Critical Infrastructure: Homeland Security and Emergency Preparedness [5 ed.] 1032387572, 9781032387574

English Pages 312 Year 2023
Critical Infrastructure

Critical Infrastructure: Homeland Security and Emergency Preparedness, Fifth Edition represents a continuation of research and recommendations from the past editions that spans nearly 20 years of focusing on critical infrastructure (CI) protection. Over that time, the operating, threat, and technical environments have changed drastically. The doctrines that have guided practitioners across various domains have also evolved due to changing demands. This is a natural result when doctrines collide and gradually evolve toward, and coalesce into, a singular understanding of an issue. Those who have practiced in this domain have seen these collisions in the past—an example being the convergence of physical security and cyber (information and operational technologies) security. It is with this backdrop and understanding of the domain that the authors not only describe the current state of affairs, but also provide a means through which researchers and participants—such as practitioners, students, industry stakeholders, owners, and operators in various government and private CI sectors—can look at trends and changes in the domain that may not be apparent elsewhere. The authors identify shifts in today’s environment that move the thinking away from simply the robustness of systems to their adaptability and resilience. They outline design processes that, likewise, are evolving away from the simple adoption of best practices to risk-based management and even towards structures based on engineering-driven principles. These changes are not occurring at a unified pace, and the differences can result in tensions between certain communities. However, the debate itself is indicative of the critical thinking that is beginning to take hold within each infrastructure domain.

Critical Infrastructure, Fifth Edition continues to critically examine the evolving importance of our critical infrastructure to our society—recognizing the underpinning value of cyber technology and how physical infrastructures and delivery models impact and affect people and society.

Robert Radvanovsky is an active professional in the United States with over 40 years’ knowledge in security, risk management, business continuity, disaster recovery planning, and cyber. He has a vast background in engineering, business, and cyber, specifically on the topics of critical infrastructure protection and assurance. He has a special interest and tremendous knowledge in matters of critical infrastructure, along with industrial control systems (ICS) cybersecurity, and has published a number of articles and research papers regarding this topic. His activities include working for several professional accreditation and educational institutions on the topics of homeland security, critical infrastructure protection and assurance, and cybersecurity.

Allan McDougall is a seasoned asset protection and security practitioner; he has over 25 years’ experience between the military, public sector, and private sector, in addition to being highly active within the research community. A former combat engineer, his approach to problem solving can be described as pragmatic. His public sector experience has included service in the National Coordinator Security Policy and Projects at the Department of Fisheries and Oceans, senior positions within the Fleet Security organization of the Canadian Coast Guard, the senior inspector for ports and marine facilities, and as the manager and technical authority for physical security at the Canada Border Services Agency. He is currently actively involved in international efforts associated with the future of cybersecurity in the maritime domain and the evolving need for certification and accreditation.

Critical Infrastructure Homeland Security and Emergency Preparedness Fifth Edition

Robert Radvanovsky and Allan McDougall

Boca Raton London New York

CRC Press is an imprint of the Taylor & Francis Group, an informa business

Designed cover image: © Shutterstock

Fifth edition published 2024 by CRC Press, 2385 NW Executive Center Drive, Suite 320, Boca Raton FL 33431, and by CRC Press, 4 Park Square, Milton Park, Abingdon, Oxon, OX14 4RN. CRC Press is an imprint of Taylor & Francis Group, LLC.

© 2024 Robert Radvanovsky and Allan McDougall

First edition published by CRC Press 2006. Fourth edition published by CRC Press 2018.

Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers. For permission to photocopy or use material electronically from this work, access www.copyright.com or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. For works that are not available on CCC please contact [email protected]

Trademark notice: Product or corporate names may be trademarks or registered trademarks and are used only for identification and explanation without intent to infringe.

ISBN: 978-1-032-38757-4 (hbk)
ISBN: 978-1-032-38508-2 (pbk)
ISBN: 978-1-003-34663-0 (ebk)
DOI: 10.4324/9781003346630

Typeset in Garamond by Apex CoVantage, LLC

From Bob

This book is dedicated to my loving wife, Tammy, who has always supported and been patient with me, especially while this book was being written. She has encouraged me to continue my research on this topic. She is my rock.

From Allan

This work is dedicated to my wife, Angela, and those who make great efforts to continuously improve the overall critical infrastructure protection domain. My particular thanks to Martin and those who work across the academic, professional, and practitioner communities to keep our communities and societies safe and secure.

Contents

Additional Information ... xii
Preface ... xiii
Introduction ... xv
Authors’ Notes ... xix
Acknowledgments ... xxi

1 Introduction to Critical Infrastructure Assurance and Protection ... 1
  1.1 Introduction ... 1
  1.2 What Is Critical Infrastructure? ... 3
  1.3 What Is the Private Sector? ... 4
  1.4 What Is the Public Sector? ... 6
  1.5 What Is CIP? ... 8
  1.6 What Is CIA? ... 9
  1.7 What Are Public-Private Partnerships? ... 11
  1.8 Critical Infrastructure Functions ... 11
  1.9 Evolution of Critical Infrastructure ... 12

2 Demand, Capacity, Fragility, and the Emergence of Networks ... 17
  2.1 Introduction ... 17
  2.2 What Are We Trying to Protect? The Concept of Capacity ... 17
  2.3 Demand: The Reason for Capacity ... 18
    2.3.1 The Concept of Performance ... 19
    2.3.2 Local Impact and the Influence on Capacity ... 19
    2.3.3 Results of a Local Impact in the Immediate Sense ... 20
    2.3.4 Relevance to CIP ... 22
    2.3.5 Push, Pull, Lag, and Delay in the Network Environment ... 23
  2.4 At the Regional (Small System) Level ... 23
    2.4.1 Influence at the Small System Level ... 23
    2.4.2 Current Efforts and Research ... 26
    2.4.3 The Interdependency Hydra ... 27
    2.4.4 Network Fragmentation and Dissolution ... 28
  2.5 Cyber as a New Domain in Conflict ... 29
    2.5.1 The Pendulum of Convergence ... 30
    2.5.2 Convergence and the Understanding of Threat ... 31
    2.5.3 Fragility ... 33
    2.5.4 Fragility and Destabilization of Systems ... 35
    2.5.5 Fragmentation and Dissolution of Networks ... 36
  2.6 Dissolution and Convergence: An Emerging Risk ... 37
    2.6.1 Convergence, Network Expansion, Open Architecture, and Common Criteria ... 38
  2.7 Marking the Journey ... 38
    2.7.1 Overview ... 39
    2.7.2 Legislation: 107th Congress (2001–2002) ... 39
    2.7.3 Legislation: 108th Congress to 109th Congress ... 40
    2.7.4 The State Today: A Recap ... 40
    2.7.5 Government as a Driver of Change ... 41
    2.7.6 Research and Understanding ... 42
  2.8 Authors’ Notes ... 42

3 Consolidation of Power on Core Critical Infrastructure Sectors ... 45
  3.1 Introduction ... 45
  3.2 Meeting the Dragons on the Map ... 45
  3.3 Who Owns the Treasure? ... 49
  3.4 What Value? ... 51
  3.5 Target Audiences ... 54
  3.6 Expanding beyond the Traditional Response ... 56
  3.7 Areas of Potential Risk or Concern ... 64

4 The New Role of Government ... 69
  4.1 Introduction ... 69
  4.2 What Is a Public-Private Partnership (P3)? ... 69
  4.3 The P3 Spectrum ... 70
  4.4 Establishment of New Capacity ... 73
  4.5 Maintenance of Existing Capacity ... 73
  4.6 The Coming Financial Crisis ... 75
  4.7 Other Forms of Public-Private Cooperation and the Erosion of Governance ... 77
  4.8 Balancing Points ... 78
  4.9 Authors’ Notes ... 80

5 The Reinvention of Information Sharing and Intelligence ... 84
  5.1 Introduction ... 84
  5.2 Data vs. Information vs. Intelligence ... 85
  5.3 The Importance of Background to Context ... 87
  5.4 Context Affecting Sensitivity ... 91
  5.5 Enter the Cloud ... 99
  5.6 The Cloud as an Amplifier ... 101
  5.7 Clouds and Concealed Conduits ... 102
  5.8 Linking the Trusted Computing Base and User Communities ... 105
  5.9 Barriers to Information Sharing ... 108
  5.10 The Continuing Rise of Open Sources ... 109
  5.11 Open-Source Information and Intelligence ... 110
  5.12 An Approach to Information Sharing—The Consequence-Benefit Ratio ... 111

6 Challenges Facing Vital Services ... 113
  6.1 Defining Vital Services ... 113
  6.2 Trends Creating Vital Services ... 114
  6.3 The Role of Regulatory Oversight ... 116
  6.4 Balancing Public Safety and Business Operations ... 118
  6.5 Consultation, Cooperation, or Coercion ... 121
  6.6 Balancing Resilience and Financial Responsibility ... 125
  6.7 The Emerging Role of Private Associations and Membership ... 127
  6.8 Membership Versus Competition? ... 128
  6.9 Authors’ Note ... 128

7 Management of Critical Infrastructure Resiliency ... 131
  7.1 Introduction ... 131
  7.2 What Is Resilience? ... 131
  7.3 Alignment with the Mission ... 133
  7.4 Communities, Operations, and Infrastructure ... 135
  7.5 The Core Elements ... 142
  7.6 The Supply Chain and Third-Party Risks ... 145
  7.7 Aligning Standards and Baselines ... 148
  7.8 The Core Challenges ... 149
  7.9 Why Over the Walls When Through the Gates? ... 150
  7.10 The Rise in Counterfeits and Substandard Parts ... 153
  7.11 The Rise of Unknown Vulnerability in the Home Office ... 154
  7.12 The Movement towards Clouds ... 156
  7.13 Authors’ Note ... 157

8 The Coming Resurgence of Interdependencies ... 160
  8.1 Looking at the World—A Community ... 160
  8.2 Current Trends in Business ... 161
  8.3 The Shift and Change Government and Regulation ... 163
  8.4 The Blurred Line between Government and Business ... 164
  8.5 The Rise of the Networked Machines—The Internet of Things (IoT) ... 164
  8.6 Trends in the Alignment of Interdependencies ... 165
  8.7 The Emergence of the Key Sectors—Energy, Transportation, Telecommunications, and Financial ... 168
  8.8 Comparing the Topography of Interdependencies with Flat/Hierarchical Networks ... 170
  8.9 Conditions for the Perfect Storm ... 173
  8.10 Authors’ Note ... 174

9 The Evolution of Physical Security ... 176
  9.1 Introduction ... 176
  9.2 Core Offices Tested ... 179
  9.3 Resetting the Role of Physical Security ... 180
  9.4 The Critical Infrastructure Protection (CIP) Perspective ... 181
  9.5 Picking an Appropriate Approach ... 184
  9.6 The Security Goal in Critical Infrastructure Protection ... 188
  9.7 Establishing the Overall Context and Organization ... 191
  9.8 Establishing the Infrastructure Underpinning the Organization ... 192
  9.9 Robustness and Assurance ... 195
  9.10 Applying Architecture to Physical Security ... 198
  9.11 Some Technical Specifications and Performance Measurement to Continue ... 203
  9.12 Impact Shifts with Strategic Level Architecture ... 204
  9.13 Conclusion ... 205

10 Paradigm Shift of Nationally Sensitive Information, and Networks ... 208
  10.1 Introduction ... 208
  10.2 How COVID Impacted Organizations ... 209
  10.3 The Impact on Critical Infrastructure Workforces ... 211
  10.4 Challenges in Administering the Critical Infrastructure Workforce ... 212
  10.5 Challenges Due to Changes in Available Infrastructure for the Critical Infrastructure Workforce ... 214
  10.6 Securing the Mobile Workforce ... 216
  10.7 The Challenge of Enabling Information ... 218
  10.8 Challenges Faced with Critical Infrastructure Information ... 219
  10.9 Why Does Critical Infrastructure Information Require a Clearance? ... 221
  10.10 Individual Certifications vs. Industry Certifications ... 222
  10.11 Why Are There So Many Different Levels of Clearances? ... 224
  10.12 Should There Be a CII Certification That Covers All Sectors? ... 225
  10.13 Authors’ Note ... 226

11 Considerations to Be Maintained in Paradigm Shifts ... 232
  11.1 Introduction ... 232
  11.2 What Are Considered Paradigm Shifts? ... 232
  11.3 The Need for Diligence and Care ... 237
  11.4 The Need to See the Whole Picture ... 238
  11.5 Building an Understanding Through Models ... 239
  11.6 The System+1 Approach ... 243
  11.7 The Use of System Thinking to Map Dependencies ... 245
  11.8 Not All Change Is Equal ... 246
  11.9 Managing the Complex Adaptive Critical Infrastructure ... 247
  11.10 Alternative or Interim Approaches ... 248
  11.11 The Clouds and Critical Infrastructure ... 249
  11.12 Authors’ Note ... 250

12 Climate Change ... 252
  12.1 Introduction ... 252
  12.2 Climate versus Weather? ... 252
  12.3 The First Impact—Uncertainty ... 254
  12.4 Adjusting Emergency Management ... 256
  12.5 The Ability to Withstand ... 257
  12.6 The Ability to Respond ... 258
  12.7 The Ability to Recover ... 259
  12.8 The Role of the OODA Loop ... 261
  12.9 Factors to Improve Observation ... 261
  12.10 Improving Orientation ... 262
  12.11 Improving Decision-Making ... 262
  12.12 Improving Actions ... 263
  12.13 Authors’ Note ... 264

Index ... 265

Additional Information

Because Internet resources change rapidly, the authors have provided a secondary source of reference material should the primary web page URL no longer exist. The purpose of this is to maintain consistency throughout the publication and to provide the information as a “snapshot in time,” capturing resources that were useful while this book was being written. We hope that you will find these alternative resources useful and informative. The alternate reference material follows this pattern:

http://cipbook.infracritical.com/book5/chapter_number/reference_number

For example, the URL http://cipbook.infracritical.com/book5/chapter12/ch12ref1.pdf is the first publicly accessible reference for Chapter 12. As this is the fifth edition of our book, “book5” is the first subdirectory representing the beginning of the documentation tree. Please refer to the specific referenced text: there is no browsable website, only copies of the referenced website documents in Adobe PDF format.

Preface

By failing to prepare, you are preparing to fail.
Benjamin Franklin

This fifth edition represents a culmination of research activity that has gone on over the past several years and builds upon previous editions. The intent of presenting the materials in this book is to represent the significant strides and changes made in understanding the fundamentals behind securing, protecting, and safekeeping the operations of our world’s infrastructures—their relevant industries, their landmarks, as well as their national assets—that are considered critically vital to the continued economic success and operation of our society. From the time that the first edition of this book was conceived to the present day, the importance of identifying what is critical to our society—worldwide—has evolved into new perspectives for many countries throughout the world. As nations explore their response to the critical infrastructure protection challenge, we have seen a shift from the hard postures of robustness and force protection to more fluid postures associated with resiliency and the establishment of redundant infrastructure. While this effort continues, the domain is also seeing increased attention being paid to the interaction between the physical, cyber, and various forms of control and automation systems that are integrated into this infrastructure. While most will recognize the strides being made in communications technology, communities may well want to be prepared for a paradigm shift, as quantum computing and processing are now visible on the horizon. Similarly, the boundaries between physical, cyber, and procedural controls are becoming increasingly blurred, as new technology enables both those protecting infrastructure and those attacking it.
What is becoming more apparent is that if certain nations want to retain their competitive advantage or position in the world’s international hierarchy, they need to become far more resilient and creative in their thinking so that they can identify new opportunities for efficiency. Otherwise, their current efforts to protect their infrastructure will have the unintended consequence of stifling their industries and economic engines, causing the nation to ultimately fail in its overall goal to protect its international position, citizens, economies, and sovereignty.


Facing this challenge will require the full security domain (not just government, industries, or individuals) to break the silos that continue to permeate the security industry. This will require updates in the doctrines of all security domains (including physical security and information technology), as well as a significant effort in modernizing the training materials and approaches used to develop those communities. Since the inception of this book, there have been significant strides in safeguarding the operations of our world’s infrastructures. This edition represents further developments since the fourth edition of this book appeared.

Introduction

This book is divided into 12 chapters, each of which deals with a specific evolution within the critical infrastructure domain. These chapters are intended to stand alone but present information and build on the fifth edition.

Chapter 1: Introduction to Critical Infrastructure Assurance and Protection

This chapter provides the base for the entire book and provides the historical backgrounds of critical infrastructure, and why it is important to society. There are some terms and definitions covering a brief synopsis of the intent of this book and what is to be expected from critical infrastructure assurance and protection specialists and professionals.

Chapter 2: Demand, Capacity, Fragility, and the Emergence of Networks

This chapter is more theoretical in that it identifies an emerging trend in thinking rather than describing some of the changes in the strategic infrastructure that have taken place since the first edition appeared. At the time of the first edition, much of the focus on critical infrastructure protection efforts was at the very local level—how to protect key facilities. Recent infrastructure issues have highlighted the fact that this infrastructure is subject to impacts that can flow along interdependencies and also disruptions within its networked environment. This chapter reflects that current trend.

Chapter 3: Consolidation of Power on Core Critical Infrastructure Sectors

Moving beyond National Frameworks (prior edition), the chapter focuses on core areas of energy, telecom, and transportation—logistics backbones to communications and mobility (and capability to respond to a large-scale crisis) in a modern environment. This chapter reviews the consolidation of power in terms of energy, telecommunications, banking, and transportation, the potential for these to become “The Big Four,” and how their interactions with other sectors play an important factor.

Chapter 4: The New Role of Government

This chapter discusses a paradigm shift of the role of governments from regulators to catalysts for change (e.g., setting firm targets for “green energy” and other benefits, such as electric vehicles). The reader should understand that relationships between governments and private sector entities are more dynamic now when looking at management of infrastructure, and its impacts at social and economic levels.

Chapter 5: The Reinvention of Information Sharing and Intelligence

This chapter outlines the paradigm shifts in how information and intelligence are viewed and treated. This chapter has been updated to address the current handling of information. Additionally, it introduces the emerging role of clouds, the increasing importance of information to us, and how intelligence is gathered.

Chapter 6: Challenges Faced with Vital Services

This chapter looks at the current challenges associated with managing key-critical services, such as frontline workers during periods of adversity (e.g., pandemics), as well as the need to adopt a more system-focused, performance-based approach to how we look at the value of work. It raises the issue of how we view challenges faced by frontline workers, such as stockers and delivery drivers in the food sector (not restaurants), supply chain, and medical (e.g., lack of experienced doctors in some places).

Chapter 7: Management of Critical Infrastructure Resiliency

This chapter discusses systems under pressure during periods of crisis, such as floods, failed electric grids, pandemics, etc. It delves further into how resilient an infrastructure is when faced with an increased number of rapid changes, and with the speed, frequency, and diversity of the issues. Additionally, this chapter identifies an even greater holistic approach in encompassing multiple disasters occurring at the same time (e.g., pandemic and flood).

Chapter 8: The Coming Resurgence of Interdependencies

With the demand for increased connectivity comes increased interdependencies. This can produce much-needed redundancy, but it can also include dependence and, as such, the potential for increased risk. This chapter reviews how current projects tend to focus on one aspect, and are likely to see either new or an increasing number of vulnerabilities arising from interdependencies with other infrastructures.

Chapter 9: The Evolution of Physical Security

This chapter assimilates and integrates the Emergency Management chapter from the previous edition into this new chapter. It includes physical and asset security, management, and a focus on continuity of operations.

Chapter 10: Paradigm Shift of Nationally Sensitive Information and Networks

This chapter introduces challenges faced by public service workers and contractors working from home who require nationally secured information that would otherwise be accessed only from a centralized location. This now includes private sector employees who require security clearances to discuss and share information with each other, as well as public service workers.

Chapter 11: Considerations to Be Made in Paradigm Shifts This chapter outlines the concerns at the social and economic levels as to whether governments and private sector entities are ready for these shifts based on several emerging factors. Additionally, can the interdependent sectors pivot accordingly to adapt to these new paradigm shifts? The chapter also introduces the emerging role of the interim operating capability versus the cataclysmic shift of key-critical infrastructures.


Chapter 12: Climate Change
While there is still debate within certain circles regarding the specifics of climate change, certain facts can be recognized. Urbanization along coastal and littoral areas needs to consider the changes in the world’s oceans. Building architects and engineers face increasing challenges from a rapidly changing environment and from how it will directly and profoundly impact—and, in extreme cases, disrupt—infrastructure. This chapter reviews the ways to protect capacity within the sectors, and it re-examines base requirements dealing with environmental factors (such as building codes, standards of design, etc.) in order to accommodate an environment that could become more extreme or change more rapidly in the years to come.

Authors’ Notes
This publication offers an aid in maintaining professional competence, with the understanding that the authors, editor, and publisher are not rendering any legal, financial, or any other professional advice. Due to the rapidly changing nature of the infrastructure security industry, the information contained within this publication will become outdated, and therefore the reader should consider researching alternative or other professional or more current sources of authoritative information. A significant portion of this publication was based on research conducted over several years from a plethora of government and public domain resources, publications, and Internet-accessible websites, some of which may no longer be publicly available or may have been restricted due to laws enacted by a particular country’s government. The views and positions taken in this book represent the considered judgment of the authors and editor. They acknowledge with gratitude any input provided and resources offered that contributed to this book. To those who have contributed to the book’s strengths and characteristics, we thank you for your contributions and efforts. For any inconsistencies that may be found, we alone share and accept the responsibility for them and will gladly make corrections as needed. One additional note concerns the evolutionary process that we are witnessing within this industry. We are seeing a shift from the force-protection doctrine that concentrates on the protection of vital nodes and infrastructure, to a doctrine that relies more heavily on the assurance of critical services and establishing and then maintaining resilient networks.
Realistically, private citizens, corporations, and governments alike all see the flow of services and goods, such as electricity, drinkable water, etc., as a service; we turn on a light switch or a faucet, and it just works, and we do not concern ourselves much with the route that the service or product takes to get to its final destination. This paradigm shift is being driven by the continuously evolving threats and the realization of increasing costs associated with the force-protection doctrine’s relatively reactive approach to risk management. In an effort to keep the references available for the readers, we have provided a set of “snapshot of the website” links for all government and public domain website references. As these website references change, become deleted, and so on, it is important that readers know what the references were at the time of the writing of this book. This will ensure that those references are “frozen in time” and will not be changed or altered in any fashion whatsoever. We consider this a value-added feature to this book, and invite you to review those website references now in case they become unavailable over time. You may access this information via a dedicated website at http://cipbook.infracritical.com.

Acknowledgments
Some materials used in this book were taken in part or in their entirety from several very reliable and useful sources. Any information that may appear to be repetitive in its content from those sources was taken to provide a more introspective perception of what defines critical infrastructure assurance. The authors, editor, and publisher thank the following organizations for their contributions of references and materials:

U.S. Department of Homeland Security (www.dhs.gov)
Federal Emergency Management Agency (FEMA), which is part of the U.S. Department of Homeland Security’s National Preparedness Directorate (www.fema.gov)
U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (cisa.gov)
National Institute of Standards and Technology (NIST), which is part of the U.S. Department of Commerce (www.nist.gov)
Public Safety Canada (www.publicsafety.gc.ca)
Parks Canada (www.parks.canada.ca)


Chapter 1

Introduction to Critical Infrastructure Assurance and Protection
DOI: 10.4324/9781003346630-1

1.1 Introduction
Critical infrastructure protection (CIP) is a topic that is now beginning to span generations. The basic concept of critical infrastructure protection finds its roots in concepts such as vital point protection, which can be traced back several thousand years to the protection of key shelter points, food stores, and other features such as water sources. Those involved in the planning of conflicts extended this to such infrastructure as food, water, ammunition, fuel, and equipment. Civil infrastructure followed the same course, with the need for protecting vital points gradually expanding from vital points to the protection of distributed infrastructure (such as transportation, telecommunications, water, and other networks) to a more holistic protection of critical services described in previous editions. Some will remember the Year 2000 (Y2K) issue as an emerging crisis that was one of the first clear examples of this expansion, involving the surveys of several critical infrastructures (such as the electrical grid) in preparation for the possible disruption of services that included power, communications, financial services, and transportation. For others, the issue began shortly after the attacks on September 11, 2001. Over the past two decades, the paradigm of how we address issues associated with our critical infrastructures has changed from an effort of protecting assets (robustness) to a focus on the promotion of resilience and the capacity to meet demand. This book will focus primarily on changing networks from an asset-based approach to an even more capacity-based approach. Changes made within the food industry (the rise of door delivery services) illustrated some of the adjustments that needed to be made to sustain the capacity during the recent pandemic, with mixed results.

This journey began with the mad dashes on Y2K changes, when the situation became dire enough that airline executives had to board aircraft to fly across zero hour in order to demonstrate that their planes were still safe. While Y2K caused concerns at a technical level, it represented a narrow band on the overall threat spectrum. The attacks of 9/11 broadened the focus to include terrorist attacks, while natural disasters around the world, including Hurricanes Katrina and Sandy at home, broadened it even further. Populations have become less confident that critical services can be protected and delivered at all times. Since the last edition, the threat spectrum continues to evolve. The various categories of events continue to broaden. We see “lone wolf attacks”1 and similar attacks continue to occur at many venues. Of note, mental health issues, which may be at the root of some of these attacks, have gained new status as a result of some of these tragic events. We continue to witness increasing numbers of small groups driven by political and other ideologies, forcing conflicts both at home and abroad. These conflicts are often exacerbated by the nature of the dialog permeating through social and news media. We have also observed an increase in both the overt and surreptitious involvement of state actors who engage in intellectual property theft, economic espionage, information operations, and other activities, even to the point of laying the groundwork for attempts to disrupt our infrastructure via cyber and similar means. While outside of the scope of this work, one might even argue that we are now seeing a version of the conflict in which state actors focus their combined political, economic, and military might in both the physical and logical domains.
While human factors have expanded, so have the challenges associated with climate change. Changes in the environment have strained the infrastructure’s ability to meet demand. Catastrophic events, ranging from severe drought to severe inundation, that have challenged communities as “century-level events” are occurring more frequently. Populations are now guided to maintain reserves of key resources (food, water, medicine) to sustain them, as traditional emergency responders may be delayed, or unable to provide, immediate support. Combined with increasingly severe events, our ability to reliably predict these events has been strained both by decisions that reduced the amount of available data and by the instability of weather events. The breadth and depth of the challenge continue to increase, drawing in more communities as we attempt to address complex issues. While the issue of critical infrastructure protection has involved significant resources, originally these focused on narrower groups of technical and government teams. However, this has now broadened to include other security domains, such as the traditional and social sciences examining sources of conflict and the sources of changes within complex systems. As these groups have expanded and evolved, so have the methods used to examine this domain and its associated challenges.


An examination of the community now engaging this challenge shows that not all the changes have been positive. While governments, academic institutions, and private sector entities have continued to take up the challenge, an increasing politicization of issues continues, notably through those that have tainted scientific and critical issues in order to promote political and other interests. The security community has not been immune to this. In short, the issue of critical infrastructure protection, which once resided in the public domain, has expanded to become its own business line. And, like any other business line, there are those who continue to attempt to serve the public interest, while others have identified the issue as a potentially lucrative source of funds. As a result, the data, information, and intelligence associated with climate change have become tainted through communications and spin-doctoring, meaning all conclusions must be put under a far more critical eye.

1.2 What Is Critical Infrastructure?
The term critical infrastructure refers to assets of physical and logical systems that are essential to the minimum operations of the economy and government. This much, at least, has not changed. They include, but are not limited to, telecommunications, energy, banking and finance, transportation, water systems, and emergency services, both governmental and private. As these systems become further interconnected, we see two major trends becoming apparent. The first trend involves the pace at which technology evolves. This is not a constant around the world, and as time progresses, we continue to see examples of certain societies and communities progressing at different rates, along with the emerging challenges associated with the replacement of aging infrastructure. The second trend involves understanding that the specific elements that make up a critical infrastructure are not constant across all communities and may be subject to physical, sociological, and cultural factors. As a result, CIP practitioners need to understand the contexts (economic, environmental, cultural, and political) within which critical infrastructures can be found. Due to advances in information technology and efforts to improve efficiencies in these systems, infrastructures have become increasingly automated and interlinked. These improvements have created new vulnerabilities relating to equipment failure, human error, and weather and other natural causes, as well as physical and computer-related attacks. One contentious statement is that the term critical infrastructure refers to (logical) network architectures that support operations, not the operations themselves. This fails a key test. While the logical infrastructure (including networks) has become increasingly important, it does not feed people, generate electricity, purify water, or ship goods.
It is certainly incontestable that the networks supporting critical infrastructure play a significant and vital role, but it needs to be clearly understood that it is one function of many.


Over the past decade, various levels of government have been held responsible for the protection of their own infrastructure. As the world moves inexorably toward a global-centric network, we are seeing levels of government, along with the private sector and even individual citizens, having responsibilities that take a more global approach. It is not unusual for individuals to call service centers halfway around the world to assist them with their networking difficulties. At the same time, global supply chains require that private entities become much more aware of events around the world that can affect the resilience of their supply chains. This means that local efforts that were seen as manageable, if somewhat uncomfortable, have grown exponentially into international “monsters.” As a result, the previous process associated with critical infrastructure assurance has grown in scope from consistent testing and evaluation of local infrastructures to one that is at its beginning of understanding the vast influences that operate at a much more global level. This has changed the playing field—significantly—from one where the edicts coming from national capitals are now the second step in a much grander process that involves balancing of international interests and priorities with national responsibilities.

1.3 What Is the Private Sector?
The private sector of a nation’s economy consists of those entities not controlled by the state, such as private firms and companies, corporations, private banks, nongovernmental organizations (NGOs), etc.2 Many nations have entities that are established to deal with the private sector. Often these are linked to applying requirements or to the contracting arrangements that can be made between the government and the private sector. What needs to be understood here is how controls differ between the two. The private sector entity may influence laws or government policy, but does not have the authority to set that policy. The policy controls which are often referred to in today’s asset protection community are management decisions that remain largely constrained to its own persons, assets, and operations. Even in arrangements where the government delegates work, it is always done under the oversight of some legal mechanism. The private sector may also have to respond to authorities that are outside of the nation—such as those imposed on it by parent companies, partners, or even financial institutions. This can lead to a level of complexity when attempting to determine what the requirements being placed on the private sector actually are. The second aspect to remember about the private sector is the nature of its finances. Regardless of good intentions and public messaging, the private sector entity seeks to generate wealth. In return for some consideration, companies that operate for-profit business models tend to seek to increase that wealth, while those that operate not-for-profit business models attempt to balance their cash flows with their operations. In short, decisions are made with a very clear understanding that there are financial risks involved.


This financial risk is also different from that of the government. The government operates on a fiscal year that allows for budgets to be reset to a starting point and also has a significant ability to determine its level of debt, although the past few years have seen pressure on government financial controls to reduce waste and limit spending, resulting in a similar decline in resources in, or even elimination of, some activities. The private sector does not have this. Budgets are linear in that if money out is greater than money in, then eventually the company will first go into debt, then insolvency, and then finally cease to exist. This has a profound effect on how organizations look at their budgets and new requirements—the government may see issues in terms of “costs of doing business,” while the private sector may interpret those new measures as another step on the road toward “going out of business.” With the continuing threat to supply chains and to servicing critical infrastructure, we are currently witnessing the implementation of national requirements in both Canada and the United States.3 The executive order, presented by President Biden, is a clearly stated message for those operating critical infrastructure and certain government services to ensure their operations are in order. Canada’s Bill C-26 (an Act respecting cybersecurity, amending the Telecommunications Act, and making consequential amendments to other Acts) was presented for first reading on June 14, 2022, and focuses on what appears to be a regulatory structure for cybersecurity, including supply chains. Several factors are pressuring global supply chains back onshore. Economic losses due to China’s restrictive policy on “zero COVID”4 have had a severe ripple effect on many countries, not just Canada and the United States. Conflicts, particularly between Russia and Ukraine, have resulted in movements (nearly nationalistic) supporting one side of the conflict or the other.
Fuel costs have placed exceptional pressure on the maritime, rail, and trucking industries. Similarly, companies that handle LTL (less-than-truckload) shipments for courier companies have also had to change their operations in response to increasing fuel costs. Over the past two years, notably during the COVID-19 pandemic, another aspect of critical infrastructure protection became apparent. While traditional doctrine tended to accentuate the importance of key personnel (those with special knowledge or delegations), the pandemic soon illustrated that certain groups of employees needed similar consideration. For example, the stock person may not hold the same level of delegated authority, or certain kinds of advanced skills; however, the loss of all stock persons (or enough to affect operations) had a similar negative effect on corporations or on the ability of those corporations to deliver services. The fact that certain managers needed to step in to perform those roles only illustrates the importance of those roles in the overall ability to maintain operations. We have also learned that these impacts do not necessarily have to be part of the actual event. Anyone who has gone to a restaurant in a major city would likely have noted that there is a key shortage of wait staff and cooks that resulted either from a change in priorities (in terms of quality of life for the staff), or through individuals taking the time during the government-mandated shutdowns to take steps that broadened their employment opportunities (new education, new trades, new skills, etc.). This illustrates that what is believed to be a necessary response can have impacts that also warrant consideration.

1.4 What Is the Public Sector?
The public sector consists of government-owned or government-controlled corporations, as well as government monetary institutions.5 This includes the various entities (often organized into departments, agencies, commissions, authorities, and so forth) that receive funding through the legislation that enables government organization of funds and that derive their authority from enabling legislation. These can be organized at various levels in both the United States (federal, district, state, municipal, and tribal) and Canada (federal, provincial/territorial, tribal nations, and municipal) with, it is important to note, each wielding its own influence on the population. In these structures, there are three significant trends. First, the balancing of budgets has often been at the expense of lower levels of government through a process called downloading, in which the higher level of government forces costs onto the lower level of government, and ultimately, onto the taxpayer. While this practice helps balance the budget of the higher level of government, it places a strain on government levels beneath it and should be viewed in terms of the rebalancing of accounts as opposed to the fixing of issues. The second involves the concept of divestment. This practice involves the government restricting both its internal and outsourced operations that it considers undesirable due to costs or complexity. This, however, can have consequences, such as recently illustrated by the divestment of the Port of Churchill in Canada that ultimately led to its closure a short time after—costing Canada one of the shortest routes into Europe and the local community its major employer.6 Third, there is also a rise in the apparent importance of First Nations government organizations, particularly when dealing with major infrastructure projects and in partnership with the federal and provincial governments.
Public sector entities may be involved in two major functions. The first function is regulating the behavior of those persons or entities that fall within their jurisdiction. This is accomplished through legal tools that may include laws, regulations, rules, measures, or a direction of current trends that would side more so towards an increased reliance on regulation as opposed to legislation. Compliance with any of these is considered mandatory in the eyes of the state, and breaches of compliance may result in penalties ranging from financial penalties to something significantly more severe. The increasing use of regulation and other structures that fall under administrative law has a significant impact on how the government enforces its requirements on the population. While criminal code infractions in Canada and the United States are governed through the Bill of Rights (United States) and the Charter of Rights and Freedoms (Canada), regulatory enforcement is conducted through tribunals that differ significantly. Within the domain of critical infrastructure protection, it is far more likely that an organization would face an administrative action (such as an Administrative Monetary Penalty, or AMP) imposed through an inspector under regulation, rather than a criminal charge; although the latter may still remain available, this option would be used only under the severest of conditions.7 The concept of jurisdiction is also important, particularly when looking at issues that involve international operations—such as shipping. In these cases, the mechanism by which the state generates its requirements often involves participation in groups of various sizes and whose decision-making processes are guided by consensus that is taken back to the various national governments. Depending on the nature of the international group within which the nation-state is participating, the laws and regulations that it passes may be constrained in terms of operating within the constraints of the consensus of the international group or body. This leads to the second function, which is the protection of people, property, and operations under its care. This often operates hand-in-hand with the first function, as many regulations are intended to provide a level of protection for society against activities that would appear to run afoul of public safety concerns or societal norms. Generally, public safety will look more toward people and property, with operations being included as part of the suite of business risks. The nation-state will operate bodies that are designed to protect those persons that are abiding by its requirements in most legitimate forms of government, and against significant events such as natural disasters, fire, etc. This level of constraint may also have an involuntary aspect.
Over the past decade, the world has seen an increase in international bodies becoming involved in settling national disputes. Organizations such as the United Nations, Gulf Cooperation Council, and other similar bodies have taken on an increasing role in determining what constitutes acceptable national behavior. We see this in international bodies sanctioning actions that range from trade restrictions to enforcement through military intervention. As we move toward more international operations, these international bodies are taking on increasing roles in overseeing the decisions of their individual members. This has been particularly evident in situations associated with the financial sector in Europe, where the European Union (EU) essentially dictated what financial controls the Greek government was to put in place in order to receive bailout funds. Similarly, the United Nations and other international bodies have taken a significant interest in the state’s response to the migration of persons, making comments on the states’ response and, one might argue, leading a two-front campaign—one being legal and the other being in the court of public opinion. This can be further complicated as certain issues which are being addressed at global levels (such as migration due to climate) are at or near the root of many national issues, such as migration, disease, the movement of invasive species, and even, for some nations, the potential for resettlement. While this dynamic is still evolving with respect to critical infrastructure assurance and protection doctrine, the fact that international bodies appear to be becoming more active should at least be in the back of the researcher’s mind when looking at potentially evolving challenges.

1.5 What Is CIP?
The term CIP pertains to activities for protecting critical infrastructures. This includes people, physical assets, information, and communication cyber systems that are indispensable for national, state, and urban security, economic stability, and public safety. CIP methods and resources deter or mitigate attacks against critical infrastructures caused by people (terrorists, other criminals, hackers, etc.), natural calamities (hurricanes, tornadoes, earthquakes, floods, etc.), and accidents which may be as innocuous as a vehicle crash or may involve hazardous material exposure to nuclear, radiological, biological, or chemical substances. Essentially, CIP is about protecting those assets considered invaluable to society and that promote social well-being.8 CIP is often considered a reactionary response to threats, risks, vulnerabilities, or hazardous conditions. It does entail some preventative measures and countermeasures, but usually it is reactive by nature. CIP has two goals. The first goal can be related back to an alternative way of thinking. By definition, a critical infrastructure involves physical and logical systems necessary to support the safety, security, and economic well-being of communities (to paraphrase the growing list of definitions). The second goal should be more concerned with the protection of the infrastructure (in its physical and constructional contexts), and whether it is capable of delivering its anticipated services to the community. At this point, the reader needs to be cautious about how he or she looks at the term CIP. Certain organizations, such as the North American Electric Reliability Corporation (NERC), have promoted the approach in their communications using the term CIP only to describe a narrow aspect of infrastructure protection. In the case of the NERC, the term has been cast to identify only critical resources (physical and cyber) that are specific to the North American power grid.
Failing to understand these contextual issues can lead to discussions or debates where the scope of the discussions is not understood by all involved. Critical infrastructure assurance goes beyond the concept of CIP in that it seeks to assure the viability of the services provided by that infrastructure. This implies a strong focus on proactive and preventive controls. In this context, the concepts of robustness, resiliency, and redundancy factor much more significantly because the activities balance the need for protection and the potential impacts associated with failure. This kind of approach to the issue of CIP was much closer to the intent of the original goals of assuring the population that critical services would not be disrupted and, in the off chance that they were disrupted, that the infrastructure was designed and managed to restore the necessary level of services as quickly and effectively as possible.

1.6 What Is CIA?
Most asset protection programs and their efforts often begin with determining why something needs to be protected. The first part of this involves understanding the mission or purpose of the organization and what service it provides or what good it produces. The second element of this involves working backwards from the successful achievement of these goals and looking at how various managed systems come together. As one reduces from systems to sub-systems and ultimately to processes, one sees the most granular level—that of the asset. These various inputs are identified and assigned value based on their contribution to the given system and its desired outputs or results. For example, the value of a facility may be that it provides a clean and sterile environment for research. Something that breaches the controls that protect that sterility would fall into the threat category, as the organization has lost a valuable part of its activities through the loss of the space. The second part focuses on threats and assets (things) that can or might disrupt processes and cause the organization not to be able to realize the full value or potential of those assets. These steps become the foundation for such statements as risk being a possibility of loss or injury; more specifically, it is an estimated impact that a hazard would have on people, services, facilities, and structures in a community.9 The value associated with a critical infrastructure can be divided into several parts. The first part involves circumstances in which the critical infrastructure provides a unique service within and to a community. This is often the case where infrastructure costs are relatively (or even prohibitively) high, such that the community can afford only one of the installation types.
An example that supports this premise: it is unlikely that a town of 7,500 inhabitants with a water purification plant able to handle a population of 15,000 would suddenly decide that it is time to put in place a second, similar installation. In this example, the concept of physical security or force protection10 becomes vital, given the potential impacts associated with the interruption, loss, or destruction of that particular infrastructure, in this case the loss of fresh drinking water to the local community. The second part is that critical infrastructure may have a strategic value. Even if the demand is not immediate, the critical infrastructure may offer the ability to respond to a sudden change or condition. Canada, for example, recently faced questions about whether it could help meet Europe's impending fuel needs (as of 2022), given its lack of sufficient pipeline and refining infrastructure to respond effectively.

In a networked environment, an additional layer of protection becomes possible when one leaves the local level and begins to look at state/provincial, regional, or even national levels. Depending on the nature of the service being provided, the networked environment allows robustness, resilience, and redundancy to be designed in. When one infrastructure suffers a negative impact, the loss of its performance in one area is offset by the remaining elements within the network, which increase or reallocate their own contributions so as to either reach the desired level of overall performance or, in more extreme cases, reduce the impact associated with the disruption. The question becomes whether to protect an individual infrastructure or the ability of the networked environment to perform at a level that meets the demands. The truth is that both are needed. Individual nodes and conduits associated with an infrastructure network are intrinsic to that network's ability to function. At the same time, individual nodes operating in isolation must be looked at closely in terms of the residual risk they introduce into the system, since each is essentially a single point of failure.

Another harsh reality of the critical infrastructure domain is that there are people (i.e., families) who rely on those who operate in that field to ensure that services are there when needed. A range of events illustrates this reality. During the 1998 ice storm in Canada11 as well as the August 2003 blackout12 that affected13 much of the northeastern United States and Canada, the challenge was that electrical power was not available to maintain either heating and sump pumps (ice storm) or refrigeration and heating, ventilation, and air-conditioning systems (2003 blackout). This lack of availability prompted the declared states of emergency and resulted in organizations putting their business continuity plans in motion and taking other extraordinary measures. The use of Canadian National Railway locomotives and generators to supply electricity in response to the ice storm points toward the lack of electricity itself being the problem, not simply the disruption of a specific transmission line.
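The networked offset described above can be checked mechanically rather than argued. The following Python block is an added example (not from the book): it models supply nodes, demand nodes, and the conduits between them as a flow network, then removes each plant and each conduit in turn (an N-1 contingency check) to see how much demand the remaining network can still serve by reallocating capacity. The plant names, capacities, and demands are constructed for illustration; any element whose loss alone leaves demand unmet is the kind of single point of failure the text warns about.

```python
"""N-1 contingency check for a small networked infrastructure.

Added example, not from the book. Supply nodes, demand nodes and conduits
form a flow network; each plant and each conduit is removed in turn to see
whether the rest of the network can reallocate capacity to meet demand.
Elements whose loss leaves demand unmet are single points of failure.
All names and figures below are constructed for illustration.
"""
from collections import deque
from copy import deepcopy

# Constructed sample network (assumption): two plants feeding three towns.
SUPPLY = {"plant_a": 15, "plant_b": 8}             # units each plant can contribute
DEMAND = {"town_x": 6, "town_y": 5, "town_z": 4}    # units each town needs
LINKS = {                                           # conduit capacities
    ("plant_a", "town_x"): 6,
    ("plant_a", "town_y"): 5,
    ("plant_a", "town_z"): 4,
    ("plant_b", "town_y"): 5,
    ("plant_b", "town_z"): 4,
}


def build_graph(supply, demand, links):
    """Residual-capacity adjacency dict with a super-source and super-sink."""
    graph = {}

    def add_edge(u, v, cap):
        graph.setdefault(u, {})
        graph.setdefault(v, {})
        graph[u][v] = graph[u].get(v, 0) + cap
        graph[v].setdefault(u, 0)  # reverse edge for the residual graph

    for node, cap in supply.items():
        add_edge("SRC", node, cap)
    for node, need in demand.items():
        add_edge(node, "SNK", need)
    for (u, v), cap in links.items():
        add_edge(u, v, cap)
    return graph


def max_flow(graph, source="SRC", sink="SNK"):
    """Edmonds-Karp: the most demand the network can serve at once."""
    g = deepcopy(graph)
    total = 0
    while True:
        parent = {source: None}
        queue = deque([source])
        while queue and sink not in parent:
            u = queue.popleft()
            for v, cap in g.get(u, {}).items():
                if cap > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            return total
        # Bottleneck along the augmenting path, then push that much through.
        path_flow = float("inf")
        v = sink
        while parent[v] is not None:
            path_flow = min(path_flow, g[parent[v]][v])
            v = parent[v]
        v = sink
        while parent[v] is not None:
            u = parent[v]
            g[u][v] -= path_flow
            g[v][u] += path_flow
            v = u
        total += path_flow


def served_demand(supply, demand, links, removed_nodes=(), removed_links=()):
    """Demand that can still be met after the given nodes/conduits are lost."""
    live_supply = {n: c for n, c in supply.items() if n not in removed_nodes}
    live_links = {
        e: c for e, c in links.items()
        if e not in removed_links and e[0] not in removed_nodes and e[1] not in removed_nodes
    }
    return max_flow(build_graph(live_supply, demand, live_links))


def n_minus_1(supply, demand, links):
    """Shortfall in served demand when each plant or conduit fails on its own."""
    total = sum(demand.values())
    report = {}
    for node in supply:
        report[node] = total - served_demand(supply, demand, links, removed_nodes=(node,))
    for edge in links:
        name = f"{edge[0]}->{edge[1]}"
        report[name] = total - served_demand(supply, demand, links, removed_links=(edge,))
    return report


def single_points_of_failure(report):
    """Elements whose loss alone leaves some demand unmet."""
    return sorted(name for name, shortfall in report.items() if shortfall > 0)


if __name__ == "__main__":
    print("baseline served:", served_demand(SUPPLY, DEMAND, LINKS))
    contingencies = n_minus_1(SUPPLY, DEMAND, LINKS)
    for name, shortfall in contingencies.items():
        print(f"{name:18s} shortfall={shortfall}")
    print("single points of failure:", single_points_of_failure(contingencies))
```

In the constructed network, losing plant_b or any conduit except plant_a->town_x is absorbed by reallocation, which is the CIA view of the system; plant_a and its conduit to town_x cannot be covered by the rest of the network, so those are the nodes where local CIP effort is not optional. A real study would add N-2 cases and time-limited headroom, but the structure of the check is the same.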
Consider another example involving the U.S. postal system. Does it really matter which street the mail travels down before it gets to your home? The response would be "of course not." What does matter is that your mail arrives at your home on time and in unbroken condition. The concern sets in when we wonder whether the mail or post is actually being delivered at all, something that affects our paying of bills, receipt of ordered goods, and other forms of communication. Finally, consider the U.S. water supply systems. Again, we are less concerned with whether the water is coming through a central pipe or some peripheral part of the system. We tend to become significantly concerned if the water supply fails to provide water to our homes. For example, the prolonged drought affecting Lake Mead has significantly impacted several states, particularly agriculture in those states. This is resurrecting discussions about the viability of creating pipelines to carry water from the Great Lakes. In turn, this is raising concerns internationally, given the agreements between Canada and the United States over water rights and the preservation of the Great Lakes watershed.14,15

Other examples will tend to follow suit, because it is the lack of critical services that poses the risk to society. Some might argue that the population is concerned about protecting critical infrastructure only insofar as that protection ensures the availability of the service to the public. This leads to the concept and definition of CIA. The definition of CIP focuses on protecting the nodes and conduits of any given infrastructure that delivers services to its community, through force protection. Although CIP tends to take an all-hazards approach, it tends to operate at a very basic or local level, say, one facility, one road, etc. CIA, on the other hand, tends to focus on a layer above CIP, which includes the necessary arrangements to shift production around within the network or surrounding networks so that demand is met, even if a local node or conduit is disrupted. If we were to take our two power-based examples, we would see the difference in approach. CIP would tend to focus on a very granular level: power production facilities would be protected against various types of physical attacks or hazards. CIA looks at the entire power grid, ensuring that the system can detect disruption, shift capacity to meet demand, and ensure that services are being met, often transparently to the consumer. In this context, it might be argued that CIA is the holistic view that is actually sought by most CIP professionals.

1.7 What Are Public-Private Partnerships?

The divide between the public and private sectors is becoming more gray and flexible through the concept of public-private partnerships. A public-private partnership is an agreement between a public agency and a private sector entity that combines skills and resources to develop a technology, product, or service that improves the quality of life for the general public. The private sector has been called upon numerous times to use its resources, skills, and expertise to perform specific tasks for the public sector.16 Historically, the public sector has frequently taken an active role in spurring technological advances by directly funding the private sector to fulfill a specialized need that cannot be completed by the public sector. What this arrangement seeks to accomplish is a stable relationship between the two that allows a more efficient and effective delivery of services. This is discussed in detail in Chapter 2.

1.8 Critical Infrastructure Functions

Defining, using, and maintaining critical infrastructure is a combination of processes. When looking at what should be defined as a critical infrastructure, we need to move beyond the convenient definitions and shopping lists promulgated by governments and associations and ask three fundamental questions:

◾ Is the infrastructure necessary for the preservation of life or the continuation of a society?
◾ Is the infrastructure operating in a very limited context or across a much broader context? Put another way, is that infrastructure specific only to a local community, or does it interconnect with other communities to make a much larger, more fragile community? This may influence whether the infrastructure is considered to be a critical infrastructure in the national context or a vital asset at the local level.
◾ Is the infrastructure operating as a singly or uniquely organized entity, or is it a community of coordinated efforts put forth by several parties? This is important to understand because the infrastructure, and its capacity, needs to be understood in terms of assurance to its operations.

The answers to each of these three questions will have a profound impact on the methods needed to protect the infrastructure and ensure delivery of its services. This in turn will affect the methodologies and measures available to those seeking to accomplish the same. It should not be looked upon as a purely administrative process guided by checklists and prescriptive formulas.

1.9 Evolution of Critical Infrastructure

What many policy makers consider to be critical infrastructure has been evolving and is often ambiguous. In the early 1990s, the word infrastructure was defined primarily with respect to the adequacy of the community's public works. In the mid-1990s, however, the growing threat of international terrorism led policy makers to reconsider the definition of infrastructure in the context of security at national levels. Successive government policies and laws have become refined and better understood based on the expanded number of infrastructure sectors and the types of assets considered critical for purposes of an economy's security.17 The definition of critical infrastructure in P.L. 107-56 was adopted, by reference, in the Homeland Security Act of 2002 (P.L. 107-296, Sec. 2.4),18 the act that established the U.S. Department of Homeland Security (DHS). The national strategy adopted the same definition, providing the following list of specific infrastructure sectors and the assets falling under that definition.

SECTORS INCLUDE:
Agriculture and food production
Banking and finance
Chemical production
Critical manufacturing
Communications
Emergency services
Energy
Government facilities
Information technology
Nuclear energy and facilities
Postal and shipping
Public health and healthcare
Transportation and logistics services
Water and wastewater treatment

KEY RESOURCES INCLUDE:
Defense industrial base
Commercial facilities
Dams
National monuments and icons

The critical infrastructure sectors within the national strategy contain many physical assets, but only a fraction of these could be viewed as critical according to the DHS and Public Safety Canada definitions. For example, out of 33,000 individual assets cataloged in the DHS national asset database, the agency considers only 1,700, or about 5%, to be nationally critical.19 Within a single sector the picture is similar: only a small subset of a sector's sites is identified as potentially critical.20 Because federal, state, and local governments, as well as the private sector, often have different views of what constitutes criticality, compiling a consensus list of nationally critical assets has been an ongoing challenge for both DHS and Public Safety Canada.

The critical infrastructure sectors are now being reviewed in the context of both critical infrastructure protection (protection of assets) and critical infrastructure assurance (protection of capacity). We see this evolution very clearly within the Information Technology Sector in the application of the NIST Cybersecurity Framework (CSF),21 whose implementation began with the security and privacy controls described in NIST SP 800-53, Revision 4.22,23,24 NIST then published NIST SP 800-160, Volume 1,25 specific to systems security engineering. NIST SP 800-53, Revision 4,26 was then brought in line through Revision 5 to align more closely with NIST SP 800-160, Volume 1.27 As this shift was happening, NIST SP 800-160, Volume 2,28 refined that systems security engineering approach with a focus on developing cyber-resilient systems.
While CIP has been the focus, CIA has been approached largely through the concept of resilience, which aligns much more closely with CIA at the networked level and which has a profound impact at the local level by allowing a greater degree of flexibility than the former CIP models.29 This shift may afford greater flexibility for business, but it also creates a need for improved oversight by the relevant authorities, as it allows for greater or expanded use of administrative and procedural controls.

Notes

1. "[A]cts of terrorism carried out by radicalized individuals who prepare and commit violent attacks on behalf of foreign terrorist organizations without first traveling abroad to meet with and receive training from other members of the terrorist organization" (p. 5; URL: www.justice.gov/opa/press-release/file/1221386/download).
2. FEMA Emergency Management Institute. (2007). U.S. Department of Homeland Security Federal Emergency Management Agency, Principles of Emergency Management Supplement, p. 5, released September 11, 2007. http://training.fema.gov/EMIWeb/edu/08conf/Emergency%20Management%20Principles%20Monograph%20Final.doc (alt URL: http://cipbook.infracritical.com/book3/chapter1/ch1ref10.doc).
3. www.whitehouse.gov/briefing-room/presidential-actions/2021/02/24/executive-order-on-americas-supply-chains/ (alt URL: http://cipbook.infracritical.com/book5/chapter1/ch1ref1.pdf).
4. The term "zero COVID" is actually a strategy to control and suppress the contagion as much as possible to achieve a zero-contamination rate. Although it may be extremely difficult to achieve, the objective of this strategy is to minimize contagion by reaching as close to zero as possible. Many countries, such as China, have implemented such a strategy. URL: www.isglobal.org/documents/10179/7943094/26_ISGlobal+COVID19+y+COVIDCero+o+Maxima+Supresion+EN/0a4e83bb-6257-4f5d-8960-16c323b464b2 (alt URL: http://cipbook.infracritical.com/book5/chapter1/ch1ref2.pdf).
5. National Archives (United Kingdom), Cabinet Papers 1915–1978, the International Monetary Fund and Bretton Woods Conference. www.nationalarchives.gov.uk/cabinetpapers/themes/bretton-woods-conference.htm (alt URL: http://cipbook.infracritical.com/book3/chapter1/ch1ref4.pdf).
6. The Port of Churchill sat on a great circle that was one of the shortest to the European market. The port had been identified as being strategically important in the opening of the Arctic to economic activity but had continued in decline. The divestment and ultimate closure of the port, including some commentary on the impact, can be found at www.cbc.ca/news/canada/manitoba/port-churchill-layoffs-1.3694830 and www.cbc.ca/news/canada/thunder-bay/churchill-port-closure-thunder-bay-1.3697342.
7. Criminal courts involve the police laying specific charges with the state (used generically) and introducing evidence to support that charge in the court. This evidence must prove beyond a reasonable doubt that the individual is, in fact, guilty. Within administrative law, the Administrative Monetary Penalty is laid through the inspector's department or agency, and the onus is on the individual to contest it through an administrative tribunal, which bases its decision on a balance of probabilities. While administratively less burdensome, one might also have concerns regarding the shift in the presumption of innocence between the two systems: the criminal system requires the state to prove guilt, while the organization must defeat a penalty in administrative court or continue to face the impacts of the enforcement action.
8. www.usfa.fema.gov/a-z/critical-infrastructure-protection.html (alt URL: http://cipbook.infracritical.com/book3/chapter1/ch1ref1.pdf [old] and http://cipbook.infracritical.com/book5/chapter1/ch1ref3.pdf).
9. U.S. Federal Emergency Management Agency (FEMA) defines risk as "a function of the nature and magnitude of a threat, the vulnerabilities to that threat, and the consequences that could result." https://emilms.fema.gov/is_0870a/groups/22.html (alt URL: http://cipbook.infracritical.com/book5/chapter1/ch1ref4.pdf). Alternatively, risk is "the likelihood that a threat will harm an asset with some severity of consequences—and deciding on and implementing actions to reduce it." www.fema.gov/pdf/plan/prevent/rms/155/e155_unit_v.pdf, p. 3 (alt URL: http://cipbook.infracritical.com/book5/chapter1/ch1ref5.pdf).
10. A term used by the military establishment of the United States and other countries to define the following: "preventative measures taken to mitigate hostile actions against the U.S. Department of Defense personnel (to include family members), resources, facilities, and critical information." Joint Publication 1-02, Department of Defense Dictionary of Military and Associated Terms, November 2010 (as amended through February 15, 2016), p. 90. URL: https://irp.fas.org/doddir/dod/jp1_02.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter1/ch1ref6.pdf).
11. The 1998 ice storm hit the Canadian provinces of Ontario, Quebec, and New Brunswick. Thousands of Canadians were without power and heat for several weeks as power lines fell under heavy ice and snow. Alongside public utilities and law enforcement, over 15,000 members of the Canadian Armed Forces were there to help. URL: https://www.publicsafety.gc.ca/lbrr/archives/qc%20926.45.c22%20e78%202003eng.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter1/ch1ref17.pdf).
12. The northeastern U.S. and portions of southern Canada suffered the worst recorded power blackout in history. Areas affected included New York, Massachusetts, and New Jersey, along with Michigan, and from Ohio north to Toronto and Ottawa, Ontario, in Canada. Approximately 50 million customers were without power for several days. The main cause of the power loss was poor redundant operational controls. URL: https://www.energy.gov/oe/articles/blackout2003-final-report-august-14-2003-blackout-united-states-and-canada-causes-and (alt URL: http://cipbook.infracritical.com/book5/chapter1/ch1ref18.pdf).
13. U.S. Department of Energy, August 2003 Blackout, dedicated web page with useful links to information about the worst recorded blackout in U.S. and Canadian history. URL: https://www.energy.gov/oe/august-2003-blackout (alt URL: http://cipbook.infracritical.com/book5/chapter1/ch1ref19.pdf).
14. www.epa.gov/glwqa/what-glwqa (alt URL: http://cipbook.infracritical.com/book5/chapter1/ch1ref7.pdf).
15. https://binational.net/wp-content/uploads/2014/05/1094_Canada-USAGLWQA-_e.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter1/ch1ref8.pdf).
16. www.dhs.gov/xlibrary/assets/st_innovative_public_private_partnerships_0710_version_2.pdf (alt URL: http://cipbook.infracritical.com/book3/chapter1/ch1ref12.pdf).
17. Library of Congress, CRS Report for Congress. (2004). Guarding America: Security Guards and US Critical Infrastructure Protection, CRS-RL32670, November. https://fas.org/sgp/crs/RL32670.pdf (alt URL: http://cipbook.infracritical.com/book3/chapter1/ch1ref5.pdf).
18. www.congress.gov/107/plaws/publ296/PLAW-107publ296.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter1/ch1ref9.pdf).
19. Liscouski, Robert, Asst. Sec. Infrastructure Protection, U.S. Department of Homeland Security, testimony before the House Select Committee on Homeland Security, Infrastructure and Border Security Subcommittee, April 21, 2004. Note that DHS's list of 1,700 critical assets may not include the 430 US commercial airports with passenger screeners, whose security is primarily administered by the Transportation Security Administration; https://fas.org/sgp/crs/RL32670.pdf (alt URL: http://cipbook.infracritical.com/book3/chapter1/ch1ref5.pdf).
20. For example, in the chemicals sector, DHS has identified 4,000 facilities as potentially critical out of 66,000 total U.S. chemical sites. See Liscouski, Robert, Asst. Sec. Infrastructure Protection, U.S. Department of Homeland Security, testimony before the House Committee on Government Reform, Subcommittee on National Security, Emerging Threats and International Relations, Combating Terrorism: Chemical Plant Security, serial no. 108-156, February 23, 2004, p. 13. www.govinfo.gov/content/pkg/CHRG-108hhrg94257/pdf/CHRG-108hhrg94257.pdf or www.govinfo.gov/content/pkg/CHRG-108hhrg94257/html/CHRG-108hhrg94257.htm (alt URL: http://cipbook.infracritical.com/book5/chapter1/ch1ref10.pdf and http://cipbook.infracritical.com/book5/chapter1/ch1ref10a.htm).
21. NIST CSF v1.1, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter1/ch1ref11.pdf and http://cipbook.infracritical.com/book5/chapter1/ch1ref11a.pptx).
22. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter1/ch1ref12.pdf).
23. It should be noted that NIST SP 800-53, Revision 4, has been superseded by Revision 5 as of September 23, 2021. The difference between the two versions is considerable: Revision 5 adds 66 new base controls, 202 new control enhancements, and 131 new parameters to existing controls. Revision 4 is referred to instead of Revision 5 for the sake of clarity in the discussion.
24. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter1/ch1ref13.pdf).
25. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160v1r1.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter1/ch1ref14.pdf).
26. Ibid.
27. Ibid.
28. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160v2r1.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter1/ch1ref15.pdf).
29. The resilience model has an increased emphasis on the restoration of operations. While robustness or preventive controls continue to factor significantly, the concepts of detection, response, and recovery (using Canadian physical security doctrine as per G1-025), or the response and recovery phases of the emergency management cycle, figure more prominently; www.rcmp-grc.gc.ca/physec-secmat/pubs/g1-025-eng.htm (alt URL: http://cipbook.infracritical.com/book5/chapter1/ch1ref16.pdf).

Chapter 2

Demand, Capacity, Fragility, and the Emergence of Networks

2.1 Introduction

The concepts described in this chapter have evolved significantly since the first edition and continue to evolve as new and emerging factors continue to impact infrastructure. These factors include well-debated issues such as climate change, migration of populations, integration of new technology, increasing regulatory burdens, and economic factors. What has been apparent is that an increasing number and frequency of infrastructure issues are highlighting the fact that infrastructure, and even whole communities, can be impacted through interdependencies and disruptions within the networked environment.

2.2 What Are We Trying to Protect? The Concept of Capacity

If critical infrastructure is really about the infrastructure necessary to preserve the safety, security, and economic well-being of citizens, then shouldn't the focus necessarily be on protecting infrastructure or assuring that a given service continues to be delivered as required? Although the former is certainly important, the latter aligns much more closely with the stated goals of critical infrastructure protection (CIP). DOI: 10.4324/9781003346630-2

The fact is that a given infrastructure at the local level is there to provide some level of contribution into the system. The sum of these contributions, the ability to coordinate how those services are delivered, and the means of delivering them to their intended recipients may be best described as the capacity of the system. These three elements (contribution, coordination, and delivery) are important because they operate similarly to the fire triad (heat, oxygen, and chemical reaction): remove one and the whole fails. If the infrastructure can generate a significant amount of the service but cannot identify where it is useful or deliver it to those points, then the system has essentially failed. At the same time, a well-coordinated and well-maintained grid that does not have anything sent through it is still failing to meet the final goal. The ability of the system to produce, distribute, and deliver can be described as the system's capacity.

The symbiosis that exists between the ability to generate capacity and the ability to distribute that capacity has become much more evident, particularly when looking at the fringes and expanding edges of society's networked infrastructure. Communities (which may range from settlements to economic bases of operation) are expanding into environments such as the North. Similarly, the demand for technology is spreading outwards into increasingly remote locations. For those seeking a clear example of the challenges that can arise, one only needs to look at the 2017 events that damaged the transportation network to communities such as Churchill, Manitoba. In this specific example, the main ground transportation route (a rail line) suffered catastrophic damage to the point where economic interests and even the community's survival have been called into question.1 The concept of capacity is now also being linked to the concept of assurance.
Assurance, generally speaking, is the trustworthiness that something is going to perform as expected given a set of competitive or adversarial conditions. Those assets or services that operate only in very stable and tranquil environments may need only a lower level of assurance. Those intended to operate under difficult or even contested environments, like conflict, need to offer a higher level of assurance. As a result, those that are offering the capacity to meet demand are now being increasingly challenged about the level of assurance that their capacity will be able to meet that demand in what appears to be an increasingly competitive environment. Acceptance, in an engineering context, is not only about meeting accepted requirements from one set of conditions, but about meeting the same accepted requirements under more difficult or stringent conditions.

2.3 Demand: The Reason for Capacity

Demand and capacity exist in a constant balancing act. This is not to say that they are always in equilibrium; they rarely are. It simply means that where there is a demand, capacity will attempt to fill that demand. Where there is surplus capacity, there is likely going to be a demand attempting to exploit that capacity. Those with a background in supply-and-demand economics will find this concept very familiar. The concept of assurance simply broadens the application of this balancing act into differing threat conditions. The main question here is, can you still meet your demands in an even more hostile environment?

2.3.1 The Concept of Performance

The concept of performance basically describes whether the system works with sufficient capacity to meet its demand. For example, if there is a demand for 500 units of something, then the system would be considered in balance when it delivers those 500 units, and otherwise out of balance. Because of the nature of critical infrastructure, it can be reasonably argued that three imbalances have to be considered. The most serious of these involves a situation where the capacity does not meet the demand. This may be represented by a situation in which some portion of the population does not receive an expected level of the critical service, such as occurs during a power failure. The second most serious condition occurs when the capacity exceeds the demand but leads to a response where the capacity is reduced, leaving the system vulnerable to a spike in demand. This might be exhibited in situations where the private sector is primarily involved in the delivery of the service but, due to a surplus of supply, businesses leave the market because they become intolerably unprofitable. The final imbalance is a sustained surplus of capacity.

The example of Churchill, Manitoba, illustrates an important factor in looking at the demand and capacity balance. The local community has a vested interest in the performance of regional infrastructure, particularly since that regional infrastructure is essentially a single point of failure. With no viable replacement for the rail system (i.e., no road) and the only alternative being air transportation, the movement of critical supplies and stores (such as food) is impacted in terms of cost and availability to the point where the impacts cascade through the community. Canada's ability to sustain sovereignty operations in the area is affected by the same challenges.
The example here is showing how the impacts in terms of the performance of infrastructure need to be examined in a more coordinated fashion between local (including business), regional, and national (including strategic) perspectives.

2.3.2 Local Impact and the Influence on Capacity

When infrastructure is disrupted at the local level, it loses its ability to provide the expected level of capacity into the overall system. At the local level, the clearest understanding regarding the loss of capacity will flow from activities associated less with physical security than with business continuity planning (BCP). Within BCP, thresholds are communicated that are used to determine the severity of impacts or losses of key resources, etc. Although BCP generally ends at the edge of the organization's responsibility or mandate, the concept of CIP urges this approach to be carried on throughout the organization and into progressively larger systems.

One of the more evolving issues of late has been the concept of supply chain risk management. In this context, the local impact must now be looked at not only in terms of its effect on operations and simple performance, but also in terms of how people interpret the trustworthiness of the assurance case. An example of this concern is the recent introduction of Executive Order (EO) 14017,2,3,4 which focuses on supply chain security; EO 14028,5 for improving the nation's cybersecurity and utilizing standards such as NIST Special Publication (SP) 800-161;6 and NIST IR 8762, which reinforces the Executive Orders' implementations. These are being reviewed more closely in the context of both suitability of services and acceptance in design.7,8 Some care has to be taken here to ensure that the quality of service is maintained at a manageable level. What if the final product (e.g., a fuel) fails to reach the level of quality required for it to be usable in the system? This aspect of integrity is somewhat different from the traditional "nothing added, nothing deleted, and only authorized changes made through well-formed or defined processes" and is more closely in line with the traditional views of quality assurance and quality management.

2.3.3 Results of a Local Impact in the Immediate Sense

When something is disrupted, we return to the concept that the availability of the critical service has been reduced. This leads to three important events that are worthy of study. The first event involves what the loss or reduction of that service means to the overall system. This revolves around the concept of what consequences arise should the organization fail to meet its goals—again, a power failure, loss of transportation, etc. The second event involves what the loss or reduction of that service means to the internal use or management of inputs that would normally be used to maintain that level of service delivery. How do the unused inputs survive the impact? Are they perishable—must they be used within a certain time frame before they are no longer of value? Are they persistent, in that they can be stored nearly indefinitely without a loss of value? These factors should generally be included in the basic impact analysis—often in consultation with operations or material management personnel. The third event involves how the organization manages the fact that it is no longer consuming those inputs at the same rate. Does this mean that it will stop purchases of future inputs or that it will simply delay the delivery of some? These upstream impacts are also important factors to be considered both in the local impact analysis and later in the understanding of the impact on the overall system. For those seeking parallels, concepts defined in supply chain management and logistics provide some input.

Here we are seeing what may be described as an increase in how fast impacts can move through fragile and interdependent systems. When one considers the 1987 disruption in Canada of the movement of grain and the loss of coal exports from certain areas of the western United States, the impacts moved through the system quickly, but in a matter of days and weeks. These can be described largely as economic in their root (one being a labor dispute and the other being a collapse of an economy). The example of Churchill, Manitoba, illustrates two factors that have almost immediate impacts. The cessation of operations by the private-sector interest had an impact on the supply chain and on the economy within the surrounding area. It cascaded quickly to other events, such as the closure of the Canada Border Services Agency (CBSA) office in the town due to a lack of need for operational support. The damage to the rail line also has an immediate impact that will last some time (before repairs can be effected), but which is also related to the first impact. The question will be whether there is adequate economic demand for a restoration of full services without the seaport. Consequently, it is not enough to simply look at these impacts as being completely isolated from each other. One might propose looking at the impacts more in terms of constructive and destructive interference between waves, where two impacts collide and create a far more significant or difficult situation.

We are also witnessing two levels of impact, particularly within life safety environments. The first of these is the impact that we all see: the fallen bridges, damaged roads, and so on. These are not new and are well worn. The next level of impact, however, is associated with the level of trust that the infrastructure will perform as expected. For example, people used to be able to count on being able to at least go to an emergency room if they needed medical attention and there were no other options.
In Canada, conditions now exist where hospitals have actually closed their emergency rooms for certain periods of time (or even whole weekends) because of staff shortages.9 The demand for emergency services has not changed; however, where the system is offering capacity to meet that demand, it is finding that the added load is overwhelming the locations that remain open.10

Impacts based upon trustworthiness may not be within the span of control of the companies actually providing the capacity to meet demand. A recent outage in Canada involving a major telecommunications provider impacted a number of services, including 911 emergency services and certain financial organizations. The affected organizations were not in a position to address the impacts directly; nevertheless, there is an argument that public confidence in their services was eroded as a result of the event. People trusted the 911 service because it was supposed to be always available by law. Because the service was not available, additional pressure has been placed upon the industry for increased assurance that similar situations will not arise in the future.

Generally, at the local level, four classes of impact are observed.

The first are delaying impacts, which slow the inward flow of something into the system. This is seen when warehouses fill: at some point the warehouse is full, but we still need to store the material.

The second involves the concept of lag. This category of disruption describes the condition where something else is slowed down because the necessary amount of inputs is not being received.

Finally, at the other end of the spectrum, the system will attempt to balance itself through either the third class, push (seeking to find new demand), or the fourth class, pull (seeking to find surplus capacity that can be aligned against unmet demand).

While push, pull, lag, and delay may operate independently at a conceptual level, greater care needs to be taken to identify conditions where a single event can lead to multiple impacts. Currently, many networked environments have been making significant efforts to “fit more capacity into the same space,” so as to get the best return on investment from the use of infrastructure. This is clearly evident in the transportation system (more efficient switching systems, intermodal systems, freight forwarding), in electronic networks (increasing bandwidth, compression technology, and multiplexing), and in centralization.11 The consequence is that the push-pull-lag-delay model now operates at multiple levels. The disruption of a node or conduit may not just affect something coming into the system; it is increasingly likely to affect movement in the opposite direction as well. This is not new, but it is becoming far more apparent.

Another aspect comes from the fragility inherent in fringe communities, or communities that have not matured to the point where they have robust, resilient, and redundant infrastructure. This can take the form of new communities, but also of new activities within existing communities that place additional demands on them. One might postulate that we will see several working examples of this in the expansion into the North.

An impact that is becoming far more prevalent across a number of sectors might be referred to as “load shedding,” a term borrowed from the electrical power community.
In the electrical sector, as the term is used here, this involves distributing generating capacity so that the loss of any one source is reduced in severity. (Strictly, power engineers use load shedding for the deliberate dropping of demand to match the generation that remains; spreading production across many smaller sources is usually called distributed generation. Both aim to keep a single loss from becoming a catastrophic one, and the concern that follows applies to either.) At the same time, however, it introduces several new layers of “moving parts” that can, if not balanced and managed appropriately, lead to their own issues in terms of cascading impacts. While the electric grid has seen this in terms of solar farms, personal generating capability, and similar programs, it is evident in other sectors as well. We are now seeing increases in the number of community gardens, local water supply and purification schemes, outsourced services, and small service providers in telecommunications. As these distribute capacity while reducing the probability of a catastrophic failure at one level, they can also come at the price of increased instability, or even vulnerability, unless carefully coordinated at levels that include technical, scientific, and regulatory oversight.12

2.3.4 Relevance to CIP

The concepts of push, pull, lag, and delay are becoming increasingly understood at the local level. They were first established in the bodies of knowledge associated with supply chains and logistics, then moved into the realm of BCP, and are now better understood in the realm of CIP. The divide currently lies between the local and regional (small system) levels when one looks at the CIP services that have stemmed from concepts such as force protection and infrastructure protection. Today, the reader will find no shortage of integrators and information management services, both proprietary and cloud-based, that allow this level of interaction and integration. These systems range from fully integrated hardware and software solutions (where one system handles all elements) to specific or proprietary services that allow formerly independent activities to be linked through dashboards, information management systems, domain awareness systems, or even systems that allow for the formation, management, and dissolution of communities on an issue-by-issue basis.

2.3.5 Push, Pull, Lag, and Delay in the Network Environment

The concept of push, pull, lag, and delay is not unique to the transportation system; it is characteristic of any system that involves exchanges. It is familiar within the energy sector in pipelines and across transmission lines, and in water systems and networks. Although these are physical networks, the same ideas have direct analogues in the logical realm: bandwidth, throughput, and buffering. For the CIP professional, an understanding of how these four elements operate is of vital importance. Fortunately, these sectors have already carried out significant research on each of them while refining their understanding of their own risks.

2.4 At the Regional (Small System) Level

Returning to the first principle, we find that the core values associated with critical infrastructure services can be prioritized in the order availability, integrity, and confidentiality as we migrate to a smaller system, usually at the regional level. Understanding what push, pull, lag, and delay mean within that small system plays a vital role in the ability to assure the delivery of critical services, now being thought of in some circles as critical infrastructure assurance.

2.4.1 Influence at the Small System Level

When attempting to assure these services, it is most important to understand how these concepts operate at the small system (regional) level. Consider that each node (or intersection) and each channel (or conduit) can handle only a certain capacity. If there is no release for the surplus demand (e.g., through a release of pressure), then the system simply operates as best it can. Beyond that, however, the system begins to clog as the surplus demand that cannot be handled attempts to find other options and, if this is not possible, remains in place. This can be seen quite clearly in most metropolitan traffic congestion. A route can handle a certain number of cars in a certain amount of time. When that level is exceeded, the route begins to fill. When the space between intersections is full, cars cannot pass through the intersection, or block it, compounding the problem, and the system begins to fill. In response to this situation, certain jurisdictions have established Emergency Detour Routes or Emergency Diversion Routes that are intended to bypass disruptions (see Figures 2.1a and b and 2.2).13

Figures 2.1a and 2.1b The signs shown are used to divert traffic during an evacuation when there is flooding. Source: Iowa State Department of Transportation.

Figure 2.2 The sign shown is used to divert traffic during an evacuation when there is an expected hurricane. Applicable to all coastal states, including Hawaii. Source: NOAA.

What becomes important at this point is the ability to identify that a disruption has taken place, find alternatives that can release the pressure, and then route or reroute the demand onto those alternatives. The release of pressure, if balanced correctly, allows the system to break the cycle of cascading and expanding failure and regain the delicate operating balance between capacity and demand. Two factors have a serious influence on this. First, what if there is no surplus capacity available in the system? In this instance, the system fills, and a full system denies any further movement through it. Second, can the surplus capacity that does exist actually be reached from the point of disruption? If not, the routes between nodes fill as a result of the surplus demand, and here again the impact cascades and expands.

One aspect the reader may want to consider, particularly as more services are layered on the same infrastructure, is the prioritization of services. This concept is already well known in the telecommunications sector, where certain numbers are identified as priority numbers that either must be maintained or must be restored first. The identification of routes for emergency vehicles and the identification of zones for critical service restoration fall into the same category and are a natural part of the prioritization of disaster recovery and business resumption. For the individual, it means that community-level services are restored before individual services, something individuals may want to consider when deciding how long they should be able to sustain themselves before assistance arrives.
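The fill-and-reroute behaviour described above, as an added example that is not part of the book: a small Python model of nodes joined by capacity-limited conduits. Demand is placed along a route with spare capacity; when a conduit is lost, the demand it carried looks for another route; demand that cannot be placed parks at its source (the lag and delay of Section 2.3.3); and a node whose parked demand exceeds its buffer blocks everything routed through it, which is the cascade. Opening a detour conduit and retrying the parked demand is the release of pressure. The nodes, capacities, buffer size and flows are all constructed for the illustration; the conduit X->D exists only to show surplus capacity that is present in the system but cannot be reached from the disruption.

```python
from collections import defaultdict, deque


class Network:
    """Nodes joined by directed, capacity-limited conduits carrying flows."""
    def __init__(self, buffer=0):
        self.cap, self.load = {}, {}        # (u, v) -> capacity / current load
        self.out, self.backlog = defaultdict(list), defaultdict(int)  # edges; parked demand
        self.flows = {}                     # name -> {"src","dst","amount","route"}
        self.buffer = buffer                # parked demand a node absorbs before it blocks

    def add_conduit(self, u, v, capacity):
        self.cap[(u, v)], self.load[(u, v)] = capacity, 0
        self.out[u].append(v)

    def find_route(self, src, dst, amount):
        """BFS over conduits with spare >= amount, skipping blocked intermediate nodes."""
        seen, queue = {src}, deque([[src]])
        while queue:
            path = queue.popleft()
            u = path[-1]
            if u == dst:
                return path
            for v in self.out[u]:
                if (v in seen or self.cap[(u, v)] - self.load[(u, v)] < amount
                        or (v != dst and self.backlog[v] > self.buffer)):
                    continue
                seen.add(v)
                queue.append(path + [v])
        return None   # surplus may exist somewhere, but not where this demand can reach

    def _apply(self, name, sign):
        """+1: route the flow, or park its demand at its source; -1: undo that."""
        f = self.flows[name]
        if sign > 0:
            f["route"] = self.find_route(f["src"], f["dst"], f["amount"])
        if f["route"]:
            for u, v in zip(f["route"], f["route"][1:]):
                self.load[(u, v)] += sign * f["amount"]
        else:
            self.backlog[f["src"]] += sign * f["amount"]
        f["route"] = f["route"] if sign > 0 else None
        return f["route"]

    def add_flow(self, name, src, dst, amount):
        self.flows[name] = {"src": src, "dst": dst, "amount": amount, "route": None}
        return self._apply(name, +1)

    def disrupt(self, u, v):
        # Lose conduit u->v: flows on it seek alternatives, then the cascade runs.
        hit = [n for n, f in self.flows.items()
               if f["route"] and (u, v) in zip(f["route"], f["route"][1:])]
        for n in hit:
            self._apply(n, -1)
        del self.cap[(u, v)], self.load[(u, v)]
        self.out[u].remove(v)
        for n in hit:
            self._apply(n, +1)
        self._settle()

    def _settle(self):
        """Cascade: displace flows routed through a node that has blocked, until
        stable. Parked demand only grows in this loop, so it terminates."""
        changed = True
        while changed:
            changed = False
            for n, f in self.flows.items():
                if f["route"] and any(self.backlog[x] > self.buffer for x in f["route"][1:-1]):
                    self._apply(n, -1)
                    self._apply(n, +1)
                    changed = True

    def reroute_stalled(self):
        """Release of pressure: retry parked demand once alternatives exist."""
        moved = []
        for n, f in self.flows.items():
            if f["route"] is None:
                self._apply(n, -1)
                if self._apply(n, +1):
                    moved.append(n)
        return moved


def scenario(open_detour=True):
    """Constructed case: two ways from A toward D (one nearly full), a conduit
    X->D with ample surplus that A cannot reach, and a flow from Z through A."""
    net = Network(buffer=5)
    for u, v, cap in [("A", "B", 10), ("B", "D", 10), ("A", "C", 5),
                      ("C", "D", 5), ("Z", "A", 5), ("X", "D", 50)]:
        net.add_conduit(u, v, cap)
    net.add_flow("f1", "A", "D", 8)   # A-B-D
    net.add_flow("f2", "A", "C", 4)   # leaves A->C with spare capacity 1
    net.add_flow("f3", "Z", "C", 1)   # Z-A-C, passing through A
    net.disrupt("B", "D")             # f1 strands, A fills past its buffer, f3 stalls
    moved = []
    if open_detour:                   # an emergency detour route B-E-D opens
        net.add_conduit("B", "E", 10)
        net.add_conduit("E", "D", 10)
        moved = net.reroute_stalled()
    return net, moved
```

Running `scenario(open_detour=False)` leaves f1 parked at A (backlog 8, above the buffer of 5), which blocks A and in turn strands f3, whose route passed through A: one lost conduit has produced a second failure upstream, even though conduit X->D is sitting at 50 units of spare capacity. With the detour open, `reroute_stalled()` places f1 on A-B-E-D, A's backlog drains, and f3 is placed again.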

2.4.2 Current Efforts and Research

As the reader will soon see, the legislation, regulation, and other forms of oversight regarding the local layer of critical infrastructure have evolved somewhat since the first edition of this book. The first significant line of research has focused on the concept of interdependencies. An interdependency exists where the output of one system is reduced, and that reduction causes an impact in another system: for example, a loss of fuel production impacts the transportation sector, or a loss of electrical power affects telecommunications. For those involved in BCP, interdependency may appear complicated from an operational viewpoint but is relatively simple to accept at a theoretical level. The challenge is that the concept of interdependencies is approaching a situation much like cancer research. Most of us understand that the term cancer actually represents a significant number of different diseases. As a result, one might fund “cancer research” (and we would certainly not discourage you from doing so) without a clear sense of which form of cancer is being researched. The same might be argued for interdependencies (see the example reports within the footnotes, especially the one from Idaho National Laboratory14).

The second challenge is associated with the concept of network fragmentation and dissolution. Since the first edition, significant work has been carried out in the transportation and energy sectors to try to understand how a disruption in one part of the system impacts the rest of it. For some, it is simply akin to the butterfly effect, an assumption that may hold true for nearly inconsequential parts of the system, such as a terminal or isolated node. Disruptions at major infrastructure points, on the other hand, may become apparent quite quickly, as the impacts flow through the various connections and begin to influence capacity at other locations. Documentation was published through the U.S. Department of Homeland Security’s Transportation Security Administration fairly early on, and more recently entire works have been dedicated to the use of technology such as intelligent transportation systems as a safeguard against this type of issue.

2.4.3 The Interdependency Hydra

We have alluded to the fact that the term interdependency is now used to describe a number of states within and between networks and their interrelation with other systems. Research into interdependencies has now taken on a six-dimensional model. The first three dimensions are the spatial dimensions of the physical domain. The fourth is time, in terms of operations and similar factors. Newer research is focusing on the fifth and sixth elements: the fifth is the interrelationship between administrative structures and organizations, while the sixth is the influence of logical topology and geography on outcomes. One particular area of concern in this regard is the expansion of concepts such as cyber war, and whether a cyberattack against what may be a legitimate military target can actually have an impact similar to that of a weapon of mass destruction.

When considering interdependencies, one might argue that there needs to be a basic understanding of how the impact flows between or across sectors. As a basic system of categorization, these might include the following:

◾ Interdependencies flowing out of one system (the host) and impacting an independent system, where the impact does not cycle back onto the host. Strictly, this is a dependency rather than an interdependency. The number of dependencies that are purely linear in this respect now appears to be relatively few, and they relate more to the disruption of noncritical services. For example, if a doctor’s cellular service were to become unavailable while the service overall remained available, this would not impact the critical services provided by the healthcare system.

◾ Interdependencies flowing out of one system (the host) and impacting a system that provides a direct good or service back into the host, leading to an elevated rate of deterioration attributable to the initial disruption. A recently observed scenario that supports this factor is the disruption of an entire communications network servicing multiple critical infrastructure sectors and their services. This outage resulted in the unavailability of critical services such as 911 emergency call centers. The disruption of the entire telecommunication system affecting 911 centers in certain areas is one that has both linear and cross-sector impact. The 911 service being impacted creates a looping effect that is largely singular in nature (i.e., once the impact happens, it stays at about the same level until it is fixed).

◾ Interdependencies flowing out of one system (the host) and impacting a system that then provides a service to another sector, which in turn has an influence on the host. This form of impact has revealed that there are now four primary sectors: Transportation Systems, Energy, Communications, and Financial Services.15 Where an event impacts a sector and then begins to cascade within these four key infrastructure sectors, recovery becomes a very complex issue. This interdependency involves other sectors that are co-dependent on at least one of the four key infrastructure sectors.

There is still a significant amount of work to be done with respect to the proper categorization and definition of these types of events. The questions that persist across the blogs and discussions where researchers communicate continue to center on a general acceptance that some of the underpinning principles appear to be common but are still difficult to quantify.
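The three categories above, as an added example that is not from the book: a Python dependency map in which an edge from X to Y means a disruption in X flows to Y. For a chosen host, the code separates systems the impact reaches but that have no path back (the first bullet, a plain dependency), systems that feed straight back into the host (the second bullet), and longer cycles that return to the host through other sectors (the third bullet), flagging cycles that pass through one of the four key sectors named above. The sector map SAMPLE, including its 911 dispatch and Hospital entries, is constructed for the illustration and is not data from the book; the four key sectors are the ones the text names.

```python
from collections import deque

# The four key sectors named in the text (Section 2.4.3).
KEY_SECTORS = {"Transportation Systems", "Energy", "Communications", "Financial Services"}

# Constructed dependency map: an edge X -> Y means a disruption in X flows to Y.
# The sectors and links are illustrative, not data from the book.
SAMPLE = {
    "Communications": ["Energy", "Financial Services", "911 dispatch"],
    "Energy": ["Communications", "Transportation Systems", "Water"],
    "Financial Services": ["Energy"],
    "Transportation Systems": ["Energy"],
    "Water": ["Hospital"],
    "Hospital": [],
    "911 dispatch": [],
}


def reachable(graph, start):
    """Every node an impact starting at `start` can flow to (BFS)."""
    seen, queue = set(), deque([start])
    while queue:
        for v in graph.get(queue.popleft(), []):
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return seen   # contains `start` itself only if the impact cycles back


def cycles_through(graph, host, max_len=6):
    """Simple cycles that leave `host` and return to it (bounded DFS)."""
    found = []

    def walk(path):
        for v in graph.get(path[-1], []):
            if v == host:
                found.append(path + [host])
            elif v not in path and len(path) < max_len:
                walk(path + [v])

    walk([host])
    return found


def classify(graph, host, key_sectors=KEY_SECTORS):
    """Sort the systems hit by a disruption at `host` into the text's kinds:
    linear dependencies (no path back to the host), direct loops (host <-> X),
    and indirect loops (host -> X -> ... -> host), flagging indirect loops that
    pass through one of the four key sectors."""
    impacted = reachable(graph, host) - {host}
    feeds_back = {n for n in impacted if host in reachable(graph, n)}
    cycles = cycles_through(graph, host)
    return {
        "linear_dependencies": sorted(impacted - feeds_back),
        "feeds_back": sorted(feeds_back),
        "direct_loops": sorted(c[1] for c in cycles if len(c) == 3),
        "indirect_loops": [
            {"cycle": c, "via_key_sector": any(n in key_sectors for n in c[1:-1])}
            for c in cycles if len(c) > 3
        ],
    }


if __name__ == "__main__":
    for host in ("Communications", "Water"):
        print(host, classify(SAMPLE, host))
```

For the constructed map, a disruption at Communications reaches six systems, but only 911 dispatch, Water and Hospital are plain dependencies; Energy loops straight back, and Financial Services returns to the host by way of Energy, a cycle entirely inside the key sectors. Whether a real map has "relatively few" purely linear dependencies, as the first bullet asserts, is exactly the question `feeds_back` answers for it.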

2.4.4 Network Fragmentation and Dissolution

The concept of interdependencies and cascading impacts has also worked in parallel with, and even contributed to, a growing amount of research into the fragmentation and dissolution of networks. Much of this still focuses on mathematical models and on translating results from informatics systems into physical infrastructure. Again, there is merit to this research: where such concepts translate gracefully into the physical domain, they are worth keeping. Where a concept is discounted, the results of the research still have value in that they can narrow the focus of other research based not on pet theories or whimsical intuition, but rather on sound scientific bases. For those entering the arena of critical infrastructure assurance, the concept of network fragmentation and dissolution is relatively simple to explain, if one does not get bogged down in the complexity. Consider capacity and demand. Where there is a surplus of demand, it will seek out spare capacity (and where there is surplus capacity, demand will be sought to fill it). This goes back to what was discussed in terms of how impacts affect the small system level.

What has become increasingly important to researchers is the ability to predict how a system will collapse and break apart. This is important for two reasons. First, a predictive model enables effective preventive measures (focusing on the robustness of the system); second, it allows mitigation and response strategies (focusing on the recovery aspects) to be pre-positioned. To return to the traffic congestion example, this is somewhat akin to being able to identify where the traffic jam is most likely to appear next. It is perhaps fortuitous that this research has coincided with difficult economic times, because both the United States and Canadian administrations appear to have committed to significant infrastructure upgrades as part of their economic recovery packages. Prudent planning would involve a forward-looking approach that identifies what capacity will be needed, rather than simply restoring overburdened infrastructure to its original design.

These difficult economic times can also spawn issues at another level of interdependency. Consider the competition between nations for global influence and economic position. While military conflict may involve a range of hostilities, other avenues can be taken to achieve similar ends. Instead of breaching the security controls over highly protected systems (such as satellite surveillance systems used for military reconnaissance), could the same ends not be achieved by gaining control over the proprietary information of value by purchasing the companies involved in its manufacture? At the time of drafting this edition, this debate is very much at the forefront of certain communities as a result of the sale of this kind of company to a country that is known to be in direct competition with a number of national and allied interests, including the potential for military conflict in the South China Sea. Taking this new level of complexity and interdependency into account will likely become a growing concern as a multipolar political environment emerges.

2.5 Cyber as a New Domain in Conflict

In addition to the physical and operational safeguards, the concept of cyber warfare has moved to the forefront of many critical infrastructure issues. Outside of Hollywood’s extrapolation of potential events, the world has seen clear examples of the results of coordinated cyberattacks in Estonia and Georgia as part of political and military campaigns. Cyber warfare has now become mainstream to the extent that certain countries have set up dedicated cyber warfare units. We have also seen indications that nation-states are willing to combine traditional warfare tactics with cyber warfare as a means of being ready to compromise other countries’ infrastructure. Instead of destroying the infrastructure, attacks now include a focus on disrupting its capacity to meet demand. Combined with a strategic approach that uses the full scope of military, economic, political, and social power, we can now argue that there is a significant blurring between what may be described as intense competition and conflict.


We are also seeing criminal tactics used as a means of fundraising, while cybercriminals launch increasingly large-scale and financially lucrative attacks. These types of attacks are categorized primarily on three factors: (1) denial of data, (2) denial of access, and (3) denial of operation. Denial of data (such as financial records, employee records, and contact information) involves the use of tools (such as encryption, as in ransomware) to prevent legitimate use by the targeted organization(s). Denial of access involves removing the ability to control critical systems while allowing those systems to continue operating; this could prevent operators from intervening under emergency or safety-related conditions. Denial of operation involves the disruption, shutdown, or destruction of critical operations. In contrast to denial of access, here the loss of the critical operations themselves is the hazard. We continue to witness groups acting on ideological beliefs that use a range of tactics to bring what they consider to be awareness to issues of social or societal importance. Some of these groups have taken direct action that would normally be reserved for state intervention (such as the group responsible for the June 27, 2022 attack on the Iranian steel industry).16 This conflict arena has taken on additional importance. There is now increased recognition within industry and government that if key resources (this term is chosen specifically to align with BCP approaches) are connected through Internet-enabled technology, cyber-related threats to those key resources need to be recognized and addressed. This includes not only the organization’s business systems but now extends into the organization’s supply chain.

2.5.1 The Pendulum of Convergence

Convergence, simply put, is the gradual integration of physical and logical infrastructure. For those without degrees in architecture (logical or physical), it may be described as the gradual march onto the network-enabled system. Convergence is being driven by two interrelated variables.

The first variable is the need for increased efficiency and situational awareness. This is a direct result of the need to be increasingly competitive on a global stage. Where North American markets used to be serviced by North American companies, one might argue that the past 35 years have essentially destroyed that concept, particularly when considering supply chains and offshore production. As a result, there is an increasing intolerance for isolated or stand-alone systems that cannot be expanded as operationally required or as management wishes.

The second variable is change in technology. While analog systems continue to have a very limited presence in many systems, one must also note that the system is moving past the simple TCP/IP, point-specific architectures that make up the traditional star, hub, and similar topologies toward those more aptly described as fully connected or mesh structures, which are prevalent in cloud-enabled technologies. This next evolution of capabilities is a significant challenge to organizations that have to rethink continuity of operations and business continuity plans, as some of their critical services are now subscribed to rather than owned (such as software-as-a-service). The end result, however, is the deployment of key resources using a type of technology that may, if not treated carefully, be subject to the same types of attacks that were present within the context of cyberterrorism, but with much greater impact should these centralized clouds be disrupted.

These two factors, the increasing pressure toward network-enabled systems and the decreasing supply of those able to work in the older logical environments, will likely change the face of physical security and enterprise security. Convergence does not simply mean a change in the application of technology; it also requires a change in organizational culture and in personal approaches to the issue of security. Some of the basic concepts will, of course, be consistent. As we look at how issues are identified, problems are scoped, challenges are met, and solutions are applied, however, the traditionally diverging IT, physical, and personnel security communities will be forced back to the same tables. At least one federal department in Canada and another in the United States have actually created a condition in which a cybersecurity expert has to be directly involved in the design of any physical security infrastructure. Although the security industry is in for some interesting years as the various elements in these communities go through the normal processes of storming and finally norming, the end result for industry may well be worth the effort if both sides remember the primacy of operations.

2.5.2 Convergence and the Understanding of Threat

Convergence will also affect how threats are considered within an organization. The all-hazards approach has been front and center in the past, but its application has largely looked at the surface layers of threat. For example, keeping a cybercriminal at bay was a matter of installing a firewall, whereas keeping a prowler out was a matter of locking the door. Today’s criminal, however, has access to both sets of tools, and with the change in technology it may be that the prowler is unknowingly working for the cybercriminal and has access to complex tools specifically conceptualized, designed, and used for defeating security infrastructure through logical means. Within the modern context, the cyber threat is now being looked at in terms of all seven layers of the OSI networking model, and not just those that may affect the transport, session, presentation, and application layers. Physical and insider threats are now being looked at in terms of their ability to manipulate configuration and the protection of all layers, not only those that exist in electronic form. At the same time, there are increasing efforts to understand the relationship between traditional security controls, IT security measures, and those involved in the various control and automation technologies.

One element of this involves the concept of bi-directional threats, including in the realm of SCADA and control systems. While a significant amount of research looks at the potential impacts of a threat moving from the central processing capabilities (where operations are controlled from) out to the perimeter of the network, the increased pressure to integrate memory and processing capabilities onto these networks is beginning to raise the question of threats that originate on a peripheral device and attack the central processor. This is currently much more prevalent in the physical security community, where the integration of memory and processors into field devices such as cameras and access-control readers has opened up potential threat vectors. The pressure to integrate operational, control, and automation systems into networked environments will only compound this challenge.

This can best be described through three divergent threat scenarios, each of which intersects with the critical infrastructure and key resources domain. First, consider the Federal Bureau of Investigation (FBI) report of December 3, 2008, which identified another threat to U.S. infrastructure: the theft of copper, fed by increasing demand for the metal, including in overseas markets.17 Although it may be argued that all network infrastructure runs on fiber optics (it does not), it should be noted that this is not the type of traditional threat that would appear on a technical vulnerability analysis. The second threat involves personnel. Again, the FBI published (December 16, 2008) a report describing how certain elements of organized crime were able to infiltrate, through financial means, seaports along the East Coast.18 In this case, the threat vector was not asset based but personnel based: the gradual entrapment of individuals who had been given access.
Finally, in a similar report in CSO magazine, a network administrator was able to establish himself as the key source of control over much of a city’s network infrastructure.19 These three events show how a potential adversary could gain control over key resources using indirect methods.

Of significant concern today is the concept of the hybrid attack. As noted earlier, changes in technology and the availability of more and more processing power are leading to situations in which adversaries have a wider array of tools at their disposal. Organizations that concentrate their security effort on one of the personnel, information, or physical safeguards, leaving the others more exposed, are at risk of an attacker identifying, examining, and finally exploiting that weaker area. Consider, for example, a meeting room in a public area. On one hand, the fact that it is intended for public access and resides outside the more sensitive work areas is good; on the other hand, one has to examine whether the IT infrastructure installed in that boardroom is sufficiently hardened, so that an attacker does not simply bypass the physical security infrastructure by using the network connectivity to pass through the barrier, much as one might crawl over a dropped ceiling or defeat a weak lock. In practice this means treating the room’s network ports as untrusted: unused ports disabled, and live ones either confined to a segregated guest network or gated by port-based authentication (802.1X) rather than patched straight into the internal network. Although hard connections are reasonably simple to address, the propensity of several organizations to move toward wireless access points or capabilities means that the physical security expert will have to look not only at the physical design, but also at how to establish the necessary levels of shielding and standoff, particularly if the adversary can simply sit in public areas where it is difficult to control his or her activities. Combined with this is the increasing availability of new technology, including surveillance devices, which challenges even this concept, with the cost of significant surveillance packages now within the reach of the individual and not simply limited to larger organizations or nation-states.

2.5.3 Fragility

Given a basic understanding of some of the pressures within the system and some of the upcoming challenges associated with understanding how the infrastructure is protected, we can begin to look at fragility. Fragility, in this context, is not mystical; the idea has been present in fields such as reliability engineering for some time. Fragility can be described as the propensity of something to fail. At the local level, this aligns reasonably closely with the risk of loss associated with availability and, as a secondary factor, integrity. In practice, it can be divided into three major categories.

The first category refers to the design of objects. When an engineer designs something, he or she indicates some level of assurance that the design will actually perform as intended. This is largely tied to the amount of effort spent in design, implementation, and other aspects of quality assurance. Aircraft manufacturers and other entities subject to strict safety regimes, for example, may have remarkably low tolerances for failure, while other industries, where the impacts are not so grave, may have considerably lower thresholds. Thus, if one engineer must ensure that an aircraft design will work 99.5% of the time whereas another need only ensure that a product will work 75% of the time (the figures are illustrative), we have our first significant difference in fragility: design fragility. This fragility, however, is based on averages, norms, or set ranges of conditions. Those norms or averages are used to produce the final calculated value that gives us our assurance regarding the design. We know, however, that as conditions change, they may have an impact.
Personnel may be less able to perform tasks in extreme heat or cold, assets may be susceptible to certain conditions (e.g., low humidity leading to static electricity near computers), facilities may require that certain environments be maintained, information may require certain systems for handling in order for it to be considered trusted, etc. As we look at the item being examined (similar to a target), we may find that certain inputs into the system do not perform as well under certain conditions—for example, workers in high-heat areas may not be able to exert themselves the same way. This leads to the second type of fragility, natural fragility, so named because it is based on how the target would perform within the immediate environment. As has been noted by scientists and poets alike, change is a constant within our environment. Cyclical fragility brings together the major elements discussed earlier—the concept of systems being sustained by the efforts of various inputs (persons, objects, facilities, information, and activities), the concept of capacity and

34 ◾ Critical Infrastructure

demand attempting to maintain a level of equilibrium, and finally the fragility that is intrinsic at each point of time within the system. For personnel, one must remain aware of a number of cycles. In the longer-term view, we have the current issues associated with an aging population and the impact this will have on corporate knowledge. At the same time, there is the time involved in developing bodies of knowledge and communicating them to people, such as what we are seeing with the convergence issue. Within the medium term, the life cycle associated with business and with labor contracts provides another example. At the very short and immediate end, one might even argue that the various cycles are associated with fatigue and attention spans. As one will quickly realize, many of these do not impact the security realm—but they have a significant bearing on the concept of critical infrastructure assurance when looking at potential sources of disruption. Assets face similar challenges. When engineers design things, they generally include a life cycle based on adherence to a specific maintenance cycle and without certain constraints. We see this with our cars. They are anticipated to last a certain period—but only when you do not abuse them and keep the necessary maintenance up to date. Perhaps the most advanced bodies of knowledge in this regard involve life cycle management and safety programs. These programs track the use, maintenance, and age of assets as part of a means of reducing the risk of failures that can lead to either loss or accidents. Again, this type of approach has a significant bearing upon critical infrastructure. Facilities provide a nexus between two types of cycles. The first cycle, the age and usefulness of the facility, can be linked back to the same issues associated with assets. Materials deteriorate and require replacement. Structures become outdated in terms of the infrastructure they can provide. 
Another variable, weather, plays a significant role. Again, in the longer term, seasonal changes can affect the ability of persons, assets, or activities to perform as intended. Although some of these may be reasonably innocuous (e.g., a slight change in temperature), others may be profound, such as periodic flooding or dry spells. In the short term, the simple change between day and night may lead to different levels of risk. Information and data, however, are somewhat different. In this context, operational cycles are not attached so much to natural conditions as are the routines within the organization. Consider a table associated with the movement of a container—the value associated with the movement of the container shifts as one moves across the planning stage, through coordination and monitoring, and finally into audit and review. The cycles associated with information, one might argue, are inexorably linked to the timeliness and relevance of the data and what they represent. Consider the concept of activities or supporting services. Cycles also play a factor here. There are two elements to be considered. First, as noted in the previous paragraph, the value of the supporting activities may change depending on the operational stage. For example, routines associated with backup power generation

Demand, Capacity, Fragility, and the Emergence of Networks



35

may be important during planning phases (to keep data centers operational), but may be critical during production phases when supporting operational technology controlling hazardous processes (e.g., metal forging). Second, we cannot discount the concepts of “wear and tear” and neglect. People and equipment suffer from fatigue over time. Similarly, neglecting to exercise people and equipment (such as running a backup generator) can result in components failing due to decay, drying out (e.g., pipeline seals), or seizing in place (e.g., rust). Thus, we cannot ignore that various activities are more relevant at some points than at others. These are generally associated with operations and coordination—points that permeate various systems and processes. So how do these factors impact critical infrastructure? The answer lies in the need to ensure that the critical services are, in fact, available on demand and can be relied on from a quality assurance perspective. Although this approach argues that these five categories (persons, objects, facilities, information, and activities) cover significant aspects of a process, it is still incumbent on those conducting assessments to examine each process thoroughly. The challenges associated with convergence and new ways of thinking play a significant role given that those deficiencies in current and forecasted ways of doing things lead to gaps in understanding and knowledge with respect to the risk to critical infrastructure. One significant paradigm shift has seen doctrine moving away from robustness toward resilience as a recognition of fragility’s increased importance. There is a recognition that those responsible for protecting these systems against various threats will not be able to prevent or stop all of them. There is an increased emphasis on detection and response with a focus on the goal of disrupting the threat before unacceptable levels of impact occur. 
For example, instead of looking at simply creating impenetrable perimeter controls, we see a structure, perhaps most clearly communicated by NIST SP 800-61 (the Computer Security Incident Handling Guide), that outlines concepts of containment, isolation, and remediation. Organizations, however, continue to take the easy route by outsourcing the ability to accomplish this shift, and in some cases, they are finding themselves unaware of the threats that they face.

2.5.4 Fragility and Destabilization of Systems
At the regional or small system level, all the factors cited in the previous subsection have an influence on the capacity of the system. These influences can skew the balance between demand and capacity, shifting it in ways that lead to situations involving push, pull, lag, and delay. Where these influences stem from single infrastructure points, the effect manifests itself first in that local area. Depending on the nature of the effect, it will then influence those areas around it until the system is able to naturally restore balance. The immediately impacted area will often depend on the level of capacity delivered by the infrastructure into the overall system. A relatively inconsequential or insignificant piece of infrastructure may cause some destabilization within an area


that can be corrected reasonably quickly. On the other hand, where a key piece of infrastructure is disrupted, the immediately impacted area may be much larger and the system more destabilized; for example, the removal of a central hub within a transportation system or a key power production facility. How these disruptions cascade through the system will again depend on the system resiliency and redundancy. The second consideration is where the full small system is impacted. The factors involved in this case are those that span the full system—in any of the categories of personnel, assets, facilities, information, or activities. This could also be thought of as one event actually being several events, with the impact covering the whole population’s delivering capacity. An example of this would pertain to a severe storm being considered not as one storm (e.g., single event), but as the source of multiple events. In assessing the impact resulting from these events, we need to approach them not only as a single event, but also from the perspective of a compilation of a suite of impacts. Where these are involved, the capacity in the overall system becomes diminished, again leading to disruption of the equilibrium between demand and capacity.

2.5.5 Fragmentation and Dissolution of Networks
Fragmentation and, catastrophically, dissolution of systems occur when elements of the system are no longer able to communicate and coordinate their activities, essentially becoming individual entities encapsulated within the system. Although the local level looks at this in terms of a disruption, the same can be said at the small system or regional level. Following a disruption at an infrastructure point (e.g., a facility), the next phase involves fragmentation. Although the concepts of push, pull, lag, and delay provide a mechanical description of the system-level impact, one can also divide the impacts into two broad categories. The first category concerns disruptions involving the loss of infrastructure. This category involves situations where the infrastructure essentially fails, resulting in the contribution of capacity being lost to the system. We have seen these types of events in a range of bridge collapses, failures in the surface system, manufacturing sectors, and so on. The second category involves the fluctuation in the demand and capacity when systems come back online (e.g., power surges following blackouts). We have also seen this with the resurgence of travel and the effects of the transportation system that had atrophied over the course of the shutdowns during the pandemic but was then expected to meet an exceptional level of demand when the number of traveling patrons increased. So, when infrastructure is lost, the capacity is lost, and the loss of capacity skews the equilibrium between demand and capacity in such a way that the system suffers disruption until it can rearrange itself by determining new options on how to meet the demands placed on it. What is even clearer is that this rearrangement is more akin to the swinging of a pendulum than a simple correction.


Fragmentation occurs under two conditions. First, the disruption may be at a key point that severs two parts of the system, essentially creating smaller systems until the connection can be reestablished. In this context, the concept of fragmentation comes from the loss of what could be considered a key resource. It may be characterized by a single event, and because of its localized nature, there may be a significant focus on building up the robustness in terms of its ability to withstand impacts. The second category involves conditions where the system essentially fills due to a surplus of demand combined with a reduction in capacity (e.g., the airport scenario referenced earlier). If the capacity of the system involves a rate, then that rate becomes a very important factor, particularly where the system is attempting to work at near capacity. This is where an understanding of the potential rate of performance and the actual rate of performance becomes critical. Where the rate of performance begins to drop below the potential rate of performance (often due to an impact), we can see that rate drop result in a gap between the capacity and demand that manifests itself as a form of disruption, usually resulting in a delay. A reduction in the rate of being able to handle demand is essentially a reduction in capacity—and when demand is approaching the limit of capacity, the system will begin to fill. Once the system is filled, and if the demand continues to try to exploit the capacity, it will not be able to do so. As a result, the system will gradually slow down and, if the reduction in capacity is serious enough, the operations will abruptly halt. This essentially fragments the affected area from the system, although recovery can be attained once the rate at which demand is handled allows for the system to clear itself. Dissolution of the network involves fragmentation at a catastrophic level. 
In this case, the impacts are sufficiently severe that the various components within the system can no longer communicate with each other. The end result is that the network becomes a community of individualities, unable to coordinate its activities. Dissolution of the network becomes a real risk where the network relies on a single service or a single type of service, or is subject to a sector-wide vulnerability. Consider, for example, the complex impact resulting from disruption of the telecommunication system that affected multiple infrastructures. Again, we have to return to the concept of persons, objects, facilities, information, and activities at this point. As with BCP, the concept of having single points of failure at the network’s strategic level should be anathema.

2.6 Dissolution and Convergence: An Emerging Risk
Where all aspects of an infrastructure share common characteristics or where systems rely on a common point of service, the overall infrastructure or system becomes vulnerable. What has changed is that while convergence has been traditionally put


in terms of physical and logical systems occupying or relying on the same infrastructure, we now see certain services such as data storage, processing, or even security being concentrated into single providers. This consolidation of services is essentially creating potential targets that, if disrupted, could affect multiple sectors.

2.6.1 Convergence, Network Expansion, Open Architecture, and Common Criteria
The concepts of open architecture and common criteria pose a significant challenge. By publishing the open architecture and common criteria, a determined attack planner can identify certain characteristics that are common across the system and can attempt to reverse-engineer those characteristics or criteria in an attempt to determine a weakness. Given that both of these concepts communicate on a global scale, one can only assume that this potential threat vector is likely to occur. However, the same concepts, in their development, also allow for a wide community challenge to the architecture and criteria, thereby reducing a number of the vulnerabilities in the system. The key here is in allowing for that broad and diligent consultative period before moving the overall structures into the public domain. This concept has been a challenge for cryptographers and cryptanalysts for quite some time. The result is reasonably simple: the development of new encryption methods for protecting data against unauthorized disclosure or modification follows a similar process of open publication and community scrutiny. For the critical infrastructure sectors, the principle may be similar. On one hand, the common criteria and open architecture may be globally available, but the specific and detailed information necessary to exploit something at the local level remains hidden from view. Again, however, the concept hinges on an approach that was rigorously challenged at the front and then monitored in terms of its effectiveness. Additionally, these common services now take on a level of criticality given the aggregate of what they could affect. For example, multifactor authentication relies on a stable telecommunication network. 
When we look at the number of businesses, and even people, that rely upon multifactor authentication because it is identified as a “best practice,” we see a situation where disrupting this service has the potential of impacting several infrastructure sectors. This will soon begin (if it has not already) to identify certain services as vital assets. We cannot call them critical infrastructure, as they themselves are not necessary to preserve life, etc., while at the same time, we cannot treat them as per any other asset as a result of the nature of the impacts their disruption can cause.
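The fragmentation and dissolution distinctions of Section 2.5.5 and the aggregate criticality of converged services described above can be made concrete on a small dependency network. The following Python is an added illustration, not code from the book: the sector nodes, the telecom, MFA and cloud-storage services, the links among them, and the classification thresholds are all constructed for the example, and it goes a step beyond the text by ranking services and listing single points of failure.

```python
from collections import deque

# Constructed example network (not from the book): infrastructure points tagged
# by sector, plus the shared services they rely on.  Edges are undirected links
# through which two nodes can coordinate: physical ties or reliance on a service.
SECTOR = {
    "power_hub": "energy", "substation_n": "energy", "substation_s": "energy",
    "rail_hub": "transport", "port": "transport",
    "hospital": "health", "clinic": "health",
    "bank_core": "finance",
    "telecom": "service", "mfa_provider": "service", "cloud_storage": "service",
}

EDGES = [
    ("power_hub", "substation_n"), ("power_hub", "substation_s"),  # grid ties
    ("rail_hub", "port"),                                          # rail-port link
    # every operator coordinates over the public telecom network
    ("telecom", "power_hub"), ("telecom", "rail_hub"), ("telecom", "port"),
    ("telecom", "hospital"), ("telecom", "clinic"), ("telecom", "bank_core"),
    # MFA rides on telecom (SMS/push) and gates access for finance and health
    ("mfa_provider", "telecom"), ("mfa_provider", "bank_core"),
    ("mfa_provider", "hospital"),
    # consolidated data storage used by finance, health and transport
    ("cloud_storage", "bank_core"), ("cloud_storage", "clinic"),
    ("cloud_storage", "rail_hub"),
]


def adjacency(edges, removed=frozenset()):
    """Build an undirected adjacency map with the `removed` nodes cut out."""
    adj = {n: set() for n in SECTOR if n not in removed}
    for a, b in edges:
        if a in adj and b in adj:
            adj[a].add(b)
            adj[b].add(a)
    return adj


def components(adj):
    """Connected components found by breadth-first search."""
    seen, comps = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            comp.add(node)
            for nxt in adj[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        comps.append(frozenset(comp))
    return comps


def operating_sectors(comp):
    """Sectors present in a component, ignoring the shared-service pseudo-sector."""
    return {SECTOR[n] for n in comp if SECTOR[n] != "service"}


def classify(removed):
    """Classify the loss of `removed` nodes in the chapter's vocabulary:
    disruption (capacity lost, network still whole), fragmentation (the
    network splits into pieces that still coordinate across sectors), or
    dissolution (no remaining piece spans more than one sector)."""
    comps = components(adjacency(EDGES, frozenset(removed)))
    if len(comps) == 1:
        return "disruption", comps
    if all(len(operating_sectors(c)) <= 1 for c in comps):
        return "dissolution", comps
    return "fragmentation", comps


def service_criticality():
    """Rank shared services by the number of sectors relying on them directly:
    the aggregate of what they could affect, which makes a converged service
    vital even though it is not itself critical infrastructure."""
    adj = adjacency(EDGES)
    ranking = []
    for svc in (n for n, s in SECTOR.items() if s == "service"):
        sectors = {SECTOR[d] for d in adj[svc] if SECTOR[d] != "service"}
        ranking.append((svc, sorted(sectors)))
    ranking.sort(key=lambda item: (-len(item[1]), item[0]))
    return ranking


def single_points_of_failure():
    """Nodes whose removal alone fragments or dissolves the network."""
    return sorted(n for n in SECTOR if classify({n})[0] != "disruption")


if __name__ == "__main__":
    for scenario in ({"power_hub"}, {"telecom"}, {"telecom", "cloud_storage"},
                     {"telecom", "mfa_provider", "cloud_storage"}):
        kind, comps = classify(scenario)
        print(f"lose {sorted(scenario)}: {kind}, {len(comps)} component(s)")
    print("service criticality:", service_criticality())
    print("single points of failure:", single_points_of_failure())
```

Losing the telecom service alone fragments the energy cluster from everything else, while losing all three consolidated services dissolves cross-sector coordination entirely even though every physical node is still standing.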

2.7 Marking the Journey
Up to this point, we have looked at a theoretical situation that describes critical infrastructure assurance as an overarching, system-based, mission-focused view of


how critical infrastructure sectors have evolved over time. One might ask why this appears at the relative start of the work. The answer lies in three important steps. First, we understand the nature of the changes that occurred as a result of 9/11. Many of us do not realize that the changes at that time were a fusion of the changes that followed the Y2K concerns of 1999. Second, by providing two benchmarks based on the first and second editions of this work, we can define some of the changes to date. The first edition marks a point where one might argue that Western society was in a significant mitigation phase with respect to the 9/11 attacks—the term mitigation being used in its emergency preparedness context of those immediate steps used to contain damage. The second edition came at what might arguably be at the end of that phase. Third, we understand that the business of CIP, homeland security, and similar programs will continue to evolve but are likely to do so at an accelerating rate. We have looked briefly at convergence and the challenges of an evolving hybridized (physical and cyber) threat. There is also a new pressure to address economic and social issues—it may be argued that the old way of doing business (massive contributions and spending) is about to dry up as we look at renewed fiscal responsibility and restraint. Finally, the people involved are changing—from the retirement of many of the Cold War era security specialists through the process and systems engineers who defined what we now call critical infrastructure. Thus, this final step is about looking back into the past, and then looking at what is in place today and understanding and questioning the changes that have taken place. Finally, it is about extrapolating that information into the future to best estimate what is likely to be.

2.7.1 Overview
The period following September 2001 was a period of treaties, legislation, and regulation—much of it done quickly to respond to perceived needs. The marine industry is the clearest example of this, where entirely new regimes were constructed from an amendment to a safety code (Safety of Life at Sea [SOLAS]) in response to the events.

2.7.2 Legislation: 107th Congress (2001–2002)20
As we look at the legislation that has been passed since the 107th Congress (2001–2002) and up to the 110th Congress (2007–2008), we see what may be described as the response to one block of activity. In the 107th Congress, one might argue that the focus was on immediate responses to events—particularly within the Transportation Systems Sector (particularly aviation, seaports, and pipelines), border security, dams, and the beginning of the push into cyber security. One must also note the legislation that gave rise to the Department of Homeland Security.


2.7.3 Legislation: 108th Congress to 109th Congress
We see, from the 107th Congress through to the 109th Congress (inclusively), a shift from the very general legislation to issues that are more granular. For example, in the Transportation Systems Sector, we see the initial marine security bills being general in nature, whereas in 2006, marine security was beginning to legislate the approach of layered defenses (HR4954) and increasing granularity up to 2008. We also need to understand that legislation, where none exists, can be challenging in democracies. As a result, we also see, particularly in Canada and the United States, a gradual shift from legislation to regulation through rule and measure making. There are challenges with this approach—the oversight mechanisms for each of these are fundamentally different. Although it has not been fully examined, one might wonder if there is a research opportunity for someone to examine the nature of this shift with respect to the oversight mechanisms used to create it.

2.7.4 The State Today: A Recap
First, there are significant resource issues. An increasingly interconnected world is characterized not only by increased availability of information but also by misinformation. Conflicts continue but are showing signs of greater distribution—with conflicts not being limited to major conflicts but a host of smaller regional issues. Finally, there is the challenge of the reducing tax base caused by an aging population that packs two punches—reduced income through management of fixed incomes (pensions, etc.) and lost earnings (in terms of income tax), as well as the costs to Social Security and social support programs. We have now also experienced financial strain with the response to the pandemic. Understanding that these impacts are cumulative in nature, the importance now of long-term planning and its ability to use small incremental steps should now be at the forefront for financial planners and policy strategists. In essence, one might argue that although the cupboard is not bare, we have certainly seen the back of the cupboard and realized that things cannot carry on as they have. Second, there are significant knowledge base issues. The aging population noted earlier also carries within it a significant portion of the corporate knowledge associated with the infrastructure involved. Additionally, the complexity of the increasingly interconnected world means that creating the necessary workforces to maintain these systems becomes increasingly difficult. Shortfalls in the number of capable professionals across several security domains are now very evident when looking at current hiring practices. We are also finally beginning to make the shift from an asset protection mode (some would theorize this as being a mitigation response to 9/11) back to an infrastructure assurance mode where a new level of understanding has to be overlaid on top of traditional security and protection approaches. 
The issues of convergence mean that traditionally separate communities will now be forced, through necessity


(even if to survive in the economic sense), to interact and cross-pollinate, and as we address these issues within our own community, our adversaries and competitors are working on harnessing opportunities provided in the new structure and our readiness to accept it. The public-private partnership has become the norm in many areas, but it is now evolving past those partnerships and into wholesale outsourcing. With significant portions of the infrastructure operating outside of federal, or even government, ownership, governments have had to adjust their thinking from a span of control approach (e.g., through the dictating of plans) to a span of influence approach (indicated by the shift toward frameworks).

2.7.5 Government as a Driver of Change
The regulators are now playing a new role. Where they previously restricted existing operations in the name of public safety, they are now actually driving change into the system. Consider the declaration regarding electric cars. In Canada, the Canadian government announced that all new vehicle sales would be electric by 2035. While this will certainly reduce emissions, it has far-reaching impacts in the critical infrastructure domain. Some questions to ask yourself:
◾ Will the power generation and distribution systems be able to handle this new load?
◾ How will this affect the ability to move goods?
◾ What happens if the power goes out for some reason and we lose not only telecommunications but a significant aspect of transportation?
◾ Are there any concerns about being able to generate the necessary number of batteries for the increased number of vehicles? And, how do we manage the batteries’ life cycle, including their recycling?
If the timelines remain in place, we have 12 years to figure out these issues and resolve them. Governments, as the holders of certain regulations, will also need to make significant adjustments. For example, if infrastructure is destroyed in a major storm, should it be replaced, or should it be improved? If it was already destroyed once in a storm, it would stand to reason that if we have limited resources, we spend them perhaps more wisely and not set ourselves up for another failure in the future. One might propose that this could take two forms. The first might be to require builders and developers to demonstrate that the conditions of the building code apply—or for the government to declare if there is a need to build above code. The second may be a faster cycle for reviewing codes. In other words, governments are forcing the private sector to make significant changes—at their cost—on the hope that the private sector can innovate a suitable


solution. The question is, can the government match that pace of innovation in not only its oversight role, but also in supporting the plethora of capital projects that will be necessary to translate good ideas into practical solutions? This will force a drastic paradigm shift for regulators. Traditionally, regulators simply observed their respective industry and acted based on discovered information. The new paradigm that sees government agencies and regulators nearly embedded in the infrastructure (for purposes of detecting and responding to events) means that they will be forced to either drop current practices (e.g., maintain the “status quo”), so that they can benefit from the private sector knowledge of the vulnerabilities in the system, or accept that government entities will be met with a wall of silence from the private sector, leaving them exposed to unexpected events. Thus, government entities will be forced to choose whether they want to remain in their comfortable role of an enforcing regulator, or become a partner in solving problems. As long as the government remains in their current paradigm, the fragility of our infrastructures will likely increase in scope and in intensity.21

2.7.6 Research and Understanding
For those involved in CIP, homeland security, and emergency preparedness, concepts described here are those that are openly researched in the community—concepts that are driving new technologies and approaches to infrastructure management. These concepts are currently causing friction between communities, particularly those that are firmly attached to rigid doctrines and dogmas and are unwilling to expand the breadth and depth of those approaches into new areas.

2.8 Authors’ Notes
Flexibility in thinking for the professional can be challenging—particularly when the profession demands that the professional remain compliant with a certain approach or in line with a certain body of knowledge. Today, the infrastructure and asset protection communities have a plethora of certifications that can be applied to certain aspects or sectors. Within organizations, there is a certain inertia that resists change. Pride in the organization’s culture, heritage, or traditions can be either an anchor in the storm or an anchor in the race to reach new destinations. The key is to see the anchor for what it is—a tool that needs to be applied correctly. Will organizational issues be a help or a hindrance—and can the conflicts and frictions that inevitably come with changes of culture be managed effectively, or will they pose greater vulnerability to the infrastructure in question? Finally, where does the leadership in the critical infrastructure assurance question lie? Does it lie with society and its duly elected representatives, or does it lie in


the private sector? If you have a specific answer to the question, what does this mean to the role of government and oversight? What if times change and new approaches are needed? Is our own organizational structure resilient enough to meet those challenges? These are some of the questions within this field—making it awesome in its scope and more than a little exciting in terms of its application.

Notes
1. This is being widely reported through public media outlets, such as that found at www.cbc.ca/news/canada/manitoba/manitoba-churchill-rail-service-1.4154221 on June 11, 2017.
2. www.whitehouse.gov/wp-content/uploads/2022/02/Capstone-Report-Biden.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter2/ch2ref11.pdf).
3. www.federalregister.gov/documents/2021/03/01/2021-04280/americas-supply-chains (alt URL: http://cipbook.infracritical.com/book5/chapter2/ch2ref11a.pdf).
4. www.govinfo.gov/content/pkg/FR-2021-03-01/pdf/2021-04280.pdf (alt URL: http://cipbook.infracritical.com/book5/ch2ref11b.pdf).
5. www.whitehouse.gov/briefing-room/presidential-actions/2022/01/19/memorandum-on-improving-the-cybersecurity-of-national-security-department-of-defense-and-intelligence-community-systems/ (alt URL: http://cipbook.infracritical.com/book5/chapter2/ch2ref12.pdf).
6. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf (alt URL: http://cipbook.infracritical.com/book5/ch2ref13.pdf).
7. www.federalregister.gov/documents/2021/03/01/2021-04280/americas-supply-chains (alt URL: http://cipbook.infracritical.com/book5/chapter2/ch2ref11a.pdf).
8. www.govinfo.gov/content/pkg/FR-2021-03-01/pdf/2021-04280.pdf (alt URL: http://cipbook.infracritical.com/book5/ch2ref11b.pdf).
9. www.cbc.ca/news/canada/nova-scotia/ed-er-report-hospitals-department-of-health-1.6296466.
10. www.tpr.org/public-health/2021-12-20/the-other-texas-drought-rural-healthcare-in-jeopardy-as-hospitals-shutter.
11. For those looking at this issue in the Transportation Systems Sector, consider intermodal shipping and public transportation. Containers are now double-stacked as a matter of course when moving by rail to reduce the length of trains. Similarly, double-decker buses are now being used more frequently in certain communities in order to reduce the length of road needed per person to move them, particularly into downtown core areas. Consider also the concept of home automation. Systems have evolved from wired systems, to wireless systems, to those that move command and control signals through the electrical network. The use of frequency modulation in multiplexing in order to move increased data through different distribution networks has become increasingly frequent and available.
12. One question that comes to mind involves community gardens. While local farms may be regulated, community gardens do not fall under regulatory oversight (such as the USFDA or Health Canada) that can allow for chemicals or organic materials to be inserted into the food supply chain.
13. For example, these routes (which are also referred to as “emergency detour passes,” alternatively called “emergency routes,” “evacuation routes,” or “incident bypasses”) have been established at the provincial (Ontario) or state levels (Michigan, Ohio, Pennsylvania, Arizona, to name some examples). These routes are signed to direct traffic around disruptions in order to try to relieve congestion or at least mitigate the impact of such events. An example of such signage is provided here: URL: https://www.news.iowadot.gov/.a/6a00e552358ec4883401b8d285c0ca970c-popup (alt URL: http://cipbook.infracritical.com/book5/chapter2/ch2ref15.jpg) or https://www.news.iowadot.gov/.a/6a00e552358ec488340240a48073aa200d-pi (alt URL: http://cipbook.infracritical.com/book5/chapter2/ch2ref16.jpg) (courtesy of Iowa Department of Transportation), and https://www.noaa.gov/sites/default/files/legacy/image/2020/May/hurricane-evacuation-route-sign-picture-id1010998086.jpg (hurricane evacuation route signage for states impacted by hurricanes, courtesy of the U.S. National Oceanic and Atmospheric Administration) (alt URL: http://cipbook.infracritical.com/book2/chapter2/ch2ref17.jpg).
14. Idaho National Laboratory. (2006). Critical Infrastructure Interdependency Modeling: A Survey of U.S. and International Research, ed. P. Pederson, S. Dudenhoeffer, S. Hartley, M. Permann, August. http://web.archive.org/web/20150513011251/www5vip.inl.gov:80/technicalpublications/documents/3489532.pdf (alt URL: http://cipbook.infracritical.com/book3/chapter2/ch2ref10.pdf).
15. Sectors referring to an entity-specific group of industries. URL: https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors.
16. https://cyberlaw.ccdcoe.org/wiki/Predatory_Sparrow_operation_against_Iranian_steel_maker_(2022) (alt URL: http://cipbook.infracritical.com/book5/ch2ref14.pdf).
17. https://web.archive.org/web/20161218183740/www2.fbi.gov/page2/dec08/coppertheft_120308.html (alt URL: http://cipbook.infracritical.com/book3/chapter2/ch2ref3.pdf).
18. https://web.archive.org/web/20161218183828/www2.fbi.gov/page2/dec08/unirac_121608.html (alt URL: http://cipbook.infracritical.com/book4/chapter2/ch2ref4.pdf).
19. www.csoonline.com/article/437873/IT_Admin_Locks_up_San_Francisco_s_Network.
20. http://thomas.loc.gov/cgi-bin/bdquery/z?d109:HR04954:@@@D&summ2=m&|TOM:/bss/d109query.html (alt URL: http://cipbook.infracritical.com/book5/chapter2/ch2ref5.pdf).
21. www.canadiancarshipping.com/2022/04/15/canada-announces-going-all-electric-on-vehicle-sales-by-2035/.

Chapter 3

Consolidation of Power on Core Critical Infrastructure Sectors

3.1 Introduction

This chapter outlines the movement beyond national frameworks to international frameworks. This most closely reflects the international nature of delivering the services associated with critical infrastructure and moves somewhat away from the administratively driven protection of physical infrastructure. While these efforts are still at an early stage, we can perhaps track them on the basis of strategic interests (such as in energy) and economic ties (supply chains, etc.).

3.2 Meeting the Dragons on the Map

Ancient maritime maps marked the edge of known territory with statements such as “Here be dragons.”1 From an administrative and policy perspective, we are entering a period in which significant opportunities and risks are becoming apparent. With the increasing complexity of issues and the continued movement towards global supply chains, governments are arguably the de facto final authority. Governments maintain control over their sovereign territory, but in terms of the realities of commerce, trade, and critical infrastructure, they are no longer the preeminent player on the stage.

DOI: 10.4324/9781003346630-3

45

For the first element, governments have been forced into largely collaborative roles if they wish to remain competitive, and those that forget this point do so at their peril in an increasingly complex environment. While some critical infrastructure sectors may operate with a limited number of operating partners (such as the energy sector in North America), the supply chains that service this infrastructure have grown more complex. Components may originate from a range of locations and, depending on the regulatory action being taken by governments, one misapplication of regulations can result in disruptions of supply chains that carry critical parts. Prescriptive regulatory frameworks can fall into this category over time: as new threats evolve and vulnerabilities become more apparent to the adversary, an organization can remain fully compliant while having become insecure. In addition to the supply chains, the interconnectivity of systems, such as the banking/financial services infrastructure, can lead to a requirement for governments not only to protect the infrastructure, but to do so in a way that does not jeopardize the sometimes precarious balances that can affect markets. Within the realm of transportation, the varied application of international conventions by member states (such as those offering flags of convenience) may pose challenges to international bodies that are not willing to tolerate previous practices, particularly in more sensitive environments such as the Arctic. These kinds of challenges will force national or designated authorities into far more complex and collaborative roles than they are accustomed to. There is now also an extraterritorial aspect to government edicts. The recent executive orders by President Biden of the United States affect Canadian companies that participate in the U.S. Defense Industrial Base Sector.
Those that can demonstrate that they at least meet requirements equivalent to those placed on U.S.-based companies are still welcome to participate, but the consequences of nonadherence to the directive are just as severe.2 Similarly, when looking at guidance on the cyber supply chain (beyond the executive order) and at baseline standards such as NIST 800-161,3 we see a means of projecting national priorities and concerns through the supply chain participants without significant interference from national borders. To extend this further, the use of trade and supply chains as a tool in conflict has become apparent. Where nations choose to operate just under the threshold of conflict, key resources or supplies can be denied as a means of putting pressure on other nations. In Canada, the Meng Wanzhou case has been linked to Chinese decisions to block certain products, such as canola (oil and meal), soybeans, and pork. These kinds of actions mark an expansion of what is considered to be competitive posturing between nations. Russia, on the other hand, has openly looked at disrupting oil and gas shipments into Europe, a decision that could have significant impacts in terms of not only heating, but powering the economy. While there is no doubt about the nature of the conflict between Russia and Ukraine, the expansion of conflict from military to economic actions that could disrupt Europe’s critical infrastructure (loss of energy supplies impacting multiple sectors) should give Western strategists cause for concern as to how quickly these kinds of conflicts can escalate.

The second element involves the private sector lobbying the international bodies that form the international conventions which become the basis for the national laws of signatory states. As the need for collaboration increases, the ability of private interests to insert themselves into lobbying and consultative processes also increases. For example, a trade association may develop its own requirements within an industry and then promote those requirements to an international standards body; those requirements then become the basis for inclusion in an international convention. The signatory states then take the requirements back to their various legislative bodies to be integrated into law. The end result is that the private sector entity, through effective lobbying and manipulation, manages to have its requirements enshrined in legal structures, as the regulator has little to no time to examine them through the regulatory process. We are currently seeing this play out in the realm of autonomous shipping. In this context, certain segments of the industry have pushed ahead with design work even though the full scope of regulation is still in its infancy. At the time of the drafting of this chapter, IMO MSC.1/1638⁴ had just concluded the regulatory scoping exercise. One might argue that that segment of the industry was pushing ahead with design work without being able to fully identify the requirements to be met, an approach that requires the industry either to “guide” the regulatory structure or to face rework. This is why we can call this the territory of dragons (“Here be dragons” on unfinished maps during the Age of Exploration). It is not because of potential threats.
It is because these international frameworks operate at a level where their foundations are based upon the agreement of friendly competitors, with secrets held between them, and not necessarily a single altruistic interest. For example, in addition to the United States’ National Response Framework (NRF) and National Response Plan (NRP), there is the Canada-United States Action Plan for Critical Infrastructure.5 Additionally, Canada has developed a cross-sector strategy for 2021–2023.6 This document openly recognizes, in its objective, the “interconnected nature of critical infrastructure”7 and the need for collaboration across the border.8 One can also see this in the European Programme for Critical Infrastructure Protection,9 which, one may argue, is slightly more mature, given its inception through a communication from the Commission of December 12, 2006.10 When we contrast the situation in North America with that of the European Union, the potential for critical infrastructure supplies to be used as part of a more holistic conflict becomes quite apparent. In North America, we see an emerging but relatively benign conflict between Canada and the United States on the trade front (benign in that we are not talking about armed forces here, though not to make light of the regional economic impacts). While the United States imposed various forms of duties on Canadian softwood, British Columbia’s reaction was to request that Ottawa eliminate the movement of thermal coal through the Port of Vancouver. This not only had an impact on the stock price of Westshore Terminals at the time, but also called into question the stability of coal shipments to Asia.11 Another example of conduct coming under direct threat as a result of conflict involves the gas supplies moving into Ukraine from Russia. While Russian gains in the area included a number of potentially rich energy sources, including much of the Black Sea offshore reserves, the second factor involved the potential for the disruption of the gas supply to affect many of the EU countries. While as much as 40% of the EU’s natural gas is moved through Ukraine, the recent vote by the United States Senate to strengthen sanctions against those companies that support Russian energy export pipelines was criticized by both Germany and Austria as a threat to the EU energy supply. The main contrast here is one of complexity—while the Canada/U.S. dispute is relatively simple, the use of the critical natural gas supply from Russia to Europe is complex and fits into a much larger picture that encapsulates not only political competition in a multi-polar world but also an armed conflict with diplomatic and commercial implications.12 Where is the tipping point in this balance? While state actors can certainly exercise influence over the supply chains, they do so at critical political risk. For example, consider the movement of oil by pipelines in Canada. On May 29, 2018, the Canadian federal government announced its intention to buy the Trans Mountain pipeline.13 While the Canadian government had never intended to become the permanent owner of the pipeline, challenges in building the pipeline (including cost increases of 70% or more) led the federal government to discontinue its funding of the incomplete project and direct other members of the consortium to seek funds from public debt markets or the banks.
The Keystone XL pipeline project faced different challenges, but it was ultimately declared unviable following the revocation of several permits and of funding.14 What is common to both examples is the significant political controversy that plagued both projects. Considering the political capital that would need to be expended, it is not surprising that these projects were dropped quickly. In circumstances such as these, the conditions associated with updating or upgrading critical infrastructure need to be better understood in terms of their political influence. While the oil pipeline projects have illustrated the impact of environmental activism, other sectors face similar challenges originating from different sources. For example, Nova Scotia Power’s application for changes in solar generating contracts and a significant rate hike became a source of controversy to the point that the Nova Scotia provincial government declared itself an intervener before the regulatory board, threatening to block the proposal through legislation. The important part here is that the key partners in infrastructure projects (or the community) need to be able to find a more workable means of resolving disputes. This is where we see the multifaceted complexity of conflict in great detail. The Ukrainian conflict has aspects of traditional warfare, but it has expanded the concept of warfare tactics to include sanctions and infrastructure systems as weapons. In the first example, the Russian seizure of a Ukrainian nuclear power generation plant should be looked at not only in terms of its value in providing power to the European grid, but also in terms of its ability to threaten Europe’s electric grid stability through novel means. This can include aspects such as sudden fluctuations in, and the quality of, its output to the European grid, as well as the loss of its contribution to the grid. For the second example, the Russian naval blockade that prevented wheat shipments to underdeveloped countries shows how quickly this regional conflict can take on a more global aspect. In mid-April, the world’s three largest container shipping lines—Denmark’s Maersk, France’s CMA CGM, and Swiss-based MSC—suspended their bookings to and from Russia. This was one of the many sanctions that aimed to stop the Russian invasion of Ukraine.15,16 Finally, for the third example, Russian restrictions on the supply of chemicals used in the production of agricultural fertilizer in the West have created a condition where future crop yields could be in question. Western Europeans have not heeded our strong requests to maintain long-term contracts for the supply of natural gas to European countries. This had a negative impact on the European energy market: gas prices crawled upward, after which fertilizer prices immediately increased, because a significant portion of fertilizers (primarily nitrogen fertilizers) are produced using gas as a feedstock. As soon as fertilizer prices crawled upward, many plants, including those in European countries, became unprofitable, and they began to close. The volume of fertilizers on the world market fell sharply, and prices rose dramatically—quite unexpectedly, it may be said, for many European politicians.17,18 It would appear that there is a significant potential for what may be described as a near-perfect storm on this front. As state actors use sanctions and supply chains to wield influence at the strategic and political levels, and those actions impact private interests, it is possible that those private interests will attempt to protect themselves, particularly during the consultative and regulatory development processes, as best they are able. One might argue that this has been an ongoing challenge, but the primary difference here is that government and international bodies rely on these outside consultative processes, which may result in a situation where those interests take steps that essentially hijack the processes as they react to protect themselves.19 Consequently, the lines defining the roles and responsibilities between government and industry have become sufficiently blurred that it may become necessary to rethink the regulatory process to incorporate and stabilize these kinds of changes, while preserving the public interest.

3.3 Who Owns the Treasure?

While the international influence caused some discomfort for domestic groups, the current structure causes a much broader level of discomfort. On one hand, the international influence continues to appear (to some) to erode national sovereignty, and thus allow foreign interests to emerge into what were considered domestic issues. On the other hand, the inclusion of private sector mechanisms at the foundation of processes that are intended to be relatively benign creates its own level of concern. Standards organizations are intended to operate apart from political or individual interests and processes. When these processes are influenced, either through the inclusion or exclusion of participants or through the structure of the consultative process, the overall process could possibly be hijacked. The result can then be brought into diplomatic and legislative processes while being presented as the output of a neutral process free of such influence. Additionally, where guidance is lacking, industries and academics focusing on those issues have formed associations espousing voluntary compliance regimes that have, in some cases, been accepted by regulators in the absence or in lieu of formal guidance. For example, the UK has a voluntary compliance regime that has been developed for the testing of autonomous vessels, an approach that Transport Canada considers acceptable.20 Another example would be the nuclear generation industry within the United States. In this example, the lobbying organization, the Nuclear Energy Institute (NEI), collaboratively established its own set of criteria with the industry, which was eventually accepted as regulation by the U.S. Nuclear Regulatory Commission (NRC).21 However, national frameworks and their plans may be described in terms of what we want to see happen for certain sectors. They are linked to the priorities of government, which are in turn linked to the government’s responsibility to protect its overall population.
What is apparent is that these economic and defense (including critical infrastructure protection) frameworks have continued to retain divergent views, but these divergences have been reduced, in some areas, as a result of conflicts that have shown interconnections across multiple sectors.22,23 We have seen hints of this with the maritime blockade in Ukraine affecting food shipments (such as wheat) but, more explicitly, also with the interruption of energy shipments from Russia to Europe. We have also seen this, as mentioned earlier, in the use of trade sanctions in response to political conflicts or differences of opinion. Consider the nature of national security reviews in the trade structures. We are seeing these reviews within the telecommunications industry and similar industries, not only in terms of ownership but even of participation in certain sectors. While the mechanism to prevent the sale of a company to a foreign interest persists, it can be argued that this now affects corporate operations by requiring that the supply chains supporting business activities also be clear of attempts to gain access to certain activities, domains, or projects.24 International agreements are best described in terms of what we can live with. If any lesson has been taught by the recent series of conflicts, it is that even through military might and conquest, one is not necessarily assured that the outcome will be exactly what one wants. In negotiations, which are less intense than war, the goal is to be able to project your own interests outwards while protecting your core values against undue or inappropriate influence. In short, the question of national sovereignty is answered by having nations ratify agreements or include the requirements of agreements in their own legal structures. So, we all own some of the treasure—but we own it as a community of signatories and not as individual signatories.25 What has evolved since the Fourth Edition is that, with the rise of voluntary compliance frameworks, those that become involved in the generation of solutions, or at least in the tackling of such issues, are having greater opportunities to claim a larger share of the treasure. As such, this perspective does result in some erosion of national sovereignty—we cannot deviate from our agreements without making decisions that run contrary to the commitments that are part of our belonging to that community.

3.4 What Value?

The treasure can be defined by how these international agreements respond to the challenges that arise when nations are promoting their interests. This is another reason for looking at the international agreements as an evolution of previous efforts, and not a catastrophic shift in philosophies. In short, we drifted onto the right part of the map.26 The core of these agreements focuses not only on the sharing of information, but also on the establishment of shared or common requirements across certain activities. While information is still used to develop common operating and intelligence pictures, the shared requirements reflect shared risk management decisions in the management of infrastructure and supply chains that cross international boundaries. In Canada, this information sharing aspect underwent clarification in 2015 through mechanisms such as the Security of Canada Information Sharing Act, which allows federal entities to share personal information under a limited number of conditions but which essentially streamlines the ability to move that information in a more timely and seamless manner. While Canada and the United States have also expanded a number of emergency plans in support of maintaining critical infrastructure services that move between the nations, we see continuity across international agreements, but also refinements of national policies and priorities in support of those agreements. For example, the U.S. efforts with respect to cybersecurity and supply-chain security are often mirrored by similar Canadian efforts (e.g., Canada’s Bill C-26, which enables the Critical Cyber Systems Protection Act, or CCSPA).27,28,29 This dovetails nicely with the U.S. Executive Orders and the bill “S.3600—Strengthening American Cybersecurity Act of 2022.” While this is a noble effort between governments, systemic challenges continue to exist. One of these continues to be the “air-gap” between the government (often the regulator) and the private sector (the regulated). Although intelligence products are generally distributed through public (meaning government) lines of communication, the majority of security incidents and vulnerabilities reside within private sector entities. The private sector organizations often form associations (or something similar) that can come together to share information, but this often takes place within a closed context. Consequently, one can make only a general assumption that the data and information needed to generate the intelligence products is complete and accurate. This breaks the cycle of credibility that is the foundation for the policy decisions that ultimately point towards legal and regulatory reform. Closed councils and other systems that hold the regulators at arm’s length, and regulatory systems that move directly to enforcement even against those attempting to work with the regulators to find solutions, will continue to support this air-gap. If the data and information that feed into the system cannot be trusted entirely in terms of completeness or accuracy, then the decisions that are made at the policy level will be based on incomplete information. That, in itself, leads to the potential for vulnerabilities to be overlooked, to be incompletely defined (or described), or to be misunderstood in terms of their significance. The problem here can be boiled down to one question: “Who is going to blink first?” Government systems are well-entrenched in their regulatory processes and continue the argument that these processes must be fair, impartial, and consistently applied, and the general approach is that nobody in regulatory enforcement is actually “off the clock.” On the private sector side of the coin, senior management and associations will continue to protect their organizations as a matter of survival and will not simply compromise business operations that could be subject to disruptions due to increased oversight, or become the focus of increased losses through administrative monetary penalties and other regulatory enforcement tools. In short, there needs to be a way to work past the impasse.
One option involves the use of university or other academic communities that can act as the focal point of information and analysis activities. This approach was looked at both north and south of the border as part of the efforts to examine various forms of vulnerability assessments and to identify emergency management challenges. Two things became apparent. First, universities themselves are essentially business efforts, and while one might cast back to the altruistic view out of the Renaissance, one might instead see academic institutions as caught in an Industrial Age of “produce or die” with respect to research and information-based products. The second aspect is that academics, while extraordinarily intelligent in many respects, work in a very different information paradigm that involves the broad sharing of information—including, in this case, active vulnerability information; this meant that there were significant concerns that the vulnerabilities would become public knowledge before any solutions were found and implemented. The academic community, therefore, became a second air-gap in that both the government and the private sector had concerns regarding the sharing of information. Finally, as academic institutions were often in competition with each other, competition between institutions also played a factor—particularly where government funding was brought into the picture.

To resolve the impasse, the system needs to answer two questions. First, how do we move away from a competition in which the funding overtakes the work? Given that the role of government involves protecting (or assuring) the safety, security, and economic well-being of its citizens or the national interest, one might propose that governments would be the source of that funding. This also tracks with the fact that government revenues are based on taxes, which should ideally be used to support the public interest. This would alleviate a common pressure on the academic institutions and industry, which do not have the same sources of revenue. The second element involves establishing neutral territory that can operate outside of the normally competitive frame. To be clear, there needs to be some way to remove the concept of “competitive advantage” from the work involving analysis and assessment of these kinds of vulnerabilities; however, this means that what has become a lucrative market for some would have to be discontinued. This may involve establishing a commonly accessible means of obscuring the data and information so as to reduce its utility (in the sense of targeting), but leaving it intact enough to be useful as publicly distributed and available information upon which the normally competitive entities can build and promote their solutions. Those involved in the development of “open-sourced” solutions will already be familiar with this approach when developing new applications. The core difference is that this data and information would be in a published or available state that is protected, in perpetuity, as public domain information under the authority of the governments, using the existing information sharing agreements. The key to implementing this kind of system lies in understanding the value of intelligence. While intelligence can be generally useful, it is often not actionable. Actionable means that an entity (usually with some form of hostile or competitive intent) can take that intelligence and identify a means or opportunity to use it for its own advantage or to the disadvantage of the subject of that intelligence. Removing the actionable element from the intelligence product may mean that it can be communicated within the closed community of the involved academics, regulators, and industry participants, but that a sanitization process would be applied to remove specific nouns (as these identify locations, operations, or timing that may allow an attack to proceed) before the information becomes widely available. This raises the age-old challenge in security: how much security is enough, and when does it go too far? One might propose that the methodology used in both IT and OT threat profiles may be useful. In this structure, each partner would identify what specific information, and what kinds of information, should be withheld from public view. The second step involves determining what information (under “need to share” regimes) would be necessary in order to garner the best results from those analytic and assessment processes. Where such information was tagged as being too sensitive, but also necessary, closed communities would be formed that could meet both needs. The next element involves determining how to communicate that information.

While the technology necessary to “tag” information has existed for some time, it needs to be integrated into basic information management practices. Tagging involves labeling information so that its value is more readily apparent to systems and individuals. This would allow tagged information to be automatically included in, or screened out of, the information that is provided into cloud environments. While potentially counterintuitive to many information security specialists, this is one of the areas where cloud-enabled technology can be controlled within a community for the sharing of information. Linking the tags to an identity-management and access control measure that screens tagged information in or out at the subject-object level can lead to relatively significant reductions in the risk of inadvertent disclosure. Let’s look at the level of synthesis that needs to occur in today’s environment as compared to our current information sharing paradigms. The traditional paradigm involves simple data classification within established communities, based on relatively well-known operations, with consideration given to identifying additional entities that could be of value and trusted to participate within the system. If we look at this in terms of decision-making paradigms such as the Observe-Orient-Decide-Act (OODA) model, this structure is not nearly resilient or fast enough to operate in an environment that can be characterized primarily in terms of evolution and change. In the recent past, the challenge was being able to form and dissolve groups that could meet specific challenges. Today’s competitive environment, energized by the ability to gather information and communicate it far more rapidly than ever before, has moved beyond this phase to one where it is not the act of forming the groups that is critical; rather, it is the ability to set the parameters for group participation, and then to identify when to form and dissolve those groups, that has become critically important.
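The two mechanisms this section describes, a sanitization pass that withholds the specific nouns (site, operation, timing) before a vulnerability record leaves the closed community, and a subject-object screening rule that links tags on the record to the requester’s identity and community membership, are illustrated by the following added example. It is not code from the book or from any of the bodies it discusses; the tag names, the community names, the field names, the sample record, and the three requesting parties are all constructed for illustration, and the book prescribes no particular labelling scheme.

```python
from dataclasses import dataclass

# Constructed sensitivity tags for this example (not a real labelling standard),
# ordered from least to most sensitive.
PUBLIC = "public"           # releasable to anyone
COMMUNITY = "community"     # releasable only inside a closed need-to-share community
ACTIONABLE = "actionable"   # names a site, operation or timing; never leaves the community
ORDER = {PUBLIC: 0, COMMUNITY: 1, ACTIONABLE: 2}
WITHHELD = "[withheld]"


@dataclass(frozen=True)
class Field:
    name: str
    value: str
    tag: str = ACTIONABLE   # untagged data fails closed to the most restrictive tag


@dataclass(frozen=True)
class Record:
    record_id: str
    community: str          # closed community that owns the record
    fields: tuple


@dataclass(frozen=True)
class Subject:
    name: str
    communities: frozenset  # closed communities the subject has been admitted to
    max_tag: str            # highest tag the subject is cleared to receive


ANONYMOUS = Subject("public-reader", frozenset(), PUBLIC)


def ceiling_for(record, subject):
    """Subject-object rule: inside a community the subject belongs to, it sees
    up to its clearance; outside that community only public fields are visible."""
    if record.community in subject.communities:
        return ORDER.get(subject.max_tag, ORDER[PUBLIC])
    return ORDER[PUBLIC]


def screen(record, subject):
    """Return (released fields as a dict, names of the fields that were withheld)."""
    ceiling = ceiling_for(record, subject)
    released, withheld = {}, []
    for f in record.fields:
        level = ORDER.get(f.tag, ORDER[ACTIONABLE])   # unknown tag: fail closed
        if level <= ceiling:
            released[f.name] = f.value
        else:
            released[f.name] = WITHHELD
            withheld.append(f.name)
    return released, withheld


def sanitize_for_public(record):
    """The sanitization pass: the version that may circulate outside the community."""
    released, _ = screen(record, ANONYMOUS)
    return released


def leaks(released, record):
    """Verification pass: actionable fields whose value still appears in the output."""
    text = " ".join(released.values())
    return [f.name for f in record.fields
            if ORDER.get(f.tag, ORDER[ACTIONABLE]) == ORDER[ACTIONABLE] and f.value in text]


# Constructed sample record; no real site, product or incident is described.
SAMPLE = Record(
    record_id="example-0001",
    community="water-sector-community",
    fields=(
        Field("weakness_class", "Remote access gateway reachable from the corporate network", PUBLIC),
        Field("mitigation", "Segment the gateway and require MFA on remote sessions", PUBLIC),
        Field("affected_product", "Example Vendor gateway, firmware branch 4.x", COMMUNITY),
        Field("site", "Pumping Station 7, Example City", ACTIONABLE),
        Field("maintenance_window", "2023-06-14 02:00-04:00 local", ACTIONABLE),
        Field("contact", "operator on-call phone"),   # deliberately untagged: fails closed
    ),
)

REGULATOR = Subject("regulator-analyst", frozenset({"water-sector-community"}), ACTIONABLE)
PARTNER = Subject("solution-vendor", frozenset({"water-sector-community"}), COMMUNITY)
OUTSIDER = Subject("other-sector-analyst", frozenset({"energy-sector-community"}), ACTIONABLE)

if __name__ == "__main__":
    for subj in (REGULATOR, PARTNER, OUTSIDER, ANONYMOUS):
        released, withheld = screen(SAMPLE, subj)
        print(f"{subj.name}: withheld {withheld}")
    print("actionable values in public release:", leaks(sanitize_for_public(SAMPLE), SAMPLE))
```

Two design choices carry the section’s point. The tag decides what leaves, but the requester’s community membership is checked first, so an outsider with a high clearance in another community still receives only the public fields; and a field that arrives without a tag is treated as actionable, so a labelling gap withholds data rather than releasing it. The `leaks` check is the kind of verification a practitioner would run on the public version before it is distributed.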

3.5 Target Audiences

There is an old adage that you have to write for your audience. This situation is no different. While the international agreements will define how states interact with each other, the national structures and frameworks continue to be of utmost importance to commercial organizations. The question is no longer whether or not to write for the audience, but who actually is the audience. This is because the process now consists of three steps, one of which is somewhat less visible to the general population. The first step, and nearly invisible, involves the negotiation that results in the creation of an international agreement. In these cases, the designated authority from each state will represent its own public and private interests at the table. The fruit of that agreement is more directly applicable to nations than it is to the private sector. The second step is determined by the nation-state making adjustments to the requirements it places on its people. The third and final step involves the various entities that fall under the control of that state making the necessary adjustments or incorporating the necessary requirements into their own efforts. At the grassroots level, the situation does not actually change all that much. The government entities responsible for overseeing certain activities make edicts and issue requirements, and the private sector looks at those requirements and integrates them into the working environment. For this reason, the NRF remains very relevant. The framework itself may be adjusted to fit the new requirements, but it is still the cornerstone of the national program. This structure works better in some industries than in others. This is generally the result of two kinds of bodies that can write their own “variations” on the theme. The first group of bodies is the international associations that have been granted some level of authority in overseeing the activities of their members. Consider, for example, the North American Electric Reliability Corporation (NERC), which is “certified by the U.S. Federal Energy Regulatory Commission to establish and enforce reliability standards for the bulk power systems.”30 In this context, the state does not develop its own standards; it relies upon the international body to develop and enforce those reliability standards, assess their adequacy annually, and monitor the bulk power system.31 This is the first variation on the theme. Remember that the main cycle involves the regulatory body going to the international body and then integrating the international requirements. In this case, the national body has shortened the loop by essentially delegating the international body to act on its behalf. The national endorsement of the international body can be removed by the federal authority should it be determined that the international body is no longer acting in line with the national interest.
The second part of the variation involves the international authorities being able to exercise a level of direct oversight on the various individual members. Again, this occurs under the delegated authority (in this case certification) of the national body. This variation does incorporate some loss of national sovereignty in the sense that the international body interacts directly with the individual participants. The filter between the two groups is essentially removed. This is indicative of two situations—one where the overall body is clearly subject to impacts that can quickly affect the whole, and the second being where the issues are limited to technical issues. We see this in the evolution of the system following the August 2003 blackout that clearly demonstrated how far and fast impacts could spread through the energy grid.32 In this context, the requirement to maintain the electrical grid trumped political considerations, particularly during the response and recovery phases of the situation. While the issues surrounding the August 2003 blackout may illustrate a condition where the international body steps in more prominently to fill a technical role at the behest of the state, other conditions may still exist. These conditions do not involve the state delegating authority to some international body, but rather the international body assuming authority because events are occurring in a vacuum. This can be seen in the international response to piracy off the Horn of Africa. In that context, the International Maritime Organization (IMO) is charged with the “responsibility for the safety and security of shipping and the prevention of marine pollution by ships.”33 The variation on this theme involves the level of participation of the various individual actors—usually in the form of trade associations that are formed to represent certain interests. Instead of nation-states putting forward their requirements to the IMO and the IMO coordinating the overall response, one sees the IMO taking a front-seat role in the response, but with the technical details of that response largely sidestepping the national priorities, many of which were not defined, and coming from the various private sector bodies without significant participation by the national bodies. This is particularly evident in the standardized contract put forward by BIMCO34 that pushed certain of its own priorities into the international arena, using the IMO as a voice to give its position authority.35 These two variations on the standard theme reveal a critical vulnerability within efforts to protect critical infrastructure. That vulnerability can be linked directly to the observe-orient-decide-act (OODA) loop of the international body and its national participants. The OODA loop is a structure that is used to measure the speed and efficiency with which organizations can adapt to changes in their environment. While the NERC structure was able to identify the change in its environment and adapt to it reasonably quickly, the challenges associated with piracy and international shipping cannot make the same claim. The difference here lies in the level of control that is assumed by the international body. 
The NERC is very clear in that it is certified by national bodies to perform certain roles that interact directly with the individual members. On the other hand, the IMO is equally clear in its role as a coordination body that does not produce requirements, but rather issues guidance that is to be brought back to each individual nation. In short, the OODA loop involving NERC is relatively clear in that it consists of a single cycle that acts within a context set by the various certifying participants (i.e., the national bodies). The OODA loop for the IMO, however, can be described as complicated in that, as a more participatory body, it can be vulnerable to situations where the individual participants fall prey to a slow or poorly defined OODA cycle.

3.6 Expanding beyond the Traditional Response

In the third edition, the ability to respond to significant events was still emerging and still being refined. The Incident Command System (acronym “ICS,” not to be confused with “Industrial Control Systems”; from here on, the acronym “PCS,” or “Process Control Systems,” will be used in lieu of “ICS” to avoid any further confusion between incident-based systems and control-based systems) was well known, but organizations were still refining their roles, responsibilities, and authorities with respect to how they would respond to major events. Organizations had a good understanding and baseline knowledge of how to respond to traditional events. This knowledge was put into practice during a number of significant events (the 2016 floods in Louisiana, the Fort McMurray wildfires, and several localized events), and it is clear that organizations have established and are maintaining a cycle of lessons learned. For example, there were issues associated with the integration of federal (military) forces during the Fort McMurray wildfires, but during the British Columbia (BC) fires, the Minister of Public Safety was clear that such forces being deployed would fall under the BC Emergency Management organization. A new challenge has emerged within the timeframe of this edition. This challenge involves how to manage infrastructure across the public sector/private sector divide. This is not an unforeseen challenge (it was identified in the Second Edition of this work), but it is now very apparent in a number of issues today. Three examples will be considered. The first of these involves the destruction of the rail link between Churchill, Manitoba, and the rest of Canada’s national transportation (rail) infrastructure, which has left a community isolated and at risk. The second issue involves the management of expensive energy infrastructure in circumstances where the cost of operations has overtaken any return on investment—a destabilizing factor within the electrical production and distribution grids that can have far-reaching impacts across all sectors. The third element involves the current challenges in dealing with cyber-related threats that can disrupt critical services. Each of these examples points to a clear challenge with respect to moving beyond the traditional response frameworks. 
The events in Churchill, Manitoba, began in June 2017, following a severe storm that disrupted the single rail line to the northern town and cut its critical supply lines (impacting energy, food, and transportation). This event was widely reported in the news, as it was a part of a series of very significant storms that impacted central Canada in the spring and early summer.36 The rail line was formerly owned by OmniTrax, a large rail company operating out of Denver, Colorado, which had faced considerable financial challenges in operating that rail line over a number of years. The company has indicated that it has a plan that would involve the restoration of services, but it does not have the funds available to pay for those repairs and is seeking the participation of the federal, provincial, and First Nation governments in covering the costs.37,38,39 In looking at the frameworks and their maturity, there is an apparent maturity in how the framework is applied as long as it is dealing with known and previously encountered threats. The recent fires, while large and very damaging, still fall into the context of fighting forest fires—a capacity that has matured over time and long years of practice. As a result, organizations across the public and private sectors have adopted a common response framework (the Incident Command System) and have refined how they operate within that framework. The interaction between the public and private sectors in the context of critical transportation networks is more blurred and has only recently begun to be examined more thoroughly. While the aviation and maritime sectors have had security regulations for some years, the regulations for the Transportation of Dangerous Goods by rail are only now in the Gazette process (the drafting of regulations in Canada, similar to the U.S. Code of Federal Regulations) at the time of the drafting of this chapter. One might describe the current situation in the forest-fire fighting context as being in the “norming” and then moving into the “performing” phases of group dynamics, while the situation in Churchill was significantly different, such that it started in the “storming” phase and is now moving well into the “performing” phase.40 The former has clearly started processes of continuous improvement that work towards the management of issues and the reduction of risks. This illustrates a clear vulnerability in how the response frameworks are being applied. Those that administer and manage the current frameworks (such as firefighting) have not evolved the concepts to address the new frameworks that will become the norm under a range of management structures like public-private partnerships or the outright divestiture of critical infrastructure. Two factors contribute significantly to this. Within the context of governments, those that manage specific kinds of responses are often experts in either a specific issue or application (such as a Business Continuity Planner, Continuity of Operations Specialist, or Emergency Manager). Their expertise may be applied, but the mechanics of bringing into force the controls necessary to give them the authority and ability to act are cumbersome. Within the private sector, the focus continues to be on the survival of the organization (profitability) and on private interests. It is clear that the mechanism needed to bridge this gap is either not present or still in its infancy. 
It is also apparent that there is a recalcitrance on the part of both parties to take the lead in what is a very expensive effort, but it is also an issue that has a timeline, as the infrastructure continues to degrade and the conditions that affect it continue to destabilize and deteriorate. Within this context, a number of potential avenues are available to resolve this issue. The first, and likely most obvious, is an agreement with the force of law (in whatever form) that clearly defines what is considered to be critical infrastructure and whether or not the physical infrastructure being owned, operated, or divested falls into that category. The second part of this would be a set of clear expectations and due diligence checks to ensure that the organization taking control of that infrastructure both understands its responsibilities and binds the government to certain levels of support in maintaining those responsibilities. The federal and provincial governments would allow that operation to:

1. Operate with certain tax benefits to take into account the need to maintain the viability of the line.
2. Indicate a maximum level of support that they could provide in the case of disasters, and that could be made readily available.

This would require a fairly careful approach to issues such as the divestiture of infrastructure—such as that being proposed for a number of Canadian airports—and changes to how that infrastructure is regulated (a broadening of scope). One approach to this involves efforts within the energy sector, such as the U.S. Future Energy Jobs Act (FEJA). This approach sets the framework for the interaction between the energy company, the overall sector, and the various levels of government so that the roles, responsibilities, and authorities are clear. Part of this issue is becoming more apparent due to the costs associated with the operation of aging nuclear reactors—a primary source of power generation, but one which is currently challenged as maintenance costs overtake any return on investment and as natural gas becomes overabundant. This kind of legislation creates a framework that can be divided into four major elements. The first element involves support for lower-income entities to protect against rising costs of production and distribution. For example, FEJA in Illinois commits up to $750 million for low-income communities. The second element provides support to the producers and distributors to preserve the existing capacity (in terms of both production and distribution). Given that the electrical grid can be described as being in a carefully managed state of balance, preserving this capacity has local but also grid-wide implications. The third element involves the identification of new opportunities that can be explored within the sector and help in exploiting them. The final element involves setting goals and benchmarks to work with the sector to evolve past the current challenge. This level of collaboration within the energy sector is clearly lacking when we look back at the transportation sector, which has taken an approach of divestiture and cost-shedding. 
The structure evident in the FEJA approach is not limited to the energy sector. While it is clear that the transportation system could benefit from this kind of approach, other sectors (such as the water sector) could use the template of this approach as a potential roadmap for dealing with emerging and evolving challenges. Whereas the energy sector may look at the expansion into alternative forms of energy generation, the water sector may look at innovations that reduce the burden on the water supply within communities, notably in water usage and sewage treatment. To address these challenges, one might put forward the following mitigations (in the context of the emergency management cycle):

1. That the public sector (government) clearly enable legislation that allows the private sector to innovate in ways that meet public goals (such as environmental protection, reduction of waste, etc.). For example, a car wash facility would not be fined for recycling wastewater that was still usable (thereby reducing the demand on a strained water infrastructure) but would be allowed to claim tax credits that reduce its operating costs in recognition of its efforts.
2. That the public sector (government) clearly set down criteria for infrastructure that delivers critical services and create lists of infrastructures that fall into those categories, with the understanding that any arrangement for the operation of that infrastructure (publicly or privately) meets certain requirements, including continuity of operations. These lists exist in several contingency planning contexts at this time, but they have not been routinely integrated into discussions such as those involved in the divestiture of infrastructure by government.
3. That the public and private infrastructure owners establish an infrastructure bank, with the support of the insurance industry, that can maintain levels of contingency funds on one hand while also working to improve mitigation and preparedness activities that would ultimately reduce the costs associated with the response to and recovery from disasters or similar events. While this would introduce a third party into the fold, the charter for such entities could follow existing rules for not-for-profits, with the exception of the maintenance of contingency funds.
4. The fourth element involves looking at the strategic issues on the horizon (ranging from sea-level changes, flooding, fire spreading, etc.) and deciding whether or not to limit new activity that could be susceptible to those threats, to reposition existing activities that may be susceptible to those threats, or simply to accept the consequences on the understanding that those impacted have been informed of the risks they face. For example, sea-level changes and flooding are no longer expected to hold off impacting coasts for a hundred years: the National Oceanographic and Atmospheric Agency has published reports that state that, in the case of continued activity and no change, the impacts are likely to arrive as early as 2030 (if not sooner), and most major coastal cities are now aware of issues associated with the increased severity of storms and storm surges. It may be time to look at those environments and to take steps in one of the aforementioned directions so that such changes can be brought about gradually and not in a calamitous fashion.
5. The fifth element deals with the inability to meet environmental goals against current environmental obligations. For example, the California state energy grid in 2022 experienced an unprecedented number of rolling blackouts due to excessive heat and use of the electric grid for cooling.41 This, combined with the promised environmental objective that all drivable vehicles (both cars and light-duty trucks) sold be entirely electric by 2035, has raised significant questions about whether these goals and objectives can be reconciled.42 In comparison to California, Nova Scotia Power has asked the Nova Scotia Utility and Review Board to raise current electrical rates by 11.6% by 2024 to accommodate the increasing demand in its local grid. Nova Scotia Power is attempting to think forward to accommodate goals against its objectives, but the realities of what needs to happen to achieve those goals create conflicts and concerns in other areas such as affordability.43

6. The sixth and final element may be to increase the individual’s ability to withstand such events and to reduce the load on the various infrastructures. Changes to building codes can be made to incorporate the means of generating local power safely (i.e., not returning power to the grid where it could put workers at risk), reducing water consumption, incorporating practices such as those put forward under the Leadership in Energy and Environmental Design (LEED), reducing the risks associated with fire damage, and other factors.44 There are activities similar to this (such as the 72-hour preparedness kits), but such measures would be challenged when one looks at the impact associated with the 2017 ice storm in New Brunswick, Canada.

These six measures may provide a framework that can be coordinated through government and supported by industry to address the majority of issues that arose in 2016 through 2022. Cybersecurity brings to light another issue with respect to these framework challenges—that of an infrastructure that does not respect international boundaries but that operates (at least in part) with its own sense of geography and topography. This challenge can be illustrated in the recent decision by Google to challenge a Supreme Court of Canada ruling that sought to limit search engine results. Google’s contention is that such a move interferes in the national sovereignty of other nations and would be unduly restrictive on the citizens of other countries, who would, by extension, be subjected to the most stringent requirements. Canada and Google are not the only entities that have had this debate in the recent past; a number of European Union countries have had similar debates or even legal challenges. In this context, the resolution of the framework issue may be changing the approach to law. Most legal and regulatory structures use either a territorial or a national perspective. 
For example, when looking at shipping, the port state control measures that are used to enforce regulations on shipping refer to the flag state of the ship (where it is registered). Similar structures are used for aircraft. At the same time, individuals claiming citizenship may be subject to national laws even when operating abroad. Environmental laws pertaining to pipelines also tend to operate internationally based on where the specific section of pipeline is located. In the context of the Internet, however, it may be very difficult to operate in this manner. One would have to locate (conclusively) the nation where the perpetrator committed the crime, and even the crime could be distributed across several nations (such as botnets45) that could claim some form of involvement. One option would be to shift from the current approach to one that involves the passive personality theory or the protective theory, which begins with the primary jurisdiction being assigned from the nationality of the victim and not the alleged perpetrator. Once this is established, one could then exert a concept such as the Universality Theory that allows for the international character of the offense to allow for the involvement of other nations.46 In short, an attack against the national infrastructure of one country would allow for the laws of that country to claim precedence. The next step would be to work backwards towards the perpetrator, who would then be subject to conditions under the Universality Theory and then face extradition to that country or a court having international jurisdiction. A structure similar to that of the port state control system could be applied in this context. The location of the victim would act as the equivalent of the territorial waters or airspace and would mean that the state initiating the action would be clearly identifiable. The second layer would involve those states whose infrastructure was used in the attack. This would involve the country of registration for the Internet service provider or carrier, or the location of the servers (etc.) that were used. The final step would involve the refinement of the location of the attacker. At that point, the same legal structures as used in the port state control structures (which exist for other activities) would then become active, and the individual could face arrest and prosecution. This structure is very similar, if not equivalent, to that of the Budapest Convention on Cybercrime (circa 2001) and may well work as a model at a global level.47 Additionally, in December 2019 the U.N. General Assembly adopted a resolution that set in motion a process to draft a global comprehensive cybercrime treaty. Negotiations will commence in January 2022 and are expected to conclude in 2023. The initiative advanced despite a total of 93 states either voting against or abstaining from the 2019 resolution, compared with 79 votes in favor of it. The U.N., the U.S., the EU, and many States parties to the Budapest Convention made up the opposition. 
Leading digital rights organizations warned against rushing ahead with the treaty because the proposal’s treatment of cybercrime is extremely vague and open to abuse, it supplants ongoing work elsewhere in the U.N., and the process so far has excluded civil society.48 Having found a means of resolving jurisdiction, the next step is to look at the specific measures that can be applied to mitigation and preparedness. Again, the challenge here is that a significant number of parties are involved, and those parties do not necessarily share the same strategic goals, never mind operational or tactical objectives. Internet service providers will focus on private sector issues and competitive advantages, companies will look towards the generation of wealth, and governments will look more towards national issues and interests. Ultimately, the common thread is a network that operates free of unwanted intrusion and disruption. Again, the universality principles may be of benefit here in terms of categorizing the Internet as a tool in support of humanity and subject to a number of delicate balancing points (such as net neutrality). One approach to this issue may be to treat the Internet not as the Wild West, but as the High Seas. In the context of the High Seas, organizations are responsible for operating their own aspects or parts of the whole in accordance with internationally accepted principles that are enshrined in their applicable national laws. They are not, however, responsible for fixing issues “off the ship,” so to speak.

This would refine the roles and responsibilities adequately to move past the current debate over government involvement in the management of private networks—governments would set down performance-based objectives that are a condition of producing connected or connectable (such as for the Internet of Things) technology but would remain detached from basic network operations (such as the company’s file sharing server). Where an organization sought to produce goods or deliver services, it would have to adhere to the nationally driven performance goals, which may include aspects such as the following:

1. Credible and attestable identity management so that each subject and object pairing is uniquely identifiable.49
2. Appropriate access control that builds upon that identity management but that also includes reasonable authentication before the objects or services can be accessed by any particular subject.
3. Elimination of backdoors and hidden communications channels coming out of the object so as to reduce the opportunity for hidden communication channels such as those used by botnets or other forms of malware.50
4. Appropriate protection of the communications channel, through methods similar to hashing, that prevents the insertion of unauthorized or inappropriate coding into the communication channel. This does not necessarily mean encryption across all communications, but it does mean that the system has to be able to protect itself against the insertion of unauthorized material onto its network infrastructure.
5. Where the patches required are affiliated with safety-specific and automated systems (for which patch management requirements are more stringent),51,52 their application requires a set of more thoroughly tested approaches and doctrine. Even though the document cited above pertains mostly to the maritime sector, much of its content may be applied to other sectors utilizing automation systems. 
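As an added illustration of goals 1, 2 and 4 in the list above (this is not code from the book or from any vendor), the following Python sketch shows a command channel between a uniquely identified subject/object pairing in which messages travel in clear text but carry an HMAC-SHA256 tag, so that altered or injected material is rejected without encrypting the channel. All device names, keys, actions and the access-control table are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample keys, one per subject/object pairing (goal 1). A real
# deployment provisions a distinct key to each pairing during onboarding.
PAIR_KEYS = {
    ("operator-console-01", "pump-controller-07"): bytes(range(32)),
    ("maintenance-laptop-03", "pump-controller-07"): bytes(range(32, 64)),
}

# Goal 2: the actions each identified subject may invoke on each object.
ACL = {
    ("operator-console-01", "pump-controller-07"): {"set_speed", "stop"},
    ("maintenance-laptop-03", "pump-controller-07"): {"read_status"},
}

# Every field covered by the tag; anything outside this set is unauthenticated.
AUTH_FIELDS = ("subject", "object", "action", "payload", "counter")


def _canonical(fields):
    """Deterministic byte encoding so sender and receiver tag identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _tag(key, fields):
    return hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()


def seal(subject, obj, action, payload, counter):
    """Subject side: emit a clear-text message plus an HMAC-SHA256 tag (goal 4).

    Nothing is encrypted; the tag only lets the receiver detect altered or
    injected content, and the counter lets it detect replays.
    """
    fields = {"subject": subject, "object": obj, "action": action,
              "payload": payload, "counter": counter}
    return {**fields, "tag": _tag(PAIR_KEYS[(subject, obj)], fields)}


class Receiver:
    """Object side: identity, integrity, authorisation and freshness checks."""

    def __init__(self, name):
        self.name = name
        self.last_counter = {}  # subject -> highest counter accepted so far

    def check(self, msg):
        """Return (accepted, reason); the reason names the failing control."""
        try:
            fields = {k: msg[k] for k in AUTH_FIELDS}
            tag = msg["tag"]
        except (KeyError, TypeError):
            return False, "malformed message"
        if not isinstance(tag, str) or not tag.isascii():
            return False, "malformed message"
        pair = (fields["subject"], fields["object"])
        # Goal 1: only a registered, uniquely identified pairing is recognised.
        if fields["object"] != self.name or pair not in PAIR_KEYS:
            return False, "unknown subject/object pairing"
        # Goal 4: authenticate before acting; the constant-time compare avoids
        # leaking tag bytes through timing differences.
        if not hmac.compare_digest(_tag(PAIR_KEYS[pair], fields), tag):
            return False, "integrity check failed"
        # Goal 2: authenticated does not mean authorised.
        if fields["action"] not in ACL.get(pair, set()):
            return False, "action not permitted for this subject"
        # Freshness: a genuine but old message must not be accepted twice.
        if (not isinstance(fields["counter"], int)
                or fields["counter"] <= self.last_counter.get(pair[0], -1)):
            return False, "replayed or out-of-order message"
        self.last_counter[pair[0]] = fields["counter"]
        return True, "accepted"


if __name__ == "__main__":
    pump = Receiver("pump-controller-07")
    good = seal("operator-console-01", "pump-controller-07",
                "set_speed", {"rpm": 1200}, 1)
    print(pump.check(good))   # (True, 'accepted')
    print(pump.check(good))   # same message again: rejected as a replay
    forged = dict(good, payload={"rpm": 9000}, counter=2)  # injected content
    print(pump.check(forged))  # tag no longer matches: integrity check failed
    probe = seal("maintenance-laptop-03", "pump-controller-07", "stop", None, 1)
    print(pump.check(probe))   # authentic but not authorised for "stop"
```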
It must be understood that other sectors may have similar regimes that are specifically defined for their infrastructure sector and industry. The point, however, is that there is a growing effort and need to formalize the alignment between technologies that could pose public (or personal) safety risks and the baseline level of assurance (security) that those systems must offer to be considered adequately reliable. For IT systems, mandatory patch management or baseline standards associated with patch management ensure that patches are sought from and installed from trustworthy sources as they become available. The application of these five principles would become national baseline requirements that serve as the minimum standard for any appliance or service that intends to connect to the greater network community. This approach would preserve two very important aspects of the Internet. The first involves the concept of net neutrality. While the communications channels are protected against unwanted or hostile activity, the content on those channels could continue to operate reasonably independently from that system. The second element is that the network could continue to operate with some level of expectation of privacy. While there are certainly needs to detect illegal activity (such as threats to the lives of people), this is again one of those balancing points that needs to be carefully watched and protected—preventing what is a legitimate action protecting the safety and security of persons from becoming a tool used to enforce or impose inappropriate controls on people. The final element of the framework involves how security is approached. Within the protection of networks and information systems, there is an ongoing debate between compliance-based (a.k.a. feature-based) and risk-managed (a.k.a. performance-based) security. This debate is like debating which is the better part of a chocolate chip cookie—the cookie, or the chocolate chip? Risk management is vital with respect to ensuring that networks and other infrastructure are both appropriately protected and do not pose operational risks (such as through configuration and similar conflicts) to other systems. At the same time, networks and information systems work within the realm of engineering in that they follow the laws of physics and relatively set patterns of behavior. As a result, best practices and similar structures can be integrated to address specific issues. These measures operate within the overall context of risk-managed security. One might illustrate this difference by looking at the issue of bulletproof vests. One determines the need for a bulletproof vest based on less precise sciences such as those involved in policing or criminology—they are not exact sciences because they involve human intent and behavior and focus on preventing the consequences of an inappropriate act. The physics associated with stopping bullets, however, is in the realm of the physical sciences and not subject to interpretation based on those softer or less precise principles. 
The former applies to the risk-management approach, while the latter applies to the compliance-based approach. When looking at these three different challenges, the common themes are the same within the framework approach. The first common theme involves the establishment of proper governance based on the need to preserve and assure the continuity of a service or operation. The second involves putting that need ahead of the needs of the various individual participants involved in the issue. The final theme is that there needs to be a broader perspective understood and accepted by all parties involved, and certainly beyond their own individual mandates or priorities. Those themes involve the establishment of leadership based not just on authority but also on capacity, and under the auspices of making sure that critical services are, in fact, continuously delivered on time, where needed, in usable form, and for reasonable costs.

3.7 Areas of Potential Risk or Concern

Of particular concern is the potential shift of requirements from state control to private industry control. This shift is subtle in nature. Under the national systems, private sector entities would contribute to national systems that would then render out the national priorities and cycle them back as requirements, based on public priorities. With the rise of private sector associations, the nature of control is shifting, and in circumstances where less robust international controls are in place, private sector controls become more prominent. Two vulnerabilities contribute to this scenario. The first involves the lack of credible expertise that operates on behalf of the national bodies (that would check the progress of requirements falling into this category), or at least of expertise with no vested interests. The second involves organizations that have allowed themselves to become too participatory in nature, essentially shifting their focus from coordination to one of accommodation. Where these conditions can be found, private sector entities can, through their associations, move to have their own requirements (based on profit and not public interest) communicated back to the national bodies that have agreed to adopt them. This can lead to conditions where private interests are able to influence laws without having to go through the necessary checks and balances associated with the national system. With an increasing understanding that many of the infrastructures operate internationally, this risk, even if remote, must be watched for carefully. This is particularly true during difficult economic times and credit restructuring, when private sector entities will seek to gain or establish any advantage that they can.

Notes

1. The phrase “Here be dragons” (often shown in Latin as “Hic sunt dracones” on the maps) symbolizes areas that are considered dangerous or are unexplored territories, and is usually represented through the practice of putting mythological medieval dragons, sea serpents, and other mythological creatures in uncharted, unexplored areas of maps and sea charts. URL: https://education.nationalgeographic.org/resource/here-be-dragons/ National Geographic Society website, “Here Be Dragons”.
2. www.whitehouse.gov/wp-content/uploads/2022/02/Capstone-Report-Biden.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter2/ch2ref11.pdf).
3. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter2/ch2ref13.pdf).
4. wwwcdn.imo.org/localresources/en/MediaCentre/HotTopics/Documents/MSC.1Circ.1638%20-%20Outcome%20Of%20The%20Regulatory%20Scoping%20ExerciseFor%20The%20Use%20Of%20Maritime%20Autonomous%20Surface%20Ships . . . %20(Secretariat).pdf (alt URL: http://cipbook.infracritical.com/book5/chapter3/ch3ref1.pdf).
5. www.cisa.gov/sites/default/files/publications/ip-canada-us-action-plan-2010-508.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter3/ch3ref2.pdf).
6. www.publicsafety.gc.ca/cnt/rsrcs/pblctns/2021-ctn-pln-crtcl-nfrstrctr/2021-ctn-pln-crtcl-nfrstrctr-en.pdf (alt URL: http://cipbook.infracritical.com/book5/ch3ref3.pdf).
7. Ibid.

66 ◾ Critical Infrastructure

8. www.publicsafety.gc.ca/cnt/rsrcs/pblctns/srtg-crtcl-nfrstrctr/index-en.aspx (alt URL: http://cipbook.infracritical.com/book5/chapter3/ch3ref4.pdf).
9. https://ec.europa.eu/commission/presscorner/api/files/document/print/en/memo_06_477/MEMO_06_477_EN.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter3/ch3ref5.pdf).
10. Ibid.
11. One can find this story in the public domain through a range of media sources, including www.cbc.ca/news/canada/british-columbia/b-c-moves-to-ban-u-s-coal-transport-in-retaliation-for-softwood-duties-1.4086688.
12. Several analytic articles discuss various aspects of this, including www.ft.com/content/27e28a44-51b0-11e7-a1f2-db19572361bb.
13. www.reuters.com/business/energy/trans-mountain-sees-expansion-project-cost-almost-doubling-ceo-retire-2022-02-18/.
14. www.npr.org/2021/06/09/1004908006/developer-abandons-keystone-xl-pipeline-project-ending-decade-long-battle.
15. www.mdpi.com/2304-8158/11/14/2098/pdf (alt URL: http://cipbook.infracritical.com/book5/chapter3/ch3ref6.pdf).
16. www.developmentaid.org/news-stream/post/142729/how-does-the-russian-invasion-of-ukraine-change-shipping-and-freight-rates.
17. www.fao.org/fileadmin/user_upload/faoweb/RussianFederation/pdf/IMPACT_OF_WESTERN_SANCTIONS_ON_GLOBAL_FOOD_CRISIS_AND_FERTILIZER_MARKET.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter3/ch3ref7.pdf).
18. www.reuters.com/business/sanctions-bite-russia-fertilizer-shortage-imperils-world-food-supply-2022-03-23/.
19. https://tc.canada.ca/en/marine-transportation/marine-safety-management-system-tp-13585-e-tier-i-policies/tier-i-policy-oversight-small-maritime-autonomous-surface-ships-mass (alt URL: http://cipbook.infracritical.com/book5/ch3ref8.pdf).
20. Ibid.
21. www.nrc.gov/docs/ML1011/ML101180437.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter3/ch3ref9.pdf).
22. www.bis.doc.gov/index.php/documents/pdfs/2447-huawei-entity-listing-faqs/file (alt URL: http://cipbook.infracritical.com/book5/chapter3/ch3ref10.pdf).
23. www.whitehouse.gov/briefing-room/presidential-actions/2021/06/03/executive-order-on-addressing-the-threat-from-securities-investments-that-finance-certain-companies-of-the-peoples-republic-of-china/ (alt URL: http://cipbook.infracritical.com/book5/chapter3/ch3ref11.pdf).
24. Ibid.
25. Ibid.
26. Utilizing the analogy of dragons and sea serpents on maps and sea charts.
27. www.canada.ca/en/public-safety-canada/news/2022/06/protecting-critical-cyber-systems.html (alt URL: http://cipbook.infracritical.com/book5/chapter3/ch3ref12.pdf).
28. www.justice.gc.ca/eng/csj-sjc/pl/charter-charte/c26_1.html (alt URL: http://cipbook.infracritical.com/book5/chapter3/ch3ref13.pdf).
29. www.ncbi.nlm.nih.gov/pmc/articles/PMC9975875/.
30. www.nerc.com.
31. Ibid.


32. The August 2003 blackout was significantly different in that while electrical events in the past had been investigated by regional councils, the size and scope of this event (affecting three NERC regions) led to the NERC assembling a group of international experts to investigate. This can be found in the North American Electric Reliability Council’s Technical Analysis of the August 14, 2003 Blackout: What Happened, Why and What Did We Learn? July 13, 2004, as found at https://fluidcodes.com/wp-content/uploads/2020/06/pa_rrm_ea_August-14-2003-Blackout-Investigation-DL_NERC_Final_Blackout_Report_07_13_04.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter3/ch3ref15.pdf).
33. www.imo.org/About/Pages/Default.aspx.
34. www.bimco.org/about-us-and-our-members/about-us.
35. In this context, the Baltic and International Maritime Council (BIMCO) met in a limited group to generate a standardized contract referred to as Guardcon. It was revealed in the explanatory notes to Guardcon that a number of the requirements were put in place in order to effect changes in the industry that BIMCO had been pushing forward, including reducing the number of smaller security companies offering antipiracy services. Once Guardcon had been circulated broadly throughout the private sector clubs, the lack of resistance by IMO became the tacit approval for its use.
36. These reports can be found through a range of media, including at www.theglobeandmail.com/news/national/northern-manitoba-rail-line-cut-off-after-catastrophic-flood-damage/article35279392/.
37. This is widely reported in open media, as illustrated in www.cbc.ca/news/canada/manitoba/omnitrax-president-responds-1.4165559.
38. While there was confusion in the leadership of the issue, the situation reached a point where a consortium of First Nations has, with support, been able to take control of the port and line. The Arctic Gateway Group (as it is now called) has received support from both federal and provincial governments to not only get stability into the system, but also to resolve many of the longstanding issues with connectivity into the north.
39. https://mbchamber.mb.ca/2022/08/03/arctic-gateway-groups-hudson-bay-railway-on-track-to-support-northern-connectivity/ (alt URL: http://cipbook.infracritical.com/book5/chapter3/ch3ref16.pdf).
40. These concepts come from the theories put forward by Tuckman in the forming-storming-norming-performing model in 1965.
41. https://sencanada.ca/content/sen/committee/421/TRCM/Reports/COM_RPT_TRCM_AutomatedVehicles_e.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter3/ch3ref17.pdf).
42. ww2.arb.ca.gov/news/california-moves-accelerate-100-new-zero-emission-vehicle-sales-2035 (alt URL: http://cipbook.infracritical.com/book5/chapter3/ch3ref18.pdf).
43. https://atlantic.ctvnews.ca/nova-scotia-power-wants-to-raise-the-cost-of-electricity-by-11-6-per-cent-by-2024-1.6065687.
44. To find more information on LEED, please visit (United States) www.usgbc.org/leed, or (Canada) www.cagbc.org/CAGBC/LEED/CAGBC/Programs/LEED/Going_green_with_LEE.aspx?hkey=54c44792-442b-450a-a286-4aa710bf5c64 (alt URL: http://cipbook.infracritical.com/book5/chapter3/ch3ref19.pdf).
45. A “botnet” is an automated, network-based attack performed against multiple target sites and systems.


46. Those unfamiliar with the term “Universality Theory” are likely familiar with its application. These are crimes that apply against humanity—such as war crimes, torture, violation of certain rights, etc. These crimes are universally accepted.
47. This provides a synopsis of information that can be found in a range of sources. One particularly clear source comes from the European Journal of Legal Studies in terms of Cybercrime, Cyberterrorism and Jurisdiction. The article can be found at www.ejls.eu/6/78UK.htm.
48. www.hrw.org/news/2021/08/13/cybercrime-dangerous-new-un-treaty-could-be-worse-rights.
49. The subject-object pairing is an information technology term. The subject seeks to access the object in some form of exchange (such as being given access to a system). The object is configured in such a way as to be able to allow or block the subject from gaining access to it. This is one of the basic elements associated with identification-authentication in the access control domain.
50. A botnet can be described as a collective that is made up of several (potentially millions or even billions) of entities that operate independently but in a manner managed or configured to achieve some common goal (such as disrupting a service by flooding its infrastructure beyond its capacity).
51. https://iacs.org.uk/publications/unified-requirements/ur-e/ur-e22-rev2-cln/ (alt URL: http://cipbook.infracritical.com/book5/chapter3/ch3ref20.pdf).
52. https://iacs.org.uk/download/4054 (alt URL: http://cipbook.infracritical.com/book5/chapter3/ch3ref21.pdf).

Chapter 4

The New Role of Government

DOI: 10.4324/9781003346630-4

4.1 Introduction

This chapter focuses on the concept of public-private partnerships (also referred to as PPPs or P3) and how they can have a significant influence in the critical infrastructure protection (CIP) and critical infrastructure assurance (CIA) domains. With government organizations renewing infrastructure but seeking to avoid significant capital costs, the P3 has risen to a prominent position in some countries. CIP efforts, as the reader will recall, focus on protecting our infrastructure. This focus is on the protection of assets that provide a service and must be considered as a sub-element to the concept of critical infrastructure assurance that seeks to assure the continuity of services necessary to the safety, security, and economic well-being of a nation. They deal with a structure that essentially protects an asset from some kind of harm caused by a threat when it exploits a vulnerability. When looking at critical infrastructure, the goal is critical infrastructure assurance, while the various objectives that need to be accomplished to achieve that goal can be described as critical infrastructure protection.

4.2 What Is a Public-Private Partnership (P3)?

A public-private partnership (P3) can be described in several ways. Some common themes run through all of them:

◾ It is cooperative in nature (between the public and private sector).
◾ Each partner brings forward specific knowledge, skills, abilities, resources, or expertise.
◾ It is intended to meet public needs but has a strong commercial interest for the private sector entities involved.

The reason there are a number of different descriptions regarding public-private partnerships is because this label describes a number of different arrangements. At one end of the spectrum, one can find the contracting out of services, and at the other end, one might find the concept of privatization. The former represents the traditional way that government would engage the private sector, while the latter represents how government would essentially shed its accountability for certain kinds of infrastructure and operations (divestiture). Since the last edition of this work, however, this concept has become more refined and is used more in the context of a specific arrangement between the government (as the client), a private sector entity (owning and managing the infrastructure), and a financial services provider (providing the outlay of initial capital). What should be clear is that this concept represents a further privatization of certain types of infrastructure. While the accountability for the service remains part of the public interest, the responsibility for maintaining that service shifts to the private sector. As noted earlier in the situation with Churchill, Manitoba, the rail line is owned and operated by the private sector. While the government still has an accountability to its citizens, the responsibilities associated with specific activities, in the eyes of the government, have been transferred to the private sector entity—including the maintenance of the infrastructure (in this case, the rail line). While the private sector continues to own a significant percentage of the critical infrastructure, certain kinds of infrastructure (water treatment plants, etc.)
remain in the hands of national and regional (state, provincial, etc.) governments. Perhaps the clearest definition of the divide would be that the infrastructure that has direct life safety implications (such as water treatment) continues to reside with some level of government, largely due to the public interest and the need to maintain a service, even if at a loss. That infrastructure that is not directly involved in life safety issues, however, continues to drift towards privatization. Canada’s plan for the further privatization of airports is one such example of this. This trend is likely to continue. Certain countries (Canada, Australia, and the United Kingdom, among others) have established government entities to assist in coordinating this activity.

4.3 The P3 Spectrum

The P3 spectrum describes that range of activities that fall somewhere between the basic contracting services and full divestiture through privatization. This is more than simple construction. It can involve any one or more of the following in various combinations:

◾ Financing (banking arrangements).
◾ Design (engineers, architects).
◾ Construction (surveyors, engineers, build teams).
◾ Operations (facility management).
◾ Maintenance (repairs).

The first major set of criteria involves defining the relationship between the public and private sectors with respect to the delivery of the critical services. After this is resolved, the next step involves the organization of the persons, assets, facilities, information, and activities in such a way that the critical services are delivered and overseen effectively. While there will certainly be additional variations of this, some of the major arrangements are identified as follows:

1. Private Sector (Entirely). In circumstances where there is no apparent need for oversight, the infrastructure may be completely divested. For example, small airports and seaports that operate in a manner having limited safety or security implications may be completely divested to the private sector. One also sees this in the divestiture of office and administrative buildings. This is often proposed to increase short-term revenues that may be generated through the sale, to relieve long-term budget pressures, and to refine the full portfolio of entities delivering critical services when looking at emergency management or preparedness activities.
2. Private Sector with Public Sector Oversight. This approach is most evident when looking at activities that have significant regulatory oversight—such as the banking, energy, transportation, and similar sectors. In this context, the regulator still has the ability to limit and direct courses of action (in terms of regulatory controls, measures, etc.) but only steps in when circumstances demand that the state takes the lead (such as might be seen in the coordination of a major maritime event). In this context, the government may possess adequate knowledge and resources to set goals and limitations, but the private sector has the expertise necessary to maintain complex operations effectively and efficiently. The core difference between this step and divestiture is that while the government benefits from short-term revenues, relief from longer-term costs, and other similar factors, the government has a clearer accountability and responsibility that comes from the requirement to maintain control through regulatory oversight activities such as inspections and enforcement.
3. Public Sector with Private Sector Support. This approach is essentially an exercise in risk sharing. The government may be limited in terms of what activities can be passed to the private sector (either due to the risks involved or through international agreements that demand that the state has control over certain activities). In circumstances where there are specific government responsibilities that cannot be maintained adequately or legitimately passed to the private sector, the government maintains control. For all other aspects, control is divested to private entities. This is very similar to divestiture and the regulatory structure but is far more granular in nature in that it is the shifting of specific activities that results in longer-term costs being reduced while services are maintained. What is also evident in this respect is that this level marks the divide where government does not realize the benefits associated with short-term revenues, only those that come through the reduction of longer-term costs.
4. Public Sector with Private Sector Contribution. Where it is not appropriate that the private sector be involved in the delivery of the service, short-term costs are overcome through private sector funding, longer-term shortfalls are overcome through temporary arrangements, and there is a need to deliver the service.

These four approaches have now become mainstream for major capital projects, specifically critical infrastructure projects (such as transportation and energy, etc.). We are now seeing a paradigm shift from the building of capacity through the P3 efforts, to the management of that capacity that involves greater involvement from the private sector. The private sector focus has shifted from project management (establishment of capacity) to infrastructure management (management of the services delivering the capacity). Consequently, consumers find themselves with regulated services that seek to minimize operational costs while increasing revenue, often based on user fees or other charges. For the consumer, therefore, the focus shifts from wondering how the government is spending money, to having to monitor the various regulatory boards and oversight mechanisms that may approve rate increases and new charges unbeknownst to them.
We have witnessed this kind of interplay recently as U.S. and Canadian energy companies have requested significant rate increases to cover costs associated with movement to a “Green Grid”1,2—where the government had to step in as an intervener and put a halt to the proposals. This will potentially lead to a conflict in which the private sector balks at government mandates as being unachievable without some source of new or additional revenue. Furthermore, government grants specifically aimed at “green energy”3 have diminished significantly, also driving costs further upward. This conflict of interests between the private sector, which is revenue-driven, and the public sector, which is savings-driven but is now showing signs of becoming increasingly more revenue-driven, creates an unbridgeable divide. This divide is now apparent, specifically with “green energy.”4 The challenge is that as time progresses toward the mandated deadlines that governments are imposing, the effort needed to bridge that divide will become increasingly more difficult. An example would be the electrical grid projects to bring the growing number of electric cars online. This involves not only power generation and distribution, but also the number of charging stations (amongst other things). If we approach this challenge logically and incrementally, then the impacts are at least manageable. If, however, the industry tries to perform this all at once, the costs involved will be astronomically prohibitive. This then leads to the final question of whether we can afford the impacts associated with the inactions that fail to address the other challenges tied to climate change and the severity of those impacts. Either way, there is a cost. If the changes are conducted slowly and methodically, the distributed costs will be more manageable.

4.4 Establishment of New Capacity

As noted in previous editions of this work, there is a need to maintain a balance between demand and capacity. This is not strictly a one-to-one ratio. The balancing point involves the demand being in balance with the capacity when taking into account the need to maintain the resiliency of the overall network delivering the service. Again, the difference in the philosophy between the public sector and private sector factors significantly. When looking at private sector involvement in the management of infrastructure, one must remain cognizant that the private sector’s focus is not always on the public good. While the public sector may be able to justify or rationalize a certain level of infrastructure and operating costs based on the need to deliver services above baseline levels at all times, the private entities have a different view. The focus for the private sector, again, is on the generation of wealth and specifically profit. Profit, in general terms, can be influenced by either reducing costs (such as maintenance, etc.) or by increasing revenues, meaning that costs are maintained based on an adherence to minimum costs or requirements, not necessarily best costs or approaches. The other aspect of this challenge is the reality of mathematics. If capacity does not meet demand, then there are shortfalls. What needs to be understood, particularly in the Energy Sector, is that the technology that delivers capacity to meet demand may not be ideologically perfect. It is unlikely that as we move to place increasing demands on the electrical grid, we will be able to avoid nuclear generation or similar technologies to address demand shortfalls. Simply put, there is not enough geographic space for all of the solar panels, or wind farms, to meet the current energy requirements, let alone future requirements. Two distinct terms describe the two forms of demand that generation on the grid must serve, and the demands on the grid are only going to increase both the base5 and peak loads.6

4.5 Maintenance of Existing Capacity

While new capacity may be needed to meet increasing demand, this does not absolve organizations of their need to maintain the existing infrastructure. In this context, the public and private sector philosophies each have strengths and weaknesses. Within the public sector, particularly at the government level, there may be a tendency to manage infrastructure up to the next election or mandate, leaving the next government dealing with the implications of positive short-term decisions that may have long-term ramifications. One might argue that this has been clearly evident in activities such as Canada’s defense procurement structures, which have seen politics step into the process over several elections. While the reasons for that involvement may have been appropriate from a political perspective, the overall result was military forces that are not moving gracefully through technology but that are having to implement stopgap and interim measures in their major capacity life cycle management activities (such as is evident in the current ship and aircraft procurement strategies). Conversely, the private sector is far more susceptible to economic factors (such as downturns) that can limit its ability to raise or maintain the capital base necessary to follow all aspects of life cycle management activities. The result is that certain elements may be put off until conditions are more favorable, a situation that allows for the degradation of the infrastructure to reach more dire levels while the organization continues to focus on patching critical issues. Perhaps one of the best examples of this challenge comes from the electrical sector and the conversion of Ontario Hydro into its five companies (later known as Hydro One, Ontario Power Generation, Independent Electricity System Operation, Electrical Safety Authority, and Ontario Electrical Financial Corporation). This transition proved to be particularly challenging. The challenge lies on two fronts. As part of the transition, the decision was made that the previous debt had to be serviced outside of operating costs.
The result was a debt retirement charge that is intended to pay down approximately one-third of the former debt and includes an additional 0.7 cents per kilowatt hour with certain exceptions.7 This charge is included on the bills for most consumers. The second challenge lies in the ability to achieve profitability. The majority of revenue comes from the payments made by electrical consumers. The rates paid by consumers are closely regulated by the Ontario Energy Board that sets prices for off-peak, mid-peak, and on-peak periods. The end result for consumers, however, was a cost that was broken down to include the costs of generation, transmission, debt retirement, and other costs. So what does this mean in terms of critical infrastructure assurance? CIA refers to the ability to assure that critical services are being delivered. The public sector management approach was failing in this respect, or could even be argued to have failed, because the government, in order to reduce costs, divested itself of the infrastructure and decided it could no longer deliver the service. The for-profit model ensures, with sound management, that the resources required to run the infrastructure are appropriately balanced with its costs, addressing this particular vulnerability in terms of a lack of financial stability. From the critical infrastructure protection perspective, the for-profit model also makes a level of sense. By ensuring that the revenues and costs remain at least balanced, each individual infrastructure generates revenue essentially based on the demand being placed on it. Similarly, the silo that is created through user fees means that infrastructure costs can be balanced in such a way that significant underperformers do not put a drain on the whole system or overall network.

4.6 The Coming Financial Crisis

The coming financial crisis in the realm of critical infrastructure assurance and critical infrastructure protection can be linked to what may be described as an emerging perfect storm. This perfect storm consists of an aging population that results in both a reduced tax base as well as higher costs on certain sectors, higher costs of borrowing that are on the horizon, a diminishing disposable income across much of the population that is the direct result of costs increasing across a broad spectrum of requirements (fuel, food, healthcare, education, and so forth), aging infrastructure (such as is evident in electrical distribution networks, road networks, and similar infrastructure), and increased pressures on that infrastructure that result from factors associated with the fragility of that infrastructure (increased demand, performance closer to the thresholds of safe operations, and more difficult environmental factors). In addition to the aging population and shrinking tax base, government-driven mandates also add financial pressures that reduce the amount of disposable income across the sectors. For example, utilities (such as electricity and water) now face a situation where more than 100% of their expected revenue would need to be committed in order to meet transitional costs. This situation creates a condition that only has two possible, logical resolutions: increase the revenue by increasing costs to consumers,8 or attempt to find novel and inexpensive revenue-generating alternatives that can meet the demand.9 The first option offers a clear route, whereas the latter has significant uncertainty as it depends upon innovative tactics. Consequently, much of the focus is on adopting the first option. This has now introduced an economic condition whereby consumers are now being forced to choose between staying warm (or cool, depending upon the season) and buying food.

This financial crisis will be exacerbated by inflationary pressures that will drive other sector costs higher. Costs of fuel, for example, will drive food costs higher in areas where food must be imported. These inflationary pressures may also drive people to use credit or other forms of borrowing to cover basic costs, thereby putting increasing pressure on their own financial stability as debt loads increase. In brief, the costs associated with meeting all of the mandates have exceeded the ability of society to pay for them. Either nonessential costs are reduced or removed, or some of the mandates will need to be delayed. We can expect to see companies undergoing wholesale restructuring as they attempt to maintain profitable earnings-to-cost ratios.


This is not an attempt to paint some apocalyptic picture, but it is one that demands that actions start now where the steps can be incremental, as opposed to catastrophic later. Consider the issue of rising sea levels, storm surges, and the challenges associated with emergency management. Now consider the steps that would be needed if countries were actually to attempt to shift their population bases and critical services back from those areas that are at greatest risk. Now consider the various short-term and long-term costs that are associated with both real and potential losses in either direction. In this storm, we would not be looking at issues such as weather instability, increases in natural events, or rising sea levels. The focus is on the challenge that arises when structures like the P3 arrangement reach a point of diminishing returns in terms of savings. If one examines four critical sectors (Healthcare and Public Health, Energy, Communications, and Transportation Systems) one finds that there have been significant per capita increases. In Canada, which often touts itself as having a model system, the costs to family groups range between a 19% increase for those who are least impacted to over 30% for those who are most impacted.10 One of the most significant costs associated with this involves the cost of healthcare insurance—a factor necessary to cover costs which have been increasing as certain public benefit plans reduce their coverage or increase deductibles in order to maintain their overall viability. Within the energy sector, this has been apparent in terms of not only the increases in certain costs, but also in the inclusion of new billing streams. 
While arguments can be made in several directions—ranging from the need for investment to move back from system collapse, to the need for research and development to move away from environmentally harmful generating technology—the outcome is the same for the consumer and is manifested in terms of increased costs. This brings the issue to a critical balancing point. The public expectation is that certain activities and services would be managed publicly and provided with modest increases in cost—often tied to administratively determined cost-of-living increases. In short, public expectations led to the belief that one could benefit from a world-class infrastructure on the one hand while paying little for it on the other. Where the public or the private sector fails in achieving this, then we are likely to see shifts in the other direction. Where the government fails, then private sector entities will play an increased role. On the other hand, where the private sector fails, then government will have to step in to maintain its own accountability in a crisis. The result is an emerging instability, as cost pressures, risk thresholds, diminishing returns, and shrinking sources of revenue come together. Perhaps the cleanest route lies in the localization of critical and supporting services. The first layer is at the individual or household level—such as what might be illustrated by building codes requiring green roofs (gardens), limited solar generating capability, rain water capture, and similar elements. The idea here will not be to somehow promote a green agenda. It will be the only way that the system will be able to assure that individuals are able to weather a disruption in services without significant government input for the first critical phases. One might also argue that the critical phase should not be looked at in terms of the publicly advertised 72 hours, but in terms of potential weeks depending on the location of the household and where it fits within the various service restoration plans and priorities. The second level of this will be tied to community-based and locally based activities. The use of common parks with water features, community farms (or gardens), community centers, and other forms of community-supporting services will have to become more prevalent. Again, the link to “green” programs is tangential and suitable for public consumption, but the harsher reality is that these are also very closely tied to the fact that the coming burden on various services will not be supportable under the current organization and structures, including cost. These two forms of micro-projects are likely to be the next wave of public-private partnerships and have already started in the electrical generation and food sectors.11

4.7 Other Forms of Public-Private Cooperation and the Erosion of Governance

The need for this oversight also extends into the development of laws, regulations, and policies. Each of these has traditionally involved a consultative process that is used to gauge the impact and benefits associated with the development, implementation, monitoring, and review. This consultative process is often used by various interest groups, associations, organizations, or even individuals to present points of view in the hope of making a convincing enough argument that they suffer less disruption or are able to gain some benefit from the new measures. This structure assumes that there is a clear understanding of the roles and responsibilities of each group. The government is there to conceptualize, design, implement, monitor, enforce, and, if appropriate, adjust the various controls on persons and activities that fall within its jurisdiction. The private sector is there to provide an understanding of the potential consequences of those decisions and, in some cases, propose alternatives for consideration by the governing body. This has been shifting toward the private sector’s advantage over time in a number of industries—often those that are involved in the self-regulation exercise or in terms of performance-based regulation. These structures allow the private sector entity to put forward its own requirements as long as it meets certain goals. Given that these goals are often aligned with the need to prevent or respond effectively to situations that would disrupt the infrastructure or cause injury to society, including the local population, there is a very clear need to define what the outcome should be and then to test, in a credible manner, whether or not that outcome is being achieved.
The requirements communicated out of the private sector have used a structure that relies upon the conduct of risk assessments and the development of plans—followed by the verification that the plans are actually in force. The assumptions in this structure are that the risk assessment has identified at least the threats, vulnerabilities, and risks of most significant concern, and that the plan is adequately able to appropriately mitigate, prepare for, respond to, or recover from the events associated with those conditions. This structure is becoming more and more apparent in the transportation, energy, and communications domains, where the private sector has been increasingly relied upon to provide technical input into the formation of the various forms of regulation.12 Where the inspection process is based upon the legal or administrative requirement to “have a plan and put it in place,” the public sector element runs a significant risk of shifting onto a structure that simply verifies that the plan is in force but fails to determine if the plan is valid or appropriate in the first place.13 This system can be overbalanced in the other direction. Prescriptive regulations, including management by set standards and best practice, can lead to conditions where a false sense of security becomes a risk of its own. Again, the assumptions being made are that:

◾ The prescriptive standard is, in fact, the best option with respect to dealing with certain risks.
◾ The prescriptive standard is actually applicable and took into account the ranges of conditions associated with the threat and operating conditions.

In these structures, CIA and CIP activities become standards-driven. This has been particularly applicable in the information technology domain and certain other regimes that are subject to technical or legal liability, including insurance-related challenges.14 Arguments associated with cost, efficiency, and regulatory compliance, particularly where audits and inspections are involved, factor significantly. The overseeing body, in some cases even a third-party certification body, provides checklists of what is to be presented.
The private sector entity then ensures that each item on the checklist has been addressed and recorded—a practice that greatly facilitates the oversight process but that can lead to the inspection or audit cutting corners when looking at the issue from a whole assurance or whole compliance point of view.

4.8 Balancing Points

These challenges point to a critical need for the P3 to operate in a balance between the public and private sectors. This balance must exist in at least the following:

◾ The use of a common definition base.
◾ Education, training, and expertise.
◾ Roles and responsibilities.
◾ Governance and enforcement.

This balance is needed to achieve clear communications that attain the necessary balance between prescriptive (ensuring that baselines are met) and performance-based (ensuring that assurance, resiliency, and protection goals are achieved) approaches. This begins with the basic definitions that are used. One challenge is that there are still a significant number of definition bases being used, and in some cases, persons have become involved in the system who lack the knowledge, skills, training, or experience, singly or in combination, and who, by virtue of their position or simple rhetorical ability, create their own. Without having that clear understanding of the basic definitions, a condition similar to the “fruit of the poisoned tree” comes into play—the confused definition base providing a foundation for unclear or even convoluted communications.15 With a common definition base, there is a need to establish a common and accepted approach or doctrine. Again, the assurance and protection communities are at a stage in their maturity where this is not a simple task. Those who have been involved in the asset protection and security domain will be very familiar with the competition between disciplines in the information security, physical security, business continuity, and other domains. With each discipline continuing to operate within its silo and attempting to promote its own view of the others from within that silo, one might comment that the arguments that arise, from a senior management perspective, are best described in terms of an unhealthy sibling rivalry that draws attention and efforts away from the running of the corporate family. This is particularly true in the P3 environment, where government policies and private sector practices can come into conflict.
On one hand, policies such as the Policy on Government Security in Canada provide a structure or set of frameworks that government security programs and those doing business with the government are supposed to recognize and adhere to. Depending on whether or not these policies, including any supporting standards, are kept up to date, they can have varying degrees of utility, as they are written with a government-centric focus. The private sector element to the equation has greater flexibility and may opt to follow no specific path, a path along the line of a professional or trade association, or a combination of approaches that allow it to demonstrate enhanced capabilities within a set of apparently valuable domains through membership or certification. While the private sector is vulnerable in terms of the requirement to be subjected to many regimes, it has the flexibility to make certain decisions within its own management as to how it will approach those challenges. While the private sector may be vulnerable in terms of the number of regimes it can be subjected to, the public sector has a dissimilar challenge. Most persons involved in the inspection and oversight process are employees that are protected through collective bargaining or similar arrangements. The result is that certain organizations tend to focus on the training directly associated with the job process, but not necessarily the discipline involved. This places the public sector organization into a difficult position, as the individual in the field:

◾ May not be able to recognize measures that may not work.
◾ Understand how the measures function individually or as an integrated system.
◾ Understand the extent and nature of the risks inherent in the environment that the public sector is attempting to regulate.

The final result, particularly if the public sector fails to keep up the training for its personnel, is an inspectorate that deploys into the field simply to have preconceived questions answered while exposing the private sector entity to officially induced errors.16 There is an imbalance between the private sector, which seeks out the most skilled and valuable person for the organization (usually represented through enhanced education, training, or experience), and the public sector, which may, if not prudent, allow persons to become stagnant in their knowledge, skills, and abilities. While this may seem inconsequential to some, the disparity is significant when looking at how many regulations are enforced. While some fall under systems similar to those used in criminal or civil proceedings, regulations are generally enforced through administrative tribunals. These administrative tribunals allow for slightly broader or relaxed standards with respect to evidence and the provision of expert opinion. To give an expert opinion, however, the individual must be able to show an appropriate level of knowledge, skills, and experience. Where there are two dissenting opinions, favor may be given to the expert who can better demonstrate the more enhanced level of education, training, or experience. When this is combined with a regulatory regime that does not have very clear and measurable criteria to meet, the outcome can be a balance that shifts significantly toward the private sector entity that can demonstrate that its personnel have enhanced levels of third-party accredited training and experience in the field as opposed to public sector workers.
This in turn shifts the balance of probability that the private sector will be successful in its presentation to the administrative tribunal and degrades the ability of the regulator to enforce its own regulations without being constantly pulled into the administrative legal system.

4.9 Authors’ Notes

The P3 does offer significant opportunities for the public and private sectors to operate more efficiently. It is also one that must be understood in terms of the potential risks involved. The first step is to understand the nature of the operations involved and how that may influence the long-term relationship between the public and private service when delivering the product. It means ensuring that the roles and responsibilities of the public and private sector are clearly defined, and that these roles and responsibilities, at a minimum, also identify the requirement to ensure that each side is able to interact (if only doctrinally) by using common and trusted frameworks. It also means that while the public sector may be enjoying some immediate benefits, it has responsibilities to oversee the operations in general (to protect the public from gouging or other unscrupulous trade practices) and to maintain the necessary expertise to be able to oversee those operations. These responsibilities must also be looked at in terms of the enforcement mechanism that will apply in the P3 arrangement if it is to be applied successfully. In essence, the P3 can be described as a potentially more streamlined manner by which CIA and CIP activities can take place, but is by no means a “cure-all” or “magic bullet” when looking at the broad range of effort needed to maintain the agreement.

Notes

1. The term “Green Grid” refers to a consortium of information technology companies and professionals seeking to lower the overall consumption of power in data centers around the globe. The organization is chartered to develop meaningful, platform-neutral standards, measurement methods, processes, and new technologies to improve the energy efficient performance of global data centers. URL: www.fedcenter.gov/Bookmarks/index.cfm?id=8503&pge_id=1606 (alt URL: http://cipbook.infracritical.com/book5/chapter4/ch4ref1.pdf).
2. An alternative explanation of the “Green Grid” is that it is a consortium of information technology providers, consumers, and other stakeholders. The Green Grid seeks to improve the energy efficiency of data centers around the globe. The association takes a holistic and comprehensive approach to data center efficiency. The Green Grid membership includes many of the global leaders in the data center storage market. URL: www.energystar.gov/sites/default/files/specs//The_Green_Grid_Comments_Draft_2_Version_1.0_Specification.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter4/ch4ref2.pdf).
3. The term “green energy” has been used for decades and is also known by other names such as “green power,” “sustainable energy,” and “clean energy.” It is defined simply as any form of energy created from renewable resources. No fuel is consumed or burned to create the energy. This form of energy includes solar, wind, hydroelectric, and geothermal. This means no fossil fuels like coal and gas, even though they are derived from the earth. However, to some, and depending upon the source information obtained, nuclear power is considered “green energy” as it releases zero carbon emissions. URL: www.fredericksburgva.gov/1850/Green-Energy-in-Fredericksburg (alt URL: http://cipbook.infracritical.com/book5/chapter4/ch4ref3.pdf).
4. Ibid.
5. Two terms need to be defined regarding the term “base load”: (1) the term “base load” itself; and (2) the term “base load capacity.” The term “base load” is “the minimum amount of electric power delivered or required over a given period of time at a steady rate.” The term “base load capacity” is “the generating equipment normally operated to serve loads on an around-the-clock basis.” URL: www.eia.gov/tools/glossary/?id=B (alt URL: http://cipbook.infracritical.com/book5/chapter4/ch4ref4.pdf).
6. Two terms need to be defined regarding the term “peak load”: (1) the term “peak load” itself; and (2) the term “peaking [or peak load] capacity.” The term “peak load” is “the maximum load during a specified period of time.” The term “peaking [or peak load] capacity” is the “capacity of generating equipment normally reserved for operation during the hours of highest daily, weekly, or seasonal loads; some generating equipment may be operated at certain times as peaking capacity and at other times to serve loads on an around-the-clock basis.” URL: www.eia.gov/tools/glossary/index.php?id=P (alt URL: http://cipbook.infracritical.com/book5/chapter4/ch4ref5.pdf).
7. www.fin.gov.on.ca/en/guides/drc/pdf/101.pdf (alt URL: http://cipbook.infracritical.com/book4/chapter4/ch4ref1.pdf); UPDATE: www.ontario.ca/document/debtretirement-charge (alt URL: http://cipbook.infracritical.com/book5/chapter4/ch4ref6.pdf).
8. www.cbc.ca/news/canada/prince-edward-island/pei-heating-oil-islanders-react1.6616664.
9. www.irishtimes.com/news/social-affairs/people-forced-to-choose-between-heatingor-eating-warns-charity-1.4795111.
10. One would find a view of this analysis through the Fraser Institute’s research, which can be found at www.fraserinstitute.org/sites/default/files/price-of-public-healthcare-insurance-2015-rev.pdf.
11. One might look at the IGA (officially called “Independent Grocers Alliance”) grocery store in Quebec that has established a field on its roof for vegetables. The result is that at least a portion of its food sales are no longer subject to the transportation costs and have much shorter supply chains from field to fork.
12. In the maritime security regime (an example of a performance-based regulation), the public sector identifies certain goals to be achieved. The private sector then conducts the security assessment (risk assessment or question) and develops the security plan (risk management or answer) to achieve those goals. Given that these regimes are generally inspected against the plan, this results in a significant vulnerability in the structure, as it is premised on the assumption that the assessments and plans were developed in good faith and were kept free of attempts to reduce or otherwise manipulate conditions to the private sector’s advantage. Several nations were involved in discussions with industry that saw regimes, such as the ISPS, become limited in scope to certain activities (such as ships in port and not in transit), despite sound security practices and doctrine that establish baseline controls that must be maintained at all times.
13. The counterargument used by regulators is that this approach allows businesses the flexibility to balance security and operations. What is less communicated is that this approach also includes rationalizations that the approach reduces the legal liability to the government because it did not direct a specific measure, and therefore the due diligence associated with specific measures is shifted back onto the private sector.
14. Several groups clearly indicate that their security programs are managed according to a range of standards in the energy, financial, medical, transportation, and communications sectors. For the reader, a review of public websites can provide a clear indication as to how deeply this approach has permeated into certain industries.
15. The term “fruit of the poisoned tree” refers to a legal principle in which evidence or information that is the direct result of some action that is deemed to be inadmissible also becomes inadmissible.
16. The concept of officially induced error involves situations where a regulated organization receives information from an authoritative source (the regulator) that actually causes it to come into conflict with the regulations in question or with the regulations in another domain. The company, in following the official’s guidance, is punished for following that direction because it contravenes the requirements of another regulating body.

Chapter 5

The Reinvention of Information Sharing and Intelligence

5.1 Introduction

This chapter examines the role of information sharing within the critical information protection (CIP) and critical infrastructure assurance (CIA) domains. The distinction between these two activities is profound—protection focusing largely on the activities of an organization to be adequately robust and resilient in their operations, and assurance focusing on the ability of the system to continue to deliver critical services at levels that meet or exceed the demand for those services. This latter part incorporates critical infrastructure protection and a range of other activities. The first step in addressing any critical situation is being able to detect and identify what and where that situation is. While this statement may seem simplistic, it is one of the greatest challenges in the industry today, where the challenges associated with isolated administrative processes, incompatible processes, competitive influences, regulatory approaches, legislation (including the laws of other countries), and even personal interpretations come into play. Those that have worked in the establishment of information sharing centers (or similar entities) will be all too familiar with the sheer volume of work and complexity of identifying who should be at the stakeholder table. This chapter therefore looks at some of the core elements of information sharing that need to be in place when addressing these challenges.

DOI: 10.4324/9781003346630-5


5.2 Data vs. Information vs. Intelligence

When approaching the issue of information sharing, one needs to understand the difference between data, information, and intelligence. This is a matter of nuance and subtlety that is often not apparent, and which is becoming increasingly confusing as amateurs promote services that are mislabeled. Data involves a set of singularities and is the absolute basic building block when looking at the data, information, and intelligence hierarchy. Data represents a single unit and is often highly empirical in nature. For example, at an airport, one can confirm that a runway is a particular length. A sensor will send a signal, and the signal represents data as it is a single observation, from a single point, and lacks context. Because data is empirical in nature, it can be described in terms of completeness, accuracy, and repeatability. The length of the runway should remain relatively constant over time. It is at the data level that inspections and audits factor most significantly. Gaps or errors in the collection, handling, distribution, or retention of data factor heavily in audit reports. Those who have sat through board meetings will have experienced the challenge of demonstrating that the data has been collected free of bias. Those who read studies critically will notice that the author(s) of some studies can tailor their research in such a way as to collect only data that they know will support their conclusion(s). As only one or a limited few sources of data are extracted with no comparative analysis performed, the results are foregone conclusions. This characteristic exists in both the private and public sectors. When data is collected, organized, and given meaningful context, it moves into the realm of information. Another way of putting this is that information is a useful collection of data.
Data would be used to describe the length of a runway. Information would take a number of data items and assemble them to give an idea of how the runways are laid out. Intelligence would involve understanding the impacts of that layout on what kinds of aircraft could land at the airport. When looking at another system at the airport, such as runway lights, a sensor may record the voltage passing through the wire to the light. This would be data. The system may record a sudden drop in voltage that results from the circuit being broken (no more current), which indicates that the light is burned out. This would be information. Intelligence may involve being able to compare the rate of lights burning out with other factors to show that there is a condition that is affecting the life span of the bulbs. For the operator and the engineer, it is important to understand the relationship between the raw collected data, how it can then be formed into useful information (such as the mean time between failure), and how it can ultimately be valued as intelligence. There are several approaches to assessing information. In one, information is assessed based on its foundation of data (completeness, accuracy) and then put into a context through critical analysis and unbiased assessment. In another approach, information may be looked at in terms of its reliability and credibility (often confirming the data). For those familiar with the various forms of information gathering, like the Admiralty Code, reliability is basically a technical assessment that describes whether the source of the information has the ability to collect, gather, and present it. Credibility, on the other hand, refers to the ability to corroborate the information through other sources. Depending on the nature of the information collection exercise, these two factors will present a relatively clear view as to whether or not information can be acted upon. Finally, intelligence is used to describe information that has been brought together, collated, analyzed, assessed, and prepared for dissemination. Intelligence takes the information presented and provides an explanation as to why that information is important to that organization. This is a formal process that is used to answer the fundamental question of “So what?” Returning to our example of the runway, intelligence may look at the layout of the airport and arrive at the conclusion that, given the aircraft that are being used by companies, there may be a need to adjust or reinforce the runways to handle the increased stresses of aircraft landings. While infrastructure may present reasonably concrete arguments, the management of critical infrastructure often involves organizational or human factors. As a result, the intelligence production process becomes much more complex, as multiple viewpoints now need to be considered. Additionally, where infrastructure issues are reasonably empirical in nature, organizational and human issues may be influenced through subjectivity that is the result of the analyst having different education, training, and experience. Infrastructure issues then can be refined into provable conclusions, but organizational issues can be presented only as supportable arguments.
This last distinction can result in intelligence that is more difficult to interpret in a way that is fully accepted. This is particularly important when considering the nature of a threat or a vulnerability. Cyber threats, natural disasters, and similar threats operate in accordance with set and predictable patterns. Organizational and human threats operate differently in that they can be assessed in terms of probability, but not pure predictability. Therefore, the predictable threats and vulnerabilities can be mitigated using tactics, techniques, and processes (TTP)1 that can be assured to work; whereas organizational and human threats and vulnerabilities operate with multiple outcomes offering (at best) a reasonable probability of success. These three layers (data, information, and intelligence) are very much interconnected. Bad data can lead to unreliable or perhaps incredible information, which can lead to bad intelligence. This bad intelligence is then fed into the decision-making processes and leads to the organization either making the wrong decision or failing to make the right decision. In either case, it exposes the organization to various levels and kinds of risk. It is also noteworthy that this operates as a linked process, where good data can be turned into bad information or where good information can be turned into bad intelligence. Like a physical chain, the process is only as strong as its weakest link. For this reason, it is important that all individuals, systems, or activities associated with this process are appropriately trained and capable of maintaining the integrity of the overall system.
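The runway-lights case from 5.2, worked through in code as an added example (this is not the book's own material): raw voltage readings are the data layer, burn-out events and the per-circuit mean time between failures are the information layer, and the comparison that singles out a circuit whose bulbs die unusually fast is the intelligence layer, the "So what?". Circuit names, nominal voltage, thresholds, and burn-out times are all constructed for illustration.

```python
"""Data -> information -> intelligence on constructed runway-light telemetry.

Nothing here is real airfield data; the circuits, voltages and outage
hours are invented so the three layers can be seen side by side.
"""
from statistics import mean, median

NOMINAL_VOLTS = 120.0       # assumed nominal supply for the example
OPEN_CIRCUIT_VOLTS = 5.0    # at or below this we treat the circuit as open

# Constructed sample: which hours each circuit's bulb burns out.  The hours
# for RWY27-EDGE are chosen so that it fails noticeably faster than the rest.
_BURNOUTS = {
    "RWY09-EDGE": {50, 100, 150},
    "RWY27-EDGE": {20, 40, 60, 80, 100},
    "TWY-A-CTR": {60, 120, 180},
}


def build_samples(hours=200):
    """Data layer: one (hour, circuit, volts) observation per circuit per hour.
    A burned-out bulb reads 0 V for that hour and is replaced the next hour."""
    samples = []
    for hour in range(hours):
        for circuit, outages in _BURNOUTS.items():
            volts = 0.0 if hour in outages else NOMINAL_VOLTS
            samples.append((hour, circuit, volts))
    return samples


def burnout_events(samples):
    """Information, step 1: a burn-out is the transition from a live reading
    to an open-circuit reading on the same circuit.  Returns (circuit, hour)."""
    last_reading = {}
    events = []
    for hour, circuit, volts in sorted(samples):
        prev = last_reading.get(circuit)
        if prev is not None and prev > OPEN_CIRCUIT_VOLTS >= volts:
            events.append((circuit, hour))
        last_reading[circuit] = volts
    return events


def mtbf_by_circuit(events):
    """Information, step 2: mean time between failures in hours per circuit.
    A circuit with fewer than two events has no interval and maps to None."""
    hours_by_circuit = {}
    for circuit, hour in events:
        hours_by_circuit.setdefault(circuit, []).append(hour)
    result = {}
    for circuit, hours in hours_by_circuit.items():
        hours.sort()
        gaps = [later - earlier for earlier, later in zip(hours, hours[1:])]
        result[circuit] = mean(gaps) if gaps else None
    return result


def short_lived_circuits(mtbf, ratio=0.5):
    """Intelligence: compare each circuit against the fleet median and name
    those whose bulbs last less than `ratio` of it.  That is the prompt to look
    for a common cause (wiring, supply, environment) instead of just replacing
    bulbs.  Needs at least two circuits with a known MTBF to say anything."""
    known = {c: m for c, m in mtbf.items() if m is not None}
    if len(known) < 2:
        return []
    baseline = median(known.values())
    return sorted(c for c, m in known.items() if m < ratio * baseline)


if __name__ == "__main__":
    readings = build_samples()                     # data
    failures = burnout_events(readings)            # information
    lifetimes = mtbf_by_circuit(failures)          # information
    for circuit, value in sorted(lifetimes.items()):
        print(f"{circuit}: MTBF {value} h")
    print("investigate:", short_lived_circuits(lifetimes))   # intelligence
```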

5.3 The Importance of Background to Context

As stated earlier, while data is relatively empirical in nature, context plays a much more significant role when looking at the transitioning process from data to information, and it provides a critical role when looking at the transitioning process from information to intelligence. The transitioning process from data to information involves data being organized. How that organization will be structured will be based on the mission of the organization and how success is measured. A container facility that needs to move a certain number of containers through its facility per hour will likely measure things in terms of either containers processed or time. For example, if the loss of an information technology system means that the processing of containers has to happen manually, the impact is likely to be assessed in terms of the reduced number of containers that can be processed with the same assurance that they are being moved appropriately. Similarly, an electric generating station that needs to generate so many volts of electricity may measure its impacts in terms of the amount of electricity it can generate while maintaining the assurance that it is generating clean electricity that can be pushed onto the electrical distribution grid. Medical facilities may measure impacts in terms of the rate and accuracy of diagnosing and treating patients effectively. The reason for this approach is simple—each component of an organization is expected to contribute to the overall success of the organization, and senior management measures the performance of the organization in terms of its ability to meet goals that it sets. With the increased use of cloud services and computing, either using internal (e.g., private) clouds or third-party services, another metric needs to be considered—the integrity of the processes used to categorize data.
The challenge here lies in the nature of organizations and their willingness to be disciplined. Failing to meet this challenge results in what may be described as how a squirrel would approach information management. A squirrel does not know where it buried nuts, but it can recognize that a certain location looks like a good place to bury a nut. Where data categorization goes awry, a similar condition evolves such that we don’t know where the information is exactly, only that a location looks good. Returning to the squirrel analogy, the squirrel has to run around and check each location where it thinks it might have buried a nut, but that doesn’t mean that it buried its nut there. As a result, it expends a significant amount of time and energy searching for a nut, with that search becoming increasingly difficult as the number of nuts available decreases. The key difference between the squirrel and data comparison is that we are not looking for any nut, but rather a specific nut. The squirrel would not survive in this environment. The issue with many organizations utilizing cloud services is that they usually rely solely upon the cloud service provider to organize their data, rather than controlling it themselves. Using the squirrel analogy, this would apply where the squirrel would rely solely upon another squirrel to find its nuts. On a more serious note, this means that an organization needs to worry not only about data loss, but also about the disruption or manipulation of the search and retrieval functions that allow it to access its data. Additionally, many critical infrastructure organizations are slowly converting their operations to share operational and telemetry data with industry-wide vendors and other critical infrastructure organizations. While this may work for historical records or archives (i.e., no current operational impacts), the challenge becomes more consequential when current operational instructions are routed through these means. This is a simple question of attack surface. Rather than many separate targets, the number of targets is drastically reduced to only a few, making the concentration easier to attack. When considering this from a cyber kill chain2 perspective, an attacker can infer the best point of attack without exposing themselves during their reconnaissance. This degrades the ability of the defender to monitor and detect any suspected activity that could point towards a potential attack. As certain countries are divesting their infrastructure into the private sector in order to reduce costs, there is a significant risk that this context can evolve into a public safety or policy challenge. For example, the conversion to “green energy” from traditional sources of energy will cost money. This money is generally raised through rate changes. Where this conflict arises is when those rate changes become political in nature (such as cost of living), which can place the sector in an impossible position.
Without the revenue, the conversion cannot happen. Decisions from outside that arbitrarily cap rate changes essentially set the sector up to fail or become noncompliant. This represents an expansion of regulators’ need to exercise due diligence not only in the divestiture of infrastructure, but also in policies that closely interact with that infrastructure. A corporate perspective that focuses exclusively on economics may look at the annual losses associated with the payment of fines (or administrative monetary penalties) as a cost of doing business wherever the annual cost of maintaining a high-assurance infrastructure exceeds them. One might argue that understanding the contexts that are part of the organization’s culture should become part of the due diligence checks in the divestiture process, and that controls should be in place to ensure that any organization that moves into this domain is well aware of the additional roles and responsibilities that are to be assumed.

The second element involves the movement of data into the information domain. If the distinguishing feature between data and information is that data is assembled to form information, then the process through which it became information must be understood in terms of the context of its design and its application. One can argue that this process is, in its basic form, interpretive in nature, with

The Reinvention of Information Sharing and Intelligence



89

decisions on how to assemble data having elements of subjectivity and bias built into them, also evident in their application. For this reason, one might argue that information management may be critical in terms of maintaining corporate knowledge, but the survival of the organization and its resilience will rely more solidly on the management of its “big data”3 picture.

Consider two important elements in the concept of CIP and CIA—the threat assessment and the security clearance. There is a tendency to look at the threat assessment in terms of three primary sources of information: (1) other threat assessments, (2) information derived from data sources, and (3) information provided by outside sources. In the case of the other threat assessments, the challenge resides in the age of the data and information that feeds the assessment. Can that data and information be considered timely, relevant, accurate, and complete? These qualities degrade over time.

In the second case, that of the security clearance, one might argue that this is a clear example of data and information being used to form a conclusion that is not fully understood or accepted in its applicability. While the data and information collected on an individual is relevant during the background screening, it also has an expiration date that can be tied to the exposure of the individual to various sources of threat and different circumstances. In short, the security clearance result provides a snapshot up to a certain point, after which it should be assumed that supervision, detection of suspicious or suspect activities, and reporting become much more important. For this reason, one might argue that the security clearance decision is a snapshot in time and becomes increasingly less relevant, timely, accurate, and complete as it moves through its period of validity. At this point, the knowledge, skills, abilities, and experience of the individual will factor significantly.
These are the foundations upon which the individual will make the determination as to what is worthy of consideration (information) and how it is important (intelligence). This will, in turn, affect how the individual collects and collates the data to form information and certainly how the individual interprets the relevance of information when creating intelligence products. An individual who has an engineering background will base these decisions on different thinking from that of an individual who has a liberal arts background. The engineer may be much more precise and process-driven but unable to grasp the less tangible issues that the individual with the liberal arts background can. Conversely, the individual with the liberal arts background may not possess the mathematical or similar analytic skills to be able to identify the connections between things that are not apparent on the surface. The result of these differences is that the data-information transition may not be equal at all times, and it is less likely that the information-intelligence transition will be equal. When this is extended beyond the realm of intelligence, the organization’s decision-making processes can be affected.

Management bases its decisions on two major activities. The first involves risk management, or the manipulation of conditions so that an organization’s exposure to loss (a factor of probability and impact)


is reduced to acceptable levels. For example, management may determine that it is not willing to accept a project incurring financial losses after a certain period. The second part of the process is the cost-benefit analysis that will look at the net return on investment associated with the various alternatives. This is where things can become difficult, because the impacts against an organization can be assessed but not necessarily measured. This may be the result of different persons assessing the scope of an impact differently (immediate losses vs. future earnings, for example) or the result of factors not having precise values (such as impacts on an organization’s branding or credibility).

The challenge may be described in terms of watching water move as a river. The water is in constant physical motion, and other aspects of the river (such as fish) are part of that overall ecosystem. The brain, however, does not allow us to see that continuous motion. Rather, it collects a series of still images and then assembles them fast enough to give the illusion of that movement. The reality is, however, that there are a number of things that could happen in the periods between images that may be of importance. This image is comparable to the information that is then formed into the intelligence product. As a result, the intelligence we form and that is used in decision-making is flawed from its inception because of these gaps.

The key here is for organizations to move beyond information management alone and to refine it so that it takes data management into account. This comes in two parts. The first part is identifying the source of the information in terms of its foundation in data. For example, the information regarding this threat is based upon the following sources that were provided on this date. The second element is describing the processes and context in which the data was collected and collated to form information.
Information management, therefore, must not be seen as the root of the process but needs to be refined to include credible and reliable data management practices. The second key to this involves the concept of semi-automation. Semi-automation, in the view of the authors, outweighs full automation because it allows those processes that are repetitive and structured (such as checking for a keyword in a file) to be automated so as to increase the assurance that the information is complete and accurate. Judgment on the part of the user is still required to ensure that the processes are applied in the right context and that, if gaps begin to appear, the processes can be adjusted (with those changes documented through automated auditing) so as to give a better assurance of relevance. While there has already been a shift towards the concept of “big data” management, the key element that is missing is the understanding of how to craft and establish those processes that are used to bridge the automation and judgment divide.

One thought that comes to mind in this challenge involves the current challenges of how to protect networks in the Internet of Things (abbreviated as “IoT”)4 environment. There is a growing concern that this new, evolving, and expanding technology is opening up new threat vectors that can impact more sensitive


networks. For example, an individual may have an unprotected smartphone that connects to a refrigerator that helps with shopping. This refrigerator, however, is connected to the home network, which also has a connection to a work network. The threat can then hop through the smartphone, to the refrigerator, to the home network, and ultimately to the work network. While perimeter protection may offer one level of benefit, there is an increasing belief that improving the ability to detect suspicious activity within the network communication streams is becoming increasingly necessary to limit or manage this kind of vulnerability. This may operate at the physical levels (through the physical or datalink layers) but can also be present in some form as the attacker attempts to hop across virtual networks, such as what may be established in certain kinds of shared or cloud services.

5.4 Context Affecting Sensitivity

It is impossible to assess sensitivity without understanding the context. The concept of sensitivity is directly linked to the impact that an organization accepts as arising should the asset fall outside of appropriate care and control. This impact, often referred to as an injury in the asset protection and security domain, is factored with the probability of such an occurrence arising to give an idea of the risk involved. This risk is the same type of risk that is prioritized and given to management for their consideration and, if warranted, decisions with respect to managing that risk.

When looking at context, it is important to note that context is not a static or fixed entity. This continues to challenge organizations today as they continue to build their asset protection programs without taking into account future changes. A prime example of this would be flood control management. If one looks at context in terms of a movie, much of how we approach context comes from what may be described as a “snapshot in time” by looking at one frame in the film. Unlike a movie, which will proceed at a reasonably constant 30 frames per second (so it is moving), context does not have a steady rate of progress. It can change either quickly or slowly depending on the factors that act upon it or new influences that are brought to bear on it. Therefore, the valuation of assets (which is closely tied to context) cannot be looked at as a fixed and permanent value but must be considered as one that exists in a state of flux and change. This will influence the outcome of any risk assessment methodology, in the same way that changing any variable in a relational equation would affect that equation’s ultimate resolution. Context as it changes may significantly affect how we view impact.
With the example of flood control management, as we experience significantly different weather patterns, areas that once had only a few minor floods per year now experience routine flooding with a greater likelihood of severe flooding. This means that planning infrastructure projects must now take this into consideration as an impactful factor as part of those changes. Additionally, events previously believed


to be rare must now be considered. Post-tropical storm Fiona, in intersecting with another weather pattern, evolved from a disorganized post-tropical storm into a historic storm that could not be considered a post-tropical storm, but at the same time, could not be considered a hurricane. In southern Ontario and western Quebec, the derecho5 storm created a damage path similar in impact to a tornado, but it was several miles wide and stretched slightly over 600 miles (over 1,000 km) in length.6,7,8 During the 50-year period, US$202 million in damage occurred on average every day. Economic losses have increased sevenfold from the 1970s to the 2010s. The reported losses from 2010–2019 (US$383 million per day on average over the decade) were seven times the amount reported from 1970–1979 (US$49 million). Storms were the most prevalent cause of damage, resulting in the largest economic losses around the globe. It is the sole hazard for which the attributed portion is continually increasing.9 Tables 5.1 and 5.2 illustrate such ranked disasters.

Table 5.1 Top 10 Disasters Ranked by Deaths from 1970 through 2019

| Rank | Event type | Country | Deaths | Year |
|---|---|---|---|---|
| 1 | Drought | Ethiopia | 300,000 | 1983 |
| 2 | Storm (Bhola) | Bangladesh | 300,000 | 1970 |
| 3 | Drought | Sudan | 150,000 | 1983 |
| 4 | Storm (Gorky) | Bangladesh | 138,866 | 1991 |
| 5 | Storm (Nargis) | Myanmar | 138,866 | 2008 |
| 6 | Drought | Ethiopia | 100,000 | 1973 |
| 7 | Drought | Mozambique | 100,000 | 1981 |
| 8 | Extreme Temperature | Russian Federation | 55,736 | 2010 |
| 9 | Flood | Bolivarian Republic of Venezuela | 30,000 | 1999 |
| 10 | Flood | Bangladesh | 28,700 | 1974 |

Source: “WMO Atlas of Mortality and Economic Losses from Weather, Climate and Water Extremes (1970–2019),” World Meteorological Association. WMO-No. 1267.


Table 5.2 Top 10 Disasters Ranked by Economic Loss from 1970 through 2019

| Rank | Event type | Country | Economic losses (in US$ Billion) | Year |
|---|---|---|---|---|
| 1 | Storm (Katrina) | United States | 163.61 | 2005 |
| 2 | Storm (Harvey) | United States | 96.94 | 2017 |
| 3 | Storm (Maria) | United States | 69.39 | 2017 |
| 4 | Storm (Irma) | United States | 58.16 | 2017 |
| 5 | Storm (Sandy) | United States | 54.47 | 2012 |
| 6 | Storm (Andrew) | United States | 48.27 | 1992 |
| 7 | Flood | China | 47.02 | 1998 |
| 8 | Flood | Thailand | 45.46 | 2011 |
| 9 | Storm (Ike) | United States | 35.63 | 2008 |
| 10 | Flood | Democratic People’s Republic of Korea | 25.17 | 1995 |

Source: “WMO Atlas of Mortality and Economic Losses from Weather, Climate and Water Extremes (1970–2019),” World Meteorological Association. WMO-No. 1267.

Such physical, large-scale events can also impact various segments of populations and industries, costing lives and causing billions in economic harm (see Figures 5.1–5.3). As part of this calculation, the organization must remain aware of how the context is affecting the process that leads up to the prioritized list of risks. This may include the following:

◾ Impact. As previously shown, the context may result in an individual assigning a higher, lower, or appropriate value to the asset. Where assets are overvalued, the risks associated with them will naturally appear more significant, and the organization may waste resources in responding. Where assets are undervalued, the risks may be understated and leave the organization exposed to unforeseen losses.


[Figure 5.1: two pie charts of the number of disasters, total = 11,072 disasters. Left panel, United Nations country classification: developed economies, economies in transition, developing economies. Right panel, World Bank country classification: high-income, upper-middle-income, lower-middle-income, low-income.]

Figure 5.1 Distribution of number of disasters globally (1970–2019): (left) per United Nations country classification; (right) per World Bank country classification. Source: Illustration based on “WMO Atlas of Mortality and Economic Losses from Weather, Climate and Water Extremes (1970–2019),” World Meteorological Association. WMO-No. 1267.

◾ Probability. The context may result in the probability of certain scenarios being overvalued, undervalued, or even discounted. Consider personnel with military or law enforcement backgrounds. These groups have been in direct contact with certain kinds of threats and with significant amounts of information regarding those threats that are not readily available to the public at large. Because of this experience, the context in which the information and intelligence is presented is often different from that held by management—sometimes leading to conflict as management refuses to accept the probability of certain scenarios. Another aspect that has come to pass, however, is the understanding that we are currently dealing with a greater degree of uncertainty in many areas. This includes geopolitical uncertainty as we move to an increasingly multipolar geopolitical landscape. It also includes increased uncertainty with respect to both climate and weather.

◾ Vulnerabilities. These are indicative of the lack of something, or the incomplete application of something, that allows a threat to cause injury to an asset. These are heavily contextual in nature and frequently challenged. They are often identified by an individual based on his or her knowledge, skills, experience, or motivation. Similarly, the operational, environmental, financial, regulatory,

[Figure 5.2: two pie charts of the number of deaths, total = 2,064,929 deaths. Left panel, United Nations country classification: developed economies, economies in transition, developing economies. Right panel, World Bank country classification: high-income, upper-middle-income, lower-middle-income, low-income.]

Figure 5.2 Distribution of number of deaths from disasters globally (1970–2019): (left) per United Nations country classification; (right) per World Bank country classification. Source: Illustration based on “WMO Atlas of Mortality and Economic Losses from Weather, Climate and Water Extremes (1970–2019),” World Meteorological Association. WMO-No. 1267.

and threat contexts may make certain vulnerabilities more relevant than others. Vulnerabilities at a strategic level may also be the result of well-intentioned decisions that leave us unprepared for events. The lack of a reliable pipeline within Canada, for example, limits its ability to respond to the European energy shortage. Similarly, the lack of production capability and understanding of potential demand curves after the pandemic resulted in global shortages, and in having to make emergency purchases of flu vaccines and other medications.

◾ Thresholds. Risk management is based on the risk being perceived as crossing certain thresholds. Often these thresholds are imprecise or range-based, depending on the personal tolerances of management. Where the context changes, such as new financial restraints or conditions, threats to operations, or regulatory requirements, management decisions regarding how to approach the risks may also change.

One aspect that is becoming more apparent is that change is a thread that weaves through multiple events, and is no longer linear in nature. In fact, change has become more complex to the point of appearing chaotic. Change itself has become its own paradigm. Context, however, is more than the physical environment. The legal, regulatory, environmental, operational, cultural, and threat environments also factor

[Figure 5.3: two pie charts of the value of economic losses, total = US$3.6 trillion. Left panel, United Nations country classification: developed economies, economies in transition, developing economies. Right panel, World Bank country classification: high-income, upper-middle-income, lower-middle-income, low-income.]

Figure 5.3 Distribution of economic losses from disasters globally (1970–2019): (left) per United Nations country classification; (right) per World Bank country classification. Source: Illustration based on “WMO Atlas of Mortality and Economic Losses from Weather, Climate and Water Extremes (1970–2019),” World Meteorological Association. WMO-No. 1267.

significantly. These all become part of the larger context that encapsulates management decisions. It is this combination of context and the characteristics of the individuals involved that come together to form the perception of risk. The mechanics of this influence, touched upon earlier, can be described when looking at the roots of risk, beginning with the five major categories of sensitivity (at this point, in no particular order of priority):

◾ Confidentiality. The need to restrict access to something so that it is available only to an identified, authorized, and appropriately trusted community.
◾ Integrity. The ability to ensure that something has not been added to, changed, or deleted from without appropriate checks and balances being met and using only trusted processes.
◾ Availability. The ability to rely upon something to be available for use upon demand and to have it function as intended. One emerging approach is that of resilience, which looks at the ability of infrastructure to either absorb the impact or bring itself back to a functional state.
◾ Relative Value. The dollar value or equivalent of something.
◾ Social Value. The importance of the asset to the community or population, which has become increasingly subjective depending on differing viewpoints and perspectives.


One challenge that faces those practicing in the domain is the prioritization of these five categories. The prioritized order will not only shift based on the asset protection and security domain, but may also be influenced significantly by the perspective and other subjective factors tied to the individual doing the analysis. What needs to be clear is that the value of an asset is often stood on its head as a means of rapidly assessing the impact associated with some kind of threat. While this does offer a method for assessing the impact, it often fails to accurately describe the overall impact of something.

Consider the electronic control chip for modern vehicles. Such a chip may cost only a hundred dollars or so to produce and may be marked up only slightly due to the volume of sales, but the loss of the chip has two major contexts. The first is the lost revenue to those that manufacture the chip and sell it to the automaker. The second, less apparent context involves the loss of production and delay in sales that results when an inexpensive but critical component in the vehicle is missing.

A second element involves how that control chip interacts with the integration of new technology—such as the automation of a vehicle. Suddenly, the integrity of data coming through that chip has to be looked at in terms of its impact on the automation processes. This interaction could be minimal, or it could be significant enough to affect the safe operation of the vehicle. This introduces a layer of complexity because the value of the chip must now also be looked at in terms of its role in the system design and architecture, which, for the individual conducting the analysis and assessment, means looking at the chip not only in isolation but in the operational context. One may want to look at this in the context of attempting to locate electrons within an atom.
The paradox is that the energy that is applied to the electron to “see” it is actually enough to ensure that its location has changed. What may be more relevant is to stop looking for the exactly precise answer and to look instead at the concept of operating based on ranges of possibilities. An organization may not be able to agree that the total cost of an event is a certain value. As a result, it never fully establishes the impact criteria for risk and proceeds no further. What it can agree upon is that the impact value is certainly no lower than one value and no higher than another. The same applies for frequency. While this information will not provide as clear a snapshot for the executives, it provides a much more relevant set of outcomes and actually covers a broader range of potential scenarios. The outcome may be a communicated risk based on a lowest/highest impact, with a lowest and highest number of events.

It should be clear that the concepts of perspective and context are intertwined. Individuals have perspectives that are formed through their education, training, experience, and motivation. This perspective forms the basis of how they interpret the data, organize it into information, and build the context around them. That perspective and context drive how we assess the value of assets, and this in turn feeds into the risk management and enterprise management decision-making processes.

We are witnessing an evolution in the use of tools to change the perspective


or thinking of communities. Warfare has changed from a purely military activity to a whole-of-government activity, including propaganda and influence operations, that seeks to create either the conditions favorable for success or to erode the ability of an adversary to wholly commit to a course of action. Doctrines espoused by thinkers such as Primakov and Gerasimov have adopted this kind of thinking.10

The influence of context is a major if not determining factor in the debate on how to approach Operational Technology (often considered by several communities of interest as a culmination of the Internet of Things, the Industrial Internet of Things, and Process Control Systems, Safety Systems, etc.) as opposed to Information Technology. Without becoming too engrossed in the labels, the contexts here are divergent. The former is preoccupied with managing the state and changes of state in an environment that controls physical activity. Examples are the controls managing the valves on pipelines or chemical manufacturing processes. The latter is preoccupied with the management of files or other forms of information that are, by comparison, largely static and distributed or used as needed. In brief, one might argue that the application of practices from one field to the other may be possible within the realm of physics, but not in the context of their functionality.

Information Technology focuses on a hierarchical order of confidentiality, integrity, and availability associated with the objects in the subject-object pairing (most often information files). This triad is largely based upon maintaining the ability to use information as required and not have it pass outside of acceptable controls or environments. This structure only loosely applies to Process Control Systems. In this context, the values are interlinked and cannot be considered unique or independent. The service may be available, but still remain dangerous when the integrity aspect is not present.
Also, Process Control Systems have an additional factor in terms of availability, and that is one of precision. A document can be available in terms of either an electronic or hard copy and meet the criteria for being available on demand. Within the Process Control System context, the range of options that meet the availability and integrity pairing is far more limited.

One might look at this in the context of a Venn diagram, where Information Technology may look at the union of the overlapping characteristics (i.e., it appears in either, or uses the OR function), whereas the Process Control System function can accept only both being present concurrently (i.e., it falls into both, or uses the AND function). This rather subtle distinction changes the manner in which the asset valuation process has to approach the confidentiality-integrity-availability triad.

Consider a chemical manufacturing process. Ultimately, the goal is to keep the plant operating safely (i.e., not on fire and not exploding). This means that the chemical reactions are the determining concern. Too much or too little of a reaction can lead to the unsafe conditions that we seek to avoid. Availability is important in this context, but only when that availability is operating within safe parameters (so much of a chemical being inserted into a reaction in a calculated period). If availability is considered in isolation, one cannot state


with confidence that the negative outcomes will be avoided. Integrity, likewise, cannot be considered in isolation without factoring in availability, because the concern is a process, not simply the infrastructure. Again, the intersection between availability and integrity is the appropriate characteristic, not simply availability or integrity. Many risk assessment methodologies treat these two aspects independently (such as the Harmonized Threat and Risk Assessment methodology) or combine them using an OR function. Within the context of the Process Control System, they cannot be considered independently (AND function), making those models less effective.
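The two ideas of this section can be carried out in a small model: the range-of-possibilities approach (a lowest and highest impact together with a lowest and highest number of events, tested against a management threshold) and the OR-versus-AND distinction between information technology and process control. This is an added example, not the book's own method or tooling; the scenario names, dollar figures, event counts and threshold are constructed, and the availability-loss and integrity-loss counts per year are a modeling assumption introduced here so that the two rules can be compared on the same asset.

```python
"""Range-based risk statements with the AND/OR distinction for control systems.

Added example, not taken from the book. Scenario names, dollar figures and event
counts are constructed. Instead of forcing agreement on one impact figure, each
scenario carries an interval (lowest and highest plausible loss per event) and
separate intervals for how many times per year availability and integrity are
lost. Applying the book's rules literally: an IT asset remains usable while
either property is present (OR), so only an event removing both is counted; a
process control asset needs both present (AND), so losing either is counted.
Interval bounds for "either" and "both" are the usual union/intersection bounds.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float

    def __post_init__(self):
        if not 0 <= self.lo <= self.hi:
            raise ValueError(f"invalid interval {self.lo}..{self.hi}")

    def times(self, other: "Interval") -> "Interval":
        # With non-negative bounds the product's extremes are the products of the extremes.
        return Interval(self.lo * other.lo, self.hi * other.hi)


@dataclass(frozen=True)
class Scenario:
    name: str
    impact: Interval              # US$ loss per unacceptable event
    availability_loss: Interval   # events per year in which availability is lost (assumed input)
    integrity_loss: Interval      # events per year in which integrity is lost (assumed input)
    control_system: bool          # True: AND rule (process control); False: OR rule (IT)

    def unacceptable_events(self) -> Interval:
        a, i = self.availability_loss, self.integrity_loss
        if self.control_system:
            # Either property lost: at least the larger count, at most the sum.
            return Interval(max(a.lo, i.lo), a.hi + i.hi)
        # Both lost at once: possibly never, never more than the smaller count.
        return Interval(0.0, min(a.hi, i.hi))

    def annual_exposure(self) -> Interval:
        return self.impact.times(self.unacceptable_events())


def judge(scenario: Scenario, threshold: float) -> str:
    """Test the whole exposure interval, not a point estimate, against the threshold."""
    e = scenario.annual_exposure()
    if e.lo >= threshold:
        return "exceeds"      # true under every assumption in the range
    if e.hi < threshold:
        return "within"       # true under every assumption in the range
    return "straddles"        # needs a management decision or narrower data


def report(scenarios, threshold: float) -> dict:
    return {s.name: judge(s, threshold) for s in scenarios}


# Constructed sample: the same reactor feed controller assessed under each rule,
# plus a safety PLC whose exposure exceeds the threshold however it is read.
REACTOR_PCS = Scenario("reactor feed controller (AND rule)",
                       Interval(2e6, 6e6), Interval(0.5, 1.0), Interval(0.25, 0.5), True)
REACTOR_AS_IT = Scenario("reactor feed controller (OR rule)",
                         Interval(2e6, 6e6), Interval(0.5, 1.0), Interval(0.25, 0.5), False)
SAFETY_PLC = Scenario("safety shutdown PLC (AND rule)",
                      Interval(5e6, 8e6), Interval(1.0, 2.0), Interval(0.5, 1.0), True)
THRESHOLD = 4e6   # management's annual exposure tolerance, constructed

if __name__ == "__main__":
    for s in (REACTOR_PCS, REACTOR_AS_IT, SAFETY_PLC):
        e = s.annual_exposure()
        print(f"{s.name}: US${e.lo:,.0f} to US${e.hi:,.0f} per year -> {judge(s, THRESHOLD)}")
```

Run as is, the controller is "within" tolerance when read with the IT (OR) rule and "straddles" it under the process control (AND) rule; the rule chosen, not the data, decides the verdict.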

5.5 Enter the Cloud

The challenge of context creates a trap for those assessing the risks inherent in systems. Does one use an existing model and attempt to reform it to fit? This can lead to gaps or errors, as described earlier. Does one attempt to create new models, which will take significant time and effort to promulgate through both the technical and business communities until they are finally accepted? As we have seen with other models and structures, particularly in Canada’s Public Safety11 and the United States’ Homeland Security communities, this could take years to design, implement, refine, and ultimately adopt.

So how does one break free of this trap? There are two possible solutions. The first involves building a system that attempts to take as much of an individual’s prejudices or perspectives out of the equation as possible. This approach is difficult in that it is nearly impossible to validate, and it is nearly impossible to apply consistently. The second is to use a number of perspectives and a Delphi kind of approach to look at the perspectives, contexts, and, ultimately, risks to the organization.

This is where the concept of cloud computing comes into play. There are really three elements to the cloud that come into consideration. The first is that data is held in such a way that it is accessible across a broader community. In its purest form, cloud data would be accessible to everyone, but this is, quite frankly, not realistic. The second is that the computing power, the analysis of the data, and its organization would actually be subjected to a number of intermediary processes on the way to being transformed or translated into information. The third element is that the information produced in a cloud format would likely be more accessible and, as a secondary element to this, also likely available in its interim form and not simply in its final form.
Each of these needs to be understood, including the potential impacts associated with misuse or even hostile use, before an organization decides to move its data into a cloud format. The first element is the result of a gradual shift in terms of how data, information, and intelligence are handled by organizations. While intelligence, particularly in its most sensitive forms, is still guarded closely, the raw data and information


have been the subject of a gradual loosening of controls. Consider the period around Y2K—organizations largely held their data, information, and intelligence on proprietary systems. Those proprietary systems needed to be maintained and protected at the cost of the company—sometimes an expensive endeavor. Gradually, organizations sought to realize efficiencies by outsourcing, first, parts of the ability to hold data and information. Off-site storage centers and data repositories, particularly for use as backup sites, became more prevalent. This in turn led to organizations seeking to make arrangements with third parties that could handle certain parts of the processing of data and management of information. Finally, we now see network-based organizations using third-party suppliers entirely for their data holding and information management requirements. This transition has significant impacts when looking at the overall ability of an organization to protect and ensure the services it delivers.

This migration has forced organizations to adapt how they look at controlling their data, information, and intelligence holdings. In the more traditional models, where organizations controlled the personnel, assets, facilities, information, and supporting infrastructure, the focus was on ensuring that the organization applied the necessary administrative, physical, procedural, and technical security controls. As certain parts of this processing and storage capability were moved to known third parties, the only significant element that changed was the span of control that the organization exercised when planning, designing, implementing, monitoring, and adjusting these controls. As a result, outside networks needed to be certified against certain criteria, and a risk management decision was made through the accreditation process.

The design of how data is managed is becoming an increasingly important element in project management and execution.
This may involve appropriately identifying, labeling, and categorizing data that is the product of the work. It may also involve the same factors for data and information that is brought to the work. For example, if one were to conduct a series of vulnerability assessments, one should understand how data may be used (intentionally, but also later through discovery) within the organization before setting down hard and fast data and information management structures. Oddly enough, this is where skills developed in such sciences as the library sciences become very important to project managers, as those sciences look at how to store information not only in an organized manner, but also in a manner such that one can identify its value and retrieve it again later. One emerging challenge is the concept of data sovereignty. This challenge begins with the number of definitions and how those definitions are interpreted. Within certain clouds, data may be held in multiple jurisdictions. This is where the various laws associated with ownership, control, and distribution of data can become complex. Data or information that is completely legal in one jurisdiction may be illegal in another. Where does the onus lie with respect to preventing the movement of the

The Reinvention of Information Sharing and Intelligence



101

legal data in ways that could place the data owner in legal jeopardy? At the same time, many people (or in some cases, nations) do not want to see the data entrusted to them moving outside of their control. This results in contracts actually stipulating where the data can be held. This can evolve into a supply chain issue, where a contractor who has subcontracted to a data storage service discovers that the data provided to it may move beyond the conditions of the contract. This supply chain involves being able to understand the flow of data through various agreements and subcontracts until the actual point of data residency can be located. Depending on the nature of the contract, the nature of the constraints in the contract, and the structure of services that eventually lead to a final residency point for the data, people may be surprised to find the number of different transactions involving data that is thought to be tightly controlled. As various organizations move towards the cloud, a concern must be raised from the Critical Infrastructure Protection perspective. As organizations become increasingly reliant on certain services (such as cloud data storage or multifactor authentication), those services create what may be described as super- or mega single points of penetration. While the infrastructure itself may be well protected, the data that guides and records the activities in that infrastructure may face different kinds of exposure. If cloud services rely on a dozen major cloud providers, what would the strategic impact be if an attacker decided to attempt a scorched-earth approach by directly attacking those services?

5.6 The Cloud as an Amplifier

The integration of the cloud into the computing base (note that this is not necessarily the trusted computing base) will simply be an amplification of this principle. The main challenge for executives and managers with responsible charge positions will be to maintain their focus on their own mission and determine to what extent the cloud’s capabilities can be exploited. This includes asking the following questions:

◾ Has the organization appropriately identified the sensitivity of its data, information, and intelligence both from an operational point of view and the means and opportunity it can provide a competitive or hostile entity?
◾ Has the organization appropriately identified the requirements that must be met to appropriately manage the risks associated with the confidentiality, integrity, availability, relative value, and social value of the data, information, and intelligence?
◾ Has the organization designed and implemented a strategy that will allow the organization to ensure that these requirements are met and maintained? As a second part of this, has the organization also implemented a strategy that ensures that, once in place, they remain in place?


◾ Has the organization put in place the necessary administrative, physical, procedural, and technical controls so that it can monitor the location, condition, and access to its data, information, and activity? Can it exert the necessary influence to control the same?
◾ Has the organization considered this risk from not only its own perspective but also from the perspective of how that service aggregates data and access, and if that would make the service a more attractive target?
◾ Finally, has the organization designed and implemented the necessary administrative, physical, technical, and procedural controls so that it can recover its data, information, or intelligence at the same level of confidence or trust?

This reflects the perspective that organizations may seek to exploit the capabilities offered by the cloud, but prudent managers, often linked to accountability, will look at the cloud as a tool that serves the organization as it attempts to accomplish its goals and achieve its objectives. Perhaps the greatest challenge for those seeking to protect and assure critical services will be to identify, achieve, and maintain an appropriate balance when looking at exploiting the opportunities offered by cloud computing. This will rely heavily on those that can assess the sensitivity of data, information, and intelligence to the organization, and the opportunities that the same data, information, and intelligence would offer to competitive or even hostile entities. It will also involve a significant effort to manage the expectations of clients and users who will have been inundated with communications extolling the latest and greatest capabilities associated with cloud computing.

5.7 Clouds and Concealed Conduits

In this context, identifying the cloud as a concealed conduit may be of some value to the protection or assurance practitioner. This concealed conduit does not necessarily mean that the cloud penetrates the access control measures around the known network. It can also latch onto points where data, information, or intelligence is passed outside of the trusted network infrastructure. For the protection and assurance practitioner, some of the questions that should come to mind are the following:

◾ Does the organization share infrastructure with competitive or hostile parties? Is the infrastructure kept separate?
◾ Does the cloud, when establishing the resources necessary to store or process data or information, establish a partition that can be protected against outside interference, intrusion, or monitoring?
◾ Does the cloud, when communicating data, information, or intelligence, maintain an appropriate level of protection so that only trusted parties receive or have other access to it?


◾ Does the cloud create duplicates or copies of data, information, or intelligence, and are these protected to the same extent?
◾ Does the management of the cloud’s storage, processing, or communications routines or processes ensure that only those persons identified by the client as meeting certain criteria have access?
◾ Are there organizations that have been given access to data and information as part of End User License Agreements, such as those entities that use the characteristics of data and information to target marketing or services? To what extent do these organizations have access—do they see headers and metadata, or are they able to plunge into the message body? The person signing off on the EULA may not be the data owner—something that can muddy the waters in a legal challenge should the information be compromised.
◾ Does the data actually impart value to the infrastructure, and/or does it mean that the owners of the infrastructure have the right to exploit data and information for their own value? While the debate over the use of media content continues to rage, one of the more pressing legal issues is how the various parties in the dispute have to compensate each other with respect to derivative works.

Here we are essentially discussing the trusted computing base (TCB). This can be described in terms of that infrastructure under control where the hardware, software, and firmware involved operate at a level where management does not face any significant risks associated with losses of confidentiality, integrity, or availability of data or services. Dealing with cloud-based issues, when put in this context, is a simple exercise contextually but may pose some challenges in terms of implementation. Integration of the cloud simply involves expanding the trusted computing base in terms of processing and storage.
In mature systems where there is an implemented certification/accreditation regime in place, this is a simple matter of activating the appropriate change control protocols. At this point, the issue becomes complex and offers the opportunity to open up concealed channels. The first issue involves identifying the scope of infrastructure that may be involved. This can be divided into a series of questions:

◾ Where can data be sent or stored as part of the processes directly involved in the computing or storage processes? For example, what servers and lines of communication are identified as being able to handle the data?
◾ Where can data be sent or stored as part of the processes that are indirectly involved in the computing or storage process or, in other terms, may be involved in supporting the overall operations of that infrastructure? For example, does the infrastructure involve backup routines or systems that will copy the data and hold it in other locations?
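The supply chain question raised in Section 5.5 (following subcontracts until the actual point of data residency can be located) and the direct/indirect scoping questions just above are the same exercise: walk the chain of providers and record every place a copy of the data comes to rest. The following is an added illustration, not code from the book or from any provider; the party names, jurisdictions, and contract chain are constructed, and the contract is assumed to permit residency only in the jurisdictions passed as `allowed`.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Party:
    """One link in the storage supply chain. Every party here is constructed for the example."""
    name: str
    jurisdictions: List[str]                 # where this party itself holds the data
    copies: List[str]                        # kinds of copy it keeps: "primary", "backup", "log"
    subcontractors: List[str] = field(default_factory=list)  # parties it passes the data on to


# Constructed contract chain: the data owner contracts only with CloudCo, but CloudCo's own
# backup and logging suppliers (and their suppliers) also come to hold copies.
SUPPLY_CHAIN: Dict[str, Party] = {
    "CloudCo":      Party("CloudCo", ["CA"], ["primary"], ["BackupInc", "LogSaaS"]),
    "BackupInc":    Party("BackupInc", ["CA", "US"], ["backup"], ["ColdStoreLtd"]),
    "ColdStoreLtd": Party("ColdStoreLtd", ["IE"], ["backup"], ["BackupInc"]),    # cycle back up the chain
    "LogSaaS":      Party("LogSaaS", ["US"], ["log"], ["Unknown Analytics"]),    # names a party we know nothing about
}


def trace_residency(chain: Dict[str, Party], start: str) -> List[Tuple[str, str, str, int]]:
    """Walk the subcontract graph from `start` and return every (party, jurisdiction, copy kind, hops)
    at which the data may come to rest. hops == 0 is the party the owner contracted with directly;
    hops > 0 are indirect holders (backups, logs, sub-subcontractors). A cycle is visited once."""
    seen: Set[str] = set()
    out: List[Tuple[str, str, str, int]] = []
    stack = [(start, 0)]
    while stack:
        name, hops = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        party = chain.get(name)
        if party is None:
            # A contract names a supplier we hold no information about. The residency point is
            # unknown, which is itself a finding rather than something to skip silently.
            out.append((name, "UNKNOWN", "unknown", hops))
            continue
        for jurisdiction in party.jurisdictions:
            for kind in party.copies:
                out.append((party.name, jurisdiction, kind, hops))
        stack.extend((sub, hops + 1) for sub in party.subcontractors)
    return out


def residency_violations(chain: Dict[str, Party], start: str, allowed: Set[str]):
    """Residency points outside the jurisdictions the owner's contract permits (unknown ones included)."""
    return [r for r in trace_residency(chain, start) if r[1] not in allowed]


if __name__ == "__main__":
    for party, jurisdiction, kind, hops in residency_violations(SUPPLY_CHAIN, "CloudCo", {"CA"}):
        where = "direct" if hops == 0 else f"{hops} hop(s) down the chain"
        print(f"{party}: {kind} copy in {jurisdiction} ({where})")
```

Run against the constructed chain, the directly contracted party is compliant; every violation sits one or more hops down, which is exactly the situation the text describes, and the unresolved "Unknown Analytics" entry shows why a gap in the chain must be reported rather than ignored.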


The second involves being able to trust what we know about that infrastructure. In the information technology realm, this generally involves the concept of certification and accreditation. Certification involves an expert determining the level of compliance, or adherence, with specific standards. Accreditation involves management looking at the level of adherence to those standards, determining specific steps needed to manage any unacceptable levels of risk, and then commissioning the network to operate within certain constraints. This leads to two kinds of concealed conduit. While both involve the actual conduit being present, the difference comes from whether or not the accrediting body detects those concealed conduits. In cases where there is an appropriately conducted threat and risk assessment, inspection, and other forms of checks, the conduit may be fairly apparent to the accrediting body. That is because of the work that was done to identify it and communicate it. The second comes from situations where the conduit is there but remains undetected for some reason. This could be the result of many factors, including the following:

◾ Failing to identify the appropriate criteria to be met.
◾ Failing to use appropriately capable persons (expertise).
◾ Failing to conduct the full assessment.
◾ Over-relying on end documentation (such as certificates).
◾ Refusing to accept what is presented in the technical reports.

The overreliance on certification documentation has a number of elements to it. The education industry has often been challenged by the following:

◾ Programs that are not accredited but hold themselves out to be.
◾ Institutions that hold themselves out to be competent and capable but that operate without oversight.
◾ Simple business enterprises that will sell an official-looking certificate that can be used to fraudulently bypass hiring or similar controls.

We also see this practice entering into other certification regimes. This also comes in various forms—ranging from unethical practitioners to disreputable business enterprises. Consider the recent exposure of organizations that offer college and university degrees for sale. While on the surface, this may appear to be fraudulent, one has to look at why it might be considered so. Universities (fully accredited) sometimes offer course credit for those who have performed certain jobs (life credits). Even certain organizations will equate the time an individual performs at a certain level as meeting certain educational requirements. Another approach to this is translating trade credits (training) to stand for academic credits (education) due to the overlapping of material. The key element lacking in these degree mills is that there is no


link to the common criteria used to determine if the individual should, in fact, hold that level of qualification or attestation. This issue, however, permeates far deeper than education and training. Should an individual who is a professional auditor be able to certify and make recommendations regarding accreditation of something outside of the audit process? One might argue that they most certainly should not, as they lack the technical knowledge and experience relative to the domain. They should be clearly limited to stating only those elements within the certification structure that they could or could not prove through documentation, observation, or interviewing. Yet today, we see several organizations accepting the outcomes of these kinds of audits not just in terms of what is lacking, but also in terms of what steps the auditor proposes should be taken in order to resolve any gaps. It is this latter element that poses the most significant risk to those looking at the issue of cloud computing. This is because the organization may well take steps to mitigate the risks associated with certain detected and assessed vulnerabilities, but it may well fail to act if those vulnerabilities are not identified. This failure to act means that the overall process has not delivered the value that it should have, and it also leaves the organization, and potentially the overall system, vulnerable.

5.8 Linking the Trusted Computing Base and User Communities

When looking at information sharing, one has to look at who is sharing the information, what the information is being shared on, and whether it is appropriate to be sharing the information. These three elements are the core of any effective information sharing structure—ranging from conference calls to multimillion-dollar fusion centers. Having looked at what the information is being shared on, we need to return to the authorized user community. This community has three things in common:

◾ They are identified, and that identity is authenticated through trustworthy sources.
◾ They are authorized to have access to the assets involved, ranging from the TCB to the information held on it, after having undergone a formal authorization process.
◾ They are all bound to abide by certain conditions, generally set down as part of the certification and accreditation process.

This community represents more than simply the end users and managers of the TCB. It also includes a range of support services and other secondary roles that may have incidental access to the system or the data contained on it.


There are potential conflicts that need to be overcome when looking at information sharing and the TCB. The first involves the philosophy of how the authorized user community should be defined. The TCB sets these definitions in terms of the need to know—limiting access to those who have met the criteria defined earlier. People, however, do not operate based on the need-to-know principle. They operate on the basis of what might be more appropriately termed the need to share. This does not mean that the user is compelled through some feature of character to give away secrets to all under the sun. It means that the user evaluates individuals on a case-by-case basis and ultimately makes a personal judgment call based on (1) personal trust and (2) the need to share the information in order to accomplish the goals. This does not represent an attack on the concept of the need to know. That concept is still being preserved under the need-to-share regime. It does represent, however, two shifts in doctrine. The first is that it moves the need-to-share information back to the user/operations level and away from the administrative level. It also means that the need-to-know decision becomes decentralized, with the authority being taken by the user level and often justified through the argument that the sharing was vital in order to reach the objectives and maintain the goals of the organization. This decentralization of the decision to share information, sometimes even outside of apparently normal practices, means that those overseeing the information sharing arrangements and the TCB must place significant emphasis on education, training, and oversight. It also changes the applicability and solidity of such roles as the data owner and data custodian within the information security domain. This applies through the entire cycle that an individual may have access to the information and the TCB, including the following:

◾ Background screening as a mandatory part of selection.
◾ Training.
◾ Ongoing familiarization.
◾ Active monitoring of the individual and use of the network.
◾ Active monitoring of the individual and the communication of controlled information.

After the individual is selected and before granting access, the individual must be made aware of the various restrictions that operate within the system. This is a basic principle linked to the concept of natural justice—before enforcing something, there must be a reasonable expectation that the restriction is well known and understood. This also applies to the consequences associated with violating the restrictions. This requirement is often overlooked or bypassed in large or distributed organizations, leaving the organization vulnerable in terms of a lack of ability to enforce its own requirements with those with access.


Meeting this requirement in the need-to-share environment requires more than simply having signed statements on file. As the user has additional responsibilities in terms of the decision to share information or allow access, he or she must also be well educated and competent in making decisions that remain in line with management’s intent. It also requires the user to have the confidence necessary to make the appropriate decision to share or not to share. A significant part of this is understanding that the management involved applies rules consistently and fairly on one hand, but on the other hand makes decisions and exercises judgment when individuals can be clearly shown to be operating in a way that takes appropriate precautions and meets management’s intent. Corporate culture and how it accepts or rejects the risk environment will also factor heavily in this. Where an organization’s corporate culture is well aware of the threats, vulnerabilities, risks, and consequences, it is much more likely to ensure that various restrictions stay in force and will limit its decisions to those that align with both the intent of the restrictions and operational needs. An organizational culture that does not accept these will not abide by the restrictions except in circumstances where it believes that individuals will be detected and punished. While this may be adequate in the eyes of some management, it is a weak posture. From the perspective of information sharing, this means that a balance exists with respect to access within the user community and TCB and the privileges that can be exercised as part of the need to share. This balancing point will be weighted as a result of a number of decisions with respect to how risk is managed. 
These decisions and requirements will be the result of requirements including, but not necessarily limited to, the following:

◾ Laws, regulations, and similar measures that generally cannot be risk managed except by the most senior levels of government with the support of the courts.
◾ Overarching policies that are the result of parent organizations making risk management decisions.
◾ Restrictions that are the result of information sharing or asset sharing agreements.
◾ Internal decisions that are the result of management’s decision to manage risks in a certain way.

It is important to note that the principles of risk management are an important element in the need-to-share principles. One of these principles is that only the owner of the risk management decision has the authority to make decisions that run contrary to his or her previous direction. This is that individual who bears the accountability associated with the appropriate protection or use of the assets involved and, as a result, holds delegated authority from the more senior layers of management—usually the highest levels. Those who decide to manage risks differently for their


own purposes without first seeking the consent of that delegated officer or individual run a significant risk of running afoul in their decision-making. Ultimately, the requirements and constraints placed on individuals must be clearly communicated. This is once again accomplished through the inform-and-acknowledgment process. The individual is informed of the sum total of the requirements, the relevant consequences, and the method of clarifying issues. The individual then acknowledges that he or she has been informed, assents to being subjected to the sanctions that may arise from breaking them, and acknowledges the process by signature or some other attestable means.
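Section 5.8 defines the authorized user community by three conditions (authenticated identity, formal authorization, acknowledged restrictions), layers four sources of constraint on top of it, and reserves exceptions to the owner of each risk management decision. The following added example, which is not code from the book, encodes that decision as a need-to-share check: a user who fails any community condition is refused outright, and a recipient blocked by a given layer is admitted only with a waiver signed by that layer's own risk owner. The layer names, the `CURRENT_RESTRICTIONS_VERSION` re-acknowledgment mechanism, and all users, partners, and owners are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# The four sources of constraint listed above, most to least senior (constructed model).
LAYERS = ("law", "parent_policy", "sharing_agreement", "internal")


@dataclass
class Constraint:
    layer: str
    allowed_recipients: Set[str]
    risk_owner: Optional[str]   # who may authorize an exception; None = cannot be risk-managed here


@dataclass
class User:
    name: str
    authenticated_by: Optional[str]      # trustworthy identity source; None if never verified
    authorized_assets: Set[str]          # assets granted through the formal authorization process
    acknowledged_version: Optional[int]  # version of the restrictions the user signed off on


# Bumped whenever the restrictions change, so everyone must be informed and acknowledge again.
CURRENT_RESTRICTIONS_VERSION = 3


def community_gaps(user: User, asset: str) -> List[str]:
    """The three conditions every member of the authorized user community must meet."""
    gaps = []
    if user.authenticated_by is None:
        gaps.append("identity not authenticated by a trustworthy source")
    if asset not in user.authorized_assets:
        gaps.append(f"no formal authorization for {asset}")
    if user.acknowledged_version != CURRENT_RESTRICTIONS_VERSION:
        gaps.append("current restrictions not acknowledged")
    return gaps


def share_decision(user: User, asset: str, recipient: str,
                   constraints: List[Constraint],
                   waivers: Dict[Tuple[str, str], str]) -> Tuple[bool, List[str]]:
    """Decide whether `user` may share `asset` with `recipient`.
    `waivers` maps (layer, recipient) -> name of whoever signed the exception. A layer that
    blocks the recipient is cleared only by a waiver from that layer's own risk owner."""
    reasons = community_gaps(user, asset)
    if reasons:
        return False, reasons
    for c in sorted(constraints, key=lambda c: LAYERS.index(c.layer)):
        if recipient in c.allowed_recipients:
            continue
        signer = waivers.get((c.layer, recipient))
        if c.risk_owner is None:
            reasons.append(f"blocked by {c.layer}: cannot be risk-managed at this level")
        elif signer != c.risk_owner:
            reasons.append(f"blocked by {c.layer}: exception requires {c.risk_owner}"
                           + (f", not {signer}" if signer else ""))
    return not reasons, reasons


# Constructed sample data: partners, owners and users are placeholders.
CONSTRAINTS = [
    Constraint("internal", {"PartnerA"}, "DirOps"),
    Constraint("law", {"PartnerA", "PartnerB", "Regulator"}, None),
    Constraint("parent_policy", {"PartnerA", "Regulator"}, "CISO-Parent"),
]
ALICE = User("alice", "corp-pki", {"threat-report"}, 3)
BOB = User("bob", "corp-pki", {"threat-report"}, 2)   # signed an outdated version of the restrictions

if __name__ == "__main__":
    for who, to in ((ALICE, "PartnerA"), (ALICE, "PartnerB"), (ALICE, "Journalist"), (BOB, "PartnerA")):
        print(who.name, "->", to, share_decision(who, "threat-report", to, CONSTRAINTS, {}))
```

The point the code makes is that decentralizing the share decision does not remove the layering: the user's judgment operates inside the permitted set, and stepping outside it produces a named accountable person per layer, with the law layer producing no such person at all.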

5.9 Barriers to Information Sharing

The key barriers to information sharing come from a lack of trust and teamwork between the government, industry, and academic parties. The level of trust will vary from interaction to interaction, but the lack of trust between institutions is clearly evident. From the government perspective, the reasons the private sector refuses to share information can be reduced to the following:

◾ The desire to conceal information that may lead to the government detecting shortfalls in regulatory compliance.
◾ The concern that the revelation of the information could be used to assign or increase the level of liability or other similar forms of risk that an organization assumes.
◾ A lack of trust that assurances given by the officers in one part of government will be adhered to by officers in another part of government.
◾ A lack of confidence that information provided in confidence will be maintained in confidence due to public disclosure rules.

From the private sector perspective, concerns surrounding the sharing of information rotate around a number of core issues. These include the following:

◾ That information shared in consultative processes may be used by the government as part of a regulatory enforcement action.
◾ That information shared in a consultative process can make it to the hands of the competition, causing loss of market position.
◾ That information shared in consultative processes can end up in the hands of the public and lead to a loss of public confidence or brand credibility.

The academic community has been proposed as one potential alternative to break this stalemate. The academic community is seen as being free of vested interest and can be trusted, when appropriately directed, to remain free and clear of competitive


issues. This, one might argue, may operate within the realm of the academic, but when one approaches the university as a business within a competitive market, it begins to break down as they can compete amongst each other. One significant concern, however, is that the academic community is also subject to a number of laws requiring the disclosure of information, and this could again expose the information. If looking to build communities that allow for the sharing of information, a change in many of these attitudes will be required. Government regulators, often overly concerned with practices to ensure absolutely equal fairness, will need to understand that such practices may need to be adjusted somewhat if the private sector is going to expose itself to additional risks. Similarly, all parties will need to understand that any information revealed during these processes must be protected against disclosure, even if under the authority of exceptions to existing disclosure information or under the authority of new legislation. The final barrier to information sharing lies with organizations that seek to advance their position by having access to data, information, or intelligence that others do not. Administrative processes, including security clearances, will need to be adjusted to allow for regional (provincial, state, territorial) and municipal governments’ participation. Many of these barriers are in need of adjustment to reflect new operational and CIP/CIA realities. The focus, particularly in a world where joint operations and international teams are involved, must be on the ability to share data, information, and intelligence in such a way that the overall parameters for mission success are achieved.

5.10 The Continuing Rise of Open Sources

The notion of open-source data and information comes from the computer industry’s use of open-source software, or software where the code is freely available. Organizations are now placing more and more information into the public domain, often as a tool to attract business or to demonstrate their own capabilities. Researchers access this data and information to perform research that would have been impossible in the past. An emerging risk in open-source research involves the use of crowd-sourced data. Consider weather forecasting. This requires sensors to collect data, and the more sensors that you have, the greater the probability of accurate or at least reasonable models. As governments and other institutions reduce the number of sensors (often due to cost constraints), reliance on crowd-sourced data to replace the lost collection capability is becoming a factor in how certain predictive services are managed. The question is how to assure that those collection points are providing reliable and credible data into those systems. The vulnerability associated with open sources comes from the potential for researchers to fail to apply quality controls or checks to the data. While governments


and academic institutions have often limited the overall access to information, treating it as a marketable commodity, they have done so with an understanding that such data was published only after undergoing stringent checks to ensure its reliability and credibility. The risks associated with open sources, as a result, involve a loss of credibility of the research at one level or, at a more fundamental level, a loss of accuracy or completeness. It should be clear, however, that these risks can be mitigated and addressed through the formation of networks of private researchers. Several organizations, ranging from formal associations such as ASIS International and the International Association of Maritime Security Professionals, to less formal networks such as SCADASEC¹² and similar research lists, form networks of persons who can comment on the validity and context of the data and information while the data is on its transformative process to information and ultimately intelligence.
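The quality-control question raised for crowd-sourced sensor feeds (how to assure that collection points are providing reliable data) has a standard defensive answer: compare each contributor against a robust consensus of its peers, flag the ones that disagree, and weight future fusion by each contributor's track record. The following is an added example, not code from the book or from any forecasting service; the readings, sensor identifiers, and thresholds are constructed, and a median/MAD consensus is one reasonable choice among several.

```python
from collections import defaultdict
from statistics import median
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: (sensor_id, time window, temperature in C). Five crowd-sourced
# sensors report over three windows; "s4" is a stuck sensor reporting 40.0 every time.
READINGS: List[Tuple[str, int, float]] = [
    ("s1", 0, 10.1), ("s2", 0, 10.4), ("s3", 0, 9.8), ("s4", 0, 40.0), ("s5", 0, 10.0),
    ("s1", 1, 11.0), ("s2", 1, 11.3), ("s3", 1, 10.7), ("s4", 1, 40.0), ("s5", 1, 10.9),
    ("s1", 2, 12.2), ("s2", 2, 12.5), ("s3", 2, 11.9), ("s4", 2, 40.0), ("s5", 2, 12.1),
]


def robust_consensus(values: List[float]) -> Tuple[float, float]:
    """Median and median absolute deviation (MAD). Unlike mean/stddev, a single wild
    contributor cannot drag these far enough to hide itself."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def flag_outliers(readings, k: float = 5.0, floor: float = 0.5) -> Dict[int, Set[str]]:
    """Per window, the sensors whose reading is more than k * max(MAD, floor) from consensus.
    `floor` stops a window where all honest sensors agree exactly (MAD == 0) from flagging
    everyone for tiny differences."""
    by_window = defaultdict(list)
    for sid, w, v in readings:
        by_window[w].append((sid, v))
    flagged = {}
    for w, items in by_window.items():
        med, mad = robust_consensus([v for _, v in items])
        scale = max(mad, floor)
        flagged[w] = {sid for sid, v in items if abs(v - med) > k * scale}
    return flagged


def sensor_reliability(readings, k: float = 5.0, floor: float = 0.5) -> Dict[str, float]:
    """Fraction of windows in which each sensor agreed with the consensus (its track record)."""
    flagged = flag_outliers(readings, k, floor)
    windows, agreed = defaultdict(int), defaultdict(int)
    for sid, w, _ in readings:
        windows[sid] += 1
        if sid not in flagged[w]:
            agreed[sid] += 1
    return {sid: agreed[sid] / windows[sid] for sid in windows}


def fused_estimate(readings, window: int, min_reliability: float = 0.67) -> Optional[float]:
    """Consensus value for one window using only sensors whose track record clears the bar."""
    rel = sensor_reliability(readings)
    vals = [v for sid, w, v in readings if w == window and rel[sid] >= min_reliability]
    return median(vals) if vals else None


if __name__ == "__main__":
    print("flagged per window:", flag_outliers(READINGS))
    print("reliability:", sensor_reliability(READINGS))
    print("window 2 estimate:", fused_estimate(READINGS, 2))
```

The same structure applies to any crowd-sourced feed (air quality, traffic, outage reports): the consensus step answers "is this reading credible now?" and the reliability score answers "has this source earned a vote?", which is the quality-control layer the passage says open-source research too often omits.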

5.11 Open-Source Information and Intelligence

What researchers need to be cognizant of is the difference between open-source information and open-source intelligence. The difference between the two closely parallels the difference between information and intelligence. Open-source information is intended to provide facts, but not to explain the importance of such facts. Intelligence, on the other hand, is data and information that have undergone that formal process of collection, collation, analysis, and dissemination. As with data and information, there is a need for the researcher to be cautious. There are several companies that indicate that they produce intelligence, where in fact they are simply regurgitating open sources of information. These firms are often little more than media monitoring companies that can provide lists of commentary. The second challenge is that those companies that do produce intelligence need to be understood in the context of what they deliver as business lines. In short, as with other information, the context in which the data was organized needs to be understood. That being said, there is a notable increase in the number of organizations that sell or trade in what can be described as open-source intelligence. These involve organizations gathering together publicly available information and, with the assistance of specially trained or skilled individuals, working that information through the analysis process to become intelligence. Some of this intelligence is placed into the public domain in order to demonstrate the capability of the organization, while the rest is held on to in order to develop clients. These organizations may be less susceptible to certain kinds of contextual pressures, but still need to be understood in terms of their business contexts, including relationships with other clients or service providers.
A significant number of these groups have risen because of the need for credible intelligence in the private sector and, as noted earlier, the inability of the private sector to work through various information sharing requirements in a timely manner.


5.12 An Approach to Information Sharing—The Consequence-Benefit Ratio

As these organizations arise, there is an opportunity to change the model. At the grassroots level, open sources of information and intelligence can be supplemented by the more proprietary sources. The emphasis, however, would shift from those proprietary sources to publicly available sources that can be reviewed and quality controlled. Where a proprietary source must be used, consideration may well be given to the establishment of a “Good Samaritan” law. This would involve a relief from liability, where the disclosure of such information was necessary to prevent grievous harm to individuals or the national interest. While this may seem somewhat Orwellian, the early forms of this capability have been applied in the medical community, allowing medical practitioners to communicate information that, if withheld, could lead to a loss of life or risk of grievous bodily harm. This open-source information can be brought together through various forms of technology. For information that has no significant value in terms of compromise and sensitivity, the Internet and other wide broadcast tools may be appropriate. As information becomes progressively more sensitive, the shift may be toward the more traditional restrictions. Ultimately, however, to break out of the current deadlock, the government needs to look at information sharing in terms of cost and benefit. Where the consequences can be mitigated and limited to areas that do not overly affect the safety, security, and economic well-being of citizens, the benefits in terms of contributing to operational success can be weighed. If there is sufficient imbalance in favor of operational success, then the information is shared within the trusted community or, as a second tier, the community that is working toward the common interest.

Notes 1. Please note that there are three slightly varying definitions—all from NIST— regarding the term “tactics, techniques, and procedures.” In some regards, they all represent the same concept behind the term. URL: https://csrc.nist.gov/glossary/ term/tactics_techniques_and_procedures (alt URL: http://cipbook.infracritical.com/ book5/chapter5/ch5ref1.pdf ). 2. www.commerce.senate.gov/services/files/24d3c229-4f2f-405d-b8db-a3a67f183883 (alt URL: http://cipbook.infracritical.com/book5/chapter5/ch5ref2.pdf). 3. The term “big data” refers to data sources that are constantly and rapidly changing, consisting of extremely large amounts, both in size as well as depth of information collected, and are referenced from a plethora of multiple sources. URL: www.census. gov/topics/research/big-data.html (alt URL: http://cipbook.infracritical.com/book5/ chapter5/ch5ref3.pdf ).

112 ◾ Critical Infrastructure

4. www.nist.gov/internet-things-iot (alt URL: http://cipbook.infracritical.com/book5/chapter5/ch5ref4.pdf).
5. A “derecho” (pronounced similarly to “deh-REY-cho”) is a widespread, long-lived wind storm that is associated with a band of rapidly moving showers or thunderstorms. Although a derecho can produce destruction similar to the strength of tornadoes, the damage typically appears in one direction along a relatively straight swath. As a result, the term “straight-line wind damage” sometimes is used to describe derecho damage. By definition, if the wind damage swath extends more than 240 miles (about 400 kilometers) and includes wind gusts of at least 58 mph (93 km/h) or greater along most of its length, then the event may be classified as a derecho. URL: www.weather.gov/lmk/derecho (alt URL: http://cipbook.infracritical.com/book5/chapter5/ch5ref5.pdf).
6. https://globalnews.ca/news/9164190/derecho-damages-ontario-quebec/#:~:text=Referred%20to%20as%20a%20derecho,high%20as%20195%20km%2Fh.
7. www.ibc.ca/on/resources/media-centre/media-releases/derecho-storm-ranks-6th-largest-insured-loss-event-in-canadian-history.
8. www.thestar.com/news/canada/2022/11/17/newfoundlands-fishing-towns-were-built-to-survive-but-fiona-changed-the-game.html?rf.
9. https://public.wmo.int/en/media/press-release/weather-related-disasters-increase-over-past-50-years-causing-more-damage-fewer (alt URL: http://cipbook.infracritical.com/book5/chapter5/ch5ref6.pdf).
10. https://carnegieendowment.org/2019/06/05/primakov-not-gerasimov-doctrine-in-action-pub-79254.
11. https://www.publicsafety.gc.ca/index-en.aspx (alt URL: http://cipbook.infracritical.com/book5/chapter6/ch6ref7.pdf).
12. https://scadasec.groups.io (mailing list); http://scadas.ec (blog website) (alt URL: http://cipbook.infracritical.com/book5/chapter5/ch5ref7.pdf).

Chapter 6

Challenges Facing Vital Services

DOI: 10.4324/9781003346630-6

6.1 Defining Vital Services

A vital service is a service that exists outside of a specific critical infrastructure sector but acts as an input to multiple sectors and activities in such a way that the impact mirrors a disruption in critical services. Other sectors are dependent upon this input for their proper and secure functioning, making these services a potentially high-value target for supply chain attacks. These may also be of value to an attacker that seeks to disrupt the critical infrastructure sector by misdirecting response efforts towards the vital services or by degrading the ability to respond to the discovery of an attack. In these forms of attack, adversaries target the secondary, or even the tertiary, vital services of a critical infrastructure sector, indirectly (and eventually) impacting the primary set of services. Thus, at a tactical level, vital services may also be looked at in terms of vital or critical dependencies that support the mission of the facility as it delivers the capacity necessary to meet those demands. For example, an HVAC system affects multiple systems beyond the mission of a control room of a power generation plant. On the one hand, this will act as a dependency that affects the primary target; but, on the other hand, this will also serve to disrupt and confound secondary services. The key distinction here is that a vital service at the strategic level acts across multiple facilities or organizations at the same time. Microsoft’s or Google’s Multifactor Authentication service, for example, may be used as part of the access control for multiple organizations. By disrupting this service, at least a portion of primary critical infrastructure activities would be disrupted.


Other examples of these conditions are personnel that provide vital services to multiple organizations (such as key maintenance personnel), assets (certain specific tools), spaces (testing laboratories, etc.), information sets (datasets shared across a sector) or other supporting services. While these can be looked at in terms of the dependency on them by one sector, the fact that they act as a dependency across multiple sectors creates an exposure to disruption by targeting this common point. One example of this can be found in the shipping industry when considering safety critical systems. These systems are necessary to ensure that the conditions on board vessels do not become intolerable or even unlivable. The safety critical systems are defined in MSC-FAL.1/Circular 31 or in the International Association of Classification Societies (IACS) Unified Requirements E22.2 Technical personnel able to work on these systems may be in short supply, meaning that the organizations employing these people rely upon the trustworthiness and capability of these individuals. Given the culture of safety within the maritime industry, those involved in the drafting of the maintenance instructions and the calibration instructions may also come close to falling into this category.
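One way to make the tactical/strategic distinction above concrete is to map dependencies as a graph and trace how the loss of a supporting service propagates, through secondary and tertiary services, into the primary services of each organization. The following Python is an added illustration, not from the book or from any project it cites; the organizations, service names and dependency edges are constructed sample data.

```python
"""Rate supporting services as tactical or strategic vital services.

Added illustration (not from the book). A service whose loss propagates,
directly or through intermediate services, into the primary services of
several organizations is a strategic-level vital service: a candidate
single point of failure outside any one sector's span of control.
"""
from collections import defaultdict, deque

# Constructed sample data. DEPENDENCIES maps a service to the services it
# directly relies on. Names are "Organization:service"; providers shared
# across organizations carry no prefix.
DEPENDENCIES = {
    "PlantA:control_room": ["PlantA:hvac", "PlantA:operator_access"],
    "PlantA:hvac": ["PlantA:chiller_maintenance"],   # key maintenance staff
    "PlantA:operator_access": ["mfa_provider"],
    "PlantB:control_room": ["PlantB:hvac", "PlantB:operator_access"],
    "PlantB:operator_access": ["mfa_provider"],
    "WaterUtility:scada": ["WaterUtility:remote_access"],
    "WaterUtility:remote_access": ["mfa_provider"],
    "Port:vessel_traffic": ["Port:comms_link"],
    "Port:comms_link": ["sat_comms_provider"],
}

# Primary services: mission-level services whose disruption mirrors a
# disruption of the critical infrastructure sector itself.
PRIMARY_SERVICES = {
    "PlantA:control_room", "PlantB:control_room",
    "WaterUtility:scada", "Port:vessel_traffic",
}


def organization_of(service):
    """Owning organization, or 'shared' for an external provider."""
    return service.split(":", 1)[0] if ":" in service else "shared"


def build_dependents(dependencies):
    """Invert the dependency map: dependency -> services that rely on it."""
    dependents = defaultdict(list)
    for service, needs in dependencies.items():
        for need in needs:
            dependents[need].append(service)
    return dependents


def impact_of(service, dependents, primaries):
    """Breadth-first walk from a service to every primary service affected
    by its loss. Returns {primary: hops}; hops 1 is a direct dependency,
    2 a secondary one, 3 a tertiary one (shortest path is recorded)."""
    reached = {}
    queue = deque([(service, 0)])
    seen = {service}
    while queue:
        node, hops = queue.popleft()
        for dependent in dependents.get(node, ()):
            if dependent in seen:
                continue
            seen.add(dependent)
            if dependent in primaries:
                reached[dependent] = hops + 1
            queue.append((dependent, hops + 1))
    return reached


def classify_vital_services(dependencies, primaries, org_threshold=2):
    """Rate every supporting (non-primary) service.

    'strategic': loss reaches primary services of at least org_threshold
                 distinct organizations (a cross-organization SPOF).
    'tactical':  loss reaches primary services of a single organization.
    'none':      no path to any primary service.
    """
    dependents = build_dependents(dependencies)
    all_services = set(dependencies) | {
        need for needs in dependencies.values() for need in needs}
    report = {}
    for service in sorted(all_services - set(primaries)):
        reached = impact_of(service, dependents, primaries)
        orgs = sorted({organization_of(p) for p in reached})
        if len(orgs) >= org_threshold:
            level = "strategic"
        elif orgs:
            level = "tactical"
        else:
            level = "none"
        report[service] = {
            "level": level,
            "organizations": orgs,
            "max_hops": max(reached.values(), default=0),
        }
    return report


if __name__ == "__main__":
    for name, info in classify_vital_services(DEPENDENCIES,
                                              PRIMARY_SERVICES).items():
        print(f"{name:28s} {info['level']:9s} orgs={info['organizations']} "
              f"deepest_path={info['max_hops']}")
```

In the sample, the shared MFA provider is reached only through each organization's own access service, yet it surfaces as strategic because three organizations' primary services sit two hops behind it, while the plant's HVAC and its maintenance contractor remain tactical.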

6.2 Trends Creating Vital Services

Vital services can form as a result of competition within the open markets. Consider cloud services. Microsoft, Google, and AWS hold a significant share of the overall market, with the remaining providers being very distant. These kinds of markets can create a condition that begins to approach a strategic-level single point of failure (SPOF)3 that resides outside of the span of control of any particular sector. While markets may create these SPOFs, vital services can also form as a result of the service becoming attached or associated with critical infrastructure sectors or critical infrastructure information. A service may have reasonably humble beginnings, but as time passes, it collects “clients” that may hold access or information at a more sensitive level. These systems may, or may not, have rules or warnings that advise their clients of the limits of their security assurance. At the same time, the volume of “client” data in aggregate can also create conditions where the service’s level of sensitivity increases. Let’s consider three examples: (1) autonomous shipping, (2) 2FA/password management services,4 and (3) a specialized service (any service that would cater to a specific industry, such as HAZMAT response, airline incidents, online tracking services, etc.). For the first example, the sensitivity of the ship has to be looked at in two contexts: the first is the ship itself and what impact it could cause; and the second is the cargo that it carries. When addressing the ship as its own impact, we can look at the Halifax 1917 explosion incident. In this example, the Mont Blanc and the Imo collided, causing a significant disruption at the port. Further, the load of


ammunition and explosives on the Mont Blanc caught fire, and it resulted in the largest man-made explosion until the atomic explosion at Hiroshima, Japan. While the collision was disruptive, the nature of the cargo and how it was loaded exacerbated the impact and took it to catastrophic levels. When we address autonomous shipping (specifically remote-piloted Degree 2 and Degree 3),5,6 the main issues are: determining who is the authority having jurisdiction,7 and determining how the incident occurred and where the fault lies. Was the fault the result of an action performed by the ship’s operator, or was it the result of flaws or deficiencies in the communications provider, or the architecture between the ship’s operator and the onboard control systems? More importantly, how do you investigate an incident such as this, and then prosecute wrongdoing? The various service providers, and potentially the investigative organizations, may fall into the category of “vital services.” So, for example, where all communications for the autonomous shipper are routed through a communications service provider, we would have to look at that provider’s service in the context of the potential impacts to the public welfare and safety. The next example pertains to two-factor authentication and/or password management services (or similar services that become gateways across a large number of communities), where an organization depends on that service for access to its own data, whether internal or cloud-based. Some prime examples might include file sharing, electronic mail, and application databases. These kinds of services offer a would-be attacker two kinds of opportunities: (1) to attack a broad base of services that rely on the additional authentication process and (2) to conceal the true attack by hiding it in the clutter (or noise).
Once again, the challenges lie in the increased sensitivity associated with this service through both the aggregation of the targets and the potential inclusion of more sensitive individual targets. Essentially, these services were not designed with this level of sensitivity or impact in mind.8 The third and last example pertains to specialized services that may see an increase in their sensitivity depending on what they track or what they support. A tracking service that provides up-to-date information as to the whereabouts of packages may be less sensitive than the systems that track the movement of spent nuclear material. In this case, the challenge is that the reasonably nonsensitive tracking system could find itself used to track much more sensitive items than was foreseen when its design was conceptualized. For example, the package tracking system may today be used to track online purchases of specific sensitive items (such as firearms). When considering services such as HAZMAT response, the sensitivity of these services needs to be tied to the organizations or infrastructure that they support. A response team located in a rural area may not have as great a need for response as that of a metropolitan area, or one that services the reservoirs of an urban water supply. So, with the nature of the incident, such as cleaning up an isolated, non-evacuative semitruck HAZMAT spill, versus an areawide fire in a facility near a downtown centralized core, their responses are based on the circumstances and their potential impacts.


These three examples show a need to maintain an ongoing understanding of how certain services and capabilities are used. As this use increases in sensitivity, there is a need to understand if those services will impact critical infrastructure sectors (even if indirectly) or the ability to respond to critical infrastructure-related events.

6.3 The Role of Regulatory Oversight

In the previous section, we identified a set of conditions or circumstances that did not begin with an obvious connection to public safety but that evolved into one. The key responsibility of any government involves protecting the safety, security, and economic well-being of its citizens. These are elemental to the state, and any state that fails in this regard soon finds itself first diminished on the world stage and ultimately loses its ability to maintain its own core values and philosophies as it is subverted to other interests. While this view may, to a few, appear to be somewhat harsh, it is the reality of the world. Social programs and soft power do not exist except on a foundation that has assured the safety, security, and economic well-being of a nation. Without the economic engine, the country cannot project its interests abroad (militarily or socially) except through rhetoric and being reliant on the actions of others. Where the safety of the nation’s population is concerned, legal and ethical considerations begin to drive the agenda of governments. Where the security of the state is threatened, then this issue can consume the priorities and agenda of the government in such a way that all other priorities fall by the wayside. The role of business, on the other hand, is the generation of wealth and the returning of reward for some form of investment. A business that fails in this respect will, like the state, first find itself diminished and, ultimately, failing and fading as its market share is diminished and ultimately swallowed up by its competition. One has only to look at the challenges for the big box retail stores over the past five years to see more than a few examples of the realignments, mergers, and outright failures in the sector. One might also argue that the realignment of food retailers and drug retailers in Canada follows the same pattern.
Businesses may choose several different routes in their affairs, but there are really three major factors:

1. The generation of adequate wealth to cover costs and realize profit.
2. The reduction of costs to increase the net income of the organization.
3. The stabilization of a core market share and, as the need to generate more revenues increases, the expansion of that market share outwards.

Achieving these goals can take many forms. Some will focus on the generation of new wealth followed by the reduction of costs. Some will involve the reduction
of costs to become lean followed by building reserves with which they move to expand. Some involve forming alliances with other companies (or simply taking them over) to reduce the losses and energy associated with competition. Others may simply adopt new technology and approaches, essentially trailblazing into new markets or business lines. Understanding this dynamic is important, as much of the critical infrastructure is owned and operated by the private sector. This creates a situation that may be described as a delicate balance or partnership in positive situations. This is most likely the most positive end state when it comes to establishing a symbiosis in terms of knowledge, skills, abilities, and resources. This is not always the case, and failing to recognize this imbalance can lead to dire situations in which the potential for injury and damage are compounded significantly as the two communities remain locked in conflict. While there are many positive examples of government and industry working together, there have been some examples of how this tenuous balance can fall into conflict. In 2008, the Canadian federal government and a private rail firm entered into an agreement that required the private firm to operate, maintain, and repair the rail line in a timely manner until March 31, 2029. In 2012, the federal government made a shift that, the private company argued, shifted the demand for the rail line and caused many of its clients to shift to alternative ports. The rail line began and continued to lose money for a period. In the spring of 2017, a significant storm eroded significant parts of the rail line and rendered them inoperable—severing the major transportation link between the community of Churchill, its outliers, and the main transportation network to the south. 
With the private rail line indicating that it would not repair the rail line without assistance and the government taking the stand that the company had to meet its contractual obligation, it became apparent quickly that the town of Churchill was going to be isolated for a significant period of time, would have to rely on air transportation for much of its movement of persons and goods, and could even face increasing risks associated with fuel availability for the winter months. This conflict escalated quickly. Mid-October saw the federal government issue an ultimatum to the private firm, declaring that it had 30 days to fix the rail line or it would face an $18.8 million lawsuit.9 Mid-November saw little movement towards a resolution, with each side making public statements that accused the other of sabotaging the issue, and court filings that saw the federal government initiate its lawsuit while the private firm (a U.S.-based company) filed under the NAFTA agreement, indicating that it would sue the federal government for $150 million if arbitration did not result in a settlement.10 While a solution to this challenge eventually presented itself, the situation was preventable. Fortunately, the circumstances surrounding this particular challenge are in the public domain, allowing lessons learned to be generated and communicated. For lessons learned, we may want to look at how public property is divested and what is the nature of due diligence checks that need to be conducted,


particularly where the property being divested can be considered critical or vital infrastructure. This should be tied to a formalized structure and admonishment to the organization or the department divesting itself of the property that there still is a standard of care owed to support that community (or at least not undermine or subvert it), and that officials should be made aware of this duty of care. In this example, the rail line had a history that should have raised concerns or questions that should have been resolved before the sale was finalized. The consortium that came forward to manage the rail line (and to manage the port) should be examined in terms of its ability to sustain operations. This is not to say that there are any indications of instability; rather, the approach offers an opportunity for a candid discussion about how the different parties can contribute to the project’s success and long-term viability. These discussions need not only to address past issues, but also to chart a mutually agreeable structure for future efforts and improvements. While this situation is currently resolved, the opportunity exists for all parties to innovate for any upcoming challenges.

6.4 Balancing Public Safety and Business Operations

Business, in general, consists of organizations whose priority is generating wealth, not necessarily serving the public good. Government bodies, on the other hand, are focused on the public good and the maintenance of the state, not on generating wealth. This does not necessarily mean that they are mutually exclusive to each other. They do, however, approach issues from very different viewpoints. This can lead to a conflict that needs to be balanced. For this section, we will review three situations requiring greater scrutiny. Two of these situations involve interactions between corporations and local governments, and the third involves an entire industry. There is a natural tension between the business and regulatory communities. This tension has resulted in the following major challenges:

◾ Challenges associated with abilities to resolve conflicting priorities between government at a policy level and business operations at a continuity level. For example, the government directing a public utility (or an independent system operator, or “ISO”)11 to make major infrastructure changes while placing a cap on any rate increases that would pay for those changes (e.g., Nova Scotia Power, ERCOT in Texas—see Figure 6.1).
◾ Challenges associated with the sharing of vulnerability information between regulatory bodies and the private sector. This pertains particularly to the government sharing of meaningful threat information, but also the private sector’s sharing vulnerability information and operational impacts.
◾ Challenges associated with ensuring that the regulatory process is not usurped by the private sector to further its own agenda. The current state of guidance with respect to autonomous shipping illustrates how industry can drive regulatory processes.
◾ Challenges within the public sector/regulatory bodies in maintaining the ability to maintain effective monitoring of the implementation of regulatory requirements and ensuring an appropriate level of enforcement. Any cyber-related regime illustrates the challenges faced by regulators in terms of how to inspect, how to enforce, and how to maintain a body of competent individuals.

Figure 6.1 A map of Regional Transmission Organizations/Independent System Operators (RTOs/ISOs) in the United States.

These three challenges currently threaten the balance between the public and private sectors in a way that can have significant impacts on both public safety concerns and the ability of private sector entities to compete within emerging markets. The sharing of vulnerability information within the critical infrastructure domain continues to be challenging. Ultimately, one would propose that having access to relevant vulnerability information is necessary when considering the evolution, or even reform, of regulations. The source of that vulnerability information often comes from entities that are themselves regulated by the same body. Many regulatory bodies, however, have taken the approach that they will move into an investigative and enforcement mode upon the discovery of any information that


appears to be a willful failure to meet regulatory requirements. As a result, private sector entities tend to be less than enthusiastic about sharing such information with the regulator. Private sector entities within the same domain are often in competition with one another. With brand reputation and other similar concerns being a significant factor (influencing market share, the ability to raise capital through stock offerings, etc.) in the success of businesses, the sharing of such information may result in a balance that affects the company’s competitive advantage. Again, this limits the ability to gather that vulnerability information. This leads to the second challenge. While some organizations will attempt to conceal vulnerability information to protect their reputation or to avoid regulatory impacts, some companies may attempt to maintain control over the regulatory process to protect their own goods, products, or services. An organization may seek to escalate its own practices into regulations or best practices to enshrine them in regulations, essentially capturing a market. An organization may similarly attempt to tailor the requirements demanded by regulations to limit or manipulate the competitive market. For example, costs associated with audits and insurance may be set high enough that small businesses have little to no hope of generating the revenues necessary to maintain their memberships. The larger firms within an association may attempt to push these limits through, using the association’s name and influence, to sweep the competitive field. Concurrently, an organization may attempt to present new technology in such a manner that the regulatory bodies do not have the time necessary to assess it before it comes to market. In these cases, the private company may appear to be helpful, providing guidance and advice with respect to how to operate the technology safely and securely based on their own testing and evaluation. 
This is then presented to regulatory bodies in such a manner that the proposed practice becomes an acceptable practice in the eyes of the regulatory body. Depending on the nature of the regulations, this provides a level of what may be considered “official recognition” that assists in the marketing of the product or service. These two conditions can lead to a circumstance where the regulator loses the ability to enforce its own regulations. The first aspect (the loss of awareness of the vulnerabilities inherent in the industry) challenges the inspector with respect to what may be considered reasonable and the level of baseline security across the sector. This can lead to underenforcement in circumstances where the inspector becomes convinced that confronting one entity can lead to repercussions coming back from the industry. Given that regulatory measures are generally appealed in tribunals that weigh the balance of probabilities (as opposed to criminal court, where things must be proven beyond a reasonable doubt), this can pose challenges for the inspectors as they attempt to justify apparent differences in treatment (why one facility may have been targeted and another not targeted, etc.). The second challenge involves the ability to maintain a level of oversight while not allowing the regulatory process to become a limit to legitimate and appropriate


competition. This was referred to in the second challenge but involves three flaws. The first flaw arises when the regulatory body accepts, on faith (i.e., not conducting their own testing or testing through a neutral third party that is kept clear of external influences), the statements made by organizations that are seeking to have their products approved for use. This is a flaw because most regulatory regimes clearly indicate that an individual cannot be put in a position where they approve their own work. At the least, this deficiency in the approach may put the regulatory body in a position where it can be challenged with respect to whether it upheld its duty of care or met a standard of care. The second element involves the regulator being able to detect whether there are unacceptable deficiencies prior to an event. Would an inspector be able to detect a flaw within the communications system that may allow for a vessel or vehicle to be taken over? Would the inspector possess the necessary knowledge, skills, abilities, and resources to detect vulnerabilities within the system? If the inspector does not, and the regulatory body has set requirements that the inspector cannot assess, what options are available to the regulator with respect to allowing that individual to sign off on an inspection that may be counted upon to trust that a system is operating safely and securely? From a public perspective, would an individual in the public be comfortable if it was determined that inspections were simply a matter of verifying documentation and that inspectors were less able to make credible technical assessments with respect to what they are signing off? When practices and technology begin to outpace the ability of the regulatory body to assess impacts, implement or communicate requirements, or make the necessary adjustments to its oversight processes, these questions become very significant given the potential impacts.

6.5 Consultation, Cooperation, or Coercion

A critical question for both the public and private sector entities involves determining whether the proper course of action is one of consultation, cooperation, or coercion. Each of these represents a different level of involvement. The consultative regime can best be described in terms of a challenge and response structure. One side of the equation requests information of the other, and the other entity provides what it considers to be an appropriate response. The onus is on the side asking the questions to ask the right questions, or at least, appropriate questions; while the other side may be held accountable later for having provided incomplete or less-than-completely accurate responses. The consultative regime is also the one that offers the regulator the greatest flexibility. In putting the question to industry, the regulator can either accept the response, challenge the response, or even override the response based on higher priorities. It can also challenge the industry if the industry fails to identify a potential impact, and it can indicate that the industry had its opportunity to guide the regulator down another path but failed to do so.


While the consultative regime may offer the greatest flexibility in some regards, it can still be viewed with skepticism by industry if the response points towards something considered a violation of, or a deficiency in, the application of regulations. If the regulator chooses to use a consultative process as the means of gathering information for enforcement purposes, the system becomes unbalanced, as the private sector participants see involvement as exposing them to risk. At the same time, if an inspector starts an enforcement proceeding against one organization for something that another organization is given “a pass” on in another area, there may be a challenge of procedural fairness or the consistency of enforcement actions. The regulator needs to decide where the priority lies—is it with securing the system by having access to good information, or with protecting the regulatory framework by maintaining a rigidity in its application? Today’s challenge within the consultative regime lies in being able to identify the right question. This returns to the question of the “Unknown-Unknown” (essentially, we don’t know what we don’t know). This situation is increasing as the complexity and interconnectivity of systems increases. For example, we may not have a full understanding of the unknowns associated with automated vehicles. We may also have an incomplete understanding with respect to the severity and frequency of certain kinds of storms. Where this becomes challenging is at the intersection of these two—how would this technology behave under the adverse conditions associated with these storms? In the cooperative regime, the challenge involves the combination of scope, duration, and spans of control/influence. While consultation is a relatively narrow scope that allows each side to limit and tailor its answers to specific circumstances, cooperative regimes see each member of the group making a commitment to tackle the challenges that emerge. 
This can involve several iterations of what might be compared to the consultative regime. It may also involve topics that are either unforeseen at the start of the project or that may have levels of complexity or sensitivity that challenge the system. Comparing these two systems yields an understanding that the consultative approach provides an advantage for the public sector when looking at the development of regulations in terms of a project. As most project managers will attest, there is a challenge that involves the balancing of scope, time, and resources. The consultative process allows that to become a natural part of the formalized process. When there is a need for the regulations to be published or brought into force on a certain date, one may well expect to see a bias towards the consultative approach. The cooperative approach is often integrated after the regulations have been passed. This is because the core deadlines have been met and the scope can be limited to addressing issues that appear in the regulations. The pressures associated with deadlines have also been largely lifted. This shifts the focus to a longer-term effort, involving identifying those elements of the regulations that need to be added, modified, or removed to address issues, reflect changes, or respond to evolving threat and operating conditions. This is where the reader will find various


working groups, committees, and other forms of partnerships that focus on longer-term and less defined issues. The gap that can occur in this process, however, occurs when the scope of the regulations takes precedence over the intent of the regulations. Consider the issue with autonomous or remote-controlled ships. When the International Ship and Port Facility Security (ISPS) Code was brought into being as an amendment to the Safety of Life at Sea convention, there was a presumption that ships were manned. Remote controlled vessels may have been conceptualized and on the horizon, but it was a relatively distant horizon. While the ISPS Code spoke to the need to assess and secure network and communications equipment, the application of this subsection in Part B was considered more in terms of being able to communicate securely and to protect systems on board the vessel or in port. While there is a natural extension of this to the communications and network infrastructure and operations for such concepts as the “bridge of the future,” this is one of those issues that operate at the fringe of the scopes. As a result, the need to address the issue may be identified, but it may not appear to be as critical to those that approach the regulatory renewal process as a process and not as an exercise in risk management. The concept of coercion in the regulatory space is challenged by the fact that the public sector entities do not actually own the infrastructure or companies that they are attempting to direct. We are currently seeing this in the energy sector, as government attempts to reduce the use of fossil fuels by pushing infrastructure onto the electrical grid while also attempting to limit the rate increases utilities can charge consumers because of high inflation.
In Nova Scotia, this was handled through the use of legislation which prompted Nova Scotia Power and Emera (its parent company) to respond that the utility would be challenged in terms of meeting the province’s “green initiatives.”12 As an aside, the press release could have been phrased in terms of “you cannot have your cake and eat it too.”13,14 The reality is that while the government has the ability and authority to regulate, the private sector can simply declare that it will no longer operate under those conditions and, unless there is some binding mechanism that compels that cooperation, very little can be done except to attempt to find a mutually beneficial solution. This coercive or authoritative approach doesn’t necessarily involve only public-private relationships. It may also involve issues between levels of government—such as federal and state or federal and provincial. The healthcare debate in Canada, for example, sees the provinces demanding greater funding for the healthcare system, while the federal government indicates that such funding would need to come with conditions on its use and oversight to ensure that any increases in funding were used for suitable purposes. This debate has reached an impasse. What is clear is that with no indicators of movement in the immediate future, the focus on fixing the issue is becoming less clear. We see a similar challenge when looking at Canada’s ability to export oil. Alberta has faced significant challenges with the movement of oil. While rail was used previously, it is not a terribly efficient method for moving the volumes that need to be moved, and the risks of accidents along the rail lines can raise challenges. The construction of pipelines to move the oil, however, also faced challenges from various groups that saw the infrastructure as either posing environmental risks, failing to respect certain treaty obligations, or a combination of both. The end result is very much an export capability for Alberta’s oil, often to the south through the United States. The need for authoritative power (based on legal structures or mandate) in this structure is relatively clear. It is based on the need to be able to drive all parties towards a resolution of an issue and, should an issue appear to be unresolvable to the satisfaction of all parties, then pressing towards a consensus that all parties can live with. If this is not possible, then the authority must be able to finally set the pin in the sand by stating that the debate has gone on for long enough and reach a decision. This is not just an issue of basic leadership—it involves ensuring that the processes used to identify, form, and manage groups have a sound foundation that is unassailable. In the case of Canada’s healthcare system, the crossed mandate lies at the root of several issues and has resulted in a stalemate as both halves of the equation “dig in.” Additionally, the United States has similar, if not more complex, issues between its citizens, the healthcare industry, and both state and federal governments. When considering the conflict between Alberta and British Columbia, the need for strong underpinning structures (in this case involving federal-provincial affairs) guided by strong leadership that understands at what point authority must be exercised becomes critical. This coercive structure is also being exhibited in both the Canadian and the U.S. responses to a number of challenges within critical supply chains and telecommunication services.
In Canada, the proposed Bill C-26 respecting cyber security15,16 will require not only incident reporting, but the formation of security programs and an ability to respond to the direction of Public Safety17 to impose controls to protect critical infrastructure. While it is not being stated explicitly, there is a belief within the security practitioner community that the general recalcitrance of many organizations to do this of their own accord has led the government to using legislative and regulatory tools. We see a similar approach being taken with supply chains, where both Canada (again through C-26)18 and the United States (through Executive Orders 14028 and 14067)19,20 have taken steps to direct industry to take certain steps or face consequences ranging from administrative monetary penalties, criminal proceedings, or simple expulsion from being able to enter into contracts with the federal government. Given challenges such as increased automation, the need for faster and more comprehensive data analysis, and increasingly fault-intolerant systems, one might reasonably expect to see the regulatory process move in the following directions over the short to medium term:

◾ Governments and other entities that have clear time frames and mandates that are supported by legitimate authority (the ability to exercise coercive power if needed) are likely to press towards a consultative structure. This will largely focus on the policy and program areas where the organizations are tied directly or closely to political mandates and promises, and which are therefore considered to be under significant public scrutiny or pose a risk to the public reputation of the administrations involved.

◾ Scientific and development communities that are addressing complex issues will likely adopt a blend of the consultative and cooperative approaches. The nature of this blend will depend upon the neutrality of the organization pressing the issue forward, while the focus will involve the perceived risks in terms of market share and reputation. For example, a company promoting a new form of technology may attempt to launch a cooperative effort but may also attempt to exert significant influence (referential and political) to protect its own goods and services.

◾ Professional associations, trade associations, and similar entities are likely to press towards cooperative processes during and after the regulatory process. While the structure of these discussions will trend towards the cooperative, they are likely to be bounded by those entities’ efforts to protect their mandate, reputation, and market share. This area, however, is likely to see the most activity due to the growing changes in how these associations reach broader (international) communities and can communicate to reach broader audiences. The lobbying activities of these groups (both formal communities and informal/issue-driven communities) are likely to see the increased use of social media and communications tools in their efforts to promote change through the creation of internal and external pressures on decision-makers.

6.6 Balancing Resilience and Financial Responsibility

For the regulator, this leads to the next challenge—that of balancing the ability to maintain resilience in their operations while also demonstrating a level of financial responsibility. This is a clear case of cost-benefit analysis. The cost aspect is perhaps the clearest issue. Consider the scenario where a cooperative approach is used, and the regulator relies upon the use of contractors or consultants for their technical knowledge. First, the regulator has not actually shed its accountability by going to an outside source of information—that accountability remains, and it becomes accountable for the decisions associated with the use of those resources. Second, there is the issue of cost. Consultants with significant technical knowledge are not inexpensive. Consider that a senior advisor within the Canadian system could cost the government approximately $150,000 per year between salary dollars and other forms of support. That value represents a full year’s work at 7.5 hours per day. A consultant making $1,000 per day would consume these resources in 150 person-days, or slightly over seven working months if allowed to be consumed by one person. As a result, one may be able to build the business case for the use of consultants and contractors for specific, short-duration issues (addressing a specific issue), but it becomes increasingly difficult to justify their prolonged use from an economic standpoint. There are also challenges that come from the ability to maintain corporate knowledge and contain information regarding potential vulnerabilities in the system. These can also lead to significant financial impacts (meaning dollars spent, as opposed to an impact on the economy) against the organization as it attempts to reconstitute its knowledge base or defend itself. Responding to this cost issue can become challenging. The regulator is often dealing with an environment that has been defined through negotiations with respect to the expectations placed on its employees—such as in labor contracts and similar mechanisms. Adding new requirements or limiting powers (or advancement) based on new requirements can lead to significant challenges should individuals attempt to use the grievance process to reduce their burden. Similarly, arguments regarding work-life balance have created an environment in many areas where there is an expectation that any training and professional development must be done on “work time,” and that the employee is due additional consideration should they be required to commit their own time or resources. This is where basic project management comes into play with the management of scope, time, and resources. For the regulator, the question is the same. It involves the amount of work (and expectations), the number of resources available, and time. The running truism is that a project authority can pick two of the three, but the third will be decided for them. If one picks scope and time, then resources will be dictated. If one picks time and resources, then scope will be dictated. For the regulator, determining this priority will be contextual in nature. When looking at these three, there is a natural priority.
The scope of regulations is determined by the regulations themselves and the laws that apply. Being selective in what laws or regulations will be enforced is difficult territory to operate within. At the same time, one can argue that in a globally competitive environment, time is also of the essence. The time lost waiting for regulatory decisions and the uncertainty that arises during that period are anathema to innovators as they commit their own resources and effort to finally reaching a point where they can benefit from that innovation. As a result, there is a bias towards the issue revolving around the amount of resources available or to be committed. When looking at the resources, which can be translated into people and the tools available to perform work, one cannot simply expect to operate at 100% all the time. Military forces long ago learned that there were elements that were deployed, elements preparing for deployment, and elements that would reconstitute themselves following deployment. A similar structure needs to be looked at in terms of setting a structure in place that allows for some persons within the organization to be in the training and development system while others are deployed and doing the work in the field. Some would argue that this conflicts with the need to reduce costs and the size of government, as a number of persons may not be directly working in the field while they are acquiring new knowledge and skills.


This, however, becomes an issue of “best dollar” versus “lowest dollar.” Again, the question of time, resources, and scope comes into play. If one states that resources are the key element (lowest dollar), then one will have to make up the loss or gap from either the scope (deregulation) or time (time to market and operational impacts). This also forces the organization back into the trap of becoming reliant on consultants and contractors for their day-to-day operational needs as opposed to specific operational requirements. When looking at the best dollar value, there is a calculation to be made. If the issue is a short-term, single-event issue, then it may well be worth engaging consultants. Where such events become part of the baseline operating environment, there will need to be an adjustment of the baseline knowledge, and that will require training. In this case, the number of persons that need to develop expertise in the area to meet demand needs to be established, that number needs to be adjusted to allow for any requirements for ongoing learning and upkeep, and ultimately, the organization needs to adjust its size based on the reasonable expectation that it can meet the obligations made under the various agreements (including its collective agreements—which it can renegotiate later using the appropriate mechanisms).

6.7 The Emerging Role of Private Associations and Membership

In some cases, the regulator may determine that it cannot achieve the necessary level of oversight and may attempt to share its authority from within a legislative frame. Traditional regulations involve the government and tribunals acting as the key source of authority. There are some areas that involve the concept of self-regulation—where the industry is expected to organize itself and to ensure that its members all meet the requirements set down by the government. In this context, expertise within government is critical, so that the government can maintain an oversight of its decision to allow for self-regulation. The government may also look towards something referred to as hybrid regulations, where the authority is shared between the government and a professional body that is given legal authority and standing on technical matters. One sees this in engineering, legal, and medical colleges that can sanction their members should those members come into conflict with that body’s acceptable codes of practice. The coming challenges with the foreseeable evolutions in technology and movement of populations (ranging from normal migration, to political issues, to climate change, etc.) come in two major forms. The first of these involves the care and effort that it takes to establish such bodies (if that route is to be explored) to ensure that matters of public safety (in its broad sense) are treated first and that the regulator maintains an adequate capability to oversee these organizations. This will again necessitate an assurance of loyalty and competence that may well require regulators to demand that their personnel maintain that level of parity with those that they are regulating.


The second criterion involves coordinating the interaction between these organizations to ensure that individuals still have mobility and that there are reasonable expectations that organizations can compete. Organizations and associations that place baseline restrictions limiting participation based on requirements that are not in line with the requirements to be met (such as setting an unnecessarily high insurance carrier or setting significantly high baseline memberships) must be prevented if the governments wish to argue fairness in competition. Organizations that promote or establish this kind of practice have little to no business using the authority of the state to protect their attempts at generating de facto monopolies.

6.8 Membership versus Competition?

There are emerging systems that have membership to certain operations as a prerequisite for operations. This is another area that is likely to be challenged legally should these kinds of requirements continue to flourish. The question becomes, at what point should those associations be allowed to remove members if membership is a regulatory requirement? Does this, in fact, provide a method of regulatory sanction without providing for an appeal mechanism for those involved? Under what conditions should the organization be required to provide a reasonable means for membership for businesses that cannot be reasonably expected to pay significant fees? The danger here is that associations can attempt to use internal decision-making powers for such factors as fees, bylaws, internal discipline, and other factors to manipulate the market. For example, an association may set a requirement for individual membership at several thousand dollars. This may limit, if not eliminate, the ability for several individuals to participate in the market. Similarly, those members that operate at the fringe of the membership may find themselves forced to adopt hostile or damaging measures to retain their memberships. The question becomes whether this practice becomes a protectionist control that runs afoul of fairness and competition conventions and legislation or not.

6.9 Authors’ Note

Regulators will likely face significant pressures over the coming years. Environmental factors such as climate change, changes in the threat environment, and the evolution of technology (with some significant possibilities on the near horizon) will put pressure on regulatory bodies to find ways to appropriately oversee the design, implementation, use, control, and removal from service of technology and other security controls in the critical infrastructure protection domain. These pressures will be influenced by factors such as scope, resources, and time. As a result, one might see areas left unregulated, or even a measure of deregulation. One may see increased reliance on professional associations and see these organizations given expanded powers. At the same time, the regulators will be under increasing pressure to meet the need for increased training and development cycles so that they are not pushed into situations where they cannot discharge their functions or oversee those that are delegated to support them in the discharging of those functions. This, in turn, may well lead to conflicts and comments with those seeking to press for the reduction of internal government costs to ensure adequate resources for other government activities, or simply for political capital.

Notes

1. www.gard.no/Content/23896593/MSC-FAL.1-Circ.3.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter6/ch6ref1.pdf).
2. https://iacs.org.uk/download/4054 (alt URL: http://cipbook.infracritical.com/book5/chapter3/ch3ref21.pdf).
3. A “single point of failure” (also called a “first-order fault”) represents a design flaw or weakness of one (or more) component(s) or subsystem(s) of a system that is sufficient to cause a system failure. A “failure” represents an impact to an operation, but its cause is unknown, whereas a “fault” represents an impact to an operation, and its cause is known; however, why it occurred is unknown.
4. “2FA” is an abbreviation for “two-factor authentication”. It is an authentication process which uses two or more factors to achieve a successful authentication. Factors include: (i) something you know (e.g., password/personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). URL: https://csrc.nist.gov/glossary/term/2faterm (alt URL: http://cipbook.infracritical.com/book5/chapter6/ch6ref6.pdf).
5. www.imo.org/en/MediaCentre/PressBriefings/pages/MASSRSE2021.aspx (alt URL: http://cipbook.infracritical.com/book5/chapter6/ch6ref2.pdf).
6. wwwcdn.imo.org/localresources/en/MediaCentre/PressBriefings/Documents/MSC.1-Circ.1638%20-%20Outcome%20Of%20The%20Regulatory%20Scoping%20ExerciseFor%20The%20Use%20Of%20Maritime%20Autonomous%20Surface%20Ships ... %20(Secretariat).pdf (alt URL: http://cipbook.infracritical.com/book5/chapter6/ch6ref3.pdf).
7. https://lewisbass.com/what-is-an-authority-having-jurisdiction-ahj-and-why-should-you-care/.
8. www.cybersecuritydive.com/news/lastpass-breach-exposes-passwords/639469/.
9. This was widely reported in open sources, such as www.thestar.com/business/2017/10/13/ottawa-threatens-to-sue-railway-owner-over-broken-rail-line-to-churchill-manitoba.html.
10. At this point, the issue had become a major news story across the nation, as the government and private sector company appeared entrenched in the conflict and the community increased its own communications calling for a resolution. Such stories can be found in sources such as www.winnipegfreepress.com/local/omnitrax-files-nafta-claim-against-ottawa-threatens-150m-suit-457491683.html.
11. www.ferc.gov/power-sales-and-markets/rtos-and-isos (alt URL: http://cipbook.infracritical.com/book5/chapter6/ch6ref4.pdf, and the image: http://cipbook.infracritical.com/book5/chapter6/ch6ref4a.png).
12. www.businesswire.com/news/home/20221019005846/en/Emera-Inc.-and-Nova-Scotia-Power-Respond-to-Government-of-Nova-Scotia-Electricity-Rate-Legislation.
13. www.merriam-webster.com/dictionary/have%20one%27s%20cake%20and%20eat%20it%20too.
14. www.urbandictionary.com/define.php?term=you%20can%27t%20have%20your%20cake%20and%20eat%20it%20too.
15. www.canada.ca/en/public-safety-canada/news/2022/06/protecting-critical-cyber-systems.html (alt URL: http://cipbook.infracritical.com/book5/chapter3/ch3ref12.pdf).
16. www.justice.gc.ca/eng/csj-sjc/pl/charter-charte/c26_1.html (alt URL: http://cipbook.infracritical.com/book5/chapter3/ch3ref13.pdf).
17. https://www.publicsafety.gc.ca/index-en.aspx (alt URL: http://cipbook.infracritical.com/book5/chapter6/ch6ref7.pdf).
18. Ibid.
19. www.whitehouse.gov/briefing-room/presidential-actions/2022/01/19/memorandum-on-improving-the-cybersecurity-of-national-security-department-of-defense-and-intelligence-community-systems/ (alt URL: http://cipbook.infracritical.com/book5/chapter2/ch2ref12.pdf).
20. www.whitehouse.gov/briefing-room/presidential-actions/2022/03/09/executive-order-on-ensuring-responsible-development-of-digital-assets/ (alt URL: http://cipbook.infracritical.com/book5/chapter6/ch6ref5.pdf).

Chapter 7

Management of Critical Infrastructure Resiliency

7.1 Introduction

This chapter will look at the fundamental mind shifts that need to happen if we want to maintain our critical infrastructures in the current environment and in the future. Today, we have many supposed professionals who simply work down the checklists of controls recommended by regulators or think tanks and argue that as long as you can show that each control is addressed, the organization should be fine. Similarly, we have operators of critical infrastructure that are so slavishly adherent to regulations and “best practices” that they make the erroneous assumption that their organization and the capacity it delivers are well prepared to meet the challenges of the future. As we challenge these assumptions, we will try to break our thinking free of this particular malaise so we can get onto the business of being ready to take on the challenges that are fast approaching.

7.2 What Is Resilience?

Some individuals would be surprised that the National Institute of Standards and Technology (NIST) does a lot more than simply examine computer systems and propose ways to remediate technical flaws. The organization, part of the U.S. Department of Commerce, offers a significant body of knowledge and makes considerable effort in the domains of resilience within communities and in the context of disaster recovery. While its approach will challenge the traditional linear thinking of more than a few security and infrastructure assurance practitioners, it should be required reading for those that are looking to practice in the field.

DOI: 10.4324/9781003346630-7

So what is resilience? In the simplest terms, resilience can be described as the ability to bounce back. For those who need a more robust description, resilience can be broken down into a core definition based on the definitions of community resilience, system resilience, and network resilience. Community resilience, as presented by NIST, describes a state in which the community has “the ability to prepare for anticipated hazards, adapt to changing conditions, and withstand and recover rapidly from disruptions.”1 In the NIST Online Glossary, resilience is portrayed as “the ability to maintain required capability in the face of adversity.”2 Those involved in systems engineering have used this latter definition when considering how systems need to behave in the face of adversity.3 Each of these definitions positions resilience as an emergent system attribute and not just an approach to problem solving or drafting plans. Those planning the management structures can follow all the recipes for cookie-cutter plans that they can lay their hands on, but if the system can neither withstand the adversity in front of it nor recover to deliver the capacity it is supposed to deliver, it is not resilient. This is not a question of whether those involved need to follow structured approaches. That still needs to happen. What is important, however, is that the outcome of each of those steps will factor into the likelihood of success based on how they were conducted. The practitioner can argue that they conducted a threat assessment as per the instructions, but the question is really whether the practitioner examined the conditions, selected the appropriate form of risk assessment, and then exercised reasonable care and diligence in the performance of that risk assessment so that the outcome was as close to accurate and complete as practicable. This raises the second important point in this effort.
While this approach can be hammered into a quantitative structure, the benefits of that approach are limited. Contrary to some of the commonly accepted views, critical infrastructure is not necessarily a computer network. Critical infrastructure is, and will continue to be, “processes, facilities, technologies, networks, assets, and services essential to the health, safety, security or economic well-being of [citizens] and the effective functioning of government.”4 Computer networks may be vital in supporting the activities that ultimately lead to the achievement of the goals associated with meeting this challenge, but they are ultimately a tool in the toolbox. Critical Infrastructure Protection (CIP) and Critical Infrastructure Assurance (CIA) must be looked at as a system that is made up of a range of different kinds of systems, including human, technical, physical, and operational. While the latter three kinds of systems can be brought into a quantitatively measured framework, human systems can only really be looked at in terms of being measured using ranges of probabilities. Simply put, human beings are not necessarily the most consistent entities on the planet and can be easily influenced by a range of different conditions that drive complexity into the picture. Those who had hoped to measure their CIP program’s performance to say that there will be a 79.995% probability (an arbitrary number) that it will be successful may want to look carefully at the assumptions that they are making and understand that becoming overly precise can mean that you’re being blind to the reality of the complex variables in your system.


7.3 Alignment with the Mission

The mission of critical infrastructures will depend on the specific sector, but there is some utility in establishing a generic mission statement for critical infrastructure assurance. The shift to CIA is the first step in this, in that the goal of critical infrastructure (casting back to the definition presented in Section 7.2) involves the continued delivery of a capacity, not the protection of infrastructure.5 The infrastructure is protected because it is part of the means of assuring the ability to deliver enough capacity to meet demand (Figure 7.1). We can validate this thinking by asking ourselves a few very simple questions. First, when you go to turn on the lights in your home, do you care that the power was generated at Facility X, or that the lights came on? When you turn on the tap, do you care that your water comes out of a well or a city system, or do you care that it comes out of the tap and is safe to drink? What is ultimately cared about is that the service that is relied upon to preserve your health, safety, or economic well-being is present, in a usable state, when it is needed, and for a reasonable cost. We can apply this kind of definition to transportation networks in terms of the delivery of persons and goods to their intended destination so that they arrive on time, in acceptable condition, and for a reasonable cost. When this is not achieved (as we have seen with some of the recent weather disruptions), there are usually enough upset people to have the heads of organizations being called upon to explain why they aren’t getting the job done. This gives us the opportunity to refine the delivery of a critical infrastructure’s capacity into some goals that can be used to characterize success in this domain.

Figure 7.1 The relationship between Critical Infrastructure Protection and Critical Infrastructure Assurance should be as balanced as possible.

The first of these goals is that the service arrives at the point that it is needed. For critical infrastructure, the destination is the point of consumption. The second aspect involves the concept of time and can be looked at in terms of (1) being available on demand and (2) not being unavailable to the point that health, safety, security, or economic well-being are irrevocably damaged (i.e., people die). The third attribute involves quality. People can make do with things not being perfect, but there is a point where the loss of quality begins to adversely affect systems (or people) relying upon the services. We see this when we consider “dirty power” (in terms of frequency or phase) or “dirty gasoline” (impurities causing wear and tear) and the effects that they can have. Not only can they cause failure if the quality is poor enough, but the lack of quality (in the context of being out of alignment with assumptions made in the design of something) can lead to more rapid degradation of the consumer of that power. This consumer may be an individual who needs to consume slightly contaminated water, an engine forced to use dirty fuel, or electronic components that are subjected to the issues of dirty power. Essentially, the mean time before failure tends to decrease as we put strains on things. These can be described as the core subgoals. The final subgoal involves being able to achieve all this for a reasonable cost. The challenge here is that this is highly dependent on the viewpoint from which you approach the challenge. For a consumer, an increase in electrical generation rates may be completely unacceptable, as they attempt to balance household budgets. They may still insist that they receive the service even if it is becoming prohibitively expensive to generate and distribute. At the same time, the electrical generation company may be faced with having to locate funds to offset its own costs and to meet the infrastructure upkeep priorities.
This conflict can lead to situations where solutions prioritize short-term thinking at the sacrifice of longer-term or more strategic thinking.6,7 Similarly, we can look at the maintenance of vital supply chains and see this played out as the system tries to find an acceptable equilibrium between reducing inflation (increased shipping costs being an inflationary pressure) while also attempting to find ways to reduce the carbon emissions from ships (which has its own costs in terms of better fuels or scrubbing technology). Figure 7.2 illustrates an optimal ideal model for a balanced operation of a critical infrastructure. While it is somewhat reasonable to treat cost separately from the other three subgoals (point of consumption, time, quality), it comes at a price. When we look at this issue in the context of the emergency management cycle, the nature of this cost becomes much clearer. The emergency management cycle consists of the following major phases:

◾ Prevention and mitigation focus on taking steps to reduce the risks associated with emergencies and often involve longer-term thinking.

◾ Preparedness focuses on being ready for specific events and involves taking steps to ensure that the people, assets, facilities, information, and supporting services necessary to respond to those events are in place.

◾ Response focuses on executing the plans that serve to preserve life and property and that are triggered upon the occurrence of an incident.

◾ Recovery focuses on restoring the community back to a normal (if somewhat adjusted) condition.8

Figure 7.2 An ideal model for a balanced operation of a critical infrastructure.

What essentially occurs when these decisions are taken can be described in two parts. The first part is that the overall project is “kicked down the road” to be dealt with later. As a result, the costs associated with achieving that particular outcome (1) become compressed into a smaller number of budget cycles, meaning that they have a greater impact per billing cycle, and (2) the costs likely increase as the pressure to perform under progressively tighter constraints mounts. We set ourselves up in a way that our chances of ultimately failing to reach strategic goals increase by addressing the short-term priorities in isolation.

7.4 Communities, Operations, and Infrastructure

This raises the second consideration that needs to be emphasized in today’s climate of critical infrastructure protection and the need to move towards resilient infrastructures—that of understanding that this is a whole-of-community exercise. This can be challenging in an environment where each organization seeks to maintain its own priorities. This has been illustrated in the recent testimony to Canada’s Transportation Committee9 regarding the challenges that many passengers faced during the Christmas vacation.10 In this instance, the airlines were called to account for conditions where travelers were stranded, communications were sometimes lacking, and delays plagued the system. What emerged in the testimony, however, were indications that the individual components of the system were not actually functioning as a system. Sunwing indicated in its testimony that “the Saskatchewan decision was necessary because the airline’s application to bring 63 foreign temporary pilots on board for the winter was denied, leaving it unable to staff all its flights.”11 Questions have been raised, however, about this statement, given reports in other media in December 2022 indicating that Sunwing had “[backed] away from the intention to hire temporary foreign pilots.”12 Other airline executives pointed out that while the airlines were subject to regulatory controls and accountabilities, others that could cause delays in flights, including Government of Canada arm’s-length agencies, were not held to the same level of accountability, and they called on Transport Canada to set the level of accountability across the entire system. Stepping back from the debates arising in the testimony, the key is that organizations are working from within their mandates. The tone of the testimony (including the responses and questions) has left a very clear sense that the industry is fragmented.
Airline executives, in addition to blaming weather, also pointed towards other parties that could cause delay and called for reforms that would see those organizations held to the same level of accountability as the airlines.13 Other comments pointed towards failures within the airport infrastructure (such as deicing and baggage handling system failures) that at least exacerbated delays. These comments and the ensuing debate lead to two conditions. The first is that anyone watching the debate did not see a unified front tackling the challenge; they saw a house divided. The second is that there is little sense that the situation is likely to improve, given that many editorials and opinion pieces focus less on fixing the issue than on reporting on or mapping the political drama associated with accountability in the system. From the mission perspective, this means that the focus fails to address the important goal of getting the job done. We see this challenge becoming apparent through many of the current critical infrastructure projects. In autonomous shipping, significant debate and design work have been done with respect to solving the engineering-related challenges on the ship, but there are some significant questions as to whether that technology is likely to cause other issues. For example, the use of heavy magnetic docking infrastructure in the ports has been considered without necessarily taking into account the power requirements and infrastructure for the port or the impacts of magnetic fields on fish.14 These issues will certainly come into view as the debates continue, but the question is whether the timing of the question will be such that solutions can be worked on, or whether the impact of the question will set back important work.


This level operates at what may be described as the strategic level. In this context, the focus is on an industry, not an organization. One might attempt to describe the goal of the critical infrastructure sector in terms of a reliable and capable sector where reliability and credibility are established by a consistent performance that achieves the objectives of on demand (time), at the point of consumption (right destination), and acceptable quality. The layer below the strategic level can be described as being either tactical or structural in nature. At the tactical level, the focus is on the various organizations that make up the overall industry. This would logically consist of two levels. It would consider the local group of organizations such as a port authority, an airport authority, water distribution, local power grid, and so on. At this point, we need to look at the structure of how the various organizations or contributors are brought together. To return to our example of the aviation industry, the organizations may operate in the same area and understand each other’s operations, but the strong bonds that form an operational community are obviously lacking or, at best, fragile. What is lacking is the common purpose and the positive relationships that form a community and that can address more significant challenges. We see a similar gap when considering the problem-solving aspects of autonomous shipping. The engineering solutions focusing on the ship emphasize the scope of the immediate problem, not necessarily forming the bonds that need to be formed within the port (facility) community. This leads to the first critical aspect of resilient critical infrastructure—an understanding that this is the challenge not of one organization, but of one community. No one organization within the community of organizations affected by the storms over Christmas would have been able to handle the issue in isolation.
The goals of this community are to build the awareness of the state of the infrastructure, to build the positive relationships that ultimately lead to organizations cooperating where needed (even if normally competing), and to work towards a common purpose defined by the success of the overall sector. Ultimately, this is where there is a significant role for the government to play beyond that of the regulator. In essence, there needs to be an aspect of leadership. The government exists as a representative of the people and as the coordinating body for resources devoted to the people. As the body that sets the specific requirements of regulations (including their enforcement) but that also has the authority to make necessary adjustments to those regulations in terms of exemptions, the government entities also play a role in how the various industry participants perform within the industry. In brief, one can see the role of the government in Figure 7.3. The initial steps in this can be found in the projects associated with supply chain resilience. These projects seek to maintain the flow of trade in support of the economy, both in terms of the gross domestic product (GDP) and the gross national product (GNP). While the overt goal may be to keep trade moving (and therefore the economy), the subgoal involves maintaining the services of the transportation network at a strategic level. For example, if the movement of goods runs through the East Coast and one port is disrupted (for whatever reason), then the overall system has the awareness of that disruption, is aware of the location of its surplus capacity, and can count upon a unity of purpose and goodwill to allow the shifting of shipments through an alternate port to minimize the impact of the disruption.

Figure 7.3 An optimal diagram of a government’s role in society.

This raises the question of architecture and topology. Critical infrastructure architecture and topology at the strategic level are largely established. Energy grids, transportation networks, communications systems, and other critical services are all established. That means that the question of architecture is only partly associated with design. It is also a significant constraint for new projects. The power generation company is not going to reorganize how it delivers power or rewrite safety protocols associated with power distribution to accommodate a community project. As a result, those conducting work to improve the system may consider making incremental adjustments (wholesale change being out of the question), or may propose realignment of certain capacities, but it needs to be done understanding the impacts in terms of infrastructure, operations, and financial costs. At the strategic level, there are some biases towards certain kinds of topologies depending on the different sectors. Those with significant emergency services functions tend to favor the mesh structure, with the major constraints being response time, distance, and local resources. When you consider how ambulances route patients to hospitals, they operate in zones. If one hospital is overwhelmed, they shift to the next hospital within that zone, until there is no more capacity available within the zone; then, depending on what’s needed, they may route outside of the zone. Transportation and distribution networks tend to focus on hub-and-spoke configurations due to the efficiencies they offer in terms of infrastructure and maintaining flows of traffic. Regional airports service the major international airports that connect to the other major airports. A flight from Moncton, New Brunswick, may proceed to Pearson International Airport (Toronto, Ontario) before proceeding to Gatwick (England) or Paris (EU). Communications networks, such as cellular services, may use mesh topologies operating in cells. Hybrids of these different architectures and topologies will also exist. The electrical grid, for example, may use different topologies based on (1) the distance the power has to travel, (2) the difficulty in running lines or the means of distribution, and (3) how the communities need to be served. This drives further complexity into the management of the grid. This raises the question of how the infrastructure elements are connected to each other. Consider the concept of “coupling,” a term used within the data engineering domain. This is the relationship that has one element’s work affecting another element’s work. Within the transportation sector, these are best described as very tight. An airplane failing to leave one airport means that it will not arrive at the next airport. Loose couplings describe conditions where the disruption at one location may result in an impact at the neighboring systems, but others respond to the deficiency and the system works towards reestablishing its operating balance. This doesn’t mean the system overall is in complete balance (that would be the perfect world), but it is working within tolerable levels of disruption.
As we look towards establishing resilience, there is a need to have extraordinarily robust, tight couplings, but ideally, these couplings would be much looser to allow rebalancing within the system’s performance. Where an aircraft fails to depart for the next airport, the system can locate an aircraft at another airport that can be brought in to fill the need. As we drill down from the strategic to the tactical level, couplings begin to transform into the concept of cohesion of a system (Figure 7.4). How do those internal systems function together? Can they locate potential disruptions and communicate those potential disruptions back into the strategic layer? This becomes increasingly important as the tightness of the coupling at the strategic layer increases, since those tight couplings represent what may be described as “stiff” relationships which, when you look at things from an elasticity perspective, break instead of bend. When looking at the concept of coupling and cohesion in the critical infrastructure domain, we can use a simple matrix to focus our efforts to get the balance between coupling and cohesion (Table 7.1).

Figure 7.4 Coupling and cohesion.

Table 7.1 A Simple Coupling and Cohesion Matrix
High coupling, low cohesion: Overly complex systems that impede operations and constrain resilience.
High coupling, high cohesion: Centralized vulnerabilities that can negate resilience in the system.
Low coupling, low cohesion: Fragile systems exhibiting brittleness under strain that leads to fragmentation.
Low coupling, high cohesion: Structured relationships supporting capacity and resilience.

Ideally, we want good cohesion at all levels of the infrastructure, but we want to avoid situations where the coupling creates brittleness (i.e., low coupling). The critical infrastructure has good connections and, if that connection is somehow interrupted or disrupted, can essentially heal itself or form another appropriate connection. If we slip, however, and allow cohesion to be weak as well, we have a situation in which the organizations don’t actually come together, or they fragment under the slightest strain. In the maritime sector (treated as a system), where there is too much complication in the interaction between ships and ports, the cohesion never happens, and the couplings are also weak—represented by the shipping companies and ports dealing only at a transactional level. This transactional level would be diminished (i.e., lost capacity) but also very fragile, meaning that the network could fragment very easily at this point. Where we have high coupling and low cohesion, the situation evolves so that you have unnecessary complexity in the connections within the infrastructure, and these can become their own operational impediment. These represent a situation where the critical infrastructure is not structured efficiently, and crossed or missed


communications can lead to missteps that then erode the cohesion in the system. Finally, when there is very high cohesion and very high coupling, the critical infrastructure sector creates a point that might be described as a centralized vulnerability that can affect the entire system. This central point can act across any of the administrative (regulators), operational (critical hubs), information (common services), or procedural (incorrect documentation or out-of-date training) domains. For the critical infrastructure sectors, we need to look at these strategic-level architectures and topologies in terms of their vulnerabilities and not just in terms of their various opportunities for efficiencies. The aviation sector is learning this through a series of harsh lessons in Canada (and other locations) as two major sets of disruptions (one after the lifting of pandemic restrictions and one over the Christmas holidays) have led to the major companies being summoned to explain their lack of services and the stranding of passengers. The first aspect of looking at these challenges is to understand that critical infrastructure is now firmly in what may be described as an “Era of Resilience.”15 It is not enough to look at the infrastructure, compare it to a set of prescribed scenarios, address those scenarios, and then declare that the system is good enough. This era is characterized by unpredictability and impact, ranging from geopolitical events (outright warfare) to weather-related events (severe storms and unusual weather interactions). The expectation in the public view is not that reasonable steps were taken, but that the systems were managed to take the hit and then get back up and running as quickly as possible. Resilience at the strategic level is about the reorganization of existing infrastructure and the incremental establishment of additional or surplus capacity.

Where systems operate with no surplus capacity, they lose the resilience in the overall network in such a way that the impact of the failures resonates or travels through the affected system. The result is a system-wide disruption. In the case of the aviation sector, three major hubs were affected almost simultaneously—Vancouver, Toronto, and Halifax. The result was a total system collapse. Consider the steps used when dealing with network-related events—containment, isolation, and remediation. In the aviation sector, containment lies within the realm of operations and customer services. Keeping people informed, ensuring they know the problems are being worked on, and taking steps to ensure that they are cared for as the challenges are worked through all help contain the issues and prevent media and social media storms. The second challenge involves isolating the issues and taking steps to remediate those issues. Those will be more dependent on local conditions. Underneath the strategic level is what may be described as the tactical level (when considering networks) or the structural level (from a systems engineering perspective).16 While resilience at the strategic level is about ensuring the availability and reachability of surplus capacity, the resilience of infrastructure is largely focused at the tactical level. The airport network may offer some surplus capacity, but ensuring that that capacity is available will generally operate at the level of the airport authority. The airport authority is simply a collection of organizations that manage to keep the system up and running—basically a different kind of system, in that the individual elements of that system do not involve technology but rather organizations. The question of resilience needs to look across the organizational (administrative), physical, technical, and procedural linkages between these organizations to ensure that the work needed to support the capacity of that tactical-level system is assured (Figure 7.5). The question, therefore, is how to make the tactical level function. Organizational leadership will always have to focus within their own scope of authority. The mechanism that binds these organizations together is the contract and, by extension, the service level agreement. Several conditions of these agreements factor significantly: an acceptance of the overall goal; the need to participate in the community working towards that goal; transparency with partners so as to build the tactical level’s self-awareness; management of the organization’s resources so that there is an ability to surge capacity to meet changes in demand or confront challenges; and, finally, the mindfulness that is linked to communications and the ability to settle disputes. Where any one or more of these are missing, cracks begin to form between the organizations, and these cracks (or friction between organizations) become the fissures and fault lines in the system that break it apart. Once these fissures and cracks manifest themselves, we have entered a condition where we need to worry about the fragmentation of the tactical-level system, which, when the disruption occurs, then begins the process of fragmentation or even dissolution at the strategic level. The recent disruptions in Canada show that these principles were inconsistently applied, at best, across an industry.

Figure 7.5 Different levels and their functions in terms of resilience.
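The zone-based rerouting described for ambulances and ports, and the loss of resilience when a network runs with no surplus capacity, can be made concrete with a small model. The following Python is an added illustration, not a model from the book: the hubs, zones, capacities and demand figures are constructed, and the three-hub outage only borrows the names of the hubs the text mentions.

```python
"""Zone-based capacity routing with and without surplus capacity.

Added illustration, not the book's own model. Hub names, zones, capacities
and per-period demand are constructed values.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Hub:
    name: str
    zone: str
    capacity: int            # units of traffic the hub can handle in one period
    load: int = 0            # units already routed to it
    disrupted: bool = False

    def free(self) -> int:
        """Remaining capacity; a disrupted hub contributes nothing."""
        return 0 if self.disrupted else max(self.capacity - self.load, 0)


def place_demand(hubs: List[Hub], origin_zone: str,
                 units: int) -> Tuple[Dict[str, int], int]:
    """Route `units` of demand that originates in `origin_zone`.

    Mirrors the ambulance rule in the text: fill hubs in the same zone first
    (in listed order) and only when the zone is exhausted route outside it.
    Returns (allocation per hub, units that could not be placed anywhere).
    """
    allocation: Dict[str, int] = {}
    in_zone = [h for h in hubs if h.zone == origin_zone]
    out_of_zone = [h for h in hubs if h.zone != origin_zone]
    for hub in in_zone + out_of_zone:
        if units == 0:
            break
        take = min(hub.free(), units)
        if take:
            hub.load += take
            allocation[hub.name] = take
            units -= take
    return allocation, units


def run_scenario(network: Dict[str, Tuple[str, int]],
                 demand: Dict[str, int],
                 disrupted: List[str]) -> Dict[str, object]:
    """Apply a disruption to `network` and route every zone's demand.

    `network` maps hub name -> (zone, capacity); `demand` maps zone -> units.
    Returns the per-zone routing, the total unplaced demand (the system-wide
    disruption the text warns about) and the surplus the network started with.
    """
    hubs = [Hub(name, zone, cap, disrupted=name in disrupted)
            for name, (zone, cap) in network.items()]
    routing: Dict[str, Dict[str, int]] = {}
    unplaced = 0
    for zone, units in demand.items():
        allocation, left = place_demand(hubs, zone, units)
        routing[zone] = allocation
        unplaced += left
    surplus = sum(cap for _, cap in network.values()) - sum(demand.values())
    return {"routing": routing, "unplaced": unplaced, "surplus": surplus}


# Constructed network: three zones, a major hub and a regional hub in each.
# Capacities exceed demand, so the strategic layer holds surplus capacity.
NETWORK_WITH_SURPLUS = {
    "Vancouver": ("west", 120), "Calgary": ("west", 60),
    "Toronto": ("central", 200), "Montreal": ("central", 90),
    "Halifax": ("east", 80), "Moncton": ("east", 40),
}
# Same topology sized exactly to demand: no surplus anywhere.
NETWORK_NO_SURPLUS = {
    "Vancouver": ("west", 70), "Calgary": ("west", 30),
    "Toronto": ("central", 130), "Montreal": ("central", 50),
    "Halifax": ("east", 50), "Moncton": ("east", 20),
}
DEMAND = {"west": 100, "central": 180, "east": 70}   # constructed, per period


if __name__ == "__main__":
    # One hub out, surplus available: everything is still placed, some of it
    # routed outside its zone (Halifax absorbs part of the central demand).
    print(run_scenario(NETWORK_WITH_SURPLUS, DEMAND, ["Toronto"]))
    # One hub out, no surplus: the shortfall does not stay in the central
    # zone; its overflow consumes the east's capacity, so east demand is lost.
    print(run_scenario(NETWORK_NO_SURPLUS, DEMAND, ["Toronto"]))
    # Three hubs out at once: the surplus itself is lost and the network
    # drops 160 of 350 units, a system-wide disruption.
    print(run_scenario(NETWORK_WITH_SURPLUS, DEMAND,
                       ["Vancouver", "Toronto", "Halifax"]))
```

The second scenario is the cascade the text describes: the failure's impact travels into a zone that was never disrupted.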

7.5 The Core Elements

This brings us to the core elements of resilient systems. We can look at this in terms of the attributes of organizational goals on one hand, or the resiliency goals from a purely system-driven approach on the other. On the organizational front, we have touched on the attributes of a resilient system in terms of the following:

◾ Purpose, ensuring that each element of the organization has accepted what the ultimate purpose for the system is and drives towards it, and that it is not focused solely on its own self-interest.
◾ Positive interactions, in terms of clearly defined and accepted expectations and outcomes that are tied to the performance of the organization within the system. This aligns with the purpose attribute. Agreements focus on a single or an agreed-upon set of shared goals and objectives that are tied directly to the infrastructure’s mission and not each participant’s self-interest.
◾ Self-awareness, in terms of their own capacity but also their own fragility and other forms of vulnerabilities that may be exploited to affect the ability to meet demands on them. This term is somewhat at odds with cyber resilience (it doesn’t appear there), but it needs to be understood in the context of the system’s ability to identify its own condition and the influences on it. This might be explained in terms of not only having an awareness of the microcosm layer (the tactical and operational layers that represent organizations and processes) but also the macrocosm level (the strategic layer that represents the whole of the infrastructure) (Figure 7.6).
◾ Ability to heal, in terms of the ability to not only correct issues but also maintain a focus of “failing forward” or “seeing errors as learning opportunities,” avoiding the temptation to become defensive and engrossed in shifting blame. This attribute can be aligned with the systems’ engineering resilience goals of withstanding, recovering, and adapting.17 The infrastructure, like an organism, not only fixes injuries to its structure but also repairs to a greater level so that it does not suffer the same level of injury the next time the event occurs.
◾ End-user empathy, in terms of being able to build the system in such a way that consideration for the end user is also a major factor for success. This links back to the purpose of the system but ensures that the risk management decisions focus on the purpose of the critical infrastructure (the delivery of the critical service).

Figure 7.6 Boxes represent ties to the macrocosm (whole infrastructure), while the arrows reflect microcosm issues (organizations).

Within the more system-engineering-driven realm, the attributes that need to be promoted in this context are forward-looking (anticipation), robustness (withstanding), elasticity (recovery), and adaptability.18 The concept of anticipation refers to the ability of the organization not only to maintain an understanding of its current threats, risks, and vulnerabilities (in the context of being able to deliver capacity), but also to recognize the changes within the environment that may exacerbate any one or more of those factors. This will be important when considering how responses are planned, but also in terms of the nature of recovery—do you build back the existing infrastructure, or do you adapt to consider the potential threats? Robustness looks at the ability to weather (no pun intended) events and to be able to withstand their impacts. To do this, you need to understand the various factors that can affect your ability to deliver capacity and have realistic plans on how to deal with them. This robustness is more than simply protective infrastructure; it encompasses the full cycle of identification, protection, detection, response, and recovery that permeates not just the NIST Cybersecurity Framework but approaches in other domains as well.19 The goal here is to maintain a dual focus, not just on infrastructure but also on capacity through productivity.
The concept of elasticity or the ability to recover back through progressive phases of acceptability to (ultimately) the trusted operational baseline is arguably one of the most complicated exercises given the traditional segmentation of security domains. This can be looked at as two streams of activity: (1) maintaining as much useful capacity as possible, and (2) reestablishing disrupted capacity by resolving issues across the various elements (persons, assets, facilities, information, and supporting services). Finally, there is the concept of adaptability. In this context, we look at how an organization learns, can restructure itself, can shift its governance, and manages the life cycles of not only its technology but also its doctrine and processes. This adaptability can be confirmed by also including a testing and exercise plan that keeps pace with the anticipated environment and is not driven by out-of-date scenarios. A third cycle needs to be considered when looking at resilience. This involves the pace at which an organization can make decisions and adjust its position. Remember, this is not a company at this level, but it is better represented by a group of companies that are brought together under some umbrella structure such as an authority or similar structure. Consider the following:


◾ How does that organization maintain its understanding of its situation?
◾ How does it make decisions with respect to risk management or future courses of action?
◾ How does it manage those actions?
◾ Finally, how does it implement those decisions and ultimately learn from them?

This can be resolved using a decision-making structure similar to the OODA loop (observe, orient, decide, act) for decisions while maintaining the principles of cycles such as the Deming Cycle for Quality Management (often referred to in an iteration of Plan, Do, Check, Assess).20,21 The goal here is to be able to proceed through the OODA loop’s structure more cleanly and quickly than the circumstances change around you, as a means of maintaining the initiative in a contested environment. The Quality Management Structure under the PDCA/PDSA structure follows more slowly but looks at the quality of those decisions in the longer term to make the adjustments to the organization’s doctrine, agreements, standing operating procedures, and other structures. These are kept linked but operate relatively independently, as the OODA structure is used when dealing with situations where time is often a critical factor. These two key cycles align with different aspects of the attributes associated with resilience. The OODA loop aligns with the more operational or responsive cycle of the IPDRR (identify, protect, detect, respond, and recover of the NIST Cybersecurity Framework) cycle that can be linked to how the organization responds to events. Certain aspects of this will occur more quickly than others. The identification of threats (or hazards in the context of resilience) and protection against them may involve slower activities such as the establishment of protective works or infrastructure; detection and response may likewise involve slower infrastructure projects, but decisions may need to be made in close to real time depending on what that infrastructure detects.

7.6 The Supply Chain and Third-Party Risks

While a great deal of attention had been paid to the design of things as well as the environment that they were built in, the supply chain was largely looked at in terms of quality alone. This has changed, partly due to disruptions in the supply chain, the realization that certain key projects rely on scarce resources (such as some of the minerals needed for battery production), and the recognition that certain organizations can become involved in rather nefarious activities such as institutionalized intellectual property theft. The result is that increased attention is being paid to the supply chain. In the United States, software development and critical services are now being directed through presidential executive orders to ensure that certain development practices are followed, including those within their supply chain.22 Similarly, Executive Order 14028 looks to improve cybersecurity within the software supply chains, particularly where such software may be used in or impact federal systems.23 These have been in response to a range of different cyberattacks and cyber threats. The supply chain threats extend well beyond the cybersecurity realm. Beyond the concern that malware or additional code (often used to send information to a collection entity) may be inserted, supply chain issues can involve counterfeit items being substituted for approved items or substandard materials being used. When considering the third-party risks to the work, it is vital to understand why the work is important in its own right. Is it because the systems are critical to safety systems (such as Category 3 systems that, if disrupted, pose an immediate threat to life safety)? Is it because the technology is highly proprietary, and if an adversary got their hands on that information, it could then seek to reverse engineer it and look for weaknesses in its performance? Having this understanding will answer questions about two sets of attributes. What do I need to protect in terms of the traditional security attributes of confidentiality, integrity, or availability (or some combination thereof)? How much confidence needs to be maintained with respect to these attributes? This raises the question of how to preserve the necessary levels of accountability (ownership), auditability (traceability), and non-repudiation. Put in simple terms, for each of the security attributes, how much detail, granularity, and confidence must be present before trust is eroded? Moving past the product itself, we begin to enter the realm of the environment in which the infrastructure was assembled.
This third layer (surrounding our confidence in the confidentiality, integrity, and availability) focuses on the four major elements of the supply chain: operations that support the infrastructure, the strength of methods used for the infrastructure’s integration, the confidence in the purchasing processes, and the supply chains involved in that purchasing. While layers 1 and 2 give confidence around the product itself, the third layer offers a level of comfort that the environment was appropriate to be able to trust that those attributes will remain stable. The final layer is the provenance, or history, of the product. This final layer gives us the last indication of whether the infrastructure could be affected by potentially hostile or untrustworthy parties (Figure 7.7).

Management of Critical Infrastructure Resiliency ◾ 147

Figure 7.7 The layers of how an infrastructure is developed.

For those involved in software development or system design and integration, this approach is relatively common in the more mature enterprises. The principles can be applied at higher levels when the focus is shifted from a system made up of components to one made up of organizations. The business purpose becomes the importance of the system in the business context. Instead of it being important to have a good navigation system, it may be the delivery of healthcare in a region, the generation and distribution of electricity, the provision and distribution of clean drinking water, or the delivery and distribution of goods. At this level, the attributes tend to shift away from traditional confidentiality, integrity, and availability to availability, integrity, and, finally, confidentiality. This is because of critical infrastructure’s focus on delivering those key services. The attributes of accountability, auditability, and non-repudiation remain important. The structure still needs to have a solid understanding of the roles and responsibilities as well as the ability to determine that the tasks assigned to those roles are being carried out. Ultimately, it must also consider the attestability of the services necessary to maintain the level of trust within the overall system. These are surrounded by the more corporate operations in terms of quality or robustness of the work done, the purchasing structures that ensure that only good inputs are used, and the credibility of supply chains to maintain not just the necessary number of inputs but also the quality and characteristics of those inputs. Finally, the aspect of provenance can be treated in terms of potential entry points into the overall activity, making each organization that can influence the final outcome part of the equivalent of an attack surface for the overall activity.

The challenge then becomes how to communicate requirements throughout the overall network of entities that help deliver the supporting goods and services necessary to carry out the delivery of the critical infrastructure. The starting point for this involves ensuring that the aspects of resilience, and the attributes necessary to achieve the level of resilience commensurate with the sensitivity of the project, appear in the contracting documents. These may be design documents or just the simple agreements that describe the relationship between two or more organizations. The second aspect is ensuring that the information requested and analyzed achieves the necessary rate of exchange to remain ahead of the reasonably foreseen adversaries. This does not limit itself to the collection of the information being quick. It means that the full cycle of collection, collation, analysis, assessment, and dissemination (or outputs) resulting from the assessment is completed in a way that is useful to maintaining control within the critical infrastructure environment.

Consider this in three contexts: natural disasters, cyberattacks by state-sponsored entities, and disruption due to labor shortages. The attributes of the infrastructure have not changed in terms of their importance (determinable by impact), but the nature of the disruption is different depending on the kind of threat. The natural disaster may cause widespread damage to infrastructure, leading to a significant effort being needed to reestablish services and likely forcing a risk-managed approach to the prioritization of that effort (such as restoring power to hospitals first, etc.). Our second ring of confidence in the controls necessary to preserve those attributes is addressed by the treatment of accountability, auditability, and attestability. In the case of the natural disaster, this may focus on the strength of the infrastructure to withstand the event (robustness) but then may focus on the degree of confidence that can be held in terms of the resilience that comes from being able to detect failure, respond appropriately with necessary resources, and ultimately reestablish the previous operating state. In the case of cyberattacks, the focus may be on critical systems (determined by decomposing the system using models such as the Criticality Assessment Model described by NIST IR 8179)24 and then looking at the strength of the mechanism, the strength of processes used in integration, the environment in which work was done, and the supply chain—all in an effort to identify the potential means and opportunities available to potential attackers and ultimately maintaining an appropriate level of security.
When considering the labor shortage, the focus may shift more towards being able to understand each role (identification), ensure that reserve capacity is available (protection), and then identify, analyze, and respond to conditions that require response plans to be brought to bear (detection, response, and recovery). The approaches to each of these three different threat types are similar, but the outputs of those approaches are different to reflect the differences in the risks they present to the organization.

7.7 Aligning Standards and Baselines

The role of standards and baselines is to provide guidance at the tactical and operational levels. Those who prefer this approach need to remain aware of two core differences. The first is that standards are generated by communities reaching consensus on a specific subject. Consequently, they provide guidance but should not be used as much more than a guide on how to address certain issues. This is because they are not adequately granular when considering an organization’s specific operations, threats, vulnerabilities, and culture. Risk assessments, and sound risk management, require that the first three of these factors be reasonably granular and detailed. The fourth, organizational culture, is one that is often not included in the discussion. Those that have attempted to manage security programs, however, will likely be quick to point out that forgetting the organizational culture is a sure way to increase the level of resistance to any changes proposed by the security program.


Baselines are generated by the organization and represent the minimum level of control needed to maintain what may be considered an acceptable level of risk. These should be specific to the organization but may map to an organizational standard. For example, the best management practices published by an association represent a standard, and the baseline security controls (across all domains) would be mapped as applicable to that standard. This is where things can become somewhat convoluted when adopting a requirement-based approach (such as systems engineering). Requirements are commonly written against seven attributes. These include being clear and consistent, correct, feasible, flexible, unambiguous, singular, and verifiable.25 The tendency to write a requirement that states that infrastructure will be managed in accordance with “such and such” fails to meet these criteria in many regards, one of which is that the standards themselves often state that they are not intended to be used as checklists but rather as guides. The final aspect involves adaptability. Recent storms, the pandemic, and other events have shown two things. First, we are dealing with a number of instances where relatively unique, if not totally unique, events can occur. The derecho in southern Ontario and western Quebec was relatively unique, and the conditions associated with Fiona were relatively rare in nature. Black Swan events, while challenging, are not completely unfamiliar to those in the risk assessment and risk management domains. This brings in the second aspect of adaptability, and that is changing into a state that reflects the new reality. When dealing with insurance, there is often a restoration back to the original state. This may make sense from a personal insurance perspective but should not be similarly applied within the realm of infrastructure. 
Should personal insurance companies be more flexible in this regard and allow for reasonable improvement to personal property where infrastructure fails? One would argue that it makes sense in the long term but is likely to be subject to several different attempts to manipulate it, stretching it beyond what is necessary toward what is desired. This is where the approach to standards should reside at the level of approaching challenges and not offer specific guidance unless dealing with relatively simple systems. Simple systems, in this context, are those that do not contain variables that are influenced by multiple factors or influences. People, for example, are complex factors in that they are relatively unpredictable and somewhat capricious in nature. If the goal is preventing a certain type of malware from affecting a peripheral, then technical standards can be applied. When providing instructions for a specific and simple task, this may also apply. But as the complexity and range of inputs begins to increase, this becomes increasingly difficult.

7.8 The Core Challenges

The core danger here involves becoming focused on the standard and forgetting that the standard is an approach to addressing a challenge. Organizations do not face a singular risk. They face a multitude of risks, and this needs to be kept in context.


This is further compounded when we consider some of the goals in the resilience model, specifically those of anticipation, withstanding, and adapting. The first of these (adaptation) speaks to not only understanding the historical events that have challenged the organization (still important), but also having a situational awareness of how the operating and threat environments are evolving around them. To go a step further, the anticipation aspect would then require not only analysis of these conditions but also assessment to answer the question of relevance to the organization. This hyper-focusing on one issue is not uncommon. When we consider the response to COVID-19, there is little debate to be had that the primary focus was on one set of needs (in respect to COVID-19). This is not to state that the responses were either appropriate or inappropriate (they were what they were), but it is to state that even when responding to what may be considered a crisis, other issues cannot be allowed to slip through the cracks. For example, we now face a significant backlog of surgical procedures that resulted from cancellations that came out of pandemic restrictions. Other issues are certain to arise as the impacts of both the disease and the restrictions become clearer with further analysis. This hyper-focus comes at a price. If we think of the management of critical infrastructure being along the lines of a spinning plate, all radii around the balancing point need to be in balance for the plate to spin. While the analogy may be suspect, we can look at this in terms of the major elements of any system: the people involved, assets, facilities, information, and supporting services. These can be further refined until the organization sees not only the categories, but also its own infrastructure and operations appropriately reflected in the model. This approach prevents some of the challenges faced during the pandemic, such as the shortage of frontline workers.
These workers were not normally listed in the plans, as the plans tended to concentrate on unique positions or key delegations. In fairness, this is where the industry guided practitioners to put their focus.

7.9 Why Over the Walls When Through the Gates?

Many of these standards and new directions have included direction to those applying them to pay attention to the supply chain and third-party risks. This acknowledges the condition in which we find much of our infrastructure. Key installations and points of service have become quite robust over time. Significant investments have been made by organizations to protect their own personnel, property, and operations. Reports from organizations such as Gartner indicate that worldwide security and risk management spending was expected to pass $150 billion in 2021 and was still expected to grow, particularly in the information technology domain.26 The question today is, “Why storm the castle walls when they have left the gates open?”

The issue of supply chain security has two parts. The first part involves ensuring that you can access or leverage the goods and services that are to be provided by third parties. In this context, we look towards concepts like having a risk management culture, collaboration, redundancy, agility, and so on. The overarching goal is to have access to appropriate and trustworthy inputs into the processes, even if a location in the supply chain is impacted. The second part looks at the supply chain as an avenue for attack. This can take many forms. On the most basic of levels, subcontractors and their sensitive information holdings are often easier targets than the main organization itself. We have seen this in action with a number of compromises of defense and government contracts. At the same time, we have seen employees of some subcontractors attempt to remove sensitive material or even carry legitimately supplied sensitive material for their own gain. Assets have been compromised through the insertion of malware or additional code intended to turn the input into an information-gathering source. The use of supporting services within facilities can almost be a classic form of attack. In all these instances, the common theme is that the organizations have not taken a full view of their overall systems and have forgotten to examine the supply chains.

This can be easier said than done. Contracted arrangements often limit the additional efforts that can be asked of a subcontractor before those requests begin to incur significant costs. Where the subcontractor is facing reasonably tight margins or is trying to hold firm to an expected profit, significant resistance to adding work to the contract can be expected. As a result, the need to provide details regarding the design processes, history, source of components, and production environments (in physical terms and logical terms) needs to be spelled out in the main contracts with any subcontractors. This can be taken to a ridiculous extreme, however, and needs to be managed realistically. Consider complex electronic components.
How far should one insist that the research into the supply chain go? One can almost imagine the comedy of the supply chain auditor’s “Meditations on First Suppliers” as one continuously takes one more step along the production process until the step of following unsuspecting miners into the copper mines. Of course, this is an absurdity. This should not be confused with the concept of Total Quality Management (TQM),27 where the supply chain is fully known; it is to be looked at in terms of the additional verifications insisted upon. The logical response would be that the supply chain evaluation should proceed only so far as needed to address the potential for compromise—often at the level of a component’s hardware, software, and firmware.

When examining the security at this level, we are really looking at determining how much confidence can be had in any claims regarding the component’s performance. This needs to look at three major aspects. The first involves the design itself and its likelihood of being able to perform under reasonably foreseeable difficult environments. Meeting these requirements is often covered through testing plans but is a gateway (in the context of no progress until its requirements are met) to any further consideration. The second aspect involves the strength and credibility of the integration and assembly processes. Some of these can be communicated in the following:

◾ Were sound principles and practices followed?
◾ Were the tests credible, comprehensive, and completed successfully?
◾ Finally, were environmental controls in place to appropriately reduce the means and opportunities available to potential threat actors?

Each of these three elements needs to be looked at to build the level of confidence or trust that the component will perform as anticipated.

When considering the management of critical infrastructure, the structure needed to provide this level of confidence requires effort at several levels. The first involves ensuring that one’s own contracting and procurement processes are overseen and controlled in such a way that any goods or services that can directly (or indirectly) affect the critical services being provided adhere to the need to follow these two supply chain approaches. At the senior management level, this means that there will likely be instances where waste occurs because the commitment of resources may not directly link to the production or service delivery efforts. These instances need to be looked at as a form of an insurance policy. The next level involves ensuring that Service Level Agreements (SLAs) are in place to clearly identify performance thresholds and the potential consequences of failing to meet them. Contracts need to be very clear with respect to the requirement to provide certain information regarding the provenance of components and descriptions of activities but should not be made without understanding that such information is likely highly proprietary to the supplier and that protecting it will likely be required in return. Failing to do this is likely to drive unanticipated delays and costs into any exchanges involving the supply chain. The final level, often overlooked by management, involves the oversight regimes necessary to bring this kind of activity to fruition.
This is because the Deming Model is not applied fully in this aspect of security. Risk management activities may be completed (plan), plans and claims may be made (do), but organizations tend to forget about the “check” or “study” aspect that serves to confirm that those claims have any credibility. As a result, many organizations are operating based on what can only be described as a “good faith” model, where they assume that all suppliers (credible and diligent on one hand but also those willing to say anything to make a sale) can be trusted to the same extent. While it is understandable that costs need to be controlled, there comes a point at which their own organization’s claims will be put to the test and found wanting if they fail to include the oversight aspects.

The structures of supply chain risk management that enable this kind of exchange and its integration within an organization’s enterprise risk management framework are becoming more pervasive. For those facing this challenge, caution and forethought need to be applied. This structure, again returning to the Deming Model, has four major steps. Many of these steps can be populated by approaches defined in structures such as systems engineering that essentially follow the mantra of “plan what you’re going to do, do it, check that you’ve done it, and correct any mistakes” (which sounds frighteningly like the Deming Model by another name). Within the planning phases of this process, one can align the Business Importance, Stakeholder Needs and Requirements, Project Planning, Risk Assessment, Supply Chain, and Acquisitions activities. The goal of this phase is to identify the supply chain (understanding that it will evolve), understand the criticality of the various elements within the supply chain (from both the procurement and security viewpoints), and identify how the risks presented within the supply chain should be managed. The second phase involves the “doing” part of the cycle, and this lies largely in the domain of contracting and procurement. The first step here needs to be to communicate the senior management’s risk management decisions, in no uncertain terms, to those negotiating contracts or communicating requests for proposals. Security costs, rightly or wrongly, are often seen as adding complexity and cost into a project, and some organizations will attempt to bypass the security concerns to reduce the costs of inputs into their processes. As noted earlier, however, if these considerations are not written into the initial calls for proposals, they will either be ignored or be treated as a significant change request in the contract. Finally, when looking at requirements being communicated into the supply chain, there needs to be a sense as to how those requirements will be verified and validated.
The level of rigor and frequency will likely depend upon the criticality of the supplier to the overall activity, but it is important not to ignore any suppliers or let any slip through the cracks. Again, the trap here lies in failing to apply adequate rigor at the start of the process. While it may be comfortable to think that everyone we do business with will be honest and forthright about their challenges, this is something that should be earned and not assumed. Where a company demonstrates a history of good performance, then an organization can slowly move towards a more monitoring-focused regime.

7.10 The Rise in Counterfeits and Substandard Parts

At the time this work is being drafted, North America is at risk of entering into a recession (or at least that’s the public message). This raises the other aspect of supply chain security risk that is often overlooked. In recessions, and when dealing with companies that put their own margins above their contracted obligations for quality, counterfeit and substandard parts may be introduced to (1) reduce costs and thereby increase their margin, (2) address issues in their own supply chain, or (3) in some cases as part of the actions of a fraudster working within the supplier (making both the supplier and contractor victims). Detecting these counterfeit parts can be particularly challenging for those who are not quite familiar with what the component is supposed to look like. Consider Figures 7.8 and 7.9 that follow. Reference points A, D, and E show a plastic latch along with a plastic “spring” instead of a metal latch with a small plastic handle on the latch. Reference points B and C show screws holding the housing of the connector together. One significant warning indicator to note is that the housing can be easily taken apart and a small processor chip inserted inside, allowing would-be adversaries easy access to secured networks. One more feature, not previously mentioned, is the number “07” on the bottom edge of the genuine connector; usually, counterfeit connectors do not have a number assigned. The linkage here is that the inclusion of counterfeits can be considered both a security challenge (in terms of fraud) and a quality challenge (in terms of adherence to the contract). Systems such as ordering a certain percentage extra of a product, on the understanding that specific units will be selected at random from the batch and then inspected (even destructively), may deter those who may seek to attempt this.

Figure 7.8 This figure shows both a genuine and a counterfeit fiber connector used to connect fiber to networking devices. The upper left image is the top of the genuine connector, and the upper right image is the bottom of the genuine connector. The lower left image is the top of the counterfeit connector, and the lower right image is the bottom of the counterfeit connector.
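The over-ordering and random inspection deterrent described above can be sized with a hypergeometric calculation. This added example (not from the book) computes the chance that a random, possibly destructive, inspection of a delivered batch catches at least one substituted unit, and how many extra units to order so that the destroyed sample still leaves the required quantity; the batch sizes, substitution rates and the ceil(rate × batch) counterfeit-count model are constructed assumptions.

```python
"""Sizing a random-inspection plan for a delivered batch.

Added example, not from the book: the hypergeometric detection math behind
"order extra units and inspect a random sample". Batch sizes, substitution
rates, confidence levels and the counterfeit-count model are all constructed.
"""
from math import ceil, comb


def p_detect(batch_size: int, counterfeits: int, sample_size: int) -> float:
    """Probability that a random sample of `sample_size` units, drawn without
    replacement from a batch of `batch_size` hiding `counterfeits` bad units,
    contains at least one bad unit (hypergeometric upper tail)."""
    if not 0 <= counterfeits <= batch_size or not 0 <= sample_size <= batch_size:
        raise ValueError("counts must satisfy 0 <= counterfeits, sample <= batch")
    if counterfeits == 0 or sample_size == 0:
        return 0.0
    good = batch_size - counterfeits
    if sample_size > good:
        return 1.0  # more units drawn than good units exist: a bad one must appear
    # Python int/int division stays exact for the large binomials involved.
    p_all_good = comb(good, sample_size) / comb(batch_size, sample_size)
    return 1.0 - p_all_good


def min_sample_size(batch_size: int, counterfeits: int, confidence: float = 0.95) -> int:
    """Smallest random sample that catches at least one of `counterfeits`
    substituted units with probability >= `confidence`."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    if counterfeits <= 0:
        raise ValueError("no counterfeits assumed: nothing to detect")
    for n in range(1, batch_size + 1):
        # Tiny tolerance so an exact boundary (e.g. 0.95) is not lost to rounding.
        if p_detect(batch_size, counterfeits, n) >= confidence - 1e-12:
            return n
    return batch_size  # unreachable for counterfeits >= 1; kept for clarity


def plan_order(required_units: int, substitution_rate: float,
               confidence: float = 0.95, max_extra_multiple: int = 10) -> dict:
    """Size the over-order. The inspected sample is assumed destroyed, so the
    order must leave `required_units` usable units after inspection, while the
    sample still catches a supplier who substitutes `substitution_rate` of the
    batch with probability >= `confidence`. Assumed counterfeit count is
    ceil(rate * batch), never below one (constructed modelling choice)."""
    if required_units <= 0 or not 0.0 < substitution_rate < 1.0:
        raise ValueError("need a positive quantity and a rate in (0, 1)")
    for extra in range(1, required_units * max_extra_multiple + 1):
        batch = required_units + extra
        bad = max(1, ceil(substitution_rate * batch))
        sample = min_sample_size(batch, bad, confidence)
        if sample <= extra:  # sample fits inside the extra units ordered
            return {
                "order_quantity": batch,
                "extra_units": extra,
                "sample_size": sample,
                "assumed_counterfeits": bad,
                "detection_probability": p_detect(batch, bad, sample),
            }
    raise ValueError("no plan within the allowed over-order; random sampling "
                     "is uneconomic at this substitution rate")


if __name__ == "__main__":
    # A supplier who swaps 10% of a 100-unit order versus one who swaps 1%.
    for rate in (0.10, 0.01):
        plan = plan_order(100, rate)
        print(f"rate {rate:.0%}: order {plan['order_quantity']} units, "
              f"inspect {plan['sample_size']}, "
              f"P(detect) = {plan['detection_probability']:.3f}")
    # Same sample, fewer bad units: random inspection deters bulk substitution
    # but is a weak control against a single implanted unit.
    for bad in (10, 3, 1):
        print(f"{bad:2d} bad in 100, inspect 10: "
              f"P(detect) = {p_detect(100, bad, 10):.3f}")
```

The second loop makes the practical caveat visible: a ten-unit sample that catches 10% substitution about two times in three catches a single implanted unit only one time in ten, so random inspection complements provenance and integration controls rather than replacing them.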

Figure 7.9 This figure shows two different genuine Cisco fiber connectors. Newer Cisco fiber connectors now have small holographic strips, along with a QR code identifying the part number.

7.11 The Rise of Unknown Vulnerability in the Home Office

The second set of challenges within the supply chain can be described in terms of how our physical and logical work environment is changing. The physical work environment now involves significant pressure for remote work, with a significant percentage of employees within certain fields considering the ability to work remotely as a key factor in determining which job offers to take. While the specific numbers of employees who prefer working from home over working at the office still indicate a significant degree of flexibility, surveys show that in Canada around 75% of employees tend to prefer the home environment over the work environment, while in the United States the numbers are slightly lower. The risk here involves the physical and environmental controls and the different levels of protection that one can assume in an office (or similar) environment compared with a home environment. Many public servants were able to work from home during the pandemic using remote connections, but it is questionable whether those public servants were required to undergo the same vetting processes for their home offices as private contractors. The second aspect involves that of the natural interactions that occur within the environments. Controlled organizational spaces can establish a baseline in terms of expectations, security screening, and so on. This does not occur in the home, where interactions with family and friends occur. This does not mean that the home office is a massive security risk; it means that it must (like all environments) be managed through a combination of policies, training and awareness, and oversight.


We can approach this challenge the same way that organizations approached the challenge of “bring your own device.” This is where the domains of critical infrastructure assurance and other domains part ways. The key in the work-from-home environment is that there needs to be a clear boundary established and maintained. This boundary should ideally be based on a combination of sensitivity (considering the confidentiality, integrity, and availability security attributes) and criticality (based on the importance of the work to the delivery of the critical service). A threshold needs to be established and accepted by all that states that if the home environment is going to be used to cross this level of sensitivity, then the employee does so on the understanding that this will impact their home. This may mean that the home office needs to have certain equipment (cabinets, shredders, its own connections, etc.), and that certain routines need to be adhered to within that space. This does not mean that the home office should be considered nonviable. Again, it is a question of striking the right balance. Consider the issue of emergency response. Depending on the role of the individual, the home office approach may actually be preferable given that the person is (1) close to the family and issues that will normally distract them and (2) not delayed in terms of traveling to the office. This, of course, assumes that the connectivity between the organization and the home office can be trusted to survive the event. Depending on the goals of the organization (deliver a critical service), the vulnerabilities involved (access or data leakage), and benefits (lower response time, cost, employee engagement), the organization will simply need to look at its obligations outside of its span of control, its internal risk tolerances, and the costs and benefits of where to establish the balancing point.

7.12 The Movement towards Clouds

The second balancing point involves the use of cloud services. This balancing point ties together the capabilities of the cloud service provider (in terms of robustness and resilience) and the needs of the critical infrastructure sector. This is treated after supply chains because the challenges with using a cloud service provider parallel (closely) the challenges associated with supply chain security. Ensuring that the service provider is required to maintain certain baselines, to communicate acts or conditions that may affect those baselines, and to be willing to share information regarding those baselines has to begin at the very start of the relationship. Similarly, the need for the service provider to participate actively in incident response means more than just responding to the plan requirement; they should be providing information regarding the challenges (threats and hazards) they face in their operations that may cascade into the critical infrastructure’s operations. The basis of this need is fairly simple and described in two parts. First, the service provider is an outside entity with its own priorities, and while it may be an upright member of the business community (or not), it still exists outside of the organization’s span of control for risk management except through contracting processes. Second, practitioners in the business continuity domain will tell you that avoiding single points of failure (SPOFs) is one of the key activities. What we see with cloud services, however, is that many organizations (including those in the critical infrastructure domain) have moved to a limited number of cloud service providers. When looking at this from more of a “red” or adversarial perspective, we can then see the value of that cloud service provider increasing because of how the impacts of its disruption could affect multiple entities and critical infrastructures. One might argue that this points to a regulatory gap when looking at critical infrastructure protection and critical infrastructure assurance. Should consideration be given to setting down limitations with respect to what these service providers offer? The secondary impact of this is that those restrictions may put a brake on the ability of the critical infrastructure to operate effectively and may, therefore, be a situation where good intentions lead to poor outcomes. Perhaps consideration should be given to forming a community of Critical Cloud Service providers that work with the critical infrastructure sectors, the government (as representing the population and regulators), and key stakeholders, so that the regulatory controls are still applied but become part of the solution sets to take on the challenges inherent in supporting those critical infrastructures.

Data sovereignty becomes an issue when dealing with the cloud. Most do not fully understand how these “clouds” function and simply assume that one’s data goes everywhere. This is not the case.
Data can be contained within geographic boundaries, but this needs to be identified at the start of the relationship, not the end. The key here is that the data, where it moves through and where it resides, can touch only those geopolitical areas that have the appropriate data-handling agreements. For example, Canada would resist sending Canadian data on certain topics to the United States while the Patriot Act is in force due to Canada’s privacy laws. At the same time, the United States may restrict data moving to Canada under “No Foreign” rules. Being clear with the service provider that these kinds of restrictions (not necessarily these specific restrictions or just these restrictions) exist allows for a level of clarity that can prevent difficult conditions later on.

7.13 Authors’ Note

The concept of network resilience is an emerging field. As a result, there is a challenge in that the definition base for this particular domain is still emerging. Consequently, we have attempted to use “plain English” and align the terminology with the critical infrastructure domain. There will be a time to debate the refined definitions in the future as the field progresses, but at this early stage, we need to set the frameworks before proceeding to that level of refinement.


Chapter 8

The Coming Resurgence of Interdependencies

DOI: 10.4324/9781003346630-8

8.1 Looking at the World—A Community

People tend to categorize the world around them. This is a natural effort, as people attempt to bring order and understanding to the world. This approach has had some positive trends—the ability to organize activities, to build communities, and to build understanding—but it has also led to some negative trends, such as racism and discrimination. The challenge with this form of categorization is that it not only loses detail in examination, but it often fails to identify how the various boxes are connected and reliant upon each other. This is why people can use broad sweeping statements in demographics that fail to recognize the cultural and social differences within those communities, and yet those statements gain some level of recognition. Consider the approach represented by this kind of thinking as akin to a decision tree. If something fits into a certain category, then a branch is chosen and the decision proceeds. This somewhat resembles modern computing—if not 0, then 1, and vice versa. Something generally applies to a category, or it does not. We see this argument when attempting to deal with control systems. Is it something unique, or is it simply an information technology network? Resolving this question becomes the priority before dealing with the myriad of issues that permeate that technology, because we need to know how to label it in order to understand how to respond to it.

Take another example, the family home. What is the family home? It has its own label. For many sectors, however, the family home represents something that fits within the client or consumer category. Within that category, it has a range of profiles, but they all generally fall under the category of consumer of goods or services. It is often the terminus when considering the distribution of that good or service. It is also often the initiating point for payment of that service. We have power, natural gas, water, and such delivered to our homes, and we pay a fee for that service. The same holds true for factories—they are an end consumer of the product or service, and they pay for that good or service.

While this approach allows us to essentially organize and tidy the world around us, it can leave significant gaps. Consider pandemic planning. One of the first assumptions was that a few employees could become ill and would not show up to work. This was expected; an organization is not immune to this kind of thing because it holds a certain position in the plan. What was less expected was the number of persons that could be absent. This was a much higher number. What was also unexpected was that many of these people were not ill; they were identifying their need to take care of their family over their need to be at work. In short, the box that the organization chose failed to recognize that their people may choose another box, leading to a loss of personnel during the crisis.

8.2 Current Trends in Business

Certain trends have been identified as being fundamental shifts in how business is likely to conduct itself in the near to medium-term future. These trends can be summarized in four major areas that will challenge how we look at interdependencies.

◾ The use of analytics and ultimately artificial intelligence (AI) to refine the relationship with consumers is likely to continue. The focus of these efforts has been largely in terms of targeting advertising and marketing efforts to increase the return on investment in those business activities. This also involves approaches businesses take using the full population of datasets within their organizations to guide their operations and improve their business intelligence.
◾ The use of social methods of learning, such as peer-group learning, the use of social media, interactive applications, and similar technologies.
◾ The transition of the workforce from being an institutionally supporting and career-driven population of workers to one that seeks self-actualization and advancement.

What does this mean from the perspective of looking at interdependencies? When we look at these three trends, one might reasonably expect that our understanding of interdependencies can be influenced in the following manner:

◾ Our understanding of the impacts associated with events will become far more granular as the ability to analyze the event increases using analytical tools. Similarly, the increases in computing power, and the potential revolution that may come from the integration of quantum computing, will allow a greater population of scenarios (and their impacts) to be identified and assessed. This increase in the number of datasets and the speeds at which they can be processed can lead to significant refinement in our understanding of potential cascading impacts and events arising from failures of interdependent infrastructure.
◾ The use of social media methods of learning offers a significant opportunity for both governments and industries to inform and educate populations with respect to how to handle events. Similarly, the ability to identify, form, manage, and exploit the thinking of groups using social media tools (or similar proprietary tools) may allow organizations to communicate their information requirements and instructions to those populations more quickly and accurately using common platforms. This capacity can be further enhanced using analytics.
◾ The change in focus from a career-oriented to an actualization-focused working population, however, poses a risk from the interdependency perspective. Unless organizations have very clear and enforced information management systems, the increased rate of transition can lead to increased losses of corporate knowledge, including the firsthand accounts of events associated with the failures of interdependent infrastructures within the organization. Consequently, organizations may find some utility in either bolstering their information management systems or adjusting their staffing processes so that persons can realize their goals towards self-actualization within the same organization.

Businesses continue to focus on the concept of “just in time” delivery, with the premise being that the transportation network (carrying the materials) replaces the warehousing infrastructure normally used to maintain reserves of inputs (ranging from food to manufacturing). The challenge here is that the “just in time” system leaves the organization or community exposed to a loss of critical or needed materials under two circumstances.
The first of these circumstances involves a disruption of a shipment that means a period during which the demand outstrips the availability of the product, service, or data from the system. The second involves the circumstance during which the demand cannot be met as the system attempts to rebalance itself after an event. The first impact (a loss or delay) leads to an absence during the event, while the second impact (a lag or pull) results in either an absence in the period immediately following an event or a loss of quality (integrity) that comes from suppliers or providers attempting to meet the demand faster than they can normally handle. These impacts (push/pull/lag/delay) are common across all networked environments, not just the transportation sector or the shipping activity. While sea containers full of material (or trucks) may be the common image, similar principles apply to networks (think of data packets instead of trucks), electrical distribution grids (noting the issues associated with surges and quality of power), water distribution systems, and so forth. Understanding how impacts affect systems in terms of these four factors is becoming critical, particularly when looking at interdependent events.

One approach for mitigating this scenario involves switching from a “just in time” system to a “just in case” system. This system involves identifying common impacts and then maintaining adequate local reserves and capacity that can be used to cover that impact while the normal flow of inputs and services resumes. This approach reduces the benefits of the “just in time” system, as it requires some level of maintenance of inventories and warehousing capabilities (or storage of some kind). The advantage of this system is that these reserves can act as a sort of shock absorber within the supply chain that limits or contains the impact of events that cascade through the supply chain. Once again, this applies to more than the transportation system. Consider your computer. Do you own an uninterruptible power supply? If so, you are already recognizing this principle within the context of protecting yourself against a failure through a dependency on power. Within the realm of data, one might look at the use of backup systems, particularly resilient systems such as properly (or appropriately) configured cloud-based systems to preserve data holdings. It also applies to systems that check data flows for lost packets and that maintain the ability to replace damaged or lost packets during the transmission process. Within the realm of water, one might simply look at having five days of potable water (or some other amount) available to have a supply on hand should some form of contamination occur. When looked at from a commonsense point of view, the “just in case” system refers to a more prudent and balanced approach to efficiency, whereas the “just in time” system refers to one that is intended to maximize efficiency under normal conditions, but which can leave the organization at increased risk. The key is balancing the application of the “just in case” system within operating and threat environments that are becoming increasingly unpredictable and in such a way that the organization maintains its resources and competitive advantage.
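To make the push/pull/lag/delay argument concrete, here is an added example (not from the book) that simulates a consumer drawing a fixed daily demand through a delivery outage followed by a supplier ramp-up, with and without a local reserve; the demand, outage and ramp figures are constructed assumptions.

```python
"""Toy simulation of "just in time" versus "just in case" supply.

Constructed example: a consumer draws a fixed daily demand; deliveries stop for
an outage (the loss/delay impact) and then the supplier ships at reduced capacity
while it rebalances (the lag/pull impact). A reserve on hand turns the consumer
from "just in time" into "just in case". All figures below are illustrative.
"""
from dataclasses import dataclass


@dataclass
class Scenario:
    demand: int          # units consumed per day
    horizon: int         # days simulated
    outage_start: int    # first day with no deliveries
    outage_len: int      # days of no deliveries (the "delay")
    ramp: list           # daily shipping capacity while the supplier rebalances (the "lag")
    capacity: int        # normal daily capacity; above demand so backlog can be caught up


def simulate(sc: Scenario, reserve: int) -> dict:
    """Run one scenario with the given reserve on hand at day 0."""
    stock = reserve          # units held locally
    backlog = 0              # units the supplier owes but has not shipped
    shortfall_days = []      # days on which demand could not be fully met
    min_stock = stock
    outage_end = sc.outage_start + sc.outage_len
    for day in range(sc.horizon):
        owed = sc.demand + backlog
        if sc.outage_start <= day < outage_end:
            cap = 0                                  # nothing moves during the outage
        elif 0 <= day - outage_end < len(sc.ramp):
            cap = sc.ramp[day - outage_end]          # supplier rebalancing: below demand
        else:
            cap = sc.capacity                        # normal operations, catching up backlog
        shipped = min(owed, cap)
        backlog = owed - shipped
        stock += shipped
        consumed = min(stock, sc.demand)
        if consumed < sc.demand:
            shortfall_days.append(day)
        stock -= consumed
        min_stock = min(min_stock, stock)
    return {"shortfall_days": shortfall_days, "min_stock": min_stock,
            "final_backlog": backlog}


def required_reserve(sc: Scenario) -> int:
    """Smallest "just in case" reserve that leaves no shortfall day.

    More reserve never creates a shortfall, so a linear search upward is safe.
    """
    reserve = 0
    while simulate(sc, reserve)["shortfall_days"]:
        reserve += 1
    return reserve


# Constructed scenario: 10 units/day, a four-day outage from day 5, then three
# days at 6 units/day before the supplier is back to a 12 units/day catch-up rate.
EXAMPLE = Scenario(demand=10, horizon=20, outage_start=5, outage_len=4,
                   ramp=[6, 6, 6], capacity=12)

if __name__ == "__main__":
    for reserve in (0, 40, required_reserve(EXAMPLE)):
        result = simulate(EXAMPLE, reserve)
        print(f"reserve={reserve:3d} shortfall days={result['shortfall_days']} "
              f"final backlog={result['final_backlog']}")
```

A reserve sized only for the outage (40 units) still leaves shortfall days in the rebalancing lag; the reserve that removes every shortfall has to cover the outage and the lag together.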

8.3 The Shift and Change Government and Regulation

This is where the movement towards performance-based regulations becomes significantly important. Given a service or capability being declared essential, it achieves what may be described as an “always on” or “always up” status. This, of course, is impossible to guarantee, and organizations are generally forced to risk manage decisions based not only on civil liability but also regulatory liability (administrative monetary penalties and the like). The other aspect to this is that performance-based systems are generally more descriptive of goals than of specific measures—meaning that the organization is given the flexibility in how they respond to those goals. This comes with an augmentation in accountability because the measures that the organization proposes to take are assumed to be reasonable and achievable.


This factor must also be looked at in terms of how it may influence legal and civil liability. While each case would need some form of legal contribution (to determine specifics), one might reasonably assume that if an organization has the flexibility to meet a goal in its own way, it should be able to maintain that capacity under most conditions. Returning to the Churchill, Manitoba, event in the spring of 2017 (an event that shows all the hallmarks of an interdependent event), one sees this principle in action. An organization commits to a course of action through a contracting process, and that service is disrupted through an event that goes beyond the organization’s willingness or ability to recover the service. Given that the route was a single point of failure, the community also began to look at the company in terms of subsequent potential issues, such as the lack of availability of fuel for the winter. While this work is not intended to make any comments on the specific liabilities, it does serve as a good example of how corporate decision-making (for good or bad) can lead to events cascading through the interdependencies of services.

8.4 The Blurred Line between Government and Business

The role of government within the CIP and CIA domains has been one not of ownership but more of regulator. Most critical infrastructure is not actually operated by government entities (although some is). What is also becoming clear, however, is that the consultative processes used by government and the reliance on outside technical support services have also been increasing over time. In healthcare, benefits packages are often configured or drawn from private enterprises. Power generation and energy are supplied not through government operations but through private companies. Except for certain circuits, telecommunication services and capacity also reside within the private sector domain, with many of those services also supporting general government operations. One might state that the distance between companies and government has been closing. While government services may be delivered and supported through private sector enterprise, the performance-based regulatory structure allows for private ownership of critical infrastructure protection at two levels. The first (and less obvious) level involves the use of consultation processes in the development of rules and measures. The second involves the corporate plans (as approved by the regulator) becoming the controls that protect that infrastructure and assure that service.

8.5 The Rise of the Networked Machines—The Internet of Things (IoT)

While the divide between the regulator and regulated becomes more blurred, the other factor that must be considered is the permeation of networked technology.


From the perspective of an interdependency, a new fragility has entered the system in that the speed and convenience with which technology is used has reduced the ability to operate without that technology. Wireless communications devices connecting equipment within a sea container shipping yard are vital to maintaining the speed of performance that is the key performance indicator of whether the terminal is likely to be profitable, or even viable. Heavy equipment is making increased use of network-enabled technology to monitor the performance of key systems (such as engines) and to allow the manufacturer to make subtle adjustments without having to go on site to maintain the equipment except in the case of significant failure. Homes are showing signs of increased automation and remote control using wireless or electrical infrastructure to maintain a comfortable living environment. Each of these examples illustrates the penetration and permeation of network-enabled technology into the baseline operations and critical paths of various activities. In the race for convenience, however, this permeation is showing signs of augmenting certain kinds of risks. The Internet of Things has allowed network connectivity to permeate spaces normally outside its reach. Combined with the permeation of smartphones and similar personal devices, the ability to physically protect infrastructure against interference is facing a fundamental shift in emphasis. While physical attacks will likely still occur, the increased knowledge and skills evident in hacking (criminal as well as ethical) mean that criminal organizations or individuals no longer need to rely upon physically “attacking” an organization. While an organization used to need only to manage its own network topography and architecture in a way that prevented less trustworthy systems from interacting with more sensitive operations, these two factors have built bridges around many of those controls. This also has a profound effect on both the criminal and cyberattack cycles, allowing those seeking to cause injury to conduct their reconnaissance into systems and an organization through less monitored (or even unknown) channels, reducing their risk of detection by security or other members of the organization. As a result, many of the attacks that occur can be expected to be along the lines of “zero-day” exploits in that there will be little to no warning in these circumstances unless an organization is aware of these potential vectors or channels.

8.6 Trends in the Alignment of Interdependencies

One aspect that has accelerated within the critical infrastructure protection domain is the stratification of the various sectors. The importance of this stratification is that different approaches to critical infrastructure assurance and protection will need to evolve as this stratification continues. The first sector involves those that are critical to a life-sustaining environment but that operate at local or regional levels only. This includes:

◾ Water and wastewater.
◾ Food and agriculture.
◾ Emergency services.

Without these three elements present within an environment, maintaining the basic services to sustain a population and order within society becomes nearly impossible. A lack of water, such as that experienced in Cape Town, can threaten the existence of the community at large. Similarly, drought in California has clearly indicated some of the challenges that could arise in balancing water requirements between a population’s drinking water, the water needed for agriculture, and that needed for more esthetic purposes. The challenge here is that a collapse of the water system (particularly drinking water) needs to be addressed urgently given that life safety is impacted in a matter of days. Addressing a systematic shortfall in this sector may be vital to the continued viability of a community. Food and agriculture can be affected significantly by extreme water levels. Crops can be destroyed by drought, but they can also be impacted significantly by flooding. The difference here is in the urgency needed to respond to loss of support from that sector. While not as immediately critical as water, the sector still has limitations within which issues must be addressed. Food stocks, however, can be brought in from outside the area, and so forth. Emergency services also fall into this category in that they are necessary for maintaining order within society. The failure of either the water sector or the food sector, however, can lead to increased demand on this sector—above and beyond the baseline requirements. Emergency services may need to protect vital points that are involved in the distribution of water or food to populations. This demand will become increasingly critical as conditions persist. These services are also drawn from the local populations and may also be facing local impacts. These three sectors, however, illustrate what may be described as an accelerated clustering of interdependencies.
These sectors tend to operate at what may be described as a primary level when looking at the preservation of a community—the failure of any one or more leads to the collapse of the community. The secondary level of this may be described as the Commercial Facilities Sector and Government Facilities Sector. These are considered secondary because the services can be delivered from outside those facilities, but the lack of these facilities makes the delivery far more complicated and places strains on the primary sectors. This strain is most clearly felt within the Emergency Services Sector, which must provide unique or expanded services to facilities that may be operating on a contingency or improvised basis. The ability to maintain adequate food and water at a football stadium during a period of crisis poses significant logistical challenges. At the same time, maintaining “law and order” within that facility also poses challenges. These are not considered as being primary, as the services can be delivered using alternatives—where a football stadium is not available, another location with similar characteristics may do.


Contrasting these two relationships leads to what may be called a vital dependency. When considering sectors such as food and water, there is no way to substitute the service with something else. Should these sectors fail, another source of the same product (or service, in the case of wastewater) must be found quickly to meet the demand. In this context, drinking water is obviously the most critical in that people will die if they do not gain some access to it quickly. If the water cannot be sourced locally, then it must be brought in from somewhere else. Those involved in disaster relief activity (for natural disasters and not IT related) understand that the next critical element involves the ability to deal with sewage, or at least the treatment of it. Without this, disease flourishes within the camp and, again, lives are put at risk. Finally, one must look at the issue of food. Again, one cannot really replace food; one must find another source of that food. An interdependency that links flexible sectors (such as with the commercial and government facilities), however, would be looked at in terms of several other factors—such as whether the issue is transitory or not. In this context, one looks at the interdependency in terms of its impact (operationally), its persistence (how long it lasts), and whether it is cyclical in nature. A very significant impact that happens once but that is not permanent may be considered transitory or nonpermanent. A similar impact that recurs periodically may be described as both significant but also cyclical in nature. While it may be important to have a plan that allows the organization to work through the first kind of interdependency (the transitory), it may be vital for the organization to make efforts to address the root causes of failures in interdependencies of a cyclical nature. 
Where interdependencies are transitory or cyclical in nature, unique combinations of interdependencies can lead to impacts that cross over between them—like an electrical current arcing between two wires. Consider a disruption of food and water in an area. While this may not impact the transportation sector directly, the failure of communications within the area (requiring longer delays for drivers) may cause an arc between the two systems that impacts the transportation system through the driver’s ability to operate safely. The direction of these interdependencies must also be considered. A dependency will usually describe an impact that flows in one direction. For example, the loss of a government facility within an area disrupts several government services but does not necessarily affect other sectors significantly. Life goes on. There are also interdependencies where the impact will create something like a feedback loop—such as one might find when relating energy and transportation. A lack of fuel impacts transportation in that it can no longer function. The lack of transportation limits the amount of fuel that can enter an area to resolve the issue. This kind of interdependency needs to be identified and addressed in the planning and preparation stages (within the context of emergency management), pre-positioning materials or services to break the cycle before that cycle can begin to establish itself.


The next cluster of interdependencies involves those sectors that operate relatively independently but that require the support of specialized services. The Chemical Sector, for example, may require a range of response capabilities if dealing with accidents (ranging from hazardous materials response, evacuations, or mass casualty treatment). Dams require specific and specialized engineering support services to prevent disasters and specific response capabilities should it appear that the structure is going to fail. Finally, the Nuclear Reactors, Materials, and Waste Sector faces similar challenges when dealing with various materials. The common thread in this category is in the nature and severity of the potential impacts. These all have a strong possibility of involving massive losses of life and property. Within this category one must separate dependencies and interdependencies. These sectors will require very clear assurances that they will receive appropriate support from other entities or sectors. Where these organizations are providing support, that support would be considered a dependency. The interdependency occurs when those supporting services require inputs from the affected sector. This becomes particularly critical in that the disruption in the affected sector could then cycle through the responding sector and back to the originally impacted sector by delaying or disrupting the needed response. This exacerbates the impacts associated with the disruption quickly and with potentially dire impacts. There is a similar possibility when considering the Defense Industrial Base Sector and the Critical Manufacturing Sector. In this case, the impact is most likely to be strategic in nature and not local. Disruptions in key supply chains may not affect people in terms of a loss of life but may put significant strains on industries or forces that are involved in projecting national interests or priorities abroad. In most other respects, however, they would be very similar to those described for the Chemical and other sectors described earlier.

8.7 The Emergence of the Key Sectors—Energy, Transportation, Telecommunications, and Financial

The interdependencies linking four sectors are particularly important to note. These stem from the interdependencies between the Energy, Transportation Systems, Communications, and Financial Services Sectors. These are paired and ordered this way for a reason. The Energy Sector underpins both the Transportation Systems and Communications sectors. During the August 2003 blackout, eastern Ontario approached a situation in which the lack of fuel was impacting the ability to move fuel for the backup generators into the area. Should that threshold have been breached, the disruption in power would have had a critical impact on the remaining critical services such as hospitals, cooling centers, water treatment, food shipment, and others. Similarly, there are strong ties between the Communications and Financial Services sectors. This is becoming increasingly important in an age of Electronic Funds Transfer (EFT) and is also likely to be one of the key vulnerabilities when looking at electronic currencies such as Bitcoin (and similar variants) should they evolve into an accepted financial tool. The evolving reliance on EFTs operates at both local and strategic levels. These two pairs, however, can come together to create what may be described as a perfect storm within the interdependency realm. This perfect storm describes conditions under which the system cannot recover. The right combination of these not only affects the response to an event, but also reduces the ability to identify and define the nature of the impacts in such a way that determining what response is needed or what responses have been effective is also difficult or even impossible. Evolving technologies may lead society closer to these conditions. Consider autonomous vehicles—ranging from cars, aircraft, rail, and even ships. This bridges the connection between the two sector pairs in a way that provides what may be described as a single point of attack against all four sectors should the Communications and Energy sectors be affected. While the conditions under which this may occur are still not fully understood, the potential for this kind of impact across the full community requires an additional level of care when considering the deployment of this technology. Similarly, the convergence of traditional telephony services (analog and later digital) to protocols such as Voice-over-Internet (VOIP) clusters these sectors in a way that emphasizes these factors. The clustering of these four sectors requires a balanced and thoughtful approach from both the government regulatory communities and the business communities. Given the nature of the critical impacts on society, the government regulatory communities may be argued as having a higher duty of care with respect to the integration of newer technologies that can lead to these conditions. This will largely affect the consultative process that has become increasingly balanced towards the private sector entities.
One might argue that the government regulatory services must be able to conduct their own independent security assessment and accreditation on systems to verify vendor claims (prior to sale) but must also be mindful of technological solutions that promote certain approaches. Within the private sector community, this will require that organizations understand a need to control the enthusiasm and exuberance associated with the adoption and integration of newer technologies. At the fundamental level, the business needs drove the development of tools. This required a significant amount of time and effort, particularly in the development of proprietary tools. This has evolved to include situations where the business needs are tailored to fit readily available solutions, which may (or may not) cover the full suite of vulnerabilities associated with that application. The pace at which technology can be designed and deployed can outpace the various checks and balances applied from outside of the business community (such as regulatory). This is a cultural issue that, in some cases, may border on technophilia as certain communities bring or attempt to bring their technologies to market in search of solutions.


8.8 Comparing the Topography of Interdependencies with Flat/Hierarchical Networks

The term flat topography is borrowed from the IT security domain. Networks are often separated into various nodes or hierarchies, often using gateways, switches, or routers. The areas that fall within these nodes or hierarchies are generally referred to as broadcast zones. A flat network involves an architecture that is moving to, or operating within, a single broadcast zone: all devices fall within the same hierarchy or broadcast zone. This is generally done to reduce the costs associated with switches, routers, and gateways, but it can leave the network exposed should something breach the perimeter and enter the broadcast zone. In a segmented (hierarchical) network, by contrast, an event breaching the perimeter of one broadcast zone may be contained within that broadcast zone by cutting the connection points with the rest of the network. Similarly, a hierarchical configuration can also allow for certain zones within the space to be protected by additional or more rigorous controls. Those involved in incident response and incident management have become well-versed in working to isolate and contain events before they cause significant network disruption. Now consider the hub-and-spoke configuration as applied to other sectors (such as Transportation Systems, Energy, Communications, and Financial Services). Each locality can be described as having hierarchical characteristics through efforts such as business continuity planning. The business impact analysis done at the start of the planning process stratifies business activities from the critical to the less critical. The controls that are placed around these processes and business lines create what may be described as a hierarchical structure. These points in the hub-and-spoke network operate hierarchically at regional levels.
Outlying points, often less protected due to smaller resources and apparently lower threats, interact with the central hub. The central hub acts as a sort of regulator by limiting how it can be affected by impacts from an outlying site. A central airport will not sacrifice all of its operations (supporting all outlying sites) simply to assist one site. This creates another layer of hierarchical structure. When one considers the central hubs, however, these operate in more of a mesh topography. The challenge with the mesh topography is that it more closely resembles or approximates a flat network. Consider the impact of a disruption at one of the major airports. The impacts cascade through the entire system wherever operations connect either directly or indirectly to the affected central hub. Direct impacts may be described as delays in flights, the inability to send flights, and then the challenges associated with updating the operations. When looking at the mesh network, capacity will generally balance itself between nodes (distribution centers, etc.) and conduits (routes and lines, etc.) as best it can when demand exceeds capacity. The challenge happens when the supporting nodes and conduits begin to fail under the demand. This is what ultimately leads to the fragmentation and potential dissolution of the network, as the network cannot reestablish routes past the disruption. This describes a state of criticality in the overall network, which, in this case, represents sectors. Within the four key sectors (energy, transportation, telecommunications, and financial), certain relationships may be described as “strong.” Energy and transportation, for example, share a “strong bond” involving the availability of fuel. The energy sector relies on transportation to deliver fuel past its major distribution points (such as trucks to gas stations), but the trucks also rely on those gas stations for their own fuel. A loss of availability of fuel at the stations can trigger failures not only at the sector level but across this bond. Consider the August 2003 blackout, which saw many parts of eastern Ontario with fuel in the gas stations but no electricity to run the pumps to distribute the fuel to vehicles. The result approximated a fuel shortage. In this case, the linkage between the electrical distribution system and the fuel distribution system shares what may be described as a “strong bond.” While the characteristics of a “strong bond” can be very generally characterized as involving a direct impact, these bonds share characteristics based on the interdependency between the affected sectors. For the August 2003 blackout, this bond can be considered bi-directional or even cyclical in nature when considering fuel shipment. When considering the electrical failure, the bond may be considered strong from the electrical sector to the transportation sector (the lack of power affecting distribution) but weaker when considering the impact of the lack of fuel on the electrical sector.
As the event progressed, however, the lack of fuel began to affect generator reserves, illustrating what may initially have been described as a “weak bond” becoming “stronger.” The same principle holds true between the financial and telecommunications sectors. EFTs require the use of the telecommunications infrastructure. When the telecommunications infrastructure is disrupted, the funds cannot be moved. This is indicative of another “strong” bond pairing. While these pairs of sectors show “strong bonds,” they are also connected through a number of “weak bonds.” Consider the impact of a loss of communications on the airline industry. Aircraft can still fly, but, depending on the nature of the disruption, passengers cannot board the aircraft. An example of this involves failures in the communications systems that handle aircraft boarding and reservations. This is considered a “weak bond” because the impact is less direct than with a strong bond: it affects a supporting service and not a service that falls on the critical path. A disruption may result in impacts across both “strong” and “weak” pairings. A power failure may impact the telecommunications sector through “strong pairings” as the telecommunications sector’s critical operations fail or are put at an increased risk of failing. It may also flow along “weak” bonds. For those assessing the impacts, it should be noted that these bonds can be linked together like links in a chain, and some mitigation can occur at every link (such as backup generators compensating for a lack of power). These bonds will closely mirror the interdependencies between the various sectors and services. While it is perhaps convenient simply to follow the flow of operational impacts, it is vital to understand the topography of these bonds between the various sectors in order to predict accurately the volatility and secondary impacts that may flow from single events. It should also be noted that the prevalence of specific vulnerabilities across key sectors also affects these bonds. The relationship amongst the four key sectors is not linear but is itself a mesh of strong and weak pairings. Consider the EFT system. This technology is widely deployed across all the other sectors. Thus, a vulnerability that is exploited to cause a critical impact flows along the strong and weak pairings to affect those connected sectors. This can in turn trigger impacts between other pairings that are considered “weak” but which then affect the operations in those other sectors in terms of operational pressure, but not necessarily failure. This will push the affected sector towards a state of failure, but this may or may not be immediately apparent to those operating in that sector. As the effects become more prevalent or significant, they will pass the fragility thresholds (leading to failure), and as these events continue, the affected sector will approach the fragility levels associated with regional or network levels. When considering attacks that may occur through bonds or interdependencies, there are two scenarios that need to be considered. The first is a single point of attack that results in impacts flowing along the interdependencies and bonds from that originating point. These will be influenced by the local topography of the networks and, depending on their severity, may cross into other flat networks.
In this context, the overall impact may eventually become severe but may also be limited to a specific region. The second scenario involves a single vulnerability in a technology that is deployed across multiple sectors; here the flow of impacts may have multiple entry points into the second level of sectors. For example, if a vulnerability can be exploited in such a way that it affects the full telecommunications sector, the impact may be felt in several locations simultaneously. When considering the fragmentation and dissolution of a network, this second scenario is far more complex, given that the initially impacted points will all have impacts that flow along the bonds or interdependencies. The difference is comparable to tracking the ripples from a dripping faucet versus attempting the same exercise in a pond while it is raining. Outside environmental or operational factors can influence the impacts that flow naturally through interdependencies and bonds in a way that can either create new impacts or amplify existing impacts. The key factor is the system’s ability to absorb changes or impacts without suffering disruptions. Peak operating periods (where the system is operating at, or beyond, its intended capacity) may result in conditions where the organization has little to no resilience. Similarly, environmental factors may place the system under additional strain, such as what may occur when the electric power grid suffers brownouts during periods of extreme heat in the summer due to increasing demand from cooling systems. When these conditions exist, two or more impacts existing naturally between infrastructures can be exacerbated or amplified, leading to a third kind of impact that would not normally occur under other conditions. Using the high-heat period as an example, this may result in the degradation of the power supply that feeds the grid, which in turn powers telecommunications. While the telecommunications sector may be able to withstand limited impacts of this nature, it may face challenges should those conditions persist longer than it has been able to prepare for. Thus, the relationship between sectors cannot simply be looked at in terms of linear dependencies or even interdependencies. When modeling potential impacts, the topography of bonds, dependencies, and interdependencies must be understood in order to map and predict the impacts associated with certain kinds of attacks. This, however, is not a stable playing field. In addition to the mechanics (in the physical and logical sense) of an attack, those seeking to predict the flow of impacts must also consider various external factors that can affect demand (such as peak travel periods) and the available capacity of the network (such as high demand for additional power to support cooling). The relationship must therefore be looked at in terms of time, the frequency and duration of conditions, the impact of these cycles on the fragility of the infrastructure, and the interrelationship of various primary and secondary impacts. For organizations, therefore, there is an inherent risk in overemphasizing preventive controls. The number of potential kinds, permutations, and combinations of events can lead to a level of complexity that would overtax most systems’ ability to predict and implement effective preventive controls.
This is not to say that preventive controls should not be part of the suite of controls used to protect the capacity of the infrastructure. It is to say that preventive controls are only one aspect of the controls needed to properly assure systems where this level of complexity exists. The other suite of controls may be normative controls that focus on maintaining the equilibrium across the system. These controls may include interim preventive controls but also include detective and response controls operating at local, regional, and system-wide levels. When designed and implemented appropriately, these controls serve to maintain the capacity of the sector to meet demand, to contain impacts as best as possible, to respond effectively to those impacts, and to speed appropriate recovery.
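As an added illustration (not from the book or its authors), the following Python model propagates impacts along strong and weak bonds between two regional hubs of the four key sectors, contrasting a single point of attack with a vulnerability shared across regions, and showing how ambient strain such as a heat wave amplifies the cascade. The sector and region names, the bond weights, the fragility threshold, the "half of load passes on as operational pressure" rule and the perfect-storm proxy are all assumptions of the example.

```python
"""Toy model of impact propagation along strong and weak inter-sector bonds.

Constructed illustration: sectors, regions, bond weights, the fragility
threshold and the "ambient strain" value are assumptions, not data.
"""
from dataclasses import dataclass

STRONG, WEAK = 1.0, 0.35   # assumed bond weights: fraction of impact passed on
THRESHOLD = 0.8            # assumed fragility threshold: load >= this is failure
SECTORS = ("energy", "transport", "telecom", "finance")


@dataclass
class Bond:
    src: str       # node whose disruption flows outward, e.g. "energy/east"
    dst: str       # node that absorbs the impact
    weight: float  # STRONG or WEAK


def build_two_region_graph():
    """Two regional hubs, four sectors each; bonds follow the chapter's narrative."""
    bonds = []
    for r in ("east", "west"):
        e, t, c, f = (f"{s}/{r}" for s in SECTORS)
        bonds += [
            Bond(e, t, STRONG),  # no power: pumps and signalling stop
            Bond(t, e, WEAK),    # fuel deliveries to generator reserves (weak at first)
            Bond(e, c, STRONG),  # switches and towers need power
            Bond(c, f, STRONG),  # EFTs need the telecom infrastructure
            Bond(c, t, WEAK),    # reservation and boarding systems, not flight itself
            Bond(f, t, WEAK),    # ticket and fuel payments
        ]
    # The central hubs form a mesh, which approximates a flat network.
    for a, b in (("east", "west"), ("west", "east")):
        bonds += [Bond(f"transport/{a}", f"transport/{b}", STRONG),
                  Bond(f"telecom/{a}", f"telecom/{b}", WEAK),
                  Bond(f"energy/{a}", f"energy/{b}", WEAK)]
    nodes = sorted({b.src for b in bonds} | {b.dst for b in bonds})
    return nodes, bonds


def propagate(nodes, bonds, attacked, ambient=0.0, max_rounds=50, tol=1e-9):
    """Return {node: load} once the impacts stop changing.

    A failed node passes its full impact along each outgoing bond, scaled by
    the bond weight; a stressed but working node passes half its load on as
    operational pressure.  'ambient' is external strain (heat wave, peak
    travel) that every node already carries before the event.
    """
    load = {n: (1.0 if n in attacked else ambient) for n in nodes}
    for _ in range(max_rounds):
        outward = {n: 1.0 if load[n] >= THRESHOLD else 0.5 * load[n] for n in nodes}
        new = {}
        for n in nodes:
            if n in attacked:          # the attacked node stays down
                new[n] = 1.0
                continue
            incoming = sum(outward[b.src] * b.weight for b in bonds if b.dst == n)
            new[n] = min(1.0, ambient + incoming)
        if all(abs(new[n] - load[n]) < tol for n in nodes):
            break
        load = new
    return load


def failed_nodes(load):
    return sorted(n for n, v in load.items() if v >= THRESHOLD)


def perfect_storm(failed):
    """Assumed proxy for the perfect-storm conditions: the impact spans at
    least two regions and, in each, the telecom node that detection and
    response rely on has failed alongside at least one other sector."""
    regions = {n.split("/")[1] for n in failed}
    blind = [r for r in regions
             if f"telecom/{r}" in failed
             and any(n != f"telecom/{r}" and n.endswith("/" + r) for n in failed)]
    return len(blind) >= 2


def run_scenario(attacked, ambient=0.0):
    nodes, bonds = build_two_region_graph()
    load = propagate(nodes, bonds, set(attacked), ambient)
    failed = failed_nodes(load)
    return {"failed": failed, "load": load, "perfect_storm": perfect_storm(failed)}


if __name__ == "__main__":
    # Scenario 1: single point of attack on one regional energy hub.
    print(run_scenario(["energy/east"])["failed"])
    # Same attack during a heat wave: ambient strain turns containment into collapse.
    print(run_scenario(["energy/east"], ambient=0.25)["failed"])
    # Scenario 2: one vulnerability in a technology deployed in every region.
    print(run_scenario(["telecom/east", "telecom/west"])["failed"])
```

In the first run the west telecom node is pushed to a load of 0.7, stressed but still working, which is exactly the "operational pressure without failure" state the text describes; raising the ambient strain tips it over the threshold and the whole mesh fails.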

8.9 Conditions for the Perfect Storm

The perfect storm describes rare conditions that can lead to the full collapse of several infrastructures across at least regional levels. The general conditions of a perfect storm consist of the following:

◾ The initial event fragments the network in such a way that demand cannot be met.
◾ The scale of this disruption is at least regional in scope.
◾ The impact flows along the interdependencies and bonds and also affects the sector’s ability to detect and respond to the event.
◾ The impact degrades the organization’s ability to focus on and complete its recovery efforts.

These conditions describe a scenario in which the only option to restore functionality involves resetting the system after complete failure. Essentially, the sector must “reboot.” The key efforts that sectors can make to prevent “perfect storm” conditions are the following:

◾ No vulnerable service is relied upon across all operations.
◾ No vulnerable service is incorporated into all preventive, detective, and response controls or systems (in terms of interconnected and managed processes).

This leads to a circumstance in which certain sectors are argued to be “too big to fail,” as the impacts associated with such a failure would be cataclysmic. This term has been used in economic contexts but also applies with respect to general operational contexts. Within the domain of CIP and CIA, this creates a new layer of criticality when looking at sectors. One question that remains involves the roles and responsibilities associated with the management of those sectors and what support and expectations should be in place to prevent their failure. The other question is whether regulatory bodies (primarily concerned with public safety issues) should allow sectors to evolve to a point where they lack the resilience necessary to meet the demands on the sector should key organizations fail. The challenge here is that this would involve a major rethinking of the policies and practices that prevent regulatory bodies from interfering in sectors on the basis of the success of organizations as opposed to their failure, and it is therefore improbable.

8.10 Authors’ Note

Given the growing interconnectivity of infrastructure and the trends towards globalization and distributed services, the ability to identify, assess, manage, and monitor the full suite of any organization’s dependencies and interdependencies is growing increasingly complex and is certainly beyond the range of any single subdepartment of an organization. Business owners, at the executive level, may wish to direct their various asset and process owners to capture this information as part of their day-to-day activities and to ensure that it is communicated to a central or official repository (well backed up) so that a comprehensive awareness can be built. Business owners are also warned about a current trend within the asset protection and security community towards the adoption of standardization and compliance. Within the context of interdependent systems and links, there are two significant issues. The first issue involves the necessity of becoming compliant (i.e., expending resources) for the sake of compliance alone. The second involves the fact that what works well in one operational/threat environment does not necessarily work well in all of them. There will be significant pressure to adopt the standardization approach, not for business reasons, but because such an approach requires less effort than undertaking comprehensive analyses of the business. As standards and best practices fall under either a baseline model (based on consensus) or a high watermark model (the most rigorous solution), adopting this approach can trap businesses into significant expenditures to belong to a community, at the expense of their own operations and without being linked to any real (initial or residual) risks.

Chapter 9

The Evolution of Physical Security

In this chapter we will look at an approach that provides a structured and critical analysis of what physical security measures ought to be in place to achieve both the necessary level of robustness (withstanding an attack) and resilience (recovering quickly from an attack). This involves a structure that treats the physical security posture on two fronts. The first involves the strength of mechanisms (such as walls, doors, etc.) that are placed in such a way as to delay the attacker. The second involves the assurance case that provides the reasonable expectation that an organization can trust its physical security infrastructure to perform as anticipated both in normal and in enhanced (or even contested) environments.

9.1 Introduction

This chapter discusses the need for physical security doctrine and approaches to evolve given the increasingly complex operating and threat environment. While physical security has doctrinally held the position that threat and risk assessments would precede the development of specific security measures, the application of physical security principles and practices has fallen well short of this mark. Instead, many organizations have moved to a position of simply conducting security surveys or similar kinds of reviews of security against organizational baselines and then using that as the foundation for their activities. While this method may work in a stable environment, we can see that the environment around us is now best characterized by a level of uncertainty, and change is probably one of the more stable elements within it.

DOI: 10.4324/9781003346630-9


Since the last edition, we continue to see an evolution of the threats presenting themselves. Previously, our primary concern was the “lone-wolf” attacker who had been motivated through a difficult-to-detect channel. This does not mean that other threats were not present, only that there appeared to be a clear front-runner in terms of threats that were challenging our ability to succeed in protecting people, infrastructure, and operations. Today, however, our community of threats has broadened significantly across each of the categories of deliberate, accidental, and natural threats. We are also seeing an emerging issue as society (finally) begins to grapple with the challenge of using law enforcement and security personnel beyond their training and capabilities. Social activists and community groups have very rightfully pointed out that police doctrine and resources are not optimally suited for dealing with social issues such as homelessness, mental illness, and similar circumstances. This is not to say that the police have turned their backs on calls for assistance, or that they lack the necessary heart and compassion to address these challenges. Rather, their training, tools, and supporting infrastructure are not well aligned to deal with these kinds of issues. Like certain military forces, the role of being the equivalent of the Swiss army knife has been thrust upon them as likely the best out of limited (and potentially more difficult) choices. This raises the question of what mindset is most appropriate for physical security. Is the traditional law enforcement approach optimal? The traditional law enforcement mentality is one that looks at compliance with certain rules, bringing the situation first under control and second into line with the rules. This lends itself to activities such as inspections and similar kinds of activities, but not necessarily to problem solving. Would more modern approaches to law enforcement be more suitable?
Contexts such as community policing and similar approaches offer a greater degree of flexibility, and problem solving as part of the focus involves looking for the root causes of issues. Leadership within the physical security community needs to look more towards skillsets and mindsets that are adept at addressing complex environments and situations and then working to address issues. Structured thinking, such as that used in engineering or the social sciences, becomes much more important when dealing with our changing environment. Change, however, operates at a contextual level, and while it may describe a host of different conditions, simply saying that the threat environment is changing does not provide enough in the way of useful information. What is the nature of that change? In this context, change can be looked at in terms of the two major factors in risk—probability and impact. Increased global geopolitical tensions and competition in the world (largely the result of its continuing shift towards a multipolar environment), threats ranging from warfare and military clashes (Ukraine, Asia) to social unrest and political activism (as seen in the conflict of competing political ideologies in both Canada and the United States), and the rise in criminality as basic living costs move out of reach of people all place significant pressure on the ability to protect infrastructure. While some may ask if a petty criminal is likely to attack critical infrastructure, the short answer is “not in the way that you think.” What has been seen, however, are cases in the Maritime Provinces of Canada where copper theft has increased to the point that it has disrupted telecommunications and energy grids as thieves become more brazen in the kind of infrastructure they are willing to attack. These conditions have become desperate enough that people have actually risked their health (or lives) to commit these acts. The physical security domain also sees challenges arising in the accidental realm. While the traditional nonacceptance of threats continues in some circles, the work-from-home regime that rose to prominence during the pandemic has created a new interface between the work and threat environments. We see this in the use of personal infrastructure and the blurring of lines between “where the company begins and the individual ends.” Consider the contracting rules communicated by Public Services and Procurement Canada (PSPC) for contractors that seek to have document safeguarding capabilities in their offices. The offices are reviewed in terms of designs, tenants, infrastructure, security equipment, and a host of other factors. Were the houses used by public servants to process their information during their period of working from home placed under the same level of scrutiny? Likely not.
The use of personal environments (such as home offices), home infrastructure, and (in some cases) personal devices creates a new suite of threat vectors that blend physical and cyber threats when we look towards issues such as the threat to intellectual property and supply chain-based threats. This is not to say that people are being willfully negligent, but as a society we have become far too trusting of the various services that have been pushed to us for the sake of convenience, only to discover that a number of those services have been engaged in activities such as information collection. Finally, there is the issue of climate change and weather. These two are put together in that climate change focuses on macro and long-term issues while weather is the reality we face when we step outside our homes or offices. Without entering the politicized debate about whether climate change is real, we can categorically state that the weather today is certainly more intense and has shifted as compared to the weather of yesterday. We are also seeing that extreme weather, including rare weather events such as Fiona in the Maritimes, is becoming more prevalent. The challenge here within the physical security domain stretches throughout the full life cycle of the infrastructure. When we consider the devastation in coastal communities such as Port aux Basques, the rich cultural heritage of a community runs hard into the wall of reality in that risk avoidance may be the only option (i.e., not building in that environment). Similarly, rebuilding the infrastructure to the same standards after massive failures can only be described as a long-term act of folly. What this illustrates is that part of the physical security activity in this domain must now refuse to simply accept “building to code” for the sake of convenience and must include challenging the architects and engineers to show that their designs have also considered the trends indicated by historical data. Again, this is not to say that engineers and architects would willingly put people at risk (their professional values and ethics speak strongly against doing just that), but that we need to move past the codes and back into analysis of the current environments. We continue to see technology increasing in terms of its availability to the attacker. What has evolved, however, are the marketplaces and services, in areas such as the “dark web,” that make more complex attacks possible for attackers. Smart technology, interconnected networks, increased automation, and other similar technologies mean that incident response must involve a coordinated physical and logical response. The prevalence of this kind of technology has also led to circumstances where infrastructure that has been relied upon in the past is overwhelmed by the demands placed on it, complicating or even hindering an organization’s ability to respond. Additionally, geopolitical conflict has shown a darker side in the conflict in Ukraine, where the attacks on critical infrastructure, particularly the energy grids, leading up to the winter months can only be described as the deliberate targeting of a mass civilian population to crush its will to resist. While we have not seen this level of conflict in North America, we have seen attacks linked to this conflict extend past the borders of Ukraine into Europe’s energy infrastructure, most notably the attacks on the subsea natural gas pipeline and on shipping leaving Ukraine.

9.2 Core Offices Tested

The core offices (lead departments) in both Canada and the United States continue to be tested, in terms of not just the intensity of certain events but also the range of events. While severe storms were the main challenges in 2017, these core offices are now seeing much more systemic issues rising. Water shortages in certain parts of the United States continue to pose challenges across several sectors. We have seen other issues also rising, such as the shootings of power substations that led to significant blackouts in North Carolina and a state of emergency being declared as the restoration of power took several days. The challenge involves two aspects. First, the breadth of issues forces resources within those departments to be spread more thinly, as there are simply more issues to deal with. The second involves the breadth and depth of training and resourcing needed within those offices in order to keep pace with the range of evolving issues. This can become even more extreme as the need for resources in these core offices forces governments to begin to restrict (or even cancel) funding to smaller or less-visible entities. In Canada, however, the challenges for the government involve a combination of factors, largely tied to the credibility of programs intended to support recovery efforts. This credibility has been attacked on two fronts. The first front consists of the public perceptions with respect to how long and complicated claims processes are. Property damage claims from the 2022 derecho are still being processed, and support promised to Cape Breton (Canada) after Fiona has not been provided some months after the events. One of the greater challenges, however, involves the lack of skilled labor needed to (1) assess the damage for insurance companies and (2) effect the repairs. This challenge is further compounded as many of the most seriously hit areas are communities with higher percentages of persons on fixed incomes who lack property insurance. As a result of this, we see a percentage of the population caught, in that they “chose” not to have insurance in order to save money (the question of whether the insurance costs were affordable to people has not been asked significantly in public forums) and are disqualified from disaster relief as a result of that choice. The outcome of this is likely to be a topic for any after-action report with respect to systemic unfairness based on economic status. While this tends to focus more on disaster relief than security, the principles and root causes are the same. The first principle involves the availability of a labor force of trained and capable persons who can perform the needed work. We saw something similar during the pandemic, with the lack of cashiers and shelf-stocking personnel in grocery chains. While these positions may appear to be at “lower levels” when dealing with the grand strategic plan, they have just been shown to be vital elements when looking at the organization’s ability to deliver services. The second principle involves the ability or decision to engage that capable labor force in a timely manner. In the case of Nova Scotia, several homes were going into a Canadian winter unrepaired (or only temporarily repaired) not because programs were not available, but because contractors could not be found to perform the work.
The capacity to meet the market demand after the storm was simply insufficient in terms of both numbers (of contractors) and supplies. This raises a new challenge for the physical security practitioner—that of a loss of technical skills at the tactical and operational levels. As with the disaster response, those who are both cleared and technically able to construct certain kinds of spaces and certain kinds of infrastructure are in short supply. Consequently, the capacity of the security industry to meet the demands being placed upon it is in significant imbalance. One does not need to look too far past defense contracting, where the certification of spaces against certain standards has delayed the commissioning of such spaces for years. The lack of these spaces (and other forms of infrastructure) can lead to significant challenges when attempting sensitive work, which now includes aspects of “assurance” that the work was done in the appropriate environments and using appropriate techniques.

The Evolution of Physical Security

9.3 Resetting the Role of Physical Security

Physical security focuses on the protection of persons, assets, and operations from physical threats. There is an impression that physical security should use only physical barriers. This is not the case and is frankly a road that can lead to significant waste. The role of physical security is to ensure that appropriate controls are in place to mitigate risks that operate in the physical space, to address physical vulnerabilities, and to take steps to close the means and opportunities available to threats to use physical avenues of attack. These attacks range from violence that mimics conflict or warfare to the physical removal of sensitive assets, attempts to gain physical access to sensitive assets, and efforts to cause damage or injury to persons, assets, or operations. Doctrinally, an opportunity exists for the physical security and the information technology security communities to align, at least at the framework level. The physical security community has long used the structure of delaying attackers to the point that an effective response can be mounted against them. This has been a basic premise in warfare and in various forms of protective works for centuries. It remains enshrined to this day not only in government direction to security practitioners, but also in the doctrine of various professional associations that focus on asset protection. Within the information technology community, the Cyber Security Framework developed by the National Institute of Standards and Technology enshrines five “security functions” (identify, protect, detect, respond, and recover) that map readily onto this structure.

9.4 The Critical Infrastructure Protection (CIP) Perspective

As with many security doctrines, physical security has long been saddled with a community that focuses on confidentiality, often at the expense of integrity and availability. Within the CIP (and CIA) domains, this needs to shift. By definition, critical infrastructure delivers services necessary for the safety, security, and economic well-being of citizens. As a result, there is a need to shift away from a focus on confidentiality and to begin to look at the security attributes of availability and integrity more seriously. When we turn on the lights, the first question is, “Did they come on?” The second question involves the quality of the power and making sure it is not causing damage. This raises the question about how we look at physical security in this space. To simplify this question, consider the strategic, tactical, and operational levels. The strategic level may involve the provision of the critical service across the nation. The tactical level may be tied to networks that are more regional in nature. Finally, the operational level focuses on the individual production and distribution points. What we need to find is that appropriate balance between robustness and resilience. When considering the strategic, tactical, and operational levels of an issue, physical security resides at the tactical and operational levels. Strategic layers in critical infrastructure look at the balance between robustness and resilience. Given the costs associated with establishing the “perfect” robust infrastructure (one impervious to any reasonable form of threat), the scale had to tip towards resilience. We know that the costs of security following the attacks of 9/11 appeared necessary at the time, but we also know that the resources that needed to be committed to protect the safety and security of the populations came with human, financial, and opportunity costs. The other reason physical security resides at the tactical and operational levels is because it serves to protect a capacity. At the strategic level, the resilience of the networks assures those that rely on the critical infrastructure that the services will be delivered. It can do this because the network of infrastructure that delivers this capacity is able to generate enough capacity to meet the demands placed on it. Physical security looks to protect that tactical level against a range of threats to ensure that the system does what it is supposed to do—deliver. While physical security as a domain operates at the tactical level, the various security mechanisms and controls that it puts in place and manages as a protective posture function at the operational level. The concept of identification, protection, detection, response, and recovery happens at similar levels. Our inventories of assets and rosters of personnel are particular to the site and its operations, and then those can be assembled to form a higher level (tactical levels). In the end, however, we expect the employee to show up for a specific job using certain tools and in support of specific tasks. This represents the operational level. How does one reposition physical security to remain relevant in this current climate? This is not a simple task, but we can use a variant of the OODA loop used for decision-making and responding to situations as an approach. As discussed earlier, the OODA loop looks at a cycle of observation, orientation, decision-making, and acting. The more quickly an organization can move through this cycle cleanly (i.e., without significant errors), the more likely the organization can remain in control of the situation.
In this approach, physical security needs to understand its own decision-making and adjustment cycles to stay ahead of the issues. This will involve an exercise that might well be described as using estimates to buy time. Where the physical security posture can adjust quickly, the distance ahead that it needs to project its estimates can be closer to the reality of that day. This distance, representing how far out into the future the projections are pushed, increases as the ability to work through the cycle slows. Issues that are within the organization’s span of control can be resolved quickly and decisively, meaning that physical security practitioners do not need to press their estimates further into the future. When dealing with facilities, however, the time it can take to make major structural changes may be several years into the future, meaning that the physical security practitioners will need to project their estimates further out. For example, what will the maximum wind load be on an office tower near the coast? For the physical security practitioner, this may affect the kind of glazing that is recommended. Can a reasonable estimate be made? If we know that the financial status of the organization (assuming we do not rely upon insurance) will require ten years before we can return to that specific part of the project, then we need to make a reasonable estimate that can survive that length of time. Obviously, collaboration with the engineers and architects will be important in this regard, but even they may be working off existing data and may face challenges in making those estimates. We see this challenge playing out in disaster recovery. Only recently has the government, never mind insurance companies, come to realize that if it breaks once, you should probably build it a bit better next time. This, however, is still not applied consistently. In Canada, we continue to see hydro poles snap in high winds associated with storms. We then see the trucks installing the same kind of poles. The end result has been higher generator sales, as the population served by the grid loses confidence in its ability to withstand conditions. If we were to apply this principle, the power company might look to lessons learned in other areas that suffer high wind events—such as Florida. While Florida’s concrete poles were adopted because termites like concrete less than wood, it was also found that the poles did not snap in the high winds. In applying this concept, one might propose replacing the poles for the trunk lines with the stronger poles (at the start). The concrete poles will still fall in extreme winds, but there is a significant difference between the winds in a Category 4 hurricane as opposed to the storms seen further north. Setting the potential solution aside, the approach to the problem here is the important part. The crux of this challenge involves two factors. First, we need to determine how far out we need to estimate. This is fairly straightforward because we can link this to our own internal cycles and how quickly we intend to address issues. If we intend to address an issue in ten years, then the estimation needs to go out ten years. The second challenge lies in the accuracy of those estimates. Given the instability of the various environments affecting infrastructure, it becomes progressively more difficult to make an accurate and defensible estimate of the conditions that are going to be in place.
While we can relate this challenge easily to weather (as we are moving into climate with the long-term view), there is a host of other factors that may influence physical security. For example, if we did not have the COVID-19 pandemic, would we have seen such a shift to people working from home? The challenge can be summarized by saying that the real world that influences activities like physical security is a complex environment, and there needs to be real thought put into not only what the changes are likely to look like in the future, but what events could throw a spanner into the works by introducing unforeseen factors driving change in different directions or at different rates. Having identified what the problem space looks like, we need to find the approach that addresses the challenges. We can characterize the challenges with physical security in a few clear statements. Physical security still needs to ensure that persons, assets, and operations are afforded an appropriate level of protection. That statement will need to be refined somewhat in the near future. Physical security efforts need to be relevant to the operations they are protecting, not cause undue impacts or disruptions in those operations, and need to remain rational in terms of costs. There are other factors that are beginning to rise. For example, how do you process an individual for a security clearance when they are newly arrived in the country and have little verifiable history? This may not have been a significant factor ten years ago when the security screening policies and standards were written, but as North America attempts to attract more immigrants to replace those retiring, have we created an unfair playing field by restricting those newcomers from certain positions? Or are we simply being prudent? Or is it fair to those that have lived here for the full ten years to have to submit this information while exceptions are made for those that cannot? These are not easy questions to answer and will take time (if not a degree of activism), but they are questions that gnaw away under the surface of physical security’s doctrine, much like our not-so-friendly Florida termites. What does this structure actually look like, and what are the main elements that we need to include in it? When we look at how to describe this from a more “operationalized” perspective, we can use the life cycle approach that flows from any system. The phases are planning, design, development, implementation, testing, operations and maintenance, and removal from service. For those that are already involved in dealing with critical infrastructure protection, you will quickly realize that you are not beginning with a clean slate. Often, you have inherited the challenges of previous efforts that remained uncompleted. As a result, you may need to backfill some of this information in order to bring the overall efforts on track. Those who have an IT security background will find that this approach approximates the life cycle management approach used in the design of IT systems. This is not by accident. The approach is drawn from doctrines that can be used by both communities for a very simple reason: they need to work together, and organizations have very low tolerance thresholds for groups that develop approaches that are so unique that they cannot function within the larger organizational context.
This does not mean that the unique requirements, constraints, and restraints (these will be looked at shortly) should not be included. It does mean that when you line up the two systems in a side-by-side comparison, there should be little doubt about how they line up.

9.5 Picking an Appropriate Approach

The next step involves ensuring that you are focused on the right level of effort. Is going through the full life cycle approach appropriate to what you are trying to accomplish? To answer this question, you may want to set a clear threshold for when you would actually trigger the design process. This will depend somewhat on your organization’s comfort zones and security program maturity, but a good rule of thumb is that when the work is replacing or establishing infrastructure, then you may want to seriously consider taking this approach. Where the work is simply fixing existing infrastructure, then you may not need to consider it (Figure 9.1). We do not need advanced engineering degrees to understand that when you have a hole under your fence as large as the one in Figure 9.1, you are likely not going to slow down an attacker. Do you need a design project to figure out how to fix this? Of course not. The problem is relatively obvious. The fence is meant to delay individuals, and the space under the fence offers a significantly easier route that is less likely to accomplish the 12-second delay offered by this kind of fence. The solution? Fill the hole. There is no real label for this kind of approach other than exercising a level of common sense.

Figure 9.1 Photograph of a fence showing poor maintenance (note the bottom of the fence in the center of the picture). Source: Photo by A. McDougall.

Now consider a different scenario. Say you are maintaining the fence (i.e., not letting it get to the condition in Figure 9.1), but as you go out and check on its condition, you find that people have been cutting through the fabric of the fence in order to create a shortcut to work. This is a bit different in that the fence is present but is not functioning as intended. If we were to look at the root of why the fence is not functioning as intended or is being bypassed, we are likely to conclude that the fence either (1) failed to consider some organizational issue such as the distance needed to travel to a site, or (2) failed to take into account a certain kind of threat that would attempt to bypass the control. In this specific context, if we assume that all persons are supposed to go through some form of entry point, the options are simple: build a new entry point or reinforce the fence line. In this case, and as shown in Figure 9.2, the organization chose to improve the fence in this area as they had a regulatory requirement to ensure that all persons presented to security upon entry and the organization did not have any appetite for creating another entry point. This level of work is where the security personnel will begin to see the transition from the “commonsense approach” to a more “design-based approach.” A level of judgment needs to be applied here on the part of security. Doctrinally, it may be more prudent to go through the whole design approach in detail. Does this reflect the reality of the work to be done? Again, we are being asked to fix a specific issue with the existing infrastructure. The key element here will be the levels of education, training, and experience in the security practitioner tackling the problem. For those with significant levels across all three, the solution may be readily apparent. For those with lesser amounts in any of the three, it may be worth having them work through the more complete cycle at the start of their tenure within the organization, so they build good habits and establish the level of confidence in their work before being allowed to work within the more fluid regime.

Figure 9.2 An improved fence line that used a basic risk assessment process to determine the course of action.

The final method involves the full design approach. This applies to complex issues or challenges that may involve the establishment of capacity. This may include the integration of new technology (such as smaller fission-based reactors in generating electricity) or the expansion of the critical infrastructure network (in the sense of service delivery, not just information technology) into new areas. Consider when the transportation networks and supply chains for Europe were expanding and ports were being established in North America. Maintaining control over the waterways and territory surrounding the ports required fortifications
to be built to keep them operating. This took perimeter control and canalization well past the concept of the fence line into a whole range of interconnected design features and capabilities. Two key considerations stand out at this point. First, the nation establishing the fortification could not afford to lose the fort to another nation. Second, the fortress was designed to act not only as a central point within the community but also as the central point in defenses that included a network of fortifications, batteries, Martello Towers, and garrisons intended to make the area unassailable (Figure 9.3).

Figure 9.3 Fortification designs, often seen as primitive, combined different interlinking aspects of defense.

If we consider structures such as NIST Interagency Report (IR) 8179, Criticality Assessment Process Model [1], we can see how impacts are used to help determine the level of rigor imposed in the controls. One can find similar structures in the Royal Canadian Mounted Police (RCMP)/Communications Security Establishment (CSE) Harmonized Threat and Risk Assessment Methodology, Section B [2], when considering tables such as the Expanded Injury Table. Finally, we can see this thinking when considering one of the two major inputs into the risk management activities proposed under the CSE Information Technology Security Guide (ITSG) 33 [3]. The thinking behind this is relatively simple. As an organization, we seek to limit our liability. That liability can be tied to the nature of injury suffered through either our actions or inaction. The greater the injury, the greater the extent or cost of that liability, as well as the more extensive the direction is to limit that liability (from suggestions and recommendations at the lower end to criminal law at the upper end). Even the base definition of risk being a factor of probability and impact can be used to support this approach. Let’s look at this in terms of a very basic triaging of impacts. Without proposing a specific set of criteria, let’s consider Table 9.1 as being a rough definition of low, medium, and high levels. These will be used as the foundation for determining what level we should be using when considering the nature and extent of due diligence exercises involved in the work.

9.6 The Security Goal in Critical Infrastructure Protection

Within the context of CIP, we can situate the security goal based on the assumable level of impact. The loss or significant disruption of critical infrastructure, by definition, may involve loss of life (or serious injury), may affect a region or larger, and can be very complex to recover. As a result, we need to situate our thinking so that we aim towards a full design activity and limit our use of the simple risk assessment and commonsense approaches to specific instances at the tactical or operational levels.

Table 9.1 A Very Primitive Example of Using Impacts to Assess the Level of Rigor

Level of rigor | Persons | Area | Sensitivity | Recoverability
--- | --- | --- | --- | ---
High—full design activity | Involves loss of life or serious injury | Region or greater | Classified | Very difficult and time consuming
Medium—risk assessment approach | Injuries to many but no loss of life | Immediate community | Non-national interest | Effort is required but does not take longer than one day
Low—commonsense approach | Discomfort but no real risk of injury | Immediate area | Potentially sensitive but generally publicly available | Recoverability almost immediate

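The triage that Table 9.1 and Section 9.6 describe, written out as a small decision routine so the rule can be applied consistently and its rationale recorded. This is an added example, not code from the book or from any of the frameworks it cites. Three rules are assumptions drawn from the text rather than anything the table states outright: the most severe of the four impact dimensions sets the level of rigor; work that replaces or establishes infrastructure triggers the full design activity (Section 9.5); and a critical service is allowed the simpler approaches only for tactical or operational scope (Section 9.6). The rubric strings paraphrase the table cells, and the scenarios in the `__main__` block are constructed to mirror the fence examples of Section 9.5.

```python
from dataclasses import dataclass
from enum import IntEnum


class Rigor(IntEnum):
    """Level of rigor from Table 9.1; the ordering lets us take the worst case."""
    LOW = 1      # commonsense approach
    MEDIUM = 2   # risk assessment approach
    HIGH = 3     # full design activity


APPROACH = {
    Rigor.LOW: "commonsense approach",
    Rigor.MEDIUM: "risk assessment approach",
    Rigor.HIGH: "full design activity",
}

# The four impact dimensions of Table 9.1 (cell wording paraphrased).
RUBRIC = {
    "persons": {
        Rigor.LOW: "discomfort but no real risk of injury",
        Rigor.MEDIUM: "injuries to many but no loss of life",
        Rigor.HIGH: "loss of life or serious injury",
    },
    "area": {
        Rigor.LOW: "immediate area",
        Rigor.MEDIUM: "immediate community",
        Rigor.HIGH: "region or greater",
    },
    "sensitivity": {
        Rigor.LOW: "potentially sensitive but generally publicly available",
        Rigor.MEDIUM: "non-national interest",
        Rigor.HIGH: "classified",
    },
    "recoverability": {
        Rigor.LOW: "almost immediate",
        Rigor.MEDIUM: "effort required but no longer than one day",
        Rigor.HIGH: "very difficult and time consuming",
    },
}


@dataclass(frozen=True)
class Impact:
    """One rating per Table 9.1 column for the scenario being triaged."""
    persons: Rigor
    area: Rigor
    sensitivity: Rigor
    recoverability: Rigor

    def as_dict(self):
        return {name: getattr(self, name) for name in RUBRIC}

    def worst(self):
        # Assumption: the most severe dimension drives the level of rigor.
        return max(self.as_dict().values())

    def drivers(self):
        """Dimensions that set the worst-case level; recorded as the rationale."""
        worst = self.worst()
        return [name for name, level in self.as_dict().items() if level == worst]


def required_rigor(impact, work, scope, critical_service):
    """Decide the level of rigor for a piece of security work.

    work:  "fix" (repairing existing infrastructure) or "establish" (replacing
           or creating infrastructure), the threshold of Section 9.5.
    scope: "strategic", "tactical" or "operational".
    critical_service: True when the work touches a critical service (Section 9.6).
    """
    if work not in ("fix", "establish"):
        raise ValueError(f"unknown work type: {work}")
    if scope not in ("strategic", "tactical", "operational"):
        raise ValueError(f"unknown scope: {scope}")
    # Assumption from Section 9.5: replacing or establishing infrastructure
    # triggers the design process regardless of the impact ratings.
    if work == "establish":
        return Rigor.HIGH
    # Assumption from Section 9.6: for a critical service the simpler approaches
    # are limited to specific tactical or operational instances.
    if critical_service and scope == "strategic":
        return Rigor.HIGH
    return impact.worst()


def triage(impact, work, scope, critical_service):
    """Return the decision together with the rationale a practitioner would file."""
    rigor = required_rigor(impact, work, scope, critical_service)
    return {
        "rigor": rigor.name,
        "approach": APPROACH[rigor],
        "drivers": impact.drivers(),
        "ratings": {name: RUBRIC[name][level] for name, level in impact.as_dict().items()},
    }


if __name__ == "__main__":
    # Constructed scenarios: a hole under the fence, a cut fence line where a
    # regulatory screening requirement raises sensitivity, and a new reactor.
    hole = Impact(Rigor.LOW, Rigor.LOW, Rigor.LOW, Rigor.LOW)
    cut = Impact(Rigor.LOW, Rigor.LOW, Rigor.MEDIUM, Rigor.LOW)
    reactor = Impact(Rigor.HIGH, Rigor.HIGH, Rigor.MEDIUM, Rigor.HIGH)
    for label, imp, work in (("hole", hole, "fix"), ("cut fence", cut, "fix"),
                             ("reactor", reactor, "establish")):
        print(label, triage(imp, work, "operational", True))
```

The `drivers` list is the part worth keeping in the record: when the decision is challenged later, it shows which column of the table pushed the work into the risk assessment or full design path rather than leaving the choice to the assessor's memory.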
Our first question is, how do we communicate the overarching security goal? Oddly enough, there are dozens of organizations and opinions with respect to what the high-level security goal is, or ought to be. We also find that there is a bit of confusion with respect to this terminology. For example, some organizations will couch the security goals as being security requirements, a concept that is at odds with the basic tenets of systems engineering. Others list the security goals in terms of the security functions of the NIST Cybersecurity Framework in terms of identify, protect, detect, respond, and recover. These approaches represent a “crossing of swim lanes” that adds complexity but not necessarily value to this exercise. We can resolve this by asking the question, “What value should a security program be to its host organization?” Contrary to the thinking of some security practitioners, most organizations do not come into being because a security program needed a home. Rather, the security program exists because of one (or both) of two needs: to comply with something, or to support operations. Ideally, both are met. So, we can say that the role of security (at its highest level) is to assure the operations of the organization through helping maintain an acceptable and appropriate risk environment. We can further refine our understanding of this by describing risk in terms of a factor of probability and impact. Probability can be further refined in terms of the number of instances that something could happen within a population of instances. This speaks to examining the means and opportunities associated with committing acts or creating conditions that could run contrary to the mission. The means of the event involve knowledge, skills, and resources (including tools). Opportunities involve having the time and space necessary to carry out the attack or event without undue fear of the attack being disrupted.
We can look at the impact in terms of the various methods of measuring impact: compliance with laws (using the penalties and legal consequences as a measurement), financial (dollar value in terms of real and potential earnings), operational impacts (disruptions of services and what that entails), and so on. These begin to provide some granularity to the context. We can further refine the goal of the security program by situating how the organization wants to respond to those risks. Once again, we see similarities with the cybersecurity approach communicated in the NIST Cybersecurity Framework (version 1.1), which lists the security functions of identify, protect, detect, respond, and recover. These can be compared to physical security doctrine such as that found in the RCMP Lead Agency Publications, for example G1-025 Protection, Detection, and Response [4]. These can be broken down into certain management approaches depending on the legal and regulatory constraints placed upon organizations (such as avoiding the issue of negligence in the criminal context) and risk management thresholds. We can state that “Identify” is present in both regimes in that both tacitly accept that you cannot do any of this effectively if you (1) don’t know what you have, (2) don’t know what you’re doing with it, and (3) don’t understand what may be working against you. The condition of mitigating (addressing) risks to the extent that the organization has an assurance that the events will not occur may well serve to describe protection. The management of risks may be equivalent to the combined concept of detection and response. Finally, recovery is a common element in that organizations seek to return to tolerable, then acceptable, and then ideally optimal levels of performance. We need to look at constraints that influence this approach. The first of these involves legal requirements, particularly those associated with the preservation of life and the need for organizations to take reasonable steps to prevent harm. Canada’s Criminal Code, for example, has a whole section that focuses on the issue of criminal negligence. Without getting into the full legal argument, we need to understand that this involves “doing something” or “not doing something” (Section 219). It also describes this in terms of a “wanton reckless disregard for the lives or safety of other persons” (Section 219). These further extend to identify instances where an individual or organization interferes with the safe operations (such as what might be found in the operation of aircraft). The United States has similar sections within the U.S. Code of Federal Regulations (46 CFR 5.29) that place penalties on reckless and wanton behavior that leads to harm against the state or other individuals. In the legal context, the description of “willful and wanton” conduct can be described in terms of actions that meet two major criteria. First, there was knowledge of the impending danger. Second, steps were not taken in response to that impending danger, such that the defendant can be successfully accused of acting with disregard to the safety of the persons involved. So, what prevents an organization from simply not conducting risk assessments and making the legal argument that they were unaware of the impending danger and therefore cannot be held responsible?
This is where the concept of the duty of care comes into play. In this case, we will limit the concept of duty to those that are imposed legally (although others may be needed to adhere to social norms) such as those that you would find in safety regimes. These require organizations to take steps to identify and communicate certain kinds of risks that involve death or injury as well as taking reasonable steps to prevent that harm. So, we can arrive at a basic statement that describes the overarching security goal for the overall security program as being to “protect against reasonably foreseeable threats while maintaining an ability to detect and respond effectively to threat events.” This statement could be broken down into two subgoals—protecting against reasonably foreseeable threats and detecting and responding to threat events. These two statements can be further broken down until we finally reach several statements that represent singular outcomes. Where we design the system, we use this process to describe what we need to put in place, and later, as we test and validate the system, we can use this as the basis for our argument that the overall security goal has been achieved (Figure 9.4).

Figure 9.4 Very primitive breakdown of one of two overarching goals.

As we conduct analysis and assessments, we will have a greater understanding of these three elements (threats, vulnerabilities, and impacts). We may begin with something within our span of control and begin to understand our own assets and operations. We can then look to see what threats exist that could pose a risk to our operations and determine if there is an alignment between what we have and the way that the threat behaves (exposure to vulnerabilities). What we will notice, however, is that as we become more granular, we lose the generalities of the top statement and begin to get more specific and concrete. This allows us to step back from a process that will be too subjective and debated to one that can be observed, tested, and measured.

9.7 Establishing the Overall Context and Organization

Not every issue belongs to physical security, and we need to be cognizant of how security roles and responsibilities interact. It should be clear to most practitioners that significant overlaps exist. For example, allowing access to spaces only to those who have a requirement for access and are appropriately trustworthy (such as through a security clearance) requires an interface between physical security and the organization responsible for background checks (sometimes referred to as security screening). Governance needs to manage these interrelationships by ensuring that the different groups understand (1) their roles and responsibilities, (2) the limits of their roles and responsibilities, and (3) the need to communicate. It should also include methods for resolving disputes. The danger with governance is that organizations can mire the need for good organization in mandates and politics, creating systems based so much on compromise and consensus that they cannot function efficiently or effectively. Where this begins to occur, it is absolutely critical for the senior leadership of the organization to end that particular approach and remind those involved that they are a supporting organization that is there to serve the best interests of the organization and not to simply promote their own sub-interests. This leads to the second reason why the overarching security goal is the first step in establishing what physical security is supposed to do in this context. We need to ensure that we have the governance set up appropriately so that the roles and responsibilities do not (1) start working against each other and (2) become unmanageable for the organization. It is at this step that we can identify the goal of the physical security organization and apply it into the overall structure and security posture of the organization. In this context, we may see physical security in terms of managing the physical barriers and infrastructure necessary to detect physical intrusion into the site. This step, however, will largely depend on a combination of the management culture, resources available, and operations of the organization, as it reflects an internal decision. What is clear is that the functions should be well defined, have clearly identified leadership, and be guided in a manner that ensures the various security sub-disciplines.

9.8 Establishing the Infrastructure Underpinning the Organization

Having established the governance structure (i.e., roles, responsibilities, authorities, and mandates), the next set of conversations can begin with the security organization. This involves establishing the thresholds associated with acceptable, uncomfortable, and intolerable risk. Given that the center of this effort involves CIP, the first focus involves availability, or ensuring that the service remains available to meet demand. The second area of concentration involves integrity, ensuring that any available service continues to be usable and does not pose its own risks to the populations it serves. Confidentiality is not forgotten, but it does not play the central role in this case except in the context of individuals or processes being given access to sensitive assets. After the thresholds associated with the critical services have been identified, the more corporate risks are addressed. Generally, the hierarchy of subjects associated with risks can be described in terms of the diagram shown in Figure 9.5.

Figure 9.5 General hierarchy of the priority of topics in risk management.

Coordination and cooperation now require two steps in the establishment of the physical security program. The first element involves the establishment of several key registers and information holdings. These are used to track key information sets that will be necessary for the management of the program. These registers include the following:

◾ Key stakeholders—including their identity and connection to the effort.
◾ Key functions and activities—likely derived with organizations focusing on Business Continuity Planning or Continuity of Operations Planning.
◾ Assets—particularly those that are involved in the delivery of the service or that hold a particular degree of sensitivity. This includes linkages to any elements of systems including persons (HR), assets (asset management), spaces (facility management), information (information management), and services (contracting and procurement).
◾ Activities—both organizational processes/functions and those specific to the security functions.
◾ Threats—including identity, intent, knowledge, known skills, past practice, and level of commitment.
◾ Vulnerabilities—that may be exploited by threat actors that seek to cause damage to assets.
◾ Risks—beginning with the general security risks but also including risks particular to the physical security environment.
◾ Security mechanisms—these are the specific controls that are applied in specific locations. These may be rolled up into control categories or even families, but need to be tracked individually for monitoring purposes.

These key registers need to be established so that the overall security organization can generate a trustworthy image of the organization’s security posture. Taking this step reduces the potential for conflict that comes from disparities in how the organization’s security state is described. The second aspect of infrastructure involves having a structure within which this information will be managed and that can be used to refine the threat assessment process. It is not enough simply to have registers. The organization needs to maintain and manage the evidence that underpins these information holdings. This is particularly important in the CIP domain given that certain threats are likely able to “play the long game” and may become evident only when considering trends over long periods of time.
Within the context of physical security, the key linkage is between the facilities (or spaces) and the capacity that can be delivered because of work done within those spaces. Trends need to be looked for that would point towards an adversary (1) conducting research or reconnaissance, (2) planning for something and selecting a target, (3) preparing or positioning resources, or (4) conducting the attack itself. The physical security organization (and potentially parallel security activities) may also benefit from the availability of specific tools. These tools need to be looked at in terms of their own life cycles and in terms of the training necessary to leverage their use appropriately. These tools can be divided into two broad categories. The first are research and analysis tools that assist in processes such as threat assessment, vulnerability exposure assessments, and risk assessments. Applications that allow for modeling the threat and the systems being built can make profound contributions by helping the physical security organization focus its attention, efforts, and resources where they are most needed. They accomplish this by processing scenarios and potential outcomes to a much deeper level of granularity than could be achieved manually. Finally, the physical and logical environments around this information and these tools need to be treated as being close to a sanctum. Networks holding this information should be restricted to the security organization and be protected to a high degree of confidentiality, both at the server level and in terms of the end points and communication channels between the two. In this context, the network profile that would be used could be considered a high-confidentiality, high-integrity, and medium-availability profile, given that the focus of the network is not protecting the critical infrastructure itself but rather indirectly protecting the critical infrastructure by protecting the information that could be of benefit to an adversary. The same holds true for the physical spaces. While the security practitioner may be held to a higher degree of background screening, the access into the spaces where they work, to the tools that they use, and to the information they collect must all be protected as though they were part of the organization’s crown jewels or most sensitive assets.

9.9 Robustness and Assurance

The concept of robustness can be described in terms of the organization’s ability to take a hit without suffering damage. This can be described in terms of the standard security functions of protection, detection, and response. The protective controls look to delay or block the attacker, while detection and response work to identify suspect conditions, determine if they pose a threat, gather information about that potential threat, notify the appropriate entities, and then trigger an appropriate response that will either disrupt the threat or take steps to contain, isolate, and remediate the threat. The robustness of the system can be looked at in terms of some basic rules. First, we can consider the impact involved. Once again, this impact focuses on the disruption of the critical service and the potential impacts that could occur because of that disruption. If we look at this in terms of potential losses of life, disruption of the economy, or similar kinds of impacts, then it would be difficult to argue that these impacts would fall into anything other than a “high” category. The second factor involves the gravity of the adversary that could attempt the attack. A review of any number of open-source intelligence reports, including those published by lead investigative bodies like the FBI in the United States and CSIS in Canada, indicates that very sophisticated threat actors, potentially with state support, do attempt to establish footholds or beachheads in our critical infrastructure systems and services. When considering this methodology, and using the IT structures as a benchmark, we can see that the physical security around our critical infrastructure needs to be one step higher than what would be considered best in commercial positions.


While the robustness of the physical security is set, how much confidence do we have in the infrastructure that we are putting in place? This raises the question of what might be described as the assurance case. The assurance case describes the level of trust that an organization can place in its infrastructure to behave as it should in both the normal operating environment and a contested environment, such as an attack. The National Defense Industrial Association [5], in its Engineering for Systems Assurance, describes system assurance as “the justified confidence that the system functions as intended and is free of exploitable vulnerabilities, either intentionally or unintentionally designed or inserted in the system at any time during its life cycle.” [6] For those involved in physical security, this takes a slightly different form to accomplish what might be described as the same end. For the physical infrastructure (such as fences, gates, bollards, windows, and so on), this involves various forms of testing performed by accredited laboratories to support the claims that an infrastructure will behave as intended. This needs to show the following three parts:

◾ That the testing done represents the conditions or reasonably approximates the threat involved.
◾ That the testing is done in a manner that generates reliable and credible results (usually in the form of an accepted and described test method).
◾ That the product received can be directly linked in terms of quality to the testing that was successfully passed.

The first phase of this is particularly important. Consider the issue of bollards. For high-speed crashes, one can easily refer to the various Department of Justice standards or ASTM F2656 [7]. This testing does not cover low speeds, such as might be found in parking areas. For that, ASTM F3016 (or F3016M) [8] might be more suitable. Within certain contexts, it may be prudent to have both.
For those involved in security design, the diagram shown in Figure 9.6 shows how the assurance case can be laid out to support the claim that “the building’s perimeter is provided reasonable protection against direct vehicle strikes by a set of bollards.” This is where good modeling software may be useful. This software serves to ensure as complete coverage as is reasonable when looking at the design of the building. Software such as SecuriTree can be used to identify specific routes for attackers to reach vital points within the facility, assisting (1) in identifying potential routes that the attacker may choose to take to be successful and (2) in identifying the ability of the security defenses to delay that attack. This can be somewhat laborious to set up and requires a degree of research to ensure that the data being used is relevant, timely, and accurate. What these systems can generate for those building the design is a list of prioritized attack routes with the attacker’s required time to succeed, which can then be compared against the response time of the organization to reach that point. Where detection and response outpace the attacker, a favorable outcome can be expected if the response includes arriving at the specific location as well as the time necessary to set up any defensive positions or similar activities.

Figure 9.6 A general description of incorporating design criteria as part of establishing an assurance case.

The next aspect of assurance involves the technical systems that control much of the security infrastructure at the site. This is sometimes overlooked in the design process given that the security infrastructure may be separate from the operational infrastructure. In this context, the assurance case necessary for the system includes the various assurances from the vendors, supported by reliable and credible testing laboratories using appropriate standards, necessary to support their claims that their systems are appropriately secured against disruption and modification. For those involved in the design, this involves statements regarding the development processes used to design and implement the various elements in the package being provided to ensure that it has used the Secure Development Life Cycle (SDLC) [9] in its creation. This is all well and good if we are building our critical infrastructure, but how do we establish this case on existing systems? There are some subtle differences to be considered when looking to test these kinds of systems. The first distinction is that much of the infrastructure exists outside of controlled spaces. Access card readers, cameras, lighting, and other similar kinds of infrastructure often exist in spaces where the attacker has access. As a result, we need to assume that the attacker may attempt to bypass the control by affecting the end device in some way. The second distinction involves the infrastructure supporting the system. Does the system, including its outlying devices, rely upon any services whose loss can disrupt either the infrastructure or its ability to communicate information back to the central point? For example, does the peripheral device require a steady stream of power, have a limited battery backup, or incorporate other means of conserving power? Does the peripheral device require a constant communications connection to any central hubs, and can these be disrupted either deliberately (jamming, etc.) or inadvertently (conflict with other signals in the area)? Finally, can the peripheral device and its communications infrastructure withstand a reasonably determined attack given the kinds of attackers that were identified in the threat assessment? This speaks to features such as anti-tampering being built into the system and going into an alarm state (notifying the monitoring structures) when an attempt is being made. Once these aspects are understood, the systems can be tested in terms of Vulnerability Assessments and Penetration Tests (VAPT) to determine what vulnerabilities exist and to ensure that compensatory controls are put in place to manage those exploits. This testing should be conducted by companies or personnel that are (1) competent to conduct this kind of testing, (2) willing to be completely transparent regarding what they will do, are doing, and might do, and (3) trustworthy in terms of background checks. This testing should include a written report that clearly identifies what worked and what needs to be improved, with the latter results also including recommendations as to how the identified vulnerability can be addressed. Where it cannot be addressed directly, the assessment team should make recommendations as to how the architecture of the overall system can be adjusted to ensure that the means and opportunity of attack are denied, or at least made discoverable. Finally, those conducting the testing should be clearly bound by nondisclosure and no-further-use agreements to ensure that any information regarding the vulnerabilities is contained. This includes ensuring that the testing organization can provide some form of evidence that it can protect the data if any of it is to remain on their own systems. What this looks like as we move through the life cycle can be described in Table 9.2.
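The comparison described earlier in this section, between the attacker’s required time along each route and the organization’s response time, can be reduced to a small calculation. The following is an added example written for this chapter; it is not the book’s own material nor the output of SecuriTree or any other product. The routes, barrier delays, and response times are constructed values, and the model assumes that an alarm is raised the moment an attempt begins on the first monitored barrier on a route, so delay accumulated before that point does not help the responders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Barrier:
    """One obstacle on a route to a vital point. The values used below are
    constructed for illustration, not measured delays for any real product."""
    name: str
    delay_s: float    # seconds an attacker needs to defeat the barrier
    monitored: bool   # True if an attempt on this barrier raises an alarm


def total_delay(route):
    """Sum of every barrier's delay along the route."""
    return sum(b.delay_s for b in route)


def delay_after_detection(route):
    """Delay that still remains once the first alarm has been raised.

    The alarm is assumed to sound at the start of the attempt on the first
    monitored barrier, so that barrier's own delay still counts. Delay spent
    before detection is wasted because nobody has been told to respond yet.
    Returns 0.0 when no barrier on the route is monitored."""
    alerted = False
    usable = 0.0
    for barrier in route:
        if barrier.monitored:
            alerted = True
        if alerted:
            usable += barrier.delay_s
    return usable


def wasted_delay(route):
    """Delay the attacker must spend that buys the defender nothing."""
    return total_delay(route) - delay_after_detection(route)


def assess_routes(routes, response_travel_s, response_setup_s):
    """Rank routes by margin = usable delay - (travel time + set-up time).

    A negative margin means the attacker reaches the vital point before the
    response is in place; those routes are the priority for adding either
    detection (so existing delay starts to count) or further delay."""
    needed = response_travel_s + response_setup_s
    ranked = []
    for name, route in routes.items():
        usable = delay_after_detection(route)
        ranked.append((name, usable, usable - needed))
    ranked.sort(key=lambda r: r[2])   # worst margin first
    return ranked


# Constructed routes to a server room (hypothetical facility).
ROUTES = {
    "front gate": [
        Barrier("perimeter fence", 30, True),
        Barrier("vehicle gate", 90, True),
        Barrier("lobby door", 60, True),
        Barrier("server room door", 180, True),
    ],
    "rear yard": [
        Barrier("perimeter fence", 30, False),
        Barrier("loading dock door", 120, False),
        Barrier("corridor door", 90, True),
        Barrier("server room door", 180, True),
    ],
    "roof": [
        Barrier("perimeter fence", 30, False),
        Barrier("roof hatch", 300, False),
        Barrier("server room door", 180, True),
    ],
}

RESPONSE_TRAVEL_S = 180   # constructed: guard force travel time to the server room
RESPONSE_SETUP_S = 60     # constructed: time to take up a defensive position

if __name__ == "__main__":
    for name, usable, margin in assess_routes(ROUTES, RESPONSE_TRAVEL_S, RESPONSE_SETUP_S):
        print(f"{name:11s} usable delay {usable:4.0f}s  "
              f"wasted {wasted_delay(ROUTES[name]):4.0f}s  margin {margin:+4.0f}s")
```

With these constructed values the roof route ranks worst even though it carries the longest total delay: the 300-second roof hatch is unmonitored, so the alarm only sounds at the server room door and 330 seconds of delay are wasted. That is the point made later in this chapter about an unmonitored barrier accomplishing only half its role, and it shows why the design fix may be a sensor rather than a heavier barrier.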

9.10 Applying Architecture to Physical Security

There are two aspects to consider when we look at the architecture of a physical security structure. First, will it support the organization’s operations by protecting it appropriately against reasonably foreseeable threats and being able to detect and respond effectively to attacks? This is about more than simply having protective controls and technology in place. The organization will need these to delay and detect the attack, but at some point the response needs to occur. This will require a capable response capability (not just a warm body sitting in a chair watching events unfold) by someone who is trained and equipped to deal with the threats involved. The second involves ensuring that the security organization does not put undue strain on the system, particularly in terms of interfering with the delivery of the core service. These delays are generally the result of (1) barriers that slow activity, (2) processes that increase the burden on the organization, and (3) reporting requirements that may increase the administrative burden on an organization. This does not mean that these should be avoided or that there won’t be any impact. It does mean that they should be acknowledged and managed in such a way that they are incorporated into planning with senior management understanding and support.

Table 9.2 Looking at Various Life Cycle Phases and Considerations

Phase: Planning
Consideration: The system’s role is identified within the security system and the degree of assurance is determined. The conditions for success are identified, as are the measures of effectiveness and objectives to be achieved by the system. The latter is to propose a means of measurement that can be linked to demonstrating that the protective system is functioning as intended.
Comments: The degree of assurance is tied to the level of threat and impact on the performance of the security system using Annex 2 of ITSG-33 or something similar.

Phase: Design
Consideration: The design considers the performance of the system (in terms of functional requirements) and the assurance case (nonfunctional requirements). The design can show that these have been modeled or otherwise examined using the measurement system (from above) and the thresholds to be achieved.
Comments: The typical design statement should be couched in terms of requirements that are specific, atomic, unique, measurable, and relevant to how the system will work within the protective security posture.

Phase: Implement
Consideration: The implementation instructions should provide clear instructions and checkpoints to ensure that the system is installed completely and correctly.
Comments: In some cases, this will involve documenting the full implementation process and maintaining control over it. This applies particularly to systems and spaces where very sensitive systems or operations may occur.

Phase: Operations and maintenance
Consideration: The design and implementation phase should also provide documentation that describes the operations of the equipment, maintenance cycles, troubleshooting, and how to access more capable support if needed.
Comments: As part of pre-implementation testing, these documents should be used and followed exactly to ensure that they represent the true operations of the system. Note that upon implementation, it should be verified that all default passwords have been changed and recorded appropriately.

Phase: Removal from service
Consideration: Any steps needed for the disposal of parts, retention of data, and sanitization of the system should be identified.
Comments: The removal from service should ensure that equipment is either completely devoid of remnant data or destroyed (as appropriate).

At a conceptual level, the use of layers of defense provides an organization with the ability to accomplish three major goals. First, it allows the organization to create a degree of complexity that comes from a combination of a difficult attack and also difficulty in completing the reconnaissance phase of an attack. While security through obscurity is never a first choice, forcing the would-be attacker to expose their activities and potentially their intentions earlier in the attack cycle (consisting of initial reconnaissance, planning, detailed reconnaissance, preparation, execution, and escape) provides an ability to gather information and disrupt the attack. The second benefit involves being able to position and configure the barriers to degrade the attacker’s capability as they move into the facility. The use of barriers or obstacles that force the attacker to slowly give up their tools to progress further allows the responding force to meet an attacker with reduced capability. Finally, the layers of defense allow the organization to create the equivalent of zones in which organizations can operate without a significant degree of disruption. The interaction between these zones needs to be covered by a set of governing principles. These principles provide assurance that more sensitive assets held in more controlled zones are not unduly influenced by attackers, attacks, or conditions that exist in less protective zones. These rules are the following:

◾ More sensitive zones (confidentiality) cannot write to less secure zones. Similarly, less secure zones (confidentiality) cannot read from more secure zones.
◾ More trusted zones (integrity) cannot be supported by less trusted zones, and where more trusted zones pass assets or operations through less trusted zones, the level of trust in those assets and operations is reduced to the lower zone level.
◾ More assured zones (availability) cannot be supported by less assured services, and where a less assured service is used to support a more assured service, a risk of disruption is entered that equates to the probability of the less assured service being disrupted.
◾ Where assets or operations are being moved between zone levels, compensatory controls may be placed on the entry of the higher zone (such as screening) to assist in raising the security condition of the asset or operation, or may be placed on the asset or around the operation to isolate it from being contaminated in the lower zone.
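The four zone rules above can be written down as checks that a design review or an access-control configuration can be run against. The following is an added example for this chapter, not code from the book or from any product it names. It assumes the four zone names used later in this section (public, operational, security, high-security) ordered from least to most sensitive, with numeric levels assigned here for the example; the availability rule is generalised from the single supporting service the chapter describes to a chain of supporting services, each of which must be up for the dependent service to be up.

```python
from math import prod

# Zone order from the chapter (public < operational < security < high-security).
# The numeric levels are an assumption made for this example.
ZONES = {"public": 0, "operational": 1, "security": 2, "high-security": 3}


def level(zone):
    return ZONES[zone]


def confidentiality_flow_allowed(op, subject_zone, object_zone):
    """Rule 1. A more sensitive zone may not write to a less sensitive one
    (no write down) and a less sensitive zone may not read from a more
    sensitive one (no read up)."""
    s, o = level(subject_zone), level(object_zone)
    if op == "write":
        return s <= o
    if op == "read":
        return s >= o
    raise ValueError(f"unknown operation {op!r}")


def integrity_support_allowed(supported_zone, supporting_zone):
    """Rule 2, first half: a more trusted zone may not depend on a less trusted one."""
    return level(supporting_zone) >= level(supported_zone)


def effective_trust(path):
    """Rule 2, second half: an asset or operation passed through several zones
    is trusted only at the level of the least trusted zone on its path."""
    return min(path, key=level)


def disruption_probability(availabilities):
    """Rule 3. A service is only up while every supporting service it relies on
    is up, so its disruption probability is 1 - (product of their availabilities).
    The chapter states the single-service case; this is the chain generalisation."""
    return 1.0 - prod(availabilities)


def admit_to_zone(asset_zone, target_zone, screened):
    """Rule 4. An asset arriving from a lower zone enters a higher zone only if a
    compensating control (screening) has raised its level; otherwise it has to
    be isolated rather than admitted."""
    if level(asset_zone) >= level(target_zone):
        return True
    return screened


def check_dependency(supported_zone, dependencies):
    """Audit one service. `dependencies` maps supporting-service name ->
    (zone it lives in, availability). Returns the names that violate rule 2
    and the combined disruption probability from rule 3."""
    violations = [name for name, (zone, _) in dependencies.items()
                  if not integrity_support_allowed(supported_zone, zone)]
    p_disrupt = disruption_probability([avail for _, avail in dependencies.values()])
    return violations, p_disrupt


# Constructed example: a badge-access server in the security zone that relies on
# two supporting services, one of which sits in the public zone.
DEPENDENCIES = {
    "directory": ("security", 0.999),
    "guest wifi dns": ("public", 0.95),
}

if __name__ == "__main__":
    bad, p = check_dependency("security", DEPENDENCIES)
    print("integrity violations:", bad)
    print(f"probability of disruption: {p:.4f}")
```

Running the audit on the constructed dependencies reports the public-zone DNS as an integrity violation and a disruption probability of about 5.1%, almost all of it contributed by the 95%-available service: the rule 3 cost of leaning on a less assured service is visible as a number rather than a sentence.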

Figure 9.7 General concept of a layer of defense; additional sources on this, such as RCMP G1-026, can be referred to.

When combining the concept of the zones and the movement of assets and operations, the boundaries around the different levels of sensitivity form the natural boundaries around the different security zones. The specific definitions associated with public, operational, security, and high-security zones will be largely tied to the nature of operations and client requirements (Figure 9.7). When considering the layers of defense in this kind of structure, we need to be able to calculate what this approach affords us. This can be looked at in terms of some rather simple math. Consider, in this case, that each layer of defense is 50% effective. At the outer barrier, this 50% translates to one half of the attackers failing and the other half making it through. Of the 50% that make it through, the next layer stops the next 50%. This means that 75% of the attackers have now been stopped. Of the 25% of attackers that have made it that far, the next 50% are blocked at the next barrier, meaning that an additional 12.5% have been blocked, bringing our success rate up to 87.5%. Notice that there is a point where the law of diminishing returns begins to influence this. This will impact the cost-benefit analysis greatly. If we take this to five layers total, then we add another 6.25% and 3.125% worth of success, meaning that our total of five layers is nearly 97% effective. Of course, the math in the real world is not likely to be this simple, but the principles remain the same. We can perform a similar calculation when we look at the operational impacts. The key aspect of physical security in the CIP context lies in that we are seeking to preserve a capacity to meet demand by protecting the inputs and infrastructure that deliver that capacity. As a result, there is a balancing point at which the physical protection of assets may be of lesser value than having a degree of redundancy (protected away from events that affect the primary asset) to assist in the response and recovery. For example, if the facility is involved in the distribution of electricity, it may be worth having additional assets that would normally take significant time to procure readily available and protected so that they can be pressed into service quickly. Determining where to store these assets is a combination of being able to protect the stockpiles, being able to move the equipment to where it is needed effectively and efficiently, and being able to keep the stockpile from being affected by the same events that took out the primary system. When considering the concept of resilience, this involves building the physical security posture in a way that can anticipate, withstand, recover from, and adapt as a result of attacks. It also implies learning from events so that the next time they appear on the horizon, the facility is better prepared for them. Once again, the goals communicated in the cyber domain and physical domain can be aligned in this regard. This involves much more than simply having a lot of physical security infrastructure. It includes ensuring that the persons, assets, spaces, information, and supporting services can all be linked into a cycle of continuous improvement and adaptation spurred on by promoting what has worked and adjusting what needs to be improved.
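The layer arithmetic above, and the diminishing-returns point it makes, generalise directly to layers of unequal effectiveness and to the cost-benefit question the chapter raises. The following is an added example written for this chapter (not the book’s own material). It keeps the chapter’s simplifying assumption that each layer stops its stated share of the attackers that reach it, independently of the others, and adds a constructed cost-per-layer and loss-per-breach to show where the marginal layer stops paying for itself; those figures are illustrative, not from the book.

```python
def cumulative_stop_rates(effectiveness):
    """Fraction of attackers stopped by the first k layers, for k = 1..n.

    Each layer is assumed to stop its stated share of the attackers that reach
    it, independently of the other layers (the chapter's simple model). With
    five 50% layers this yields 0.5, 0.75, 0.875, 0.9375, 0.96875."""
    leaked = 1.0
    rates = []
    for e in effectiveness:
        leaked *= 1.0 - e          # share of attackers still getting through
        rates.append(1.0 - leaked)
    return rates


def marginal_gains(effectiveness):
    """How much each successive layer adds to the stop rate. This is the
    quantity that shrinks under the law of diminishing returns."""
    rates = cumulative_stop_rates(effectiveness)
    return [rates[0]] + [rates[i] - rates[i - 1] for i in range(1, len(rates))]


def layers_needed(target, effectiveness):
    """Smallest number of identical layers whose cumulative stop rate reaches
    `target` (e.g. 0.99)."""
    n, leaked = 0, 1.0
    while 1.0 - leaked < target:
        leaked *= 1.0 - effectiveness
        n += 1
    return n


def worthwhile_layers(effectiveness, cost_per_layer, loss_if_breached, attempts_per_year):
    """Keep adding layers (outermost first) while the expected annual loss the
    next layer avoids exceeds its annual cost. Returns the number of layers
    chosen and the expected annual loss that remains."""
    gains = marginal_gains(effectiveness)
    chosen = 0
    remaining = loss_if_breached * attempts_per_year
    for gain, cost in zip(gains, cost_per_layer):
        avoided = gain * loss_if_breached * attempts_per_year
        if avoided < cost:
            break
        chosen += 1
        remaining -= avoided
    return chosen, remaining


if __name__ == "__main__":
    # Constructed figures: five 50% layers, each costing 100,000 per year to
    # build and staff, protecting against one attempt per year costing 1,000,000.
    layers = [0.5] * 5
    for k, (rate, gain) in enumerate(zip(cumulative_stop_rates(layers), marginal_gains(layers)), 1):
        print(f"{k} layer(s): {rate:6.2%} stopped, this layer added {gain:6.2%}")
    print("layers for 99%:", layers_needed(0.99, 0.5))
    print("worthwhile layers and residual loss:",
          worthwhile_layers(layers, [100_000] * 5, 1_000_000, 1))
```

For the constructed numbers, the fourth layer would avoid an expected 62,500 of loss against a 100,000 cost, so the calculation stops at three layers with 125,000 of expected annual loss remaining. That residual is the figure to weigh against the redundancy and stockpiling alternative the chapter discusses next.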
For those seeking to implement this kind of structure, it need not be more complicated than a basic quality management structure focused on security services, implementing the Deming Model (plan, do, check, and act), and then having the organizational discipline and rigor to maintain that structure. The final aspect of the tactical level architecture involves how to position the ability to identify, protect, detect, respond, and recover. This is also linked to the layers of defense. A barrier that is not monitored to see if an attacker is attempting to bypass or breach it is only really accomplishing half of its role. There needs to be detection and response. At the same time, we need to be able to detect and respond to the indicators and warnings that the infrastructure may be at risk of failing. We can rely, to an extent, on the inner layers to pick up some of the slack in a failure, but to maintain the effectiveness and efficiency of the overall security posture, we need to be able to move quickly once these conditions are identified. We identify the potential for failure by linking the various technical performance specifications of the infrastructure and monitoring for signs of (1) instability and (2) degradation. This means that we first need to have knowledge of those technical performance specifications, a means of monitoring them, processes that are used to both detect changes and then respond effectively to those changes, and, ultimately, the means of taking steps to recover and improve the system. Understanding this at the planning stage and setting up the technical specification requirements (or simply generating them for existing infrastructure) is an investment in time and effort when considering how much effort can be spent attempting to gain the resources necessary to improve the security posture without the evidence behind it.

9.11 Some Technical Specifications and Performance Measurement to Continue

Some technical specifications and measures are worth knowing when applying this kind of approach to CIP. These are focused on the performance of systems and their ability to inform the monitoring center if they are operating in a less trustworthy state.

◾ Fencing – Security Fencing Considerations Guide [10].
◾ CCTV – Generally, one will want this to have a high color rendering index (CRI not less than 80%), a good frame rate (32 frames per second [fps] is roughly what the human eye sees at), and to be protected in terms of glare, temperature, humidity/freezing, and wind. Note that a single camera at full HD resolution and 32 fps will likely require around 0.6 MB/s for storage and 4.5 Mb/s for network communications.
◾ Alarms – Guidance may be found through the Underwriters Laboratories website that deals with the Fire and Security Alarms certification program at https://canada.ul.com/ulcprograms/fireandsecurityalarmcertificateprograms/
◾ Bollards – Where bollards are used to protect against crashes at higher speeds, consideration should be given to ASTM F2656, while at lower speeds consideration should be given to ASTM F3016.
◾ Walls – Walls generally need to accomplish three purposes.
  – Penetration resistance: when considering the design of the wall to prevent penetration, consideration can also be given to using construction standards that improve the strength of the wall. Such standards include design guides published in both the United States and Canada that are tied to certification criteria for specific zones.
  – Sound attenuation, or the ability to block sound at the wall so that it cannot be overheard outside, is another consideration. Generally, good speech privacy will involve a construction rating that achieves STC 52 or better, noting that a normal conversation within the room may be in the area of 80 decibels while a whisper may be around 40 decibels.
  – Emanations security is a highly specialized discipline. While TEMPEST [11, 12] and similar rating systems are used for highly credible systems [13], those working with the Government of Canada may seek (through the Communications Security Establishment, if registered in the appropriate programs) access to ITSG-11A [14]. Ultimately, this involves the use of materials or construction techniques that block waves (such as Faraday cages).
◾ Glazing – Glazing will largely depend on the kind of threat that is being considered. This may involve burglary (UL 972), ballistic (UL 752), or air blast loading (UFGS 08 58 53).
◾ Blast – RCMP guidance for Air Blast or Blast Loading considerations points towards CSA S850-12 [15].

See Figure 9.8 for an illustration of a layered approach.

Figure 9.8 Layers of physical security.

9.12 Impact Shifts with Strategic Level Architecture

When considering how the critical infrastructure sector is organized to deliver its capacity to meet demand, certain configurations point towards shifts in criticality that may, or may not, be obvious. For those involved in the physical security aspects of CIP, this becomes important as it can assist in identifying vital points or key facilities that warrant additional protection. The following is intended to provide some guidance to assist in identifying these conditions:

◾ The hub-and-spoke topography that resembles the star topography in networks can lead to the central point being a key failure point. Disrupting the central point means that the connections to other central points are disrupted (spreading the impacts into other regions), while the whole region can be impacted. While this topography is used due to its efficiency in moving persons and goods, the central node must look at having a high degree of resilience if it is not to be considered a key failure point in the network.
◾ The tree topography is often used in supply chains to describe how goods and services move upwards towards a final assembly or integration point. As a result, disruptions at lower levels (smaller branches) can cascade upwards. This leads to a condition where a criticality analysis on the overall supply chain is warranted to identify critical branches, while the key joints within those branches can also act as disruption points upstream and downstream. This topography must also be looked at in terms of the opportunity and means that it can afford an attacker to insert substandard or counterfeit parts into the system and erode the assurance case.
◾ Line or linear topographies involve the capacity being delivered down a straight path, very similar to pipelines, water systems, and power systems (lines, not grids). In this case, a disruption at any point along the line may disrupt both upstream and downstream demand given that the full line may need to be closed in order to bring it back into service.
◾ Mesh topographies are often the most resilient but may also be the most difficult to manage. In this structure, activity is routed around the disruptions so that impacts can be contained and isolated relatively quickly. This, however, has significant operational impacts in terms of costs, resources, and effort that may make it more difficult to apply.
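The vital-point reasoning above can be mechanised: represent the delivery network as a graph, take each node out of service in turn, and measure how much demand can no longer reach any supply point. The following is an added example written for this chapter, not code from the book. The star, line, and mesh networks are constructed toy topologies, with "S" nodes as supply points and the remaining nodes as demand points; the line model only captures the downstream loss, whereas the chapter notes that bringing a line back into service may interrupt upstream demand as well.

```python
from collections import defaultdict


def build_graph(edges):
    """Undirected adjacency sets from (a, b) pairs."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def reachable(graph, start, removed=frozenset()):
    """Nodes reachable from `start` when the `removed` nodes are out of service."""
    if start in removed:
        return set()
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(n for n in graph[node] if n not in removed and n not in seen)
    return seen


def stranded_fraction(graph, removed, sources, sinks):
    """Share of demand points (sinks), other than those removed, that can no
    longer reach any supply point (source) once `removed` is out of service."""
    others = [s for s in sinks if s not in removed]
    if not others:
        return 0.0
    stranded = sum(1 for s in others if not (reachable(graph, s, removed) & set(sources)))
    return stranded / len(others)


def single_points_of_failure(graph, sources, sinks):
    """Nodes (supply points excluded) whose loss alone strands other demand,
    mapped to the fraction stranded. These are the candidate vital points that
    warrant additional protection or redundancy."""
    result = {}
    for node in graph:
        if node in sources:
            continue
        lost = stranded_fraction(graph, {node}, sources, sinks)
        if lost > 0:
            result[node] = lost
    return result


# Constructed topologies (not real infrastructure).
STAR = build_graph([("S", "H"), ("H", "L1"), ("H", "L2"), ("H", "L3"), ("H", "L4")])
LINE = build_graph([("S", "A"), ("A", "B"), ("B", "C"), ("C", "D")])
MESH = build_graph([("S1", "M1"), ("S2", "M3"), ("M1", "M2"), ("M2", "M3"),
                    ("M3", "M4"), ("M4", "M1"), ("M1", "M3")])

if __name__ == "__main__":
    print("star:", single_points_of_failure(STAR, {"S"}, {"L1", "L2", "L3", "L4"}))
    print("line:", single_points_of_failure(LINE, {"S"}, {"A", "B", "C", "D"}))
    print("mesh:", single_points_of_failure(MESH, {"S1", "S2"}, {"M1", "M2", "M3", "M4"}))
```

On the constructed networks the star's hub strands all demand, every node on the line strands whatever lies downstream of it, and the mesh with two supply points has no single point of failure at all, which is the resilience the chapter attributes to mesh topographies. Running the same function with pairs of nodes removed is the natural next step for the criticality analysis of a real network.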

9.13 Conclusion

The role of physical security has not diminished, even if the attention to it has somewhat with the rise of cyber-related events. Those involved in the activity, however, need to take a broad (if not holistic) view of the organization and its operations to determine what needs to be protected. This would be followed shortly thereafter by the criticality analysis that determines which assets are vital to the delivery of the critical service. Other protective requirements (such as those enshrined in legislation, regulations, and certifications) provide the list of assets that must be protected. Following these steps, the threat assessment and vulnerability assessment (often conducted through the on-scene survey) become critical to understanding the risks to the organization. While physical security tends to operate at the tactical and operational levels, this does not mean that the strategic level is forgotten. The first step in this is in understanding the topography of the network that delivers the critical services. This can identify vital points or key infrastructures that warrant protection due to their increased potential impact on the system. We then need to look at redundancy and resiliency to ensure that the overall network can survive foreseeable events while recovering quickly to its nominal operating state. Finally, the tactical and operational levels see design activities at the facility and activity level that seek to preserve that capacity from disruption following a structured design approach.

The Evolution of Physical Security




Chapter 10

Paradigm Shift of Nationally Sensitive Information, and Networks

This chapter will look at how the recent pandemic and other factors have forced a paradigm shift that affects the management of critical infrastructures. While the previous paradigm had individuals working on dedicated networks within highly controlled spaces, the new paradigm required that a significant amount of work take place in isolated areas (such as home offices) or outside of those zones. The question now concerns whether we are to attempt to reestablish the current paradigm, or push forward past the disruption of the pandemic (etc.) into a new approach to the secure management of critical infrastructure.

10.1 Introduction

While critical infrastructures are important, the increasing demand for critical services has pushed the need for digital services and infrastructure to the point where the loss of those supporting services may mimic the loss of the infrastructure itself. As such, several of these digital services have become increasingly larger targets for varying adversarial groups and foreign nations, which, in recent years, have managed to not only disrupt critical services, but have also damaged (or worse, destroyed) them, requiring significant time, materials, and money to repair and restore those services.

DOI: 10.4324/9781003346630-10


As such, information about these services, particularly information that has a level of national importance, becomes the target for data theft by adversarial groups and foreign nations for use in either future exploitations (such as economic warfare, as previously mentioned in this book), wide area disruptions, or outright damage (or destruction) resulting in operational outages, some even for extensive periods of time. One of the paradigm shifts, however, is that while we are used to various confidentiality ratings (such as “Top Secret”), the ability to search through and relate public data has progressed to the point where we need to look at the potential benefits offered to would-be attackers when aggregates of normally nonsensitive or even public data are combined. The value here lies not in the sensitivity of the data, but in the opportunity it provides a potential adversary to speed its research and reconnaissance in the planning phases of an attack. This chapter outlines challenges faced by infrastructure service workers/contractors who work from home and require access to nationally secured information that would otherwise be accessed only from a centralized location. Additionally, it examines how interdependent sectors pivot to adapt to these paradigm shifts, focusing on challenges and pitfalls associated with acquiring, maintaining, and deleting nationally sensitive information—in this case, specific to critical infrastructures. With an increased emphasis on the importance of our critical infrastructures, specifically information that is not only vital but mission critical to the continued operation of our infrastructures, now more than ever both governments and private sector organizations are faced with difficult issues specific to their operations that are not easily remediable.
Last, as several key critical infrastructures have become so vital, and so important, private sector employees are now required either to undergo extensive training and certification programs, or to carry security clearances to discuss and share information with not only each other, but with public service workers as well.

10.2 How COVID Impacted Organizations

The sudden closure of many offices and workplaces during the COVID-19 pandemic ushered in a new era of remote work for millions of employees and contractors, and could herald significant changes to the workforce in the future. Most workers who say they could do most of their work from home rarely or never worked remotely before the pandemic. Only 1 in 5 say they worked from home, either completely or partially, prior to the pandemic. Approximately 71% of these workers now work from home almost all or most of the time. And more than half said they would likely continue working from home after the pandemic if they had the option.1 One area in which there were significant discrepancies was between administrative and office workers versus human services and/or craft workers (also referred to as tradespersons).2 These discrepancies continue to exist, despite efforts made by organizations to hire more, better-paid workers. The workers most impacted by the pandemic were not the administrative and office workers, but the human services and craft workers. Almost all administrative workers had few to no issues, as many could access an organization’s resources via remote connectivity over the Internet. Similarly, telecommunications and teleconferencing issues were minimal for the same or similar reasons. There were issues with human services office workers who worked on-premise in the organizations’ offices, as many were required to perform on-premise, in-person support for the administrative workers. In-person and on-site premise office workers (such as janitorial, clerical, supply, etc.) were quickly removed from work locations for fear of further spread of the contagion. Some organizations provided furloughs compensating workers; many did not. Additionally, for those who were furloughed, their compensation was minimal, and compensation funding withered quickly.
Although hospitality and human services workers were not as severely impacted, craft workers experienced similar challenges when faced with the dilemma of their organizations’ need to determine priorities between those workers who were considered “essential workers”3,4,5 and those who were not.6,7 Differentiation between essential and nonessential sparked controversy as workers who were classified as nonessential were either laid off or furloughed with little or no financial protection.8 According to one survey, approximately 60% of respondents indicated that at least one project was canceled entirely, with approximately 33% of current projects placed on hold, some of them indefinitely, due not only to the pandemic, but to budgetary costs from lack of funding within the organization.9 Nearly one-third of the respondents who participated in the survey indicated that their workers were either furloughed or terminated (laid off) due to the pandemic, as ordered by government organizations or project owners within those organizations. Of the one-third of organizations that either furloughed or laid off workers, almost one-half indicated that both employees and contractors refused to return, citing unemployment benefits, family issues, or other personal reasons, leaving many organizations with large numbers of open job positions that now must be filled.10 Very few of these organizations had recovered at the time of writing this book, circa early 2023. For example, grocery stores and grocery services (organizations that pick up and deliver food to households) experienced shortages of cashiers and stockers within the stores. Under normal conditions, hiring individuals to work those roles, whether permanent, temporary, or even seasonal, had little to no impact on the businesses that required those people to operate.
With the pandemic, many of these organizations required individuals within the grocery stores to work double, or even triple, work duties, along with working long and arduous hours, just to keep the stores open and functioning as normally as possible. The grocery services experienced shortages of delivery drivers, often delivering food later than expected by their customers. A few of these service organizations either temporarily postponed their services, or shuttered them completely. The same held true for other, significantly more critical human services. But none was more impacted by the pandemic than healthcare workers and first responders. Hospitals, healthcare clinics, and nursing homes all experienced severe operational issues due to medical staff contracting the contagion, either from patients at their facility or from their own home environments. One of the weakest links for a household contracting the contagion was through the children of the household.11

10.3 The Impact on Critical Infrastructure Workforces

While COVID-19 continued to pose a risk to the critical infrastructure workforce, the constant exposure of many frontline essential workers to the virus led to disproportionate illnesses (and in extreme cases, death) in multiple sectors. Healthcare workers, law enforcement, other first responders, and workers in the transportation, food, and agricultural sectors were just a few of the workers that continued risking exposure based on the nature of their jobs. Additionally, operations centers and control rooms that operate 24/7 rely on unique equipment, and they usually require specially trained personnel who were difficult to replace. As a result, specialized and lengthy staff training times meant higher risks in maintaining reliable operations. Fortunately, many operations centers and control rooms are isolated and physically protected, and as such, it may have been more convenient to isolate personnel on-site if necessary. In August 2020, the U.S. Department of Homeland Security released Version 4.0 of the “Essential Critical Infrastructure Workforce Guidance.”12,13 The document identified essential workers that require specialized risk management strategies to ensure that they can work safely, as well as how to begin planning and preparing for the allocation of scarce resources used to protect essential workers against COVID-19. With newer and more contagious variants of the virus emerging, DHS urged private and public sector organizations to follow the guidelines outlined within the document to further reduce the frequency and severity of the virus’s impact on essential workers and the infrastructures they operate.
The latest release of the “Essential Critical Infrastructure Workforce Guidance,”14,15 as of this writing, provided assistance on how various jurisdictions and critical infrastructure owners could define a strategic list to prioritize the ability of essential workers to operate safely while supporting ongoing infrastructure operations across the country. Earlier releases of the document were primarily intended to help government officials and nongovernmental organizations identify essential work functions in order to allow those workers access to their workplaces during times of community restrictions. Portions taken from this document included the development of a series of risk categorization factors that could be applied to the workforce, based on a series of questions:

◾ Are workers primarily indoors or outdoors? Do they operate in both environments, where they may introduce other contamination factors, such as additional pathogens, which would further weaken workers and make them more vulnerable to the pathogens that the vaccines are attempting to protect against?
◾ Are workers vaccinated, and how often are they re-vaccinated? Some vaccines are more effective than others; are workers being vaccinated with the same manufacturer’s vaccine, or are they mixing vaccine types and manufacturers?
◾ How physically close are workers (and customers) to each other?
◾ Do any of the workers touch shared surfaces, common items (such as cleaners, utensils, etc.), and other workers or customers, and how often are those surfaces disinfected?
◾ How often are entire areas or facilities cleaned and/or disinfected? Are cleaning personnel protected from contracting the pathogen, and if so, how do they remove their protective equipment once they have left the contaminated area(s)?
◾ How long does an average in-person interaction last? Do workers protect themselves through limited exposure such as distancing, facial masks or respirators, and other protective equipment (such as gloves and boots)?
◾ Which workers face heightened risk due to their age or any medical conditions? Are there any contingencies for those workers who are vital to those environments, and if so, has any cross-training been performed?
◾ Are there currently any screening protocols that will protect the workers, as well as the customers, from interactions with other people who may be contagious?

What became clear, however, is that certain groups of workers were essential. This was quickly evident in healthcare and in the food retail sector. The invaluable roles played by nurses, orderlies, and support staff suddenly came into focus within the medical sector. Within the food retail sector, cashiers and shelf stockers suddenly became important as stores realized that these kinds of positions, often overlooked in traditional plans, played important roles.

10.4 Challenges in Administering the Critical Infrastructure Workforce

The pandemic also illustrated challenges within the various public sectors. Many government-secured jobs often require security clearance approval for obtaining and handling classified information. Exchanging such information would require that an individual perform a set of carefully defined tasks prior to being granted their clearance, and eventually obtain access to compartmentalized information that they were permitted to review, edit, and delete.16,17 However, economic issues resulting from the pandemic created more problems than solutions. Many workers were laid off due to lack of work resulting from the closure of office spaces for fear of viral contamination. As a result, these workers sought unemployment benefits, with the consequence that their income quickly shrank. Interruptions to normal, personal daily life were further complicated, especially for individuals who were exposed to or had contracted the virus and now faced long quarantine periods resulting in their inability to work. Thus, a massive number of workers’ financial hardships were reflected in their credit reports or bank statements. There is one reason why security clearances are often denied—financial hardship. Many U.S. clearance applications were appealed, with nearly 50% denied for financial reasons. Financial hardship is often viewed as a reason for clearance application denials because the individual either (1) is now vulnerable to bribery or coercion or (2) could show a lack of judgment for other personal reasons, such as performing highly unlikely and otherwise abnormal tasks requested by extremist organizations that have leverage over them, such as holding family members and/or friends hostage or exposing those individuals through ransoms. Fortunately, many military organizations clarified that the financial hardships of concern were those due to improper saving and/or spending habits, rather than financial hardships resulting from the pandemic. The biggest determining factors were the causes of the high debt, not the debt itself.
Such factors include medical bills, student loans, identity theft, financial hardships resulting from the death of a family member, job loss (laid-off workers), divorce, or supporting child care (resulting from a divorce). These may have been highly scrutinized, but careful review of the past and current financial responsibilities of the applicant would determine whether they were a risk.18 On March 23, 2020, the NCSC issued the following statement: “During this time of unexpected challenges to our nation as a result of COVID-19, we are acutely aware of the potential for economic hardship on security clearance holders. It is imperative that we ensure trusted security clearance holders, or applicants, who may suffer financial hardship as a result of the virus, are not unduly penalized because of circumstances beyond their control.”19 One other significant factor impacted an applicant’s clearance process, grinding it to a complete halt—fingerprints. All security clearance applicants must submit—in person—their fingerprints for on-record filings. During the pandemic, this was impossible once quarantines were issued, causing a “logjam”20,21,22 of applicants needing their fingerprints to continue the clearance process.


10.5 Challenges Due to Changes in Available Infrastructure for the Critical Infrastructure Workforce

During the pandemic, almost all government workers requiring clearances had a difficult time performing their daily work with classified material. The national security community has faced dilemmas in that protecting classified information requires certified personnel to work in classified information facilities.23,24 As a result, program and technology development, particularly public-private partnerships, are often impeded by delays, escalating costs, or limited access to new technologies. The COVID-19 pandemic raised several alarms, particularly with how a nation is to maintain its security programs before, during, and after a worldwide pandemic. To sustain this important public-private partnership, there are several questions that should be asked:

◾ What conditions must exist, and how will information be accessed? More importantly, what will be the methods of access required?
◾ Who needs the access? Where will they need it, and when?
◾ How will the federal government promote and maintain a remote workforce while continuing to protect national security, as well as preventing further spread of the contagion?

Typical classified work practices require most public-private sector work to be conducted within SCIFs during normal daily operations. An issue with SCIFs is that they are not only expensive, but also geographically restrictive, meaning workers must go to great lengths to ensure classified materials are handled and protected properly. However, unexpected issues arising from external factors such as armed conflicts (or war), regionwide natural disasters, or other catastrophic events (such as a pandemic) not only limit access to such materials, but can effectively idle the workforce, causing any daily work to grind to a screeching halt.
Although such environmental conditions may appear to have stopped the federal government from operating its national security machine, there are a few options to consider. One possible method of addressing this issue was to develop a classified versus less-than-classified to nonclassified configuration program. This program was labeled as a “low-to-high-side development”25 program. Obviously, the “low side” would represent the less-than-classified to nonclassified related work, whereas the “high side” would represent the classified work. Many organizations that operate in this manner have found that almost all of the development work can occur within the less-than-classified to nonclassified workspace, as it is the data itself that is classified, not the work. Only a very small fraction of the work, that which requires access to classified data, then remains to be completed at facilities that do have SCIFs.26


Since the vast majority of development work is performed in less-than-classified to nonclassified environments, the SCIF-related concerns and challenges that natural disasters, weather delays, armed conflicts, or even pandemics would have imposed on these environments are now greatly reduced. Moving forward, many organizations that once demanded workers use secured environments to perform their daily work, which was mostly less-than-classified to nonclassified by nature, are now shifting their work to other, more useful methods. Through these alternative work methodologies, workers are still capable of performing their jobs more effectively, while those who are constantly immersed in areas demanding high levels of security continue their mission of maintaining the status quo of our national security. This addresses a very large concern by reducing the number of workers who perform little or no classified work yet must reside in a SCIF. Additionally, this greatly reduces the cost of developing a SCIF anywhere. Having a “low-high-side development”27 program significantly changes how public-private partnerships and collaborations operate, as it is here that the magic begins. For example, when a visiting representative of a large corporation meets with a government worker, the entire building needs to be secured if any classified materials are located within that building, regardless of whether the government worker is handling classified materials; additional hassles, such as visitor screenings, are then required, making the meeting difficult. By utilizing the “low-side” method of work, if the corporate representative were meeting a government worker that did not require a secured environment, none of the extra security precautions would be as necessary. In doing so, this improves the public-private partnerships and makes them more of what they should be—a partnership.
Another suite of issues associated with the federal government mobile workforce was the availability of secured remote connections, and their numbers. This especially included working (at least) with sensitive (and not necessarily classified) information associated with national security. This form of information is administered and maintained by government organizations associated with several key critical public infrastructures, most notably public utilities (water, natural gas, and electricity), but also transportation (rail, air, and maritime), food, healthcare, and first responders. Much of this information is retained internally within federal communities only; however, there were times when critical infrastructure organizations representing the private sectors would conduct (tele)conference calls between the public and private sectors. The issues in particular were associated with both the availability and quantity of open telecommunications lines for both remote federal government workers and supporting private sector interests. Many workers expressed frustration and extreme disappointment regarding the lack of support in performing their job roles adequately as communications were rationed; in some extreme cases, federal workers would perform their duties during overnight hours.28,29,30


In early 2023, the U.S. Congress introduced a bill requiring federal government workers who teleworked remotely to return to their offices. Indirectly, this relieved the telecommunications congestion that had been problematic during the pandemic.31,32

10.6 Securing the Mobile Workforce

The securing of sensitive work, however, goes beyond the computer network carrying it, and this was another area significantly challenged by the pandemic. Three strata can be considered when looking at the physical spaces involved. First, there are the government facilities and compounds that incorporate significant controls, often employ guard services, and can be used (when certain spaces are included) to process the more sensitive information. The second level involves private sector facilities that may mirror the government facilities in terms of infrastructure and capability and that generally fall under industrial security programs (such as DISA in the United States or the Industrial Security Program in Canada). Finally, there are the home offices and similar kinds of smaller facilities. The pandemic essentially rebalanced the working space arrangement from the facilities into the homes. Outside of the challenges associated with the network, consider the unique challenges of a mass workforce suddenly working from the home environment. The core of this challenge lies in how we treat the home as almost a sanctuary. Police and other similar entities cannot simply enter the home unless very specific conditions are clearly met or warrants are sought. Regulatory enforcement is similarly challenging, and policies, even if stemming from legal requirements, face even greater challenges. This is not to say that it shouldn’t be this way—but a balance needs to be struck. There are three major suites of controls when considering baselines set within NIST—personnel screening, physical/environmental controls, and supply chains. The great complication on the personnel screening side of the home office environment is that of family and those allowed to enter the home. Should this stop? Again, no.
But there needs to be a recognition that the cost of having the ability to work from home is that certain controls may need to be in place around home offices or similar spaces. In short, this does not mean that the family has to leave the house during the day. But it should mean that if sensitive work is being done, there is a way to physically control access to the specific space (such as a closed office). While there may be some instances where differences of opinion promote conflict based on the work being done, the greater risk comes from inadvertent disclosure that begins with unauthorized access. The family members are not necessarily going to have the same appreciation for the sensitivity or gravity of the work being done. Where a home office is being used, there is some ability to offer protection, as such a location might be identified as being private. Should people begin to work in living rooms or kitchens (for whatever reason), then we need to understand that one of the cardinal security principles (zoning) is being violated and the risks will increase. This applies not only to the family members, but also to those that the family routinely interacts with. The pandemic has illuminated this challenge, particularly as the vast number of public servants in Canada and the United States worked from home in differing environments. The second challenge becomes the question of the security posture around the community. At a basic level, our protective controls delay an attacker to the point that we can detect and respond effectively to the attacker’s activities. Can the home office be considered in the same light as very sensitive processing facilities? At the extremes, this is unlikely, as much for being able to maintain a level of confidence with certification bodies as for any mitigation of security risks. It will also be highly dependent upon the environment around the facility. The threat environment in a downtown city core is fundamentally different from that of a rural area. As we work inwards, the differences between the various construction standards (such as the building code) and the security guidance provided by technical offices in government will become increasingly apparent. The construction standard also raises a secondary observation regarding the pandemic. Those who contract with government entities are expected to achieve certain standards in their workspaces with respect to security. For example, a facility under Canada’s Industrial Security Program is required to pass a document safeguarding inspection before it can receive sensitive information. To pass this inspection, a significant amount of information must be provided to the certifying body and meetings held.
These requirements were put in place in order to ensure that sensitive assets were afforded the same degree of protection in the private sector as they were in the public sector. This raises a question for many corporate security offices in government—what is the regime in place to verify the home offices of public servants? Or is there such a regime? The sensitivity of the information involved has not changed, nor have the threats that may be interested in gaining access to that information, so does it stand to reason that the public servant’s home office area should be subject to the same requirements as public buildings and the approved private sector facilities? This second challenge is further complicated by the concept of detection and response. This is the second half of the security posture described earlier, but the pandemic brought to light new challenges in the paradigm shift. Government facilities and private sector facilities generally occupied spaces where they could have on-site security (either proprietary services or contracted services). This is not the case with the home office environment. Companies would be hard pressed to apply corporate security rules in employee homes except in very limited conditions. At the same time, the organization responding to events at the home could be the corporate security organization but is as likely to be the local police having jurisdiction. The question, therefore, becomes: how does one look at the work-from-home environment in the context of home alarms, the need for monitoring (including maintaining a point of contact for alarm companies), and the response?

218 ◾ Critical Infrastructure

Of course, the home office environment needs to be understood in a larger context. While certain parts of an organization may be delivered from that environment, many critical services cannot be delivered using this paradigm. We only have to look to services such as water purification, power generation, transportation, energy, and a host of other critical services to realize that only certain parts of the entities delivering those services can essentially work from these environments. In these cases, we need to balance the need for a good work environment with reasonable controls to provide a safe working environment. While there has been a tendency towards open-concept offices, hoteling (i.e., people being able to sign up for desk spaces), and other approaches intended to promote both a positive workplace experience and cost reductions, the pandemic has left it apparent that a more holistic view of space design needs to be considered.

Paradigm Shift of Nationally Sensitive Information ◾ 219

10.7 The Challenge of Enabling Information

Strange as it may sound, geospatial and engineering specification information is every bit as important to the specific functions of an infrastructure. In this section, an illustrative example using dams is presented. The principles in this example, however, apply to most infrastructures that function as a network of services delivering the critical service (such as power grids, water distribution systems, banking systems, etc.). Within the United States, there are tens of thousands of dams, ranging from small sluice flood control gates to very large hydroelectric dams. The dams are categorized by a plethora of factors, ranging from size (obviously), to the function of the dam, its type and makeup (soil vs. sand vs. concrete), and, most importantly, what the critical implications of a failure are should a dam be breached. The U.S. Army Corps of Engineers, in cooperation with the U.S. Geological Survey (USGS) and the U.S. Department of Homeland Security’s Federal Emergency Management Agency (FEMA), have spent years developing and maintaining a very large database containing the aforementioned factors, along with a considerable amount more—approximately six dozen identifiable factors relating to the safety and secure keeping of these dams. The most important of any of the dozens of factors located within the national database is flood exposure; that is, if a dam were to fail (meaning to break apart, releasing anywhere from several hundred gallons to millions of gallons of water), what impacts would affect those downstream from the dam, starting first with the number of casualties? Failures of these dams not only disrupt people’s lives, bringing daily activities to a standstill, but may cause cascading failures in other critical infrastructures that depend upon them. Other than the impacts to society, failures of dams may also hamper disaster response, potentially delaying post-disaster recovery and remediation. Given the importance of dams even during natural disasters (such as heavy or long-continuous rainfalls, earthquakes in the western United States, etc.), disaster risk calculations are often included as an indicator when assessing social vulnerabilities and their resiliencies. From non-natural-disaster-based consequence considerations, for example, throughout the world, key dams are used for supporting drinking water for large population areas, which is crucial to maintaining currently expected levels of social use; that is, without the dams in question, society would unravel, with chaotic and cataclysmic events to follow. Information particularly relating to these dams is valuable, and if exposed to would-be adversaries, it would allow them to compromise those dams for their purposes, ranging from wide-scale devastation of a society to economic impacts (such as the loss of the function performed by a hydroelectric dam). All of these considerations are what make information about these dams so vitally important. Some of the more obvious factors that are considered critical for maintaining information about dams include (and not necessarily in order of criticality and importance):

◾ Locality and placement of the dam.
◾ Age and composition of the dam.
◾ Capacity of the amount of water held behind the dam.
◾ Fragility based on seasonal events (such as snowpack melts).
◾ Fragility based on frequency and the likelihood of dam failure.
◾ Maintainability of the dam (as in how often maintenance is performed).
◾ Criticality of the dam (electricity vs. potable water).
◾ Cost incurred for recovery and remediation of the dam.
◾ Number of casualties resulting from the dam failure.

These and dozens more such factors make up information that many individuals, let alone impacted private sector critical infrastructure organizations, have yet to consider.33 What information is being released that is considered sensitive vs. information that is considered public? As there has been an overwhelming amount of sensitive information that was previously publicly available, some of that information is now being made public again, but with a few provisions. Such provisions now include portions of information still considered as sensitive; thus, this information continues to remain redacted. However, to what degree that information is identified, how it is utilized, and what and how security controls are designed and enforced, still remains an issue.

10.8 Challenges Faced with Critical Infrastructure Information

As critical infrastructure information becomes increasingly more important, information from those environments will require additional research, ensuring that data is more easily incorporated, determining how to communicate such information and its threats to private sector critical infrastructure organizations, and retaining its level of importance without conveying too much information that could be utilized for unfair economic advantage or leaked to adversarial groups. Critical infrastructure organizations are currently faced primarily with three important factors:

1. Ubiquitous computing, allowing data and information to be openly available to anyone, anywhere, and at any time. Such underlying technologies (such as the Internet) can be utilized in intrusive ways and conflict with electronic countermeasures protecting data and information that is highly sensitive and should be contained to specific individuals and communities.
2. The continued digital connectedness of all electronic devices. This is particularly true for systems that control critically important functions, whereby physical objects, once controlled manually, are now controlled utilizing specialized equipment and software to continually maintain and operate in unsafe and hazardous environments. As this specific type of equipment becomes more interconnected, so does the risk associated with who has access to what data or information, at what time, and where it is being processed.
3. The abundance of data and information; more specifically, the overabundance of data and information. Controlled operational environments can generate hundreds of thousands of individual data points within a matter of hours. Determining what is pertinent, while sifting through such a large mass of collected data, is a huge and often overwhelming task. This, in and of itself, poses increasingly complex challenges pertaining to the shift from manual to automatic (or even semi-automatic) operations. Knowledge and experience of such data and information is as vitally important as the data and information itself.
This issue, more than anything else, continues to elude methods of controlling such information through careful determination of how it should be secured and disseminated. Other challenges faced include the overclassification of data and information that was once publicly available,34 now regarded as either sensitive, highly sensitive, or perhaps even classified information. The overclassification35 of data and information comes at a terrible cost,36 not only demonstrating that the federal government lacks transparency, but also necessitating efforts that incur additional costs in order to maintain such data and information. Transparency promotes accountability and provides information for citizens about what their government is doing.37 The “approach to classifying vast amounts of information is so flawed that it harms national security and diminishes public trust in government.”38 It is not publicly known how much information is classified by the government, but watchdogs and open-government activists believe such a trove is likely to include billions of records and is rapidly expanding, in part because of the explosion of digital communications.39 This has been the subject of much debate since the beginning of the 21st century, and perhaps even further back.40 Another aspect not previously considered is devices, such as fitness devices and their applications, which emit RF signals. In environments that truly are highly sensitive areas, federal government civilian workers and military personnel have been beleaguered with potential security control issues. Suppose, for instance, that an employee or soldier were working at a secured facility. From an external view, there are very few points of entry, and those entrances that are known are heavily fortified. If an employee or soldier were walking, jogging, or riding a bicycle within the confines of that area, RF emissions would reveal interior-specific and detailed information. This has been particularly true for soldiers wearing their fitness devices in aircraft, marine craft, or armored convoys. Though the individual may not intentionally disclose sensitive or classified information, the disclosure is made inadvertently and unintentionally by their fitness device. This has been particularly true of devices that include GPS-enabled tracking capabilities to pinpoint the routes of exercisers’ paths. This is referred to as a “Strava Heatmap.”41,42,43,44 Since its discovery, both federal government civilian workers and military personnel are now encouraged to follow strict guidelines when using these fitness devices.45,46,47

10.9 Why Does Critical Infrastructure Information Require a Clearance?

Since the introduction of “critical infrastructure information” (which, incidentally, is prevalent predominantly in the United States), several key infrastructure sectors (such as healthcare, transportation, and energy) have required more stringent duty-of-care security controls beyond simply allowing or denying access to sensitive information. This information may well go beyond what was considered “sensitive” to the greater importance of being “critical.” Such information becomes vitally important not only to the private sector organizations, but to society overall. If these organizations were compromised, and data theft resulted directly from their being compromised, then adversarial groups, foreign nations, or extremist groups could utilize this information as leverage in taking warfare to a whole new level—economic warfare—one in which the fights are no longer on a physical battlefield, but in cyberspace. Adversaries are becoming more sophisticated, utilizing ever-changing approaches to not only acquire this critical information, but possibly to subvert it; thus, identifying larger targets and protecting any information that is vital to critical physical and cyber infrastructure are more important than ever to ensure their continued operation. Achieving this simple, yet difficult, task will require a concerted effort from both federal and private sector organizations. Thus, those who are entrusted with such information now require additional measures, ensuring that the information remains protected and within the confines of that organization. This information may be exchanged under a secured environment between private sector organizations only, or collaboratively between the private sector infrastructure industry and the government. Such a forum would allow for highly critical and sensitive information to be exchanged and discussed in much greater detail, rather than in less-than-opportune environments. As such, several sectors require either a certification that is practically the equivalent of a clearance, or a federally issued security clearance, for a much more secure environment in which to disclose any and all such information without legal and/or regulatory ramifications from either governments or regulatory agencies.

10.10 Individual Certifications vs. Industry Certifications

Individual (or professional) certifications are regularly conducted examinations containing a comprehensive personal assessment of management, operational, and technical controls of a given system, created to support an accreditation to an applicant and to determine the extent to which any controls identified are implemented correctly, operating as intended, and producing the desired outcomes, such that any outcomes produced (at least) meet and adhere to minimally accepted controls and standards, based on a person’s knowledge of that given system. Essentially, an individual certification determines and demonstrates an individual’s capability to understand and work with information, operations, and processes that are considered generally accepted by a given industry or the community-at-large. Such individual certifications include process certifications (such as the Project Management Professional [PMP]48), operations certifications (such as the Certified Emergency Manager [CEM]49), and security-based certifications (such as the Certified Protection Professional [CPP]50 for physical security, and the Certified Information Systems Security Professional [CISSP]51 for information/cyber security). Obtaining one of these certifications means that an individual understands and comprehends the basic and minimally established requirements, indicating to that particular community-of-interest that they are knowledgeable in that line of work. However, not only are individuals encouraged to obtain their professional certifications, but in some industries they are required to obtain industry-based certifications. For the healthcare sector, this is annual testing on healthcare and patient information, its handling, and storage (under both HIPAA52,53 and HITECH54). Other sectors are far more rigid in their requirements, as potentially catastrophic results may happen, such as releasing radioactive materials or partially or completely shutting down regional grids; thus, such certifications are strictly required and enforced. One such sector that comes to mind is the energy sector, specifically the electric industry within the United States. In it, and depending upon what role and function an individual would have within this industry, along with whether or not it were nuclear- or non-nuclear-based, a plethora of both regulatory requirements as well as industry self-imposed, self-accepted standards were established. From this, a plethora of regulatory bodies, standards organizations, and lobbying organizations were created, forming the backbone of how electricity is generated, stored, transmitted, and distributed throughout North America (which encompasses both Canada and the United States). Formed in mid-1968 as the National Electric Reliability Council, NERC was created from the need to produce and transport electricity throughout the United States, as a direct result of the Great Northeast Blackout of 1965,55,56 which affected millions of people. NERC is a nonprofit regulatory organization, and its primary mission is to assure the effective and efficient reduction of risks to the reliability and security of “The Grid.”57,58,59 NERC develops and enforces what are referred to as “reliability standards”; that is, they provide both standard and regulatory roles, functions, and factors which are mutually agreed upon between governments and private sector organizations. Additionally, NERC conducts annual assessments, monitors the bulk power system, and, through system awareness and education, trains personnel in both public and private sector organizations; it also educates, trains, and certifies industry personnel. NERC is the Electric Reliability Organization (ERO) for North America, subject to oversight by the Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. NERC’s jurisdiction includes users, owners, and operators of the Bulk Power System (BPS)—area wide—serving several hundred million people. Sometime between 2006 and 2008,60 several U.S. federal government organizations, along with NERC, established the NERC Critical Infrastructure Protection Standards,61,62,63 consisting then of 12 standards (now 14 standards64 at the time of this book) focusing on operation, safety, process, and security. This was established a few years following the August 2003 northeastern blackout,65 which far surpassed the number affected earlier by the 1965 and 1977 blackouts.66,67,68 As such, personnel in both public and private sector organizations must now successfully complete a suite of mandated training courses consisting of several areas representing reliability, operational safety, security, and continued legal obligations. This is an annual requirement that has been agreed upon by all interested parties pertaining to the NERC CIP standards.69,70 To some degree this is a mandated “certification,”71,72 acting more as a “clearance.” Without successful completion, personnel are not authorized to work in or visit critical areas that have been designated as “NERC CIP PROTECTED”; additionally, neither access to, nor distribution of, nor discussion about anything pertaining to or related with NERC CIP is permitted.


Another certification, which requires substantially more evaluative testing, belongs to the nuclear energy generation industry. Referred to as the “Critical Group,”73,74,75 this group consists of a plethora of individuals responsible for operating and maintaining the daily operations of a nuclear power plant. This includes individuals from security staff, site management, administrative staff, IT staff, craft workers, and even on-site cafeteria staff. Essentially, for any individual who works at a nuclear power plant within the confines of a zone commonly referred to as the “Protected Area” (PA),76,77 testing and successful completion of those exams are vital and strictly adhered to—more importantly, they are enforced with severe criminal penalties if not complied with. These certifications define the personnel duties in and around protected areas on nuclear power plant grounds. Some personnel must take substantially more certifications due to operational and secured accessibility to critical areas (such as the control room). Here the problem lies with individuals who are required to successfully complete multiple certifications to perform the daily duties of their specific job role(s). The complication of defining multiple siloed areas of expertise and compliance, with as well as within each other, causes confusion for those who decide to (and must) work within those environments. It should be noted that the position such individuals hold, from those certified to access or operate within NERC CIP controlled environments to federally licensed control room operators, determines the level of security background check that is performed. Both require (to some degree) background checks; however, based upon the criticality of the position and job role(s), some background checks are far more intimately aligned with being considered more of a clearance, rather than a certification. For example, let’s consider an operations manager at a nuclear power plant. An operations manager must be certified and cleared, as he or she would need to know every operational aspect of the plant, both inside and out. In this example, the operations manager would need to be NERC CIP certified, certified and cleared for any interaction with licensed control room operators, and cleared for any interaction with critically sensitive information with either on-site regulators (such as on-site NRC auditors) and/or federal government workers and regulators back in Washington, D.C. The number of certifications, the number of clearances, and the total amount of time needed to pass successfully through all examinations, as well as regulatory and legal obligations, can consume anywhere from days to years.

10.11 Why Are There So Many Different Levels of Clearances?

For the most part, the overall certification and clearance process is “broken”; that is, each individual “system”78 (and its subcomponents) is concerned primarily with its own specific area of expertise and (legal) responsibility. Everyone is thinking within their own silos (system N+1 approach).


There is a basis for these silos. The checks behind the individual’s certifications and clearances tend to focus on issues that are most relevant to those industries. For example, a Transportation Security Clearance will involve checks to determine if the individual was involved in crimes that exploited transportation networks (such as smuggling). Where the system faces challenges, however, is when critical infrastructure sectors begin to interact with each other; for example, energy and transportation. This raises the question of whether both sides of that discussion require each other’s clearance, or whether the discussion should be managed to limit exposure of the most sensitive information. Ultimately, in the realm of critical infrastructure protection and assurance, the response that best serves the public should be the response given.

10.12 Should There Be a CII Certification That Covers All Sectors?

This question has been raised in some corners and, while good in theory, needs a bit closer examination. Three options are considered here:

◾ The first is to maintain the status quo, with each sector having its own structures.
◾ The second is to maintain a common clearance, where everyone gets one clearance, like a general SECRET level clearance.
◾ The third is to find the goldilocks (right fit) level of clearance that fits the public and infrastructure management needs without overburdening the system.

The challenge, as alluded to earlier, is that the individual silos may function for individual sectors, but we are living in an environment of interconnected sectors. For example, can we separate energy in the context of fuel from transportation? Can we separate power generation and telecommunications? Where the sector silos become too rigid, we lose the ability to operate at that higher (n+1) level. If we look at a completely common clearance for all critical infrastructure sectors, will we achieve the necessary level of granularity in the checks before the retirement of the person being screened? This is said somewhat tongue-in-cheek; however, consider the depth of clearance for each of the current silos and then multiply that by the number of different sectors. We do need to recognize that each sector faces its own unique challenges. The impacts associated with the loss of containment in a nuclear reactor may be somewhat difficult to equate to the losses associated with the financial records of all internet-based commercial transactions. So, we cannot simply brush off the idea of sectors facing unique, or distinct, challenges from other sectors that may need to be considered in the clearance process. The “goldilocks” approach is about looking at whether a common clearance can operate at one level of sensitivity (the “just right” level) as opposed to trying to cover all levels of sensitivity. Would the level of sensitivity needed to examine a complex challenge specific to one sector likely be more complex than the discussions associated with how different sectors interact? The silo may apply to the very small number of technical experts within a field, but need not be applied to every employee in that specific sector. It would relate to work requirements and potential levels of inadvertent access to material. An example is how militaries look at clearances. They are based not on rank, but on real and reasonably foreseeable access. So, the approach may be to educate those who assign clearance levels in how to apply the clearances judiciously on the one hand, while also establishing an interoperable clearance that would be based on a reasonable set of checks as opposed to the full suite of checks. The other aspect is to educate clearance holders and organizations that clearances are not “commodities” to be traded in the market. The “goldilocks” level is about returning the security screening process to a reasonable and measured approach based on work-related sensitivity and reasonable expectations of access.

10.13 Authors’ Note

In this chapter, one might feel that there is a degree of criticism being leveled against the “current system.” While there are certainly areas of improvement, the pandemic illuminated several issues within our system that could stand improvement. Those with a background in security management (or any one or more of its subdomains) will realize that this is simply part of the natural order of things. It is not a matter of there being “evildoers” or “ne’er-do-wells” in the system. It is simply that the pandemic has provided what may be gently described as a number of “teachable moments.”

Notes

1. www.pewresearch.org/social-trends/2020/12/09/how-the-coronavirus-outbreak-has-and-hasnt-changed-the-way-americans-work/psdt_12-09-20_covid-work-00-0/.
2. www.govinfo.gov/app/details/CFR-2011-title41-vol1/CFR-2011-title41-vol1sec61-300-2, and www.govinfo.gov/content/pkg/CFR-2011-title41-vol1/pdf/CFR-2011title41-vol1-sec61-300-2.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref1.pdf), under section 61-300.2, titled “What Definitions Apply to This Part?” Taken from 41 CFR § 61-300.2: “(vi) Craft workers means individuals in positions that include higher skilled occupations in construction (building trades craft workers and their formal apprentices) and natural resource extraction workers. Examples of these types of positions include: boilermakers; brick and stone masons; carpenters; electricians; painters (both construction and maintenance); glaziers; pipe layers, plumbers, pipefitters and steamfitters; plasterers; roofers; elevator installers; earth drillers; derrick operators; oil and gas rotary drill operators; and blasters and explosive workers. This category also includes occupations related to the installation, maintenance and part replacement of equipment, machines and tools, such as: automotive mechanics; aircraft mechanics; and electric and electronic equipment repairers. This category also includes some production occupations that are distinguished by the high degree of skill and precision required to perform them, based on clearly defined task specifications, such as: millwrights; etchers and engravers; tool and die makers; and pattern makers.”
3. www.dhss.delaware.gov/dhss/dph/php/files/defessnonessshocrole.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref2.pdf). An ‘essential worker’ is a worker whose “position is designated as an essential position and the employee’s presence at work is required to assist the agency and/or division in meeting its operational needs.” This was applied not only to public sector workers, but to the private sector as well, especially those sectors which were critically vital to the United States, such as food production and distribution, transportation (rail, air, and maritime), healthcare, public utilities (water, natural gas, and electricity), and first responders.
4. www.ncsl.org/labor-and-employment/covid-19-essential-workers-in-the-states. All employees that were required to maintain the status quo of operations of those organizations were classified as “essential workers.” Retaining these workers and classifying them as “essential workers” helped society maintain some semblance of normalcy, even if operational functions were slower or delayed.
5. www.cdc.gov/vaccines/covid-19/categories-essential-workers.html (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref3.pdf).
6. Ibid.
7. www.michigan.gov/frontliners/community-college/faq/eligibility/what-is-an-essential-industry-or-frontline-worker (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref4.pdf).
8. www.ncbi.nlm.nih.gov/pmc/articles/PMC8012742/.
9. www.enr.com/articles/49996-survey-craft-workers-in-short-supply-despite-covid19-layoffs-project-delays.
10. www.pewresearch.org/social-trends/2020/12/09/how-the-coronavirus-outbreak-has-and-hasnt-changed-the-way-americans-work/psdt_12-09-20_covid-work-00-1/.
11. www.mayoclinic.org/diseases-conditions/coronavirus/in-depth/coronavirus-inbabies-and-children/art-20484405.
12. www.cisa.gov/sites/default/files/publications/essential_critical_infrastructure_workforce-guidance_v4.1_508_0.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref5.pdf). NOTE: Document referenced is “Version 4.1”.
13. www.cisa.gov/sites/default/files/publications/CISA_Insight_Provide_Medical_Care_Sep2021.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref6.pdf).
14. Ibid.
15. www.cisa.gov/identifying-critical-infrastructure-during-covid-19 (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref7.pdf).
16. https://molawyersmedia.com/missouriinhouse/2021/01/26/op-ed-securityclearance-concerns-amid-recession-pandemic/.
17. www.telework.gov/reports-studies/reports-to-congress/2019-report-to-congress.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref8.pdf).
18. https://twitter.com/NCSCgov/status/1242166775409774594 (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref9.png). This was clearly specified under the Security Executive Agent Directive 4 (SEAD 4), Guideline F, under Financial Considerations, where the NCSC indicated that:


(b) the conditions that resulted in the financial problem were largely beyond the person’s control (e.g., loss of employment, a business downturn, unexpected medical emergency, a death, divorce or separation, clear victimization by predatory lending practices, or identity theft), and the individual acted responsibly under these circumstances.

19. Ibid.
20. https://dictionary.cambridge.org/us/dictionary/english/logjam. The term “logjam” refers to “a situation in which neither group involved in an argument can win (or gain) an advantage and no action can be taken.” This is evident when specific, fixed (and unwavering) steps required to proceed cannot be fulfilled, thus causing an increasing number of requests that will—eventually—result in a higher-than-normal resumption of the process once fixed or remediated.
21. www.militarytimes.com/opinion/commentary/2020/05/13/security-clearanceconcerns-and-the-covid-19-pandemic/.
22. Prior to the pandemic (circa 2019), the backlog of security clearance requests was approximately 200,000.
23. https://csrc.nist.gov/glossary/term/sensitive_compartmented_information_facility (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref10.pdf). The term “SCIF” means “sensitive compartmented information facility”; an area, room, group of rooms, buildings, or installation certified and accredited as meeting Director of National Intelligence security standards for the processing, storage, and/or discussion of sensitive compartmented information (SCI).
24. www.gsa.gov/directive/sensitive-compartmented-information-facility-use%28scif%29-policy (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref11.pdf and http://cipbook.infracritical.com/book5/chapter10/ch10ref11a.pdf).
25. www.cyberdefensemagazine.com/low-to-high/.
26. “SCIF” means “sensitive compartmented information facility”. URL: https://csrc.nist.gov/glossary/term/sensitive_compartmented_information_facility (alt URL: http://cipbook.infracritical.com/chapter10/ch10ref45.pdf).
27. www.cyberdefensemagazine.com/low-to-high/.
28. https://federalnewsnetwork.com/workforce/2020/03/teleworking-among-fedsramped-up-but-plenty-of-issues-remain/.
29. www.fedweek.com/fedweek/dod-revises-pandemic-policies-on-telework-occupancylimits-other-issues/.
30. www.bls.gov/opub/mlr/2021/article/teleworking-and-lost-work-during-the-pandemic-new-evidence-from-the-cps.htm (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref12.pdf).
31. https://oversight.house.gov/ (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref13.pdf).
32. www.fedsmith.com/2023/01/13/legislation-reintroduced-to-slash-telework-flexibilities-for-federal-employees/.
33. https://nid.sec.usace.army.mil/ (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref14.pdf).
34. https://oversight.house.gov/hearing/examining-costs-overclassification-transparencysecurity/ (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref15.pdf, along with http://cipbook.infracritical.com/book5/chapter10/ch10vid15a.mp4 thru ch10vid15d.mp4, and ch10ref15a.pdf thru ch10ref15c.pdf).

Paradigm Shift of Nationally Sensitive Information



229

35. www.npr.org/2023/01/17/1149426416/the-u-s-has-an-overclassification-problem-says-one-former-special-counsel.
36. www.govinfo.gov/content/pkg/CHRG-114hhrg26177/html/CHRG-114hhrg26177.htm (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref16.htm).
37. https://obamawhitehouse.archives.gov/realitycheck/the_press_office/Transparency_and_Open_Government (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref46.pdf).
38. www.moran.senate.gov/public/index.cfm/in-the-news?ID=61D59167-F309-4EF7-B64B-685DAC7B0089 (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref17.pdf).
39. Ibid.
40. www.govinfo.gov/content/pkg/CHRG-108hhrg98291/html/CHRG-108hhrg98291.htm (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref18.htm).
41. www.jbsa.mil/News/News/Article/1431108/safety-of-dod-members-families-drives-electronic-device-review/ (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref19.pdf).
42. www.jbsa.mil/News/News/Article/1427532/dod-looking-into-the-impact-of-fitness-trackers-on-service-member-safety/ (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref20.pdf).
43. www.445aw.afrc.af.mil/News/Photos/igphoto/2001872399/ (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref43.pdf and http://cipbook.infracritical.com/book5/chapter10/ch10ref43a.pdf).
44. www.doncio.navy.mil/chips/ArticleDetails.aspx?ID=9971 (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref21.pdf). This includes US federal government civilian and military workers, and soldiers who exercise regularly with RF-emitting tracking devices. Officials were gravely concerned about the widespread availability of such tracking information, which shows detailed information about US military personnel in secured locations. The alarm came from a “heat map” posted by Strava, the maker of a fitness tracking application that shows the routes service members run or cycle in their daily exercises. These maps can show military bases and may be used to target individuals. Wearable electronic fitness trackers upload data to Strava, which then publishes a heat map of the activity so people can download the maps to find good running or cycling routes. Such devices are also popular with many people eager to monitor and increase their physical activity throughout the day.
45. www.army.mil/article/199811/dod_looking_into_the_impact_of_fitness_trackers_on_soldier_safety (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref22.pdf).
46. www.soc.mil/IdM/publications/docs/socialMedia/Fitness_Apps.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref23.pdf).
47. https://apps.dtic.mil/sti/trecms/pdf/AD1114556.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref24.pdf).
48. www.pmi.org/certifications/project-management-pmp.
49. www.iaem.org/Certification/FAQs.
50. www.asisonline.org/certification/certified-protection-professional-cpp/.
51. www.isc2.org/Certifications/CISSP/experience-requirements.
52. www.hhs.gov/hipaa/for-professionals/index.html (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref25.pdf).

230 ◾ Critical Infrastructure

53. www.hhs.gov/hipaa/for-professionals/training/index.html (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref26.pdf and http://cipbook.infracritical.com/book5/chapter10/ch10ref26a.pdf).
54. www.healthit.gov/topic/certification-ehrs/certification-program-health-it (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref27.pdf).
55. www.osti.gov/biblio/5244283 (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref28.pdf).
56. www.govinfo.gov/content/pkg/CHRG-89hhrg66577p1/pdf/CHRG-89hhrg66577p1.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref29.pdf).
57. www.eia.gov/energyexplained/electricity/images/elect_power_regions.jpg (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref30.jpg).
58. www.eia.gov/energyexplained/electricity/delivery-to-consumers.php (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref31.pdf and http://cipbook.infracritical.com/book5/chapter10/ch10ref31a.jpg). It should be noted that “The Grid” (formerly referred to as “The U.S. Grid” or “The National Grid,” and now referred to as “The North American Grid”) consists of approximately nine smaller interconnecting grids spread throughout the United States and Canada. Cooperation between private sector organizations, NERC, FERC, NRC (for nuclear only), and DOE provides the standards and regulatory requirements that ensure safe operation, transportation, and security of the grid.
59. www.epa.gov/green-power-markets/us-grid-regions (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref32.pdf, as well as http://cipbook.infracritical.com/book4/chapter10/ch10ref44a.jpg and ch10ref44b.jpg).
60. www.nist.gov/system/files/documents/2017/06/06/040813_nerc.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref32.pdf).
61. www.pnnl.gov/main/publications/external/technical_reports/PNNL-27062.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref33.pdf).
62. www.nrel.gov/docs/fy22osti/81827.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref34.pdf).
63. It should be noted that “NERC Critical Infrastructure Protection” (CIP) and “critical infrastructure protection” (also CIP) are vastly different and have caused significant confusion among those who work in their respective industries. NERC CIP applies only to the part of the electric industry concerned with the transportation of electricity to local distribution systems, whereas CIP applies to all infrastructure sectors considered critically vital for the continued operational sustainability of a society.
64. www.osti.gov/biblio/1357442 (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref34.pdf).
65. www.nerc.com/news/Documents/NERC%20Timeline%20Fact%20Sheet.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref43.pdf).
66. Ibid.
67. www.ferc.gov/sites/default/files/2020-05/ch7-10.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref35.pdf).
68. www.nerc.com/AboutNERC/Resource%20Documents/NERCHistoryBook.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref36.pdf).

69. www.eia.gov/energyexplained/electricity/delivery-to-consumers.php (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref31.pdf and http://cipbook.infracritical.com/book5/chapter10/ch10ref31a.jpg).
70. www.ferc.gov/sites/default/files/2020-05/05-11-06-nerc-assessment_0.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref37.pdf).
71. https://niccs.cisa.gov/education-training/catalog/captiva-solutions-llc/nerc-critical-infrastructure-protection-nerc-cip (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref38.pdf).
72. Ibid.
73. www.nrc.gov/docs/ml0037/ML003720802.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref39.pdf).
74. www.nrc.gov/docs/ML1419/ML14199A645.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref40.pdf).
75. www.nrc.gov/reading-rm/doc-collections/cfr/part073/part073-0056.html (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref41.pdf).
76. www.nrc.gov/security/domestic/phys-protect/areas.html (alt URL: http://cipbook.infracritical.com/book5/chapter10/ch10ref42.pdf).
77. www.ucsusa.org/resources/nuclear-reactor-access-zones.
78. In this example, “system” represents an individual organization responsible for certifying, clearing, and/or regulating personnel to operate with and within specifically designated areas considered (critically) sensitive.

Chapter 11

Considerations to Be Maintained in Paradigm Shifts

11.1 Introduction

This chapter presents an approach for those who must put forward significantly disruptive plans (in the context of a radical shift) or who are involved in coordinating shifts in how critical infrastructures and services are organized or delivered. Strategic-level issues, such as climate change and extreme weather, are likely to be tied not to a single factor but to a multiplicity of factors. Communication about these kinds of issues, however, has become polarized in many areas, to the point where pressure is put on leaders, organizations, communities, and individuals to change without necessarily having looked at the full impacts of those changes.

11.2 What Are Considered Paradigm Shifts?

A paradigm can be described as a model, or something similar, that is typical of a population. We see this in processes such as the scientific method, a structured way of thinking used to address many different kinds of challenges. What does this mean from the critical infrastructure protection (CIP) and critical infrastructure assurance (CIA) perspectives? Both CIP and CIA represent paradigms, with one focusing on the protection of infrastructure as the means of addressing challenges, and the other focusing more on the capacity to meet demand.

DOI: 10.4324/9781003346630-11

Considerations to Be Maintained in Paradigm Shifts



233

We also see this represented in the concept of sectors (chemical, communications, etc.), each of which has its own specific challenges. The second aspect of paradigm shifts that will be examined is some of the structures within society. For example, the movement away from fossil fuels towards electrical or other forms of energy is a prime case. When we consider the movement towards electric cars and away from fossil fuels (such as fuel oil) for heating, what does this mean from the CIP and CIA perspectives? What if we were to consider the movement away from working in centralized offices to an increasingly hybrid model or, in some cases, a shift towards working within a home infrastructure? Are there other shifts occurring that challenge our current understanding of CIP and CIA?

The hybrid work model1 allows workers (or contractors) to combine the benefits of two working models: a remote (or telework) model and an on-site model. Workers may alter the number of days per week that they work remotely or from the workplace, as determined or agreed upon by the employing organization. Some of the benefits include:

◾ Workers may perform their jobs when or how they are most productive (differing times, different locations).
◾ Workers may feel more comfortable with a better work-life balance, perhaps allowing greater flexibility and thus encouraging better work output.
◾ Organizations may hire workers from other locations in other states, or in other countries.
◾ Organizations may reap savings by investing in smaller, more efficient workspaces.

There are, however, also several disadvantages with the hybrid work model:

◾ Collaboration with other workers may become more difficult for a number of reasons:
– Lack of in-person meetings, which might otherwise allow for offline conversations.
– Work-hour discrepancies with workers in different time zones, especially with out-of-country workers.
– Poor, unsuitable, or missing technologies for keeping some workers available online during agreed-upon working hours, often making it difficult for remote or on-site workers to collaborate with those who suffer from poorer working conditions.
◾ Organizations may have issues with the oversight of remote workers.
◾ Workers using a hybrid working model may experience overly aggressive organizations imposing strict(er) oversight methods to ensure that remote workers are performing their job roles and functions.

◾ Not all infrastructure sectors may work suitably with hybrid work models or with specific types of workers, such as service and craft workers, who are required to be on site during their work shifts.

A shift in a paradigm, as outlined earlier, is when we can no longer consider these critical infrastructure sectors to be independent entities. This challenges a natural desire to organize things into neat buckets. Consider the Transportation Systems Sector. This sector is meaningless when it is isolated from the other three key sectors: financial, telecommunications, and energy. Without the financial services sector, the Transportation Systems Sector loses its meaning in the context of the global economy and trade. The impact here is that fuel and other goods stop moving, with a range of subsequent consequences. When we consider a disruption in the energy sector, we can see the Transportation Systems Sector quickly grinding to a halt. If the disruption is in terms of fuel, then the movement stops. If we look at energy in the context of electrical power, then we see the underpinning safety systems losing their availability, and the systems that rely on electricity may be forced to stop. When the financial sector is disrupted, the movement of funds allowing procurement of goods and services halts unless the system moves into a complex crediting system. Without attempting to belabor the point, the key here is to understand that the trend to treat the different sectors as independent does not reflect the realities of today’s infrastructure environment. The paradigm shift that comes into play when looking at the social and economic interactions between infrastructures can be described in the context of entanglement. To what extent is a sector interwoven through the other sectors, and how would disrupting that infrastructure affect the overall infrastructure web?
The term “entanglement” is used because the relationship between the various systems cannot be simply described as a product of each individual infrastructure. When we look at the four primary sectors of financial, transportation systems, energy, and telecommunications, we can no more lose one sector and have the system function as intended than we could expect a marathon runner to run the entire race on one leg. Let’s consider building this out without delving too much into the realm of subatomic particles. Can you accomplish any real form of transportation without energy? Of course not. Either the mode of conveyance will not be able to move, or the systems that guide that mode of conveyance will not function in the required manner. How about the financial services sector? Can we accomplish movement without financial services? This may be possible but is highly improbable. Those who provide that critical service will have expended resources or made commitments in return for resources that must be addressed and honored. The system is not unlike a gas station at this point: the mode of conveyance is needed, the fuel is needed, and so is the cash necessary to pay for the fuel. Finally, we can look at the telecommunications sector. What would the impact be if we removed this sector from the web? Financial transactions could not be processed, instructions could not be passed, data could not be exchanged, and so on. Without energy, telecommunications quickly stops, as this energy is what essentially carries the signal that moves vital information. The four sectors, therefore, cannot be looked at and understood only in isolation but need to be understood in terms of their entangled relationship with the other sectors. While we can look internally within a sector and see how an impact may affect the performance of that sector, we must also understand how the final changes associated with that impact then translate into the entangled network.

Let’s take the working example of a movement towards electric vehicles. While we may be able to state that the movement towards electric vehicles addresses one issue, we need to be cognizant of other sectors that may be affected through the entangled web of sectors. Consider, for example, the energy sector. Will the energy sector be able to generate enough electricity with the infrastructure that it has now, and will its distribution network be able to carry that energy to where it needs to be available? Consider the range of the vehicles and the agricultural context. What are the impacts on the ability to move produce in situations where the electric vehicle does not have the range of diesel vehicles? This is not to dissuade people from moving towards electric vehicles; the intent is to put forward the thought that before we push quickly to adopt a new technology, we should first understand the entanglements that it is part of and how its impacts may move and evolve between affected sectors (Figure 11.1).

Figure 11.1 Interdependencies between the “Big Four”—energy, telecommunications, transportation, and financial sectors.

Measuring a critical infrastructure sector is somewhat different from attempting to measure entangled systems. First, we can measure the performance of the system against its design, so long as the design has taken measurement into account. Where the design has not taken measurement into account, we can derive the performance values from system performance levels and then work down to the specific activities that need to be measured. Where this becomes more complicated is at the strategic level, where the critical infrastructure itself may be only one of many different influences on the performance being measured. When this happens, the key is to measure the surrounding systems and their conditions, and then look for patterns that arise when different aspects of the interconnected systems interact. Consider a very simplistic model where trucks passing through a checkpoint must do so at a certain rate. Under design conditions (i.e., there are no external factors that would detract from the performance of the system), the truck approaches the gate, it stops, the security guard performs the walkaround inspection, and then the truck moves on. Let’s say that this entire process, from arrival at the wait line to the rear of the truck passing the gate, is supposed to take two minutes. Under good conditions, this may be possible. Now let’s consider ice at the gate that slows the approach of the truck for safety reasons and slows the rate at which the guard walks around the truck due to poor traction. The need to process the truck within a certain time has not changed, but the conditions have now placed restrictions on how quickly certain steps can be taken. This means that either the process will be slowed or that time must be made up elsewhere. The key here is to take the time to examine the system from outside the design way of thinking, place it into the real-world environment, and look for those external influences that may affect the design. Failure to accommodate any extraneous conditions that will impact the overall work will have a negative impact on the ability to assure that the system will work as designed.

Second, this involves looking at how changes to the critical infrastructure sector may affect other critical services. For example, an ambulance dispatching system was updated as part of the efforts to improve healthcare, with some of the functionality being tied through the cellular system. But what if the cellular service within an area is below standard and messages are often dropped or missed? The lack of a key attribute in the telecommunications network (reliability of service) now affects the emergency services, because without the message requesting assistance getting through, there is no response. What is worse is that this upgrade project could have detected the issue by talking with operators on the ground, who would have pointed to a litany of complaints that cellular service in the area was reliable only from the rooftops. If the cellular service were to be disrupted, then how do we capture the impact on the emergency services? This is one area where critical infrastructure regulators may need to step in, guide those conducting assessments, and spur them to assess the downstream impacts of decisions within their own sector as a way of avoiding impacts in other systems.

11.3 The Need for Diligence and Care

The basis for this need to expand the impact assessment can be tied to principles associated with delivering services and standards of care. Consider our example. Is there a standard of care associated with the reliability of the cellular communications service? In reality, there may be contractual commitments between the service provider and the client, but ultimately there is an argument to be made when considering the cellular communications system in complete isolation. Does this change, however, when something like the emergency first responders and emergency dispatch systems rely on the cellular communications system? The outcome changes because there are legal obligations to ensure that systems such as the 911 emergency call number and emergency services are not unduly affected.2 It is one thing when a storm destroys certain towers, but quite another when business decisions result in similar kinds of disruptions. In those cases, there is adequate case history to argue that those who put profits over life by making decisions that knowingly and recklessly increase the risk to the public (or their consumers) could face significant legal issues.3 The next challenge comes from the nature of the critical infrastructure itself. By its own definition, critical infrastructure’s services are necessary to support the safety, security, or economic well-being of the nation (including the effective functioning of government).4 This raises two questions. First, should interference with the operations of declared critical infrastructure carry more severe consequences than traditional property crime?5 The second aspect of this question is whether a more stringent level of care needs to be exercised when determining if “adequate protection” or “reasonable precautions” have been taken.
In this context, we can fall back on the basic premises of any risk management structure, which would point to higher-value assets likely needing more care and rigor than less sensitive assets. The difference is that critical infrastructure would, by its nature, be very close to the apex of value when looking at the combination of the availability and integrity security attributes. So, is there a reasonable expectation that those making policy and operational decisions in the critical infrastructure space owe a duty of care or must follow a standard of care? The answer may surprise you. Those making the decision certainly have a duty of care in that their decisions have the ability to cause harm to others. The question lies less in whether a duty of care is owed than in what makes up a reasonably expected standard of care. This is where the cracks begin to show in the system. Except when discussing things at a “higher” level, there is very little consistency in how the specific activities used to identify, analyze, assess, and avoid acts, conditions, or omissions actually take place. One can easily make the statement that a risk assessment should be conducted before putting controls in place. Describing how that risk assessment ought to be conducted is another issue. Consider, for example, the guidance put forward by Public Safety Canada for Cyber and Infrastructure Resilience Assessments, and consider the application of the resilience assessments put forward (the physical, cyber, and multimedia). Can these assessments be done in the time identified? For some facilities, potentially. For other facilities, one might debate the speed at which such assessments might have to proceed.6 This becomes more complex when considering sector-specific assessments (such as a Port Security Assessment or the Threat and Risk Assessment for a nuclear reactor) that have their own structures. The point here is not to poke holes in the public safety approach, but to emphasize that while the requirement to exercise a duty of care may be clear, the expectation(s) associated with the standard of care tied to that duty of care are not, as there is little consistency within the domain.

11.4 The Need to See the Whole Picture

With the duty of care being to prevent harm, or at least to take all reasonable steps to prevent harm, those working with the infrastructure need to be able to see the infrastructure and the services it delivers from more than one administrative mandate. Function, in this case represented by the services being delivered, needs to drive the form of the assessment. Consider again the emergency services being routed through the cellular communications system. While a comprehensive review of clients would indicate that there are critical services relying on this service, there is a tendency in some circles to attempt to limit the scope of these kinds of assessments to their own administrative organizations. Two alternatives present themselves when attempting to face this challenge. The reality of entangled systems is that it will be very difficult, if not unlikely, that the full list of interdependencies or dependencies can be identified all at once. The first option is to cast the net very broadly using structures such as those proposed in the Systems Security Engineering doctrine under the identification of stakeholders. In this approach, the identification of stakeholders takes place before any significant direction is set.7 Relying upon stakeholders to define who their infrastructure relates to, however, can be suspect in that the infrastructure may not know the importance of its services across broad swaths of society. Consider the power production grid. While the electricity-generating companies will know a great deal about who uses their services (both in terms of specifics and generalities), they are not likely to have a full understanding of all the projects and activities that may draw upon their services. The alternative is to cast the net completely into the open and call for participants. This can lead to a chaotic set of returns from parties that may simply use the opportunity to press forward their own agendas or issues with the infrastructure, which may result in potentially catastrophic conditions. The third option is to break the mold of linear thinking and build the process so that it can be iterative in nature. More than a few meetings have been held where somebody puts up their hand and says that they know of another group, organization, or individual that may have some interest or input into an issue.

There are also more than a few examples of how refusing to bring them in at a later date led to friction between the organization and the group that ultimately led to disruptions. The key, then, is to conceptualize the management of activities so that there are a number of points where new entities can be brought into the picture slowly and in a controlled way. This will likely slow the immediate processes, because time will need to be taken to align the new organizations with the main group, in terms of both information and agreement. Overall, however, it reduces the risks associated with that new entity finding a way to either (1) catastrophically block the process or (2) create disruptions at later phases, when adjustments require greater effort.

11.5 Building an Understanding Through Models

By taking the approach used to deal with entangled systems, we can begin to ask some very relevant questions that will help us build resilient infrastructure. These questions can be summarized as follows:8

1. Anticipate—are there other systems that we can watch that will give us indicators or warnings that there is likely to be a disruption in the infrastructure?
2. Withstand—are there other systems that can be manipulated in a way that will help the infrastructure sector weather the storm?
3. Recover—are there steps that can be taken in other sectors that will assist us in the recovery of the infrastructure?
4. Adapt—are there lessons to be learned from other sectors that may apply in the sector being studied?

First we need to understand how the different infrastructures relate, and we need to establish a structure for describing those relationships. We can look at these relationships in terms of two major criteria. The first looks at the nature of causality and is described in terms of primary, secondary, and tertiary relationships. The primary relationship is the strongest of these bonds in that events in one infrastructure directly impact the other infrastructure. Secondary relationships occur when a primary bond is affected and the changes result in forces that cause changes in other systems. Finally, tertiary changes are very weak but may still be present when looking at impacts that flow even further out from the secondary impacts. The second criterion involves the nature of the impact and is looked at in terms of strong, conditionally strong, or weak. Strong bonds are bi-directional in nature. These are relatively rare but can have profound effects on the system. Conditionally strong bonds are bi-directional in nature but exist only under certain conditions. Finally, weak bonds are likely to be unidirectional and represent a potential avenue for change but may not actually result in changes.
Consider some of the recent examples that illustrate how these impacts can occur.

Hurricane Fiona, a storm that hit the Atlantic Canada coast in the fall of 2022, illustrates a number of these relationships. First, the storm affected the power grid through the disruption of electrical distribution and transmission networks. Tree branches fell over lines, essentially cutting the system down to the point of collapse. The lack of locally distributed electrical power, however, meant that many of the gas stations (those that lacked generators) were no longer able to pump gasoline. We can describe this in terms of there being a primary bond that is conditionally strong. As long as the power is running, fuel can be pumped. Under the condition of a disrupted distribution network, however, the fuel flow stops, and this leads to a conditionally strong bond that will persist for as long as the electrical system is disrupted. The other aspect to note is that while this is a conditionally strong primary impact, the impact largely moves in one direction. Electrical power is a critical service in the sense that one service supports the operations of many, and this explains the imbalance in the impacts. Let’s move to the second aspect of this impact, the disruption of the transportation network. The transportation network requires fuel to function. When cars and trucks run out of gas, the system slowly grinds to a halt. Further, the demand for fuel will increase (due to generator use, etc.) while the number of functioning stations decreases, meaning that the system will actually move quickly to its fully impacted state. As the number of trucks available to deliver fuel decreases as well (due to local shortages), this only exacerbates the challenges.9 We can describe the relationship between the transportation infrastructure and the energy infrastructure (in this case, fuel) as a primary bond because a disruption in one causes a disruption in the other.
We can also say that it’s a strong bond in that when one is impacted and the impact flows to the other sector, it is bi-directional and results in significant changes to the other. When we look at the three infrastructures together in this context, we begin to see a primitive structure forming in their relationship (Figure 11.2). Other impacts will flow out of the transportation sector impact, but there is an important factor to look at first. The red arrow, representing the strong, primary bond between the energy and transportation sectors, creates a feedback loop. These represent what might be considered “worst case scenarios” that need to be anticipated, and then steps need to be taken to break them. Consider, however, the mitigating control of establishing a requirement for all gas stations to have generators that can keep the pumps moving. This illustrates part of the value of this kind of model in that it can point out simple solutions that may have more profound results later. These representations can be developed in strings of impacts, but these strings may interact with each other as well. For example, the loss of the electrical grid and the fuel system together could have impacts in the cellular communications structure, as the generators used to power the towers slowly go off line and the cellular communications network (even if structured as a mesh) begins to fragment. Examining this impact, we need two conditions to exist. The first condition involves the loss of the primary power source or the electrical grid, and the second condition involves the failure of the backup power system due to the exhaustion of the fuel supply, meaning that there may have had to be a significant passage of time. We might describe this impact as being a conditionally strong but secondary impact. These represent sort of a logical “AND” scenario where those managing the critical infrastructure can work on negating one or both conditions to prevent that secondary impact. Our two logical conditions (loss of primary power and exhaustion of backup fuel supply) only need to have one disrupted. This might involve multiple ties to grids, the establishment of deeper reserves of fuel to outlast the impact, or having multiple arrangements that can be triggered when fuel levels drop below a certain point.10 We can see a key difference between the primary strong bond and the secondary conditionally strong bond. The primary strong bond has a level of clarity to it that the conditionally strong secondary bond does not. Also, the solution set for the primary strong bond is relatively evident, whereas the conditionally strong secondary bonds present a range of options that may produce either good or limited results. Finally, the primary strong bond has a sense of immediacy about it, whereas the secondary conditionally strong bond does not. As we carry on this route and map the various bonds that represent the impacts moving across infrastructures, we can validate this model through examining normal operations.

Figure 11.2 Impacts cascading across infrastructures, with the red arrow representing a primary, strong bond that creates a feedback loop.
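The three bond types described above (the one-way, conditionally strong grid-to-fuel bond; the bi-directional strong fuel-to-transport feedback loop; and the secondary logical-AND bond that fragments cellular service only when the grid is down and the tower reserve is exhausted) can be walked through hour by hour. The following Python model is an added illustration, not code from the book or from any utility; every duration, reserve size and the hypothetical `loop_break_hour` (an outside fuel delivery that restarts the transport side of the loop) is a constructed parameter chosen only to make the mechanics visible.

```python
"""Added illustration of the bond types in the text (primary strong, primary
conditionally strong, secondary conditionally strong with a logical AND) as
an hour-by-hour cascade across grid, fuel, transport and cellular service.
Every parameter below is constructed for illustration, not taken from the book."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Scenario:
    grid_outage_hours: int = 72            # constructed: hours the distribution network is down
    station_generators: bool = False       # mitigation on the grid -> fuel bond (pumps keep running)
    tower_reserve_hours: int = 24          # constructed: backup fuel held at the cell towers
    loop_break_hour: Optional[int] = None  # hypothetical outside fuel delivery that restarts transport
    horizon_hours: int = 120               # constructed length of the simulation


def simulate(s: Scenario) -> dict:
    """Propagate impacts hour by hour and summarise when and whether services fail."""
    fuel, transport = True, True   # hour 0: normal operations
    reserve = s.tower_reserve_hours
    cellular_down_hours = 0
    first_cellular_failure: Optional[int] = None

    for hour in range(1, s.horizon_hours + 1):
        grid = hour > s.grid_outage_hours

        # Primary strong, bi-directional bond: vehicles need the fuel that was
        # available last hour; an outside delivery can force transport back up.
        transport = fuel or (s.loop_break_hour == hour)

        # Primary, conditionally strong, one-way bond: pumps need grid power (or
        # a station generator), and stations need deliveries, which need transport.
        fuel = (grid or s.station_generators) and transport

        # Secondary, conditionally strong bond (logical AND): towers fail only
        # when the grid is down AND the backup reserve is exhausted. The reserve
        # is refilled whenever fuel can actually be delivered.
        if grid or (fuel and transport):
            reserve = s.tower_reserve_hours
            cellular = True
        else:
            cellular = reserve > 0
            reserve = max(0, reserve - 1)

        if not cellular:
            cellular_down_hours += 1
            if first_cellular_failure is None:
                first_cellular_failure = hour

    return {
        "first_cellular_failure_hour": first_cellular_failure,
        "cellular_down_hours": cellular_down_hours,
        "fuel_up_at_end": fuel,
        "transport_up_at_end": transport,
    }


if __name__ == "__main__":
    cases = {
        "no mitigation": Scenario(),
        "station generators": Scenario(station_generators=True),
        "deeper tower reserve": Scenario(tower_reserve_hours=80),
        "outside delivery after grid returns": Scenario(loop_break_hour=80),
    }
    for name, scenario in cases.items():
        print(f"{name:36s} {simulate(scenario)}")
```

Two things the paragraph states become concrete when the model runs: negating either AND condition (generators at the stations, or a reserve that outlasts the outage) keeps cellular service up, and the fuel/transport loop, once both sides are down, does not recover on its own even after the grid returns, which is exactly why the text says such loops must be anticipated and deliberately broken.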


This is where the concept of measurement in entangled systems comes into play, where we have the first shift in the paradigm. Many people invoke an engineering-like doctrine of measuring specific steps within the system and limit the scope of their thinking to only within the given system. Adaptive systems, however, may be well-served by measuring some of the aspects of the systems outside the primary system or system of interest. By identifying the presence of different bonds within a given system overarching another system, we can begin to build a more fulsome understanding of the overall picture (Figure 11.3). Similarly, this kind of approach may also offer opportunities for those that need to actually manage the critical infrastructure to build and reinforce external lines of communication that become beneficial when moving past the mitigation phase in the emergency management cycle, and into preparation and potentially even response. The understanding of these different bonds needs to include three major elements. First, it needs to be evidence-based. This aspect is crucial in determining what is going to be measured at both ends of the impact and what can be tracked over time. Second, the model, even if appearing to be stable, needs to be looked at as a living and evolving model, requiring constant monitoring and “tweaking.”11 The critical infrastructure sectors, like other sectors, are in their own periods of upheaval and change, and we cannot assume that these changes will not impact the relationships between sectors. And third, we need to understand that our comprehension of these models will evolve and change over time as well. What is being presented here should be considered as slightly more than a step evolving our understanding (in terms of granularity) of how dependencies and interdependencies function within a critical infrastructure sector. Those working within this domain should be willing to reach into other domains to conduct research to refine even more fully the understanding of how these function at either the levels where systems interact or how people, assets, facilities, information, and other supporting services can influence the relationship. Thus, think of this concept as a form of quality assurance, but on a much wider and grander scale.

Figure 11.3 A basic structure of thinking for those using this structure of thinking (the arc model).

11.6 The System+1 Approach

The “System+1” (alternatively called “N+1”)12 approach is not actually a novel concept but is intended to reinforce a practice that has been falling by the wayside as certain organizations or entities attempt to become more “efficient.”13 The goal of this step is to ensure that those working on the critical infrastructure understand the larger picture and how their particular work fits within that picture. Essentially, society or the community at large is treated as the highest-level system, and then this is broken down until the work being done is arrived at. Consider, for example, some recent notable failures. An emergency services dispatch system shows considerable promise but fails to take into account that it requires cellular service, a service that is notoriously poor in the area. Or the positioning of a runway in such a way that the marine facility actually has to reposition ships because their radio antennae intrude into the flight path of that runway (see Figure 11.4). The need for this kind of approach is not limited to this work; it is also promoted in various doctrines such as systems engineering (the BA family of activities in NIST SP 800-160 vol 1, for example) and in various other engineering-led disciplines.

Figure 11.4 Failing to look at the overall community of systems can lead to some long-term challenges, such as what can arise here should larger ships be put in at this facility.


Because critical infrastructure services are vital to survival and the sustainability of communities, there is a specific need for this level of caution and consideration before launching into projects. This model logically resides with the government as the entity that is responsible for the safety, security, and economic well-being of its population. The role of private sector corporations is not to support society (regardless of what they may say)—it is to generate wealth. As a result, they have a pressure to build revenues on one hand and to cut costs on the other. In the working example of Nova Scotia Power, the parent company of the utility, according to media reports, was approached by the Utility and Review Board in Nova Scotia to “voluntarily lower its profit margin in order to provide broad relief to rate payers.” The company instead offered to make a charitable donation to help those of its ratepayers that were most vulnerable.14 The government’s primary role, on the other hand, is not intended to generate profits, but to achieve a balanced approach that funds activities and pays down previous debts. Consequently, the maintenance of that model becomes useful not only in terms of setting the regulatory requirements placed upon the operators of the various utilities (and other critical services), but also in promoting that broad understanding of the overall changes in the environment that supports this anticipatory role. One example of this anticipation returns to the electrical grid. Consider that in February, a cold snap led to conditions that involved not only unusually high demands on the system but also led to conditions where certain electrical equipment “was not operating” because of the temperatures.
The result was a significant number of people that were left without heat, frozen pipes (which became the next challenge as they burst and then later thawed), and other challenges.15 We can state that the challenges associated with climate change are not unfamiliar to the utility in that they have faced this challenge since before 2019, when they claimed that the failure to reach outage targets was due to climate change.16 What was also observed, however, is that low voltage conditions were experienced even when power was restored, with at least some areas reporting 95V to 98V on the 120V system, causing generators to identify the brownout and to kick in to stabilize the electric power (where they were installed). Now, consider the System+1 approach that looks at the electrical generation in the context of the community and looks across the community in general. Can we point to any particular concerns? Taking this approach puts a number of current government initiatives in sharp relief. For example, if the exceptional conditions were enough to cause this level of disruption to the grid and such conditions are not likely to get better (most climate change forecasts indicate that extreme weather is likely to become more frequent), should efforts be made to improve the grid before the promotion of electrical vehicles and increasing the load on the grid? Would it be prudent, given conditions, to change building codes to require all multiple unit dwellings and critical infrastructure points to maintain a backup source of power that can be used to prevent further damage? Taking the approach of the strong, conditionally strong, and weak bonds, we can draw certain lines. Without delving too deeply into the situation in Nova Scotia, Canada, similar questions are being asked on this particular topic across North America. Concurrently, is it reasonable to expect private sector entities to meet certain government priorities on one hand while limiting their ability to raise funding needed to carry out changes to the infrastructure on the other? At this point in the evolution of critical infrastructure, there are still more questions than answers.

11.7 The Use of System Thinking to Map Dependencies

Using this particular challenge, however, we can show how this approach (sometimes referred to as the ARC model) can benefit both operations and policy makers. First, say we adopt the System+1 approach that raises our thinking beyond the critical infrastructure sector to the level where the end user of the infrastructure is impacted directly (strong bonds) and indirectly through other sectors (conditionally strong bonds and weak bonds). We can see that the increased reliance on the grid can create some new challenges. For example, the loss of the electrical grid would no longer involve just an indirect disruption of the transportation system if we moved to an electric system; it is a direct impact. Are we anticipating this challenge by addressing the question through sound research? There is certainly a great deal of research, but political messaging is also present, making it difficult to distinguish the validity of such research from the reassuring statements made by politicians. With respect to adaptation (and with a sub-benefit towards withstanding), the message within the disaster recovery communities has been to “build back better.”17 This approach, however, has still not passed the gates of many private insurance companies, which limit their costs by ensuring that the payouts replace the lost capacity and do not necessarily take into account the need to prevent future recurrences. For example, a claim resulting from a power surge may replace the lost equipment but does not cover the installation of an inline surge protector to protect the household against similar future losses. Adaptation, therefore, may be improving in areas where there are no issues considered to be more significant—such as protecting against massive losses or profit degradation.
Compounding this challenge is that attempts to find the balancing point that represents the possible solution can meet responses that are focused not on finding the realistic solution, but that focus only within the singularity of their own issue. Perhaps one area of potential improvement that could come from the “System+1” approach would be for the various governments to communicate any requirements for a standard of care that would apply to all organizations involved in the delivery of critical infrastructure services, and not just one. The communication of this requirement, through regulatory means, would create a clear expectation on all fronts (community, company, and government) of where the focus for the service must reside in order to avoid challenges of failing to exercise a duty of care, mismanagement, or even negligence. This measure may be warranted given the pressures evidenced across various sectors where competing priorities are being passed to the consumer. When we look at the ARC model in this context, there is a tendency to think that the ARC model and mapping the dependencies between infrastructures align. This is not necessarily the case. The ARC model looks at the movement of impacts, and not all these impacts are operational in nature. The impacts may be in areas that are non-operational in nature but just as unacceptable. Consider the use of significant magnets to hold autonomous ships in ports. This is one potential solution when considering how to secure Degree 4 (fully automated with no crew) autonomous ships when they come into port. What are the effects of that magnetic field on local fish within the port and spawning grounds? This may seem relatively inconsequential until the project has to demonstrate that it has completed a reasonably fulsome environmental impact assessment before it starts work. Thus, we can say that all dependencies between systems will somehow align to the ARC model approach, but there may be additional impacts beyond the operational impacts tied to the availability and integrity security attributes.

11.8 Not All Change Is Equal

This dynamic structure must also be looked at in terms of not having one-to-one relationships between events and impacts. Consider again Fiona, or any significant storm. The storm itself may take only a few hours or a day, but cleaning up the impacts may take several months. Similarly, small changes over time may lead to a threshold being crossed that leads to a catastrophic result. We cannot look at the categories of bonds described previously in terms of buckets or as having hard-and-fast limits. They need to be looked at in the context of a system that is in continuous flux. The question becomes how to look at the interaction between the different factors. The straight factoring used by many risk assessment methodologies may be useful in presenting a prioritized list of risks for management plans, but in terms of attempting to anticipate these kinds of events, more complex structures may need to be used. One might propose that instead of looking at critical infrastructure as being in a resting state, it should be looked at in an almost continuous state of unstable equilibrium. The question then becomes looking for that point at which the infrastructure, having been influenced by the myriad of factors on it, moves out of its normal unstable equilibrium, passes a critical threshold, and then moves into a new stable state of failure (or collapse). Consider the electrical grid. While it would appear stable, it is in a constant set of activities that seek to imbalance and then rebalance it. Power consumption rates change, weather conditions may influence those changes, and equipment may fail from time to time. Does this mean that the infrastructure is being managed poorly? Not at all. It means that the infrastructure is operating in the real world.18


This state represents the unstable equilibrium of the infrastructure. What needs to be understood are the thresholds that may tip that infrastructure past the point where it can remain within this unstable equilibrium and it enters the new state of collapse. The entanglement measurement approach (measuring the performance of the infrastructure not just by the steps in its design, but in terms of the changes around the infrastructure) aligns reasonably well in that the two theories help identify those key points that may tie to our “tipping point.”19 The nature of the interaction between those influences and their impacts can be described in terms of the ARC model described earlier in the chapter. Consider temperature and the grid. The cold may influence the infrastructure in several ways. It may spur demand for heat, and that demand drives up the rate at which power is consumed. It may strain infrastructure and make it more fragile, or cause it to operate at an increased probability of failure. In brief, the power grid cannot be looked at as an entity per se but should rather be looked at as a complex adaptive system. When considering cold, the condition of cold actually influences a number of these touchpoints (and in different ways). As a result, the complex adaptive system (in its state of unstable equilibrium) can be quickly unbalanced through an influence or condition like cold due to the number of variables that the cold affects. When enough of these touchpoints pass their individual thresholds, the complex adaptive system moves to a state of fragility and ultimately failure.
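The touchpoint argument above (one driver, several thresholds, and a tipping point once enough are crossed) can be made concrete with a small model. The following Python block is an added illustration and not the authors’ method or any grid operator’s data: the demand curve, the cold-derating of generation, the component trip rate and every threshold are constructed numbers chosen so that the sweep from mild to extreme cold passes visibly through the “normal”, “stressed”, “fragile” and “collapse” states the text describes.

```python
"""Added illustration of the touchpoint/threshold idea: a single driver
(temperature) moves several touchpoints of the grid at once, and the system
tips from unstable equilibrium into collapse once enough of them cross their
thresholds. All curves and thresholds are constructed, not measured data."""

INSTALLED_MW = 12_000          # constructed nameplate generation
BASE_DEMAND_MW = 8_000         # constructed demand with no heating load
HEATING_MW_PER_DEG = 120       # constructed: extra demand per degree below 5 C
DERATE_START_C = -15           # constructed: below this, cold-sensitive equipment trips
DERATE_MW_PER_DEG = 250        # constructed: generation lost per degree below DERATE_START_C
BASE_TRIPS_PER_1000H = 10      # constructed component trip rate in mild weather
TRIPS_PER_DEG_BELOW_0 = 2      # constructed: extra trips per degree below 0 C


def demand_mw(temp_c: int) -> int:
    """Heating load grows as temperature falls below 5 C."""
    return BASE_DEMAND_MW + HEATING_MW_PER_DEG * max(0, 5 - temp_c)


def available_mw(temp_c: int) -> int:
    """Generation lost as cold-sensitive equipment stops operating."""
    return max(0, INSTALLED_MW - DERATE_MW_PER_DEG * max(0, DERATE_START_C - temp_c))


def trips_per_1000h(temp_c: int) -> int:
    """Component failure rate rises with thermal stress below 0 C."""
    return BASE_TRIPS_PER_1000H + TRIPS_PER_DEG_BELOW_0 * max(0, -temp_c)


# Each touchpoint: a name and a predicate that is True once its threshold is crossed.
TOUCHPOINTS = [
    ("reserve_margin", lambda t: demand_mw(t) > 0.9 * available_mw(t)),   # <10% headroom
    ("generation_derated", lambda t: available_mw(t) < 11_500),            # cold has tripped units
    ("equipment_stress", lambda t: trips_per_1000h(t) > 50),              # failures piling up
]


def assess(temp_c: int) -> dict:
    """Classify the grid state at one temperature from the touchpoints crossed."""
    crossed = [name for name, hit in TOUCHPOINTS if hit(temp_c)]
    if demand_mw(temp_c) > available_mw(temp_c):
        state = "collapse"      # the hard limit: load exceeds what can be served
    elif len(crossed) >= 2:
        state = "fragile"       # several touchpoints past threshold at once
    elif crossed:
        state = "stressed"
    else:
        state = "normal"
    return {
        "temp_c": temp_c,
        "crossed": crossed,
        "state": state,
        "demand_mw": demand_mw(temp_c),
        "available_mw": available_mw(temp_c),
    }


def tipping_temperature(start_c: int = 10, stop_c: int = -40):
    """Sweep downward one degree at a time; return the first temperature that collapses."""
    for t in range(start_c, stop_c - 1, -1):
        if assess(t)["state"] == "collapse":
            return t
    return None


if __name__ == "__main__":
    for t in (10, 0, -10, -16, -17, -18, -19, -20):
        r = assess(t)
        print(f"{t:4d} C  {r['state']:9s} demand={r['demand_mw']} avail={r['available_mw']} crossed={r['crossed']}")
    print("tipping point:", tipping_temperature(), "C")
```

The point the sweep makes is the one in the paragraph: no single touchpoint is alarming on its own a few degrees above the tipping point, but because the same driver pushes demand up and available generation down at the same time, the margin between them closes far faster than either curve suggests, and the collapse arrives only a couple of degrees after the system first reads as “fragile”.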

11.9 Managing the Complex Adaptive Critical Infrastructure

How does one approach the management of this kind of a complex adaptive system? This is not an easy task, particularly where the organizational culture may be to attempt to categorize and simplify rather than embrace and understand complexity. The first aspect of this involves the understanding of the complex system in terms of its basic physical, logical, and operational structure. The physical structure is exactly as it sounds. It describes how the various components that make up the system are laid out. At the onset, this will require a significant level of detail, especially if we do not understand the interconnections between systems. This, of course, can be balanced by ensuring that failures at these certain interconnections are well investigated to determine the specific causes of the failure. The second involves the logical structure of the infrastructure. This is overlaid on the physical but speaks to data repositories, instruction and process libraries, and the flows of signals (on/off), data, and information throughout the system. Finally, there is the operational layer that describes how the first two layers come together and how a certain input yields the necessary or desired output. This will naturally progress from a reasonably “high” or generalized level to becoming more specific as details are known. The next paradigm shift comes in that management of these kinds of systems is not likely to be accomplished in silos.


The silo can be described as an individual, vertical system with a specific mandate and a community with similar backgrounds and experiences focusing on that mandate. This approach is at odds with the entanglement approach that is better served by having a flatter organization that can examine the issue from multiple directions. The idea here is that the multidisciplinary structure has a greater probability of detecting the presence and patterns of touchpoints within the system. The second reason for the broader approach is because the organization will need to be constantly forming and testing hypotheses and challenging assumptions. Managing this knowledge base is the next aspect of the paradigm shift. While an organization still has responsibilities to be resilient (in terms of dealing with difficulties) and sustainable (through succession planning), two options present themselves for managing this kind of organization. The organization can create the multidisciplinary team as a working or formed entity. This can come at the expense of resilience, as the ability to fill gaps in the organization may be limited. The other is to structure the organization in terms of talent pools that can be drawn upon to address challenges. These groups will form based on the challenge to be met and then will unform once the challenge has been met. The challenge lies in how to capture the knowledge and build up suitable databanks of that knowledge to establish and maintain a learning system.

11.10 Alternative or Interim Approaches

Most organizations cannot simply shed their organizational structure and implement a new one on a whim. An interim approach or a compromise must be found. This involves either (1) shifting mandates so that a community of organizations under a lead group becomes responsible, or (2) the same lead group remains accountable but has a constraint that involves ensuring realistic and broad consultation. This constraint, however, may be abused as organizations attempt to push their own view through by simply shortening the consultation process to its absolute minimum under the guise of program efficiency management or limiting disruptive discussions. An overseeing body may be warranted to ensure that appropriate processes are followed to ensure that the various critical points and interactions between these systems are identified, analyzed, appropriately assessed, and then integrated into the overall system’s awareness. The second challenge lies in the rate at which oversight bodies and innovators work. Oversight bodies, such as the various government bodies, must, as part of their work, be able to show that key steps have been taken ranging from appropriate impact assessments to broad consultations and other forms of due diligence. This is not part of the red tape of society; it is part of how governments remain accountable to their people. Consequently, they move relatively slowly. Innovators, on the other hand, move as quickly as they can to pass certain gateways in order to realize reward from their ideas (usually in the form of financial profits) and to protect their


efforts (and intellectual property) from various forms of abuse. We don’t want to stifle either process—innovation is vital for competition, but the pace for overseers needs to allow time for thoughtful consideration and for different groups to be able to formulate, discuss, and adjust their thoughts. The middle ground is to look at a structured approach and set of requirements that can be used to establish an interim operating capability. Requiring those involved in innovation to take into account public safety and similar challenges on their side may slow the innovative process but can be applied across the board as a condition of operating. At the same time, the overseers can give temporary authorization (with restrictions communicated up front) to proceed to a certain point and support those activities until a pause is taken and the system can resynchronize itself. The complexity of critical infrastructure today, particularly in its unstable environment, leads to a condition where there can still be progress but also effective oversight.

11.11 The Clouds and Critical Infrastructure

When considering the cloud in this context, we see an example of how certain technologies can race ahead of the overseers, but the systems can become unattached and then reattach. Loosely speaking, we can look at two forms of cloud computing. The first involves services that are hosted and then delivered over the Internet, which may offer Infrastructure as a Service (IaaS), Software as a Service (SaaS), or Platform as a Service (PaaS). This has been expanding into other more specialized domains such as safety, security, and other specific activities. Private clouds basically have all the same attributes as these kinds of clouds, but the computing resources are dedicated and proprietary to the organization in question. The other difference involves the customer base in that the public cloud may have multiple customers that have different and competing priorities, whereas the private clouds usually cater to smaller communities of dedicated customers. This can itself become a form of paradigm shift in that cloud services, as the number of users and involved critical infrastructure sectors increases, themselves reach a point whereby their disruption can actually affect the overall performance of the critical infrastructure sectors in a meaningful way. Consider, for example, if all major banks and shipping companies used the same platform as a service. The disruption of that platform now has multiple impacts across various domains, and we return to the challenge of when the complex adaptive system begins to shift away from its stable imbalance. This is not limited to clouds. One of the next areas to watch for as we see the paradigms shift are those acts, conditions, or services that could affect the critical number of services or conditions that support one or more critical infrastructure sectors.
We have already seen this in terms of IT, where networked technology has become so enmeshed across activities that it takes on an importance of its own. This has created a bit of a challenge in that communications within the CIP and CIA space confuse the contexts of a critical infrastructure versus a vital service. We could still survive without it, although we would likely take several steps backwards. If the priority, however, is not to allow a reduction in the quality of life and its supporting services, then the overall systems of IT systems must be considered at least vital.

11.12 Authors’ Note

We have attempted to use terminology in a way that applies to critical infrastructure, but there is a challenge in that the terminology is still used inconsistently across various domains. It is the authors’ intent to use “plain language” so that we are focusing the attention on the significant challenges within the domain and not the pedantic issues associated with which viewpoint should be considered authoritative.

Notes

1 https://envoy.com/blog/what-is-a-hybrid-work-model/.
2 There is a need to understand the difference between a government’s directive to an industry (911 must function—period) and the corporate liability of a participant within that industry.
3 This is not intended to present a legal argument, as the authors are not attorneys. A common reading of both the US and Canadian criminal codes, however, is quite explicit in how negligence is approached.
4 Public Safety Canada. (2023). Canada’s Critical Infrastructure. www.publicsafety.gc.ca/cnt/ntnl-scrt/crtcl-nfrstrctr/cci-iec-en.aspx (alt URL: http://cipbook.infracritical.com/book5/chapter11/ch11ref1.pdf).
5 It should be noted that this is a matter for courts and policy makers, not the authors of this work.
6 Public Safety Canada. (n.d.). Cyber and Infrastructure Resilience Assessments. www.publicsafety.gc.ca/cnt/ntnl-scrt/crtcl-nfrstrctr/crtcl-nfrstrtr-rrap-en.aspx (alt URL: http://cipbook.infracritical.com/book5/chapter11/ch11ref2.pdf).
7 NIST. (2022). Engineering Trustworthy Secure Systems. (NIST SP 800-160 Volume 1 Revision 1). https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160v1r1.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter11/ch11ref3.pdf).
8 https://csrc.nist.gov/glossary/term/cyber_resiliency—def: cyber resiliency; this can be applied to any given system, whether cyber-related, physical, or logic (process-driven, but not necessarily cyber-driven).
9 There would be an unbalanced acceleration over time as the system continues to remain disabled or nonfunctional. Such was the case with the statewide electrical outage in the state of Texas in February 2021 due to unexpectedly cold conditions which caused generation stations to halt electricity production. Demand for electricity soared to an unsustainable level exponentially, whereby the entire system quickly collapsed.
10 This is defined as a “race condition,” in which an unanticipated or unexpected event occurs when one or more systems, or subcomponents of a single given system, attempt to perform more than one operation or process; but, due to the nature of how a system has been designed, and that the operation must be performed in a specific sequence, this causes a complete cascaded failure. This is often associated with either sequential or systemic impacts.
11 The term “tweaking” means adjusting conditions of a given system based on its safety (if a factor), reliability, and its performance. This means that constant monitoring and adjustments are required in order to keep the system within either specified or accepted outputs.
12 A “System+1” (alternatively called “N+1”) approach to a given system defines how resilient that system is, ensuring its availability in the event of a failure of a component, a subcomponent, or an adjacent, tightly coupled system.
13 The term “efficient” here refers to a loosely defined set of factors ensuring that a given system is operational, performing as expected or anticipated, producing the expected output safely, and within expected constraints.
14 Henderson, Jennifer. (2020). Emera: No, We Won’t Reduce Our Guaranteed Profit. (Halifax Examiner: Environment). www.halifaxexaminer.ca/environment/emera-no-we-wont-reduce-our-guaranteed-profit/.
15 Nenic, Karla. (2023). Thousands of N.S. Customers Out of Power Amid Strong Winds, Cold Snap. (Global News). https://globalnews.ca/news/9460274/nova-scotia-power-outages-extreme-cold-weather/.
16 Nova Scotia Utility and Review Board. (2020). M09472 Nova Scotia Power Inc. re 2019 Annual Performance Standards. https://nsuarb.novascotia.ca/sites/default/files/M09472%20-%20Decision%20Letter.pdf.
17 Public Safety Canada. (2017). Eighth Annual National Roundtable on Disaster Risk Reduction: Building Back Better. www.publicsafety.gc.ca/cnt/rsrcs/pblctns/pltfrm-dsstr-rdctn-2017/pltfrm-dsstr-rdctn-2017-en.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter11/ch11ref4.pdf).
18 The term “real world” means “drawn from or drawing on actual events or situations”; www.merriam-webster.com/dictionary/real-world.
19 The term “tipping point” is when an unstable equilibrium changes from its current state to a state of stable degradation, and ultimately, system failure. This term can also be viewed as the range of fragility within which a system begins to fail out of control (refer to the previously mentioned term “race condition”), eventually reaching a state where it will completely collapse.

Chapter 12

Climate Change

12.1 Introduction

This chapter will examine some of the climate and weather-related challenges faced by those who manage critical infrastructure services. Focusing on the challenges, the chapter will not engage in the debate over whether climate change is real, a result of human activity, or other areas beyond the expertise of the authors. By using the emergency management cycle, it will look at some of the main challenges in a systematic way.

12.2 Climate versus Weather?

Confusion still exists with respect to the difference between climate and weather. Climate describes “what weather is like over a long period in a specific area.”1 Weather refers to the “mix of events that happen each day in our atmosphere.”2 Why is this important? Weather is something we can measure immediately. We can look out the window and see the weather and what is going on. Climate is more difficult. We can see the symptoms of climate (weather), but it requires a more studious and rigorous approach than simply looking out the window before we can argue that the climate is changing. Perhaps the clearest way to distinguish the two is to understand that extreme weather is what causes immediate damage, whereas climate change is changing the frequency, intensity, and nature of that extreme weather. This is also where we need to understand how we observe and model both weather and climate. Weather forecasting essentially collects data from multiple sources such as NOAA’s various satellites, Doppler radars, radiosondes, ground stations, and the like.3 Data from aircraft and ships may also be brought into the picture to help provide a richer or more complete data environment.4 This is one of the weak conditional bonds from the previous chapter. A rise in transportation costs or a reduction in demand that leads to a reduction in the number of flights leads to a reduction in data, which in turn leads to greater uncertainty in our ability to predict weather. These predictions differ significantly from models such as those produced by the Geophysical Fluid Dynamics Laboratory of NOAA (Figure 12.1). Within models such as the Global Climate Model, components such as “atmosphere, land surface, ocean, and sea ice” come into play.5 Why is it important to understand the distinction? Understanding the distinction between these becomes important in terms of understanding how to filter through the significant amount of biased and, in some cases, completely false information. This work is not going to get into whether climate change is real (of course it is) or its sources (a much more difficult question to answer and probably best described as a congruence of many factors, not just one). What is important is that we begin to cut through the rhetoric that surrounds this debate and return to the science supporting it. This work, however, will proceed on the premise that climate change is occurring and that we are facing a more complex and difficult weather environment (Figure 12.2).

DOI: 10.4324/9781003346630-12

Figure 12.1 Rising global temperatures (NOAA).

12.3 The First Impact—Uncertainty

Uncertainty involves not being able to achieve the necessary level of confidence regarding something, including an outcome or result. This may be the result of conditions that have become increasingly random or that have become complex beyond our ability to maintain predictive models. It may also be that the sources of data needed to achieve certainty are no longer available. In both cases, the outcome is the same: plans are no longer trusted to the same extent by those who will be supported by them or who will be implementing them. Severe weather events and conditions have become both more difficult to predict and more complex in nature. Researchers such as Diffenbaugh (2020) argued that predictions that relied solely upon historical data “frequently underestimated” both the effects of climate change and severe weather events, and tied this to the increased warming conditions (p. 1).6 Other atmospheric conditions have also contributed to what is being seen as an increase in the difficulty of predicting weather. Consider what this means for those involved in the major projects designing critical infrastructure. The ability to withstand events (robustness) in the contexts of both asset protection and resilience relies heavily on design. Where we did not face these changes in weather, we could rely upon (and did for decades) historical data that could be analyzed to determine such features as the ability to withstand wind loading, temperature, and other factors.7 Where events tend towards the averages of conditions over time, predictions are reasonably possible. Information drawn from NOAA that tracks the deviation of average surface conditions from the long-term average shows a clear upward trend (Figure 12.3).8 The important aspect of Diffenbaugh (2020) lies in the gradual increase of the deviation from the average and what that means in terms of continuing, and increasing, uncertainty. While the period from 1940 to 1980 appears relatively flat, the similar period from 1980 to 2020 shows a continuous trend that exceeds the deviation for all previous recordings. While there appear to be periodic movements back towards the average (noting the shape of the curve both above and below the average), it is noteworthy that the return towards the average appears tied more to the curve than to the average. If Diffenbaugh’s research holds true, the probability of increasingly severe and underestimated weather will increase.

Figure 12.2 Global temperature projections. Source: USGCRP, 2017: Climate Science Special Report: Fourth National Climate Assessment, Volume I. Authors: Wuebbles, DJ; Fahey, DW; Hibbard, KA; Dokken, DJ.

Figure 12.3 Global average surface temperature graphic (“NOAA Climate Change: Global Temperature,” from the research of Rebecca Lindsey and Luann Dahlman, published in 2023). Source: NOAA.

12.4 Adjusting Emergency Management

What does this mean from a critical infrastructure protection (CIP) perspective? Consider the attributes of CIP in terms of availability and then integrity. If we look at this from a purely protective standpoint, then we face a challenge in terms of how to reestablish that comfortable safety margin in the more uncertain environment. Will the design of the infrastructure be able to meet the requirements to both deliver and maintain the service within acceptable quality levels? How much confidence do we need to have before we consider reasonable risks to have been managed? These questions will increase in intensity as the uncertainty increases. The second option is to carry on with the concept of resilient networks. The common goals for resiliency can be described in terms of the ability to anticipate and withstand challenges, recover from events, and then adapt and learn so that the system is less likely to fall prey to the same event twice.9 Once again, however, we are faced with the same challenge. The increased uncertainty erodes our ability to anticipate severe weather and also our ability to determine the thresholds that would be applied to the design in order to withstand it. Additionally, the challenge with severe weather is that it normally affects larger areas, if not whole regions. Thus, techniques that may be used to build more resilient networks may be challenged when attempting to determine the outer edge of the impacted area. We see this challenge being played out in a number of areas and in different manners. Consider the drought in the southwestern United States. The drought conditions in the area are tied to temperatures (particularly warmer ones) that have been both uncertain and deviating from the long-term average. While the whole list of techniques used to achieve resilience may not be relevant, certain techniques may be useful in this context.

Principles such as segmentation may be used to ensure that critical services receive water while other, less critical aspects do not. Other elements, such as diversity and non-persistence, can be used to distribute the loads and impacts of conditions in a way that allows some resources to recover while others are used. In a second example, consider the derecho that struck southern Ontario and western Quebec. In this context, there would be very little way for resources to be positioned outside of the area. However, once again, segmentation and other techniques may be used in order to attempt to at least minimize the impacts. What should be clear is that this level of complexity is going to require thinking beyond traditional CIP and CIA treatments. One potential answer to this challenge may involve looking at critical infrastructure not in terms of its distribution across the region, but in the verticals associated with the strategic (such as the grid), tactical (regional), or operational (houses) levels. The first step would be to make houses and key infrastructure points resilient through the use of protection against common impacts and redundancy. For example, a home may have a backup generator and surge protection where the grid is prone to failure. Combined with battery backups (to cover the period between the failure and the generator kicking in), the house may well be able to weather the failure of the power grid for a time and buy the utility time to buy power. With the increase in uncertainty, the evolution in CIP and CIA doctrine will need to shift from a two-dimensional view (such as one might have of a map) to one that considers the refinement as one moves from the strategic through the tactical to the operational (such as might occur when “zooming in” on a digital map online).

12.5 The Ability to Withstand

The ability to withstand, in this context, involves being able to identify critical services at each of the strategic, tactical, and operational levels. By assuring the critical services at the operational (household) level, we can roll up this success through the tactical level and ultimately to the strategic level. When we consider this in the context of climate change, we see a situation where the following applies:

◾ People need to become increasingly aware of the conditions in their area in terms of both weather and also how infrastructure responds to those weather conditions.

◾ People need to become increasingly aware of what their critical services actually are and how those may shift over time.

◾ People need to become increasingly engaged in terms of building up the understanding of conditions on the ground so that the operational and strategic pictures can be formed on real data.

Then the work to deal with climatic issues and severe weather can begin to take form. We can then shift to looking at the risk management options that present themselves at the local level. During Fiona, which hit the Canadian Maritime Provinces in the fall of 2021, more than a few people did not have the basic measures in place to survive such a storm. Backup generators and fuel could be found in short supply in some regions. This extended beyond simply running an extension cord to something. The loss of power meant that well and septic systems were no longer functioning as designed. Combined with the disruption of telecommunications networks and road infrastructure (fallen trees, etc.), one might argue that certain capabilities within the region were prepared, but one could easily find pockets of non-preparedness.


12.6 The Ability to Respond

The ability to respond might well be more complicated than the ability to withstand an event. This is because the response to severe weather events and climate change actually precedes the events, and we need to see response not as a separate phase of activities but rather as a transition between preparedness, damage control, and finally recovery. Having assets pre-positioned to reduce the risks associated with attempting to get them into position is one example of this kind of thinking. This needs to be fed backwards into the preparation phase so that the right supporting infrastructure can be in place to support those activities. The other aspect of response involves the safety of responders. Where the uncertainty surrounding conditions increases, we need to be increasingly mindful of those who are responding. Consider the power outage caused by downed power lines. The limitations on operations due to wind are more than simply a matter of sustained wind speed. Factors such as wind gusts, the frequency of gusts (which may result in oscillation), and other factors must also be considered.10,11 Previously, organizations might state that if winds were above a certain level, workers could not be deployed. With the increased degree of uncertainty, we now need to think in ranges. While the power line technician offers a clear example, those involved in the management of responders will need to become more situationally aware of both the limitations of the equipment and the potential for changes in conditions. Severe weather generally acts across regions and is only rarely point specific (thinking of tornadoes and microbursts). This can pose other challenges for those who need to respond to events. Before the repair crews can determine the safety of the specific site, they need to get to the site. Severe weather can easily lead to a number of different challenges, two of which involve blocked roads and disrupted telecommunications.
Finally, there are some events where the only response involves moving back from the environment. Coastal erosion provides one example of this. Fiona illustrated what a severe storm could do to a softer coastline when it wreaked significant damage on communities along the coast as well as on sandy beaches and dunes. The single storm’s impact is most telling in the photographs provided (Figures 12.4a and b). These severe weather events also create conditions where responders may be put in extraordinarily difficult positions. While the beaches may be considered an environmental disaster given the time it will take the dunes to recover, they were not the most significant impact. The combination of communities built along the coast and the impact of the storm created life-threatening conditions for some people, as homes were washed out to sea. While the dunes may illustrate the overall impact of an event, this illustrates the need for the response to begin at the point of impact. Essentially, given the nature of severe weather, the need for capable response begins at the homeowner or occupant level, not the community level.


Figure 12.4a and 12.4b Before and after photographs taken of damage incurred from Hurricane Fiona at Canada’s Prince Edward Island National Park. Images are from an archived web page for the PEI National Park, URL: https://parks.canada.ca/nature/science/impliquez-involved/~/~/link.aspx?_id=0DCCE7C8803B427C8E246EDBBD5A30B3 (alt URL: http://cipbook.infracritical.com/book5/chapter12/ch12ref6.pdf). Source: A research paper provided by the U.S. National Oceanic and Atmospheric Administration (NOAA): Richard J. Pasch, Brad J. Reinhart, and Laura Alaka, National Hurricane Center. (2023). National Hurricane Center Tropical Cyclone Report. Hurricane Fiona (AL072022), September 14–23, 2022, Page 6 and Pages 10–11, URL: https://www.nhc.noaa.gov/data/tcr/AL072022_Fiona.pdf (alt URL: http://cipbook.infracritical.com/chapter12/ch12ref9.pdf).

12.7 The Ability to Recover

Recovery poses the most significant challenge, and the effects of climate change can create a rather significant trap that is most evident in the insurance industry. Many insurance companies dealing with homeowners continue the policy of replacing a capability and do not allow the homeowner to make improvements. From the insurance company’s perspective, this is simply cost management, and there is an element that rings true in this context. From the homeowner’s perspective, this can be significantly challenging if labor shortages exist. This can create two spirals. The first spiral involves the degradation of property value and enjoyment that comes from having properties remain in some state of disrepair while awaiting contracted services. The second is more significant, in that the increase in insurance rates that tends to follow making a claim places additional pressure on homeowners and may result in some homeowners having to abandon their insurance policies. The outcome becomes a downward cycle as storm seasons progress and uninsured impacts or costs mount. The connection between this challenge and the critical infrastructure domain lies in the availability of specialists needed to answer certain questions and how these resources can be stretched to the point of disruption. Electrical grids were disrupted in three major ways during Fiona. The first involved damage to the distribution grid itself, through trees falling on lines and similar events. The second involved masts connecting houses to the grid being damaged or detached from homes; these were not repairable by the utility and required certified electricians to repair. The third involved damage within homes (such as through power surges affecting appliances and the loss of neutral grounds). Insurance companies required electricians’ notes or opinions on the repairability of appliances, leaving claims hanging for weeks and in some cases months before an electrician could look at them. This challenge returns to one of the basic premises of CIP—the delivery of a capacity meeting demand. This becomes relevant in the context of severe weather because of the area affected and how these kinds of delays adversely affect the ability to return things to a normal operating state. At regional and national levels, the key significant improvement since the last edition has been the stabilization of the concept of building back better after these kinds of events. This reflects a recognition that rebuilding infrastructure to the design that failed the first time may not be the most efficient solution when that infrastructure will face similar events in the future. The next challenge in this regard, however, will be feeding that information into (1) the insurance companies, where there is a potential issue as per the previously discussed challenge at the household level, and (2) building codes and other strategies.

12.8 The Role of the OODA Loop

The OODA loop (observe, orient, decide, and act) is one structure that can be used to walk through how individuals, entities, or organizations make decisions. As we look at the role of severe weather and climate change as compared to some of the mitigation tools, two challenges come to mind. The first of these involves land use. Given the nature of severe weather (be it atmospheric rivers and flooding, snowfalls, wind storms, drought, or severe storms) and the reduced certainty, there is a need to identify the potential for designating certain areas as being too high a risk for habitation unless construction methods can be demonstrated as meeting the anticipated conditions for at least the majority of the structure’s anticipated life span. While idyllic, the days of wooden-framed homes perched on the edge of sandy dunes by the seashore should be understood as being largely at an end. The second aspect is the approach to building and construction standards. Building to code is actually adherence to a minimum standard. Where these higher-risk events are taking place, there may be a need to move beyond building codes for construction projects that are exposed to severe weather. This means declaring these higher-risk areas as being potentially unsuitable for “design by code” and requiring proper engineering studies to validate design before construction. This will require more than a simple administrative change.

12.9 Factors to Improve Observation

The first challenge lies in observation and achieving what may be called situational awareness. Three domains need to be considered in this awareness. The first involves the true state of the infrastructure in terms of its ability to deliver its services and under what conditions this assurance remains valid. The second involves the conditions being experienced in the area and those that can be reasonably expected as we look into an increasingly uncertain future set of conditions. The final aspect involves the nature of the environment and how it responds to these threats. As discussed earlier, the nature of uncertainty is making it more difficult to rely upon purely historical data. While this data does have its uses and certainly plays an important role, it needs to be understood as being a part of the picture and not the whole picture. This is to say that the historical data needs to be positioned along the curve with respect to time and then used to help determine the upper and lower ranges of what may be considered reasonable. While many federal entities are slowly publishing databases or databanks of information regarding natural disasters (a very positive step), the next phase involves the development and distribution of models that can, based on the understanding of the day, begin to address the uncertainty.
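As an added illustration of the point made here and in Section 12.3 (not code from the book or its authors), the following Python script positions a set of historical observations along a trend with respect to time and derives an upper and lower range from the residual deviations, then contrasts that with the naive baseline of a flat long-term average plus or minus its spread. The yearly anomaly series, the year 2023 and the 0.90 reading are constructed values for the example, not NOAA data; the constructed series drifts upward so that a recent reading looks anomalous against the flat average but expected against the time-positioned trend.

```python
"""Added example: a time-positioned "reasonable range" versus a flat average.
All numbers below are constructed for illustration and are not NOAA data."""
from statistics import mean, pstdev

# Constructed annual anomaly series: a steady +0.02/yr drift with a small
# repeating wobble, standing in for a surface-temperature deviation plot.
_WOBBLE = [0.05, -0.05, -0.05, 0.05]
SAMPLE_SERIES = [
    (1980 + i, round(0.02 * i + _WOBBLE[i % 4], 4)) for i in range(40)
]


def fit_trend(series):
    """Ordinary least-squares line value = slope * (year - base) + intercept.
    Returns (base_year, slope, intercept)."""
    base = series[0][0]
    xs = [year - base for year, _ in series]
    ys = [value for _, value in series]
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return base, slope, my - slope * mx


def trend_range(series, year, k=2.0):
    """Expected value at `year` from the fitted trend, widened by k residual
    standard deviations: the range once the data are positioned along the
    curve with respect to time. Returns (low, high)."""
    base, slope, intercept = fit_trend(series)
    residuals = [
        value - (slope * (yr - base) + intercept) for yr, value in series
    ]
    sigma = pstdev(residuals)
    expected = slope * (year - base) + intercept
    return expected - k * sigma, expected + k * sigma


def flat_range(series, k=2.0):
    """The naive baseline: long-term mean plus/minus k standard deviations,
    ignoring where each observation sits in time. Returns (low, high)."""
    values = [value for _, value in series]
    mu, sigma = mean(values), pstdev(values)
    return mu - k * sigma, mu + k * sigma


def classify(series, year, observed, k=2.0):
    """Report whether an observation falls inside each baseline's range.
    A reading flagged by the flat range but accepted by the trend range is
    the 'underestimation' the historical-average approach produces."""
    lo_f, hi_f = flat_range(series, k)
    lo_t, hi_t = trend_range(series, year, k)
    return {
        "within_flat_range": lo_f <= observed <= hi_f,
        "within_trend_range": lo_t <= observed <= hi_t,
    }


if __name__ == "__main__":
    # Constructed recent reading (year 2023, anomaly 0.90).
    print("trend (base, slope, intercept):", fit_trend(SAMPLE_SERIES))
    print("flat range:", flat_range(SAMPLE_SERIES))
    print("trend range for 2023:", trend_range(SAMPLE_SERIES, 2023))
    print(classify(SAMPLE_SERIES, 2023, 0.90))
```

Replacing `SAMPLE_SERIES` with a real anomaly series keeps the logic unchanged; the `k` parameter is the analyst's choice of how many standard deviations count as "reasonable," and widening it as the observed deviation grows is one simple way to express the increasing uncertainty the section describes.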

12.10 Improving Orientation

Upon gaining an appreciation for the range of reasonably foreseeable conditions and how the local environment may respond to those conditions, the next step involves how to orient our thinking towards the use of that land. Formal education and experience need to intersect at this point, but only in a context where motivations and intentions are clear. The various political debates need to be placed aside, and the focus needs to be understood in terms of protecting an environment, potentially improving an environment’s ability to withstand certain events, and what may be considered safe and reasonable use. For example, where atmospheric rivers are involved, one of the core issues may well be drainage and steps to prevent lower-lying areas from flooding. While sewer systems and other infrastructures may provide a solution, so might ensuring that ground cover allows for a rate of absorption that can reduce the pooling of water. The concept of land (and ocean) stewardship comes into play at this point. Again, regardless of the various competing political and economic priorities, it needs to be understood that we are examining a system subject to the laws of nature. We also need to look towards some innovative solutions, and this means broadening our perspectives to include less traditional approaches that can still be validated in terms of critical thinking. Community consultation, including Indigenous populations, is one area where this can benefit the solution space.

12.11 Improving Decision-Making

The goal involves making better decisions that balance the infrastructure needs with other needs, and this involves making decisions that leverage the expertise and experience of communities from different viewpoints. It should be clear, however, what the limits of those viewpoints are. Traditional knowledge may well describe certain things (such as how flooding may proceed under certain conditions) but may not be able to describe how modern infrastructure needs to be designed safely. At the same time, more than a few lessons from history that predate long-term records (which usually go back to the 1800s) may provide useful insight. Building these communities requires that all parties come to the table with a focus on the questions to be answered, and without ulterior motives. To accomplish this, the infrastructure projects need to be clearly described in terms of goals (what capacity the project is intended to deliver) and the constraints around it (such as not being within certain distances of populations, etc.). Then the viewpoints can be looked at in terms of how to accomplish those goals or in determining what adjustments need to be made.

12.12 Improving Actions

Ultimately, the goal here needs to focus on managing risks appropriately. Those risks range from public (community safety), to personal safety (homes), to infrastructure assurance (aligning with the safety of infrastructure). The key elements that will allow actions to be improved can be described in terms of the following. First, adequate time for proper planning, consultation, and research, and maintaining an appropriate scope during those activities. Once the decision to build infrastructure has been made (which should have its own consultations), the question of “if” the infrastructure is to be built needs to be set aside as answered. This doesn’t mean that it cannot be revisited based on new and relevant information, but it is no longer the focus. The focus needs to be on accomplishing the work. Second, there needs to be an appreciation of the work through the full life cycle. It is not enough to say that there will be a good pipeline running from A to B. There needs to be an understanding of the design process, the building processes, the management of the infrastructure, and also how that infrastructure may be retired from service. The considerations associated with severe weather and climate change need to be incorporated across each of those phases in the life cycle. This is not only to answer the question of “why” something should be built a certain way, but also to begin to answer the questions associated with what requirements need to be integrated into the later phases of the infrastructure’s life cycle. For example, the need for a pipeline may be significant, but so are the things that will need to happen when the pipeline reaches its end of life. This approach, common in certain engineering practices, needs to be implemented rigorously in project management contexts as well. The challenge of climate change in the critical infrastructure context can be looked at as being catalytic in nature. Through necessity, it will force changes in how we approach design, implementation, and management challenges.


12.13 Authors’ Note

The linkages between climate change and critical infrastructure protection are becoming more apparent. While this is another emerging field (similar to the gradual shift from network robustness to network resilience), these are fields that are being aligned. Consequently, the authors have refrained from presenting arguments using the specific jargon of one domain or the other, opting instead to maintain a “plain English” approach.

Notes

1. www.ncei.noaa.gov/news/weather-vs-climate#:~:text=What%20exactly%20is%20climate%3F,time%20in%20a%20specific%20area. (par 4) (alt URL: http://cipbook.infracritical.com/book5/chapter12/ch12ref1.pdf).
2. Ibid.
3. www.noaa.gov/stories/6-tools-our-meteorologists-use-to-forecast-weather (alt URL: http://cipbook.infracritical.com/book5/chapter12/ch12ref2.pdf).
4. www.washingtonpost.com/weather/2020/05/12/weather-forecasting-coronavirus-flights/.
5. www.gfdl.noaa.gov/climate-modeling/#:~:text=Beginning%20in%20the%201960s%2C%20GFDL,in%20a%20growing%20modeling%20community (alt URL: http://cipbook.infracritical.com/book5/chapter12/ch12ref3.pdf).
6. Diffenbaugh, N. (2020). Verification of Extreme Event Attribution: Using Out-of-Sample Observations to Assess Changes in Probabilities of Unprecedented Events. Science Advances. (Vol 6 Issue 12). www.science.org/doi/10.1126/sciadv.aay2368.
7. Jordan, Rob. (2020). Stanford Researcher Reveals Influence of Global Warming on Extreme Weather Events Has Been Frequently Underestimated. (Stanford Woods Institute for the Environment). https://news.stanford.edu/2020/03/18/climate-change-means-extreme-weather-predicted/.
8. Dahlman, L., and Lindsey, R. (2023). Climate Change: Global Temperature. (Climate.gov). www.climate.gov/news-features/understanding-climate/climate-change-global-temperature (alt URL: http://cipbook.infracritical.com/book5/chapter12/ch12ref4.pdf and http://cipbook.infracritical.com/book5/chapter12/ch12ref4a.png for the graph; additional graphs may be found at http://cipbook.infracritical.com/book5/chapter12/ch12ref4b.png and http://cipbook.infracritical.com/book5/chapter12/ch12ref4d.png).
9. NIST. (2021). Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (NIST SP 800-160 vol 2 revision 1). https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160v2r1.pdf (alt URL: http://cipbook.infracritical.com/book5/chapter12/ch12ref5.pdf) (p. 10).
10. Olson, J. (2022). Understanding Wind Speed Limitations on Utility Equipment. https://incident-prevention.com/blog/understanding-wind-speed-limitations-on-utility-equipment/ (paras 2–4).
11. https://parks.canada.ca/pn-np/pe/pei-ipe/Principal-Main-Fiona/fiona-archive (alt URL: http://cipbook.infracritical.com/book5/chapter12/ch12ref7.pdf).

Index

Note: Page numbers in italics indicate a figure and page numbers in bold indicate a table on the corresponding page.

A Administrative Monetary Penalty (AMP), 7 Admiralty Code, 86 assurance, 12, 18, 19 clouds and concealed conduits, 93 balance with resiliency, and protection, 79 and fragility, 33 and information sharing, 84 of loyalty, 127 of operations, 12 and paradigm shifts, 232 and physical security, 180, 199, 200 of relevance, 90 and robustness, 195 –198, auditing, automated, 90 AWS, 114

B Baltic and International Maritime Council (BIMCO), 56 big data, 89, 90 botnet, 61, 63 Budapest Convention for Cybercrime, 62 budget, 5, 6, 71 cycles, 135 business continuity planning (BCP), 19 business operations, 52 and balancing public operations, 118 –121

C Canada Border Services Agency (CBSA), 21 Canada’s Bill C-26, 5, 6 Canada-United States Action Plan for Critical Infrastructure, 47

capacity, 17–23, 33; see also assurance demand as reason for, 18 –19 and performance, 19 local impact on, 19 –20 immediate result of local impact on, 20–22 and push, pull, lag, and delay concept, 22 relevancy to CIP, 22 –23 carbon emissions, 134, 254 CBSA, see Canada Border Services Agency (CBSA) Churchill, Manitoba, 18, 19, 21, 57, 70, 164 critical infrastructure changes after 9/11, 39 common criteria, 38 convergence, 30 –31 convergence and understanding of threat, 31–33 current research of, 26 –27 current status, 40 – 41 and cyber as new conflict domain, 29–30 definition of, 3 – 4 fusion of changes after Y2K, 39 government role, 41– 42 interdependency hydra, 27–28 legislation, 107th Congress (2001–2002), 39 – 40 legislation, 108th Congress to 109th Congress, 40 mitigation, 39 and network fragmentation and dissolution, 28 –29 network expansion, 38 open architecture, 38 private sector, 4 – 6 public sector, 6 – 8 at small system (regional) level, 23–25


CIA, see critical infrastructure assurance (CIA) CIP, see critical infrastructure protection (CIP) climate change ability to recover, 259–261 ability to respond, 258–259 ability to withstand, 257 actions, 263 decision-making, 262–263 emergency management, 256–257 improving actions, 263 improving decision making, 262–263 improving observation, 261–262 improving orientation, 262 OODA loop, 261 push, pull, lag, and delay, relevance to, 22 risk management, 257, 263 situational awareness, 261 uncertainty, 254–256 vs. weather, 252–254 cloud as amplifier, 101–102 computing, 99, 249 and concealed conduits, 102–105 -enabled technologies, 30 coercion, concept of, 123, 139 –140 Commercial Facilities Sector, 166 concept of assurance, see assurance concept of capacity, see capacity concept of coupling, 139 –140 concept of performance, 19 conflicts, 2, 41, 50, 214 –215 convergence, 31–32, 37–38 common criteria, 38 COVID-19 pandemic, 5, 183, 208 –226 CII certification, 225 –226 clearances, levels of, 224 –225 critical infrastructure information, challenge of, 219 –222 critical infrastructure workforces administration, challenges in, 212 –213 critical infrastructure workforces administration, changes in, 214 –216 critical infrastructure workforces administration, impact on, 211–212 enabling information, challenge of, 218 –219 fingerprints, 213 individual vs. industry certifications, 222 –224 mobile workforce, secure, 216 –218 organizations, impact of, 209 –211

Critical Cloud Service, 157
critical infrastructure assurance (CIA), 1–13, 232
  Administrative Monetary Penalty, 7
  budget, balancing of, 6
  CIP, definition of, 8–9
  critical infrastructure, definition of, 3–4
  critical infrastructure, evolution of, 12–13
  critical infrastructure functions, 11–12
  definition of, 9–11
  downloading, 6
  financial risk, 5
  global-centric network, 4
  international “monsters,” 4
  nongovernmental organizations, 4
  private sector, definition of, 4–6
  public-private partnerships, definition of, 11
  public sector, definition of, 6–8
  terrorist attacks, 2
  threat of international terrorism, 12
  threat spectrum, 1, 2
critical infrastructure protection (CIP), 17, 232
  as basic concept, 1
  as business line, 2
  vs. critical infrastructure assurance, 132
  and critical infrastructure sectors, 13
  and computer networks, 132
  during COVID-19, 5
  and financial crisis, 75
  for-profit model, 74
  and cloud, 101
  government objectives, 63
  and security domains, 2
  stratification of various sectors, 166–167
  and resilient infrastructures, 135–136
cyberterrorism, 29–37
  convergence, 30–31
  destabilization of systems, 35–36
  dissolution of networks, 36–37
  fragility, 33–36
  fragmentation, 36–37
  threat, understanding of, 31–33
cyclical fragility, 33

D
“dark web,” 179
demand
  CIP, 22–23
  and concept of performance, 19
  local impact, 19–20
  local impact in immediate sense, 20–22
  push, pull, lag, and delay, 23
  as reason for capacity, 18–19
Deming Cycle for Quality Management, 145
Deming Model, 202
denial of access, 30
denial of data, 30
denial of operations, 30
design of objects, 33
DHS, see US Department of Homeland Security (DHS)
disasters, see also natural disasters
  ranked by deaths, 92
  ranked by economic loss, 93
  distribution of number of, 94, 95, 94–96
  recovery from, 60
dissolution, 37–38
due diligence, 237–238

E
economic espionage, 2
electrical grid, 1, 55, 73
electric cars, 41, 72, 233
Electronic Funds Transfers (EFT), 168
Emergency Detour Routes, 24–26
Emergency Diversion Routes, 26
End User License Agreements (EULA), 103
Essential Critical Infrastructure Workforce Guidance, 211
European Programme for Critical Infrastructure Protection, 47

F
Federal Bureau of Investigation (FBI), 32
Federal Energy Regulatory Commission (FERC), 55
firewall, 31
flood control management, 91
flooding, 24, 34, 91, 166, 261
fragility (reliability engineering), 34–35
fragmentation and dissolution of networks, 36–37
Future Energy Jobs Act (FEJA), 59

G
global-centric network, 4
“goldilocks” approach, 225
“Good Samaritan” law, 111
Google, 61, 114
government role, 41–42, 138
green energy, 72

H
Harmonized Threat and Risk Assessment methodology, 99
Homeland Security Act of 2002, 12
hurricane, 8, 25, 92, 183, 259
Hurricanes Katrina and Sandy, 2
hybrid attack, 32
hybridized threat, 39

I
Incident Command System (ICS), 56
information sharing and intelligence, 84–111
  background to context, 87–91
  barriers to information sharing, 108–109
  cloud as amplifier, 101–102
  cloud computing, 99–101
  clouds, 102–105
  concealed conduits, 102–105
  consequence-benefit ratio, 111
  context affecting sensitivity, 91–99
  corporate perspective, 88
  credibility, 86
  data vs. information vs. intelligence, 85–87
  “Good Samaritan” law, 111
  impact, 93
  injury, 91
  Internet-of-Things environment, 90
  linking, trusted computing base, 105–108
  lost revenue, 97
  need-to-know principle, 106
  open-source information, 110
  open sources, rise of, 109–110
  probability, 94
  reliability, 86
  risk management, 89
  sensitivity, categories of, 96
  smartphone, unprotected, 91
  threat assessment, 89
  threat vectors, 90
  thresholds, 95
  user communities, 105–108
  vulnerabilities, 94–95
Information Technology, 98
Infrastructure as a Service (IaaS), 249
intellectual property theft, 2

intelligence, value of, 53
interdependencies, 160–175
  alignment of, 165–168
  business, 164
  change government, 163–164
  cluster of, 168
  Commercial Facilities Sector, 166
  energy, 168–169
  financial, 168–169
  vs. flat networks, 170–173
  government, 164
  Government Facilities Sector, 166
  vs. hierarchical networks, 170–173
  hub-and-spoke network, 170
  Internet of Things, 164–165
  just in time concept, 162
  network capacity, 170
  networked machines, 164–165
  pandemic planning, 161
  perfect storm, 173–174
  regulation, 163–164
  shift, 163–164
  “strong bonds,” 171
  telecommunications, 168–169
  transportation, 168–169
  trends in, 161–163
  vital dependency, 167
  vulnerability, 172
  “weak bond,” 171
  “zero-day” exploits, 165
International Association of Classification Societies (IACS), 114
international frameworks, 45–65
  “air-gap,” 51
  backdoor elimination, 63
  botnet, 61, 63
  cloud environments, information, 54
  competition, 52
  dragons on the map, 45–49
  due diligence checks, 58
  electrical grid, 55, 59
  governments, collaborative roles of, 46
  intelligence, value of, 51–53
  international agreements, 51
  international influence, 49–50
  Internet of Things, 63
  Internet service providers, 62
  IT threat profiles, 53
  lack of credible expertise, 57
  observe-orient-decide-act loop, 56
  passive personality theory, 61
  potential risk or concern, 64–65
  risk management, 51
  security, approach to, 64
  standards organizations, 50
  strategic activities, 49
  target audiences, 54–56
  traditional response, 56–64
  treasure defined, 51
  treasure owners, 49–51
  Universality Theory, 61
International Maritime Organization (IMO), 56
International Ship and Port Facility Security (ISPS) Code, 123
international terrorism, threat of, 12
Internet of Things, 63, 164–165

J
“just in case” system, 163
“just in time” system, 163

L
Leadership in Energy and Environmental Design (LEED), 61
legislation
  107th Congress (2001–2002), 39–40
  108th Congress to 109th Congress, 40
“load shedding,” 22
“lone wolf attacks,” 2

M
malware, 149, 151
mental health issues, 2
Microsoft, 114
mitigation, 39, 40

N
N+1 approach, see System+1 approach
NAFTA agreement, 117
National Electric Reliability Council (NERC), 223
National Institute of Standards and Technology (NIST), 131
National Oceanographic and Atmospheric Agency, 52
National Response Framework (NRF), 47
National Response Plan (NRP), 47
natural disasters, 148, 167, 214, 218, 262
natural fragility, 33
network environment
  expansion, 38
  push, pull, lag, and delay concept in, 23
NIST Cybersecurity Framework (CSF), 13
nongovernmental organizations (NGOs), 4
North American Electric Reliability Corporation (NERC), 8, 55
NRF, see National Response Framework (NRF)
NRP, see National Response Plan (NRP)
Nuclear Energy Institute (NEI), 50

O
observe-orient-decide-act (OODA) model, 54, 182, 261
OmniTrax, 49
open architecture, 38
Operational Technology, 98
overt state involvement, 2
OSI model, 31

P
paradigm shifts, 232–250
  alternative/interim approaches, 248–249
  CIA, 232
  CIP, 232
  clouds, 249–250
  complex adaptive system, 247–248
  critical infrastructure, 249–250
  diligence, 237–238
  duty of care, 238
  energy, 235
  financial sectors, 235
  map dependencies, 245–246
  measurement, 242
  representations, 240
  resilient infrastructure, 239
  small changes, 246
  standard of care, 237–238
  System+1 approach, 243–245
  system thinking, 245–246
  telecommunications, 235
  thinking, structure of, 242
  transportation, 235
performance, see concept of performance
physical security
  architecture, 198–203
  assurance, 195–198
  CIP, 181–184
  commonsense approach, 186
  cooperation, 192
  coordination, 192
  core offices, 179–180
  design-based approach, 186
  hub-and-spoke topography, 205
  infrastructure establishment, 192–195
  line/linear topographies, 205
  mesh topographies, 205
  organization, 191–192
  overall context, 191–192
  performance measurement, 203–204
  robustness, 195–198
  role of, 180–181
  security goal in CIP, 188–191
  security organization, 192–195
  shifts, 204, 204–205
  strategic level architecture, 204–205
  technical specifications, 203–204
  tree topography, 205
Platform as a Service (PaaS), 249
private clouds, 249
private sector
  definition of, 4–6
  with public sector, 71
Process Control Systems (PCS), 56, 98
public clouds, 249
public-private partnerships (P3), 69–81
  balancing points, 78–80
  coming financial crisis, 75–77
  criteria, 71
  critical services, localization of, 76
  definition of, 11, 69–70
  energy sector, 72
  erosion of governance, 77–78
  establishment of new capacity, 73
  maintenance of existing capacity, 73–75
  major arrangements, 71
  overbalanced system, 78
  spectrum, 70–73
  transportation sector, 72
public safety, 118–121
Public Safety Canada, 13
public sector
  definition of, 6–8
  with private sector, 71–72
Public Services and Procurement Canada (PSPC), 178
push, pull, lag, and delay concept
  dissolution of networks, 36–37
  and fragility of systems, 35–36
  in network environment, 23
  relevance to CIP, 22–23
  single event, multiple impacts, 22

R
reliability engineering, 33
resilient critical infrastructure
  aligning standards, 148–149
  alignment with mission, 133–135
  anticipation, concept of, 142
  baselines, 148–149
  cloud services, 156–157
  coercion, concept of, 139–140
  communities, 135–142
  core challenges, 149–150
  core elements of, 142–145
  counterfeits, 153–154
  coupling, concept of, 139–140
  definition of, 131–133
  “Era of Resilience,” 141
  functions in, 142
  gateway, 150–153
  infrastructure, 135–142
  operations, 135–142
  substandard parts, 153–154
  supply chain, 145–148
  third-party risks, 145–148
  vulnerability in home office, 154–156
robustness, concept of, 195–198

S
SCADASEC, 110
Secure Development Life Cycle (SDLC), 197
SecuriTree, 196
semi-automation, definition of, 90
September 11 (2001) attacks, 2, 39
single points of failure (SPOFs), 157
situational awareness, 30
small system level
  dissolution, 28–29
  efforts, 26–27
  influence, 23–26
  interdependency hydra, 27–28
  network fragmentation, 28–29
  research, 26–27
social media, 2, 125, 161–162
Software as a Service (SaaS), 31, 249
solar farms, 22

standard of care, 237–238
strategic-level single point of failure (SPOF), 114
subject-object pairing, 98
subscription-based services, 31
supply chains
  bodies of knowledge associated with, 22
  global, 4
  impact on, 21
  serving infrastructure sectors, 46
  stand-alone systems and, 30
  state actors and, 48
System+1 approach, 243–245

T
tactics, techniques, and processes (TTP), 86
TCB, see trusted computing base (TCB)
TCP/IP, 30
terrorist, 8
  attacks, evolution of, 2
threat(s)
  hybrid, 39
  international terrorism, 12
  spectrum, 2
  understanding of, convergence and, 31–33
  vectors, 32
transportation network, damaged, 16
trusted computing base (TCB), 103

U
Universality Theory, 62
U.S. Department of Commerce, 131
U.S. Department of Homeland Security (DHS), 12–13, 211
U.S. Department of Homeland Security’s Federal Emergency Management Agency (FEMA), 218
U.S. Nuclear Regulatory Commission (NRC), 50

V
vital services, 113–129
  balancing public safety, 118–121
  balancing resilience, 125–127
  business, role of, 116
  business operations, 118–121
  consultation, 121–125
  cooperation or coercion, 121–125
  definition of, 113–114
  financial responsibility, 125–127
  membership, role of, 127–128
  membership vs. competition, 128
  private associations, 127–128
  regulatory oversight, role of, 116–118
  trends creating, 114–116
Voice-over-Internet (VOIP) cluster, 169
Vulnerability Assessments and Penetration Tests (VAPT), 198

Y
Year 2000 (Y2K) issue, 1, 100

Z
“zero COVID,” 5
“zero-day” exploits, 165


