Critical infrastructure : homeland security and emergency preparedness [Fourth edition.] 9781138057791, 1138057797

Table of contents :
Cover
Half Title
Title Page
Copyright Page
Dedication
Table of Contents
Preface
Authors’ Notes
Synopsis
Chapter 1: Introduction to Critical Infrastructure Assurance and Protection
Chapter 2: Demand, Capacity, Fragility, and the Emergence of Networks
Chapter 3: Beyond National Frameworks
Chapter 4: Public-Private Partnerships
Chapter 5: The Reinvention of Information Sharing and Intelligence
Chapter 6: Critical Infrastructure Information
Chapter 7: Supervisory Control and Data Acquisition
Chapter 8: The Evolution of Physical Security
Chapter 9: Insider Threats
Chapter 10: Safeguard Design
Chapter 11: Challenges in Regulatory Oversight
Chapter 12: Interdependencies
Chapter 13: Climate Change
Acknowledgments
Authors
Chapter 1: Introduction to Critical Infrastructure Assurance and Protection
1.1 Introduction
1.2 What Is Critical Infrastructure?
1.3 What Is the Private Sector?
1.4 What Is the Public Sector?
1.5 What Is CIP?
1.6 What Is CIA?
1.7 What Are Public-Private Partnerships?
1.8 Critical Infrastructure Functions
1.9 Evolution of Critical Infrastructure
Chapter 2: Demand, Capacity, Fragility, and the Emergence of Networks
2.1 Introduction
2.2 What Are We Trying to Protect? The Concept of Capacity
2.3 Demand: The Reason for Capacity
2.3.1 The Concept of Performance
2.3.2 Local Impact and the Influence on Capacity
2.3.3 Results of a Local Impact in the Immediate Sense
2.3.4 Relevance to CIP
2.3.5 Push, Pull, Lag, and Delay in the Network Environment
2.4 At the Regional (Small System) Level
2.4.1 Influence at the Small System Level
2.4.2 Current Efforts and Research
2.4.3 The Interdependency Hydra
2.4.4 Network Fragmentation and Dissolution
2.5 Cyberterrorism
2.5.1 The Pendulum of Convergence
2.5.2 Convergence and the Understanding of Threat
2.5.3 Setting the Stage for Fragility
2.5.4 Fragility and Destabilization of Systems
2.5.5 Fragmentation and Dissolution of Networks
2.6 Dissolution and Convergence: An Emerging Risk
2.6.1 Convergence, Network Expansion, Open Architecture, and Common Criteria
2.7 Marking the Journey
2.7.1 Overview
2.7.2 Legislation: 107th Congress (2001–2002)
2.7.3 Legislation: 108th Congress to 109th Congress
2.7.4 The State Today: A Recap
2.7.5 Research and Understanding
2.8 Authors’ Notes
Chapter 3: Beyond National Frameworks
3.1 Introduction
3.2 Meeting the Dragons on the Map
3.3 Who Owns the Treasure?
3.4 What Value?
3.5 Target Audiences
3.6 Expanding Beyond the Traditional Response
3.7 Areas of Potential Risk or Concern
Chapter 4: Public-Private Partnerships
4.1 Introduction
4.2 What Is a Public-Private Partnership (P3)?
4.3 The P3 Spectrum
4.4 Establishment of New Capacity
4.5 Maintenance of Existing Capacity
4.6 The Coming Financial Crisis
4.7 Other Forms of Public-Private Cooperation and the Erosion of Governance
4.8 Balancing Points
4.9 Authors’ Notes
Chapter 5: The Reinvention of Information Sharing and Intelligence
5.1 Introduction
5.2 Data vs. Information vs. Intelligence
5.3 The Importance of Background to Context
5.4 Context Affecting Sensitivity
5.5 Enter the Cloud
5.6 The Cloud as an Amplifier
5.7 Clouds and Concealed Conduits
5.8 Linking the Trusted Computing Base and User Communities
5.9 Barriers to Information Sharing
5.10 The Rise of Open Sources
5.11 Open-Source Information and Intelligence
5.12 An Approach to Information Sharing—The Consequence-Benefit Ratio
Chapter 6: Critical Infrastructure Information
6.1 Introduction
6.2 What Is Critical Infrastructure Information (CII)?
6.3 How Does the Government Interpret CII?
6.4 Exemption 3 of the FOIA
6.5 Exemption 4 of the FOIA
6.6 Section 214 of the Homeland Security Act
6.7 Enforcement of Section 214 of the Homeland Security Act
6.8 What Does “Sensitive but Unclassified” Mean?
6.9 Information Handling Procedures
6.10 Freedom of Information Act
6.11 Need to Know
6.12 “For Official Use Only”
6.13 Enforcement of FOUO Information
6.14 Reviewing Web Site Content
6.15 Export-Controlled Information
6.16 Enforcement of Export-Controlled Information
6.17 Within the Contracting Process
6.18 Enforcement of Source Selection Data
6.19 Privacy Information
6.20 Enforcement of Privacy Information
6.21 Unclassified Controlled Nuclear Information
6.22 Enforcement of UCNI
6.23 Critical Energy Infrastructure Information
6.24 Enforcement of CEII
6.25 Controlled Unclassified Information
6.26 Lessons Learned Programs
6.27 Infragard
6.28 Sensitive Unclassified Nonsafeguards Information (SUNSI)
6.29 Safeguards Information (SGI)
6.30 Authors’ Notes
Chapter 7: Supervisory Control and Data Acquisition
7.1 Introduction
7.2 What Are Control Systems?
7.3 Types of Control Systems
7.4 Components of Control Systems
7.5 Vulnerability Concerns about Control Systems
7.6 Adoption of Standardized Technologies with Known Vulnerabilities
7.7 Connectivity of Control Systems to Unsecured Networks
7.8 Implementation Constraints of Existing Security Technologies
7.9 Insecure Connectivity to Control Systems
7.10 Publicly Available Information about Control Systems
7.11 Control Systems May Be Vulnerable to Attack
7.12 Consequences Resulting from Control System Compromises
7.13 Wardialing
7.13.1 Goals of Wardialing
7.13.2 Threats Resulting from Wardialing
7.14 Wardriving
7.15 Warwalking
7.16 Threats Resulting from Control System Attacks
7.17 Issues in Securing Control Systems
7.18 Methods of Securing Control Systems
7.19 Technology Research Initiatives of Control Systems
7.20 Security Awareness and Information Sharing Initiatives
7.21 Process and Security Control Initiatives
7.22 Securing Control Systems
7.23 Implement Auditing Controls
7.24 Develop Policy Management and Control Mechanisms
7.25 Control Systems Architecture Development
7.26 Segment Networks between Control Systems and Corporate Enterprise
7.27 Develop Methodologies for Exception Tracking
7.28 Define an Incident Response Plan
7.29 Similarities between Sectors
7.30 US Computer Emergency Readiness Team CSSP
7.31 Control Systems Cyber Security Evaluation Tool (CSET)
7.32 SCADA Community Challenges
7.33 The Future of SCADA
7.34 SCADA Resources
7.34.1 Blogs
7.34.2 SCADASEC Mailing List
7.34.3 Online SCADA and SCADA Security Resources
7.35 Authors’ Notes
Chapter 8: The Evolution of Physical Security
8.1 Introduction
8.2 Core Offices Tested
8.3 First Responder
8.4 First Responder Classifications
8.5 Guideline Classifications
8.6 Example: North American Emergency Response Guidebook
8.7 Awareness-Level Guidelines
8.7.1 Recognize Incidents
8.7.2 Basic Protocols
8.7.3 Know Self-Protection Measures
8.7.4 Know Procedures for Protecting Incident Scenes
8.7.5 Know Scene Security and Control Procedures
8.7.6 Know How to Use Equipment Properly
8.8 Performance-Level Guidelines
8.9 Operational Levels Defined
8.10 Level A: Operations Level
8.10.1 Have Successfully Completed Awareness-Level Training
8.10.2 Know ICS Awareness Procedures
8.10.3 Know Self-Protection and Rescue Measures
8.11 Level B: Technician Level
8.11.1 Know WMD Procedures
8.11.2 Have Successfully Completed Awareness and Performance-Level Training
8.11.3 Know Self-Protection, Rescue, and Evacuation Procedures
8.11.4 Know and Follow Procedures for Performing Specialized Tasks
8.11.5 Know ICS Performance Procedures
8.11.6 Planning and Management-Level Guidelines
8.11.7 Successfully Completed Awareness, Performance, and Management Training
8.11.8 Know ICS Management Procedures
8.12 Know Protocols to Secure, Mitigate, and Remove HAZMAT
8.13 Additional Protective Measures
8.14 Understand the Development of the IAP
8.15 Know and Follow Procedures for Protecting a Potential Crime Scene
8.16 Know Department Protocols for Medical Response Personnel
8.17 National Fire Prevention Association 472
8.18 Osha Hazardous Waste Operations and Emergency Response
8.19 Skilled Support Personnel
8.20 Specialist Employee
8.21 DOT HAZMAT Classifications
8.21.1 DOT HAZMAT Class 1: Explosives
8.21.2 DOT HAZMAT Class 2: Gases
8.21.3 DOT HAZMAT Class 3: Flammable Liquids
8.21.4 DOT HAZMAT Class 4: Flammable Solids
8.21.5 DOT HAZMAT Class 5: Oxidizers
8.21.6 DOT HAZMAT Class 6: Toxic Materials
8.21.7 DOT HAZMAT Class 7: Radioactive Materials
8.21.8 DOT HAZMAT Class 8: Corrosive Materials
8.22 Importance of Implementing an Emergency Response Plan
8.23 Authors’ Notes
Chapter 9: The Insider Threat
9.1 Defining the Insider Threat
9.2 Intent and Commitment
9.2.1 What Motivates the Insider Threat?
9.2.2 The Changing Attitude Towards Employment
9.2.3 The Impact on Intent and Commitment
9.3 Knowledge, Skills, Abilities, and Resources
9.3.1 The Ability to Target
9.3.2 The Ability to Lengthen the Breach
9.3.3 The Ability to Abuse Processes
9.4 Proximity and Mobility
9.4.1 Proximity to the Community
9.4.2 Mobility within the Community
9.4.3 The Ability to Camouflage Activities
9.5 The Need for Organizations to Listen, Adapt and Control
9.5.1 Observing
9.5.2 Listening
9.5.3 Adapting
9.5.4 Controlling
9.6 The Alternative Approach to Staffing and Resource Management
9.7 Authors’ Notes
Chapter 10: Safeguard Design
10.1 Responding to the Threat
10.1.1 Understanding Intent
10.1.2 Understanding Capacity, Opportunity and Resources
10.1.3 Understanding Proximity and Mobility
10.2 Focusing the Control (Asset)
10.2.1 The Threat Outcome
10.2.2 Aligning Outcomes to Assets
10.3 Risk Management
10.3.1 Concentrating the Control
10.4 Control Design
10.4.1 Aligning Risk Management and Controls
10.4.2 Integration of the Harmonized Model
10.5 Authors’ Note
Chapter 11: Challenges in Regulatory Oversight
11.1 The Role of Regulatory Oversight
11.2 Balancing Public Safety and Business Operations
11.3 A Critical Challenge in the Regulatory Development Process
11.4 Consultation, Cooperation, or Coercion
11.5 Critical Capacities for Regulators
11.6 Balancing Resilience and Financial Responsibility
11.7 Picking the Right Mechanisms
11.8 The Emerging Role of Private Associations and Membership
11.9 Membership versus Competition?
11.10 Authors’ Note
Chapter 12: Interdependencies
12.1 Looking at the World—A Community
12.2 Current Trends in Business
12.3 The Shift and Change Government and Regulation
12.4 The Blurred Line between Government and Business
12.5 The Rise of the Networked Machines—The Internet of Things (IoT)
12.6 Trends in the Alignment of Interdependencies
12.7 The Emergence of the Key Sectors – Energy, Transportation, Telecommunications, and Financial
12.8 Comparing the Topography of Interdependencies with Flat/Hierarchical Networks
12.9 Conditions for the Perfect Storm
12.10 Authors’ Note
Chapter 13: Climate Change
13.1 The Challenge of a Changing Climate
13.2 Christening the Ground—The Basic Concepts of CIP
13.3 Responding to Longer-Termed Issues
13.4 Integrating Shorter-Termed Challenges of a Changing Climate
13.5 Authors’ Note
Appendix 1
Designated Sector-Specific Agencies and Critical Infrastructure Sectors
Appendix 2
Impacts
Glossary
Index

Citation preview

Critical Infrastructure Homeland Security and Emergency Preparedness Fourth Edition

http://taylorandfrancis.com

Critical Infrastructure Homeland Security and Emergency Preparedness Fourth Edition

Robert Radvanovsky Allan McDougall

CRC Press Taylor & Francis Group 6000 Broken Sound Parkway NW, Suite 300 Boca Raton, FL 33487-2742 © 2019 by Taylor & Francis Group, LLC CRC Press is an imprint of Taylor & Francis Group, an Informa business No claim to original U.S. Government works Printed on acid-free paper International Standard Book Number-13: 978-1-138-05779-1 (Hardback) This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint. Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers. For permission to photocopy or use material electronically from this work, please access www.copyright​ .com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged. Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe. Library of Congress Cataloging-in-Publication Data Names: Radvanovsky, Robert, author. | McDougall, Allan, author. Title: Critical infrastructure : homeland security and emergency preparedness / Robert Radvanovsky and Allan McDougall. Description: Fourth edition. | Boca Raton, FL : CRC Press/Taylor & Francis Group, [2019] | Includes bibliographical references and index. Identifiers: LCCN 2018018467| ISBN 9781138057791 (hardback : alk. paper) | ISBN 9781315164687 (ebook) Subjects: LCSH: Civil defense--United States. | War damage, Industrial--United States. | Emergency management--United States. Classification: LCC UA927 .R34 2019 | DDC 363.34/70973--dc23 LC record available at https://lccn.loc.gov/2018018467 Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

From Bob This book is dedicated to my loving wife, Tammy, who has always supported and been patient with me, especially while this book was being written. From Allan This work is dedicated to my wife, Angela, and those who make great efforts to continuously improve the overall critical infrastructure protection domain. My particular thanks to Martin and those who work across the academic, professional, and practitioner communities to keep our communities and societies safe and secure.

http://taylorandfrancis.com

Contents Preface................................................................................................................ xv Authors’ Notes..................................................................................................xvii Synopsis.............................................................................................................xix Acknowledgments...........................................................................................xxiii Authors............................................................................................................. xxv

1 Introduction to Critical Infrastructure Assurance and Protection.........1

1.1 Introduction.......................................................................................1 1.2 What Is Critical Infrastructure?.........................................................3 1.3 What Is the Private Sector?.................................................................4 1.4 What Is the Public Sector?..................................................................5 1.5 What Is CIP?......................................................................................7 1.6 What Is CIA?.....................................................................................8 1.7 What Are Public-Private Partnerships?.............................................11 1.8 Critical Infrastructure Functions......................................................11 1.9 Evolution of Critical Infrastructure..................................................12

2 Demand, Capacity, Fragility, and the Emergence of Networks.............15 2.1 Introduction.....................................................................................15 2.2 What Are We Trying to Protect? The Concept of Capacity..............15 2.3 Demand: The Reason for Capacity...................................................16 2.3.1 The Concept of Performance................................................16 2.3.2 Local Impact and the Influence on Capacity........................17 2.3.3 Results of a Local Impact in the Immediate Sense...............18 2.3.4 Relevance to CIP.................................................................20 2.3.5 Push, Pull, Lag, and Delay in the Network Environment....20 2.4 At the Regional (Small System) Level...............................................21 2.4.1 Influence at the Small System Level.....................................21 2.4.2 Current Efforts and Research...............................................22 2.4.3 The Interdependency Hydra.................................................23 2.4.4 Network Fragmentation and Dissolution.............................23

vii

viii  ◾ Contents

2.5 Cyberterrorism.................................................................................24 2.5.1 The Pendulum of Convergence............................................26 2.5.2 Convergence and the Understanding of Threat....................27 2.5.3 Setting the Stage for Fragility..............................................29 2.5.4 Fragility and Destabilization of Systems..............................31 2.5.5 Fragmentation and Dissolution of Networks........................31 2.6 Dissolution and Convergence: An Emerging Risk............................32 2.6.1 Convergence, Network Expansion, Open Architecture, and Common Criteria..........................................................33 2.7 Marking the Journey........................................................................33 2.7.1 Overview............................................................................ 34 2.7.2 Legislation: 107th Congress (2001–2002)........................... 34 2.7.3 Legislation: 108th Congress to 109th Congress...................35 2.7.4 The State Today: A Recap....................................................35 2.7.5 Research and Understanding...............................................36 2.8 Authors’ Notes..................................................................................36

3 Beyond National Frameworks...............................................................37

3.1 Introduction.....................................................................................37 3.2 Meeting the Dragons on the Map....................................................37 3.3 Who Owns the Treasure?.................................................................41 3.4 What Value?.................................................................................... 42 3.5 Target Audiences..............................................................................45 3.6 Expanding Beyond the Traditional Response...................................48 3.7 Areas of Potential Risk or Concern...................................................56

4 Public-Private Partnerships...................................................................59

4.1 Introduction.....................................................................................59 4.2 What Is a Public-Private Partnership (P3)?.......................................59 4.3 The P3 Spectrum..............................................................................60 4.4 Establishment of New Capacity........................................................62 4.5 Maintenance of Existing Capacity................................................... 64 4.6 The Coming Financial Crisis............................................................65 4.7 Other Forms of Public-Private Cooperation and the Erosion of Governance..................................................................................67 4.8 Balancing Points...............................................................................69 4.9 Authors’ Notes..................................................................................71

5 The Reinvention of Information Sharing and Intelligence...................73 5.1 Introduction.....................................................................................73 5.2 Data vs. Information vs. Intelligence................................................74 5.3 The Importance of Background to Context......................................75 5.4 Context Affecting Sensitivity............................................................78 5.5 Enter the Cloud................................................................................82

Contents  ◾  ix

5.6 5.7 5.8 5.9 5.10 5.11 5.12

The Cloud as an Amplifier............................................................... 84 Clouds and Concealed Conduits......................................................85 Linking the Trusted Computing Base and User Communities.........87 Barriers to Information Sharing....................................................... 90 The Rise of Open Sources.................................................................91 Open-Source Information and Intelligence......................................92 An Approach to Information Sharing—The Consequence-Benefit Ratio.................................................................................................93

6 Critical Infrastructure Information......................................................95

6.1 Introduction.....................................................................................95 6.2 What Is Critical Infrastructure Information (CII)?..........................96 6.3 How Does the Government Interpret CII?.......................................98 6.4 Exemption 3 of the FOIA...............................................................100 6.5 Exemption 4 of the FOIA...............................................................102 6.6 Section 214 of the Homeland Security Act.....................................102 6.7 Enforcement of Section 214 of the Homeland Security Act............105 6.8 What Does “Sensitive but Unclassified” Mean?..............................106 6.9 Information Handling Procedures..................................................108 6.10 Freedom of Information Act...........................................................109 6.11 Need to Know................................................................................109 6.12 “For Official Use Only”.................................................................. 111 6.13 Enforcement of FOUO Information..............................................112 6.14 Reviewing Web Site Content..........................................................112 6.15 Export-Controlled Information...................................................... 116 6.16 Enforcement of Export-Controlled Information............................. 117 6.17 Within the Contracting Process..................................................... 117 6.18 Enforcement of Source Selection Data............................................ 118 6.19 Privacy Information........................................................................ 119 6.20 Enforcement of Privacy Information..............................................120 6.21 Unclassified Controlled Nuclear Information.................................121 6.22 Enforcement of UCNI....................................................................122 6.23 Critical Energy Infrastructure Information....................................122 6.24 Enforcement of CEII......................................................................123 6.25 Controlled Unclassified Information..............................................123 6.26 Lessons Learned Programs..............................................................125 6.27 Infragard........................................................................................125 6.28 Sensitive Unclassified Nonsafeguards Information (SUNSI)..........126 6.29 Safeguards Information (SGI)........................................................127 6.30 Authors’ Notes................................................................................127

7 Supervisory Control and Data Acquisition.........................................129

7.1 Introduction...................................................................................129 7.2 What Are Control Systems?............................................................129

x  ◾ Contents

7.3 7.4 7.5 7.6

Types of Control Systems...............................................................131 Components of Control Systems....................................................131 Vulnerability Concerns about Control Systems..............................132 Adoption of Standardized Technologies with Known Vulnerabilities................................................................................133 7.7 Connectivity of Control Systems to Unsecured Networks..............134 7.8 Implementation Constraints of Existing Security Technologies......134 7.9 Insecure Connectivity to Control Systems......................................136 7.10 Publicly Available Information about Control Systems...................136 7.11 Control Systems May Be Vulnerable to Attack...............................137 7.12 Consequences Resulting from Control System Compromises.........138 7.13 Wardialing.....................................................................................138 7.13.1 Goals of Wardialing...........................................................139 7.13.2 Threats Resulting from Wardialing....................................140 7.14 Wardriving.....................................................................................140 7.15 Warwalking.................................................................................... 141 7.16 Threats Resulting from Control System Attacks.............................141 7.17 Issues in Securing Control Systems.................................................142 7.18 Methods of Securing Control Systems............................................143 7.19 Technology Research Initiatives of Control Systems....................... 145 7.20 Security Awareness and Information Sharing Initiatives.................146 7.21 Process and Security Control Initiatives.........................................147 7.22 Securing Control Systems...............................................................149 7.23 Implement Auditing Controls.........................................................149 7.24 Develop Policy Management and Control Mechanisms.................150 7.25 Control Systems Architecture Development...................................150 7.26 Segment Networks between Control Systems and Corporate Enterprise...............................................................150 7.27 Develop Methodologies for Exception Tracking............................. 151 7.28 Define an Incident Response Plan.................................................. 151 7.29 Similarities between Sectors........................................................... 152 7.30 US Computer Emergency Readiness Team CSSP........................... 152 7.31 Control Systems Cyber Security Evaluation Tool (CSET)..............154 7.32 SCADA Community Challenges....................................................156 7.33 The Future of SCADA.................................................................... 157 7.34 SCADA Resources.......................................................................... 158 7.34.1 Blogs.................................................................................. 158 7.34.2 SCADASEC Mailing List.................................................. 158 7.34.3 Online SCADA and SCADA Security Resources.............. 159 7.35 Authors’ Notes................................................................................ 159

Contents  ◾  xi

8 The Evolution of Physical Security...................................................... 161 8.1 Introduction................................................................................... 161 8.2 Core Offices Tested........................................................................162 8.3 First Responder..............................................................................168 8.4 First Responder Classifications.......................................................170 8.5 Guideline Classifications................................................................170 8.6 Example: North American Emergency Response Guidebook.........171 8.7 Awareness-Level Guidelines............................................................172 8.7.1 Recognize Incidents...........................................................173 8.7.2 Basic Protocols...................................................................173 8.7.3 Know Self-Protection Measures......................................... 174 8.7.4 Know Procedures for Protecting Incident Scenes...............175 8.7.5 Know Scene Security and Control Procedures................... 176 8.7.6 Know How to Use Equipment Properly.............................177 8.8 Performance-Level Guidelines........................................................178 8.9 Operational Levels Defined............................................................178 8.10 Level A: Operations Level...............................................................179 8.10.1 Have Successfully Completed Awareness-Level Training....179 8.10.2 Know ICS Awareness Procedures.......................................180 8.10.3 Know Self-Protection and Rescue Measures....................... 181 8.11 Level B: Technician Level...............................................................182 8.11.1 Know WMD Procedures...................................................182 8.11.2 Have Successfully Completed Awareness and Performance-Level Training........................................183 8.11.3 Know Self-Protection, Rescue, and Evacuation Procedures................................................184 8.11.4 Know and Follow Procedures for Performing Specialized Tasks...............................................................186 8.11.5 Know ICS Performance Procedures...................................188 8.11.6 Planning and Management-Level Guidelines.....................189 8.11.7 Successfully Completed Awareness, Performance, and Management Training................................................190 8.11.8 Know ICS Management Procedures..................................190 8.12 Know Protocols to Secure, Mitigate, and Remove HAZMAT....... 191 8.13 Additional Protective Measures......................................................193 8.14 Understand the Development of the IAP........................................193 8.15 Know and Follow Procedures for Protecting a Potential Crime Scene...................................................................................194 8.16 Know Department Protocols for Medical Response Personnel.......195 8.17 National Fire Prevention Association 472.......................................195

xii  ◾ Contents

8.18 8.19 8.20 8.21

Osha Hazardous Waste Operations and Emergency Response.......196 Skilled Support Personnel...............................................................197 Specialist Employee........................................................................197 DOT HAZMAT Classifications....................................................198 8.21.1 DOT HAZMAT Class 1: Explosives.................................199 8.21.2 DOT HAZMAT Class 2: Gases........................................199 8.21.3 DOT HAZMAT Class 3: Flammable Liquids...................199 8.21.4 DOT HAZMAT Class 4: Flammable Solids.....................199 8.21.5 DOT HAZMAT Class 5: Oxidizers..................................199 8.21.6 DOT HAZMAT Class 6: Toxic Materials........................ 200 8.21.7 DOT HAZMAT Class 7: Radioactive Materials.............. 200 8.21.8 DOT HAZMAT Class 8: Corrosive Materials................. 200 8.22 Importance of Implementing an Emergency Response Plan...........201 8.23 Authors’ Notes................................................................................201

9 The Insider Threat...............................................................................203 9.1 9.2

9.3

9.4

9.5

9.6 9.7

Defining the Insider Threat............................................................203 Intent and Commitment............................................................... 204 9.2.1 What Motivates the Insider Threat?.................................. 204 9.2.2 The Changing Attitude Towards Employment...................205 9.2.3 The Impact on Intent and Commitment............................205 Knowledge, Skills, Abilities, and Resources................................... 206 9.3.1 The Ability to Target..........................................................207 9.3.2 The Ability to Lengthen the Breach...................................207 9.3.3 The Ability to Abuse Processes.......................................... 208 Proximity and Mobility................................................................. 208 9.4.1 Proximity to the Community........................................... 208 9.4.2 Mobility within the Community.......................................209 9.4.3 The Ability to Camouflage Activities.................................210 The Need for Organizations to Listen, Adapt and Control.............210 9.5.1 Observing..........................................................................212 9.5.2 Listening............................................................................212 9.5.3 Adapting............................................................................213 9.5.4 Controlling........................................................................ 214 The Alternative Approach to Staffing and Resource Management.... 215 Authors’ Notes................................................................................216

10 Safeguard Design................................................................................217

10.1 Responding to the Threat............................................................... 217 10.1.1 Understanding Intent......................................................... 218 10.1.2 Understanding Capacity, Opportunity and Resources...... 220 10.1.3 Understanding Proximity and Mobility............................ 222

Contents  ◾  xiii

10.2 Focusing the Control (Asset)..........................................................224 10.2.1 The Threat Outcome..........................................................224 10.2.2 Aligning Outcomes to Assets.............................................225 10.3 Risk Management..........................................................................227 10.3.1 Concentrating the Control................................................ 228 10.4 Control Design.............................................................................. 228 10.4.1 Aligning Risk Management and Controls......................... 228 10.4.2 Integration of the Harmonized Model...............................232 10.5 Authors’ Note................................................................................ 234

11 Challenges in Regulatory Oversight...................................................235 11.1 The Role of Regulatory Oversight...................................................235 11.2 Balancing Public Safety and Business Operations...........................237 11.3 A Critical Challenge in the Regulatory Development Process........240 11.4 Consultation, Cooperation, or Coercion.........................................241 11.5 Critical Capacities for Regulators.................................................. 244 11.6 Balancing Resilience and Financial Responsibility........................ 246 11.7 Picking the Right Mechanisms.......................................................248 11.8 The Emerging Role of Private Associations and Membership.........249 11.9 Membership versus Competition?...................................................249 11.10 Authors’ Note.................................................................................250

12 Interdependencies................................................................................251 12.1 12.2 12.3 12.4 12.5

Looking at the World—A Community..........................................251 Current Trends in Business.............................................................252 The Shift and Change Government and Regulation.......................254 The Blurred Line between Government and Business.....................255 The Rise of the Networked Machines—The Internet of Things (IoT)...............................................................................256 12.6 Trends in the Alignment of Interdependencies...............................256 12.7 The Emergence of the Key Sectors – Energy, Transportation, Telecommunications, and Financial...............................................259 12.8 Comparing the Topography of Interdependencies with Flat/Hierarchical Networks....................................................261 12.9 Conditions for the Perfect Storm....................................................265 12.10 Authors’ Note................................................................................ 266

13 Climate Change...................................................................................267 13.1 13.2 13.3 13.4 13.5

The Challenge of a Changing Climate............................................267 Christening the Ground—The Basic Concepts of CIP...................269 Responding to Longer-Termed Issues.............................................271 Integrating Shorter-Termed Challenges of a Changing Climate......277 Authors’ Note.................................................................................292

xiv  ◾ Contents

Appendix 1...................................................................................................295 Appendix 2...................................................................................................301 Glossary.......................................................................................................305 Index............................................................................................................ 311

Preface By failing to prepare, you are preparing to fail. Benjamin Franklin This fourth edition represents a culmination of research activity that has gone on over the past several years and builds upon previous editions. The intent of presenting the materials in this book is to represent the significant strides and changes made in understanding the fundamentals behind securing, protecting, and safekeeping the operations of our world’s infrastructures—their relevant industries, their landmarks, as well as their national assets—that are considered critically vital to the continued economic success and operation of our society. From the time that the first edition of this book was conceived to present day, the importance of identifying what is critical to our society—worldwide—has evolved into new perspectives to many countries throughout the world. As nations explore their response to the critical infrastructure protection challenge, we have seen a shift from the hard postures of robustness and force protection to more fluid postures associated with resiliency and the establishment of redundant infrastructure. While this effort continues, the domain is also seeing increased attention being paid to the interaction between the physical, cyber, and various forms of control and automation systems that are integrated into this infrastructure. While most will recognize the strides being made in communications technology, communities may well want to be prepared for a paradigm shift as quantum computing and processing is now visible on the horizon. Similarly, the boundaries between physical, cyber, and procedural controls is becoming increasingly blurred new technology enables both those protecting infrastructure and those attacking it. What is becoming more apparent is that if certain nations want to retain their competitive advantage or position in the world’s international hierarchy, they need to become far more resilient and creative in their thinking so that they can identify new opportunities for efficiency. Otherwise, their current efforts to protect their infrastructure will have the unintended consequence of stifling their industries and economic engines, causing the nation to ultimately fail in its overall goal to protect its international position, citizens, economies, and sovereignty.

xv

xvi  ◾ Preface

Facing this challenge will require the full security domain (not just government, industries or individuals) to break the silos that continue to permeate the security industry. This will require updates in the doctrines of all security domains (including physical security and information technology) as well as a significant effort in modernizing the training materials and approaches used to develop those communities. Since the initial inception of this book, there have been significant strides in efforts of safeguarding the operations of our world’s infrastructures. This edition represents further developments since the third edition of this book appeared.

Authors’ Notes This publication offers an aid in maintaining professional competence, with the understanding that the authors, editor, and publisher are not rendering any legal, financial, or any other professional advice. Due to the rapidly changing nature of the infrastructure security industry, the information contained within this publication will become outdated, and therefore the reader should consider researching alternative or other professional or more current sources of authoritative information. The significant portion of this publication was based on research conducted over several years from a plethora of government and public domain resources, publications, and Internet-accessible websites, some of which may no longer be publicly available or may have been restricted due to laws enacted by a particular country’s government. The views and positions taken in this book represent the considered judgment of the authors and editor. They acknowledge with gratitude any input provided and resources offered that contributed to this book. To those who have contributed to the book’s strengths and characteristics, we thank you for your contributions and efforts. For any inconsistencies that may be found, we alone share and accept the responsibility for them and will gladly make corrections as needed. One additional note concerns the evolutionary process that we are witnessing within this industry. We are seeing a shift from the force-protection doctrine that concentrates on the protection of vital nodes and infrastructure to a doctrine that relies more heavily on the assurance of critical services and establishing and then maintaining resilient networks. Realistically, private citizens, corporations, and governments alike all see the flow of services and goods, such as electricity, drinkable water, etc., as a service; we turn on a light switch or a faucet, and it just works, and we do not concern ourselves much with the route that the service or product takes to get to its final destination. This paradigm shift is being driven by the continuously evolving threats and the realization of increasing costs associated with the force-protection doctrine’s relatively reactive approach to risk management. In an effort to keep the references available for the readers, we have provided a set of “snapshot of the website” links for all government and public domain website references. As these website references change, become deleted, etc., it is important that readers know what the references were at the time of the writing of this book. xvii

xviii  ◾  Authors’ Notes

This will ensure that those references are “frozen in time,” and will not be changed or altered in any fashion whatsoever. We consider this a value-added feature to this book, and invite you to review those website references now in case they become unavailable over time. You may access this information via a dedicated website at http://cipbook.infracritical.com.

Synopsis This book is divided into thirteen chapters, each of which deals with a specific evolution within the critical infrastructure domain. These chapters are intended to stand alone but present information and build on the third edition.

Chapter 1: Introduction to Critical Infrastructure Assurance and Protection This chapter provides the basis for the entire book and what is described in some of the historical backgrounds of critical infrastructure, and why it is important to society. There are some terms and definitions covering a brief synopsis of the intent of this book and what is to be expected from critical infrastructure assurance and protection specialists and professionals.

Chapter 2: Demand, Capacity, Fragility, and the Emergence of Networks This chapter is more theoretical than most in that it identifies an emerging trend in thinking rather than describing some of the changes in the strategic infrastructure that have taken place since the first edition appeared. At the time of the first edition, much of the focus on critical infrastructure protection efforts was at the very local level—how to protect key facilities. Recent infrastructure issues have highlighted the fact that this infrastructure is subject to impacts that can flow along interdependencies and also disruptions within its networked environment. This chapter reflects that current trend.

Chapter 3: Beyond National Frameworks In March 2008, the Department of Homeland Security (DHS) created the National Response Framework (NRF), which is a guide to conduct all-hazards xix

xx  ◾ Synopsis

responses—from the smallest incident to the largest catastrophe. This key document establishes a comprehensive national, all-hazards approach to domestic incident response. The framework identifies the key response principles, roles, and structures that organize national response. This chapter revises the current US-based framework and expands into a more globalized context.

Chapter 4: Public-Private Partnerships This chapter discusses the relationships between governments (public sector) and corporate entities (private sector). The reader should understand that the divide between the public and private sectors is becoming more gray and flexible through the concept of public-private partnerships.

Chapter 5: The Reinvention of Information Sharing and Intelligence This chapter outlines the shift from the concept of the need to know to the concept of the need to share, and how it affects the movement of information between organi­ zations and the nature of the controls that need to be in place in order to share information. By comparing regimes that are based upon restrictive principles (need to know), and the challenges that have arisen in that approach, to the concept of the ability to have information flowing freely within trusted clouds, it will become clear that the current approach toward information security needs to evolve.

Chapter 6: Critical Infrastructure Information Critical infrastructure is largely owned by the private sector, yet the administrative checks and balances are tailored toward government and public institutions. This chapter looks at the current challenges associated with establishing a trusted network across various sectors and how the current approach to oversight constitutes a significant vulnerability to the concept of critical infrastructure assurance. It will also look at models of how information can be categorized and communicated within trusted communities to better assure the public-private relationship. This chapter outlines and attempts to summarize all classifications of information that would apply to critical infrastructures. Additionally, any legal ramifications and enforcement capabilities, along with the definition of the term critical infrastructure information, are outlined.

Synopsis  ◾  xxi

Chapter 7: Supervisory Control and Data Acquisition This chapter discusses control systems used within and throughout just about every sector. Control systems consist of two subset topics: distributed control systems, which are the distribution mechanisms of a large geographical area, and supervisory control and data acquisition (SCADA) systems, which are devices that interface with non-computing functions that are critical to that sector (value control, switch control, flow metering, etc.). This chapter also discusses some of the current challenges faced with SCADA and control systems security-related issues, and how to possibly address them.

Chapter 8: The Evolution of Physical Security This chapter discusses changes arising from a level of confusion when discussing emergency management. For those with a national perspective, emergency management may focus on the national response plans that bring together various levels of government and outside entities in response to major events. Within the asset protection and security community, this has been confused in several organizations with emergency management that focuses on the contingency plans used to protect personnel, assets, and operations within an organization’s facilities (ranging from campuses to individual buildings).

Chapter 9: Insider Threats The insider threat has become significantly more present in critical infrastructures sectors, ranging from information leaks to the granting of access. This chapter discusses the issue between the potential for conflict between the enhanced use of business assets for personal use, the use of personal assets for business use, and the need to monitor and control individual activity.

Chapter 10: Safeguard Design Given the challenges associated with security screening (time and privacy, difficultto-detect threats), physical security (costs, complexity) and business continuity (also costs and complexity), we look at the approach to these elements within a protective system. This chapter reviews the shift from purely preventive controls to those that blend in aspects such as supervision, detection of suspicious activity, and similar changes.

xxii  ◾ Synopsis

Chapter 11: Challenges in Regulatory Oversight During the time of the third edition, the governments had essentially set down requirements for private industry but were also beginning to divest infrastructure providing critical services. Today, we are seeing examples of a clash of cultures between the needs of regulators and the needs of industry. Using case studies, this chapter examines some of the issues that may arise when the relationship between government and industry falls out of balance or is not well formed before being put back into operation. This chapter also expands upon some of the regulatory challenges that become apparent in this clash, including in performance-based regulatory approaches.

Chapter 12: Interdependencies At the time of the third edition, societies were treating critical infrastructure sectors as interdependent but connected systems. What has evolved since that edition is that these interdependences are far deeper across sectors to the point that we not only see less division between sectors but also a stratification of sectors. This chapter looks at how the influences of government, business operations, and new technology have begun to create super-sectors. By looking at the relationship between sectors along interdependent lines, we can begin to better map the flow of impacts across sectors and through society.

Chapter 13: Climate Change While there is still debate within certain circles regarding the specifics of climate change, there are certain facts that can be recognized. Urbanization along coastal and littoral areas needs to consider the changes in the world’s oceans. Building architects and engineers face increasing uncertainty in the weather conditions that they may face as a result of more intense or rapidly changing weather patterns. Within the concept of environmental and cyclical fragility, these changes can have a profound effect on the planning, design, implementation, and maintenance of infrastructure. Similarly, strains on various emergency management and response capabilities are causing a shift not only in the protection of populations but in the local capacities that need to be maintained to assure the continuity of services.

