CHAPTER 16
CRITICAL INFRASTRUCTURE PROTECTION AND KEY ASSETS
Protecting America’s Most Important Targets

The security and resilience of the critical systems, services, and resources that sustain our daily lives are vital to ensuring that our Nation continues to prosper and thrive. We must deepen our understanding of the nature of the risks to these infrastructures and effectively prioritize our efforts to reduce vulnerabilities.

(U.S.) Quadrennial Homeland Security Review Report, February 2010

CHAPTER OVERVIEW

Many citizens take for granted the assets that are the “lifeblood” of America, both the physical infrastructure serving as the foundation of modern life and the beloved structures and artifacts standing as enduring symbols of the nation. Natural disasters make no exception for such targets as they cut a swath of destruction. They are as likely to wipe out a vital industrial center as an empty parking lot. But terrorists are both well aware of the importance of these assets and capable of targeting the most vulnerable of them.

Little wonder that in establishing the homeland security enterprise, the protection of vital and symbolically important assets was considered an essential component. This chapter surveys the programs and processes for applying scarce resources to protect critical infrastructure, such as electrical or water systems, and key assets, such as universities and national monuments and icons. It explains how these crucial resources are categorized, who is responsible for them, why they are increasingly interdependent, and what government and the private sector are doing to make them more secure and resilient.

CHAPTER LEARNING OBJECTIVES

After reading this chapter, you should be able to

1. Define critical infrastructure.

2. Describe the importance of the councils and centers.

3. Understand the role of risk management in critical infrastructure protection.

4. Identify key concerns for protecting critical infrastructure.

5. Understand roles and responsibilities for protecting critical infrastructure.

LIFEBLOOD OF THE U.S. ECONOMY

Concern over protecting the critical infrastructure of the United States from terrorists emerged long before 9/11. On May 22, 1998, President Bill Clinton issued Presidential Decision Directive (PDD) 63, which defined critical infrastructure as “those physical and cyber-based systems essential to the minimum operations of the economy and government.” This set up a framework for organizing activities such as establishing lead federal agencies to liaise with representatives of different private sectors, establishing interagency coordination on critical infrastructure matters, and assigning responsibility to federal agencies for protecting their own critical assets. Perhaps most importantly, the PDD reaffirmed the primacy of the private sector’s responsibility for protecting commercial assets and established information-sharing and analysis centers (ISACs) to support cooperation between public and private sectors.

The 9/11 attacks did much to expand critical infrastructure protection initiatives. Specific acts were passed immediately to improve airline and maritime transportation security and strengthen the protection of the nation’s food supply. In addition, national strategies specifically identified infrastructure and key asset protection as a critical mission area. Pursuant to 2003’s Homeland Security Presidential Directive (HSPD) 7 (which superseded PDD-63), federal organizations were ordered to identify, prioritize, and protect U.S. critical infrastructure and key resources.

No aspect of homeland security has proved more dynamic, in large part because an estimated 85 percent of critical infrastructure is owned and operated by the private sector. National programs have been revised and restructured several times. This was perhaps predictable. Both the private sector and the threats they face are constantly evolving. Businesses are adapting to the verities of the marketplace. Threats are probing for vulnerabilities. Furthermore, few if any bureaucratic efforts are more complex than building bridges between government agencies and the private sector over security concerns. Crucially, America’s infrastructure faces many pressing challenges other than security. Its private owners grapple with major and often growing business pressures, which make the allocation of resources for security more difficult. Much infrastructure is now crumbling from age, neglect, or inadequate design and construction. As discussed in the last chapter, it did not take terrorists to destroy the busy I–35W Mississippi River bridge. Other regions of the country endure blackouts and water outages due to aging or ineffective equipment.

The challenges of safeguarding national infrastructure are daunting. The United States is a huge, complex, open society, creating an almost infinite number of vulnerabilities. No matter how much is done to mitigate one particular threat, the number of vulnerabilities that remain will be infinity minus one. The United States almost certainly would not succeed in preventing human-made or natural hazards solely by protecting infrastructure. At best, infrastructure policies supplement other efforts. They are necessary but never sufficient to improve homeland security. The key to successful infrastructure policy is the optimum balance of costs and benefits—balancing security concerns and economic competitiveness, as well as heeding the imperative of maintaining a free and open society.

In recent years, many experts have promoted improving resilience rather than merely protecting infrastructure. While protection focuses on the physical defense and security of infrastructure, resilience emphasizes the ability to keep systems operating even after a damaging blow. This can be accomplished by absorbing, adapting, or recovering from a disaster or attack.

ORGANIZATION

The Homeland Security Act of 2002 assigned the Department of Homeland Security wide-ranging responsibilities for coordinating critical infrastructure and key asset policies. Managing and implementing these policies, however, is a federal-wide enterprise governed by a profusion of laws, regulations, and executive directives.

Department of Homeland Security

Established within the department secretariat and reporting to an undersecretary, the National Protection and Programs Directorate controls most major programs and activities for policies relevant to critical infrastructure. Significant components include the Office of Infrastructure Protection (the principal entity for programs and policies), the Office of Cybersecurity and Communications, and the Office of Risk Management and Analysis.

A chief task of the Office of Infrastructure Protection is to develop and maintain the National Infrastructure Protection Plan (NIPP). This plan outlines roles, responsibilities, priorities, and tasks for national programs.

Interagency Activities

Many government interagency programs and activities relate to critical infrastructure and key assets. Particularly noteworthy is the Committee on Foreign Investments in the United States (CFIUS). Guided by the Foreign Investment and National Security Act of 2007, CFIUS is an interagency committee that oversees the national security implications of proposed foreign investments in the United States and makes recommendations to the president. The president may suspend, prohibit, or set conditions for foreign acquisitions, mergers, or takeovers when they “threaten to impair national security.” This authority is called the Exon–Florio Provision. The 2007 law specifically adds homeland security and infrastructure as critical areas for consideration. DHS and the Departments of Defense and Treasury play a major role in adjudicating cases.

Federal Responsibilities

Within the government, federal entities are designated as “sector-specific agencies” to lead collaborative efforts in implementing national programs. One is named for each critical infrastructure area. As of 2011, they included the following:

• Agriculture and Food (Departments of Agriculture and Health and Human Services)

• Defense Industrial Base (Defense Department)

• Energy (Department of Energy)

• Health Care and Public Health (Department of Health and Human Services)

• National Monuments and Icons (Department of the Interior)

• Banking and Finance (Department of the Treasury)

• Water (Environmental Protection Agency)

• Chemical (DHS)

• Commercial Facilities (DHS)

• Critical Manufacturing (DHS)

• Dams (DHS)

• Emergency Services (DHS)

• Nuclear Reactors, Materials, and Waste (DHS)

• Information Technology Communications (DHS)

• Transportation (DHS)

• Postal and Shipping (DHS)

• Government Facilities (DHS)

COORDINATION FOR PROTECTING CRITICAL INFRASTRUCTURE

National efforts to ensure the protection of infrastructure and assets involve coordinating public and private policies, sharing information, and employing risk-based management. These efforts center on government coordinating councils, sector coordinating councils, information-sharing and analysis centers, and risk management.

Government Coordinating Councils

First organized in 2007, these councils are composed of representatives from all levels of government. Intended to provide a forum for input on policies, their membership includes state, local, tribal, and territorial leaders with infrastructure expertise. The councils maintain a number of working groups that address key policy issues, such as information sharing. Councils for each category of critical infrastructure are cochaired by a representative from the sector-specific agency and by the DHS assistant secretary for infrastructure protection.

Sector Coordinating Councils

These councils include representatives of the private sector and serve as the government’s point of entry for coordinating infrastructure protection activities and issues. They include efforts such as sectorwide planning, development of best practices, promulgation of programs and plans, development of requirements for effective information sharing, research and development, and cross-sector coordination.

Information-Sharing and Analysis Centers

ISACs are a primary means of promoting communication and threat warnings across public-private stakeholders. First called for in PDD–63 in 1998, ISACs are voluntary organizations formed by various critical infrastructure sectors. They include chemical, electricity, energy, emergency management and response, financial services, food, information technology, telecommunications, research and education, multistate government operations, public transit, surface transportation, highway, water, and real estate.

The structure, operations, and level of activity among ISACs vary significantly. In the basic ISAC model, however, the center is usually managed, operated, or otherwise supported by a private organization, in many cases an industry association. The American Chemistry Council, for example, operates the ISAC for its sector through CHEMTREC, a 24-hour communications center providing technical assistance for emergencies related to the distribution of chemicals. Some ISACs employ contractors for day-to-day operations. The centers are funded through a variety of methods, including association dues, fee-for-service, federal grants, and voluntary contributions. ISACs use a variety of means for sharing information, including websites, meetings and conferences, e-mails, faxes, and conference calls. Some ISACs maintain formal alert warning systems.

Risk Management

Many activities related to developing and implementing protection measures are based on risk management techniques. This includes conducting threat and vulnerability assessments, which identify potential security weaknesses and the likelihood that terrorists will exploit them. Based on this analysis, priorities are established to prevent, recover from, or mitigate the effects of a terrorist attack.

Effective strategies depend on careful cost-benefit analysis; there are not enough resources to waste money on programs that don’t work or targets that do not merit protection.

Jurisdictions often attempt to prioritize their infrastructure and assets through the use of risk management models. There is no universally accepted risk management methodology in either government or private sector. A common one, however, has five steps.

Asset Assessment

This step focuses on identifying the most valuable assets—targets whose destruction would have the worst consequences. These potential targets might be people, facilities, or infrastructures, including computer networks. Consequences could include physical damage, such as the release of hazardous fumes from a destroyed chemical plant, or psychological, such as from the assassination of a key leader or celebrity. Some jurisdictions use a “target value assessment” process to determine results from the destruction of various assets.

Threat Assessment

This entails determining who would want to attack certain targets and how these attacks might be undertaken. A good threat assessment includes analysis of the organization, its people, and its facility to assess whether they might be seen as social, cultural, or economic icons whose destruction would serve terrorist goals. The priority placed by the terrorists in attacking specific types of targets is also considered in this step. Analysis of terrorist strategies and intelligence on their planned activities is a critical component of threat assessment. Planners must also consider the “insider threat” posed by employees or other insiders who might want to sabotage their workplace as part of a terrorist attack, individual act of vengeance, criminal plot, or psychiatric breakdown.

Vulnerability Assessment

During this process, planners determine security vulnerabilities in targets, trying to gauge how open they are to attack. Additionally, this assessment considers the specific and unique likely consequences of a successful attack on the target, including potential casualties, physical destruction, and psychological consequences.

Risk Assessment

Combining and weighing the asset, threat, and vulnerability assessments produces a risk assessment. A target that has a high asset value, is threatened by terrorists, and is vulnerable merits protection.

Identification of Countermeasures

Once key potential targets are identified, planners can determine countermeasures to reduce risks. These measures could be preemptive efforts to minimize threats, protection initiatives to lessen the danger of a successful strike, mitigation precautions to minimize disruptions or limit damage caused by an attack, and recovery efforts to ensure the rapid restoration of service after an attack. They should be evaluated for cost-effectiveness.
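The five steps above, worked through as an added example that is not part of the original chapter. It assumes a multiplicative score on a 0-to-1 scale (the chapter gives no formula) and a greedy budget selection as one simple way to evaluate cost-effectiveness; every asset, score, countermeasure, and cost below is constructed for illustration.

```python
from dataclasses import dataclass, replace

FACTORS = ("asset_value", "threat", "vulnerability")


@dataclass(frozen=True)
class Asset:
    name: str
    asset_value: float    # step 1: consequence of loss, 0 (none) to 1 (worst)
    threat: float         # step 2: likelihood someone targets it, 0 to 1
    vulnerability: float  # step 3: how open it is to attack, 0 to 1

    def __post_init__(self):
        for f in FACTORS:
            if not 0.0 <= getattr(self, f) <= 1.0:
                raise ValueError(f"{self.name}: {f} must be in [0, 1]")


@dataclass(frozen=True)
class Countermeasure:
    name: str
    asset: str        # name of the asset it applies to
    factor: str       # preemptive -> threat, protection -> vulnerability,
                      # mitigation/recovery -> asset_value (assumed mapping)
    reduction: float  # fraction by which that factor is reduced, 0 to 1
    cost: float       # thousands of dollars

    def __post_init__(self):
        if self.factor not in FACTORS:
            raise ValueError(f"{self.name}: unknown factor {self.factor}")
        if not 0.0 <= self.reduction <= 1.0 or self.cost <= 0:
            raise ValueError(f"{self.name}: bad reduction or cost")


def risk(a):
    """Step 4: a product, so an asset scores high only if all three are high."""
    return a.asset_value * a.threat * a.vulnerability


def apply(a, cm):
    """Return the asset as it would look with the countermeasure in place."""
    return replace(a, **{cm.factor: getattr(a, cm.factor) * (1.0 - cm.reduction)})


def avoided_per_cost(a, cm):
    return (risk(a) - risk(apply(a, cm))) / cm.cost


def rank_assets(assets):
    return [a.name for a in sorted(assets, key=risk, reverse=True)]


def rank_countermeasures(assets, cms):
    """One-shot ranking: each countermeasure judged against today's risk."""
    state = {a.name: a for a in assets}
    ordered = sorted(cms, key=lambda c: avoided_per_cost(state[c.asset], c),
                     reverse=True)
    return [c.name for c in ordered]


def select_within_budget(assets, cms, budget):
    """Step 5: buy the best remaining measure, then re-score before the next.

    Re-scoring matters: once an asset is hardened, a second measure on the
    same asset avoids less risk than the one-shot ranking suggested.
    """
    state = {a.name: a for a in assets}
    remaining, chosen = list(cms), []
    while True:
        affordable = [c for c in remaining if c.cost <= budget]
        if not affordable:
            break
        best = max(affordable, key=lambda c: avoided_per_cost(state[c.asset], c))
        state[best.asset] = apply(state[best.asset], best)
        budget -= best.cost
        remaining.remove(best)
        chosen.append(best.name)
    return chosen, sum(risk(a) for a in state.values())


# Constructed sample data (not from the chapter).
ASSETS = [
    Asset("water treatment plant", 0.9, 0.4, 0.5),
    Asset("emergency operations center", 0.8, 0.5, 0.8),
    Asset("empty parking lot", 0.05, 0.1, 1.0),  # wide open, but little to lose
]
COUNTERMEASURES = [
    Countermeasure("EOC access control", "emergency operations center",
                   "vulnerability", 0.5, 100.0),
    Countermeasure("EOC backup center", "emergency operations center",
                   "asset_value", 0.5, 200.0),
    Countermeasure("plant SCADA segmentation", "water treatment plant",
                   "vulnerability", 0.5, 150.0),
    Countermeasure("parking lot fence", "empty parking lot",
                   "vulnerability", 0.9, 60.0),
]

if __name__ == "__main__":
    print("assets by risk:", rank_assets(ASSETS))
    print("one-shot ranking:", rank_countermeasures(ASSETS, COUNTERMEASURES))
    print("bought with 300:", select_within_budget(ASSETS, COUNTERMEASURES, 300.0))
```

With these constructed numbers the one-shot ranking places the backup center second, but after access control is bought its benefit halves and the plant's SCADA segmentation becomes the better purchase.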

TYPES OF CRITICAL INFRASTRUCTURE

Critical infrastructures consist of people, physical assets, and information systems. In the United States, they are vast in scope and complexity, including 2,800 power plants, 5,800 hospitals, 66,000 chemical plants, 120,000 miles of railroads, two million miles of pipeline, and many other facilities. Much of this infrastructure is interdependent. In other words, the operation of one sector is dependent on or related to the functioning of another. For example, the operations of many sectors depend on reliable energy supplies. In turn, power plants rely on transportation assets to deliver fuel that drives machinery. If one is destroyed, many others may be affected.

Critical infrastructure assets are divided into three categories. The first is the production of essential goods and services. This includes sectors such as food and water production. Also included are sectors that sustain the U.S. economy, including energy, transportation, and banking and financial services. A second category is comprised of assets that provide essential interconnectedness and operability among various other sectors, including information and telecommunications and postal services. Third, critical infrastructure includes sectors essential for public safety and security, including public health, emergency services, the defense industrial base, and government.

Agriculture and Food

The agriculture and food sector includes supply chains for feed, animals, and animal products; crop production and its supply chains of seed, fertilizer, and related materials; and the postharvesting components of the food supply from processing, production, and packaging through distribution to retail sales, food service, and home consumption. The sector helps feed and clothe people not just in America, but across the world. Almost entirely owned by private individuals and companies, the sector includes an estimated 2.1 million farms, approximately 880,500 firms, and over one million facilities. Accounting for about one-fifth of America’s economic activity, on the federal level it is overseen by the U.S. Department of Agriculture (USDA) and the Department of Health and Human Services’ Food and Drug Administration.1

Concerns

The most significant security concern to the agricultural sector is disease and contamination of the food supply. Biological dangers can threaten plants and animals as well as people. Crop and livestock losses from contamination by mycotoxins (toxins produced by fungi) alone cost hundreds of millions of dollars. Humans can also be exposed to deadly or debilitating toxins by ingesting contaminated plant and animal products, or less frequently by contact or inhalation. Improper storage, poor sanitation, and cross-contamination during the production, transportation, processing, or storage of medicine, food supplies, or other consumables can further spread toxins or biological agents. This includes agents intentionally spread by criminals and terrorists. For instance, in 1984 the Rajneeshee cult contaminated local salad bars in an Oregon town with salmonella, demonstrating the ease of conducting small-scale, indiscriminate terrorist attacks.2

Protecting the food supply from production to delivery in supermarkets and restaurants is an ongoing challenge. The responsibility for securing the supply chain is divided among federal, state, and local authorities. The Public Health Security and Bioterrorism Preparedness and Response Act of 2002 called for a number of additional measures to strengthen protection, including hiring additional inspectors, creating a registry of products manufactured abroad, increasing research and development, adding reporting requirements, and instituting new legal penalties and prohibitions. In 2011, the FDA began issuing regulations under the recently passed Food Safety Modernization Act, which among other provisions made it easier for the federal government to embargo food suspected of being contaminated.

Water

The nation’s critical water infrastructure includes systems for delivering fresh water and wastewater collection and management. Facilities that make up these systems include reservoirs, wells, aquifers, treatment facilities, pumping stations, aqueducts, pipelines, storm water systems, and sewer lines. The United States has some 160,000 public drinking water systems and more than 16,000 publicly owned wastewater treatment systems.3

Concerns

Concerns in this sector include the protection of toxic chemicals used in water treatment, cyberattacks on the supervisory control and data acquisition (SCADA) systems that control water systems, disruption of services, and contamination of water supplies. Addressing all possible means of threatening the U.S. water supply could be a serious, perhaps debilitating fiscal challenge. Aging U.S. water systems are also a cause for concern. While concerns about contamination attract significant public attention, it is actually quite difficult to poison a major water system (see Chapter 13). Indeed, waste treatment plants, which can build up explosive methane gas or spill raw sewage, may be more attractive terrorist targets.

Commercial Facilities

Commercial facilities include installations where large numbers of people congregate, including public assembly facilities (such as zoos, museums, and convention centers), sporting facilities, gaming facilities, lodging (such as hotels, motels, and conference centers), outdoor facilities (such as amusement parks), entertainment and media venues, real estate (such as office and apartment buildings), and retail establishments (such as shopping malls). This category includes a diverse group of stakeholders and infrastructure with disparate capabilities to provide physical security. Most of these facilities are owned and operated by commercial enterprises with limited federal regulatory authority. From a vulnerability perspective, many of these facilities are open to the public, and attempts to secure them more tightly could cause negative economic consequences.

Concerns

Worldwide, these kinds of facilities are often called “soft targets” and have suffered numerous terrorist attacks. Such venues offer the potential to inflict high numbers of casualties and draw significant public attention. The 2008 terrorist attacks in Mumbai, India, for example, deliberately targeted a popular international hotel. Al-Qaida plots aimed at the United States had included, among their planned targets, both apartment and office buildings. These facilities have also been the target of workplace violence and hate crimes, including the 2009 shooting at the U.S. Holocaust Memorial Museum, in which an 88-year-old white supremacist with a virulently anti-Semitic background gunned down a security guard in the museum. In addition to their risks, these facilities can play an important affirmative role in helping office workers and patrons “shelter in place” during WMD attacks or serving as shelters for disaster victims.

Government Facilities

Although governments control the security of their buildings and restrict access to them, many of their challenges resemble those of commercial facilities. Agencies must also account for “continuity of government operations.” In other words, if facilities and infrastructure are lost, capabilities must be available to continue government functions. This sector covers a huge scope. More than 3 billion square feet of space and 650 million acres of land are managed by the federal government alone, not to mention assets owned and operated by the estimated 87,000 municipal governments, plus U.S. embassies, consulates, and military installations abroad.4

Concerns

Government facilities have symbolic value and are often targeted for violence. The most dramatic example in recent history was the 1995 bombing of the Alfred P. Murrah Federal Building in Oklahoma City.

Health Care and Public Health

The public health sector consists of state and local health departments, hospitals, health clinics, mental health facilities, laboratories, mortuaries, pharmacies, and pharmaceutical stockpiles. Most are in private hands. Healthcare, in fact, comprises one of the largest sectors of the economy, with approximately 15 percent of the gross national product.5 More than some others, this sector is critical to homeland security due to its crucial role in defending the nation against the very real threat of biological warfare, along with disastrous natural pandemics.

Concerns

Concerns in this sector are vulnerabilities of health facilities to physical attack, their great dependence on other critical infrastructure systems such as energy and information and telecommunications, and risks posed by the spread of disease from contaminated patients or health care workers (including the widespread loss of medical personnel or shutdown of facilities during a biological weapons attack or pandemic). Control and protection of facilities are a major challenge since medical centers are, by design, intended to be accessible (leading to concerns they could be swamped by masses of patients, including the “worried well,” during a disaster).

Perhaps the prime issue over the long term is the fiscal strain on the health care system. Advantages provided by initiatives in public preparedness could be overwhelmed by declines in the national health care structure driven by such factors as an increasingly aging population, rising numbers of medically uninsured, the cost of prescription drugs, and unintended consequences of national healthcare legislation. The federal government and many states forecast that future increases in Medicare and Medicaid costs will place an enormous burden on their budgets. Critical infrastructure will be of less use if the medical system lacks sufficient emergency medical technicians, doctors, nurses, and hospital facilities.

Dams

This sector includes dams themselves; systems, networks, and functions related to dam projects; navigation locks; levees; hurricane barriers; and other water retention and control facilities. The massive levee failure after Hurricane Katrina demonstrated the catastrophic consequences from the failure of these systems. In addition to direct consequences of an attack, many other systems are dependent on water control infrastructure, including power generation, agriculture, and inland waterways navigation.

Concerns

Most of this infrastructure is controlled through SCADA systems, the failure of which could have disastrous consequences. Thus, cyber-security and the resilience of information technology are often as vital as the physical protection of the dams themselves.

Critical Manufacturing

The National Critical Infrastructure Protection plan identifies nine components of the U.S. industrial base that are critical to the overall U.S. economy. They are iron and steel mills and ferro-alloy manufacturing; aluminum production and processing; nonferrous metal production and processing; engine, turbine, and power transmission equipment manufacturing; electrical equipment manufacturing; motor vehicle manufacturing; aerospace product and parts manufacturing; railroad rolling stock manufacturing; and transportation equipment manufacturing.

Concerns

Many American manufacturing processes rely on the “just in time” delivery of goods and services. This reduces the costs of having large inventories on hand and gets goods to market in a timely and profitable manner. However, such industries are highly susceptible to supply chain disruptions by acts of terrorism or natural disaster, such as the Japanese earthquake and tsunami of 2011.

Additionally, many advanced manufacturing processes rely on information technologies and SCADA systems. Thus, cybersecurity remains a great concern.

Finally, natural and human-made disease outbreaks are risks. If response to an outbreak requires “social distancing,” or limiting the potential for disease transmission by reducing human contact, much of the nation’s manufacturing workforce could be sidelined, along with its output.

Emergency Services

Critical infrastructure supporting emergency services consists of fire, rescue, medical, and law enforcement organizations, including both personnel and facilities. Emergency services are provided by federal, state, and local governments, as well as commercial firms and volunteer organizations.

Concerns

A disturbing concern for protecting emergency services is the potential for service providers or facilities to themselves become targets of terrorist attacks. Terrorists in Iraq and other locations have used secondary devices timed to explode after an initial blast when first responders and civilian onlookers have gathered. Explosives are commonly used for this purpose, but other weapons may be employed as well. Small amounts of various chemical, biological, toxin, or radiological agents in the ancillary strike against first responders could disrupt a coordinated response.

Follow-on terrorist strikes may not be limited to the initial attack site. To complicate consequence management, attacks might be launched at hospitals, police stations, and emergency operations centers. Many state and city emergency operations centers are particularly vulnerable. Often they lack physical security protection and redundant communications. Backup centers and mobile command posts may not exist.

The efficiency of emergency services is also affected by the state of interoperable communications, the absence of which has long been a barrier to effective interagency communications. In a typical metropolitan area, public safety agencies operate over frequencies ranging from VHF to UHF, 800 MHz, and low bands. It is not uncommon for responders from the same jurisdiction to have difficulty communicating with one another at an emergency scene or be unable to request help from neighboring jurisdictions. Although this problem was highlighted during New York City’s response to 9/11 and has received substantial attention and federal funding since, it is far from solved in many jurisdictions.

Defense Industrial Base

Private sector defense industries provide critical capabilities essential for the mobilization, deployment, and combat operations of U.S. military forces. These include making ammunition and equipment, as well as a range of support services, including support of sensitive special operations and intelligence missions.

Concerns

Market competition and consolidation have reduced or eliminated redundant sources for some critical products and services. In certain cases, only a handful of vendors, or even just one, may be the only source in the world capable of satisfying a unique requirement. In other cases, defense industries use so many subcontractors and suppliers that they are unable to map their supply chains and identify critical sources of supplies and services. This problem is feared to grow with slowing federal spending on defense.

Protecting critical infrastructure that could be a bottleneck in U.S. power projection is a significant concern. As an example, the overwhelming bulk of American military power moves by ship. Most military supplies and hardware depart from just 17 seaports. Only four of these ports are designated specifically for the shipment of arms, ammunition, and military units.6 During the height of a foreign crisis, enemy attacks could interfere with operations and limit the role of combat forces in overseas theaters by preventing them from leaving the United States in the first place.

Even on the home front, defense contractors find themselves the target of numerous hostile operators using the Internet to steal their secrets or establish the groundwork for future attacks.

Information Technology Communications

Discussed in detail in chapter 21, the IT industry and cyber domain represent perhaps the most pressing and rapidly developing critical infrastructure challenges—challenges that impact all other sectors. This infrastructure includes voice and data services carried through a complex public-private network making up the public switched telephone network (PSTN), Internet, and private enterprise networks. The PSTN includes a vast array of infrastructures, including two billion miles of communications cables, 20,000 switches, access tandems, and other equipment, as well as cellular, microwave, and satellite technologies that provide access to mobile users. Internet service providers (ISPs) interconnect with the PSTN through points of presence (POPs), usually switches and routers. In addition, private enterprises have proprietary and leased telecommunications assets.

Concerns

The challenge for telecommunications carriers and information technology providers is to balance reliable service, acceptable costs, security, and privacy. A shared appreciation of acceptable risks among public and private stakeholders, including trade-offs required between security and privacy, has proven difficult to achieve.

Cybersecurity issues present a wealth of risks, from the use of subterfuge online to undermine confidence in government communications to the public to the deployment of malicious software for disrupting or destroying systems and facilities. As discussed earlier, cyberattacks are now capable of causing highly disruptive, and potentially deadly, results in physical critical infrastructure. Communication satellites are also at risk of attack by enemy systems.

Another concern is attacks on communications systems that impair other critical infrastructure sectors. For example, crippling telecommunications could greatly limit responders’ capacities to coordinate emergency services. Terrorists might attempt to jam systems to delay the response of first responders. The technology for conducting electromagnetic jamming—to interfere with radio, radar, television, and telecommunications signals—has been available for some time. It is accomplished by broadcasting electromagnetic radiation on certain frequencies in order to create interference to prevent legitimate transmissions. It can range from intermittent jamming that makes it appear that targeted systems are not operating properly to constant jamming that prevents the use of equipment altogether.

Energy

The production and transmission of electricity, oil, and natural gas comprise the energy sector. The infrastructure includes production platforms, processing, and refining facilities; terminals and bulk storage stations; nuclear, coal, and oil-fired power plants; and transmission, distribution, and control and communications systems. (Pipelines, which can carry oil or natural gas, are considered components of the transportation sector.) More than 80 percent of this infrastructure is owned by the private sector. Assets include more than 5,300 power plants (49 percent of electricity is produced by coal, usually transported by train), 211,000 miles of high-voltage transmission lines, and 500,000 oil-producing wells.7

Concerns

Challenges in the energy sector center on its sprawling, complex, and interdependent infrastructure. The business configuration of the sector also presents obstacles to implementing security initiatives. Competition, structural changes, and regulatory regimes significantly complicate the sector’s ability to fix responsibilities and create incentives to improve security.

There are many assets in the energy sector exposed to terrorist strikes. In some cases, disrupting a few critical nodes would have a significant effect on national energy production. For example, offshore oil platforms are especially vulnerable. The electrical grid in many regions is already under strain, suffering blackouts even in normal conditions and at risk for even worse during an attack or disaster.

Transportation

This sector consists of major national transportation nodes, including aviation, maritime traffic, rail, pipelines, highways, trucking and busing, and public mass transit. Transportation assets are diverse and robust. They include 450 commercial airports and 19,000 additional airfields; 4 million miles of roadways and supporting infrastructure; about 95,000 miles of coastline, 361 ports, and over 10,000 miles of navigable waterways; numerous mass transit systems, with large numbers of buses and subway trains; more than 143,000 route miles of train track, more than 1.3 million freight cars, and roughly 20,000 locomotives; and more than 1 million miles of natural gas and other pipelines.8

Concerns

Despite the vast capabilities and resilience of the transportation sector, significant concerns remain. Many critical sectors are dependent upon transportation, and disruptions can have a significant rippling effect throughout the economy. Moreover, Islamist terrorists and others have shown significant interest in attacking transportation assets. In addition to hijacking and attempting to blow up airplanes, enemy operatives have explored attacking airports, bridges, tunnels, railways, and subways in the United States. Meantime, terrorists have launched deadly bomb attacks against transit systems in Great Britain, Spain, and India. While mass transit is in the crosshairs, officials have struggled to develop cost-effective solutions to protect systems dependent upon the easy and rapid entrance and exit of huge numbers of riders.

Attacks against transportation assets could range from explosive devices, the most commonly used terrorist weapon, to innovative threats. One concern is the vulnerability of commercial aircraft to shoulder-fired missiles. For years, official studies of airline vulnerabilities have recognized this serious threat to U.S. aircraft.9 However, as discussed in Chapter 13, the huge price tag for defending airliners against missiles has prevented implementation of significant countermeasures.

Banking and Finance

The banking and financial services sector includes retail and wholesale banking operations, financial markets, regulatory institutions, and repositories of documents and financial assets. Of particular concern is infrastructure that supports electronic financial services, including computers and telecommunications networks. Also considered vital are financial services employees with highly specialized skills. The sector consists of some 29,000 financial firms and in 2007 accounted for more than 8 percent of the U.S. gross domestic product.10

Concerns

Disruptions in this sector have the potential not only to disrupt financial activities, but also to inflict significant rippling effects across the nation and the world, including shaking public confidence. The September 11 attacks, for example, resulted in the longest closure of stock markets since the 1930s. The strikes demonstrated the vulnerability of financial institutions to wide-scale disruption.11 Analysts today are concerned about the crippling potential of a massive cyberattack on the financial system. In such a scenario, even average citizens might be impacted when they could not get cash from ATMs or use their credit cards.

Chemical

The nation’s chemical sector provides products vital to virtually every sector of economic activity. Chemical manufacturing includes everything from fertilizer to medicines. In fact, the chemical sector is perhaps the most diverse with respect to size, geographic dispersion, and range of commercial activities. It employed nearly one million people and generated revenue of more than $637 billion per year as of 2011, according to DHS.12

Concerns

Enhancing security across such a diverse and complex infrastructure could be extraordinarily expensive. Many companies lack even minimal security measures. Where precautions were taken in the past, they were primarily concerned with safety and environmental issues and gave scant attention to the prospects of attack or sabotage. Many components of the sector operate on slim profit margins. As a result, no single security blueprint would likely be practical for all chemical facilities.

Of greatest concern is the potential for chemical releases that could endanger large numbers of lives, as discussed in Chapter 14.

Postal and Shipping

The U.S. postal system serves more than 137 million addresses nationwide. The supporting infrastructure consists of almost 750,000 personnel and tens of thousands of facilities. Disruption of mail service would impact economic activity. It might also provoke psychological effects, increasing anxiety and apprehension. In addition to the U.S. postal service, the private shipping industry moves a vast array of goods and services.

Concerns

Challenges for the postal service are not only ensuring service but also protecting employees. The 2001 anthrax attacks that contaminated and killed two postal workers underscored this concern. Numerous points of entry into the mail system, as well as the fact that the postal service does not always maintain custody of mail throughout the delivery process, complicate the task. The postal service must also ensure that constitutional rights of U.S. citizens (such as the rights to privacy and free speech) are not abridged by security procedures.

Major private shipping and delivery companies play a significant role in commerce and are vulnerable to attack. In 2010 terrorists sent “printer bombs” via commercial air shippers with the (unfulfilled) goal of destroying airplanes over Chicago or another U.S. city.

Nuclear Reactors, Material, and Waste

Nuclear systems are vital because they provide about 20 percent of the nation’s electricity. They are also significant because of the potential consequences of a natural disaster, accident, or malicious act. This sector includes supporting infrastructure engaged in all forms of commercial and research nuclear operations, not just the power plants themselves. Other elements of the sector are nonpower nuclear reactors used for research, testing, and training; nuclear materials used in medical, industrial, and academic settings; nuclear fuel fabrication facilities; decommissioned reactors; and the transportation, storage, and disposal of nuclear material and waste. The Nuclear Regulatory Commission is responsible for overseeing the security of commercial nuclear power plants.

Concerns

The 2011 nuclear emergency in Japan following the catastrophic earthquake and tsunami significantly heightened concerns over the surety of nuclear infrastructure and risks associated with damage to nuclear facilities.13 Among many issues raised was the importance of clear and credible communications. No aspect of the Japanese government’s response was more troubled than its inability to communicate effectively the risks associated with low-dose radiation exposure. Information was at times understated, inaccurate, and incomplete. Additionally, conflicting information came from sources including Japanese ministries, Tokyo Electric Power Co. (TEPCO, the utility operating the plant), the International Atomic Energy Agency (IAEA, the United Nations nuclear monitoring agency), the Office of the U.S. Surgeon General, and the U.S. Nuclear Regulatory Commission. Furthermore, U.S. media featured a diverse array of nuclear experts; while some had relevant experience regarding nuclear power and plant infrastructure, others were experts in nuclear weapons whose expertise had less bearing. Some analysts used the opportunity to advocate for or against the efficacy of nuclear power, rather than focus on providing effective, understandable risk communications.

In addition, the International Nuclear and Radiological Event scale, maintained by the IAEA, showed poor utility as a communication tool. At one point the IAEA elevated the Fukushima Daiichi Nuclear Power Station potential meltdown to 7, the level of a major accident. This placed the station on par with the rating given to the 1986 Chernobyl reactor disaster, though the release of radiation in Japan was far less substantial.

Communicating information of a technical nature during a disaster is especially difficult, particularly when responsibility is shared by the government and private enterprise. In many respects, the troubles experienced by the government of Japan and TEPCO are reminiscent of similar challenges encountered by the U.S. government and BP in the aftermath of the Gulf oil spill. Government and the private sector can have competing objectives, differing perspectives and levels of technical knowledge, and even contrasting legal obligations in sharing information during a crisis.

The diversion of nuclear material for use in a dirty bomb and a direct strike on a nuclear power plant are also significant concerns, as discussed in Chapter 14.

Other Key Assets

In addition to establishing critical sectors to protect, national strategies identify several categories of key assets—specific facilities of major importance. These include national monuments and icons. As with other aspects of critical infrastructure, key assets belong to a mix of federal, state, local community, and private entities. Federal agencies are responsible for securing their own key assets. The Department of the Interior has oversight of national monuments.

Concerns

These assets may rank among the most tempting targets. Some have great symbolic value, and many are accessible to the public.

CHAPTER SUMMARY

Protecting critical infrastructure and key assets is vital to the security of the United States. While initiatives are ongoing to secure key infrastructures from terrorist attacks, significant concerns remain in all areas. Since most critical infrastructure is in private hands, public-private cooperation is essential. Effective coordination of policies and practices through sector coordinating councils and better communications through ISACs are important parts of that effort. Risk management is also a critical tool for determining how to apply scarce resources to the huge challenge of protecting critical infrastructure. There are simply more potential targets than budgets to defend them.

CHAPTER QUIZ

1. How does the government determine critical infrastructure and key assets?

2. What is the difference between government coordinating councils and sector coordinating councils?

3. How should the balance of government and private-sector responsibilities for security be determined?

4. What is an ISAC and how does it work?

5. What are the steps in risk management?

NOTES

1. DHS figures: www.dhs.gov/files/programs/gc_1189168948944.shtm.

2. For an overview of the threat of biological agroterrorism, see Anne Kohnen, “Responding to the Threat of Agroterrorism: Specific Recommendations for the United States Department of Agriculture,” BCSIA Discussion Paper 2000–29, ESDP Discussion Paper ESDP–2000–04, John F. Kennedy School of Government, Harvard University (October 2000). Estimates for the cost of food-borne illness vary considerably based on what criteria are used. See Jean C. Buzby et al., “Bacterial Foodborne Disease: Medical Costs and Productivity Losses,” Agricultural Economics 741 (August 1996), www.ers.usda.gov/publications/Aer741/index.htm.

3. DHS figures, op. cit.

4. Ibid.

5. Ibid.

6. For an overview of the military’s reliance on ports and associated security risks, see U.S. General Accounting Office, “Combating Terrorism: Preliminary Observations on Weaknesses in Force Protection for DOD Deployments through Domestic Seaports,” GAO–02–955TNI, July 23, 2002; Statement of William G. Schubert before the Subcommittee on National Security, Veterans Affairs, and International Relations, Senate Government Reform Committee, July 23, 2002, www.marad.dot.gov/Headlines/testimony/homesecurity.html. See also U.S. General Accounting Office, “Combating Terrorism: Actions Needed to Improve Force Protection for DOD Deployments through Domestic Seaports,” GAO–03–15 (October 2002), 5–10.

7. Ibid.

8. Ibid.

9. See, for example, White House Commission on Aviation Safety and Security: Final Report to the President (February 12, 1997), api.hq.faa.gov/strategicgoals/docs/WHCrpt.html.

10. Ibid.

11. U.S. General Accounting Office, “Potential Terrorist Attacks: Additional Actions Needed to Better Prepare Critical Financial Market Participants,” GAO–03–414 (February 12, 2003), www.gao.gov/atext/d03414.txt.

12. DHS figures, op. cit.

13. This section is adapted from James Carafano, “The Great Eastern Japan Earthquake: Assessing Disaster Response and Lessons for the U.S.,” Special Report No. 94 (May 2011), www.heritage.org/Research/Reports/2011/05/The-Great-Eastern-Japan-Earthquake-Assessing-Disaster-Response-and-Lessons-for-the-US.
