Three U.S. presidents have issued directives over the past 21 years on critical infrastructure protection of the natural and man-made resources the U.S. depends on to function, as well as the systems needed for their delivery and protection.
Because all critical assets are not controlled by the federal government, President Bill Clinton in 1998 first laid out the need to protect critical infrastructure and key resources (CIKR) using public-private partnerships to reduce vulnerabilities and minimize interruptions or manipulations of critical national resources.
Critical infrastructure and key resources are both publicly and privately held — 85% of the nation’s critical infrastructure is owned and operated by the private sector. As a result, many government agencies, organizations and enterprises have important roles to play in terms of critical infrastructure protection.
Following Clinton’s initial directive, President George W. Bush issued a presidential directive in 2003, describing what constituted critical national assets and which federal agencies were responsible for them. A decade later, the Obama administration issued a presidential policy directive, or PPD-21, that advanced the national effort to strengthen and maintain secure critical infrastructure and listed 16 different critical infrastructure sectors:
- Commercial facilities
- Critical manufacturing
- Defense industrial base
- Emergency services
- Financial services
- Food and agriculture
- Government facilities
- Healthcare and public health
- Information technology
- Nuclear reactors, materials and waste
- Water and wastewater
CIKR owners and operators must be aware of their responsibilities in terms of critical infrastructure protection from physical and cyberattacks. The following four key recommendations can guide resource owners to better protect their critical assets.
1. Identify owned and operated CIKR
The first task is to understand if the organization’s assets and activities are part of the U.S. CIKR inventory. Every owner and operator needs to know what critical infrastructure sector they are associated with as designated by the U.S. Department of Homeland Security (DHS). By knowing which sector or sectors your assets are affiliated with, you should locate and study the appropriate DHS Sector-Specific Plans prepared per the National Infrastructure Protection Plan (NIPP).
The sector-specific plans establish goals and priorities for the CIKR sectors that address their current risk environment, such as the convergence of cyber and physical security, risks associated with climate change, interdependence between various sectors, and the dangers of aging and outdated infrastructure.
DHS sector-specific plans guide the owner or operator with information about the key operating characteristics of the sector, a list of sector risks, identification of sector partners and partnership structure. In addition, the appendices offer information on the sector council membership, and executive orders and federal laws that impact the sector.
Your organization may be associated with multiple sectors. For instance, if your organization is large, it could be part of many sectors, such as emergency services, commercial facilities, healthcare and public health, nuclear reactors and so on.
2. Understand CIKR asset interdependencies
Once you have identified the sector your organization is in, take the time to understand the interdependencies of your CIKR holdings. For instance, if your company is in critical manufacturing, it is closely connected to the energy, transportation, water and wastewater, and information technology sectors. An excellent reference to help understand the nuances of interdependencies is Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies, a 2001 paper that remains a fundamental reference for studying the interdependencies among critical assets. The graphics alone help facilitate brainstorming sessions to best understand and identify ways an organization’s CIKR may be interconnected with other critical infrastructure protection.
This assessment should also include evaluations about the impact of climate change on your CIKR, for example, the impact of workforce retirement, the availability of skilled workers, and the challenges with aging assets and infrastructure.
Take the time to inventory all critical systems and subsystems supporting the operation and resilience of your critical infrastructure. It will provide beneficial knowledge as you defend your operations from physical attacks or cyberattacks.
3. Take advantage of sector-specific resources
Even before you complete your inventory of CIKR and interdependencies, take advantage of sector expertise. Sector-specific plans identify federal government sector leaders, as well as civilian members of the sector council.
It is important to reach out to these organizations and establish a liaison and points of contact with the key players involved with your CIKR sectors. Take advantage of their experience and knowledge, as well as threat intelligence to better protect your CIKR.
Another key resource for the different CIKR Sectors is the collection Information Sharing and Analysis Centers (ISACs). ISACs are intended to help critical infrastructure owners and operators protect their facilities, personnel and customers from cyber and physical security threats and other hazards through cross talk and information sharing. ISACs collect, analyze and disseminate actionable threat information to their members and provide members with tools to mitigate risks and enhance resiliency. A list of the currently active ISACs can be found here.
Some ISACs are extremely effective, while others are still struggling to become key players in their respective CIKR Sectors. To identify the viability of an ISAC membership, the CIKR owner should take advantage of the collective knowledge and experience of the sector coordinating council members and the ISAC members.
4. Know who can support you during a crisis
Presidential directives and policies were designed to offer guidance to U.S. government agencies and departments to protect CIKR. But in an emergency — whether local, regional or national — you should know who to contact to help in your organization’s emergency response and recovery. In addition to knowing your ISAC points of contact and sector coordinating council members, you also need to have an up-to-date list of contacts to aid in emergencies due to weather, natural disasters, cyber or physical attacks, and even human error and equipment failure. Reach out to your key support contacts before an emergency.
For example, reach out to your local police, sheriff and fire departments. Establish a liaison with one or two officers and firefighters and give them tours of your facilities. Perhaps give them badges so they can easily enter the facility in an emergency. Having everyone familiar with names, faces and facility floor plans will be helpful before the emergency strikes.
Another organization to connect with is your state emergency management department and state police. They can help with large-scale events and usually have a deeper cyber defense capability. Some states even have wide-range firefighting capability (like California’s CalFire) that may be helpful for firefighting or crisis management around large, remote facilities.
Don’t forget to establish a liaison with your local Federal Bureau of Investigation (FBI), Secret Service, and DHS offices. Setting up periodic meetings and shared lunches may be beneficial down the line when your CIKR is under cyber or physical attack.
Be sure to connect with InfraGard — a partnership between the FBI and the private sector. Your staff can join InfraGard, and you can take advantage of its briefings and intelligence feeds.
The key is to be prepared to take advantage of those who can help you in a crisis. Set up liaisons and tours ahead of time and take advantage of available expertise and knowledge.
Bottom line on critical infrastructure protection
Critical infrastructure is just that — infrastructure so important that its failure or decline could negatively impact American society and your business. To be prepared, your organization and its leadership need to do the following: understand what CIKR you own and operate; identify your related CIKR sectors as per PPD-21; know and study the CIKR sector-specific plans that affect your infrastructure; understand your CIKR interdependencies; know who can help you in an emergency — in particular, one that affects your critical infrastructure. Take advantage of available resources and ISACs, and invest in closer ties with your police, firefighters, sheriffs, state police and state emergency management agency to ensure you’re not alone in dealing with a crisis affecting your CIKR.