Acknowledgments Some materials used in this book were taken in part or in their entirety from several very reliable and useful sources. Any information that may appear to be repetitive in its content from those sources was taken to provide a more introspective perception of what defines critical infrastructure assurance. The authors, editor, and publisher thank the following organizations for their contributions of references and materials: US Department of Homeland Security (www.dhs.gov) Federal Emergency Management Agency (FEMA), which is part of the US Department of Homeland Security’s National Preparedness Directorate (www.fema.gov) US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ics-cert.us-cert.gov) Public Safety Canada (www.publicsafety.gc.ca)

xxiii

http://taylorandfrancis.com

Authors Robert Radvanovsky is an active professional in the United States with knowledge in security, risk management, business continuity, disaster recovery planning, and remediation. He has significantly contributed toward establishing several certification programs, specifically on the topics of critical infrastructure protection and critical infrastructure assurance. Robert has special interest and knowledge in matters of critical infrastructure and has published a number of articles and white papers regarding this topic. Although he has been significantly involved in establishing security training and awareness programs through his company, Infracritical, his activities include working for several professional accreditation and educational institutions on the topics of homeland security, critical infrastructure protection and assurance, and cyber security. He is the owner of the SCADASEC mailing list for SCADA and control systems security discussion forums, while working as an active participant with the several US Department of Homeland Security Critical Infrastructure Protection Advisory Council (CIPAC) working groups. Additionally, he has written numerous books pertaining to critical infrastructure protection and assurance, homeland security, policy management, information security and privacy, infrastructure protection law, regulatory and compliance standards for cyber security, cybercrime, transportation systems security, industrial control systems’ security, and more. He has co-authored with Allan McDougall on the Critical Infrastructure: Homeland Security and Emergency Preparedness (Second and Third Edition) and the Transportation Systems Security books, as well as coauthored/co-edited with Jacob Brodsky on the Handbook of SCADA/Control Systems Security (First and Second Edition) books. Allan McDougall is the Executive Vice President of Knowledge Advancement Solutions in Ottawa, Ontario, Canada. A seasoned asset protection and security practitioner, he has over 25 years between military, public sector, and private sector experience, in addition to being highly active within the research community. A former combat engineer, his approach to problem solving can be described as pragmatic. His public-sector experience has included service in the National Coordinator Security Policy and Projects at the Department of Fisheries and xxv

xxvi  ◾ Authors

Oceans, senior positions within the Fleet Security organization of the Canadian Coast Guard, the senior inspector for ports and marine facilities, and as the manager and technical authority for physical security at the Canada Border Services Agency. Allan is highly active in several professional capacities. A member of the ASIS International Physical Security Council, he has been recognized within that association for his efforts to promote personal and professional development amongst practitioners. He has also been involved in the development of several international standards associated with human rights, workplace violence, and infrastructure assurance. He is currently actively involved in international efforts associated with the future of cyber security in the maritime domain and the evolving need for certification and accreditation. Allan holds several professional certifications, including the Professional in Critical Infrastructure Protection, the Certified Master Anti-Terrorism Specialist, the Computer and Information Systems Security Professional, the Certified Protection Professional, and the Physical Security Professional. In addition to his three other co-authored works, he has been published in several trade association publications and spoken at several educational sessions, ranging from local colleges to the National Defense University in Washington, DC.

Chapter 1

Introduction to Critical Infrastructure Assurance and Protection 1.1 Introduction Critical infrastructure protection (CIP) is a topic that is now beginning to span generations. The basic concept of critical infrastructure protection finds its roots in concepts such as vital point protection that can cast back several thousand years with the protection of key shelter points, food stores, and other features such as water sources. Those involved in the planning of conflicts extended this to such infrastructure as food, water, ammunition, fuel and equipment. Civil infrastructure followed the same course, with the need for protecting vital points gradually expanding from vital points to the protection of distributed infrastructure (such as transportation, telecommunications, water, and other networks) to the more holistic protection of critical services described in previous editions. Some will remember the year 2000 (Y2K) issue as an emerging crisis that was one of the first clear examples of this expansion, involving the surveys of several critical infrastructures (such as the electrical grid) in preparation for the possible disruption of services that included power, communications, financial services, and transportation. For others, the issue began shortly after the attacks on September 11, 2001. While acts of terrorism have continued, other threats such as severe weather, climate change, and cyber threats and others have re-emerged and the threat spectrum has again broadened to cover a more holistic approach. What this book addresses is a fundamental shift in how we look at CIP—changing the approach from one that can

1

2  ◾  Critical Infrastructure

be described as a series of connected, consecutive mad dashes to one that better approximates a marathon. Within recent (albeit growing more distant) memory, the mad dashes began with Y2K when the situation became dire enough that airline executives had to board aircraft to fly across 0 hour in order to demonstrate that their planes were still safe. While Y2K caused concerns at a technical level, it represented on narrow band on the overall threat spectrum The attacks of 9/11 broadened the focus to include terrorist attacks while natural disasters around the world and including Hurricanes Katrina and Sandy at home broadened it even further. Populations have become less confident that critical services can be protected and delivered at all times. Since the last edition, however, the threat spectrum itself has changed. The various categories of events have broadened. Terrorist attacks have evolved from the actions of small groups, to coordinated efforts (such as ISIS) using internal resources to ideologically inspired events where individuals have carried out “lone wolf attacks” not because of their membership within a group but as a result of their being inspired to such events by messages carried through various media services (ranging from the internet enabled to traditional media). The spectrum has also changed in terms of the pace of events. While threats were often looked at in a manner that would align with the preparedness measures (a single natural disaster), the sheer scope of certain challenges like climate change and the complexity of these kinds of issues have perhaps broadened this beyond thinking largely at the preparedness phase of the Emergency Management cycle to include thinking more aligned with the mitigation level. While what might be described as the breadth and depth of the challenge has increased, so has the nature of those involved. While the issue of critical infrastructure protection involved significant resources for the Y2K challenge, these focused on narrower groups of technical and government teams. This broadened to include various other security domains quickly and has further evolved to include many traditional and social sciences as sources of conflict and the sources of changes within complex systems are sought and explored. As these groups have expanded and evolved, so have the methods used to examine this domain and its associated challenges. As one examines the community now engaging this challenge, not all the changes have been positive. While governments, academic institutions, and private sector entities have continued to take up the challenge, there has been an increasing politicization of the issue, notably through those that have tainted scientific and critical issues in order to promote political and other interests. The security community has not been immune to this. In short, the issue of critical infrastructure protection which once resided in the public domain has expanded to become its own business line and, like any other business line, there are those that continue to attempt to serve the public interest while others have identified the issue as a potentially lucrative source of funds. As a result, the data, information, and intelligence

Introduction to Critical Infrastructure Assurance and Protection  ◾  3

associated with climate change has become tainted through communications and spin-doctoring, meaning all conclusions must be put under a far more critical eye.

1.2 What Is Critical Infrastructure? The term critical infrastructure refers to assets of physical and logical systems that are essential to the minimum operations of the economy and government. This much, at least, has not changed. They include, but are not limited to, telecommunications, energy, banking and finance, transportation, water systems, and emergency services, both governmental and private. As these systems become further interconnected, we see two major trends becoming apparent. The first trend involves the pace at which technology evolves. This is not a constant around the world, and as time progresses, we continue to see examples of certain societies and communities progressing at different rates and the emerging challenges associated with the replacement of aging infrastructure. The second trend involves understanding that the specific elements that make up a critical infrastructure are not constant across all communities and may be subject to physical, sociological, and cultural factors. As a result, CIP practitioners need to understand the contexts (economic, environmental, cultural, and political) within which critical infrastructures can be found. Thus, due to advances in information technology and efforts to improve efficiencies in these systems, infrastructures have become increasingly automated and interlinked. These improvements have created new vulnerabilities relating to equipment failure, human error, weather and other natural causes, as well as physical and computer-related attacks. Over the past decade, various levels of government have been held responsible for the protection of their own infrastructure. As the world moves inexorably toward a global-centric network, we are seeing levels of government, along with the private sector, and even individual citizens, having responsibilities take a more global approach. It is not unusual for individuals to call service centers halfway around the world to assist them with their networking difficulties. At the same time, global supply chains require that private entities become much more aware of events around the world that can affect the resilience of their supply chains. What this means is that local efforts that were seen as manageable, if somewhat uncomfortable, have grown exponentially into international “monsters.” As a result, the previous process associated with critical infrastructure assurance has grown in scope from consistent testing and evaluation of local infrastructures to one that is at its beginning of understanding the vast influences that operate at a much more global level. This has changed the playing field—significantly—from one where the edicts coming from national capitals are now the second step in a much grander process that involves balancing of international interests and priorities with national responsibilities.

4  ◾  Critical Infrastructure

1.3 What Is the Private Sector? The private sector of a nation’s economy consists of those entities not controlled by the state, such as private firms and companies, corporations, private banks, nongovernmental organizations (NGOs), etc.1 Many nations have entities that are established to deal with the private sector. Often these are linked to applying requirements or to the contracting arrangements that can be made between the government and the private sector. What needs to be understood here is how controls differ between the two. The private sector entity may influence laws or government policy, but does not have the authority to set that policy. The policy controls which are often referred to in today’s asset protection community are management decisions that remain largely constrained to its own persons, assets, and operations. Even in arrangements where the government delegates work, it is always done under the oversight of some legal mechanism. The private sector may also have to respond to authorities that are outside of the nation—such as those imposed on it by parent companies, partners, or even financial institutions. This can lead to a level of complexity when attempting to determine what the requirements being placed on the private sector actually are. The second aspect to remember about the private sector is the nature of its finances. Regardless of good intentions and public messaging, the private sector entity seeks to generate wealth. In return for some consideration, companies that operate for-profit business models tend to seek to increase that wealth, while those that operate not-for-profit business models attempt to balance their cash flows with their operations. In short, decisions are made with a very clear understanding that there are financial risks involved. This financial risk is also different than that of the government. The government operates on a fiscal year that allows for budgets to be reset to a starting point and also has a significant ability to determine its level of debt, although the past few years have seen a pressure on government financial controls to reduce waste and limit spending, resulting in a similar decline in resources in, or even elimination of, some activities. The private sector does not have this. Budgets are linear in that if money out is greater than money in, then eventually the company will first go into debt, then insolvency, and then finally cease to exist. This has a profound effect on how organizations look at their budgets and new requirements—the government may see issues in terms of “costs of doing business,” while the private sector may interpret those new measures as another step on the road toward “going out of business.” 1

FEMA Emergency Management Institute, US Department of Homeland Security Federal Emergency Management Agency, Principles of Emergency Management Supplement, p. 5, released September 11, 2007; http://training.fema.gov/EMIWeb/edu/08conf/Emergency%20 Management%20Principles%20Monograph%20Final.doc (alt URL: http://cipbook.infracritical​ .com/book3/chapter1/ch1ref10.doc).

Introduction to Critical Infrastructure Assurance and Protection  ◾  5

With increases in globalization, differences in the competitive playing field can either exacerbate this challenge or mitigate it. In the context of critical infrastructure assurance (making sure it’s there), we need to take a whole-picture approach to this issue. If competition is based on lowest dollar value or even best dollar value approaches, entities operating within those states with lower costs of production are able to market their goods or services globally at a lower cost. This is a major issue associated with issues such as outsourcing or offshore production that, while reducing financial issues and fostering a competitive position on the surface, may actually result in a condition where various sectors begin to lose control over their supply chains. What is important to understand here is that the management of the company makes these decisions in the private sector unless they are constrained through regulation or law or by being aware of issues that could arise, such as damage to brand (stock value).

1.4 What Is the Public Sector? The public sector consists of government-owned or government-controlled corporations, as well as government monetary institutions.2 This includes the various entities (often organized into departments, agencies, commissions, authorities and so forth) that receive funding through the legislation that enables government organization of funds and that derive their authority from enabling legislation. These can be organized at various levels in both the United States (federal, district, state, municipal and tribal) as well as Canada (federal, provincial/territorial, tribal nations and municipal) with it being important to note that each wields its own influence on the population. In these structures, there are three significant trends. First, the balancing of budgets have often been at the expense of lower levels of government through a process called downloading where the higher level of government forces costs onto the lower level of government and ultimately onto the taxpayer. While this practice helps balance the budget of the higher level of government, it places a strain on government levels beneath it and should be viewed in terms of the rebalancing of accounts as opposed to the fixing of issues. The second involves the concept of divestment. This practice involves the government restricting both its internal and outsourced operations that it considers undesirable due to costs or complexity. This, however, can have consequences, such as recently illustrated by the divestment of the Port of Churchill in Canada that ultimately led to its closure a short time 2

National Archives (United Kingdom), Cabinet Papers 1915–1978, the International Monetary Fund and Bretton Woods Conference; http://www.nationalarchives.gov.uk/cabinetpapers​ /themes/bretton-woods-conference.htm (alt URL: http://cipbook.infracritical.com/book3​ /chapter1/ch1ref4.pdf).

6  ◾  Critical Infrastructure

after—costing Canada one of the shortest routes into Europe and the local community its major employer.3 Third, there is also a rise in the apparent importance of first nations government organizations, particularly when dealing with major infrastructure projects and in partnership with the federal and provincial governments. Public sector entities may be involved in two major functions. The first function is regulating the behavior of those persons or entities that fall within their jurisdiction. This is accomplished through legal tools that may include laws, regulations, rules, measures, or a direction of current trends that would side more so towards an increased reliance on regulation as opposed to legislation. Compliance with any of these is considered mandatory in the eyes of the state, and breaches of compliance may result in penalties ranging from financial penalties to significantly something more severe. The increasing use of regulation and other structures that fall under administrative law has a significant impact on how the government enforces its requirements on the population. While criminal code infractions in Canada and the United States are governed through the Bill of Rights (United States) and Charter of Rights and Freedoms (Canada), regulatory enforcement is conducted through tribunals that differ significantly. Within the domain of critical infrastructure protection, it is far more likely that an organization would face an administrative action (such as an Administrative Monetary Penalty or AMP) imposed through an inspector under regulation rather than a criminal charge, although the latter may still remain available, this option would be used only under the severest of conditions.4 The concept of jurisdiction is also important, particularly when looking at issues that involve international operations—such as shipping. In these cases, the mechanism by which the state generates its requirements often involves participation in groups of various sizes and whose decision-making processes are guided by consensus that is taken back to the various national governments. Depending on the nature of the international group within which the nation-state is participating, The Port of Churchill sat on a great circle that was one of the shortest to the European market. The Port had been identified as being strategically important in the opening of the Arctic to economic activity but had continued in decline. The divestment and ultimate closure of the Port, including some commentary on the impact can be found at http://www.cbc.ca​ /news​/canada/manitoba/port-churchill-layoffs-1.3694830 and http://www.cbc.ca/news/canada​ /thunder-bay/churchill-port-closure-thunder-bay-1.3697342. 4 Criminal courts involve the police laying specific charges with the state (used generically) then laying a charge and introducing evidence to support that charge in the court. This evidence must provide beyond a reasonable doubt that the individual is, in fact, guilty within administrative law, the Administrative Monetary Penalty is laid through the inspector’s department or agency and the onus is on the individual to contest it through an administrative tribunal which bases its decision on a balance of probabilities. While administratively less burdensome, one might also have concerns regarding the shift in the presumption of innocence that would shift between the two systems—the criminal system requiring the state to prove guilt while the organization must defeat a penalty in administrative court of continue to face the impacts of the enforcement action. 3

Introduction to Critical Infrastructure Assurance and Protection  ◾  7

the laws and regulations that it passes may be constrained in terms of operating within the constraints of the consensus of the international group or body. This leads to the second function, which is the protection of people, property, and operations under its care. This often operates hand-in-hand with the former as many regulations are intended to provide a level of protection for society against activities that would appear to run afoul of public safety concerns or societal norms. Generally, public safety will look more toward people and property, with operations being included as part of the suite of business risks. The nation-state will operate bodies that are designed to protect those persons that are abiding by its requirements in most legitimate forms of government, and against significant events such as natural disasters, fire, etc. This level of constraint may also have an involuntary aspect. Over the past decade, the world has seen an increase in international bodies becoming involved in settling national disputes. Organizations such as the United Nations, Gulf Cooperation Council, and other similar bodies have taken on an increasing role in determining what constitutes acceptable national behavior. We see this in international bodies sanctioning actions that range from trade restrictions to enforcement through military intervention. As we move toward more international operations, these international bodies are taking on increasing roles in overseeing the decisions of their individual members. This has been particularly evident in situations associated with the financial sector in Europe, where the EU essentially dictated what financial controls the Greek government was to put in place in order to receive bailout funds. Similarly, the United Nations and other international bodies have taken a significant interest in the state’s response to the migration of persons, making comments on the states’ response and, one might argue, leading a two front campaign—one being legal and the other being in the court of public opinion. This can be further complicated as certain issues which are being addressed at global levels (such as migration due to climate) are at or near the root of many national issues, such as migration, disease, the movement of invasive species and even, for some nations, the potential for resettlement. While this dynamic is still evolving with respect to critical infrastructure assurance and protection doctrine, the fact that international bodies appear to be becoming more active should at least be in the back of the researcher’s mind when looking at potentially evolving challenges.

1.5 What Is CIP? The term CIP pertains to activities for protecting critical infrastructures. This includes people, physical assets, information and communication cyber systems that are indispensable for national, state, and urban security, economic stability, and public safety. CIP methods and resources deter or mitigate attacks against critical infrastructures caused by people (terrorists, other criminals, hackers, etc.), natural calamities (hurricanes, tornadoes, earthquakes, floods, etc.), and accidents

8  ◾  Critical Infrastructure

which may as innocuous as a vehicle crash to those involving hazardous material exposure, nuclear, radiological, biological, or chemical substances. Essentially, CIP is about protecting those assets considered invaluable to society and that promote social well-being.5 CIP is often considered a reactionary response to threats, risks, vulnerabilities, or hazardous conditions. It does entail some preventative measures and countermeasures but usually is reactive by nature. CIP has two goals. The first goal can be related back to an alternative way of thinking. By definition, a critical infrastructure involves physical and logical systems necessary to support the safety, security, and economic well-being of communities (to paraphrase the growing list of definitions). The second goal should be more concerned with the protection of the infrastructure (in its physical and constructional contexts), and whether it is capable of delivering its anticipated services to the community. At this point, the reader needs to be cautious about how he or she looks at the term CIP. Certain organizations, such as the North American Electric Reliability Corporation (NERC), have promoted the approach in their communications that uses the term CIP only to describe a narrow aspect of infrastructure protection. In the case of the NERC, the term has been cast to identify only critical resources (physical and cyber) that are specific to the North American power grid. Failing to understand these contextual issues can lead to discussions or debates where the scope of the discussions is not understood by all involved. Citical infrastructure assurance goes beyond the concept of CIP in that it seeks to assure the viability of the services provided by that infrastructure. This implies a strong focus on proactive and preventive controls. In this context, the concepts of robustness, resiliency and redundancy factor much more significantly because the activities balance the need for protection and the potential impacts associated with failure. This kind of approach to the issue of CIP was much closer to the intent of the original goals of assuring the population that critical services would not be disrupted and, in the off chance that they were disrupted, that the infrastructure was designed and managed to restore the necessary level of services as quickly and effectively as possible.

1.6 What Is CIA? Most asset protection programs and their efforts often begin with determining why something needs to be protected. The first part of this involves understanding the mission or purpose of the organization and what service it provides or what good it produces. The second element of this involves working backwards from the successful achievement of these goals and looking at how various managed systems 5

www.usfa.fema.gov/subjects/emr-isac/what_is.shtm (alt URL: http://cipbook.infracritical​ .com/book3/chapter1/ch1ref1.pdf).

Introduction to Critical Infrastructure Assurance and Protection  ◾  9

come together. As one reduces from systems, to sub-systems and ultimately to processes, one sees the most granular level—that of the asset. These various inputs are identified and assigned value based on their contribution to the given system and its desired outputs or results. For example, the value of a facility may be that it provides a clean and sterile environment for research. Something that breaches the controls that protect that sterility would fall into the threat category as the organization has lost a valuable part of its activities through the loss of the space. The second part focuses on threats and assets (things) that can or might disrupt processes and cause the organization not to be able to realize the full value or potential of those assets. These steps become the foundation for such statements as risk being a “possibility of loss or injury” of “a factor of asset value, threat, and vulnerability.” The value associated with a critical infrastructure can be divided into several parts. The first part involves circumstances in which the critical infrastructure provides a unique service within and to a community. This is often the case where infrastructure costs are relatively (or even prohibitively) high, such that the community can only afford one of the installation types. An example that supports this premise might be that it is unlikely that you will see a town of 7,500 inhabitants with a water purification plant able to handle a population of 15,000 suddenly decide that it is time to put in place a second similar installation. In this example, the concept of physical security or force protection6 becomes vital, given any potential impacts associated with the interruption, loss, or destruction of that particular infrastructure—in this case, the loss of fresh drinking water to the local community. In a networked environment, an additional layer of protection is possible when leaving the local level as one begins to look at state/provincial, regional, or even national levels. Depending on the nature of the service being provided, the networked environment allows for an application of robustness, resilience, and redundancy to be designed. When one infrastructure suffers a negative impact, the loss of its performance in one area is offset by the remaining elements within the network by either increasing or reallocating their own contributions so as to either reach the desired level of overall performance or, in more extreme cases, reduce the amount of impact associated with the disruption. The question becomes whether to protect an individual infrastructure or the ability of the networked environment to perform at a level that meets the demands. The truth is that both are needed. Individual nodes and conduits associated with an infrastructure network are intrinsic to that network’s ability to function. Simultaneously, individual nodes operating in isolation must be looked at closely 6

A term used by the military establishment of the United States and other countries to define the following: “preventative measures taken to mitigate hostile actions against Department of Defense personnel (to include family members), resources, facilities, and critical information. Force protection does not include actions to defeat the enemy or protect against accidents, weather, or disease” (Joint Publication 1-02, Department of Defense Dictionary of Military and Associated Terms, April 12, 2001 (as amended through August 26, 2008), pp. 213–14).

10  ◾  Critical Infrastructure

in terms of residual risks allowed into a system that is essentially a single point of failure. Another harsh reality of the critical infrastructure domain is that there are people (i.e., families) who rely on those operating in that field ensuring that services are there when needed. A range of events illustrates this reality. During the 1998 ice storm in Canada as well as the August 2003 blackout that affected much of the northeastern portion of the United States and Canada, the challenge was that electrical power was not available to maintain either heating and sumps (ice storm) or refrigeration and heating, ventilation, and air-conditioning systems (2003 blackout). This lack of availability prompted the declared states of emergency, and resulted in organizations putting their business continuity plans in motion and practicing other extraordinary measures. The use of Canadian National Railway locomotives and generators to supply electricity (in response to the ice storm) tends to point toward a lack of electricity being the problem and not simply a specific electrical transmission line being disrupted. Consider another example involving the US postal system. Does it really matter what street the mail comes from before it gets to your home? The response would be “of course not.” What does matter is that your mail arrives at your home on time and in unbroken condition. The concern sets in when we wonder whether the mail or post is actually being delivered at all—something that affects our paying of bills, receipt of ordered goods, and other forms of communication. Finally, consider the US water supply systems. Again, we are less concerned with whether the water is coming through a central pipe or some peripheral parts of the system. We tend to become significantly concerned if the water supply fails to provide water to our homes. Other examples will tend to follow the same suit, because it is the lack of critical services that poses the risk to society. Some might argue that the population is only concerned about protecting critical infrastructure insofar as that protection ensures the availability of the service to the public. This leads to the concept and definition of CIA. The definition of CIP focuses on protecting the nodes and conduits of any given infrastructure that delivers services to its community through force protection. Although CIP tends to focus on an all-hazards approach, it tends to operate at a very basic or local level—say, one facility, one road, etc. CIA, on the other hand, tends to focus on a layer higher than CIP, which includes the necessary arrangements to shift production around within the network or surrounding networks so that demand is met, even if a local node or conduit is disrupted. If we were to take our two power-based examples, we would see the difference in the approach. CIP would tend to focus on a very granular level—power production facilities would be protected against various types of physical attacks or hazards. CIA looks at the entire power grid, ensuring that the system can detect disruption, shift capacity to meet demand, and ensure that services are being met—often transparently to the consumer. In this context, it might be argued that CIA is the holistic view that is actually sought by most CIP professionals.

Introduction to Critical Infrastructure Assurance and Protection  ◾  11

1.7 What Are Public-Private Partnerships? The divide between the public and private sectors is becoming more gray and flexible through the concept of public-private partnerships. A public-private partnership is an agreement between a public agency and a private sector entity that combines skills and resources to develop a technology, product, or service that improves the quality of life for the general public. The private sector has been called upon numerous times to use its resources, skills, and expertise to perform specific tasks for the public sector.7 Historically, the public sector has frequently taken an active role in spurring technological advances by directly funding the private sector to fulfill a specialized need that cannot be completed by the public sector. What this arrangement seeks to accomplish is a stable relationship between the two that allows a more efficient and effective delivery of services. This is discussed in detail in Chapter 2.

1.8 Critical Infrastructure Functions Defining, using, and maintaining critical infrastructure is a combination of processes. When looking at what should be defined as a critical infrastructure, we need to move beyond the convenient definition and shopping lists promulgated by governments and associations and ask three fundamental questions: ◾◾ Is the infrastructure necessary for the preservation of life or the continuation of a society? ◾◾ Is the infrastructure operating in a very limited context or across a much broader context? Meaning, is that infrastructure only specific to a local community, or does it interconnect with other communities to make a much larger, more fragile community? This may influence whether the infrastructure is considered to be a critical infrastructure in the national context or a vital asset at the local level. ◾◾ Is the infrastructure operating as a singly or uniquely organized entity, or is it a community of coordinated efforts put forth by several parties? This is important to understand because the infrastructure, and its capacity, needs to be understood in terms of assurance to its operations. The answers to each of these three questions will have a profound impact on the methods needed to protect the infrastructure and ensure delivery of its services. This in turn will have an impact on the various methodologies and measures that are available to those seeking to accomplish the same. It should not be looked upon as a purely administrative process guided by checklists and prescriptive formulas. 7

http://www.dhs.gov/xlibrary/assets/st_innovative_public_private_partnerships_0710_version_2​ .pdf (alt URL: http://cipbook.infracritical.com/book3/chapter1/ch1ref12.pdf).

12  ◾  Critical Infrastructure

1.9 Evolution of Critical Infrastructure What many policy makers consider critical infrastructure has been evolving and is often ambiguous. Twenty years ago, the word infrastructure was defined primarily with respect to the adequacy of the community’s public works. In the mid-1990s, however, the growing threat of international terrorism led policy makers to reconsider the definition of infrastructure in the context of security at national levels. Successive government policies and laws have become refined and more understood based on the expanded number of infrastructure sectors and the types of assets considered critical for purposes of an economy’s security.8 This definition was adopted, by reference, in the Homeland Security Act of 2002 (P.L. 107-296, Sec. 2.4),9 and it established the US Department of Homeland Security (DHS). The national strategy adopted the definition of critical infrastructure in P.L. 107-56, providing the following list of specific infrastructure sectors and its assets falling under that definition. Sectors include: Agriculture and food production Banking and finance Chemical production Critical manufacturing Communications Emergency services Energy Government facilities Information technology Nuclear energy and facilities Postal shipping Public health and healthcare Transportation and logistics services Water and wastewater treatment Key resources include: Defense industrial base Commercial facilities Dams National monuments and icons Library of Congress, CRS Report for Congress, Guarding America: Security Guards and US Critical Infrastructure Protection, CRS-RL32670, November 2004; https://fas.org/sgp/crs​ /RL32670.pdf (alt URL: http://cipbook.infracritical.com/book3/chapter1/ch1ref5.pdf). 9 http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid​ =f:publ296.107.pdf. 8

Introduction to Critical Infrastructure Assurance and Protection  ◾  13

The critical infrastructure sectors within the national strategy contain many physical assets, but only a fraction of these could be viewed as critical according to the DHS and Public Safety Canada definitions. For example, out of 33,000 individual assets cataloged in the DHS national asset database, the agency considers only 1,700, or 5%, to be nationally critical.10 Of the 33,000 assets listed in the DHS database, only a small subset is defined as critical infrastructure sectors.11 Because federal, state, and local governments, as well as the private sector, often have different views of what constitutes criticality, compiling a consensus list of nationally critical assets has been an ongoing challenge for both DHS and Public Safety Canada. The critical infrastructure sectors have also undergone a doctrinal shift since the last edition of this work. While CIP has been the focus, the concept of CIA has been largely approached through the concept of resilience which aligns much more closely with the concept of CIA at the networked level and which has a profound impact at the local level by allowing a greater degree of flexibility than the former CIP models.12 This shift may afford greater flexibility for business, but also opens up the need for improved oversight by those authorities as it allows for better or expanded use of administrative and procedural controls.

Liscouski, Robert, Asst. Sec. Infrastructure Protection, Department of Homeland Security, testimony before the House Select Committee on Homeland Security, Infrastructure and Border Security Subcommittee, April 21, 2004. Note that DHS’s list of 1,700 critical assets may not include the 430 US commercial airports with passenger screeners, whose security is primarily administered by the Transportation Security Administration; https://fas.org/sgp​ /crs/RL32670.pdf (alt URL: http://cipbook.infracritical.com/book3/chapter1/ch1ref5.pdf). 11 For example, in the chemicals sector, DHS has identified 4,000 facilities as potentially critical out of 66,000 total US chemical sites. See Liscouski, Robert, Asst. Sec. Infrastructure Protection, Department of Homeland Security, testimony before the House Committee on Government Reform, Subcommittee on National Security, Emerging Threats and International Relations, Combating Terrorism: Chemical Plant Security, serial no. 108-156, February 23, 2004, p. 13; www.access.gpo.gov/congress/house/house07ch108.html or http://bulk.resource.org​ /gpo.gov/hearings/108h/94257.pdf (alt URL: http://cipbook.infracritical.com/book3/chapter1​ /ch1ref6.pdf and http://cipbook.infracritical.com/book3/chapter1/ch1ref6a.pdf). 12 The resilience model has an increased emphasis on the restoration of operations. While robustness or preventive controls continue to factor significantly, the concept of detection, response and recovery (using Canadian physical security doctrine as per G1-025) or the response and recovery phase in the Emergency Management cycle figure more prominently; http://www​ .rcmp-grc.gc.ca/physec-secmat/pubs/g1-025-eng.htm; alternate URL will be here: http://cip​ book.infracritical.com/book5/chapter1/ch1ref12.pdf. 10

http://taylorandfrancis.com

Chapter 2

Demand, Capacity, Fragility, and the Emergence of Networks 2.1 Introduction The concepts described in this chapter have evolved significantly since the first edition and continue to evolve as new and emerging factors continue to impact infrastructure. These factors include well-debated issues such as climate change, migration of populations, integration of new technology, increasing regulatory burdens and economic factors. What has been apparent is that an increasing number and frequency of infrastructure issues are highlighting the fact that infrastructure, and even whole communities, can be impacted through interdependencies and disruptions within the networked environment.

2.2 What Are We Trying to Protect? The Concept of Capacity If critical infrastructure is really about the infrastructure necessary to preserve the safety, security, and economic well-being of citizens, then shouldn’t the focus necessarily be on protecting infrastructure or assuring that a given service continues to be delivered as required? Although the former is certainly important, the latter aligns much more closely with the stated goals of critical infrastructure protection (CIP). 15

16  ◾  Critical Infrastructure

The fact is that a given infrastructure at the local level is there to provide some level of contribution into the system. The sum of these contributions, the ability to coordinate how those services are delivered, and the means of delivering them to their intended recipients may be best described as the capacity of the system. These three elements (safety, security, and economic well-being) are important because they operate similarly to the fire triad (heat, oxygen, and chemical reaction). If the infrastructure can generate a significant amount of the service but cannot identify where it is useful or deliver it to those points, then the system has essentially failed. At the same time, a well-coordinated and well-maintained grid that does not have anything sent through it is still failing to meet the final goal. The ability of the system to produce, distribute, and deliver can be described as the system’s capacity. The symbiosis that exists between the ability to generate capacity and distribute that capacity has become much more evident, particularly when looking at the fringes and expanding edges of society’s networked infrastructure. Communities (which may range from settlement to economic bases of operation) are expanding into environments such as the north. Similarly, the demand for technology is spreading outwards into increasingly remote locations. For those seeking a clear example of the challenges that can arise, one only needs to look at the damage caused by the recent (2017) events that have damaged the transportation network to communities such as Churchill, Manitoba. In this specific example, the main ground transportation route (a rail line) suffered catastrophic damage to the point where economic interests and even the community’s survival has been called into question.1

2.3 Demand: The Reason for Capacity Demand and capacity exist in a constant balancing act. This is not to say that they are always in equilibrium—they rarely are. It simply means that where there is a demand, capacity will attempt to fill that demand. Where there is surplus capacity, there is likely going to be a demand attempting to exploit that capacity. Those with a background in a supply-and-demand economics will find this concept very familiar.

2.3.1 The Concept of Performance The concept of performance basically describes whether the system works with sufficient capacity to meet its demand. For example, if there is a demand for 500 units

1

This is being widely reported through public media outlets, such as found at http://www.cbc​ .ca/news/canada/manitoba/manitoba-churchill-rail-service-1.4154221 on 11 June 2017.

Demand, Capacity, Fragility, and the Emergence of Networks  ◾  17

of something, then the system would be considered in balance when it delivers those 500 units, and otherwise out of balance. Because of the nature of critical infrastructure, it can be reasonably argued that three imbalances have to be considered. The most serious of these involves a situation where the capacity does not meet the demand. This may be represented by a situation in which some portion of the population does not receive an expected level of the critical service—such as occurs during a power failure. The second most serious condition occurs when the capacity exceeds the demand, but leads to a response where the capacity is reduced, leaving the system vulnerable to a spike in demand. This might be exhibited in situations where the private sector is primarily involved in the delivery of the service, but due to a surplus of supply, businesses leave the market because they become intolerably unprofitable. The final imbalance is a sustained surplus of capacity. The example of Churchill, Manitoba illustrates an important factor in looking at the demand and capacity balance. The local community has a vested interest in the performance of regional infrastructure, particularly since that regional infrastructure is essentially a single point of failure. With no viable replacement of the rail system (i.e. no road) and the only alternative being air transportation, the movement of critical supplies and stores (such as food) are impacted in terms of cost and availability to the point where the impacts cascade through the community. Concerns regarding Canada’s ability to sustain sovereignty operations in the area are impacted due to the challenges. The example here is showing how the impacts in terms of the performance of infrastructure need to be examined in a more coordinated fashion between local (including business), regional, and national (including strategic) perspectives.

2.3.2 Local Impact and the Influence on Capacity When infrastructure is disrupted at the local level, that disruption loses its ability to provide the expected level of capacity into the overall system. At the local level, the clearest understanding regarding the loss of capacity will flow from activities less associated with physical security, but rather with business continuity planning (BCP). Within BCP, thresholds are communicated that are used to determine the severity of impacts or losses of key resources, etc. Although BCP generally ends at the edge of the organization’s responsibility or mandate, the concept of CIP urges this approach to be carried on throughout the organization and into progressively larger systems. Some care has to be taken here to ensure that the quality of service is maintained at a manageable level. What if the final product (e.g., a fuel) fails to reach that level of quality for it to be usable in the system? This aspect of integrity is somewhat different than the traditional “nothing added, nothing deleted, and only authorized changes made through well-formed or defined processes” and more closely in line with the traditional views of quality assurance and quality management.

18  ◾  Critical Infrastructure

2.3.3 Results of a Local Impact in the Immediate Sense When something is disrupted, we return to the concept that the availability of the critical service has been reduced. This leads to three important events that are worthy of study. The first event involves what the loss or reduction of that service means to the overall system. This revolves around the concept of what consequences arise should the organization fail to meet its goals—again, a power failure, loss of transportation, etc. The second event involves what the loss or reduction of that service means to the internal use or management of inputs that would normally be used to maintain that level of service delivery. How do the unused inputs survive the impact? Are they perishable or must they be used within a certain time frame before they are no longer of value? Are they persistent in that they can be stored nearly indefinitely without a loss of value? These factors should generally be included in the basic impact analysis—often in consultation with operations or material management personnel. The third event involves how the organization manages the fact that it is no longer consuming those inputs at the same rate. Does this mean that it will stop purchases of future inputs or that it will simply delay the delivery of some? These upstream impacts are also important factors to be considered both in the local impact analysis and later in the understanding of the impact on the overall system. For those seeking parallels, concepts defined in supply chain management and logistics provide some input. What we are seeing is what may be described as an increase in how fast the impacts can move through fragile and interdependent systems. When one considers the 1987 disruption in Canada on the movement of grain and the loss of exports of coal from certain areas of the western US, the impacts moved through the system quickly but in a matter of days and weeks. These can largely be described in terms of their root being economic in nature (one being a labor dispute and the other being a collapse of an economy). The example of Churchill, Manitoba illustrates two factors that have almost immediate impacts. The cessations of operations by the private sector interest had an impact on the supply chain, and the economy within the surrounding area. It cascaded quickly to other events, such as the closure of the Canada Border Services Agency (CBSA) office in the town due to a lack of need for operational support. The damage to the rail line also has an immediate impact that will last some time (before repairs can be affected) but which is also related to the first impact. The question will be whether there is adequate economic demand for a restoration of full services without the seaport. Consequently, it is not enough to simply look at these impacts as being completely isolated from each other. One might propose looking at the impacts more in terms of the same principles as supportive and destructive waves—where two impacts collide and create a far more significant or difficult situation. Generally, at the local level, four classes of impacts are observed. The first are delaying impacts that essentially slow the inward flow of something into the system. This concept is seen when warehouses are filled—at some point, the warehouse is

Demand, Capacity, Fragility, and the Emergence of Networks  ◾  19

full but we still need to store the material. The second involves the concept of lag. This category of disruption describes the condition where something else is slowed down because the necessary amount of inputs is not being received. Finally, at the other end of the spectrum, the system will attempt to balance itself through either the third class, push (seeking to find new demand), or the fourth class, pull (seeking to find surplus capacity that can be aligned against unmet demand). While the concept of push, pull, lag, and delay may operate independently at a conceptual level, greater care needs to be taken to identify conditions where a single event can lead to multiple impacts. Currently, many networked environments have been making significant efforts to “fit more capacity into the same space” so as to be getting the best return on investment with respect to the use of infrastructure. This is clearly evident when looking at issues in the transportation system (more efficient switching systems, intermodal systems, freight forwarding), electronic networks (increasing bandwidth, compression technology and multiplexing), and centralization.2 The impact here is that the current model (push-pull-lag-delay) now operates at multiple levels. The disruption of a node or conduit may not just impact something coming into the system but is becoming increasingly likely to impact movement in the opposite direction. This is not new but is becoming far more apparent. The other aspect comes from the fragility that is inherent in fringe communities or communities that have not matured to the point where they have robust, resilient and redundant infrastructures. This can come in the form of new communities but also in terms of new activities within communities that place additional demands on that community. One might postulate that we are going to see several working examples of this in the expansion into the North. An impact that is becoming far more prevalent across a number of sectors might be referred to as “load shedding”, a term often coined in the electrical power generation community. In the electrical generating capacity, this involves distributing production capacity so that a loss of production capacity is reduced in severity at one level. At the same time, however, it introduces several new layers of “moving parts” that can, if not balanced and managed appropriately, lead to its own issues in terms of cascading impacts. While the electric grid has seen this in terms of solar farms, personal generating capability and similar forms or programs, it is evident in other sectors as well. We are now seeing increases in 2



For those looking at this issue in the Transportation Sector, consider intermodal shipping and public transportation. Containers are now double-stacked as a matter of course when moving by rail to reduce the length of trains. Similarly, double-decker busses are now being used more frequently in certain communities in order to reduce the length of road needed per person to move them, particularly into downtown core areas. Consider also the concept of home automation. Systems have evolved from wired system, to wireless systems to those that move command and control signals through the electrical network. The use of frequency modulation in multiplexing in order to move increased data through different distribution networks has become increasingly frequent and available.

20  ◾  Critical Infrastructure

the number of community gardens, water supply and purification, outsourced services and small service providers in telecommunications. As these distribute capacity while reducing the probability of a catastrophic failure at one level, they also can come at the price of increased instability or even vulnerability unless carefully coordinated at levels including technical, scientific and regulatory oversight.3

2.3.4 Relevance to CIP The concepts of push, pull, lag, and delay are becoming increasingly understood at the local level. This was initially established through bodies of knowledge associated with supply chains and logistics; it then moved into the realm of BCP and has now become more understood in the realm of CIP. Where the divide currently resides is between the local and regional (small system) levels when you look at the CIP services that have stemmed from such concepts as force protection, infrastructure protection, etc. Today, the reader will be able to find no shortage of integrators and information management services, both proprietary and cloud-based, that will allow them to achieve this level of interaction and integration. These systems range from fully integrated hardware and software solutions (where one system handles all elements) to specific or proprietary services that allow for the formerly independent activities to be linked through dashboards, information management systems, domain awareness systems or even systems that allow for the formation, management and dissolution of communities on an issue-by-issue basis.

