risk and be able to develop a resilience approach for any event or disaster. A basic approach is to collect the information, analyze it, and disseminate it the best way possible. This approach is a must when it comes to any information to determine if it is reliable or not.

One of the lessons learned by DHS is that before 9/11, much of the information gathered was not shared with all levels within an agency, much less with other agencies or the private sector. This is why the process has to be from the top down and from the bottom up for us to be effective when approaching an event or disaster. This is all identified in the Intelligence Reform and Terrorism Prevention Act of 2004, and it affects all levels of government, as well as the private sector.

Information must be obtained with the strictest confidence because leaking any information can cause serious damage, whether it is unclassified or classified information. DHS has strict information security procedures for the access, use, and storage of sensitive information, including that of CIKR. These procedures include not only physical security measures but also cyber security measures. These procedures not only protect our privacy, civil rights, and civil liberties but also part of our national character.

The Homeland Security Act of 2002 provided the authority for homeland security missions as established by the NIPP. The National Strategy for Homeland Security established protection of our nation through CIKR, as the key element of the approach to homeland security and domestic emergency management. This was designed to address vulnerabilities that involved more than one infrastructure sector and required more than one agency to assess those threats and vulnerabilities and reduce any risk to our nation. The accumulation of partnerships formed, the coordination of homeland security strategy and legislation, Presidential Directives, and national initiatives all form a coordinated approach to homeland security.

The National Strategy to Secure Cyberspace set objectives and actions to counteract cyber attacks against our nation’s CIKR, which reduce identified vulnerabilities, damage, and recovery time from cyber attacks. One priority is the strategy to focus on improving national response to cyber incidents, reduce those threats to cyber attacks, and prevent cyber attacks that could affect our national security.

We have developed a plan of interrelated national authorities, strategies, and initiatives for a common approach to achieving the mission of homeland security. The focus on CIKR protection gives us a steady component of routine, day-to-day business operations for our government as well as the private sector. As a result, building engaged partnerships is a must for the public and private sectors to be able to work in cooperation and collaboration.

Part of the success of the CIKR protection plan is to make sure that this effective measure can withstand a long-term commitment and investment over time, but by doing this, we must build skilled human-capital, develop high-tech systems, and build a public awareness. A support mechanism has been developed to give both the public and private sectors a decision-making avenue for relevant and effective strategic planning for the protection of CIKR.

To effectively use all components that are involved, we must use the CIKR Awareness and Training Plan by continuously pushing to use partnerships to, show awareness, educate, train, and then exercise what we have learned. Building and sustaining capabilities are key components of the success of NIPP. This is where education and training efforts come into play and use certification standards and technical training programs that are already in place. This enables those with the necessary skills to perform the roles and responsibilities under NIPP. DHS and CIKR partners offer these training and academic programs for the enhancement and support of NIPP.

Directive HSPD-7 established national policies for the enhancement of our nation’s CI and protection of KR. To be successful, we must use every resource available to maintain a long-term investment and protection of CIKR and provide sustainable science, engineering, and technology to minimize the impact of future attacks, whether physical or cyber.