2.3.5 Push, Pull, Lag, and Delay in the Network Environment The concept of push, pull, lag, and delay is not unique to the transportation system— but is rather characteristic of any system that involves exchanges. The concept is familiar within the energy sector in pipelines and across transmission lines. These topics are also familiar in water systems and networks, and although they illustrate applications in physical networks, the concept is similar to various other concepts, such as bandwidth, throughput, and buffering within the logical realm. For the CIP professional, an understanding of how these four elements operate is of vital importance. Fortunately, these sectors have already carried out significant research with respect to each of these elements as they work on understanding and refining their understanding of their own risks.

3

One question that comes to mind involves community gardens. While local farms may be regulated, community gardens do not fall under regulatory oversight (such as the USFDA or Health Canada) that can allow for chemicals or organic materials to be inserted into the food supply chain.

Demand, Capacity, Fragility, and the Emergence of Networks  ◾  21

2.4 At the Regional (Small System) Level Returning to the first principle, we find that the core values associated with critical infrastructure services can be prioritized in order of availability, integrity, and confidentiality, as we migrate to a smaller system, usually at a regional level. Understanding what the concept of push, pull, lag, and delay means within that small system plays a vital role in the ability to assure delivery of critical services— now being thought of in some limited circles as critical infrastructure assurance.

2.4.1 Influence at the Small System Level When attempting to assure these services, it is most important to understand how these concepts operate at the small system (regional) level. Consider that each node (or intersection) and each channel (or conduit) can only handle a certain capacity. If there is no release to the surplus demand (e.g., through a release of pressure), then the system simply operates as it is best able to. Beyond that, however, the system begins to clog as the surplus demand that cannot be handled attempts to find other options and, if this is not possible, remains in place. This concept can be seen in most metropolitan automotive traffic congestion conditions quite clearly. A route can handle a certain number of cars in a certain amount of time. When that level is exceeded, the route begins to fill. When the space between intersections is full, cars cannot pass through the intersection or will block the intersection, thus compounding the problem, and the system begins to fill. In response to this situation, certain jurisdictions have established Emergency Detour Routes or Emergency Diversion Routes that are intended to bypass disruptions.4 What becomes important at this point is the ability to identify that a disruption has taken place, find alternatives that can release the pressure, and then route or reroute the demand onto those alternatives. The release of pressure, if balanced correctly, allows the system to break the cycle of cascading and expanding failure, and regain that delicate operating balance between capacity and demand. There are two factors that have a serious influence on this. First, what if there is no surplus capacity available in the system? In this instance, the system fills. It is also important to note that where the system is full, it, too, denies further movement through the system. The second factor may be whether surplus capacity within the system can actually be reached from the disruption. The routes between nodes fill as a result of the surplus demand; here again we have a situation where the impact is cascading and expanding. 4

For example, these routes (which are also referred to as Emergency Detour Passes) have been established at the provincial (Ontario) or state levels (Michigan, Ohio, Pennsylvania, Arizona, to name some examples). These routes are signed to direct traffic around disruptions in order to try to relieve congestion or at least mitigate the impact of such events.

22  ◾  Critical Infrastructure

One aspect that the reader may want to consider, particularly as more services are layered on the same infrastructure, involves the prioritization of services. This concept is already well known in the telecommunications sector where certain numbers are identified as priority numbers that must either be maintained or must be restored first. The identification of routes for emergency vehicles and the identification of zones for critical service restoration all fall into these categories and are a natural part of the prioritization of disaster recovery and business resumption. For the individual, it means that community-driven services are restored prior to individual services—something that individuals may want to consider when looking at how long they should be able to sustain themselves before assistance arrives.

2.4.2 Current Efforts and Research As the reader will soon see, the legislation, regulation, and other forms of oversight regarding the local layer associated with critical infrastructure have evolved somewhat since the first edition of this book. The first significant line of research has focused on the concept of interdependencies. Interdependency is where the level of one system’s product is reduced, and this reduction causes an impact in another system. For example, a loss of fuel production impacts the transportation sector or a loss of electrical power affects telecommunications. For those involved in BCP, the concept of interdependency may appear to be complicated from an operational viewpoint but is considered relatively simple to accept from a theoretical level. The challenge here is that the concept of interdependencies is approaching a situation much like cancer research. Most of us understand that the term cancer actually represents a significant number of different diseases. As a result, one might fund “cancer research” (and we would certainly not discourage you from doing so) but not have a clear sense as to what form of cancer is being researched. The same might be argued for interdependencies (see the example reports within the footnotes, especially the one from Idaho National Laboratories5). The second challenge is associated with the concept of network fragmentation and dissolution. Since the first edition, significant work has been carried out in the transportation and energy sectors to try to understand how the disruption in one part of the system impacts the rest of the system. For some, it is simply akin to the butterfly effect—an assumption that may hold true for nearly inconsequential parts of the system, such as a terminal or isolated node. On the other hand, disruptions at major infrastructure points may be apparent rather quickly, as the impacts 5

Idaho National Laboratory, Critical Infrastructure Independency Modeling: A Survey of US International Research, ed. P. Pederson, S. Dudenhoeffer, S. Hartley, M. Permann, August 2006; http://web.archive.org/web/20150513011251/http://www5vip.inl.gov:80/technicalpublications​ /documents/3489532.pdf (alt URL: http://cipbook.infracritical.com/book3/chapter2/ch2ref10​ .pdf).

Demand, Capacity, Fragility, and the Emergence of Networks  ◾  23

flow throughout the various connections and begin to influence the capacity at other locations. Documentation has been published through the US Department of Homeland Security’s Transportation Security Administration fairly early on, and recently, entire works have been dedicated to the concept of using technology such as intelligent transportation systems as a safeguard against this type of issue.

2.4.3 The Interdependency Hydra We have alluded to the concept that the term interdependency is becoming used to describe a number of states within and between networks and their interrelation between other systems. Research into interdependencies have now taken on a six-­dimensional model. The first three dimensions are obviously the physical domain. The fourth involves time both in terms operations and other similar factors. The newer research today is focusing on the fifth and sixth elements of this effort—that of the inter-relationship between administrative structures and organizations while the sixth involves the impact of the logical topography and geography that may influence outcomes. One particular area of concern in this regard involves the expansion of concepts such as cyber-war and whether or not a cyber-attack against what may be a legitimate military target can actually cascade to have a similar impact to a weapon of mass destruction. When considering interdependencies, one might argue that there needs to be a basic understanding of how the impact flows between or across sectors. These might include, as a basic system of categorization, the following: ◾◾ Interdependencies flowing out of one system (host) and impacting an independent system in that the impact does not cycle back onto itself (the host)—henceforth, this would be more of a dependency rather than an interdependency. ◾◾ Interdependencies flowing out of one system (host) and impacting a system that provides a direct good or service back into the host system, leading to an elevated rate of deterioration attributable to the initial disruption. ◾◾ Interdependencies flowing out of one system (host) and impacting a system that then provides a service to another sector that then has an influence on the host. There is still a significant amount of work to be done with respect to the proper categorization and definition of these types of events. The questions that persist across a number of blogs and discussions where researchers tend to communicate continue to center on a general acceptance that some of the underpinning principles appear to be common but are still difficult to quantify.

2.4.4 Network Fragmentation and Dissolution The concept of interdependencies and cascading impacts has also worked in parallel and even contributed to a growing amount of research into the fragmentation and dissolution of networks. Much of this still focuses on the concept of mathematical

24  ◾  Critical Infrastructure

models and translations of informatics systems into physical infrastructure. Again, there is merit to this research: Where such concepts translate gracefully into the physical domain, they are worth keeping. Where a concept is discounted, the results of the research still have value in that they can narrow the focus of other research based not on pet theories or whimsical intuition, but rather on sound scientific bases. For those entering the arena of critical infrastructure assurance, the concept of network fragmentation and dissolution is relatively simple to explain—if one does not get bogged down in the complexity. Consider capacity and demand. Where there is a surplus of demand, it will seek out spare capacity (or where there is an ability to meet the demand, surplus capacity will be sought). This goes back to what was discussed in terms of how impacts affect the small system level. What has become increasingly important to researchers is the ability to predict how that system will collapse and break apart. This is important for two reasons. A predictive model enables effective preventative measures (focusing on the robustness of the system); however, it also pre-positions mitigation and response strategies (focusing on the recovery aspects) to be established. To return to the traffic congestion example, this is somewhat akin to being able to identify where the traffic jam is most likely to appear next. It is perhaps fortuitous that this research has coincided with difficult economic times. This is because both US and Canadian administrations appear to have committed to working on significant infrastructure upgrades as part of their economic recovery packages. Prudent planning would involve a forward-looking approach that identifies what capacity will be needed, rather than simply restoring overburdened infrastructure to its original design. These difficult economic times can also spawn issues at another level of interdependency. Consider the competition between nations for global influence and economic position. While military conflict may involve a range of hostilities, there are other avenues that can be taken to achieve similar ends. Instead of breaching the various security controls over highly protected systems (such as satellite surveillance systems used for military reconnaissance), could not the same ends be achieved by gaining control over the proprietary information of value by purchasing the companies involved in its manufacture? At the time of drafting this edition, this debate is very much in the forefront of certain communities as a result of the sale of this kind of company to a country that is known to be in direct competition with a number of national and allied interests—including the potential for military conflict in the South China Sea. Taking into account this new level of complexity and interdependencies will likely become a growing concern as a multipolar political environment.

2.5 Cyberterrorism In addition to the physical and operational safeguards, the concept of cyber warfare has approached the forefront of many critical infrastructure issues. Outside of

Demand, Capacity, Fragility, and the Emergence of Networks  ◾  25

Hollywood’s extrapolation of potential events, the world has seen clear examples of the results of coordinated cyberattacks in Estonia and Georgia as part of political and military campaigns. We are also seeing similar tactics being used between the two threats with cyber-terrorists using criminal tactics as a means of fundraising while cyber-criminals use tactics previously associated with cyber-terrorism to launch increasingly large-scale and lucrative attacks. As one example, one may point to the criminal act that paralyzed a significant part of the UK’s hospital system—an action that would normally be linked to terrorist tactics but in this case being used for criminal means. Similarly, we have also seen the rise of groups acting out of ideological beliefs that have used a range of tactics to bring what they consider to be awareness to issues of social or societal importance. At the outermost edge of this, we have also seen the rise of cyber-warfare units being organized into the traditional orders of battle for a number of countries, some of which are recognizing that the cyber capability has the ability to act as a major force multiplier for nations that have been traditionally considered less capable on the conventional battlefield. One potential issue that will arise from this will be the increased number of potential hackers or cyber warriors that may enter into private, criminal or other organizations. The Gilmore Commission6 noted that the “cyberattacks incident” to conflicts in the Middle East “emphasized the potentially disastrous effects that such concentrated attacks can have on information and other critical government and private sector electronic systems.”7 The commission concluded that although not “mass destructive,” attacks on critical infrastructure would certainly be “mass disruptive.” It also concluded that likely perpetrators of cyberattacks on critical infrastructures are terrorists and criminal groups rather than nation-states. As a result, the commission predicted that detection of these attacks would fall primarily to the private sector and to local law enforcement authorities.8 The Gilmore Commission is an advisory panel that assesses the capabilities for responding to terrorist incidents in the United States involving weapons of mass destruction. Response capabilities at the federal, state, and local levels are examined, with a particular emphasis on the latter; the secretary of defense, in consultation with the attorney general, the secretary of energy, the secretary of health and human services, and the director of the Federal Emergency Management Agency, entered into a contract with the RAND National Defense Research Institute, a federally funded research and development center, to establish the advisory panel, which released its fifth and final report in December 2003. 7 80-337PS/2003 Homeland Security: The Federal and New York Response, field hearing before the Committee on Science House of Representatives, One Hundred Seventh Congress, Second Session, June 24, 2002, serial no. 107–71; http://commdocs.house.gov/committees​ /science/hsy80337.000/hsy80337_0.htm (alt URL: http://cipbook.infracritical.com/book3​ /chapter2/ch2ref9.pdf). 8 Committee on Science, US House of Representatives, Hearing Charter, Cyber Terrorism—A View from the Gilmore Commission, October 17, 2001 http://web.archive.org/web/20011121084537​ /http://www.house.gov/science/full/oct17/full_charter_101701.htm (alt URL: http://cipbook​ .infracritical.com/book3/chapter2/ch2ref7.pdf). 6

26  ◾  Critical Infrastructure

This statement, however, has taken on additional importance. There is now increased recognition within industry and government that if key resources (this term is chosen specifically to align with BCP approaches) are connected through Internet-enabled technology, cyber-related threats to those key resources need to be recognized and addressed.

2.5.1 The Pendulum of Convergence Convergence, simply put, is the gradual integration of physical and logical infrastructure. For those without degrees in architecture (logical or physical), it may be described as the gradual march onto the network-enabled system. Convergence is really being driven by two interrelated variables. The first variable involves the need for increased efficiency and situational awareness. This is a direct result from the need to be increasingly competitive on a global stage. Where North American markets used to be serviced by North American companies, one might argue that the past 35 years have essentially destroyed that concept, particularly when considering issues associated with supply chains and offshore production. As a result, there is an increasing intolerance for isolated or stand-alone systems that cannot be expanded as operationally required or as per the will of management. The second variable involves changes in technology. While analog systems continue to have a very limited presence in many systems, one must also note that the system is moving past the concept of the simple TCP/IP and point-specific architecture that makes up the traditional star, hub, and similar topographies to those that would be more aptly described as fully connected or mesh structures that are prevalent in cloud-enabled technologies. This next evolution of capabilities is a significant challenge to organizations that are having to rethink continuity of operations and business continuity plans as some of their critical services are now more subscription-based than owned (such as software-as-a-service). The end result, however, is the deployment of key resources using a type of technology that may, if not treated carefully, be subject to the same types of attacks that were present within the context of cyberterrorism but with much greater impact should these centralized clouds be disrupted. These two factors, the increasing pressure toward network-enabled systems and the decreasing supply of those able to work in past logical environments, will likely change the face of physical security and enterprise security. The concept of convergence does not simply mean a change in the application of technology; it also requires a change in organizational culture and personal approaches to the issue of security. Some of the basic concepts will, of course, be consistent. As we look at how issues are identified, problems and issues are scoped, challenges are met, and solutions are applied, however, the traditionally diverging IT and physical and personnel security communities will be forced back to

Demand, Capacity, Fragility, and the Emergence of Networks  ◾  27

the same tables. At least one federal department in Canada and another in the United States has actually created a condition where a cyber security expert has to be directly involved in the design of any physical security infrastructure. Although the security industry is in for some interesting years as the various elements in these communities go through the normal processes associated with storming and finally norming, the end result for industry may well be worth the effort if both sides remember the primacy of operations.

2.5.2 Convergence and the Understanding of Threat Convergence is also going to impact on how threats are considered within an organization. The all-hazards approach has been front and center in the past—but its application has largely looked at the surface layers of threat. For example, keeping a cybercriminal at bay was a matter of installing a firewall, whereas keeping a prowler out was a matter of locking the door. Today’s criminal, however, has access to both tools, and with the change of technology, it may be that the prowler is unknowingly working for the cybercriminal and has access to complex tools specifically conceptualized, designed, and used for defeating security infrastructure through logical means. Within the modern context, the cyber-threat is now being looked at in terms of all seven layers of the OSI networking model and not just those may affect the transport, session, application and presentation layers. Physical and insider threats are now being looked at in terms of their ability to manipulate configuration and the protection of all layers, not only those that exist in electronic form. At the same time, there are increasing efforts to understand the relationship between traditional security controls, IT Security measures and those that are involved in the various control and automation technologies. One element of this involves the concept of bi-directional threats, including in the realm of SCADA and control systems. While there has been a significant amount of research that looks at the potential impacts associated with the threat moving from the central processing capabilities (where operations are controlled from) to the perimeter of the network, the increased pressure to integrate memory and processing capabilities onto these networks is beginning to raise the question of threats that may originate on a peripheral device to attack the central processor. This is currently much more prevalent in the physical security community where the integration of memory and processors has opened up potential threat vectors. The pressure to integrate operational, control and automation systems into networked environments will only compound this challenge. Perhaps this example can be described by providing three divergent threat ­scenarios—each of which intersects with the critical infrastructure and key resources domain. First, consider the Federal Bureau of Investigation (FBI) report on December 3, 2008, that identified another threat to US infrastructure—the theft of copper that is being fed by an increasing demand for the metal, including

28  ◾  Critical Infrastructure

in overseas markets.9 Although it may be argued that all network infrastructure runs on fiber optics (it does not), it should be noted that this is not the type of traditional threat that might appear on a technical vulnerability analysis. The second threat involves personnel. Again, the FBI published (December 16, 2008) a report describing how certain elements of organized crime were able to infiltrate, through financial means, seaports along the East Coast.10 In this case, the threat vector was not asset based, but rather personnel based as the gradual trapping of individuals who had been given access. Finally, in a similar report in CSO magazine, a network administrator was able to establish himself as the key source of control over much of the city’s network infrastructure.11 These three events show how a potential adversary or attacker could gain access over key resources using indirect methods. Of significant concern today is the concept of the hybrid attack. As noted earlier, changes in technology and the availability of more and more processing power (an ongoing challenge) are leading to situations where adversaries have a wider array of tools at their disposal. Thus organizations that tend to focus their security activities in such a way that any one of the personnel, information, or physical safeguards are often left more exposed may be at risk of an attacker identifying, examining, and finally exploiting that vulnerability. Consider, for example, a meeting room in a public area. On one hand, the fact that it is intended for public access and resides outside of the more sensitive work areas is good; on the other hand, one has to examine whether the IT infrastructure installed in that boardroom is sufficiently hardened. This should be done so that an attacker does not simply bypass the physical security infrastructure by using the network connectivity to pass through the barrier in a way similar to crawling over a dropped ceiling or defeating a weak lock. Although hard connections are reasonably simple to address, the propensity of several organizations to work toward wireless access points or capabilities means that the physical security expert will have to look not only at the physical design, but also at how to establish the necessary levels of shielding and standoff—particularly if the adversary can simply sit in public areas where it is difficult to control his or her activities. Combined with this is the increasing availability of new technology, including surveillance devices, that challenge even this concept with the costs associated with significant surveillance packages being within the reach of the individual and not simply limited to larger organizations or nation states.

https://web.archive.org/web/20161218183740/https://w w w2.f bi.gov/page2/dec08​ /coppertheft_120308.html (alt URL: http://cipbook.infracritical.com/book3/chapter2/ch2ref3​ .pdf). 10 https://web.archive.org/web/20161218183828/https://w w w2.f bi.gov/page2/dec08​ /unirac_121608.html (alt URL: http://cipbook.infracritical.com/book4/chapter2/ch2ref4.pdf). 11 www.csoonline.com/article/437873/IT_Admin_Locks_up_San_Francisco_s_Network. 9

Demand, Capacity, Fragility, and the Emergence of Networks  ◾  29

2.5.3 Setting the Stage for Fragility Given a basic understanding of some of the pressures within the system and some of the upcoming challenges associated with understanding how the infrastructure is protected, we can begin to look at fragility. Fragility, in this context, is not mystical— it has been inferred in such fields as reliability engineering for some time. Fragility can be described in terms of the propensity of something to fail. At the local level, this aligns reasonably closely with the concept of the risk of loss associated with availability and, as a secondary factor, integrity. In reality, this can be divided into three major categories. The first of these categories refers to the design of objects. When an engineer designs something, he or she indicates some level of assurance with respect to the design actually performing as intended. This is largely tied to the amount of effort spent in design, implementation, and other aspects of quality assurance. Aircraft manufacturers and other entities are subject to strict safety regimes; for example, they may have remarkably low tolerances for failure. Other industries, where the impacts are not so grave, may have considerably lower thresholds. Thus, given that an engineer may ensure that an aircraft design will work 99.5% of the time, whereas another engineer may only have to ensure that his product will work 75% of the time, we have our first significant difference in fragility. This fragility, however, is often based on averages, norms, or set ranges of conditions. These norms or averages are used to provide that final calculated value that gives us that assurance regarding the design. We know, however, that as conditions change, they may have an impact. Personnel may be less able to perform tasks in extreme heat or cold, assets may be susceptible to certain conditions (e.g., low humidity leading to static electricity near computers), facilities may require that certain environments be maintained, information may require certain systems for handling in order for it to be considered trusted, etc. As we look at the item being examined (similar to a target), we may find that certain inputs into the system do not perform as well under certain conditions—for example, workers in high-heat areas may not be able to exert themselves the same way. This leads to the second type of fragility, natural fragility, so named because it is based on how the target would perform within the immediate environment. As has been noted by scientists and poets alike, change is a constant within our environment. Cyclical fragility brings together the major elements discussed earlier—the concept of systems being sustained by the efforts of various inputs (persons, objects, facilities, information, and activities), the concept of capacity and demand attempting to maintain a level of equilibrium, and finally the fragility that is intrinsic at each point of time within the system. For personnel, there are a number of cycles that one must remain aware of. In the longer-term view, we have the current issues associated with an aging population and the impact this will have on corporate knowledge. At the same time, there is the time involved in developing bodies of knowledge and communicating

30  ◾  Critical Infrastructure

it to people, such as what we are seeing with the convergence issue. Within the medium term, the life cycle associated with business and with labor contracts provides another example. At the very short and immediate end, one might even argue that the various cycles are associated with fatigue and attention spans. As one will quickly realize, many of these do not impact the security realm—but have a significant bearing on the concept of critical infrastructure assurance when looking at potential sources of disruption. Assets face similar challenges. When engineers design things, they generally include a life cycle based on adherence to a specific maintenance cycle and without certain constraints. We see this with our cars. They are anticipated to last a certain period—but only when you do not abuse them and keep the necessary maintenance up to date. Perhaps the most advanced bodies of knowledge in this regard involve life cycle management and safety programs. These programs track the use, maintenance, and age of assets as part of a means of reducing the risk of failures that can lead to either loss or accidents. Again, this type of approach has a significant bearing upon critical infrastructure. Facilities provide a nexus between two types of cycles. The first cycle, the age and usefulness of the facility, can be linked back to the same issues associated with assets. Materials deteriorate and require replacement. Structures become outdated in terms of the infrastructure they can provide. Another variable, weather, plays a significant role. Again, in the longer term, seasonal changes can affect the ability of persons, assets, or activities to perform as intended. Although some of these may be reasonably innocuous (e.g., a slight change in temperature), others may be profound, such as periodic flooding or dry spells. In the short term, the simple change between day and night may lead to different levels of risk. Information and data, however, are somewhat different. In this context, the cycles are not attached so much to natural conditions, but rather to operations and what the information describes. Consider, for example, a table associated with the movement of a container—the value associated with the movement of the container shifts as one moves across the planning stage, through coordination and monitoring, and finally into audit and review. The cycles associated with information, one might argue, are inexorably linked to the timeliness and relevance of the data and what they represent. Finally, consider the concept of activities. Cycles play a factor here. Looking at activities, we cannot ignore the effects of fatigue associated with persons and their assets. Thus we cannot ignore that various activities are more relevant at some points than others. These are generally associated with operations and coordination— points that permeate various systems and processes. So how do these factors impact critical infrastructure? The answer lies in the need to ensure that the critical services are, in fact, available on demand and can be relied on from a quality assurance perspective. Although this approach argues that these five categories (persons, objects, facilities, information, and activities) cover significant aspects of a process, it is still incumbent on those

Demand, Capacity, Fragility, and the Emergence of Networks  ◾  31

conducting assessments to examine each process thoroughly. The challenges associated with convergence and new ways of thinking play a significant role given that those deficiencies in current and forecasted ways of doing things lead to gaps in understanding and knowledge with respect to the risk to critical infrastructure.

2.5.4 Fragility and Destabilization of Systems At the regional or small system level, all the factors cited above have an influence on the capacity of the system. These influences can skew the balance between demand and capacity, shifting it in ways that lead to situations involving push, pull, lag, and delay. Where these influences stem from single infrastructure points, the effect manifests itself first in that local area. Depending on the nature of the effect, it will then influence those areas around it until the system is able to naturally restore balance. The immediately impacted area will often depend on the level of capacity delivered by the infrastructure into the overall system. A relatively inconsequential or insignificant piece of infrastructure may cause some destabilization within an area that can be corrected reasonably quickly. On the other hand, where a key piece of infrastructure is disrupted, the immediately impacted area may be much larger and the system more destabilized; for example, the removal of a central hub within a transportation system or a key power production facility. How these disruptions cascade through the system will again depend on the system resiliency and redundancy. The second consideration is where the full small system is impacted. The factors involved in this case are those that span the full system—in any of the categories of personnel, assets, facilities, information, or activities. We see this illustrated in terms of weather, labor disruptions, certain types of cyberattacks, and similar types of threat vectors. Where these are involved, the capacity in the overall system becomes diminished, again leading to disruption of the equilibrium between demand and capacity.

2.5.5 Fragmentation and Dissolution of Networks Fragmentation and, catastrophically, dissolution of systems occurs when elements of the system are no longer able to communicate and coordinate their activities, essentially becoming individual entities encapsulated within the system. Although the local level looks at this in terms of a disruption, the same can be said at the small system or regional level. Following a disruption at an infrastructure point (e.g., a facility), the next phase involves fragmentation. Although the concepts of push, pull, lag, and delay provide a mechanical description of the system-level impact, one can also divide the impacts into two broad categories.

32  ◾  Critical Infrastructure

The first category concerns disruptions involving the loss of infrastructure. This category involves situations where the infrastructure essentially fails, resulting in the contribution of capacity being lost to the system. We have seen these types of events in a range of bridge collapses, failures in the surface system, manufacturing sectors, and so on. When that infrastructure is lost, the capacity is lost, and the loss of capacity skews the equilibrium between demand and capacity in such a way that the system suffers disruption until it can rearrange itself by determining new options on how to meet the demands placed on it. Fragmentation occurs under two conditions. First, the disruption may be at a key point that severs two parts of the system, essentially creating a number of smaller systems until it can be reestablished. In this context, the concept of fragmentation comes from the loss of what could be considered a key resource. It may be characterized by a single event, and because of its localized nature, there may be a significant focus on building up the robustness in terms of its ability to withstand impacts. The second category involves conditions where the system essentially fills due to a surplus of demand combined with a reduction in capacity. If the capacity of the system involves a rate, then that rate becomes a very important factor, particularly where the system is working at near capacity. A reduction in the rate of being able to handle demand is essentially a reduction in capacity—and when demand is approaching the limit of capacity, then the system will begin to fill. Once the system is filled, and if the demand continues to try to exploit the capacity, it will not be able to do so. As a result, the system will gradually slow down and, if the reduction in capacity is serious enough, the operations will abruptly halt. This essentially fragments the affected area from the system, although recovery can be attained once the rate at which demand is handled allows for the system to clear itself. Dissolution of the network involves fragmentation at a catastrophic level. In this case, the impacts are adequately severe so that the various components within the system can no longer communicate with each other. The end result is that the network becomes a community of individualities, unable to coordinate its activities. Dissolution of the network becomes a real risk where the network relies on a single service, a single type of service, or is subject to a sector-wide vulnerability. Again, we have to return to the concept of persons, objects, facilities, information, and activities at this point. As with BCP, the concept of having single points of failure at the network’s strategic level should be anathema.

2.6 Dissolution and Convergence: An Emerging Risk Where all aspects of an infrastructure share common characteristics or where systems rely on a common point of service, the overall infrastructure or system becomes vulnerable. Given the trend toward convergence and network-enabled

Demand, Capacity, Fragility, and the Emergence of Networks  ◾  33

infrastructure, it would be worthwhile to include some brief and introductory comments regarding the risk of dissolution and the concept of convergence.

2.6.1 Convergence, Network Expansion, Open Architecture, and Common Criteria The increasing reliance on networks illustrates one potential avenue that could become a sector- or system-wide vulnerability if not handled diligently. First, convergence describes a condition by which the physical and asset protection infrastructure is becoming increasingly network enabled. Similarly, operational networks are expanding with new partnerships being formed to streamline delivery of services. The concepts of open architecture and common criteria pose a significant challenge at this point. By publishing the open architecture and common criteria, a determined attack planner can identify certain characteristics that are common across the system and can attempt to reverse-engineer those characteristics or criteria in an attempt to determine a weakness. Given that both of these concepts communicate on a global scale, one can only assume that this potential threat vector is likely to occur. However, the same concepts, in their development, also allow for a wide community challenge to the architecture and criteria, thereby reducing a number of the vulnerabilities in the system. The key here is in allowing for that broad and diligent consultative period before moving the overall structures into the public domain. This concept has been a challenge for cryptographers and crypto-analysts for quite some time. The result is reasonably simple. The encryption process uses a similar process in the development of new methods of protecting data against unauthorized disclosure or modification. For the critical infrastructure sectors, the principle may be similar. On one hand, the common criteria and open architecture may be globally available, but the specific and detailed information necessary to exploit something at the local level remains hidden from view. Again, however, the concept hinges on an approach that was rigorously challenged at the front and then monitored in terms of its effectiveness.

2.7 Marking the Journey Up to this point, we have looked at a theoretical situation that describes critical infrastructure assurance as an overarching, system-based, mission-focused view of how critical infrastructure sectors have evolved over time. One might ask why this appears at the relative start of the work. The answer lies in three important steps. First, we understand the nature of the changes that occurred as a result of 9/11. Many of us do not realize that the changes at that time were a fusion of the changes that followed the Y2K concerns of 1999.

34  ◾  Critical Infrastructure

Second, by providing two benchmarks based on the first and second editions of this work, we can define some of the changes to date. The first edition marks a point where one might argue that Western society was in a significant mitigation phase with respect to the 9/11 attacks—the term mitigation being used in its emergency preparedness context of those immediate steps used to contain damage. The second edition came at what might arguably be at the end of that phase. Third, we understand that the business of CIP, homeland security, and similar programs will continue to evolve but are likely to do so at an accelerating rate. We have looked briefly at convergence and the challenges of an evolving hybrid (physical and cyber) threat. There is also a new pressure to address economic and social issues—it may be argued that the old way of doing business (massive contributions and spending) is about to dry up as we look at renewed fiscal responsibility and restraint. Finally, the people involved are changing—from the retirement of many of the Cold War era security specialists through the process and systems engineers who defined what we now call critical infrastructure. Thus this final step is about looking back into the past, and then looking at what is in place today and understanding and questioning the changes that have taken place. Finally, it is about extrapolating that information into the future to best estimate what is likely to be.

2.7.1 Overview The period following September 2001 was a period of treaties, legislation, and ­regulation—much of it done quickly to respond to perceived needs. The marine industry is the clearest example of this, where entirely new regimes were constructed from an amendment to a safety code (Safety of Life at Sea [SOLAS]) in response to the events.

2.7.2 Legislation: 107th Congress (2001–2002)12 As we look at the legislation that has been passed since the 107th Congress (2001– 2002) and up to the 110th Congress (2007–2008), we see what may be described as the response to one block of activity. In the 107th Congress, one might argue that the focus was on immediate responses to events—particularly within the transportation sector (particularly aviation, seaports, and pipelines), border security, dams, and the beginning of the push into cyber security. One must also note the legislation that gave rise to the Department of Homeland Security.

12

http://thomas.loc.gov/cgi-bin/bdquery/z?d109:HR04954:@@@D&summ2=m&|TOM:/bss​ /d109query.html (alt URL: http://cipbook.infracritical.com/book4/chapter2/ch2ref5.pdf).

Demand, Capacity, Fragility, and the Emergence of Networks  ◾  35

2.7.3 Legislation: 108th Congress to 109th Congress We see, from the 107th Congress through to the 109th Congress (inclusively), a shift from the very general legislation to issues that are more granular. For example, in the transportation sector, we see the initial marine security bills being general in nature, whereas in 2006, marine security was beginning to legislate the approach of layered defenses (HR4954) and increasing granularity up to 2008. We also need to understand that legislation, where none exists, can be challenging in democracies. As a result, we also see, particularly in Canada and the United States, a gradual shift from legislation to regulation through rule and measure making. There are challenges with this approach—the oversight mechanisms for each of these are fundamentally different. Although not fully examined, one might wonder if there is a research opportunity for someone to examine the nature of this shift with respect to the oversight mechanisms used to create it.

2.7.4 The State Today: A Recap Today’s situation puts the critical infrastructure protection and critical infrastructure assurance domains at a crossroads. First, there are significant resource issues. The collapses within the financial and automative sectors continue to impact, although at a reduced level, the economic engines but with new issues arising, particularly in the real estate market. An increasingly interconnected world is characterized not only by an increased availability of information, but also misinformation. Conflicts continue but are showing signs of greater distribution—with conflicts not being limited to major conflicts but a host of smaller regional issues. Finally, there is the challenge of the reducing tax base caused by an aging population that packs two punches— reduced income through management of fixed incomes (pensions, etc.) and lost earnings (in terms of income tax), as well as the costs to social security and social support programs. In essence, one might argue that although the cupboard is not bare, we have certainly seen the back of the cupboard and realized that things cannot carry on as they have. Second, there are significant knowledge base issues. The aging population noted earlier also carries within it a significant portion of the corporate knowledge associated with the infrastructure involved. We are also finally beginning to make the shift from an asset protection mode (some would theorize this being a mitigation response to 9/11) back to an infrastructure assurance mode where a new level of understanding has to be overlaid on top of traditional security and protection approaches. The issues of convergence mean that traditionally separate communities will now be forced, through necessity (even if to survive in the economic sense), to interact and cross-pollinate, and as we address these issues within our own community, our adversaries and competitors are working on harnessing opportunities provided in the new structure and our readiness to accept it.

36  ◾  Critical Infrastructure

Finally, there is the concept of public-private partnerships. With significant portions of the infrastructure operating outside of federal, or even government, ownership, governments have had to adjust their thinking from a span of control approach (e.g., through the dictating of plans) to a span of influence approach (indicated by the shift toward frameworks).

2.7.5 Research and Understanding For those involved in CIP, homeland security, and emergency preparedness, these are also exciting times in the research community. The concepts described here are those that are openly researched in the community—concepts that are driving new technologies and approaches to infrastructure management. These concepts also cause friction between communities, particularly those that are firmly attached to rigid doctrines and dogmas and are unwilling to expand the breadth and depth of those approaches into new areas.

2.8 Authors’ Notes Flexibility in thinking for the professional can be challenging—particularly when the profession demands that the professional remain compliant with a certain approach or in line with a certain body of knowledge. Today, the infrastructure and asset protection communities have a plethora of certifications that can be applied to certain aspects or sectors. Within organizations, there is a certain inertia that resists change. Pride in the organization’s culture, heritage, or traditions can be either an anchor in the storm or an anchor in the race to reach new destinations. The key is to see the anchor for what it is—a tool that needs to be applied correctly. Will organizational issues be a help or a hindrance—and can the conflicts and frictions that inevitably come with changes of culture be managed effectively, or will they pose greater vulnerability to the infrastructure in question? Finally, where does the leadership in the critical infrastructure assurance question lie? Does it lie with society and its duly elected representatives, or does it lie in the private sector? If you have a specific answer to the question, what does this mean to the role of government and oversight? What if times change and new approaches are needed? Is our own organizational structure resilient enough to meet those challenges? These are some of the questions within this field—making it awesome in its scope and more than a little exciting in terms of its application.

Chapter 3

Beyond National Frameworks 3.1 Introduction This chapter outlines the movement beyond national frameworks to international frameworks. This most closely reflects the international nature of delivering the services associated with critical infrastructure and moves somewhat away from the administratively driven protection of physical infrastructure. While still early, we can perhaps track these efforts based on strategic interests (such as in energy) and economic ties (supply chains, etc.).

3.2 Meeting the Dragons on the Map Ancient maritime maps marked the edge of known territory with statements such as “here be dragons.”1 From an administrative and policy perspective, we are entering a period where there are significant opportunities and risks that are becoming apparent. With the increasing complexity of issues and the continued movement towards global supply chains, governments are arguably the de facto final authority. Governments

1

The phrase “here be dragons” symbolizes areas that are considered dangerous or are unexplored territories, and is usually represented through demonstration of the practice of putting mythological medieval dragons, sea serpents, and other mythological creatures in uncharted, unexplored areas of maps and sea charts.

37

38  ◾  Critical Infrastructure

maintain control over their sovereign territory, but in terms of the realities of commerce, trade and critical infrastructure, they are no longer the pre-eminent player on the stage. For the first element, governments have been forced into largely collaborative roles if they wish to remain competitive and those that forget this point do so at their peril in an increasing complex environment. While some critical infrastructure sectors may operate with a limited number of operating partners (such as the energy sector in North America), the supply chains that service this infrastructure have grown more complex. Components may originate from a range of locations and, depending on the regulatory action being taken by governments, one misapplication of regulations can actually result in disruptions of supply chains that carry critical parts. Prescriptive regulatory frameworks can fall into this category over time as new threats evolve, and vulnerabilities become more apparent for the adversary, meaning that an organization can continue to remain compliant, while at the same time, now be insecure. In addition to the supply chains, the inter-connectivity of systems, such as the banking/financial services infrastructure, can lead to a requirement for governments to not only protect the infrastructure but to do so in a way that does not jeopardize sometimes precarious balances that can affect markets. Within the realm of transportation, the varied application of the international conventions by member states (such as those offering flags of convenience) may pose challenges to international bodies that are not willing to tolerate previous practices, particularly in more sensitive environments such as the Arctic. These kinds of challenges will force national or designated authorities into far more complex and collaborative roles than they are accustomed to. The second element involves the private sector in lobbying international bodies that form the international conventions that become the basis for the national laws of signatory states. As the need for collaboration increases, the ability for private interests to insert themselves into lobby and consultative processes also increases. For example, a trade association may develop its own requirements within an industry and then promote those requirements to an international standards body that then becomes the basis for inclusions in an international convention. The signatory states then take their requirements back to their various legislative bodies to be integrated into law. The end result of this is that the private sector entity, through effective lobbying and manipulation, manages to take its requirements and then have them enshrined in legal structures in a roundabout way. And this is why we can call this the territory of dragons. It is not because of potential threats. It is because these international frameworks operate at a level where their foundations are based upon the agreement of friendly competitors with secrets held between them and not necessarily a single altruistic interest. For example, in addition to the National Response Framework (NRF) and National Response Plan (NRP), there is the Canada-United States Action Plan for

Beyond National Frameworks  ◾  39

Critical Infrastructure.2,3,4 This document openly recognizes, in its objective, the “interconnected nature of critical infrastructure”5 and the need for collaboration across the border.6 One can also see this in The European Programme for Critical Infrastructure Protection,7 which one may argue is slightly more mature, given its inception through communication from the commission of December 12, 2006.8 When we contrast the situation in North America to that of the European Union, the potential for critical infrastructure supplies to be used as part of a more holistic conflict become quite apparent. In North America, we see an emerging but relatively benign conflict between Canada and the United States on the trade front (benign in that we are not talking armed forces here but not to make light of the economic impacts regionally). While the United States imposed various forms of duties on Canadian softwood, British Columbia’s reaction was to request that Ottawa eliminate the movement of thermal coal through the port of Vancouver. This not only had an impact on the stock prices of Westshore Terminals at the time, but also called into question the stability of coal shipments to Asia.9 Another example of conduct coming under direct threat as a result of conflict involves the gas supplies moving into the Ukraine from Russia. While Russian gains in the area included a number of potentially rich energy sources, including much of the Black Sea off-shore reserves, the second factor involved the potential for the disruption of the gas supply to affect many of the EU countries. While as much as forty percent of the EU natural gas is moved through the Ukraine, the recent vote by the US Senate to strengthen sanctions against those companies that support Russian energy export pipelines was responded to negatively as a threat to the EU energy supply by both Germany and Austria. The main contrast here is one of complexity—while the Canada/United States dispute is relatively simple in terms of complexity, the use of the critical natural gas supply from Russia to Europe is complex and fits into a much larger picture that encapsulates not only political competition in a http://www.dhs.gov/canada-us-action-plan-critical-infrastructure (alt URL: http://cipbook​ .infracritical.com/ book3/chapter3/ch3ref3.pdf). 3 http://www.publicsafety.gc.ca/prg/ns/ci/cnus-ct-pln-bkgr-eng.aspx (alt URL: http://cipbook​ .infracritical.com/ book3/chapter3/ch3ref4.pdf). 4 http://www.dhs.gov/xlibrary/assets/ip_canada_us_action_plan.pdf. (alt URL: http://cipbook​ .infracritical.com/ book3/chapter3/ch3ref5.pdf). 5 http://www.dhs.gov/xlibrary/assets/ip_canada_us_action_plan.pdf. (alt URL: http://cipbook​ .infracritical.com/ book3/chapter3/ch3ref5.pdf). 6 http://www.publicsafety.gc.ca/prg/ns/ci/cnus-ct-pln-eng.aspx (alt URL: http://cipbook. infra​ critical.com/book3/chapter3/ch3ref1.pdf). 7 http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/06/477 (alt URL: http:// cipbook.infracritical.com/book3/chapter3/ch3ref6.pdf). 8 http://europa.eu/legislation_summaries/justice_freedom_security/fight_against_terrorism​ /l33260_en.htm (alt URL: http://cipbook.infracritical.com/book3/chapter3/ch3ref2.pdf). 9 One can find this story in the public domain through a range o media sources, including http://www.cbc.ca/news/canada/british-columbia/b-c-moves-to-ban-u-s-coal-transport-in​ -retaliation-for-softwood-duties-1.4086688 2

40  ◾  Critical Infrastructure

multi-polar world but also as part of an armed conflict with diplomatic and commercial implications.10 Where is the tipping point in this balance? While state actors can certainly exercise influence over the supply chains, they do so at critical political risk. With Russian exports of natural gas making up a significant part of the EU natural gas supply, it becomes a tool by which political influence can be wielded. The structure is simple: apply too many sanctions or sanctions that become intolerable, basic elements of supply-demand economics can push your natural gas heating costs up significantly as the supply is impacted. The question then becomes whether or not those applying the sanctions have the stomach to carry it through. This is where we see the multifaceted complexity of the Ukrainian issue in great detail. While sanctions are applied by the United States against the Nord Stream 2 gas pipeline, the impact is most keenly felt not in the United States but in Europe. From the critical infrastructure protection perspective, this movement has a significant impact primarily on German economic interests but also impacts the European energy security planning on three levels. The first is that it drives a wedge deeper in the conflict between the United States and Germany which will simply make further efforts to resolve a broader range of issues more difficult and which may spill into other sectors (including strategic and military). The second level is that it reduces the potential for the EU to have a second system able to carry Russian exports—this time under the Baltic Sea. It may be worth noting and watching the interaction between Russia, Estonia and Latvia over the next few years as this project and similar projects interact with expanding military activity. These kinds of strategic activities pose significant challenges to political and military planners that have to look at a much broader battlefield than the traditional limited wars over the past thirty years. The third element to this is economic. In Vancouver, the Westshore Terminals stock fell significantly with the political announcements on the ban of movement, particularly through Delta Port which is largely reliant on coal exports. The expansion of the Nord Stream 2 pipeline, however, also has a significant impact on Western European energy companies that can face an increasing supply of Russian natural gas into the market and undermining their competitive position and share prices. While these kinds of influences are not new (Russia has cut natural gas supplies a number of times over ten years), they appear to be more readily available in the political toolbox. While the issue in BC was in direct response to the softwood lumber trade conflict, much of the public messaging (necessary to maintain political support) was directly linked to climate change in a tactic that was used with some success to undercut the success of the pipeline projects and activities in the Oil Sands of Alberta, Canada.

10

There are several analytic articles that discuss various aspects of this, including https://www​ .ft.com/content/27e28a44-51b0-11e7-a1f2-db19572361bb

Beyond National Frameworks  ◾  41

It would appear that there is a significant potential for what may be described as a significant or near-perfect storm on this front. While state actors use sanctions and supply chains to wield influence at the strategic and political levels and those actions impact private interests, there is a possibility that those private interests will attempt to protect those interests, particularly during the consultative processes and regulatory development processes as best able. While one might argue that this has been an ongoing challenge, the primary different here is that the government and international body reliance on these outside consultative processes may result in a situation where those interests take steps that essentially hijack the processes as they react to protect themselves.

3.3 Who Owns the Treasure? While the international influence caused some discomfort for domestic groups, the current structure causes a much broader level of discomfort. On one hand, the international influence continues to appear (to some) to erode national sovereignty, and thus allow foreign interests to emerge into what were considered domestic issues. On the other hand, the inclusion of private sector mechanisms at the foundation of processes that are intended to be relatively benign creates its own level of concern. Standards organizations are intended to operate apart from political or individual interests and processes. When these processes are influenced either through the inclusion or exclusion of participants, or through the structure of the consultative process, then there is a possibility that the overall process can be hijacked. This can then be brought into diplomatic and legislative processes by being concealed as being a neutral process free of such influence. National frameworks and their plans may be described in terms of what we want to see happen for certain sectors. They are linked to the priorities of government, which are in turn linked to the government responsibility to protect its overall population. What is apparent is that these economic and defense (including critical infrastructure protection) frameworks continue to have divergent views. Consider the concept of national security reviews in the trade structures between Canada and China. Recently, the Canadian government indicated that there was no need for a significant national security review of the sale of a high-tech company to China, even though the company was directly involved in a number of defense contracts and services. On the other hand, China continues its practice of requiring National Security Reviews under the authority of its Panel as a matter of course even if a foreign entity begins to purchase significant blocks of shares in a previously domestic company. While China appears to have identified, acknowledged and put into practice controls to protect its own national security, one may draw other conclusions when looking at certain examples in the West.11 11

https://www.whitecase.com/publications/insight/national-security-reviews-global-perspective​ -china; https://www.oesrc.researchcompliance.vt.edu/node/39

42  ◾  Critical Infrastructure

International agreements are best described in terms of what can we live with. If any lesson has been taught in the recent series of conflicts, it is that even through military might and conquest, one is not necessarily assured that the outcome will be exactly what one wants. In negotiations, which are less intense than war, the goal is to be able to project your own interests outwards while protecting your core values against undue or inappropriate influence. In short, the question of national sovereignty is answered by making nations ratify agreements or include the requirements of agreements in their own legal structures. So we all own the treasure—but we own it in terms of a community of signatories and not as individual signatories. From a pure perspective, this does result in some erosion of national sovereignty because we cannot deviate from our agreements without also making the decision to go against our commitments that are part of our belonging to that community.

3.4 What Value? The treasure can be defined in how these international agreements respond to the challenges that arose when nations were operating in isolation. This is another reason for looking at the international agreements in terms of an evolution of previous efforts and not a catastrophic shift in philosophies. In short, we drifted onto the right part of the map.12 The core of these agreements focuses on the sharing of information. This information is used to develop awareness of the threats to infrastructure, how infrastructure operates, and how the various sectors (both public and private) would respond to incidents. In Canada, this information sharing aspect has undergone clarifications in 2015 through mechanisms such as the Security of Canada Information Sharing Act that allows federal entities to share personal information under a limited number of conditions but which essentially streamlines the ability to move that information in a more timely and seamless manner.13 Concurrently, Canada and the US have also expanded a number of emergency plans in support of maintaining critical infrastructure services that move between the nations, including in the Canada-United States Framework for the Movement of Goods and People Across the Border During and Following an Emergency and which continues to support the overarching set of activities that led to the Government of Canada and the Government of the United States of America Emergency Management Cooperation that was set down in December of 2008.14 12 13

14

Utilizing the analogy of dragons and sea serpents on maps and sea charts. The conditions for the sharing of information can be found publicly on the Public Safety website at https://www.publicsafety.gc.ca/cnt/ntnl-scrt/cntr-trrrsm/shrng-frmwrk-en.aspx. One can find the public release of this at https://www.publicsafety.gc.ca/cnt/ntnl-scrt/crtcl​ -nfrstrctr/mrtm-nnx-cnd-ntd-stts-frmwrk-en.aspx.

Beyond National Frameworks  ◾  43

While this is a noble effort between governments, systematic challenges continue to exist. One of these continues to be the “air-gap” between the government (often the regulator) and the private sector (the regulated). Although intelligence products are generally distributed through public (meaning government) lines of communication, the majority of security incidents and vulnerabilities reside within private sector entities. The private sector organizations often form associations (or something similar) that can come together to share information, but this is often taking place within a closed context. Consequently, one can only make a general assumption that the data and information that is needed to generate the intelligence products is complete and accurate. This breaks the cycle of credibility that is the foundation for policy decisions that ultimately points towards legal and regulatory reform. Closed councils and other systems that hold the regulators at arm’s length and regulatory systems that move directly to enforcement even with those attempting to work with the regulators to find solutions will continue to support this air-gap. If the data and information that feeds into the system cannot be trusted entirely in terms of its completeness or accuracy, then the decisions that are made at the policy level will be based on incomplete information. That, in itself, leads to the potential for vulnerabilities to be overlooked, to be incompletely defined (or described), or not to be understood in terms of their significance. The problem here can be boiled down to one question: “who is going to blink first?” Government systems are well-entrenched in their regulatory processes and continue the argument that these processes must be fair, impartial and consistently applied and the general approach is that nobody in regulatory enforcement is actually “off the clock.” On the private sector side of the coin, senior management and associations will continue to protect their organizations as a matter of survival and will not simply compromise the business operations that could be subject to disruptions due to increased oversight or become the focus of increased losses through administrative monetary penalties and other regulatory enforcement tools. In short, there needs to be a way to work past the impasse. One option involves the use of university or other academic communities that can act as the focal point of information and analysis activities. This approach was looked at both north and south of the border as part of the efforts to look at various forms of vulnerability assessments and to identify emergency management challenges. Two things became apparent. First, universities themselves are essentially business efforts and while one might cast back to the altruistic view out of the Renaissance, one might look at academic institutions as being more in terms of being caught in an Industrial Age of “produce or die” with respect to research and information-based products. The second aspect is that academics, while extraordinarily intelligent in many aspects, work in a very different information paradigm that involves the broad sharing of information—including in this case active vulnerability information—that meant that there were significant concerns that the vulnerabilities would become public knowledge before any solutions were found

44  ◾  Critical Infrastructure

and implemented. The academic community, therefore, became a second air-gap in that both the government and private sector both had concerns regarding the sharing of information. Finally, as academic institutions were often in competition with each other, competition between institutions also played a factor—particularly where government funding was brought into the picture. To resolve the impasse, the system needs to answer two questions. First, how do we move from a competition where the funding overtakes the work? Given that the role of government involves protecting (or assuring) the safety, security and economic well-being of its citizens or the national interest, one might propose that the governments would be the source of that funding. This also tracks to the fact that government revenues are based on taxes which should ideally be used to support the public interest. This would alleviate a common pressure on the academic institutions and industry that do not have the same sources of revenue. The second element involves establishing neutral territory that can operate outside of the normally competitive frame. To be clear, there needs to be some way to remove the concept of “competitive advantage” from the work involving analysis and assessment of these kinds of vulnerabilities; however, this means that what has become a lucrative market for some would have to be discontinued. This may involve establishing a commonly-accessible means of obscuring the data and information so as to reduce its utility (in the sense of targeting) but leaving it intact enough to be useful as publicly-distributed and available information upon which the normally competitive entities can build and promote their solutions. Those involved in the development of “open-sourced” solutions will already be familiar with this approach when developing new applications. The core difference is that this data and information would in its own published or available state that is protected, in perpetuity, as public domain information under the authority of the governments using the existing information sharing agreements. The key to implementing this kind of system lies in the understanding of the value of intelligence. While intelligence can be generally useful, it is often not actionable. This means that an entity (usually with some form of hostile or competitive intent) can take that intelligence and identify a means or opportunity to use it for its own advantage or to the disadvantage of the subject of that intelligence. Removing the actionable element from the intelligence product may mean that it can be communicated within the closed community of the involved academics, regulators and industry participants but that a sanitization process would be applied to remove specific nouns (as these identify locations, operations, or timing that may allow an attack to proceed) before the information becomes widely available. This raises the age-old challenge in security: how much security is enough and does it go too far? One might propose that the methodology used by IT threat profiles may be useful. In this structure, each partner would identify the information what specific information and kind of information should be withheld from the public view. The second step involves determining what information (under the “need

Beyond National Frameworks  ◾  45

to share” regimes) would be necessary in order to garner the best results for those analytic and assessment processes. Where such information was tagged as being too sensitive, but also necessary, closed communities would be formed that could meet both needs. The next element involves determining how to communicate that information. While the technology necessary to “tag” information has existed for some time, it needs to be integrated into basic information management practices. Tagging information involves labelling information so that its value is more readily apparent to systems and individuals. This would allow such tagged information to be automatically included or screened out of the information that is provided into cloud environments. While potentially counter-intuitive to many information security specialists, this is one of the areas where cloud-enabled technology can be controlled within a community for the sharing of information. Linking the tags to an identity-management and access control measure that deals with screening tagged information in or out at a subject-object level can lead to relatively significant reductions in risks of inadvertent disclosure. Let’s look at the level of synthesis that needs to occur in today’s environment as compared to our current information sharing paradigms. The traditional paradigm involves simple data classification within established communities based on relatively known operations with consideration to identifying additional entities that could be of value and trusted to participate within the system. If we look at this in terms of decision-making paradigms such as the Observe-Orient-DecideAct (OODA) model, this structure is not nearly resilient and fast enough to operate in an environment which can be characterized primarily in terms of evolution and change. In the recent past, the challenge was being able to form and dissolve groups that could meet specific challenges. Today’s competitive environment which is energized in terms of the ability to gather information and communicate it far more rapidly than ever before has moved even beyond this phase to one where it is not the act of forming the groups that is critical, it is the ability to be able to set the parameters for group participation and then identify the timing on when to form and dissolve those groups that has become critically important.

3.5 Target Audiences There is an old adage that you have to write for your audience. This situation is no different. While the international agreements will define how states interact with each other, the national structures and frameworks continue to be of utmost importance to commercial organizations. The question is no longer whether or not to write for the audience, but who actually is the audience? This is because the process is now a three-step process, one of which is somewhat less visible to the general population. The first step, nearly invisible, involves the setting of the agreement that results in the creation of an international agreement. In these cases, the designated authority from each state will represent its own

46  ◾  Critical Infrastructure

public and private interests at the table. The fruit of that agreement is more directly applicable to nations than it is to the private sector. The second step is determined by the nation-state making adjustments to its own requirements that it places on its people. The third and final step becomes the various entities that fall under the control of that state making the necessary adjustments or incorporating the necessary requirements into their own efforts. At the grassroots level, the situation does not actually change all that much. The government entities responsible for overseeing certain activities make edicts and issue requirements, and the private sector looks at those requirements and integrates them into the working environment. It is for this reason that the NRF still remains very relevant. The framework itself may be adjusted to fit the new requirements, but it is still the cornerstone of the national program. This structure works better in some industries than in others. This is generally the result of two kinds of bodies that can write their own “variations” on the theme. The first group of bodies is the international associations that have been granted some level of authority in overseeing the activities of their members. Consider, for example, the North American Electric Reliability Corporation (NERC), which is “certified by the Federal Energy Regulatory Commission to establish and enforce reliability standards for the bulk power systems.”15 In this context, the state does not develop its own standards; it relies upon the international body to develop and enforce hose reliability standards, assess the adequacy of them annually, and monitor the bulk power system.16 This is the first variation on the theme. Remember that the main cycle involves the regulatory body going to the international body and then integrating the international requirements. In this case, the national body has shortened the loop by essentially delegating the international body to act on its behalf. In this case, the national endorsement of the international body can be removed by the federal authority should it be determined that the international body is no longer acting in line with the national interest. The second part of the variation involves the international authorities being able to exercise a level of direct oversight on the various individual members. Again, this occurs under the delegated authority (in this case certification) of the national body. This variation does incorporate some loss of national sovereignty in the sense that the international body interacts directly with the individual participants. The filter between the two groups is essentially removed. This is indicative of two situations—one where the overall body is clearly subject to impacts that can quickly affect the whole, and the second being where the issues are limited to technical issues. We see this in the evolution of the system following the August 2003 blackout that clearly demonstrated how far and fast impacts could spread through

15 16

http://www.nerc.com. Ibid.

Beyond National Frameworks  ◾  47

the energy grid.17 In this context, the requirement to maintain the electrical grid trumped political considerations, particularly during the response and recovery phases of the situation. While the issues surrounding the August 2003 blackout may illustrate a condition where the international body steps in more prominently to fill a technical role at the behest of the state, other conditions may still exist. These conditions do not involve the state delegating authority to some international body, but that the international body assumes authority because events are occurring in a vacuum. This can be seen in the international response to piracy off of the Horn of Africa. In that context, the International Maritime Organization (IMO) is charged with the “responsibility for the safety and security of shipping and the prevention of marine pollution by ships.”18 The variation on this theme involves the level of participation of the various individual actors—usually in the form of trade associations that are formed to represent certain interests. Instead of nation-states putting forward their requirement to the IMO and the IMO coordinating the overall response, one sees the IMO taking a front-seat role in the response, but the technical details of that response largely sidestepping the national priorities, many of which were not defined, and coming from the various private sector bodies without significant participation by the national bodies. This is particularly evident in the standardized contract put forward by BIMCO19 that pushed certain of its own priorities into the international arena, using the IMO as a voice to give its position authority.20 These two variations on the standard theme reveal a critical vulnerability within efforts to protect critical infrastructure. That vulnerability can be linked directly to the observe-orient-decide-act (OODA) loop of the international body and its national participants. The OODA loop is a structure that is used to measure the speed and efficiency with which organizations can adapt to changes in their environment. While the NERC structure was able to identify the change in its environment and adapt to it reasonably quickly, the challenges associated with piracy 17

18 19 20

The August 2003 blackout was significantly different in that while electrical events in the past had been investigated by regional councils, the size and scope of this event (affecting three NERC regions) led to the NERC assembling a group of international experts to investigate. This can be found in the North America Electric Reliability Council’s Technical Analysis of the August 14, 2003 Blackout: What Happened, Why and What Did We Learn? July 13, 2004, as found at http://www.nerc.com/docs/docs/blackout/NERC_Final_Blackout​ _Report_07_13_04.pdf. http://www.imo.org/About/Pages/Default.aspx. https://www.bimco.org/about-us-and-our-members/about-us In this context, the Baltic and International Maritime Council (BIMCO) met in a limited group to generate a standardized contract referred to as Guardcon. It was revealed in the explanatory notes to Guardcon that a number of the requirements were put in place in order to affect changes in the industry that BIMCO had been pushing forward, including reducing the number of smaller security companies offering antipiracy services. Once Guardcon had been circulated broadly throughout the private sector clubs, the lack of resistance by IMO became the tacit approval for its use.

48  ◾  Critical Infrastructure

and international shipping cannot make the same claim. The difference here lies in the level of control that is assumed by the international body. The NERC is very clear in that it is certified by national bodies to perform certain roles that interact directly with the individual members. On the other hand, the IMO is equally clear in its role as a coordination body that does not produce requirements, but rather issues guidance that is to be brought back to each individual nation. In short, the OODA loop involving NERC is relatively clear in that it is comprised of a single cycle that acts within a context set by the various certifying (i.e., national bodies) participants. The OODA loop for the IMO, however, can be described as being complicated in that, as a more participatory body, it can be vulnerable to situations where the individual participants fall prey to a slow or poorly defined OODA cycle.

3.6 Expanding Beyond the Traditional Response In the third edition, the ability to respond to significant events was still emerging and still refined. The Incident Command System (ICS) was well known but organizations were still refining their roles, responsibilities, and authorities with respect to how they would respond to major events. Organizations had a good understanding and baseline knowledge of how to respond to traditional events. This knowledge was put into practice during a number of significant events (floods in Louisiana 2016, Fort McMurray Wildfires, and several localized events) and it is clear that organizations have established and are maintaining a cycle of lessons learned. For example, there were issues associated with the integration of federal (military) forces during Fort McMurray wildfires but during the British Columbia (BC) the Minister of Public Safety was clear that such forces being deployed would fall under the BC Emergency Management organization. A new challenge has emerged within the timeframe of this edition. This challenge involves how to manage infrastructure across the public sector/private sector divide. This is not an unforeseen challenge (it was identified in the 2nd edition of this work) but it is now very apparent in a number of issues today. Three examples will be looked at. The first of these involves the destruction of the rail link between Churchill Manitoba and the rest of Canada’s national transportation (rail) infrastructure that has left a community isolated and at risk. The second issue involves the management of expensive energy infrastructure in circumstances where the cost of operations has overtaken any return on investment—a destabilizing factor within the electrical production and distribution grids that can have far reaching impacts across all sectors. The third element involves the current challenges in dealing with cyber-related threats that can disrupt critical services. Each of these three example point to a clear challenge with respect to moving beyond the traditional response frameworks. The events in Churchill, Manitoba began in June 2017 following a severe storm that disrupted the single rail line to the northern town and cut its critical supply

Beyond National Frameworks  ◾  49

lines (impacting energy, food, transportation). This event was widely reported in the news as it was a part of a series of very significant storms that have impacted central Canada in the spring and early summer.21 The rail line is owned by OmniTrax, a large rail company operating out of Denver, Colorado which has faced considerable financial challenges in the operating of that rail line over a number of years. The company has indicated that it has a plan that would involve the restoration of services but does not have the funds available to pay for those repairs and is seeking the participation of the federal, provincial and First Nation governments in covering the costs.22 The current situation directly contrasts the fire-fighting efforts in the west in that the situation in Churchill, MB currently has no clear leadership taking charge of the issue and there is considerable rhetoric and political efforts to position the accountability for the issue rather than fixing the issue.23 On one hand, the private sector OmniTrax has indicated that it has no funds for fixing the rail line and argues that the current discussions essentially position the rail line as a public utility that then falls under government responsibility. Whereas, the federal government has indicated that OmniTrax has responsibilities to maintain the infrastructure as the owner. What is clear is that there is a population caught in the middle with food prices that have already tripled and where heating fuel will have to be shipped in so that the community can withstand the winter months. In looking at the frameworks and the maturity of the frameworks, there is an apparent maturity in how the framework is applied as long as it is dealing with known and previously-encountered threats. The recent fires, while large and very damaging, still fall into the context of fighting forest fires—a capacity that has matured over time and long years of practice. As a result, organizations across the public and private sectors have adopted a common response framework (the Incident Command System) and have refined how they operate within that framework. The interaction between the public and private sectors in the context of critical transportation networks is more blurred and has only recently begun to be examined more thoroughly. While the aviation and maritime sectors have had security regulations for some years, the regulations for the Transportation of Dangerous Goods by rail is only now in the Gazette process (the drafting of regulations in Canada similar to the US Code of Federal Regulations) at the time of the drafting of this chapter. One might describe the current situation in the forest-fire fighting context as being in the “norming” and moving into the “performing” phases of group dynamics while the situation in

21

22

23

These reports can be found through a range of media, including at https://www.theglobeandmail​ .com/news/national/northern-manitoba-rail-line-cut-off-after-catastrophic-flood-damage​ /article35279392/. This is widely reported in open media as illustrated in http://www.cbc.ca/news/canada​ /manitoba/omnitrax-president-responds-1.4165559. This issue has been in media discussing this very aspect of the challenge and published through articles such as http://www.cbc.ca/news/canada/manitoba/propane-shipment-churchill-1.4215877.

50  ◾  Critical Infrastructure

Churchill is very much in the “storming” phase.24 The former has clearly started processes of continuous improvement that work towards the management of issues and the reduction of risks. The latter is still very much working on resolving who has what authority—a clear marker of the “storming” phase. This illustrates a clear vulnerability in how the response frameworks are being applied. Those that administer and manage the current frameworks (such as firefighting) have not evolved the concepts to address the new frameworks that will become the norm under a range of management structures like the public-private partnerships or the outright divestiture of critical infrastructure. Two factors contribute significantly to this. Within the context of governments, those that manage specific kinds of responses are often experts in either a specific issue or application (such as a Business Continuity Planner, Continuity of Operations Specialty or Emergency Manager). Their expertise may be applied, but the mechanics of bringing into force the controls necessary to give them the authority and ability to act are cumbersome. Within the private sector, the focus continues to be on the survival of the organization (profitability) and the private interests. What is clear is that the mechanism needed to bridge this gap is either not present or still within its infancy. What is also apparent is that there is a recalcitrance on the part of both parties to take the lead in what is a very expensive effort but it is also an issue that has a timeline as the infrastructure continues to degrade and the conditions that affect it continue to destabilize and deteriorate. Within this context, there are a number of potential avenues available to resolve this issue. The first, and likely most obvious, is an agreement with the force of law (in whatever form) that clearly defines what is considered to be critical infrastructure and whether or not the physical infrastructure being owned, operated or divested falls into that category. The second part of this would be a set of clear expectations and due diligence checks to ensure that the organization taking control of that infrastructure both understands its responsibilities but also binds the government to certain levels of support in maintaining those responsibilities. In a circumstance such as that of Churchill, the government would allow the private sector company to operate the line with the understanding that plans are in place (with appropriate cost estimates) and with certain funds for critical repairs being kept available. The federal and provincial government would allow that operation to: 1. Operate with certain tax benefits to take into account the need to maintain the viability of the line; and, 2. Indicate a maximum level that they could provide in the case of disasters that could be made readily available.

24

These concepts come from the theories put forward by Tuckman in the forming-stormingnorming-performing model in 1965.

Beyond National Frameworks  ◾  51

This would require a fairly careful approach to issues such as the divestiture of infrastructure—such as being proposed for a number of Canadian airports—and changes to how that infrastructure is regulated (a broadening of scope). One approach to this involves within the energy sector, such as the US Future Energy Jobs Act (FEJA). This approach sets the framework for the interaction between the energy company, the overall sector and the various levels of government so that the roles, responsibilities and authorities are clear. Part of this issue is becoming more apparent due to the costs associated with the operation of aging nuclear reactors—a primary source of power generation but one which is currently challenged as maintenance costs are overtaking any return on investment and the overabundance of natural gas. This kind of legislation creates a framework that can be divided into four major elements. The first element involves support for lower income entities to protect against rising costs of production and distribution. For example, the Future Energy Jobs Act (FEJA) in Illinois, commits up to $750 million for low income communities.25 The second element provides support to the producers and distributors to preserve the existing capacity (in terms of both production and distribution). Given that the electrical grid can be described as being in a carefully managed state of balance, preserving this capacity has both local but also grid-wide implications. The third element involves the identification of new opportunities that can be explored within the sector and to help the sector exploit those opportunities. The final element involves setting goals and benchmarks to work with the sector to evolve past the current challenge. This level of collaboration within the energy sector is clearly lacking when we look back at the transportation sector which has taken an approach of divestiture and cost-shedding. The structure evident in the FEJA approach is not one that is limited to the energy sector. While it is clear that the transportation system could benefit from this kind of approach, other sectors (such as the water sector) could use the template of this approach as a potential roadmap for dealing with emerging and evolving challenges. Whereas the energy sector may look at the expansion into alternative forms of energy generation, the water sector may look at innovations that reduce the burden on the water supply within communities, notably in water usage and sewage treatment. To address these challenges, one might put forward the following mitigation (in the context of the emergency management cycle): 1. That the public sector (government) clearly enable legislation that allows for the private sector to innovate in ways to meet public goals (such as environmental protection, reduction of waste, etc.) For example, a car wash facility would not be fined for recycling waste water that was still usable (thereby

25

http://www.futureenergyjobsact.com/about.

52  ◾  Critical Infrastructure









26

reducing the demand on a strained water infrastructure) but would be allowed to claim tax credits that reduce its operating costs in recognition of its efforts; 2. That the public sector (government) clearly set down criteria for infrastructure that delivers critical services and create lists of infrastructures that fall into those categories with the understanding that any arrangement for the operations of that infrastructure (publicly or privately) meet certain requirements, including continuity of operations. These lists exist in several contingency planning contexts at this time, but have not been routinely integrated into discussions such as those involved in the divestiture of infrastructure by government; 3. That the public and private infrastructure owners establish an infrastructure bank, with the support of the insurance industry, that can maintain levels of contingency funds on one hand while also working to improve mitigation and preparedness activities that would ultimately reduce the costs associated with the response and recovery from disasters or similar events. While this would introduce a third party into the fold, the charter for such entities could follow existing rules for not-for-profits with the exception of the maintenance of contingency funds; 4. The fourth element involves looking at the strategic issues on the horizon (ranging from sea-level changes, flooding, fire spreading, etc.) and deciding whether or not to limit new activity that could be susceptible to those threats, reposition existing activities that may be susceptible to those threats or simply to accept the consequences on the understanding that those impacted have been informed of the risks they face. For example, sea level changes and flooding are no longer expected to impact coasts a hundred years, the National Oceanographic and Atmospheric Agency has published reports that state that, in the case of continued activity and no change, the impacts are likely as early as 2030 (if not sooner) and most major coastal cities are now aware of issues associated with the increased severity of storms and storm surges. It may time to look at those environments and to take steps in one of the above directions so that such changes can be brought about gradually and not in a calamitous fashion; and, 5. The final element may be to increase the individual’s ability to withstand such events and to reduce the load on the various infrastructures. Changes to building codes can be made to incorporate the means of generating local power safety (i.e. not returning power to the grid where it could put workers at risk), reducing water consumption, incorporating practices such as those put forward under the Leadership in Energy and Environmental Design (LEED), reducing the risks associated with fire damage and other factors.26 One can find information on LEED in the USA at https://www.usgbc.org/leed and in Canada at http://www.cagbc.org/CAGBC/LEED/CAGBC/Programs/LEED/Going_green_with_LEE​ .aspx?hkey=54c44792-442b-450a-a286-4aa710bf5c64.

Beyond National Frameworks  ◾  53

There are activities similar to this (such as the 72 hour preparedness kits), but such measures would be challenged when one looks at the impact associated with the 2017 Ice Storm in New Brunswick Canada. These five measures may provide a framework that can be coordinated through government and supported by industry to address the majority of issues that arose in 2016 and 2017. Cyber security brings to light another issue with respect to these framework challenges—that of an infrastructure that does not respect international boundaries but that operates (at least in part) with its own sense of geography and topography. This challenge can be illustrated in the recent decision by Google to challenge a Supreme Court of Canada ruling that sought to limit search engine results. Google’s contention that such a move by the Supreme Court of Canada interferes in the national sovereignty of other nations and would be unduly restrictive on the citizens of other countries that would, by extension, be subjected to the most stringent requirements. Canada and Google are not the only entities that have had this debate in the recent past with a number of European Union countries having similar debates or even legal challenges. In this context, the resolution of the framework issue may be changing the approach to law. Most legal and regulatory structures use one of a territorial or national perspective. For example, when looking at shipping, the port state control measures that are used to enforce regulations on shipping refer to the flag state of the ship (where it is registered). Similar structures are used for aircraft. At the same time, individuals claiming citizenship may be subject to national laws even when operating abroad. Environmental laws pertaining to pipelines also tend to operate internationally based on where the specific section of pipeline is located. In the context of the Internet, however, it may be very difficult to operate in this manner. One would have to locate (conclusively) the nation where the perpetrator committed the crime and even the crime could be distributed across several nations (such as botnets27) that could claim some form of involvement. One option would be to shift from the current approach to one that involves the passive personality theory or the protective theory that begins with the primary jurisdiction being assigned from the nationality of the victim and not the alleged perpetrator. Once this is established, one could then exert a concept such as the Universality Theory that allows for the international character of the offence to allow for the involvement of other nations.28 In short, an attack against the national infrastructure of one country would allow for the laws of that country to claim precedence. The next 27

28

A “botnet” is an automated, network-based attack performed against multiple target sites and systems. Those unfamiliar with the term Universality Theory are likely familiar with its application. These are crimes that apply against humanity—such as war crimes, torture, violation of certain rights, etc. These crimes are universally accepted.

54  ◾  Critical Infrastructure

step would be to work backwards towards the perpetrator which would then be subject to conditions under the Universality Theory and then face extradition to that country or a court having international jurisdiction. A structure similar to that of the port state control system could be applied in this context. The location of the victim would act as the equivalent of the territorial waters or airspace and would mean that the state initiating the action would be clearly identifiable. The second layer would involve those states whose infrastructure was used in the attack. This would involve the country of the registration for the internet service provider or carrier or the location of the servers (etc.) that were used. The final step would involve the refinement of the location of the attacker. At that point, the same legal structures as used in the port state control structures (which exist for other activities) would then become active and the individual could face arrest and prosecution. This structure is very similar, if not equivalent, to that of the Budapest Convention for Cybercrime that may well work as a model at a global level.29 Having found a means of resolving jurisdiction, the next step is to look at the specific measures that can be applied to mitigation and preparedness. Again, the challenge here is that there are a significant number of parties involved and those parties do not necessarily share the same strategic goals, never mind operational or tactical objectives. Internet service providers will focus on private sector issues and competitive advantages, companies will look towards the generation of wealth and governments will look more towards national issues and interests. Ultimately, the common thread is a network that operates free of unwanted intrusion and disruption. Again, the universality principles may be of benefit here in terms of categorizing the Internet as a tool in support of humanity and subject to a number of delicate balancing points (such as net neutrality). One approach to this issue may be to treat the Internet not as the Wild West, but as the High Seas. In the context of the High Seas, organizations are responsible for operating their own aspects or parts of the whole in accordance with internationally accepted principles that are enshrined in their applicable national laws. They are not, however, responsible for fixing issues “off the ship” so to speak. This would refine the roles and responsibilities adequately to move past the current debate of government involvement in the management of private networks— governments would set down performance-based objectives that are a condition of producing connected or connectable (such as for the Internet of Things) technology but would remain detached from basic network operations (such as the company’s file sharing server). Where an organization sought to produce goods or deliver

29

This provides a synopsis of information that can be found in a range of sources. One particularly clear source comes from the European Journal of Legal Studies in terms of Cybercrime, Cyberterrorism and Jurisdiction. The article can be found at http://www.ejls.eu/6/78UK.htm.

Beyond National Frameworks  ◾  55

services, it would have to adhere to the nationally-driven performance goals that may include aspects such as the following: 1. Credible and attestable identity management so that each subject and object pairing was uniquely identifiable30; 2. Appropriate access control that builds upon that identity management but that also includes reasonable authentication before the objects or services can be accessed by any particular subject; 3. Elimination of backdoors and hidden communications channels coming out of the object so as to reduce the opportunity for hidden communication channels such as those used by botnets or other forms of malware31; 4. Appropriate protection of the communications channel through methods that are similar to hashing that prevent the insertion of unauthorized or inappropriate coding into the communication channel. This does not necessarily mean encryption across all communications, but does mean that the system has to be able to protect itself against the insertion of unauthorized material onto its network infrastructure; and, 5. Mandatory patch management or baseline standards associated with patch management to ensure that patches are sought from and installed from trustworthy sources as they become available. The application of these five principles would become national baseline requirements that serve as the minimum standard for any appliance or service that intends to connect to the greater network community. This approach would preserve two very important aspects of the Internet. The first involves the concept of net neutrality. While the communications channels are protected against unwanted or hostile activity, the content on those channels could continue to operate reasonably independently from that system. The second element of this is that the network could continue to operate with some level of expectation of privacy. While there are certainly needs to detect illegal activity (such as threats to the lives of people), this is again one of those balancing points that needs to be carefully watched and protected—preventing what is a legitimate action protecting the safety and security of persons from becoming a tool used to enforce or impose inappropriate controls on people. 30

31

The subject-object pairing is an Information Technology term. The subject seeks to access the object in some form of exchange (such as being given access to a system). The object is configured in such a way as to be able to allow or block the subject from gaining access to it. This is one of the basic elements associated with identification-authentication in the access control domain. A botnet can be described as a collective that is made up of several (potentially millions or even billions) of entities that operate independently but in a manner managed or configured to achieve some common goal (such as disrupting a service by flooding its infrastructure beyond its capacity).

56  ◾  Critical Infrastructure

The final element of the framework involves how security is approached. Within the protection of networks and information systems there is an ongoing debate between compliance-based (a.k.a. feature-based) and risk-managed (a.k.a. performance-based) security. This debate is like debating which is the better part of a chocolate chip cookie—the cookie or the chocolate chip. Risk management is vital with respect to ensuring that networks and other infrastructure are both appropriately protected and do not pose operational risks (such as through configuration and similar conflicts) to other systems. At the same time, networks and information systems work with the realm of engineers in that they follow the laws of physics and relatively set patterns of behavior. As a result, best practices and similar structures can be integrated to address specific issues. These measures operate within the overall context of risk-managed security. One might illustrate this difference in looking at the issue of bullet-proof vests. One determines the need for a bullet proof vest based on less precise sciences such as those involved in policing or criminology—they are not exact sciences because they involve human intent and behavior and focus on preventing the consequences of an inappropriate act. The physics associated with stopping bullets, however, is in the realm of physical sciences and not subject to interpretation based on those softer or less precise principles. The former applies to the risk-management approach while the latter applies to the compliance-based approach. When looking at these three different challenges, the common themes are the same within the framework approach. The common themes involve the establishment of proper governance based on the need to preserve and assure the continuity of a service or operation. The second involves putting that need ahead of the need of the various individual participants involved in the issue. The final theme is that there needs to be a broader perspective understood and accepted by all parties involved and certainly beyond their own individual mandates or priorities. Those themes involve the establishment of leadership not just based on authority but also on capacity and under the auspices of making sure that critical services are, in fact, continuously delivered on time, where needed, in usable form, and for reasonable costs.

3.7 Areas of Potential Risk or Concern Of particular concern is the potential shift of requirements from state control to private industry control. This shift is subtle in nature. Under the national systems, private sector entities would contribute to national systems that would then render out the national priorities and cycle them back as requirements, based on public priorities. With the rise of private sector associations, the nature of control is shifting, and in circumstances where less robust international controls are in place, private sector controls become more prominent.

Beyond National Frameworks  ◾  57

There are two vulnerabilities that contribute to this scenario. The first involves the lack of credible expertise that operates on behalf of the national bodies (that would check the progress of requirements falling into this category) or at least with no vested interests. The second involves organizations that have allowed themselves to become too participatory in nature, essentially shifting their focus from coordination to one of accommodation. Where these conditions can be found, private sector entities can, through their associations, move to have their own requirements (based on profit and not public interest) communicated back to the national bodies that have agreed to adopt them. This can lead to conditions where private interests are able to influence laws without having to go through the necessary checks and balances associated with the national system. With an increasing understanding that many of the infrastructures operate internationally, this risk, even if remote, must be watched for carefully. This is particularly true during difficult economic times and credit restructuring, where private sector entities will seek to gain or establish any advantage that they can.

http://taylorandfrancis.com

Chapter 4

Public-Private Partnerships 4.1 Introduction This section focuses on the concept of public-private partnerships (also referred to as PPPs or P3) and how they can have a significant influence in the critical infrastructure protection (CIP) and critical infrastructure assurance (CIA) domains. With government organizations renewing infrastructure but seeking to avoid significant capital costs, the P3 has risen to a prominent position in some countries. CIP efforts, as the reader will recall, focus on protecting our infrastructure. This focus is on the protection of assets that provide a service and must be considered as a sub-element to the concept of critical infrastructure assurance that seeks to assure the continuity of services necessary to the safety, security, and economic well-being of a nation. They deal with a structure that essentially protects an asset from some kind of harm caused by a threat when it exploits a vulnerability. When looking at critical infrastructure, the goal is critical infrastructure assurance, while the various objectives that need to be accomplished to achieve that goal can be described as critical infrastructure protection.

4.2 What Is a Public-Private Partnership (P3)? A public-private partnership (P3) can be described in several ways. There are some common themes that run through all of them: ◾◾ It is cooperative in nature (between the public and private sector). 59

60  ◾  Critical Infrastructure

◾◾ Each partner brings forward specific knowledge, skills, abilities, resources, or expertise. ◾◾ It is intended to meet public needs but has a strong commercial interest for the private sector entities involved. The reason there are a number of different descriptions regarding public-private partnerships is because this label describes a number of different arrangements. At one end of the spectrum one can find the contracting out of services, and at the other end one might find the concept of privatization. The former represents the traditional way that government would engage the private sector, while the latter represents how government would essentially shed its accountability for certain kinds of infrastructure and operations (divestiture). Since the last edition of this work, however, this concept has become more refined and is used more in the context of a specific arrangement between the government (as the client), a private sector entity (owning and managing the infrastructure), and a financial services provider (providing the outlay of initial capital). What should be clear is that this concept represents a further privatization of certain types of infrastructure. While the accountability for the service remains part of the public interest, the responsibility for maintaining that service shifts to the private sector. As noted earlier in the situation with Churchill, Manitoba, the rail line is owned and operated by the private sector. While the government still has an accountability to its citizens, the responsibilities associated with specific activities, in the eyes of the government, have been transferred to the private sector entity—including the maintenance of the infrastructure (in this case, the rail line). While the private sector continues to own a significant percentage of the critical infrastructure, certain kinds of infrastructure (water treatment plants, etc.) remain in the hands of national and regional (state, provincial, etc.) governments. Perhaps the clearest definition of the divide would be that the infrastructure that has direct life safety implications (such as water treatment) continues to reside with some level of government, largely due to the public interest and the need to maintain a service, even if at a loss. That infrastructure that is not directly involved in life safety issues, however, continues to drift towards privatization. Canada’s plan for the further privatization of airports is one such example of this. This trend is likely to continue. Certain countries (Canada, Australia, and the UK, among others) have established government entities to assist in coordinating this activity.

4.3 The P3 Spectrum The P3 spectrum describes that range of activities that fall somewhere between the basic contracting services and full divestiture through privatization. This is more

Public-Private Partnerships  ◾  61

than simple construction. It can involve any one or more of the following in various combinations: ◾◾ ◾◾ ◾◾ ◾◾ ◾◾

Financing (banking arrangements). Design (engineers, architects). Construction (surveyors, engineers, build teams). Operations (facility management). Maintenance (repairs).

The first major set of criteria involves defining the relationship between the public and private sectors with respect to the delivery of the critical services. After this is resolved, the next step involves the organization of the persons, assets, facilities, information, and activities in such a way that the critical services are delivered and overseen effectively. While there will certainly be additional variations of this, some of the major arrangements are identified below: 1. Private sector (entirely). In circumstances where there is no apparent need for oversight, the infrastructure may be completely divested. For example, small airports and seaports that operate in a manner that have limited safety or security implications may be completely divested to the private sector. One also sees this in the divestiture of office and administrative buildings. This is often proposed to increase short-term revenues that may be generated through the sale, to relieve long-term budget pressures, and to refine the full portfolio of entities delivering critical services when looking at emergency management or preparedness activities. 2. Private sector with public sector oversight. This approach is most evident when looking at activities that have significant regulatory oversight—such as the banking, energy, transportation, and similar sectors. In this context, the regulator still has the ability to limit and direct courses of action (in terms of regulatory controls, measures, etc.) but only steps in which circumstances demand that the state takes the lead (such as might be seen in the coordination of a major maritime event). In this context, the government may possess adequate knowledge and resources to set goals and limitations, but the private sector has the expertise necessary to maintain complex operations effectively and efficiently. The core difference between this step and divestiture is that the while the government benefits from short-term revenues, relief from longer-term costs, and other similar factors, the government has a clearer accountability and responsibility that comes from the requirement to maintain control through regulatory oversight activities such as inspections and enforcement. 3. Public sector with private sector support. This approach is essentially an exercise in risk sharing. The government may be limited in terms of what

62  ◾  Critical Infrastructure

activities can be passed to the private sector (either due to the risks involved or through international agreements that demand the state control over certain activities). In circumstances where there are specific government responsibilities that cannot be maintained adequately or legitimately passed to the private sector, the government maintains control. For all other aspects, control is divested to private entitles. This is very similar to divestiture and the regulatory structure but is far more granular in nature in that it is the shifting of specific activities that result in longer term costs being reduced while services are maintained. What is also evident in this respect is that this level marks the divide where government does not realize the benefits associated with short-term revenues, only through the reduction of longer-term costs. 4. Public sector with private sector contribution. Where it is not appropriate that the private sector be involved in the delivery of the service, short-term costs are overcome through private sector funding, longer-term shortfalls are overcome through temporary arrangements, and there is a need to deliver the service. While the first two approaches have been pre-eminent since the drafting of the last work, one may argue that we are on the cusp of an increase in the latter approach. For many, this trend is already evident—through costs associated with electrical generation and distribution, increased user fees, and similar factors. What has been disturbed in this respect is the difference in the philosophical approaches that lie at the foundation of critical infrastructure assurance and protection. For governments, the primary focus is not on the generation of wealth but should reside firmly on the effective and efficient delivery of core services. One might argue that this structure most closely mirrors the not-for-profit structures in business where it is anticipated that revenues and the spending are kept in close balance. For the private sector, however, the focus is on the generation of wealth and profit for those with an interest or stake in the organization. Under public control, services such as electrical generation would be priced based on a combination of life cycle management costs, administrative costs, and research and development. Under private control, however, the pricing must also include an element of profitability that is ultimately passed onto the consumer. One might point to the challenges recently faced by the Ontario government in the privatization of certain electrical generating and distribution infrastructure to show how this could evolve—in this case, requiring the reinsertion of government control to limit costs that started to move beyond the reach of those relying on the services.

4.4 Establishment of New Capacity As noted in previous versions of this work, there is a need to maintain a balance between demand and capacity. This is not strictly a one-to-one ratio. The balancing

Public-Private Partnerships  ◾  63

point involves the demand being in balance with the capacity when taking into account the need to maintain the resiliency of the overall network delivering the service. Again, the difference in the philosophy between the public sector and private sector factors significantly. When looking at private sector involvement in the management of infrastructure, one must remain cognizant that the private sector’s focus is not on the public good. While the public sector may be able to justify or rationalize a certain level of infrastructure and operating costs based on the need to deliver services above baseline levels at all times, the private entities have a different view. The focus for the private sector, again, is on the generation of wealth and specifically profit. Profit, in general terms, can be influenced by either reducing costs (such as maintenance, etc.) or by increasing revenues, meaning that costs are maintained based on an adherence to minimum costs or requirements, not necessarily best costs or approaches. Two examples can be used to illustrate this point. The first involves the transportation sector and the construction of new roads. The 407 ETR was constructed to relieve traffic congestion in the Toronto, Ontario, Canada, area and runs approximately 108 km from Burlington to Pickering. The highway was the result of a tender that generated slightly over $3.1 billion (Canadian) for the provincial government.1 In return, the corporation is able to bill on a pay-per-use basis with light vehicles paying a per-kilometer fee to the corporation in return for traveling on the highway. While the initial revenue generated for the province appears to be substantial, it must be put into the context of the tolls that are collected by the road operator. In 2010, the total number of kilometers traveled by all commuters was $2.336 billion.2 Considering that the revenue per trip is slightly over $5.00 per trip, while the expenses per trip were approximately $1.00, with approximately 114 million trips recorded in 2010, profits can be estimated at slightly under half a billion dollars. A quick look at the bond maturity profiles provides a very clear example of the profitability of the infrastructure. The Illinois Tollway provides another example. In 2010, the Tollway had revenues of approximately $673 million (USD), while the allocations are approximately $686 million. It should be clear, however, that this number includes approximately $206 million for renewal, replacement, and improvement, and $255 million for maintenance and operations. What can be seen when comparing these two sets of numbers is that the Ontario 407 ETR is far more open in declaring itself to be well-run business venture. Profits are generated, there is a clear return on investment, and there is an attempt to gather further business (profit) by portraying enhanced services to its clients. On the other hand, the 2010 Illinois Tollway presentations tend to focus

1 2

https://www.407etr.com/en/highway/corporate/background-information1.html. Ibid.

64  ◾  Critical Infrastructure

more on portraying a break-even status, with an emphasis on social responsibility and participation. The current conflict between the public and private interests associated with the rail-line to Churchill illustrate the opposite end of this spectrum—one where the roles and responsibilities were not clearly defined, accepted, and enforced. From the private sector perspective, the issue revolves around the fact that the costs (estimated at over $60 million to repair the tracks) are beyond the reach of the company. While there is likely empathy for the people in the town, the “realities of business” outweigh such sensitivities. From the public sector perspective, the argument is that there is a legal requirement for the company to maintain that infrastructure. One might argue that this argument itself fails to recognize the private sector realities in that without funds or some form of coverage, the legal argument is moot— the company would simply be driven towards bankruptcy and the issue will persist. Taking this conflict into the context of the establishment of the implementation or development of new capacities, the emphasis on appropriate governance and clearly understood roles, responsibilities, and limitations cannot be overstressed.

4.5 Maintenance of Existing Capacity While new capacity may be needed to meet increasing demand, this does not absolve organizations of their need to maintain the existing infrastructure. In this context, the public and private sector philosophies each have strengths and weaknesses. Within the public sector, particularly at the government level, there may be a tendency to manage infrastructure up to the next election or mandate, leaving the next government dealing with the implications of positive short-term decisions that may have long-term ramifications. One might argue that this has been clearly evident in activities such as Canada’s defense procurement structures that have seen politics step into the process over several elections. While the reasons for that involvement may have been appropriate from a political perspective, the overall result was military forces that are not moving gracefully through technology but that are having to implement stop gap and interim measures in their major capacity life cycle management activities (such as evident in the current ship and aircraft procurement strategies). Conversely, the private sector is far more susceptible to economic factors (such as downturns) that can limit its ability to raise or maintain the capital base necessary to follow all aspects of life cycle management activities. The result is that certain elements may be put off until conditions are more favorable, a situation that allows for the degradation of the infrastructure to reach more dire levels while the organization continues to focus on patching critical issues. Perhaps one the best examples of this challenge comes from the electrical sector and the conversion of Ontario Hydro into its five companies (later known as Hydro One, Ontario Power Generation, Independent Electricity System Operation,

Public-Private Partnerships  ◾  65

Electrical Safety Authority, and Ontario Electrical Financial Corporation). This transition proved to be particularly challenging. The challenge lies on two fronts. As part of the transition, the decision was made that the previous debt had to be serviced outside of operating costs. The result was a debt retirement charge that is intended to pay down approximately one-third of the former debt and includes an additional 0.7 cents per kilowatt hour with certain exceptions.3 This charge is included on the bills for most consumers. The second challenge lies in the ability to achieve profitability. The majority of revenue comes from the payments made by electrical consumers. The rates paid by consumers are closely regulated by the Ontario Energy Board that sets prices for off-peak, mid-peak, and on-peak periods. The end result for consumers, however, was a cost that was broken down to include the costs of generation, transmission, debt retirement, and other costs. So what does this mean in terms of critical infrastructure assurance? CIA refers to the ability to assure that critical services are being delivered. The public sector management approach was failing in this respect, or could even be argued to have failed, because the government, in order to reduce costs, divested itself of the infrastructure and decided it could no longer deliver the service. The for-profit model ensures, with sound management, that the resources required to run the infrastructure are appropriately balanced with its costs, addressing this particular vulnerability in terms of a lack of financial stability. From the critical infrastructure protection perspective, the for-profit model also makes a level of sense. By ensuring that the revenues and costs remain at least balanced, each individual infrastructure generates revenue essentially based on the demand being placed on it. Similarly, the silo that is created through user fees means that infrastructure costs can be balanced in such a way that significant underperformers do not put a drain on the whole system or overall network.

4.6 The Coming Financial Crisis The coming financial crisis in the realm of critical infrastructure assurance and critical infrastructure protection can be linked to what may be described as an emerging perfect storm. This perfect storm consists of an aging population that results in both a reduced tax base as well as higher costs on certain sectors, higher costs of borrowing that are on the horizon, a diminishing disposable income across much of the population that is the direct result of costs increasing across a broad spectrum of requirements (fuel, food, health care, education, and so forth), aging infrastructure (such as evident in electrical distribution networks, road networks, and similar infrastructure), and increased pressures on that infrastructure that 3

https://www.fin.gov.on.ca/en/guides/drc/pdf/101.pdf. Alt url: http://cipbook.infracritical.com/book4/chapter4/ch4ref1.pdf.

66  ◾  Critical Infrastructure

result from factors associated with the fragility of that infrastructure (increased demand, performance closer to the thresholds of safe operations, and more difficult environmental factors). This is not an attempt to paint some apocalyptic picture, but it is one that demands that actions either start now where the steps can be incremental as opposed to catastrophic later. Consider the issue of rising sea levels, storm surges and the challenges associated with emergency management. Now consider the steps that would be needed if countries were actually to attempt to shift their population bases and critical services back from those areas that are at greatest risk. Now consider the various short-term and long-term costs that are associated with both real and potential losses in either direction. In this storm, we would not be looking at issues such as weather instability, increases in natural events or rising sea-levels. The focus is on the challenge that arises when structures like the P3 arrangement reach a point of diminishing returns in terms of savings. If one examines four critical sectors (health care, energy, telecommunications, and transportation) one finds that there have been significant per capita increases. In Canada, which often touts itself as having a model system, the costs to family groups range between a 19 percent increase for those least impacted to over 30 percent for those that are most impacted.4 One of the most significant costs associated with this involves the cost of health care insurance—a factor necessary to cover costs which have been increasing as certain public benefit plans reduce their coverage or increase deductibles in order to maintain their overall viability. Within the energy sector, this has been apparent in terms of not only the increases in certain costs but also in the inclusion of new billing streams. While there are arguments that can be made in several directions—ranging from the need for investment to move back from system collapse to the need for research and development to move away from environmentally-harmful generating technology—the outcome is the same for the consumer and manifested in terms of increased costs. This brings the issue to a critical balancing point. The public expectation is that certain activities and services would be managed publicly and provided with modest increases in cost—often tied to administratively determined cost-of-­living increases. In short, public expectations were formed led to the belief that one could benefit from a world-class infrastructure on one hand and for not much cost. Where the public or private sector fail in achieving this, then we are likely to see shifts in the other direction—where the government fails, then private sector entities will play an increased role. On the other hand, where the private sector fails, then government will have to step in order to maintain its own accountability in a crisis. The result is an emerging instability as cost pressures, risk thresholds, diminishing returns, and shrinking sources of revenue come together. 4

One would find a view of this analysis through the Fraser Institute’s research that can be found at https://www.fraserinstitute.org/sites/default/files/price-of-public-health-care-insurance-2015​ -rev.pdf.

Public-Private Partnerships  ◾  67

Perhaps the cleanest route is on the localization of critical services. The first layer is at the individual or household level—such as might be illustrated by building codes requiring green roofs (gardens), limited solar generating capability, rain water capture, and similar elements. The idea here will not be to somehow promote a green agenda. It will be the only way that the system will be able to assure that individuals are able to weather a disruption in services without significant government input for the first critical phases. One might also argue that that critical phase should not be looked at in terms of the publicly advertised 72 hours, but in terms of potential weeks depending on the location of the household and where it fits within the various service restoration plans and priorities. The second level of this will be tied to community-based and locally-based activities. The use of common parks with water-features, community farms (or gardens), community centers, and other forms of community-supporting services will have to become more prevalent. Again, the link to “green” programs is tangential and suitable for public consumption but the harsher reality is that these are also very closely tied to the fact that the coming burden on various services will not be supportable under the current organization and structures, including cost. These two forms of micro-projects are likely to be the next wave of public-private partnerships and have already started in the electrical generation and food sectors.5

4.7 Other Forms of Public-Private Cooperation and the Erosion of Governance The need for this oversight also extends into the development of laws, regulations, and policies. Each of these has traditionally involved a consultative process that is used to gauge the impact and benefits associated with the development, implementation, monitoring, and review. This consultative process is often used by various interest groups, associations, organizations, or even individuals to present points of view in the hope of making a convincing enough argument that they suffer less disruption or are able to gain some benefit from the new measures. This structure assumes that there is a clear understanding of the roles and responsibilities of each group. The government is there to conceptualize, design, implement, monitor, enforce, and if appropriate, adjust the various controls on persons and activities that fall within its jurisdiction. The private sector is there to provide an understanding of the potential consequences of those decisions and, in some cases, propose alternatives for consideration by the governing body. This has been shifting toward the private sector’s advantage over time in a number of industries—often those that are involved in the self-regulation exercise or in 5

One might look at the IGA store in Quebec that has established a field on its roof for vegetables. The result is that at least a portion of its food sales are no longer subject to the transportation costs and have much shorter supply chains from field to fork.

68  ◾  Critical Infrastructure

terms of performance-based regulation. These structures allow for the private sector entity to put forward its own requirements as long as it meets certain goals. Given that these goals are often aligned with the need to prevent or respond effectively to situations that would disrupt the infrastructure or cause injury to society, including the local population, there is a very clear need to define what the outcome should be and then to test, in a credible manner, whether or not that outcome is being achieved. The requirements communicated out of the private sector have used a structure that relies upon the conduct of risk assessments and the development of plans—­ followed by the verification that the plans are actually in force. The assumptions in this structure are that the risk assessment has identified at least the threats, vulnerabilities, and risks of most significant concern, and that the plan is adequately able to appropriately mitigate, prepare for, respond to, or recover from the events associated with those conditions. This structure is becoming more and more apparent in the transportation, energy, and communications domains where the private sector has been increasingly relied upon to provide technical input into the formation of the various forms of regulation.6 Where the inspection process is based upon the legal or administrative requirement to “have a plan and put it in place,” the public sector element runs a significant risk of shifting onto a structure that simply verifies that the plan is in force but fails to determine if the plan is valid or appropriate in the first place.7 This system can be overbalanced in the other direction. Prescriptive regulations, including management by set standards and best practice, can lead to conditions where a false sense of security becomes a risk of its own. Again, the assumptions being made are that: ◾◾ The prescriptive standard is, in fact, the best option with respect to dealing with certain risks. In the maritime security regime (an example of performance-based regulation), the public sector identifies certain goals to be achieved. The private sector then conducts the security assessment (risk assessment or question) and develops the security plan (risk management or answer) to achieve those goals. Given that these regimes are generally inspected against the plan, this results in a significant vulnerability in the structure, as it is premised on the assumption that the assessments and plans were developed in good faith and were kept free of attempts to reduce or otherwise manipulate conditions to the private sector’s advantage. Several nations were involved in discussions with industry that saw regimes, such as the ISPS, become limited in scope to certain activities (such as ships in port and not in transit) despite sound security practices and doctrine that establish baseline controls that must be maintained at all times. 7 The counterargument used by regulators is that this approach allows businesses the flexibility to balance security and operations. What is less communicated is that this approach also includes rationalizations that the approach reduces the legal liability to the government because it did not direct a specific measure, and therefore the due diligence associated with specific measures is shifted back onto the private sector. 6

Public-Private Partnerships  ◾  69

◾◾ The prescriptive standard is actually applicable and took into account the ranges of conditions associated with the threat and operating conditions. In these structures, CIA and CIP activities become standards-driven. This has been particularly applicable in the information technology domain and certain other regimes that are subject to technical or legal liability, including insurancerelated challenges.8 Arguments associated with cost, efficiency, and regulatory compliance, particularly where audits and inspections are involved, factor significantly. The overseeing body, in some cases even a third-party certification body, provides checklists of what is to be presented. The private sector entity then ensures that each item on the checklist has been addressed and recorded—a practice that greatly facilitates the oversight process, but that can lead to the inspection or audit cutting corners when looking at the issue from a whole assurance or whole compliance point of view.

4.8 Balancing Points These challenges point to a critical need for the P3 to operate in a balance between the public and private sectors. This balance must exist in at least the following: ◾◾ ◾◾ ◾◾ ◾◾

The use of a common definition base. Education, training, and expertise. Roles and responsibilities. Governance and enforcement.

This balance is needed to achieve clear communications that attain the necessary balance between prescriptive (ensuring that baselines are met) and performancebased (ensuring that assurance, resiliency, and protection goals are achieved). This begins with the basic definitions that are used. One challenge is that there are still a significant number of definition bases being used, and in some cases, persons have become involved in the system who lack the knowledge, skills, training, or experience, singly or in combination, and who, by virtue of their position or simple rhetorical ability, create their own. Without having that clear understanding of the basic definitions, a condition similar to the “fruit of the poisoned tree” comes

8

Several groups clearly indicate that their security programs are managed according to a range of standards in the energy, financial, medical, transportation, and communications sectors. For the reader, a review of public Web sites can provide a clear indication as to how deeply this approach has permeated into certain industries.

70  ◾  Critical Infrastructure

into play—the confused definition base providing a foundation for unclear or even convoluted communications.9 With a common definition base, there is a need to establish a common and accepted approach or doctrine. Again, the assurance and protection communities are at a stage in their maturity where this is not a simple task. Those who have been involved in the asset protection and security domain will be very familiar with the competition between disciplines in the information security, physical security, business continuity, and other domains. With each discipline continuing to operate within its silos and attempting to promote its own view of the others from within that silo, one might comment that the arguments that arise, from a senior management perspective, are best described in terms of an unhealthy sibling rivalry that draws attention and efforts away from the running of the corporate family. This is particularly true in the P3 environment where government policies and private sector practices can come into conflict. On one hand, policies such as the Policy on Government Security in Canada provide a structure or set of frameworks that government security programs and those doing business with the government are supposed to recognize and adhere to. Depending on whether or not these policies, including any supporting standards, are kept up to date, they can have varying degrees of utility, as they are written with a government-centric focus. The private sector element to the equation has more flexibility and may opt to follow no specific path, a path along the line of a professional or trade association, or a combination of approaches that allow it to demonstrate enhanced capabilities within a set of apparently valuable domains through membership or certification. While the private sector is vulnerable in terms of the requirement to be subjected to many regimes, it has the flexibility to make certain decisions within its own management as to how it will approach those challenges. While the private sector may be vulnerable in terms of the number of regimes it can be subjected to, the public sector has a dissimilar challenge. Most persons involved in the inspection and oversight process are employees that are protected through collective bargaining or similar arrangements. The result is that certain organizations tend to focus on the training directly associated with the job process, but not necessarily the discipline involved. This places the public sector organization into a difficult position as the individual in the field: ◾◾ May not be able to recognize measures that may not work. ◾◾ Understand how the measures function individually or as an integrated system. ◾◾ Understand the extent and nature of the risks inherent in the environment the public sector is attempting to regulate.

9

The fruit of the poisoned tree refers to a legal principle in which evidence or information that is the direct result of some action that is deemed to be inadmissible also becomes inadmissible.

Public-Private Partnerships  ◾  71

The final result, particularly if the public sector fails to keep up the training for its personnel, is an inspectorate that deploys into the field simply to have preconceived questions answered while exposing the private sector entity to officially induced errors.10 There is an imbalance between the private sector, which seeks out the most skilled and valuable person for the organization (usually represented through enhanced education, training, or experience), and the public sector, which may, if not prudent, allow persons to become stagnant in their knowledge, skills, and abilities. While this may seem inconsequential to some, the disparity is significant when looking at how many regulations are enforced. While some fall under systems similar to those used in criminal or civil proceedings, regulations are generally enforced through administrative tribunals. These administrative tribunals allow for slightly broader or relaxed standards with respect to evidence and the provision of expert opinion. To give an expert opinion, however, the individual must be able to show an appropriate level of knowledge, skills, and experience. Where there are two dissenting opinions, favor may be given to the expert that can better demonstrate the more enhanced level of education, training, or experience. When this is combined with a regulatory regime that does not have very clear and measurable criteria to meet, the outcome can be a balance that shifts significantly toward the private sector entity that can demonstrate that its personnel have enhanced levels of thirdparty accredited training and experience in the field as opposed to public sector workers. This in turn shifts the balance of probability that the private sector will be successful in its presentation to the administrative tribunal and degrades the ability of the regulator to enforce its own regulations without being constantly pulled into the administrative legal system.

4.9 Authors’ Notes The P3 does offer significant opportunities for the public and private sectors to operate more efficiently. It is also one that must be understood in terms of the potential risks involved. The first step is to understand the nature of the operations involved and how that may influence the long-term relationship between the public and private service when delivering the product. It also means ensuring that the roles and responsibilities of the public and private sector are clearly defined, and that these roles and responsibilities, at a minimum, also identify the requirement to ensure that each side is able to interact (if only doctrinally) by using common and trusted frameworks. It also means that 10

The concept of officially induced error involves situations where a regulated organization receives information from an authoritative source (the regulator) that actually causes it to come into conflict with the regulations in question or with the regulations in another domain. The company, in following the official’s guidance, is punished for following that direction because it contravenes the requirements of another regulating body.

72  ◾  Critical Infrastructure

while the public sector may be enjoying some immediate benefits, it has responsibilities to oversee the operations in general (to protect the public from gouging or other unscrupulous trade practices) and to maintain the necessary expertise to be able to oversee those operations. These responsibilities must also be looked at in terms of the enforcement mechanism that will apply in the P3 arrangement if it is to be applied successfully. In essence, the P3 can be described as a potentially more streamlined manner by which CIA and CIP activities can take place, but is by no means a “cure-all” or “magic bullet” when looking at the broad range of effort needed to maintain the agreement.

Chapter 5

The Reinvention of Information Sharing and Intelligence 5.1 Introduction This chapter examines the role of information sharing within the critical information protection (CIP) and critical infrastructure assurance (CIA) domains. The distinction between these two activities is profound—protection focusing largely on the activities of an organization to be adequately robust and resilient in their operations and assurance focusing on the ability of the system to continue to deliver critical services at levels that meet or exceed the demand for those services. This latter part incorporates critical infrastructure protection and a range of other activities. The first step in addressing any critical situation is being able to detect and identify what and where that situation is. While this statement may seem simplistic, it is one of the greatest challenges in the industry today, where the challenges associated with isolated administrative processes, incompatible processes, competitive influences, regulatory approaches, legislation (including the laws of other countries), and even personal interpretations come into play. Those that have worked in the establishment of information sharing centers (or similar entities) will be all too familiar with the sheer volume of work and complexity of identifying who should be at the stakeholder table. This chapter therefore looks at some of the core elements of information sharing that need to be in place when addressing these challenges.

73

74  ◾  Critical Infrastructure

5.2 Data vs. Information vs. Intelligence When approaching the issue of information sharing, one needs to understand the difference between data, information, and intelligence. This is a matter of nuance and subtlety that is often not apparent. Data involves a set of singularities and is the absolute basic building block when looking at the data, information, and intelligence hierarchy. Data represents a single unit and is often highly empirical in nature. For example, one can confirm that a runway is a particular length. This can also confirm that a person holds a certain opinion. Because data is empirical in nature, it can be described in terms of completeness, accuracy, and repeatability. The length of the runway should remain relatively constant over time. An opinion may change over time, but the changes can be detected by going back to the person and confirming what his or her current opinion is. It is at the data level that inspections and audits factor most significantly. Gaps or errors in the collection, handling, distribution, or retention of data factor heavily in audit reports. This is because data is the basis of decision making—the foundation upon which the management structure rests. When data is collected and organized, it moves into the realm of information. Data may involve describing the length of a runway. Information would take a number of data items and assemble them to give an idea of how the runways are laid out. Intelligence would involve understanding the impacts of that layout on what kinds of aircraft could land at the airport. When looking at another system at the airport (let’s consider runway lights), a sensor may record the voltage passing through the wire to the light. This would be data. The system may record a sudden drop in voltage that results from the circuit being broken (no more current) that indicates that the light is burnt out. Intelligence may involve being able to compare the rate of lights burning out with other factors to show that there is a condition that is affecting the lifespan of the bulbs. For the operator, and the engineer, it is important to understand the relationship between the raw collected data, how it can then be formed into useful information and can ultimately be valued as intelligence. Information is assessed on completeness, accuracy, and repeatability at one level (often in terms of confirming the data) and reliability and credibility at another. For those familiar with the various forms of information gathering, like the Admiralty Code, reliability is basically a technical assessment that describes whether the source of the information has the ability to collect, gather, and present it. Credibility, on the other hand, refers to the ability to corroborate the information through other sources. Depending on the nature of the information collection exercise, these two factors will present a relatively clear view as to whether or not information can be acted upon. Finally, intelligence is used to describe information that has been brought together, collated, analyzed, assessed, and prepared for dissemination. This is a

The Reinvention of Information Sharing and Intelligence  ◾  75

formal process that is used to answer the fundamental question of “So what?” Returning to our example of the runway, intelligence may look at the layout of the airport and arrive at the conclusion that given the aircraft that are being used by companies, there may be a need to adjust or reinforce the runways to handle the increased stresses of aircraft landings. These three layers are very much interconnected. Bad data can lead to unreliable or perhaps incredible information, which can lead to bad intelligence. This bad intelligence is then fed into the decision-making processes and leads to the organization either making the wrong decision or failing to make the right decision. In either case, it exposes the organization to various levels and kinds of risk. It is also noteworthy that this operates as a linked process where good data can be turned into bad information or where good information can be turned into bad intelligence. Like a physical chain, the process is only as strong as its weakest link. For this reason, it is important that all individuals, systems, or activities associated with this process are appropriately trained and capable of maintaining the integrity of the overall system.

5.3 The Importance of Background to Context As stated earlier, while data is relatively empirical in nature, context plays a much more significant role when looking at the transitioning process from data to information, and provides a critical role when looking at the transitioning process from information to intelligence. The transitioning process from data to information involves data being organized. How that organization will be structured will be based on the mission of the organization and how success is measured. A container facility that needs to move so many containers through its facility per hour will likely measure things in terms of either containers processed or time. For example, if the loss of an information technology system means that the processing of containers has to happen manually, the impact is likely to be assessed in terms of the reduced number of containers that can be processed with the same assurance that they are being moved appropriately. Similarly, an electric generating station that needs to generate so many volts of electricity may measure its impacts in terms of the amount of electricity it can generate while maintaining the assurance that it is generating clean electricity that can be pushed onto the electrical distribution grid. Medical facilities may measure impacts in terms of the rate and accuracy of diagnosing and treating patients effectively. The reason for this approach is simple—each organization is expected to contribute to the overall success of the organization, and senior management measures the performance of the organization in terms of its ability to meet goals that it sets. As certain countries move towards the divestiture of infrastructure into the private sector in order to reduce costs, there is a significant risk that this context can evolve into a public safety challenge. With the first element, a corporate perspective

76  ◾  Critical Infrastructure

that focusses exclusively on economics may look at the annual losses associated with the payment of fines (or administrative monetary penalties) as a cost of business where the annual costs associated with maintaining a high-assurance infrastructure exceeds it. One might argue that the concept of understanding the contexts that are part of the organization’s culture should become part of the due diligence checks in the divestiture process and controls should be in place to ensure that any organization that moves into this domain are well aware of the additional roles and responsibilities that are to be assumed. The second element involves the movement of data into the information domain. If the distinguishing feature between data and information is that data is assembled to form information, then the process through which it became information must be understood in terms of the context of its design and its application. One can argue that this process is, in its basic form, interpretive in nature with decisions on how to assemble data having elements of subjectivity and bias built into them and also evident in their application. For this reason, one might argue that information management may be critical in terms of maintaining corporate knowledge, but the survival of the organization and its resilience will rely more solidly on the management of its “big data” picture. Consider two important elements in the concept of CIP and CIA—the threat assessment and the security clearance. There is a tendency to look at the threat assessment in terms of three primary sources of information: (1) other threat assessments, (2) information derived from data sources, and (3) information provided by outside sources. In the case of the other threat assessments, the challenge here resides in the age of the data and information that feeds the assessment. Can that data and information be considered timely, relevant, accurate, and complete? This degrades over time. In the second case, that of the security clearance, one might argue that this is a clear example of data and information being used to form a conclusion that is not fully understood or accepted in its applicability. While the data and information collected on an individual is relevant during the background screening, it also has an expiration date that can be tied to the exposure of the individual to various sources of threat and different circumstances. In short, the security clearance result provides a snapshot up to a certain point, after which it should be assumed that supervision, detection of suspicious or suspect activities, and reporting become much more important. For this reason, one might argue that the security clearance decision is a snapshot in time and becomes increasingly less relevant, timely, accurate, and complete as it moves through its period of validity. At this point, the knowledge, skills, abilities, and experience of the individual will factor significantly. These are the foundations upon which the individual will make the determination as to what is worthy of consideration (information) and how it is important (intelligence). This will, in turn, affect how the individual collects and collates the data to form information and certainly how the individual interprets the relevance of information when creating intelligence products. An individual who has an engineering background will base these decisions on different thinking

The Reinvention of Information Sharing and Intelligence  ◾  77

than an individual that has a liberal arts background. The engineer may be much more precise and process-driven but unable to grasp the less tangible issues that the individual with the liberal arts background can. Conversely, the individual with the liberal arts background may not possess the mathematical or similar analytic skills to be able to identify the connections between things that are not apparent on the surface. The result of these differences is that the data-information transition may not be equal at all times, and it is less likely that the information-intelligence transition will be equal. When this is extended beyond the realm of intelligence, the organization’s decision-making processes can be affected. Management bases its decisions on two major activities. The first involves risk management or the manipulation of conditions so that an organization’s exposure to loss (a factor of probability and impact) is reduced to acceptable levels. For example, management may determine that it is not willing to accept a project incurring financial losses after a certain period. The second part of the process is the cost-benefit analysis that will look at the net return on investment associated with the various alternatives. This is where things can become difficult because the impacts against an organization can be assessed, but not necessarily measured. This may be the result of different persons assessing the scope of an impact differently (immediate losses vs. future earnings, for example) or the result of factors not having precise values (such as impacts on an organization’s branding or credibility). The challenge may be described in terms of watching water move as a river. The water is in constant physical motion and there are other aspects of the river (such as fish) that are part of that overall ecosystem. The brain, however, does not allow us to see that continuous motion. Rather, it collects a series of still images and then assembles them fast enough to give the illusion of that movement. The reality is, however, that there are a number of things that could happen in the periods between images that may be of importance. This image is comparable to the information that is then formed into the intelligence product. As a result, the intelligence we form and that is used in decision making is flawed from its inception because of these gaps. The key here is for organizations to move beyond information management and to refine their information management, taking into account data management. This comes in two parts. The first part is identifying the source of the information in terms of its foundation in data. For example, the information regarding this threat is based upon the following sources that were provided on this date. The second element is describing the processes and context in which the data was collected and collated to form information. Information management, therefore, must not be seen as the root of the information management process but needs to be refined to include credible and reliable data management practices. The second key to this involves the concept of semi-automation. Semi-automation, in the view of the authors, outweighs full automation because it allows those processes that are repetitive and structured (such as checking for a keyword in a file) to be automated

78  ◾  Critical Infrastructure

so as to increase the assurances that the information is complete and accurate. Judgement on the part of the user is still required to ensure that the processes are applied in the right context and, if gaps begin to appear, the processes can be adjusted (with those changes documented through automated auditing) so as to give a better assurance of relevance. While there has already been a shift towards the concept of “big data” management, the key element that is missing is the understanding of how to craft and establish those processes that are used to bridge the automation and judgement divide. One thought that comes to mind in this challenge involves the current challenges of how to protect networks in the Internet-of-Things environment. There is a growing concern that this new, evolving, and expanding technology is opening up new threat vectors that can impact more sensitive networks. For example, an individual may have an unprotected smartphone that connects to a refrigerator that helps with shopping. This refrigerator, however, is connected to the home network which also has a connection to a work network. The threat can then hop through the smartphone to the refrigerator to the home network and ultimately to the work network. While perimeter protection may offer one level of benefit, there is an increasing belief that improving the ability to detect suspicious activity within the network communication streams is becoming increasingly necessary to limit or manage this kind of vulnerability. This may operate at the physical levels (through the physical or datalink layers) but can also be present in some form as the attacker attempts to hop across virtual networks, such as may be established in certain kinds of shared or cloud services.

5.4 Context Affecting Sensitivity It is impossible to assess sensitivity without understanding the context. The concept of sensitivity is directly linked to the impact that an organization accepts as arising should the asset fall outside of appropriate care and control. This impact, often referred to as an injury in the asset protection and security domain, is factored with the probability of such an occurrence arising to give an idea of the risk involved. This risk is the same risks that are prioritized and given to management for their consideration and, if warranted, decisions with respect to managing that risk. When looking at context, it is important to note that context is not a static or fixed entity. If one looks at context in terms of a movie, much of how we approach context comes from what may be described as a “snapshot in time” by looking at one frame in the film. Unlike a movie, that will proceed at reasonably constant 30 frames per second (so it is moving), context does not have a steady rate of progress. It can change either quickly or slowly depending on the factors that act upon it or new influences that are brought to bear on it. Therefore, the

The Reinvention of Information Sharing and Intelligence  ◾  79

valuation of assets (which is closely tied to context) cannot be looked at as a fixed and permanent value but must be considered one that exists in a state of flux and change. This will influence that outcome of any risk assessment methodology the same that changing any variable in a relational equation would affect that equation’s ultimate resolution. As part of this calculation, the organization must remain aware of how the context is affecting the process that leads up to the prioritized list of risks. This may include the following: ◾◾ Impact. The context may result in an individual assigning a higher, lower, or appropriate value to the asset. Where assets are overvalued, the risks associated with it will naturally appear more significant and the organization may waste resources in responding. Where assets are undervalued, the risks may be understated and leave the organization exposed to unforeseen losses. ◾◾ Probability. The context may result in the probability of certain scenarios being overvalued, undervalued, or even discounted. Consider personnel with military or law enforcement backgrounds. These groups have been in direct contact with certain kinds of threats and significant amounts of information regarding those threats that are not readily available to the public at large. Because of this experience, the context in which the information and intelligence is presented is often different from that held by management—sometimes leading to conflict as management refuses to accept the probability of certain scenarios. ◾◾ Vulnerabilities. These are indicative of the lack of something or incomplete application of something that allows a threat to cause injury to an asset. These are heavily contextual in nature and frequently challenged. They are often identified by an individual based on his or her knowledge, skills, experience, or motivation. Similarly, the operational, environmental, financial, regulatory, and threat contexts may make certain vulnerabilities more relevant than others. ◾◾ Thresholds. Risk management is based on the risk being perceived as crossing certain thresholds. Often these thresholds are imprecise or range-based on the personal tolerances of management. Where the context changes, such as new financial restraints or conditions, threats to operations, regulatory requirements, etc., management decisions regarding how to approach the risks may also change. Context, however, is more than the physical environment. The legal, regulatory, environmental, operational, cultural, and threat environments also factor significantly. These all become part of the larger context that encapsulates management decisions. It is this combination of context and the characteristics of the individuals involved that come together to form the perception of risk.

80  ◾  Critical Infrastructure

The mechanics of this influence, touched upon above, can be described when looking at the roots of risk. Begin with the five major categories of sensitivity (at this point, in no particular order of priority): ◾◾ Confidentiality. The need to restrict access to something so that it is only available to an identified, authorized, and appropriately trusted community. ◾◾ Integrity. The ability to ensure that something has not been added to, changed, or deleted from without appropriate checks and balances being met and only using trusted processes. ◾◾ Availability. The ability to rely upon something to be available for use upon demand and to have it function as intended. ◾◾ Relative Value. In terms of the dollar value or equivalent of something. ◾◾ Social Value. The importance of the asset to the community or population. One challenge that faces those practicing in the domain is the prioritization of these five categories. The prioritized order will not only shift based on the asset protection and security domain, but may also be influenced significantly by the perspective and other subjective factors tied to the individual doing the analysis. What needs to be clear is that the value of an asset is often stood on its head as a means of rapidly assessing the impact associated with some kind of threat. While this does offer a method for assessing the impact, it often fails to accurately describe the overall impact of something. Consider the electronic control chip for modern vehicles. Such a chip may only cost a hundred dollars or so to produce and may only be marked up slightly due to the volume of sales, but the loss of the chip has two major contexts. The first is the lost revenue to those that manufacture the chip and sell it to the automaker. The second, and less apparent, involves the loss of production and delay in sales that results when an inexpensive but critical component in the vehicle is missing. A second element involves how that control chip interacts with the integration of new technology—such as the automation of a vehicle. Suddenly, the integrity of data coming through that chip has to be looked at in terms of its impact on the automation processes. This interaction could be minimal, or it could be significant enough to affect the safe operation of the vehicle. This introduces a layer of complexity because of the value of the chip must now also be looked at in terms of its role in the system and design and architecture which, for the individual conducting the analysis and assessment, means looking at the chip not only in isolation but in the operational context. One may want to look at this in the context of attempting to locate electrons within an atom. The paradox is that the energy that is applied to the electron to “see” it is actually enough to ensure that its location has changed. What may be more relevant is to stop looking for the exactly precise answer and to begin to look at the concept of operating based on ranges of possibilities. An organization may not be able to agree that the total cost of an event is a certain value. As a result, it never fully establishes the impact criteria for risk and proceeds no further. What it

The Reinvention of Information Sharing and Intelligence  ◾  81

can agree upon is that the impact value is certainly no lower than one value and no higher than another. The same applies for frequency. While this information will not provide as clear a snapshot for the executives, it provides a much more relevant set of outcomes and actually covers a broader range of potential scenarios. The outcome may be a communicated risk based on a lowest/highest impact with a lowest and highest number of events. It should be clear that the concept of perspective and context are intertwined. Individuals have perspectives that are formed through their education, training, experience, and motivation. This perspective forms the basis of how they interpret the data, organize it into information, and build the context around them. That perspective and context drive how we assess the value of assets, and this in turn feeds into the risk management and enterprise management decision-making processes. The influence of context is a major, if not determining factor, in the debate on how to approach Operational Technology (often considered by several communities of interest as a culmination of the Internet of Things, the Industrial Internet of Things and Process Control Systems) as opposed to Information Technology. Without becoming too engrossed in the labels, the contexts here are divergent. The former is preoccupied with managing the state and changes of state in an environment that controls physical activity. For example, the controls managing the valves on pipelines or chemical manufacturing processes. The latter is preoccupied with the management of files or other forms of information that are, by comparison, largely static and distributed or used as needed. In brief, one might argue that the application of practices from one field to the other may be possible within the realm of physics but not in the context of their functionality. Information Technology focuses on a hierarchal order of confidentiality, integrity and availability associated with the objects in the subject-object pairing (most often information files). This triad is largely based upon maintaining the ability to use information as required and not to have it pass outside of acceptable controls or environments. This structure only loosely applies to Process Control Systems. In this context, the values are interlinked and cannot be considered unique or independent. The service may be available, but still remain dangerous when the integrity aspect is not present. Also, Process Control Systems have an additional factor in terms of availability and that is one of precision. A document can be available in terms of either an electronic or hardcopy and meet the criteria for being available on demand. Within the Process Control System context, the range of options that meet the availability and integrity pairing are far more limited. One might look at this in the context of a Venn diagram where Information Technology may look at the union of the overlapping characteristics (i.e. it appears in either or uses the OR function) whereas the Process Control System function can only accept both being present concurrently (i.e. it falls into both or uses the AND function). This rather subtle distinction changes the manner in which the asset valuation process has to approach the confidentialityintegrity-availability triad.

82  ◾  Critical Infrastructure

Consider a chemical manufacturing process. Ultimately, the goal is to keep the plant from operating unsafely in the context of safety (i.e. not on fire or not exploding). This means that the chemical reactions are the determining concern. Too much or too little of a reaction can lead to the unsafe conditions that we seek to avoid. Availability is important in this context, but only when that availability is operating within safe parameters (so much of a chemical being inserted into a reaction in a calculated period). If availability is considered in isolation, one cannot state with confidence that the negative outcomes will be avoided. Integrity, however, cannot be considered in isolation except when factoring availability due to the fact that the concern is a process, not simply the infrastructure. Again, the intersection between availability and integrity is the appropriate characteristic, not simply availability or integrity. When considering many of the risk assessment methodologies, these two aspects are treated independently (such as the Harmonized Threat and Risk Assessment methodology) or using an OR function. Within the context of the Process Control System, they cannot be considered independently (AND function), making those models less effective.

5.5 Enter the Cloud The challenge of context creates a trap for those assessing the risks inherent in systems. On one hand, does one use an existing model and attempt to reform it to fit? This can lead to gaps or errors as described above. Does one attempt to create new models which will take significant time and effort to promulgate through both the technical and business communities until they are finally accepted? As we have seen with other models and structures, particularly in the Public Safety and Homeland Security communities, this could take years to design, implement, refine, and ultimately adopt. So how does one break free of this trap? There are two possible solutions. The first involves building a system that attempts to take as much of an individual’s prejudices or perspectives out of the equation. This approach is difficult in that it is nearly impossible to validate and it is nearly impossible to apply consistently. The second is to use a number of perspectives and a Delphi kind of approach to look at the perspectives, contexts, and, ultimately, risks to the organization. This is where the concept of cloud computing comes into play. There are really three elements to the cloud that come into consideration. The first is that data is held in such a way that it is accessible across a broader community. In its purest form, cloud data would be accessible to everyone, but this is, quite frankly, not realistic. The second is that the computing power, the analysis of the data, and its organization would actually be subjected to a number of intermediary processes on the way to being transformed or translated into information. The third element is that the information, produced in a cloud format, would likely be more accessible

The Reinvention of Information Sharing and Intelligence  ◾  83

and, as a secondary element to this, also likely available in its interim form and not simply in its final form. Each of these needs to be understood, including the potential impacts associated with misuse or even hostile use, before an organization decides to move its data into a cloud format. The first element is the result of a gradual shift in terms of how data, information, and intelligence are handled by organizations. While intelligence, particularly in its most sensitive forms, is still guarded closely, the raw data and information have been the subject of a gradual loosening of controls. Consider the period around Y2K—organizations largely held their data, information, and intelligence on proprietary systems. Those proprietary systems needed to be maintained and protected at the cost of the company—sometimes an expensive endeavor. Gradually, organizations sought to realize efficiencies by outsourcing, first, parts of the ability to hold data and information. Off-site storage centers and data repositories, particularly for use as backup sites, became more prevalent. This in turn led to organizations seeking to make arrangements with third parties that could handle certain parts of the processing of data and management of information. Finally, we now see network-based organizations using third-party suppliers entirely for their data holding and information management requirements. This transition has significant impacts when looking at the overall ability of an organization to protect and ensure the services it delivers. This migration has forced organizations to adapt how they look at controlling their data, information, and intelligence holdings. In the more traditional models where organizations controlled the personnel, assets, facilities, information, and supporting infrastructure, the focus was ensuring that the organization applied the necessary administrative, physical, procedural, and technical security controls. As certain parts of this processing and storage capability were moved to known third parties, the only significant element that changed was the span of control that the organization exercised when planning, designing, implementing, monitoring, and adjusting these controls. As a result, outside networks needed to be certified against certain criteria, and a risk management decision was made through the accreditation process. The design of how data is going to be managed is becoming an increasingly important element in project management and execution. This may involve appropriately identifying, labelling and categorizing data that is the product of the work. It may also involve the same factors for data and information that is brought to the work. For example, if one were to conduct a series of vulnerability assessments, one should understand how data may be used (intentionally but also later through discovery) within the organization before setting down hard and fast data and information management structures. Oddly enough, this is where skills developed in such sciences as the library sciences become very important to project managers as those sciences not only look at how to store information in an organized manner but also in a manner that one can identify its value and retrieve it again later.

84  ◾  Critical Infrastructure

5.6 The Cloud as an Amplifier The integration of the cloud into the computing base (note that this is not necessarily the trusted computing base) will simply be an amplification of this principle. The main challenge for executives and managers with responsible charge positions will be to maintain their focus on their own mission and determine to what extent the cloud’s capabilities can be exploited. This includes asking the following questions: ◾◾ Has the organization appropriately identified the sensitivity of its data, information, and intelligence from both an operational point of view and the means and opportunity it can provide a competitive or hostile entity? ◾◾ Has the organization appropriately identified the requirements that must be met to appropriately manage the risks associated with the confidentiality, integrity, availability, relative value, and social value of the data, information. and intelligence? ◾◾ Has the organization designed and implemented a strategy that will allow the organization to ensure that these requirements are met and maintained? As a second part of this, has the organization also implemented a strategy that ensures that, once in place, they remain in place? ◾◾ Has the organization put in place the necessary administrative, physical, procedural, and technical controls so that it can monitor the location, condition, and access to its data, information, and activity? Can it exert the necessary influence to control the same? ◾◾ Finally, has the organization designed and implemented the necessary administrative, physical, technical, and procedural controls so that it can recover its data, information, or intelligence at the same level of confidence or trust? This reflects the perspective that organizations may seek to exploit the capabilities offered by the cloud, but prudent managers, often linked to accountability, will look at the cloud as a tool that serves the organization as it attempts to accomplish its goals and achieve its objectives. Perhaps the greatest challenge for those seeking to protect and assure critical services will be to identify, achieve, and maintain an appropriate balance when looking at exploiting the opportunities offered by cloud computing. This will rely heavily on those that can assess the sensitivity of data, information, and intelligence to the organization, and the opportunities that the same data, information, and intelligence would offer competitive or even hostile entities. It will also involve a significant effort to manage the expectation of clients and users who will have been inundated with communications extolling the latest and greatest capabilities associated with cloud computing.

The Reinvention of Information Sharing and Intelligence  ◾  85

5.7 Clouds and Concealed Conduits In this context, identifying the cloud as a concealed conduit may be of some value to the protection or assurance practitioner. This concealed conduit does not necessarily mean that the cloud penetrates the access control measures around the known network. It can also latch onto points where data, information, or intelligence is passed outside of the trusted network infrastructure. For the protection and assurance practitioner, some of the questions that should come to mind are the following: ◾◾ Does the organization share infrastructure with competitive or hostile parties? Is the infrastructure kept separate? ◾◾ Does the cloud, when establishing the resources necessary to store or process data or information, establish a partition that can be protected against outside interference, intrusion, or monitoring? ◾◾ Does the cloud, when communicating data, information, or intelligence, maintain an appropriate level of protection so that only trusted parties receive or have other access to it? ◾◾ Does the cloud create duplicates or copies of data, information, or intelligence, and are these protected to the same extent? ◾◾ Does the management of the cloud’s storage, processing, or communications routines or processes ensure that only those persons identified by the client as meeting certain criteria have access? ◾◾ Are there organizations that have been given access to data and information as part of End User License Agreements, such as those entities that use the characteristics of data and information to target marketing or services? To what extent do these organizations have access—do they see headers and metadata or are they able to plunge into the message body? The person signing off on the EULA may not be the data owner—something that can muddy the waters in a legal challenge should the information be compromised. ◾◾ Does the data actually impart value to the infrastructure and/or does it mean that the owners of the infrastructure have the right to exploit data and information for their own value? While the debate over the use of media content continues to rage, one of the more pressing legal issues is how do the various parties in the dispute have to compensate each other with respect to derivative works. What we are essentially discussing here is the trusted computing base (TCB). This can be described in terms of that infrastructure under control where the hardware, software, and firmware involved operate at a level where management does not face any significant risks associated with losses of confidentiality, integrity, or availability of data or services.

86  ◾  Critical Infrastructure

Dealing with cloud-based issues, when put in this context, is a simple exercise contextually but may pose some challenges in terms of implementation. Integration of the cloud simply involves expanding the trusted computing base in terms of processing and storage. In mature systems where there is an implemented certification/ accreditation regime in place, this is a simple matter of activating the appropriate change control protocols. At this point, the issue becomes complex and offers the opportunity to open up concealed channels. The first issue involves identifying the scope of infrastructure that may be involved. This can be divided into a series of questions: ◾◾ Where can data be sent or stored as part of the processes directly involved in the computing or storage processes? For example, what servers and lines of communication are identified as being able to handle the data? ◾◾ Where can data be sent or stored as part of the processes that are indirectly involved in the computing or storage process or, in other terms, may be involved in supporting the overall operations of that infrastructure? For example, does the infrastructure involve backup routines or systems that will copy the data and hold it in other locations? The second involves being able to trust what we know about that infrastructure. In the information technology realm, this generally involves the concept of certification and accreditation. Certification involves an expert determining the level of compliance, or adherence, with specific standards. Accreditation involves management looking at the level of adherence to those standards, determining specific steps needed to manage any unacceptable levels of risk, and then commissioning the network to operate within certain constraints. This leads to two kinds of concealed conduit. While both involve the actual conduit being present, the difference comes from whether or not the accrediting body detects those concealed conduits. In cases where there is an appropriately conducted threat and risk assessment, inspection, and other forms of checks, the conduit may be fairly apparent to the accrediting body. That is because of the work that was done to identify it and communicate it. The second comes from situations where the conduit is there, but remains undetected for some reason. This could be the result of many factors, including the following: ◾◾ ◾◾ ◾◾ ◾◾ ◾◾

Failing to identify the appropriate criteria to be met. Failing to use appropriately capable persons (expertise). Failing to conduct the full assessment. Over-relying on end documentation (such as certificates). Refusing to accept what is presented in the technical reports.

The overreliance on certification documentation has a number of elements to it. The education industry has often been challenged by the following:

The Reinvention of Information Sharing and Intelligence  ◾  87

◾◾ Programs that are not accredited but hold themselves out to be ◾◾ Institutions that hold themselves out to be competent and capable but that operate without oversight. ◾◾ Simple business enterprises that will sell an official-looking certificate that can be used to fraudulently bypass hiring or similar controls. We also see this practice entering into other certification regimes. This also comes in various forms—ranging from unethical practitioners to disreputable business enterprises. Consider the recent exposure of organizations that offer college and university degrees for sale? While on the surface, this may appear to be fraudulent, one has to look at why it might be considered so. Universities (fully accredited) sometimes offer course credit for those who have performed certain jobs (life credits). Even certain organizations will equate the time an individual performs at a certain level as meeting certain educational requirements. Another approach to this is translating trade credits (training) to stand for academic credits (education) due to the overlapping of material. The key element lacking in these degree mills is that there is no link to the common criteria used to determine if the individual should, in fact, hold that level of qualification or attestation. This issue, however, permeates far deeper than education and training. Should an individual who is a professional auditor be able to certify and make recommendations regarding accreditation of something outside of the audit process? One might argue that they most certainly should not as they lack the technical knowledge and experience relative to the domain. They should be clearly limited to only stating those elements within the certification structure that they could or could not prove through documentation, observation, or interviewing. Yet today, we see several organizations accepting the outcomes of these kinds of audits not just in terms of what is lacking but also in terms of what steps the auditor proposes should be taken in order to resolve any gaps. It is this latter element that poses the most significant risk to those looking at the issue of cloud computing. This is because the organization may well take steps to mitigate the risks associated with certain detected and assessed vulnerabilities, but it may well fail to act if those vulnerabilities are not identified. This failure to act means that the overall process has not delivered the value that it should have, and also leaves the organization, and potentially the overall system, vulnerable.

5.8 Linking the Trusted Computing Base and User Communities When looking at information sharing, one has to look at who is sharing the information, what is the information being shared on, and is it appropriate to be sharing the information. These three elements are the core of any effective information

88  ◾  Critical Infrastructure

sharing structure—ranging from conference calls to multi-million-dollar fusion centers. Having looked at what the information is being shared on, we need to return to the authorized user community. This community has three things in common: ◾◾ They are identified, and that identity is authenticated through trustworthy sources. ◾◾ They are authorized to have access to the assets involved, ranging from the TCB to the information held on it, after having undergone a formal authorization process. ◾◾ They are all bound to abide by certain conditions, generally set down as part of the certification and accreditation process. This community represents more than simply the end users and managers of the TCB. It also includes a range of support services and other secondary roles that may have incidental access to the system or the data contained on it. There are potential conflicts that need to be overcome when looking at information sharing and the TCB. The first involves the philosophy of how the authorized user community should be defined. The TCB sets these definitions in terms of the need to know—limiting access to those who have met the criteria defined above. People, however, do not operate based on the need-to-know principle. They operate on the basis of what might be more appropriately termed the need to share. This does not mean that the user is compelled through some feature of character to give away secrets to all under the sun. It means that the user evaluates individuals on a case-by-case basis and ultimately makes a personal judgment call based on (1) personal trust and (2) the need to share the information in order to accomplish the goals. This does not represent an attack on the concept of the need to know. That concept is still being preserved under the need-to-share regime. It does represent, however, two shifts in doctrine. The first is that it moves the need-to-share information back to the user/operations level and away from the administrative level. It also means that the need-to-know decision becomes decentralized, with the authority being taken by the user level and often justified through the argument that the sharing was vital in order to reach the objectives and maintain the goals of the organization. This decentralization of the decision to share information, sometimes even outside of apparently normal practices, means that those overseeing the information sharing arrangements and the TCB must place significant emphasis on education, training, and oversight. It also changes the applicability and solidity of such roles as the data owner and data custodian within the information security domain. This applies through the entire cycle that an individual may have access to the information and the TCB, including the following:

The Reinvention of Information Sharing and Intelligence  ◾  89

◾◾ ◾◾ ◾◾ ◾◾

Background screening as a mandatory part of selection. Training. Ongoing familiarization. Active monitoring of the individual and use of the network.

Having selected the individual and before granting access, the individual must be made aware of the various restrictions that operate within the system. This is a basic principle linked to the concept of natural justice—before enforcing something there must be a reasonable expectation that the restriction is well known and understood. This also applies to the consequences associated with violating the consequences. This requirement is often overlooked or bypassed in large or distributed organizations, leaving the organization vulnerable in terms of a lack of ability to enforce its own requirements with those with access. Meeting this requirement in the need-to-share environment requires more than simply having signed statements on file. As the user has additional responsibilities in terms of the decision to share information or allow access, he or she must also be well educated and competent in making decisions that remain in line with management’s intent. It also requires the user to have the confidence necessary to make the appropriate decision to share or not to share. A significant part of this is understanding that the management involved applies rules consistently and fairly on one hand, but on the other hand does make decisions and exercise judgment when individuals can be clearly shown to be operating in a way that takes appropriate precautions and meets management’s intent. Corporate culture and how it accepts or rejects the risk environment will also factor heavily in this. Where an organization’s corporate culture is well aware of the threats, vulnerabilities, risks, and consequences, it is much more likely to ensure that various restrictions stay in force and will limit its decisions to those that align with both the intent of the restrictions and operational needs. An organizational culture that does not accept these will not abide by the restrictions except in circumstances where it believes that individuals will be detected and punished. While this may be adequate in the eyes of some management, it is a weak posture. From the perspective of information sharing, this means that a balance exists with respect to access within the user community and TCB and the privileges that can be exercised as part of the need to share. This balancing point will be weighted as a result of a number of decisions with respect to how risk is managed. These decisions and requirements will be the result of requirements including, but not necessarily limited to, the following: ◾◾ Laws, regulations, and similar measures that generally cannot be risk managed except by the most senior levels of government with the support of the courts. ◾◾ Overarching policies that are the result of parent organizations making risk management decisions.

90  ◾  Critical Infrastructure

◾◾ Restrictions that are the result of information sharing or asset sharing agreements. ◾◾ Internal decisions that are the result of management’s decision to manage risks in a certain way. It is important to note that the principles of risk management are an important element in the need-to-share principles. One of these principles is that it is only the owner of the risk management decision that has the authority to make decisions that run contrary to his or her previous direction. This is that individual who bears the accountability associated with the appropriate protection or use of the assets involved and, as a result, holds delegated authority from the more senior layers of management—usually the highest levels. Those that decide to manage risks differently for their own purposes without first seeking the consent of that delegated officer or individual run a significant risk of running afoul in their decision making. Ultimately the requirements and constraints placed on individuals must be clearly communicated. This is once again accomplished through the informand-acknowledgment process. The individual is informed of the sum total of the requirements, the relevant consequences, and the method of clarifying issues. The individual then acknowledges that he or she has been informed, assents to being subjected to the sanctions that may arise from breaking them, and acknowledges the process by signature or some other attestable means.

5.9 Barriers to Information Sharing The key barriers to information sharing come from a lack of trust and teamwork between the government, industry, and academic parties. The level of trust will vary from interaction to interaction, but the lack of trust between institutions is clearly evident. From the government perspective, the reasons the private sector refuses to share information can be reduced to the following: ◾◾ The desire to conceal information that may lead to the government detecting shortfalls in regulatory compliance. ◾◾ The concern that the revelation of the information could be used to assign or increase the level of liability or other similar forms of risk that an organization assumes. ◾◾ A lack of trust that assurances given by the officers in one part of government will be adhered to by officers in another part of government. ◾◾ A lack of confidence that information provided in confidence will be maintained in confidence due to public disclosure rules.

The Reinvention of Information Sharing and Intelligence  ◾  91

From the private sector perspective, concerns surrounding the sharing of information rotate around a number of core issues. These include the following: ◾◾ That information shared in consultative processes may be used by the government as part of a regulatory enforcement action. ◾◾ That information shared in a consultative process can make it to the hands of the competition, causing loss of market position. ◾◾ That information shared in consultative processes can end up in the hands of the public and lead to a loss of public confidence or brand credibility. The academic community has been proposed as one potential alternative to break this stalemate. The academic community is seen as being free of vested interest and can be trusted, when appropriately directed, to remain free and clear of competitive issues. This, one might argue, may operate within the realm of the academic but when one approaches the university as a business within a competitive market, begins to break down as they can compete amongst each other. One significant concern, however, is that the academic community is also subject to a number of laws requiring the disclosure of information, and this could again expose the information. If looking to build communities that allow for the sharing of information, a change in many of these attitudes will be required. Government regulators, often overly concerned with practices to ensure absolutely equal fairness, will need to understand that such practices may need to be adjusted somewhat if the private sector is going to expose itself to additional risks. Similarly, all parties will need to understand that any information revealed during these processes must be protected against disclosure, even if under the authority of exceptions to existing disclosure information or under the authority of new legislation. The final barrier to information sharing lies with organizations that seek to advance their position by having access to data, information, or intelligence that others do not. Administrative processes, including security clearances, will need to be adjusted to allow for regional (provincial, state, territorial) and municipal governments’ participation. Many of these barriers are in need of adjustment to reflect new operational and CIP/CIA realities. The focus, particularly in a world where joint operations and international teams are involved, must be on the ability to share data, information, and intelligence in such a way that the overall parameters for mission success are achieved.

5.10 The Rise of Open Sources Open-source data and information comes from the computer industry’s use of open-source software or software where the code is freely available. Organizations

92  ◾  Critical Infrastructure

are now placing more and more information into the public domain, often as a tool to attract business or to demonstrate their own capabilities. Researchers access this data and information to perform research that would have been impossible in the past. The vulnerability associated with open sources comes from the potential for researchers to fail to apply quality controls or checks to the data. While governments and academic institutions have often limited the overall access to information, treating it as a marketable commodity, they have done so with an understanding that such data was only published after undergoing stringent checks ensuring its reliability and credibility. The risks associated with open sources, as a result, involve a loss of credibility of the research at one level or, at a more fundamental level, a loss of accuracy or completeness. It should be clear, however, that these risks can be mitigated and addressed through the formation of networks of private researchers. Several organizations, ranging from formal associations (ASIS International and the International Association of Maritime Security Professionals, to name a few) to less formal networks (SCADASEC and similar research lists), form networks of persons who can comment on the validity and context of the data and information while the data is on its transformative process to information and ultimately intelligence.

5.11 Open-Source Information and Intelligence What researchers need to be cognizant of is the difference between open-source information and open-source intelligence. The difference between the two parallels closely the difference between information and intelligence. Open-source information is intended to provide facts, but not to explain the importance of such facts. Intelligence, on the other hand, is data and information that have undergone that formal process of collection, collation, analysis, and dissemination. As with data and information, there is a need for the researcher to be cautious. There are several companies that indicate that they produce intelligence, where in fact they are simply regurgitating open sources of information. These firms are often little more than media monitoring companies that can provide lists of commentary. The second challenge is that those companies that do produce intelligence need to be understood in the context of what they deliver as business lines. In short, as with other information, the context in which it organized the data needs to be understood. That being said, there is a notable increase in the number of organizations that sell or trade in what can be described as open-source intelligence. These involve organizations gathering together publicly available information and, with the assistance of specially trained or skilled individuals, working that information through the analysis process to become intelligence. Some of this intelligence is placed into the public domain in order to demonstrate the capability of the organization,

The Reinvention of Information Sharing and Intelligence  ◾  93

while the rest is held on to in order to develop clients. These organizations may be less susceptible to certain kinds of contextual pressures, but still need to be understood in terms of their business contexts, including relationships with other clients or service providers. A significant number of these groups have risen because of the need for credible intelligence in the private sector and, as noted above, the inability of the private sector to work through various information sharing requirements in a timely manner.

5.12 An Approach to Information Sharing— The Consequence-Benefit Ratio As these organizations arise, there is an opportunity to change the model. At the grassroots level, open sources of information and intelligence can be supplemented by the more proprietary sources. The emphasis, however, would shift from those proprietary sources to publicly available sources that can be reviewed and quality controlled. Where a proprietary source must be used, then consideration may well be given to the establishment of a “Good Samaritan” law. This would involve a relief from liability where the disclosure of such information was necessary to prevent grievous harm to individuals or the national interest. While this may seem somewhat Orwellian, the early forms of this capability have been applied in the medical community, allowing medical practitioners to communicate information that, if withheld, could lead to a loss of life or risk of grievous bodily harm. This open-source information can be brought together through various forms of technology. For information that has no significant value in terms of compromise and sensitivity, the Internet and other wide broadcast tools may be appropriate. As information becomes progressively more sensitive, the shift may be toward the more traditional restrictions. Ultimately, however, to break out of the current deadlock, the government needs to look at information sharing in terms of cost and benefit. Where the consequences can be mitigated and limited to areas that do not overly affect the safety, security, and economic well-being of citizens, the benefits in terms of contributing to operational success can be weighed. If there is sufficient imbalance in favor of operational success, then the information is shared within the trusted community or, as a second tier, the community that is working toward the common interest.

http://taylorandfrancis.com

Chapter 6

Critical Infrastructure Information 6.1 Introduction This chapter introduces concepts surrounding the reclassification of information and provides some introspective views as to how both industry and government are altering how information is perceived and some of the challenges that have emerged. There is much publicly available information about our infrastructures that describes demographic, financial, and security-related details. Those who are familiar with these environments are often able to locate public information as it pertains to the operation, description, geographic/geospatial mapping data, system, or access information about a specific critical infrastructure or its sectors. This level of accessibility is currently being reviewed by both private and public sectors and represents a continuous process that is undergoing some serious reconsideration in terms of information classification.

95

96  ◾  Critical Infrastructure

6.2  What Is Critical Infrastructure Information (CII)? Critical infrastructure information1 (CII)2 is defined a type of designation of data or information that is representative of a critical infrastructure, or its sector, and is considered sensitive in nature but remains unclassified (this implies the federal government’s “sensitive but unclassified” designation, as discussed later in this chapter). This can lead to a level of confusion, particularly when sharing the information, as this designation used by the United States is not actually used by a significant number of its allies—those allies either classifying information in the national interest or having it fall under protected but not under the national interest. In some regard, CII is information3 that is a form of metadata4 —that is, it is data5 about data, or more appropriately, data containing additional data. CII has also been called another definition of the term information. As defined by more than one credible source, the term information is defined as data that have been transformed through analysis and interpretation into a form useful for drawing conclusions and making decisions. Thus, CII is clearly not the same as information. Therefore, CII is specifically defined as consisting of any of five criteria such that it: 1. Represents information directly relating to specific data, tasks, or information relating to any given critical infrastructure or its sector.

Although there appear to be several references, both government and industry, that give regard to the definition of the term critical infrastructure information, there do not appear to be any contextual data provided that demonstrate a defined term. All in all, all interested parties involved appear to be more concerned about what to do with the information rather than defining it; if it is defined, it consumes numerous volumes of text outlining an overtly detailed explanation, which, simply put, might be explained with but a few bulleted items. Therefore this definition is by no means perfect; however, it is an attempt at defining what it means and signifies. 2 This definition represents a consensus of observed statements, as well as online and printed materials that were reviewed from both government and industry viewpoints. It is an attempted abbreviated version of what was observed. The shortest/smallest definition of the term critical infrastructure information consumed approximately 34 pages of material. 3 Information—Data that have been transformed through analysis and interpretation into a form useful for drawing conclusions and making decisions. 4 Metadata—It is either: (1) Information about a data set that is provided by the data supplier or the generating algorithm and which provides a description of the content, format, and utility of the data set; metadata provide criteria that may be used to select data for a particular scientific investigation. (2) Information describing a data set, including data user guide, descriptions of the data set in directories, and inventories, and any additional information required to define the relationships among these. Source: ESADS, EPO, IWGDMGC. 5 Data—The collection of material or facts on which a discussion or an inference is based. Data are the product of measurement. The word data is the plural of datum. Compare information (referred to as a lexicon definition). 1

Critical Infrastructure Information  ◾  97

2. Represents information generated by, produced by, or indirectly related to such information that results from or is resulting from daily operations of any given critical infrastructure or its sector. 3. Represents geographical or geospatial information pertaining to locations, access points, methods of access to or from a site, facility, or area that is representative of a critical infrastructure or its sector. 4. Represents any other information that may be indirectly related to or from any given critical infrastructure that is deemed, labeled, or marked as “protected critical infrastructure information” (as defined within the Critical Infrastructure Information Act of 2002), or as accepted by the US Department of Homeland Security (DHS). 5. Represents any recently defined or newly found or discovered information that could be utilized to destroy, dismantle, render useless or inoperative, incapacitate, or lessen the usefulness of any given critical infrastructure, or any impacts resulting from said methods against, to, from, or within any given critical infrastructure or its sector. To sum up, critical infrastructure information 6 is loosely defined as consisting of any of the five criteria such that it: ◾◾ Relates to information about critical infrastructures or its sectors ◾◾ Relates to information produced from the operations of those critical infrastructures, such as patient information, financial records, and transaction logs ◾◾ Relates to mapping information about locations or directions to any critical infrastructure site, facility, or work area ◾◾ Relates to information that the government considers protected critical infrastructure information ◾◾ Relates to any newly found or discovered information about a critical infrastructure, such as exploit information and “how-to FAQs” that would explain how to disable, dismantle, or destroy, say, a high-energy electrical transmission tower A few additional criteria may hold true to the refined definition of CII, which might include the following alternative criteria: ◾◾ Relates to information about future developments of critical infrastructures, such as maps or architectural drawings or designs of power generation facilities.

6

Critical Infrastructure Information Act of 2002, Section 212(3), page 17; URL: https://www​ .dhs.gov/sites/default/files/publications/CII-Act-508.pdf; alt url: http://cipbook.infracritical​ .com/book4/chapter6/ch6ref1.pdf.

98  ◾  Critical Infrastructure

◾◾ Relates to information about discontinued or dismantled critical infrastructures that are no longer in use, such as dismantled nuclear power generation facilities, or long-term nuclear material storage facilities. ◾◾ Relates to geological information about locations to any critical infrastructure, such as earthquake-prone sites, facilities, or areas of critical infrastructures that would show possible weaknesses of that location. ◾◾ Relates to any meteorological information about locations to any critical infrastructure. CII was implemented, through regulation, via the Critical Infrastructure Information Act of 2002 in February 2004. As of March 2, 2004, a US Department of Justice report stated that the CII designation would apply only to documents that were or are in the possession of the US DHS. The concept of Critical Infrastructure Information should be understood as a designation that does not operate independently of other designations. For example, Sensitive Security Information, covered under 49 CFR 1520 can easily overlap with this kind of information, leading to challenges in how to identify, label, control, and enforce the use of such information.

6.3 How Does the Government Interpret CII? Exemption 1 of the Freedom of Information Act (FOIA) protects data owners from disclosure of national security information concerning national defense or foreign policy, provided that it has been properly classified in accordance with the substantive and procedural requirements of an executive order.7 As of October 14, 1995, the executive order in effect was Executive Order (E.O.) 12958 issued by President Clinton and amended in 1999 by E.O. 13142.8,9 Section 1.5 of the order specifies the types of information that may be considered for classification: military plans, weapons systems, or operations; foreign government information; intelligence activities, sources or methods, or cryptology; foreign relations or foreign activities, including confidential sources; scientific, technological, or economic matters relating to national security; federal government programs for safeguarding nuclear materials and facilities; or vulnerabilities or capabilities of systems, installations, projects, or plans relating to

5 U.S.C. §552(b)(1). 3 C.F.R. 333 (1996), reprinted in 50 U.S.C. §435 note. 9 Congressional Research Service—The Library of Congress, Critical Infrastructure Information: Disclosure and Homeland Security, Report for Congress, RL31547, January 29, 2003; http:// www.fas.org/sgp/crs/RL31547.pdf (alt URL: http://cipbook.infracritical.com/book3/chap​ ter11/ch11ref4.pdf). 7 8

Critical Infrastructure Information  ◾  99

national security.10 The categories of information that may be classified appear broad enough to include homeland security information concerning critical infrastructures. Under E.O. 12958, information may not be classified unless “its disclosure reasonably could be expected to cause damage to the national security.”11 On March 19, 2002, the White House Chief of Staff issued a directive to the heads of all federal agencies addressing the need to protect information concerning weapons of mass destruction as well as other sensitive homeland security-related information.12 The implementing guidance for the directive concerned sensitive homeland security information that was currently classified, as well as previously unclassified or declassified information.13 The guidance stipulated that if information was currently classified, then its classified status should be maintained in compliance with E.O. 12958. This included extending the duration of classification as well as exempting such information from automatic declassification as appropriate. For previously unclassified or declassified information concerning weapons of mass destruction and other sensitive homeland security-related information, the implementing guidelines stipulated that if it has never been publicly disclosed under proper authority, it may be classified or reclassified as outlined within E.O. 12958.

10

11

12

13

http://www.fas.org/sgp/crs/RL31547.pdf (alt URL: http://cipbook.infracritical.com/book3​ /chapter11/ch11ref4.pdf). E.O. No. 12958, §1.2(a)(4); E.O. 12958: Classified National Security Information; signed: April 17, 1995; Federal Register page and date: 60 F.R. 19825; April 20, 1995; revoked: E.O. 12356, April 6, 1982; amended by: E.O. 12972, September 18, 1995; E.O. 13142, November 19, 1999; E.O. 13292, March 25, 2003; see: Order of October 13, 1995; Order of February 27, 1996; Order of February 26, 1997; Final Rule of July 1, 1997 (62 F.R. 36984); E.O. 13231, October 16, 2001; Military Order of November 13, 2001 (66 F.R. 57833); Order of December 10, 2001 (66 F.R. 64347); E.O. 13284, January 23, 2003; E.O. 13311, July 29, 2003; Order of September 17, 2003 (68 F.R. 55257); E.O. 13329, February 24, 2004; E.O. 13354, August 27, 2004; E.O. 13356, August 27, 2004; Order of April 21, 2005; E.O. 13387, October 14, 2005; E.O. 13388, October 25, 2005; E.O. 13462, February 29, 2008; E.O. 13467, June 30, 2008; E.O. 13470, July 30, 2008; URL: http://www.archives.gov/federal-register/executive​ -orders/1995.html (alt URL: http://cipbook.infracritical.com/book3/chapter11/ch11ref25​ .pdf and http://cipbook.infracritical.com/book3/chapter11/ch11ref25a.pdf). See White House Memorandum for Heads of Executive Departments and Agencies Concerning Safeguarding Information Regarding Weapons of Mass Destruction and Other Sensitive Documents Related to Homeland Security, March 19, 2002; reprinted in FOIA Post, posted March 21, 2002; https://www.justice.gov/oip/foia-guide-2004-edition-exemption-9 (alt URL: http://cipbook.infracritical.com/book3/chapter11/ch11ref24.pdf and http://cipbook​ .infracritical.com/book4/chapter6/ch6ref2.pdf). See Memorandum from Acting Director of Information Security Oversight Office and Co-Directors of Office of Information and Privacy to Departments and Agencies, March 31, 2002; reprinted in FOIA Post, posted March 21, 2002 http://cipbook.infracritical.com/book3​ /chapter11/ch11ref26.pdf and http://cipbook.infracritical.com/book3/chapter11/ch11ref26a​ .pdf.

100  ◾  Critical Infrastructure

If the information was subject to a previous request for access, such as an FOIA request, classification, or reclassification, then it is subject to the special requirements of that executive order.14

6.4 Exemption 3 of the FOIA As outlined under Exemption 3 of the FOIA, information protected from disclosure under other statutes is also exempt from public disclosure.15 Exemption 3 allows the withholding of information prohibited from disclosure by another statute if and only if the other statute meets one of three criteria: 1. Requires that records are to be withheld (with no agency discretion). 2. Grants discretion on whether to withhold information, but provides specific criteria outlining the exercise of that discretion. 3. Describes the types of records to be withheld. To support an Exemption 3 claim, the requested information must fit within a category of information that the statute authorizes to be withheld. As circular as this may sound, essentially, if the information does not fit the criteria established, it cannot be acted upon.16 As with all FOIA exemptions, the government bears the burden of proving that requested records are properly withheld.17 Numerous statutes have been held to qualify as Exemption 3 statutes under the exemption’s first subpart, in which those statutes that require information to be withheld leave the agency with no discretion.18 Several statutes have failed to qualify under Exemption 3 because too much discretion was vested in the agency or because the statute lacked specificity regarding the records to be withheld.19 Unlike other FOIA exemptions, if the information

14

15 16 17 18 19

Congressional Research Service—The Library of Congress, Critical Infrastructure Information: Disclosure and Homeland Security, Report for Congress, RL31547, January 29, 2003; http:// www.fas.org/sgp/crs/RL31547.pdf (alt URL: http://cipbook. infracritical.com/book3/chapter11​ /ch1ref4.pdf). Ibid. Ibid. Ibid. Ibid. See CRS Congressional Distribution Memorandum, American Law Division, Freedom of Information Act: Statutes Invoked under Exemption 3 by Gina Stevens, July 11, 2002; updated reference; http://www.fas.org/irp/crs/RL31547.pdf (alt URL: http://cipbook.infracritical​ .com/book3/chapter11/ch11ref27.pdf).

Critical Infrastructure Information  ◾  101

requested under FOIA meets the withholding criteria of Exemption 3, the information must be withheld.20 Congress has considered a number of proposals that address the disclosure under FOIA of cyber security information, of information maintained by the DHS, and of CII voluntarily submitted to the DHS.21 Generally, legislation has specifically exempted the covered information from disclosure under FOIA, in effect creating an Exemption 3 statute for purposes of FOIA.22 In Canada, the closest approximation to this was included under the Access to Information Act under Section 20(1)(b.1) that requires the head of government institutions to refuse to disclose any record that was concerned with “the vulnerability of the third party’s buildings or other structures, its networks or systems, including its computer or communications networks or systems, or the methods used to protect any of those buildings, structures, or systems.” This can be directly linked to Section 16(2) which offered the opportunity (as opposed to the mandatory requirement) to protect information “that could be reasonably expected to facilitate the commission of an offence, including, without restricting the generality of the foregoing, [information on the vulnerability of particular buildings or other structures or systems, including computer or communication systems, or methods employed to protect such buildings or other structures or systems].” The application of these two sections, however, may become an increasing point of friction as government as a significant number of government offices fall under the category of leased space, meaning that the former exemption (20.1) may apply although the public expectation may pressure those releasing information to look at it in terms of (16.2). The approach to Critical Infrastructure Information, however, is limited largely to that information that can be looked at in terms of the exemptions of the Access to Information Act.23

20

21

22 23

Congressional Research Service—The Library of Congress, Critical Infrastructure Information: Disclosure and Homeland Security, Report for Congress, RL31547, January 29, 2003; http:// www.fas.org/sgp/crs/RL31547.pdf (alt URL: http://cipbook.infracritical.com/book3/chap​ter11​ /ch1ref4.pdf). Congressional Research Service—The Library of Congress, Critical Infrastructure Information: Disclosure and Homeland Security, Report for Congress, RL31547, January 29, 2003; http:// www.fas.org/sgp/crs/RL31547.pdf (alt URL: http://cipbook.infracritical.com/book3/chap​ter11​ /ch1ref4.pdf). Ibid. The Access to Information Act referred to was drawn from the Justice Department’s website at http://laws-lois.justice.gc.ca/eng/acts/A-1/page-3.html (alt url: http://cipbook.infracritical​ .com/book4/chapter6/ch6ref3.pdf) and http://laws-lois.justice.gc.ca/PDF/A-1.pdf (alt url: http://cipbook.infracritical.com/book4/chapter6/ch6ref3a.pdf).

102  ◾  Critical Infrastructure

6.5 Exemption 4 of the FOIA Exemption 4 of the FOIA exempts from disclosure “trade secrets and commercial or financial information obtained from a person and privileged or confidential.”24 The latter category of information (commercial information that is privileged or confidential) is relevant to the issue of the federal government’s protection of private sector CII.25 To fall within this second category of Exemption 4, the information must satisfy three criteria. It must be:26 1. Considered commercial or financial. 2. Obtained from an individual. 3. Labeled or classified as confidential or privileged. The Washington, D.C., circuit court held that the terms commercial or financial should be given their ordinary meaning, and that records are commercial if the submitter has a “commercial interest” in them.27 The second criterion, “obtained from a person,” refers to a wide range of entities.28 However, information generated by the federal government is not “obtained from a person,” and as a result is excluded from Exemption 4’s coverage.29 Most Exemption 4 cases involved in a dispute are generally over whether the information was considered confidential.30

6.6 Section 214 of the Homeland Security Act After extensive deliberation, which still appears to be continuing today, and no small amount of controversy involved, the US DHS has regulations defining the Protected Critical Infrastructure Program within the implementation of

24 25

26 27 28

29 30

5 U.S.C. §552(b)(4). Congressional Research Service—The Library of Congress, Critical Infrastructure Information: Disclosure and Homeland Security, Report for Congress, RL31547, January 29, 2003; http:// www.fas.org/sgp/crs/RL31547.pdf (alt URL: http://cipbook.infracritical.com/book3/chap​ter11​ /ch1ref4.pdf). Ibid. Public Citizen Health Research Group v. FDA, 704 F.2d 1280, 1290 (D.C. Cir. 1983). See Nadler v. FDIC, 92 F.3d 93, 95 (2d Cir. 1996) (term person includes “individual, partnership, corporation, association, or public or private organization other than an agency,” quoting definition found in Administrative Procedure Act, 5 U.S.C. §551(2)). See Allnet Communications Servs. v. FCC, 800 F. Supp. 984, 988 (D.D.C. 1992). Congressional Research Service—The Library of Congress, Critical Infrastructure Information: Disclosure and Homeland Security, Report for Congress, RL31547, January 29, 2003; http:// www.fas.org/sgp/crs/RL31547.pdf (alt URL: http://cipbook.infracritical.com/book3/chapter11​ /ch1ref4.pdf).

Critical Infrastructure Information  ◾  103

Section 214 of the Homeland Security Act of 2002, 6 U.S.C.A. §133 (West Supp. 2003).31 Section 214 of the Homeland Security Act, enacted in November 2002, contains a series of provisions aimed at promoting the flow of sensitive information specifically relating to the national critical infrastructures, of which approximately 85 percent are located within private sectors, to the federal government for homeland security purposes.32 This section established a new category defined as critical infrastructure information. Section 214 of the Homeland Security Act of 2002 (P.L. 107-269) exempted from disclosure under FOIA for Exemption 333 protection such that “critical infrastructure information (including the identity of the submitting person or entity) that is voluntarily submitted to a covered agency for use by that agency regarding the security of critical infrastructure (as defined within the USA PATRIOT Act)… ,34 when accompanied by an express statement.”35 The new Exemption 3 statute for CII, which now applies to information held by DHS only, is one of “a growing trend [of] statutes enacted in recent years [that] contain disclosure prohibitions that are not general in nature but rather are specifically directed toward disclosure under the FOIA in particular.”36 The Homeland Security Act defines “critical infrastructure information” to be representative of “information not customarily in the public domain and related to the security of critical infrastructure or protected systems”: A. Actual, potential, or threatened interference with, attack on, compromise of, or incapacitation of critical infrastructure or protected systems by either physical or computer-based attack or other similar conduct (including misuse of or unauthorized access to all types of communications and data transmission

31

32 33 34

35

36

FOIA Post, Critical Infrastructure Information Regulations Issued by DHS, February 27, 2004; https://www.justice.gov/archive/oip/foiapost/2004foiapost6.htm (alt URL: http://cipbook​ .infracritical.com/book3/chapter11/ch11ref28.pdf). Ibid. Exemption 3 of the Freedom of Information Act, 5 U.S.C. §552(b)(3) (2000). “Systems or assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” P.L. 107-56, Section 1016. Congressional Research Service—The Library of Congress, Critical Infrastructure Information: Disclosure and Homeland Security, Report for Congress, RL31547, January 29, 2003; http:// www.fas.org/sgp/crs/RL31547.pdf (alt URL: http://cipbook.infracritical.com/book3/chapter11​ /ch1ref4.pdf). FOIA Post, Agencies Rely on Wide Range of Exemption 3 Statutes, February 16, 2003; https:// www.justice.gov/oip/blog/foia-post-2003-homeland-security-law-contains-new​-exemption​ -3-statute (alt URL: http://cipbook.infracritical.com/book3/chapter11/ch11ref29​.pdf and http://cipbook.infracritical.com/book4/chapter6/ch6ref4.pdf).

104  ◾  Critical Infrastructure

systems) that violates federal, state, or local law, harms interstate commerce of the United States, or threatens public health and safety. B. The ability of critical infrastructures or protected systems to resist such interference, compromise, or incapacitation, including any planned or past assessment, projection or estimate of the vulnerability of critical infrastructure or a protected system, including security testing, risk evaluation thereto, risk management planning, or risk audit. C. Any planned or past operational problem or solution regarding critical infrastructure… including repair, recovery, reconstruction, insurance, or continuity to the extent it relates to such interference, compromise, or incapacitation.37 A “covered agency” is defined as the US DHS.38 The submission of CII is considered voluntary if done in the absence of the DHS exercising its legal authority to compel access to or submission of such information.39 Information submitted to the Securities and Exchange Commission pursuant to Section 12(i) of the Securities and Exchange Act of 1934 is explicitly not protected by this provision.40 Besides exempting from FOIA CII that has been submitted voluntarily with the appropriate express statement to the DHS, the Homeland Security Act also states that the information shall not be subject to any agency rules or judicial doctrine regarding ex parte communications with decision-making officials.41 The act also prohibits such information, without the written consent of the person or entity submitting such information in good faith, from being used directly by the DHS, any other federal, state, or local authority, or any third party, in any civil action.42 Nor may the information, without the written consent of the person or entity submitting such information, be used or disclosed by any officer or employee of the United States for any purpose other than the purposes of the subtitle except in the furtherance of a criminal investigation or prosecution, or when disclosed to either

37 38 39

40 41

42

P.L. 107–296, §212(3). Ibid. Congressional Research Service—The Library of Congress, Critical Infrastructure Information: Disclosure and Homeland Security, Report for Congress, RL31547, January 29, 2003; http:// www.fas.org/sgp/crs/RL31547.pdf (alt URL: http://cipbook.infracritical.com/book3/chapter11​ /ch1ref4.pdf). Ibid. Congressional Research Service—The Library of Congress, Critical Infrastructure Information: Disclosure and Homeland Security, Report for Congress, RL31547, January 29, 2003; http:// www.fas.org/sgp/crs/RL31547.pdf (alt URL: http://cipbook. infracritical.com/book3/chapter11​ /ch1ref4.pdf). Ibid.

Critical Infrastructure Information  ◾  105

House of Congress, or to the Comptroller General or other authorized General Accounting Office official, in the conduct of official business.43

6.7 Enforcement of Section 214 of the Homeland Security Act Any federal official or employee who knowingly publishes, divulges, discloses, or makes known in any manner or to any extent not authorized by law, any protected information, is subject to removal, imprisonment up to one year, and fines.44 If the information is disclosed to state or local officials, it may not be used for any purpose other than the protection of critical infrastructures, and it may not be disclosed under state disclosure laws.45 The protections afforded protected information do not result in waiver of any privileges or protections provided elsewhere in law.46 Finally, no communication of CII to the DHS shall be considered an action subject to the requirements of the Federal Advisory Committee Act.47 For information to be considered protected, it must be accompanied with a written statement to the effect that “this information is voluntarily submitted to the federal government in expectation of protection from disclosure as provided by the Critical Infrastructure Information Act of 2002 (the name given to Subtitle B).” The Secretary of the DHS is to establish procedures for handling the information once it is received. Only those agency components or bureaus designated by the president or the Secretary of Homeland Security as having a critical infrastructure program may receive CII from the department. The above protections for information voluntarily submitted by a person or entity to the DHS do not limit or otherwise affect the ability of a state, local, or federal government entity, agency, or authority, or any third party, under applicable law, to obtain CII (including any information lawfully and properly disclosed generally and broadly to the public) and to use that information in any manner permitted by law.48 43 44 45 46 47

48

Ibid. Ibid. Ibid. Ibid. The Federal Advisory Committee Act (FACA) requires that the meetings of all federal advisory committees serving executive branch entities be open to the public. The FACA specifies nine categories of information, similar to those in FOIA, which may be permissively relied on to close advisory committee deliberations. 5 U.S.C. App. 2. Congressional Research Service—The Library of Congress, Critical Infrastructure Information: Disclosure and Homeland Security, Report for Congress, RL31547, January 29, 2003; http:// www.fas.org/sgp/crs/RL31547.pdf (alt URL: http://cipbook.infracritical.com/book3/chapter11​ /ch1ref4.pdf).

106  ◾  Critical Infrastructure

Submittal to the government of information or records that are protected from disclosure is not to be construed as compliance with any requirement to submit such information to a federal agency under any other provision of law.49 Finally, the act does not expressly create a private right of action for enforcement of any provision of the act.50

6.8 What Does “Sensitive but Unclassified” Mean? In recent years, more reports and information contained on websites have introduced a new data classification referred to as “sensitive but unclassified,” especially when dealing with information pertaining to a critical infrastructure such as the national power grid. The term sensitive but unclassified (SBU)51 is an informal designation applicable to all types and forms of information that, by law or regulation, require some form of protection, but are outside the formal system for classifying national security information.52 As a general rule, information may be exempt from release to the public under the FOIA.53,54 This section reviews the most common types of sensitive unclassified information.55

49 50 51

52

53

54

55

Ibid. Ibid. http://www.wrc.noaa.gov/wrso/security_guide/intro-5.htm#Sensitive (alt URL: http://cip​ book.infracritical.com/book3/chapter11/ch11ref5.pdf). The US Department of State uses “sensitive but unclassified” (SBU) as a document designation comparable to “for official use only.” The FOIA establishes a presumption that records in the possession of agencies and departments of the executive branch of the federal government are accessible to the people. This was not always the approach to federal information disclosure policy. Before the enactment of the FOIA in 1966, the burden was on the individual to establish a right to examine these government records. There were no statutory guidelines or procedures to help a person seeking information. There were no judicial remedies for those denied access. With the passage of the FOIA, the burden of proof shifted from the individual to the government. Those seeking information are no longer required to show a need for information. Instead, the need-toknow standard has been replaced by a right-to-know doctrine. The government now has to justify the need for secrecy. The FOIA sets standards for determining which records must be disclosed and which records may be withheld. The law also provides administrative and judicial remedies for those denied access to records. Above all, the statute requires government organizations to provide the fullest possible disclosure of information to the public. http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=106_cong_reports&docid​ =f:hr050.106.pdf (web link no longer exists). Information taken from the National Oceanic and Atmospheric Administration Web site, in which information posted on the various categories of sensitive unclassified information is based on a research report prepared for Personnel Security Research Center by John Tippit & Associates.

Critical Infrastructure Information  ◾  107

The US Department of Defense (DOD) also uses the term controlled unclassified information (CUI)56 to refer to certain types of sensitive information within DOD that require controls and protective measures.57 CUI includes “for official use only” (FOUO) and information with comparable designations that is received from other agencies, DOD Unclassified Controlled Nuclear Information (UCNI), “sensitive information” as defined in the Computer Security Act of 1987, and DOD technical data.58 Some information that is not formally designated as sensitive is nonetheless inappropriate for putting on a public, unsecured website.59 Federal law defines most categories of sensitive unclassified information, whereas others, such as the FOUO classification, are defined by organization policy, and several government organizations use different names for this category of information.60 Most legislative authorities are very specific in identifying the protected category of information, whereas others are general and leave much discretion to the agency or company.61 Procedures for safeguarding sensitive unclassified information depend on the category of information and, in some cases, vary from one agency or company to another.62 Generally speaking, the law provides protection for established categories of protected information only when the owners of the information have taken reasonable or required steps to protect it.63 These steps are sometimes stated in the law or regulation; however, they are often left up to the information owner to develop internally.64 Legal history shows that the following elements are the key to successful enforcement of an information protection program. The organization must have:65 ◾◾ An established information security policy. ◾◾ A system or mechanism to identify specific information that is to be protected (this includes periodic reviews of the need for continued protection). 56

57

58 59

60 61 62 63 64 65

Assistant Secretary of Defense for Command, Control, Communications, and Intelligence, DOD Guide to Marking Classified Documents, DOD 5200.1-PH, April 1997: http://www​ .acqnotes.com/Attachments/DoD%205200.1ph%20DoD%20Guide%20to%20Marking%20 Classified%20Documents.pdf (alt URL: http://cipbook.infracritical.com/book3/chapter11​ /ch11ref30.pdf), along with http://www.wrc.noaa.gov/wrso/briefings/DOD%20Marking%20 Guide.ppt (alt URL: http://cipbook.infracritical.com/book3/chapter11/ch11ref10.ppt). http://www.wrc.noaa.gov/wrso/security_guide/intro-5.htm#Sensitive (alt URL: http://cip​ book.infracritical.com/book3/chapter11/ch11ref5.pdf). DOD Regulation 5200.1-R, Information Security Program. http://www.wrc.noaa.gov/wrso/security_guide/intro-5.htm#Sensitive (alt URL: http://cip​ book.infracritical.com/book3/chapter11/ch11ref5.pdf). Ibid. Ibid. Ibid. Ibid. Ibid. Ibid.

108  ◾  Critical Infrastructure

◾◾ Procedures for safeguarding and controlling protected information such that any risk of exposure is only to those who have specific need for knowledge of the information, as well as a duty to protect its safety. ◾◾ Duty to protect and safeguard information may be imposed or regulated by law (for some categories), or established by a confidential agreement. ◾◾ A system or mechanism of warnings and markings advising of the sensitivity or handling requirements of the information. The use of “Sensitive but Unclassified” is one example of a designation that can challenge allies that are connected to the CI Sector (such as through Energy, Telecommunication, etc.). The comparable designation in Canada, for example, falls under the protected information, or that information that is sensitive but not necessarily in the national interest. Within the Canadian context, the challenge is that the protected designation is most commonly used for protection of information under the Privacy Act meaning that it pertains to persons.

6.9 Information Handling Procedures Procedures for handling the various categories of sensitive unclassified information vary from one agency or company to another.66 This is due to different legal and regulatory requirements for each category and the agency or organization’s implementation of those requirements.67 Factors affecting the implementation are the degree of sensitivity of the information, nature of the threat to the information, vulnerability of the information, options that are available for protecting the information, and organizational facilities/capabilities for secure handling, storage, and transmission.68 Perhaps the greatest challenge in this respect will be with the interpretation of labels and a potential failing of a custodian in understanding that this designation involves strict handling controls based on the need to know. While this information may be well-protected within the United States, one must be concerned with the gradual movement towards cloud computing that is happening at a global level. While Canada’s strategy for the use of cloud computing, for example, limits the holding of its most sensitive information to proprietary and well-protected clouds, the designation of “Sensitive but Unclassified” and “Critical Infrastructure Information” do not contain clear caveat information that would prompt a user not to release it to leased or rented clouds. While these clouds may offer a level of

66 67 68

Ibid. Ibid. Ibid.

Critical Infrastructure Information  ◾  109

protection, there still needs to be clear guidance with respect to the handling and controls over this information in the broader community of potential custodians.

6.10 Freedom of Information Act The public has a right to information concerning the activities of its government. The FOIA requires all government organizations (mostly federally related) to conduct their activities in an open manner and to have a system for providing the public with the maximum amount of accurate and timely information allowed by law.69 Agencies commonly have an FOIA office for processing public requests for information.70 Within both the United States and Canada, the applicable legislation contains a range of exemptions that are either mandatory (the government must withhold the information) or that are more discretionary (the government may choose to withhold) the information. Applying the former group of exemptions is relatively straightforward—one must only make the clear linkage between the information and the exemption and then the course is clear. The discretionary exemptions, however, pose more of a challenge. In this case, the data and information owner must often build a case to the applicable office (FOIA or ATIP) to convince that particular office that the information should be exempted.

6.11 Need to Know Not all CII is defined as “protected critical infrastructure information” and may be defined or categorized as something other than CII; one of those designations may be “need to know.” Need to know is one of the most fundamental security principles.71 The practice of need to know limits the damage that can be done by a trusted insider who might betray one’s trust. Failures in implementing a need-toknow principle may cause serious damage to an organization.72

69

70 71

72

http://www.wrc.noaa.gov/wrso/security_guide/foia.htm (alt URL: http://cipbook.infracritical​ .com/book3/chapter11/ch11ref6.pdf). Ibid. http://www.wrc.noaa.gov/wrso/security_guide/need-2.htm#Need-to-Know (alt URL: http:// cipbook.infracritical.com/book3/chapter11/ch11ref7.pdf). Ibid.

110  ◾  Critical Infrastructure

Need to know imposes multiple responsibilities on whoever as well as all other authorized holders of protected information:73 ◾◾ When certain individuals perform their job, one is expected to limit their requests for information to that which is a need to know. Under some circumstances, an individual may be expected to explain and justify his or her need to know when asking others for information. ◾◾ Ensure that anyone to whom protected information is given has a legitimate need to know that information. In some cases, one may need to ask the other person for sufficient information to enable that person to make an informed decision about his or her need-to-know status. ◾◾ Refrain from discussing protected information in hallways, cafeterias, elevators, rest rooms, or smoking areas where persons who do not have a need to know the subject of conversation may overhear the discussion. A caveat of the need-to-know classification is that need to know is difficult to implement as it conflicts with our natural desire to be friendly and helpful.74 It also requires a level of personal responsibility that many find difficult to accept. The importance of limiting sensitive information to those who have a need to know is underscored, however, every time a trusted insider is found to have betrayed that trust.75 Although every individual with access to a particular computer network is approved for that system, that person may not have a need to know all of the information coming across the system.76 Another challenge with the “need to know” concept is that it can be applied far too literally and lead to situations where decisions are made without the benefit of full information. This is generally an error in the application in individuals determining whether the information should be shared refer to prescriptive lists (or similar items) but fail to uphold the mandate of the organization or the greater public trust that the government will do all that it can for the protection of its people. Consider the scenario during which an individual requests information, such as the drawings, of a structure. If the individual is simply looking to have a copy for a file to complete a file copy, then one might argue that a note on that file on where to locate that information may suffice. On the other hand, if the request is being made because of a risk to life (such as might occur in many crimes, incidents, or accidents), then one might argue that the need to preserve life in the immediate context outweighs the need to update the various control lists (this is not to say if it does or does not). For this reason, any application of the “need to know” principle should include a description of conditions under which the information may be released or communicated and what restrictions to impose during that communication. 73 74 75 76

Ibid. Ibid. Ibid. Ibid.

Critical Infrastructure Information  ◾  111

This has led to a concept called the “need to share.” The need to share, often wrongly interpreted as being the ability to share information all the time, builds on the concept of the need to know by beginning to define these conditions under which sharing can take place. In this structure, three steps are taken. The first is that the individual or organization requesting the information explains why that information is needed and the potential impacts that can arise if it is not shared. The organization that may release the information examines that request and considers any direct legal prohibitions and, depending on what is found, decides to share the information (or not). Finally, the exchange, including any limitations (that the receiving party must accept) are documented and may be used as a precedent or foundation for a change to existing information sharing agreements. Essentially, this allows persons closer to the work that is happening to share information so that decisions can proceed and decision-making cycles are not slowed when there is a clear impact that involves situations such as a failure of CI, loss of life, or other significantly serious impacts.

6.12 “For Official Use Only” “For official use only” (FOUO) is a document designation, not a classification.77 This designation is used by the US DOD and a number of other federal agencies to identify information or material that, although unclassified, may not be appropriate for public release.78 There is no national policy governing use of the FOUO designation.79 DOD Directive 5400.7 defines FOUO information as “unclassified information that may be exempt from mandatory release to the public under the Freedom of Information Act (FOIA).”80,81 The policy is implemented by DOD Regulations 5400.7-R and 5200.1-R.82 Note: The FOUO designation is also used by the CIA as well as a number of other federal agencies, but each agency is responsible for determining how it shall be used. The categories of protected information may be quite different from one agency to another, although in every case the protected information must be covered by one of the nine categories of information that are exempt from public release under FOIA.83 77

78 79 80 81 82

83

http://www.wrc.noaa.gov/wrso/security_guide/fouo.htm#For Official (alt URL: http://cip​ book.infracritical.com/book3/chapter11/ch11ref8.pdf). Ibid. Ibid. Ibid. DOD Regulation 5200.1-R, Information Security Program. http://www.wrc.noaa.gov/wrso/security_guide/fouo.htm#For Official (alt URL: http://cip​ book.infracritical.com/book3/chapter11/ch11ref8.pdf). Ibid.

112  ◾  Critical Infrastructure

Some agencies use different terminology for the same types of information. For example, the US Department of Energy uses “official use only” (OUO).84 The US Department of State uses “sensitive but unclassified” (SBU) (formerly called “limited official use” (LOU)).85 The US Drug Enforcement Administration uses “DEA sensitive.” In all cases, the designations refer to unclassified, potentially sensitive information that is or may be exempt from public release under the FOIA.86 The fact that information is marked FOUO does not mean it is automatically exempt from public release under FOIA.87 If a request for the information is received, it must be reviewed to see if it meets the FOIA dual test88: 1. If it fits into one of the nine FOIA exemption categories. 2. If there is a legitimate government purpose served by withholding the data. Consequently, on the other hand, the absence of the FOUO or other markings does not automatically mean the information must be released in response to an FOIA request.89

6.13 Enforcement of FOUO Information Administrative penalties may be imposed for misuse of FOUO information.90 Criminal penalties may be imposed depending on the actual content of the information (privacy, export control, etc.).91,92

6.14 Reviewing Web Site Content With its many benefits, the Internet can also do a great deal of harm if not used properly.93 Information on the Internet that may be intended for a limited audience is often available to a worldwide audience.94 The World Wide Web was not 84 85 86 87 88 89 90 91 92

93 94

Ibid. Ibid. Ibid. Ibid. Ibid. Ibid. Ibid. Ibid. 5 U.S.C. 301—Departmental Regulations: DOD Regulation 5200.1-R—The Information Security Program; DOD Directive 5400.7—The Freedom of Information Act (FOIA) Program; DOD Regulation 5400.7-R—The DOD Freedom of Information Act Program; DOD Regulation 5400.11-R—Department of Defense Privacy Program. http://cipbook.infracritical.com/book3/chapter11/ch11ref9.pdf. Ibid.

Critical Infrastructure Information  ◾  113

designed with security in mind, and unencrypted information is at high risk of compromise to any interested adversary or competitor.95 It is very easy to search the web and put together related pieces of information from different sites. For example, the former search engine SearchMil.com (www.searchmil.com) specialized in indexing sites with a .mil domain name. It claimed (as of August 2001) to have indexed more than 1 million pages of military sites, with the number of pages still growing rapidly.96 The DOD has been among the first government departments to take the lead in spelling out rules for what should and should not go on online and how information should be reviewed before it is posted on a website.97 The DOD policy should be reviewed before posting DOD or DOD-controlled information to a website.98 The DOD policy applies to all unclassified DOD websites, requiring a review and approval process of requests received from DOD contractors and subcontractors as well as other government agencies to post DOD information on their websites.99 DOD guidelines take into account what security access controls, if any, are in effect for the site, the sensitivity of the information, and the target audience for which the information is intended.100 Briefly, most types of sensitive unclassified information discussed are usually not permitted for public viewing, and thus should not be displayed on a website unless that site is protected by encryption.101 In other words, DOD technical information, FOUO information, export-­ controlled information, unclassified nuclear information, and Privacy Act information may not be posted on an unencrypted website.102 Decisions on the handling of proprietary or trade secret information in the private sector are made by the owners of that information.103 DOD guidelines also require that judgments about the sensitivity of information take into account the potential consequences of “aggregation.” The term sensitive by aggregation refers to the fact that information on one site may seem unimportant, but when combined with information from other sites it may form a much larger and more complete picture that was neither intended nor desired.104 In other words, the combination of information from multiple websites may amount to more than the sum of its parts. Similarly, the compilation of large amounts of information together from one website may increase the sensitivity of that information and Ibid. Ibid. 97 Ibid. 98 Ibid. 99 Ibid. 100 Ibid. 101 Ibid. 102 Ibid. 103 Ibid. 104 Ibid. 95

96

114  ◾  Critical Infrastructure

make it more likely that that website will be accessed by those seeking information that might be used against the United States.105 Table 6.1 from the DOD guidance on reviewing websites106 has been modified to fit into a smaller space. It is a guide to determining an acceptable level of risk, but the listed types of access controls are not necessarily the only options available for protecting information. There are several common mistakes that people make when deciding what to put on a website. One is to ignore the danger associated with personal data on the Internet. Another is to assume that information is not sensitive just because it is not marked with any sensitivity indicator. A third is that people underestimate the ease and potential significance of “point-and-click aggregation” of information. FOUO information and other sensitive information are normally marked with a sensitivity indicator at the time of creation. However, the absence of any sensitivity marking is not a valid basis for assuming that information is non-sensitive. Before putting unmarked information on a website, it must be examined for the presence of information that requires protection and qualifies as exempt from public release. People who have not developed strong skills at searching the Internet may underestimate the amount and nature of the information that can be found there and the ease with which it can be located. The vast quantity of information on the Internet, combined with powerful computer search engines, has spawned sophisticated data mining techniques for the rapid collection and combination of information from many different sites. Very little knowhow is needed, as the tools of the Internet have been designed to do this. A single user sitting at a computer in a foreign country can now identify, aggregate, and interpret information available on the Internet in ways that sometimes provide insights into classified or sensitive unclassified programs or activities. Information relevant to operations security (OPSEC) is a particular concern. Commanders and program managers responsible for OPSEC need to identify what needs to be protected and then take a “red team” approach to how outsiders might obtain unauthorized knowledge. As a double check, military reserve units have been tasked to conduct ongoing OPSEC and threat assessments of DOD Web sites.

105 106

Ibid. Office of the Assistant Secretary of Defense (C31), Web Site Administration Policies and Procedures, November 25, 1998, approved by the Deputy Secretary of Defense, December 7, 1998. This document has been revised several times, and is available on the Internet. http:// cipbook.infracritical.com/book3/chapter11/ch11ref12.doc and http://cipbook.infracritical​ .com/book3/chapter11/ch11ref12a.pdf, along with http://www.au.af.mil/au/awc/awcgate​ /dod/02129sum.htm (alt URL: http://cipbook.infracritical.com/book4/chapter6/ch6ref5​ .pdf), and finally http://www.au.af.mil/au/awc/awcgate/dod/02-129.pdf (alt URL: http:// cipbook.infracritical.com/book4/chapter6/ch6ref6.pdf and http://cipbook.infracritical.com​ /book4​/chapter6/ch6ref7.pdf).

Critical Infrastructure Information  ◾  115 Table 6.1  DOD Guidance on Reviewing Web Sites Access Control

Level of Vulnerability

Information Can Be

Open—no access limitations, plain text, unencrypted.

Extremely high. Subject to worldwide dissemination and access by everyone on the Internet.

Non-sensitive, of general interest to the public, cleared and authorized for public release. Worldwide dissemination must pose limited risk even if information is combined with other information reasonably expected to be in the public domain.

Limited by Internet domain (e.g., military, government) or IP address. Plain text, unencrypted.

Very high. This limitation is not difficult to circumvent.

Non-sensitive, not of general interest to the public although approved and authorized for public release. Intended for DOD or other specifically targeted audiences.

Limited by requirement for user ID and password. Plain text, unencrypted.

High. Still vulnerable to hackers, as user IDs and passwords can be compromised if encryption is not used.

Non-sensitive information that is appropriate only for a specifically targeted audience.

User certificate based (software). Requires public key infrastructure (PKI) encryption through use of Secure Sockets Layer.

Moderate. This provides a moderate level of secure access control.

Sensitive unclassified information, and information that is “sensitive by aggregation.”

User certificate based (hardware). Requires PKI encryption.

Very low vulnerability.

Sensitive unclassified information and information that is “sensitive by aggregation,” where extra security is required.

116  ◾  Critical Infrastructure

One useful tool is to conduct keyword searches on the Internet to learn what related information may already be out there that others might use to deduce information about any sensitive activities. As sites are visited or newsgroup messages are read, personnel should determine if information could be used in conjunction with the information in question, or with information from some other site, to deduce if it is considered sensitive information.

6.15 Export-Controlled Information There may be some CII that is related to a device or information that may be shared outside of the United States. If the device contains cryptographic information or is a protected cryptographic mechanism, it may be protected as an export-controlled device, as well as its information. Export-controlled information107 or material is any information or material that cannot be released to foreign nationals or representatives of a foreign entity without first obtaining approval or license from the Department of State for items controlled by the International Traffic in Arms Regulations (ITAR) or the Department of Commerce for items controlled by the Export Administration Regulations (EAR).108 Export-controlled information is controlled as sensitive information and marked accordingly.109 One objective of ITAR and EAR is to prevent foreign citizens, industry, or governments or their representatives, from obtaining information that is contrary to the national security interests of the United States.110 Different laws and regulations use different definitions of a US person, US national, and foreign national. This is a source of considerable confusion when implementing international security programs.111 .O. 12923: Continuation of Export Control Regulations, 30 June 1994: Title 22 E U.S.C. 2778 et seq.—Arms Export Control Act; Title 50 U.S.C. 2401 et seq.—Export Administration Act of 1979 (as amended); Title 50 U.S.C., Appendix, Section 10—Trading with the Enemy Act of 1917; Title 15 C.F.R. Part 770, Export Administration Regulations; Title 15 C.F.R. Part 779, Technical Data; Title 22 C.F.R. (Department of State) Subchapter M, The International Traffic in Arms Regulation (ITAR), Part 121–130. Additional information includes: E.O. 12923: Continuation of Export Control Regulations; signed: June 30, 1994, Federal Register page and date: 59 F.R. 34551; July 5, 1994; revoked by: E.O. 12924, August 19, 1994; see: E.O. 12002, July 7, 1977; E.O. 12214, May 2, 1980; E.O. 12735, November 16, 1990; E.O. 12755, March 12, 1991; E.O. 12851, June 11, 1993; http://www​ .archives.gov/federal-register​/executive-orders/pdf/12923.pdf (alt URL: http://cipbook.infra​ critical.com/book3/chapter11​/ch11ref31.pdf). 108 http://www.wrc.noaa.gov/wrso/security_guide/export.htm#Export-Control (alt URL: http://​ cipbook.infracritical.com/book3/chapter11/ch11ref13.pdf). 109 Ibid. 110 Ibid. 111 Ibid. 107

Critical Infrastructure Information  ◾  117

The rules are especially confusing when dealing with an immigrant alien who possesses a green card for permanent residence in the United States.112 For the purpose of export control regulations, such an individual is a “US person” and may be allowed access to export-controlled information without an export license.113 If the export-controlled information is classified, however, the regulations for release of classified information apply. According to the National Industrial Security Program Operating Manual, a permanent resident with a green card is still a foreign national and not a “US person.” Therefore such an individual cannot have access to classified export-controlled information.114

6.16 Enforcement of Export-Controlled Information The penalty for unlawful export of items or information controlled under the ITAR is up to two years imprisonment or a fine of $100,000, or both.115 The penalty for unlawful export of items or information controlled under the EAR is a fine of up to $1,000,000 or five times the value of the exports, whichever is greater; or for an individual, imprisonment of up to ten years or a fine of up to $250,000, or both.116

6.17 Within the Contracting Process This builds upon the concept of source selection data117 and is information related to the decision-making process (including the decision itself) for an award of a contract to industry.118 Information in this category is generally only sensitive until after a formal award of the contract. Such information must be protected from disclosure outside the government and limited within the government to individuals with a need to know that information.119 Ibid. Ibid. 114 Ibid. 115 Ibid. 116 Ibid. 117  Title 41 U.S.C. 421—Federal Acquisition Regulatory Council; Title 41 U.S.C. 423— Procurement Integrity; FAR Part 3.104-1—Procurement Integrity, General (48 C.F.R.); FAR Part 3.104.3—Statutory Prohibitions and Restrictions (48 C.F.R.); FAR Part 3.104-5— Disclosure, Protection, and Marking of Proprietary and Source Selection Information; FAR Part 14.401—Receipt and Safeguarding of Bids (48 C.F.R.); FAR Part 15.407—Solicitation Provisions (48 C.F.R.); FAR Part 27.4—Rights in Data and Copyrights; FAR Part 52.21512—Restriction on Disclosure and Use of Data (48 C.F.R.). 118 h ttp://www.wrc.noaa.gov/wrso/security_guide/source.htm#Source_Selection (alt URL: http://​ cipbook.infracritical.com/book3/chapter11/ch11ref14.pdf). 119 http://www.wrc.noaa.gov/wrso/security_guide/source.htm#Source_Selection (alt URL: http://​ cipbook.infracritical.com/book3/chapter11/ch11ref14.pdf). 112 113

118  ◾  Critical Infrastructure

Federal Acquisition Regulations120 (FAR)121 specify procedures to be followed to protect source selection data.122 Bids may not be disclosed except on a need-toknow basis and only to government employees (FAR Part 14.401123 —Receipt and Safeguarding of Bids (48 C.F.R.)).124 Proprietary and source selection information may only be disclosed to individuals authorized by the head of an agency (FAR Part 3.104-5125 —Disclosure, Protection, and Marking of Proprietary and Source Selection Information). For contracts over $100,000, the names of individuals having access to the file shall be listed with the contract file.126 This refusal to disclosure is also closely linked to various conventions and laws associated with ensuring fair trade and competition. This can occur under any combination of the concept of proprietary information, trade secrets or protection afforded to patents and copyright materials. These are often also covered under the disclosure of commercial information or third party information, given that the release of information could be part of an attempt to undermine the fairness of the competitive processes by making other bids and positions known across competitors.

6.18 Enforcement of Source Selection Data For knowing disclosure of nongovernment information to which a government agency has gained access in connection with a procurement action, Title 41 U.S.C. 423—Procurement Integrity provides both civil and criminal penalties.127 The criminal penalty is up to five years imprisonment. The civil penalty is a fine of up to $100,000.128 This applies mainly to government employees who receive nongovernment information, but it also applies to nongovernment personnel who receive sensitive  ttp://www.arnet.gov/far (alt URL: http://cipbook.infracritical.com/book3/chapter11​/ch11ref32​ h .pdf), with current FAR regulation found here: https://www.acquisition.gov/sites/default/files​ /cur​rent​/far/pdf/FAR.pdf (alt URL: http://cipbook.infracritical.com/book3​/chapter11/ch11​ ref32a​.pdf). 121 http://cipbook.infracritical.com/book3/chapter11/ch11ref33.pdf. 122 http://www.wrc.noaa.gov/wrso/security_guide/source.htm#Source_Selection (alt URL: http:// cipbook.infracritical.com/book3/chapter11/ch11ref14.pdf). 123 https://www.acquisition.gov/far/html/Subpart%2014_4.html#wp1090681 (alt URL: http:// cipbook.infracritical.com/book4/chapter6/ch6ref8.pdf). 124 http://www.wrc.noaa.gov/wrso/security_guide/source.htm#Source_Selection (alt URL: http:// cipbook.infracritical.com/book3/chapter11/ch11ref14.pdf). 125  https://www.acquisition.gov/far/html/Subpart%203_1.html#wp1139379 (alt URL: http:// cipbook.infracritical.com/book4/chapter6/ch6ref9.pdf). 126 Ibid. 127 Ibid. 128 Ibid. 120

Critical Infrastructure Information  ◾  119

procurement information from government (e.g., if government gives industry a bid package containing information from a potential subcontractor).129 This procurement integrity law applies only before the awarding of a contract. Once a contract has been awarded, other laws with lesser penalties may apply.130 Title 18 U.S.C. 1905 applies to disclosure by a government employee of any information provided to the government by a company or other nongovernment organization, if the provider of the information identified it as proprietary or as being provided to the government in confidence.131 The penalty is mandatory removal from office (termination of employment), and the offender may be fined not more than $1,000 and imprisoned for not more than one year.132

6.19 Privacy Information Privacy information is information about an individual including, but not limited to, personal identifying information, social security number, payroll number, and information on education, financial transactions, medical history, including results of drug testing, and criminal or employment history.133 The Privacy Act addresses information contained in a “federal system of records.”134 A system of records is a collection of information on individuals in which the information is retrievable by the individual’s name, identifying number, symbol, or other identifying particular.135 An “individual” is defined in the act as “a citizen of the US or an alien lawfully admitted for permanent residence.”136 The Privacy Act requires that privacy information in the custody of the federal government be protected from unauthorized disclosure and provides for both civil and criminal penalties for violation of the act.137

Ibid. Ibid. 131 Ibid. 132 Ibid. 133  http://www.wrc.noaa.gov/wrso/security_guide/privacy.htm#Privacy Information (alt URL: http://cipbook.infracritical.com/book3/chapter11/ch11ref15.pdf). 134 Ibid. 135 Ibid. 136  Title 5 U.S.C. 552a—Records Maintained on Individuals (Privacy Act); Title 12 U.S.C. 3417—Civil Penalties; Title 18 U.S.C. 1905—Disclosure of Confidential Information Generally; Title 41 C.F.R. 201-6.1—Federal Information Resources Management Regulation; E.O. 12564—Drug Free Federal Workplace; OMB Circular No. A-130— Management of Federal Information Resources, Appendix 1, Federal Agency Responsibilities for Maintaining Records about Individuals; P.L. 100-71— The Supplemental Appropriations Act of 1987, Section 503; P.L. 104–13—Paperwork Reduction Act of 1955. 137  http://www.wrc.noaa.gov/wrso/security_guide/privacy.htm#Privacy Information (alt URL: http://cipbook.infracritical.com/book3/chapter11/ch11ref15.pdf). 129

130

120  ◾  Critical Infrastructure

Privacy information in the custody of government contractors is not covered by the Privacy Act unless the contractor is performing on a contract under which the contractor is provided access to or custody of such information by the federal government.138 Under this condition, the law would apply to contractor personnel the same way as it applies to government personnel.139

6.20 Enforcement of Privacy Information Title 5 U.S.C. 552a allows civil remedies against the United States for noncompliance, criminal penalties for individual acts of noncompliance, and criminal penalties for maintaining a system of records without meeting the reporting requirements of the Privacy Act.140 Title 12 U.S.C. 3417 of the Right to Financial Privacy Act allows civil penalties to agencies and requires an investigation by the Office of Personnel Management and appropriate disciplinary action for federal employees disclosing financial information.141 Title 18 U.S.C. 1905 applies to disclosure by a government employee of any information provided to the government by a company or other nongovernment organization, if the provider of the information identified it as proprietary or as being provided to the government in confidence.142 The penalty is mandatory removal from office (termination of employment), and the offender may be fined not more than $1,000 and imprisoned for not more than one year.143 Additionally, several recent acts of legislation have been implemented that protect and safeguard private information of the general public, specifically in the financial and healthcare sectors. Those pieces of legislation include:

1. The Gramm-Leach-Bliley Act, which includes provisions to protect consumers’ personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, Safeguards Rule, and pretexting provisions.144

Ibid. Ibid. 140 Ibid. 141 Ibid. 142 Ibid. 143 Ibid. 144 http://www.ftc.gov/privacy/privacyinitiatives/glbact.html, https://www.ftc.gov/tips-advice​/busi​ ness-center/privacy-and-security/gramm-leach-bliley-act (alt URL: http://cipbook.infracritical​ .com/book3/chapter11/ch11ref16.pdf and http://cipbook.infracritical.com/book4/chap​ ter6/ch6ref10.pdf ). 138 139

Critical Infrastructure Information  ◾  121

2. The Health Insurance Portability and Accountability Act, which regulates and protects the confidentiality, integrity, and availability of personal health information.145 The concept of privacy information is another area that has become increasingly complex over time. For example, a privacy act may identify medical, criminal and personal information as being personal information to be protected under its authority. This may overlap significantly with, for example, the protection of health care records and medical information covered under its own legislation. This can lead to a level of confusion for those that fall under the legislation and a level of uncertainty with respect to how complaints could be handled by the legal system.

6.21 Unclassified Controlled Nuclear Information UCNI,146 which is regulated and governed under the jurisdiction of the US Department of Energy, includes unclassified facility design information, operational information concerning the production, processing, or utilization of nuclear material for atomic energy defense programs, safeguards and security information, nuclear material, and declassified or controlled nuclear weapon information once classified as restricted data.147 Conversely, DOD UCNI is unclassified information on security measures (including security plans, procedures, and equipment) for the physical protection of DOD special nuclear material, equipment, or its facilities.148 Information is designated UCNI only when it is determined that its unauthorized disclosure could reasonably be expected to have a significant adverse effect on the health and safety of the public or the common defense and security by significantly increasing the likelihood of the illegal production of nuclear weapons or the theft, diversion, or sabotage of special nuclear material, equipment, or facilities.149

ttp://www.hhs.gov/ocr/hipaa, https://www.hhs.gov/hipaa/index.html (alt URL: http:// h book.infracritical.com/book3/chapter11/ch11ref17.pdf and http://cipbook.infracritical​ cip​ .com​/book4/chapter6/ch6ref11.pdf). 146  42 U.S.C. 2168—Atomic Energy Act of 1954; 10 C.F.R. Part 1017—Identification and Protection of Unclassified Controlled Nuclear Information; DOD Regulation 5200.1-R— Information Security Program; additional information may be found here: https://www​ .energy.gov/sites/prod/files/hss/Classification/docs/10CFRPart1017-June2010.pdf (alt URL: http://cipbook.infracritical.com/book3/chapter11/ch11ref34.doc and http://cipbook.infra​ critical.com/book4/chapter6/ch6ref12.pdf). 147 http://www.wrc.noaa.gov/wrso/security_guide/ucni.htm#Unclassified Controlled (alt URL: http://cipbook.infracritical.com/book3/chapter11/ch11ref18.pdf). 148 Ibid. 149 Ibid. 145

122  ◾  Critical Infrastructure

6.22 Enforcement of UCNI Violation of Section 148 of the Atomic Energy Act150 carries a civil fine not exceeding $110,000. In addition, the individual may be subject to a criminal penalty under Section 223 of the act.

6.23 Critical Energy Infrastructure Information Critical energy infrastructure information (CEII) was defined by the Federal Energy Regulatory Commission (FERC) as information concerning proposed or existing critical infrastructure (physical or virtual) that:151 ◾◾ Relates to the production, generation, transmission, and distribution of energy. ◾◾ Is potentially useful for planning an attack on a critical infrastructure from the energy sector. ◾◾ Is exempt from mandatory disclosure under the FOIA. ◾◾ Provides strategic information beyond specific locations of energy sector critical infrastructures. FERC established procedures for gaining access to CEII that would otherwise not be available under the FOIA:152 ◾◾ CEII is defined as infrastructure explicitly covering proposed facilities, and does not distinguish among projects or portions of projects. ◾◾ Procedures detailing geospatial or geographical location information are excluded from the definition of CEII. ◾◾ CEII rules address some issues that are specific to state agencies, and clarify that energy market consultants should be able to gain access to CEII when they need it. ◾◾ CEII rules modify the proposed CEII process and delegate the responsibility to the CEII coordinator to process requests for CEII and to determine what information qualifies as CEII. 4 2 U.S.C. 2168—Atomic Energy Act of 1954; 10 C.F.R. Part 1017—Identification and Protection of Unclassified Controlled Nuclear Information; DOD Regulation 5200.1-R— Information Security Program; additional information may be found here: https://www​ .energy.gov/sites/prod/files/hss/Classification/docs/10CFRPart1017-June2010.pdf (alt URL: http://cipbook.infracritical.com/book3/chapter11/ch11ref34.doc and http://cipbook.infrac​ ritical.com/book4/chapter6/ch6ref12.pdf). 151 http://www.ferc.gov/legal/ceii-foia/ceii.asp (alt URL: http://cipbook.infracritical.com/book3​ /chapter11/ch11ref19.pdf and http://cipbook.infracritical.com/book4/chapter6/ch6​ ref13​ .pdf). 152  http://www.ferc.gov/legal/maj-ord-reg/land-docs/ceii-rule.asp (alt URL: http://cipbook​ .infra​critical.com/book3/chapter11/ch11ref20.pdf and http://cipbook.infracritical.com/book4​ /chap​ter6/ch6ref14.pdf). 150

Critical Infrastructure Information  ◾  123

6.24 Enforcement of CEII Non-Internet public documents (documents that are not for disclosure to the general public and are subject to CEII restrictions) are the direct result of FERC Order 630, which was issued on February 21, 2003. FERC’s Order 630 established CEII regulations.153 Any member of the public may file a CEII request under 18 C.F.R. §388.113 or an FOIA request under 18 C.F.R. §388.108.154 Absent a waiver from the commission, natural gas pipelines and public utilities are still required to comply with commission regulations that may require that CEII be made available in county public reading rooms or from companies upon request, as appropriate.155

6.25 Controlled Unclassified Information As part of an effort by the federal government to streamline unclassified but sensitive information and documentation, President Bush issued a Memorandum for the Heads of Executive Departments and Agencies entitled “Designation and Sharing of Controlled Unclassified Information (CUI)” on May 9, 2008, outlining the intentions of consolidating the hundreds of unique markings and labels (which include FOUO and “sensitive but unclassified”) under three designations. These designations dictate the sensitivity of information, and how it should be handled and distributed.156 “Controlled unclassified information” is a categorical designation that refers to unclassified information that does not meet the standards for National Security Classification under E.O. 12958, as amended, but is (1) pertinent to the national interests of the United States or to the important interests of entities outside the federal government, and (2) under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination. Henceforth, the designation CUI replaces “sensitive but unclassified.”157

http://cipbook.infracritical.com/book3/chapter11/ch11ref21.pdf. http://www.ferc.gov/legal/ceii-foia/ceii/classes.asp (alt URL: http://cipbook.infracritical​  .com/book3/chapter11/ch11ref22.pdf and http://cipbook.infracritical.com/book4/chapter6​ /ch6ref15.pdf). 155  http://www.ferc.gov/legal/ceii-foia/ceii/classes.asp (alt URL: http://cipbook.infracritical​ .com/book3/chapter11/ch11ref22.pdf and http://cipbook.infracritical.com/book4/chapter6​ /ch6ref15.pdf). 156  W hite House Memorandum for the Heads of Executive Departments and Agencies, Designation and Sharing of Controlled Unclassified Information (CUI), May 9, 2008; http://georgewbush-whitehouse.archives.gov/news/releases/2008/05/20080509-6.html (alt URL: http://cipbook.infracritical.com/book3/chapter11/ch11ref1.pdf). 157 Ibid. 153

154

124  ◾  Critical Infrastructure

This new designation would be used throughout the federal government, as well as the military.158 All CUI shall be (1) categorized into one of three combinations of safeguarding procedures and dissemination controls, and (2) so indicated through the use of the following corresponding markings: 1. “Controlled with standard dissemination.” The information requires standard safeguarding measures that reduce the risks of unauthorized or inadvertent disclosure. Dissemination is permitted to the extent that it is reasonably believed that it would further the execution of a lawful or official purpose.159 2. “Controlled with specified dissemination.” The information requires safeguarding measures that reduce the risks of unauthorized or inadvertent disclosure. Material contains additional instructions on what dissemination is permitted.160 3. “Controlled enhanced with specified dissemination.” The information requires safeguarding measures more stringent than those normally required since the inadvertent or unauthorized disclosure would create risk of substantial harm. Material contains additional instructions on what dissemination is permitted.161 The National Archives and Records Administration (NARA) will define “enforcement mechanisms and penalties for improper handling of CUI.”162 The “controlled” document designation would inform, but not determine, that such information could be made public in response to an FOIA request.163 All CUI documentation produced either by or for the federal government is to be marked with the “controlled” designation regardless of how it is presented. President Bush’s memorandum defines that “oral communications should be

 emorandum for Secretaries of the Military Departments, Transition to New Markings for M Controlled Unclassified Information, December 28, 2007; http://www.fas.org/sgp/othergov​ /dod/cui122807.pdf (alt URL: http://cipbook.infracritical.com/book3/chapter11/ch11ref2​ .pdf). 159 Ibid. 160 Ibid. 161 Ibid. 162  http://www.archives.gov/press/press-releases/2008/nr08-107.html (alt URL: http://cipbook​ .infracritical.com/book3/chapter11/ch11ref3.pdf and http://cipbook.infracritical.com/book4​ /chapter6/ch6ref16.pdf). 163 Walter Pincus, Keeping Secrets: In Presidential Memo, a New Designation for Classifying Information, Washington Post, May 19, 2008; http://www.washingtonpost.com/wp-dyn/content​ /article/2008/05/18/AR2008051801806.html?nav=rss_politics. 158

Critical Infrastructure Information  ◾  125

prefaced with a statement describing the controls when necessary to ensure that recipients are aware of the information’s status.”164

6.26 Lessons Learned Programs The Lessons Learned programs are part of the national network of lessons learned and best practices for whatever subject matter that the department, agency, or organization is responsible for. The Lessons Learned programs are general, unclassified information that is shared in order to improve operational safety by benefiting from the experience of others. Information is prepared and distributed whenever there is an opportunity to share a valuable new work practice or warn others of an adverse practice, experience, or product. Information also constitutes archived information provided or contributed by its membership base, which may include white papers written by member constituents or articles taken from third-party news or reference sources.165

6.27 Infragard InfraGard is a Federal Bureau of Investigation (FBI) program that began at its Cleveland field office in 1996.166 It was a local effort to gain support from the information technology industry and academia for the FBI’s investigative efforts in the cyber arena.167 The program expanded to other FBI field offices, and in 1998 the FBI assigned national program responsibility for InfraGard to the former National Infrastructure Protection Center (NIPC) and to the FBI Cyber Division in 2003.168 InfraGard and the FBI have developed a relationship of trust and credibility in the exchange of information concerning various terrorism, intelligence, criminal, and security matters.169  hite House Memorandum for the Heads of Executive Departments and Agencies, W Designation and Sharing of Controlled Unclassified Information (CUI), May 9, 2008; http://georgewbush-whitehouse.archives.gov/news/releases/2008/05/20080509-6.html (alt URL: http://cipbook.infracritical.com/book3/chapter11/ch11ref1.pdf). 165  US Department of Energy, Environmental Safety and Health (http://www.eh.doe.gov/ll). US Department of Transportation, Federal Transit Administration (http://www.fta.dot​.gov). National Aeronautics and Space Administration (http://llis.nasa.gov). US Department of Homeland Security (http://www.dhs.gov). US Department of Health and Human Services. Library of Congress (http://memory.loc.gov/ammem/award/lessons/lessons.html). 166  US Department of Justice Federal Bureau of Investigation, InfraGard Frequently Asked Questions (FAQ); http://cipbook.infracritical.com/book3/chapter11/ch11ref23.pdf. 167  US Department of Justice Federal Bureau of Investigation, InfraGard Frequently Asked Questions (FAQ); http://cipbook.infracritical.com/book3/chapter11/ch11ref23.pdf. 168 Ibid. 169 Ibid. 164

126  ◾  Critical Infrastructure

InfraGard is an information sharing and analysis effort serving the interests and combining the knowledge base of a wide range of members.170 At its most basic level, InfraGard is a partnership between the FBI and the private sector, and is an association of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States.171 Its local chapters are geographically linked with FBI field office territories, and each chapter has an FBI special agent coordinator assigned to it; the FBI coordinator works closely with supervisory special agent program managers in the Cyber Division at FBI Headquarters in Washington, D.C.172 While under the direction of NIPC, the focus of InfraGard was originally cyber infrastructure protection.173 After September 11, 2001, however, NIPC expanded its efforts to include physical and cyber threats to critical infrastructures; consequently, InfraGard’s mission expanded accordingly.174 In March 2003, NIPC was transferred to the DHS, which has responsibility for critical infrastructure protection (CIP) matters.175 The FBI retained InfraGard as an FBI-sponsored program and works with DHS in support of its CIP mission, and facilitates InfraGard’s continuing role in CIP activities and the further development of InfraGard’s ability to support the FBI’s investigative mission, especially as it pertains to counterterrorism and cybercrimes.176

6.28 Sensitive Unclassified Nonsafeguards Information (SUNSI) The US Nuclear Regulatory Commission (NRC) must protect classified and sensitive unclassified non-safeguards information (SUNSI) related to US government programs for the physical protection and safeguarding of nuclear materials or facilities to ensure that such information is protected against unauthorized disclosure.177 Sensitive unclassified non-safeguards information (SUNSI) is information that is generally not publicly available and encompasses a wide variety of categories (e.g., personnel privacy, attorney-client privilege, confidential source, etc.). Information about a licensee’s or applicant’s physical protection or material control and accounting program for special nuclear material not otherwise designated Ibid. Ibid. 172 Ibid. 173 Ibid. 174 Ibid. 175 Ibid. 176 Ibid. 177  http://www.nrc.gov/security/info-security.html (alt URL: http://cipbook.infracritical​ .com​/ book4/chapter6/ch6ref17.pdf ). 170 171

Critical Infrastructure Information  ◾  127

as safeguards information or classified as national security information or restricted data is required by 10 C.F.R. 2.390178 to be protected in the same manner as commercial or financial information (i.e., they are exempt from public disclosure).179

6.29 Safeguards Information (SGI) Safeguards information (SGI) is a special category of sensitive unclassified information authorized by Section 147 of the Atomic Energy Act to be protected. Safeguards information concerns the physical protection of operating power reactors, spent fuel shipments, strategic special nuclear material, or other radioactive material. While SGI is considered to be sensitive unclassified information, its handling and protection more closely resemble the handling of classified confidential information than other sensitive unclassified information. The categories of individuals who are permitted access to SGI are listed in 10 C.F.R. 73.21.180,181

6.30 Authors’ Notes While the complexity of the various system continues to grow within each country, the ability to share information and retain the appropriate level of control also becomes more complex, In looking at this issue, one might be well-served to remember the rule about drains—the more bends and turns in a drain, the more likely it is to become blocked. While the “cleaning up” of legislation does not rate as one of the most glorified exercises in government, if one is looking at being able to communicate clear requirements and enforce those requirements, one might propose that there be some limit to the number of overlaps in legislation that are allowed. This would also support the concept that it is naturally unjust to attempt to punish someone for something that they clearly cannot understand or that has not been communicated. The second note at this point also arises from the availability of information to persons with access to just about any form of communication but most notably the Internet. Within the context of Critical Infrastructure Information, the availability of dark web services (such as offering access to the SS7 portal in the telecommunications sector) means that the level of knowledge and resources for various threat  ttp://www.nrc.gov/reading-rm/doc-collections/cfr/part002/part002-0390.html (alt URL: h http://cipbook.infrarcritical.com/book4/chapter6/ch6ref18.pdf). 179  http://www.nrc.gov/security/info-security.html (alt URL: http://cipbook.infracritical.com​ /book4/chapter6/ch6ref17.pdf). 180  http://www.nrc.gov/reading-rm/doc-collections/cfr/part073/part073-0021.html (alt URL: http://cipbook.infracritical.com/book4/chapter6/ch6ref19.pdf). 181  http://www.nrc.gov/security/info-security.html (alt URL: http://cipbook.infracritical.com​ /book4/chapter6/ch6ref17.pdf). 178

128  ◾  Critical Infrastructure

actors is increasing while the skills required to accomplish attacks in many instances is decreasing. For those involved in the risk assessment business, one might also have to look at whether or not the granularity of the sensitivity designations actually help focus the attention of an attacker. Consider, for example, the difference between having one category for Critical Infrastructure Information across all sectors as opposed to one that specifically targets the Energy Sector. While modern search engines are becoming far more adept at identifying information, there may be some value to looking at the granularity of this in terms of providing a level of credible guidance to hostile or competitive researchers. One might propose that the entire concept of sensitive information might be resolved into five major categories. These include: ◾◾ Classified information that pertains to information that is in the national interest (applies to the whole CI sector); ◾◾ Law enforcement information that pertains to active investigations and techniques because such information is generally involved in cases associated with active investigations; ◾◾ Commercially sensitive information that is generally involved with respect to the protection of the ability to generate wealth or realize a competitive information; ◾◾ Control-based information that functions under the authority of the classified information that protects CI but which only pertains to a single entity or a much smaller community and therefore does not warrant the same level of sanctions that would be applied if the injury was national in scope; and ◾◾ Personally private information that could lead to an injury (physical, economic or reputational) of an individual and where there is no reasonable expectation that such information actually belongs in the public domain. Using a structure like this, would simply the overarching system and reduce the complexity of the system. Reducing this complexity limits the vulnerabilities that arise from conflicting overlaps, gaps between systems or just general confusion as to which system should be used under what circumstances.

Chapter 7

Supervisory Control and Data Acquisition 7.1 Introduction This chapter introduces terms and concepts that are associated with automated control systems, of which supervisory control and data acquisition (SCADA) is a part. For those working within the field, one may also encounter terms such as Industrial Control Systems (ICS) and Building Automation Controls (BAC) that have become increasingly prevalent not only in industrial and commercial settings but also in the context of smart homes. While these systems were previously thought to be used in limited sectors, they have now become more common based on their function and not their use within limited industries. They have also become increasingly connected to the Internet or home networks through smart appliances and similar technologies. Some of the terms introduced involve information technology (IT)-related security methodologies and what methods would be used to breach security controls and their mechanisms.

7.2 What Are Control Systems? Generally speaking, most control systems are computer based. Typically, control systems collect sensor measurements and operational data from the field, process and display this information, and relay control commands to local or remote equipment. In the electric power industry, they can manage and control the transmission and delivery of electric power, for example, by opening and closing circuit breakers and setting thresholds for preventive shutdowns. Using integrated control systems, 129

130  ◾  Critical Infrastructure

the oil and gas industry can control the refining operations on a plant site as well as remotely monitor the pressure and flow of gas pipelines and control the flow and pathways of gas transmission. In water utilities, control systems can remotely monitor well levels; control the wells’ pumps; monitor water flows, tank levels, or water pressure in storage tanks; monitor water quality characteristics such as pH, turbidity, and chlorine residual; and control the addition of chemicals. Control system functions vary from simple to complex; they may be used to simply monitor processes running—for example, environmental conditions within a small office building (the simplest form of site monitoring) to managing most (or, in most cases, all) activities for a municipal water system, or even a nuclear power plant. Within certain industries, such as chemical and power generation, safety systems are typically implemented to mitigate a disastrous event if control and other systems fail. Control systems were not always computer based. In fact, there are still many pneumatic control systems. Some are analog systems, based on operational amplifier circuits. Some are mechanical feedback systems, and others are hydraulic—for example, the set point for many pressure-reducing valves is made by setting the position of a hydraulic pilot valve configuration. Since the previous edition of this work, the use of this technology in the home has increased significantly. Systems now exist to monitor locks, temperature, the potential for flooding (frozen pipes), water pressure, and a host of other functions. This has changed one dynamic of the potential impacts associated with this technology in that an attack against may exploit this technology on two fronts. The first is a direct attack against an increasingly broad segment of the population. The second involves the use of misconfigured or insecure technology from which attacks (such as botnets used for Distributed Denial of Service attacks) can be launched from an unaware population against a range of targets. One only has to look at the Mirai attack that used a self-propagating botnet virus. Given that the source of this attack can come from a very significant number of unaware hosts, this unorthodox approach (using technology such as web cameras) has further complicated the cyber battlespace. In addition to guarding against both physical attack and system failure, organizations may establish backup control centers that include uninterruptible power supplies and backup generators.1

1

Library of Congress, Critical Infrastructure: Control Systems and the Terrorist Threat, CRS Report for Congress, CRS-RL31534, February 21, 2003; www.fas.org/irp/crs/RL31534.pdf; updated version (January 20, 2004): http://www.fas.org/sgp/crs/homesec/RL31534.pdf (alt URL: http://cipbook.infracritical.com/book3/chapter10/ch10ref1.pdf and http://cipbook.infra​ critical.com/book3/chapter10/ch10ref1a.pdf).

Supervisory Control and Data Acquisition  ◾  131

7.3 Types of Control Systems The two primary types of control systems are: 1. Distributed control systems (DCS); these are typically used within a single process or generating plant or used over a smaller geographic area or even a single site location. 2. SCADA systems; these are typically used for larger-scale environments that may be geographically dispersed in an enterprise-wide distribution operation. A utility company may use a DCS to generate power, and use a SCADA system to distribute it.2 When looking at the DCS and SCADA structures, the control loop becomes an important factor. The control loop is a fundamental building block in any control process. It consists of all physical components and functions necessary to automatically adjust values that are of a measurable process. This includes sensory equipment, controllers and the final controlling elements (of which all are required for automation control). Control loops in a SCADA system tend to be open, whereas control loops in DCS systems tend to be closed. The SCADA system communications infrastructure tends to be slower, and less reliable, and so the remote terminal unit (RTU) in a SCADA system has local control schemes to handle that eventuality. In a DCS, networks tend to be highly reliable, high-bandwidth campus local area networks (LANs). The remote sites in a DCS can afford to send more data and centralize the processing of that data.

7.4 Components of Control Systems A control system typically consists of a master control system or central supervisory control and monitoring station, consisting of one or more human-machine interfaces in which an operator may view displayed information about the remote sites or issue commands directly to the system. Typically, this is a device or station that is located at a site in which application servers and production control workstations are used to configure and troubleshoot other control system components. The central supervisory control and monitoring station is generally connected to local controller stations through a hardwired network or to remote controller stations through a communications network that may be communicated through the Internet, a public switched telephone network (PSTN), or a cable or wireless (such as radio, microwave, or WiFi) network.

2

Ibid.

132  ◾  Critical Infrastructure

Each controller station has an RTU, a programmable logic controller (PLC), a DCS controller, and other controllers that communicate with the supervisory control and monitoring station. The controller stations include sensors and control equipment that connect directly with the working components of the infrastructure (e.g., pipelines, water towers, and power lines). Sensors take readings from infrastructure equipment such as water or pressure levels, electrical voltage, etc., sending messages to the controller. The controller may be programmed to determine a course of action, sending a message to the control equipment instructing it what to do (e.g., to turn off a valve or dispense a chemical). If the controller is not programmed to determine a course of action, the controller communicates with the supervisory control and monitoring station before sending a command back to the control equipment. The control system may also be programmed to issue alarms back to the control operator when certain conditions are detected. Handheld devices such as personal digital assistants (PDAs) may be used to locally monitor controller stations. Controller station technologies are becoming more intelligent and automated and can communicate with the supervisory central monitoring and control station less frequently, requiring less human intervention. Historically, security concerns about control stations have been less frequent, requiring less human intervention.

7.5 Vulnerability Concerns about Control Systems Security concerns about control systems have been historically related primarily to protecting against physical attacks or the misuse of refining and processing sites or distribution and holding facilities. However, more recently there has been a growing recognition that control systems are vulnerable to cyber-attacks from numerous sources. This can involve a direct attack where the attacker and the target are connected in what may be described as a direct line of communications, such as hostile governments, terrorist groups, disgruntled employees, and other malicious intruders. The second involves a less direct approach where the attacker pre-positions botnet armies or hordes across a wide range of unsuspecting (or even unaware) devices and then issues a triggering command that activates the attack. In this case, there are a myriad of communication lines between the attacking horde and the target while the attacker itself remains somewhat anonymous in the background. In October 1997, President Clinton’s Commission on Critical Infrastructure Protection specifically discussed the potential damaging effects on the electric power and oil and gas industries of successful attacks on control systems.3 Sometime in 2002, the National Research Council identified “the potential for

3

President’s Commission on Critical Infrastructure Protection, Critical Foundations: Protecting America’s Infrastructures, Washington, DC, October 1997; http://www.fas.org/sgp/library​ /pccip.pdf (alt URL: http://cipbook.infracritical.com/book3/chapter10/ch10ref2.pdf).

Supervisory Control and Data Acquisition  ◾  133

attack on control systems” as requiring “urgent attention.”4 And, in February 2003, President Bush outlined his concerns over “the threat of organized cyber attacks capable of causing debilitating disruption to our nation’s critical infrastructures, economy, or national security,” noting that “disruption of these systems can have significant consequences for public health and safety,” and emphasizing that the protection of control systems has become “a national priority.”5 Several factors have contributed to the escalation of risk of these control systems, which include the following concerns: ◾◾ The adoption of standardized technologies with known vulnerabilities. ◾◾ The connectivity of many control systems via, through, within, or exposed to unsecured networks, networked portals, or mechanisms connected to unsecured networks. ◾◾ Implementation constraints of existing security technologies and practices within the existing control systems infrastructure (and its architectures). ◾◾ The connectivity of insecure remote devices in their connections to control systems. ◾◾ The widespread availability of technical information about control systems, most notably via publicly available or shared networked resources such as the Internet.

7.6 Adoption of Standardized Technologies with Known Vulnerabilities Historically, proprietary hardware, software, and network protocols made it rather difficult to understand how control systems operated, as information was not commonly or publicly known, was considered proprietary in nature, and was therefore less susceptible to hacker attacks. Today, however, to reduce costs and improve performance, organizations have begun transitioning from proprietary systems to less expensive, standardized technologies that use and operate under platforms that run operating systems such as Microsoft Windows, UNIX, and LINUX systems, along with the common networking protocols used by the Internet. These widely used standardized technologies have commonly known vulnerabilities such that more sophisticated and effective exploitation tools are widely available and relatively

National Research Council, Making the Nation Safer: The Role of Science and Technology in Countering Terrorism, Washington, DC, December 2002. 5 White House, The National Strategy to Secure Cyberspace, Washington, DC, February 2003; http://georgewbush-whitehouse.archives.gov/pcipb/ (alt URL: http://cipbook.infracritical​ .com/book3/chapter10/ch10ref3.pdf and http://cipbook.infracritical.com/book3/chapter10​ /ch10ref3a.pdf). 4

134  ◾  Critical Infrastructure

easy to use. Consequently, both the number of people with the knowledge to wage attacks and the number of systems subject to attack have increased.

7.7 Connectivity of Control Systems to Unsecured Networks Corporate enterprises often integrate their control systems within their enterprise networks. This increased connectivity has significant advantages, including providing decision makers with access to real-time information allowing site engineers and production control managers to monitor and control the process flow and its control of the entire system from within different points of the enterprise network. Enterprise networks are often connected to networks of strategic partners as well as to the Internet. Control systems are increasingly using widearea networks and the Internet to transmit data to their remote or local stations and individual devices. This convergence of control networks with public and enterprise networks potentially exposes the control systems to additional security vulnerabilities. Unless appropriate security controls are deployed within and throughout the enterprise and control system network, breaches in enterprise security may affect operations. In this context, control systems are no longer only susceptible attacks focusing on the control system’s network. They can be impacted in a manner that would mirror the concept of “collateral damage” in that an attack on another network can actually break the communications chain used by the control system. For example, a control system that uses the enterprise network for communications between buildings may be impacted should the enterprise network become unavailable for any number of reasons. Similarly, the control system relies heavily on timed communications which can be susceptible to interference should the organization fail to protect bandwidth and the priority of processing within connected networks. For those responsible for overseeing the security of these systems, one might approach in terms of a chain representing the whole communication system and each link representing one connected network (DCS, enterprise, WAN, Internet, etc.). Breaking one link in the chain separates the two control systems which can lead to instability in the overarching infrastructure.

7.8 Implementation Constraints of Existing Security Technologies The uses of existing security technologies, as well as use of strong user authentication and patch management practices, are typically not implemented in control

Supervisory Control and Data Acquisition  ◾  135

systems, as control systems operate in real time; control systems are typically not designed with security in mind and usually have limited processing capabilities to accommodate or handle security measures or countermeasures. As the technology moves towards IP-based technology, however, this is beginning to change at an increasing rate although the sheer size (number of devices, locations, etc.) of that change will take significant time to accomplish. Existing security technologies and services such as authorization, authentication, encryption, intrusion detection, and filtering of network traffic (firewalls and intrusion protection) and communications require significantly increased bandwidth, processing power, and memory—much more than control system components typically have or are capable of sustaining. The entire concept behind control systems was integrated systems technologies, which were small, compact, and relatively easy to use and configure. Because controller stations are generally designed to perform specific tasks, they use low-cost, resource-constrained microprocessors. In fact, some devices within the electrical industry still use the Intel 8088 processor, which was introduced in 1978. Consequently, it is difficult to install existing security technologies without seriously degrading the performance of the control systems, thus requiring the need for a complete overhaul of the entire control system infrastructure and its environment. Furthermore, complex password-controlling mechanisms may not always be used to prevent unauthorized access to control systems, partly because this could hinder a rapid response to safety procedures during an emergency, or could affect the performance of the overall environment. As a result, according to experts, weak passwords that are easy to guess, shared, and infrequently changed are reportedly common in control systems, including the use of default passwords or even no password at all. Another aspect that must be thought of in this challenge involves the gap between how much header and metadata a control system appliance can handle as compared to how much is generally included in IP-based traffic. This can introduce several new issues. Critical information may be left outside of what may be described as the “usable space” within the header. Similarly, the IP-based traffic could simply overwhelm the more primitive appliance in something that closely resembles a stack overflow error or attack. Ensuring that network architects and engineers are closely consulted in any upgrades will be increasingly important as there may be a need to have a significant filtering capability to prevent these kinds of situations—a consideration that some organizations will need to add into traditional IT-based practices. Current control systems are based on standard operating systems as they are typically customized to support control system applications. Consequently, vendorprovided software patches are generally either incompatible or cannot be implemented without compromising service by shutting down “always on” systems or affecting interdependent operations.

136  ◾  Critical Infrastructure

7.9 Insecure Connectivity to Control Systems Potential vulnerabilities in control systems are exacerbated by insecure connections, either within the corporate enterprise network or external to the enterprise or controlling station. Organizations often leave access links (such as dial-up modems to equipment and control information) open for remote diagnostics, maintenance, and examination of system status. Such links may not be protected with authentication or encryption, which increases the risk that an attempted external penetration could use these insecure connections to break into remotely controlled systems. Some control systems use wireless communications systems, which are especially vulnerable to attack, or leased lines that pass through commercial telecommunications facilities; in either situation, neither method of communication performs any security methodologies whatsoever, and if there are any security measures implemented, they are capable of being easily compromised. Without encryption to protect data as they flow through these insecure connections or authentication mechanisms to limit access, there is limited protection for the integrity of the information being transmitted, and the process may be subjected to interception, monitoring of data from interception, and eventually penetration.

7.10 Publicly Available Information about Control Systems Public information about critical infrastructures and control systems is available through widely available networks such as the Internet. The risks associated with the availability of critical infrastructure information poses a serious threat to those critical infrastructures being served, as demonstrated by a George Mason University graduate student whose dissertation reportedly mapped every industrial sector connected via computer networks using tools and materials that were publicly available on the Internet, and none of the data, site maps, or tools used were classified or sanitized. A prime example of publicly available information is with regard to the electric power industry, in which open sources of information such as product data, educational materials, and maps (even though outdated) are still available, showing line locations and interconnections that are currently being used; additional information includes filings of the Federal Energy Regulatory Commission, industrial publications on various subject matters pertaining to the electric power industry, and other materials— all of which are publicly available via the Internet. This information can also be generated through more publicly-accessible tools (such as SHODAN) that, if the information cannot be found, can be generated with a limited understanding of the tool.

Supervisory Control and Data Acquisition  ◾  137

7.11 Control Systems May Be Vulnerable to Attack Entities or individuals with intent to disrupt service may take one or more of the following methods, which may be successful in their attack(s) of control systems6: ◾◾ Disrupt the operations of control systems by delaying or blocking the flow of information through the networks supporting the control systems, thereby denying availability of the networks to control systems operators and production control managers. ◾◾ Attempt, or succeed at making unauthorized changes to programmed instructions within PLC, RTU, or DCS controllers, change alarm thresholds, or issue unauthorized commands to control station equipment, which could potentially result in damage to equipment (if tolerances have been exceeded and which was clearly evident in the STUXNET attack), premature shutdown of processes (shutting down transmission lines or causing cascading termination of service to the electrical grid), or rendering disablement of control station equipment. ◾◾ Send falsified information to control system operators either to disguise unauthorized changes or to initiate inappropriate actions to be taken by systems operators—that is, falsified information is sent or displayed back to systems operators who may think that an alarmed condition has been triggered, resulting in system operators acting on this falsified information, thus potentially causing the actual event. ◾◾ Modify or alter control system software or firmware such that the net effect produces unpredictable results (such as introducing a computer “time bomb” to go off at midnight every night, thus partially shutting down some of the control systems, causing a temporary brownout condition; a time bomb is a forcibly introduced piece of computer logic or source code that causes certain courses of action to be taken when either an event or triggered state has been activated). ◾◾ Interfere with the operation and processing of safety systems (e.g., tampering with or denial of service of control systems that regulate processing control rods within a nuclear power generation facility). ◾◾ Many remote locations containing control systems (as part of an enterprise DCS environment) are often unstaffed and may not be physically monitored through surveillance; the risk of threat remains and may be higher if the remote facility is physically penetrated at its perimeter and intrusion attempts are then made to the control systems networks from within.

6

US General Accounting Office, Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems, GAO-04-354, Washington, DC, March 15, 2004; GAO-04-354 (alt URL: https://www.gao.gov/new.items/d04354.pdf).

138  ◾  Critical Infrastructure

◾◾ Many control systems are vulnerable to attacks of varying degrees. These attack attempts range from telephone line sweeps (wardialing), to wireless network sniffing (wardriving), to physical network port scanning, to physical monitoring and intrusion.

7.12 Consequences Resulting from Control System Compromises Some consequences resulting from control system compromises are as follows: ◾◾ Although computer network security is undeniably important, unlike enterprise network security, a compromised control system can have significant impacts within real-world life. These impacts can have far-reaching consequences not previously thought, or in areas that could affect other industrial sectors and their infrastructures. ◾◾ Enterprise network security breaches can have financial consequences: Customer privacy becomes compromised, computer systems need to be rebuilt, etc. ◾◾ A breach of security of a control system can have a cascade effect on other systems, either directly or indirectly connected to those control systems that have been compromised; however, not only can property be destroyed, but people can be hurt, or even worse, people can get killed.7

7.13 Wardialing Before there was AOL or AT&T Yahoo digital subscriber line (DSL), or any popular Internet service provider (ISP) of today, many people directly connected with remote computer systems via modems. Instead of dialing up the ISP and surfing a website or downloading e-mail, users would access bulletin board systems (BBS) to do their personal business; in many cases, these BBS would have features specific to those sites and locations. Some of these features included interactive chat rooms (similar to many of the instant messaging services provided by AOL, Yahoo, and MSN), e-mail, file up/download areas, etc. Many national corporate enterprises

7

Joe St. Sauver, SCADA Security, NLANR/Internet2 Joint Techs Meeting, University of Oregon, Columbus, OH, July 21, 2004.

Supervisory Control and Data Acquisition  ◾  139

made use of BBS services for internal employees of the company. Companies would grant a specific number of employees (while on the road) access to corporate servers for e-mail or private phone lines to make telephone calls billed back to the sponsoring company. Phone companies would (and still do) use special numbers to perform diagnostics, troubleshoot, and configure their networks remotely. Special tones, or the sequencing of these tones, could be sent through telephone lines to activate or deactivate specific services. Shortly after these services became available, individuals with less than honorable intentions or motives (often stating that they were merely “curious”) began seeking out these special or private telephone numbers, or the tones associated with the diagnostic functions of the various telephone companies. Thus the method of “phreaking” was born. A phreaker is an individual who specializes in unauthorized penetration and access of telephone systems. One of the easiest methods of determining the existence of these special or private telephone numbers is by calling each telephone number within a range or block of suffixed numbers within a given prefix or area code. Each telephone number dialed is checked for a modem carrier tone that uniquely identifies that the telephone number may be associated with a computer or network-connected device. Many of the dial-up blocks were performed manually, and it was not long before those individuals found faster, more efficient methods of dialing the telephone numbered blocks through customwritten software. The software applications would dial up every telephone number that was included within a list of telephone numbers to dial, going through the list number by number, dialing and recording its findings until something interesting would show up. This method of sequential dialing with the intent of exploiting the service connected to, and associated with, the telephone number found is called wardialing. While the use of modems has diminished over the years, there are still connections (such as remote locations) that rely upon their use. The equivalent to wardialing in the IP-based environment has also increased with the integration of this new technology as attackers use tools for port scanning, the identification of specific connection protocols and then attempt to gain access through various backdoors and other forms of remote connectivity.

7.13.1 Goals of Wardialing The main goal of wardialing is simple: access. This includes access to a specific company’s system; access to free long-distance service; access to an anonymous connection to anonymously access another computer system or entire network; access to a place to hide illegal or contraband software, data, or information; or access with intent to steal data, information, or software. Whatever the case may be, those who are wardialing a remote location, or attempting to find a remote location, are attempting to find access into the remote telephone system, computers, and its network.

140  ◾  Critical Infrastructure

7.13.2 Threats Resulting from Wardialing The combination of loosely controlled telephone infrastructures (compared to a typical Internet perimeter location) and the ubiquity of modems means that it is prudent to understand and manage telephone-based vulnerabilities. Some of the information or outcomes of information obtained from wardialing includes the following: ◾◾ Carrier detection. Determining (through several methods) whether the carrier is a modem or a facsimile; may be capable of determining the manufacturer of the device that is answering. ◾◾ Banner logging and identification. Many systems identify not only the name of the organization that is using or sponsoring the carrier answering device, but also the basic functionalities of the device that answered based on its name or a brief description. ◾◾ System identification. Once connected, individuals may determine the type of system through a series of scanning attempts that would identify the computer manufacturer type, model, and operating system running on the computer system. ◾◾ Network identification. It may be possible to scan other computing devices if the device has been compromised and may be capable of traversing within and throughout the enterprise network.

7.14 Wardriving Similar to wardialing efforts, the principle and primary goal of wardriving remains the same: access via wireless connectivity. This method of scanning is a form of wireless network sniffing from a stationary, sometimes remote, location to the target point.8 Many control systems are implementing, or have implemented, wireless connectivity at remote locations. This may be for several reasons, but some of the more obvious reasons stand out: (1) access at a remote facility without having to enter the facility or site location, (2) use of PDA devices to access critical control stations within and throughout the remote facility without being tethered to a cable, or (3) remote distribution of telemetry data and information back to a centralized monitoring facility.

8

http://www.wardriving.com.

Supervisory Control and Data Acquisition  ◾  141

7.15 Warwalking Similar to wardriving, the warwalking method of wireless network sniffing is performed at or near the target point and is performed by a pedestrian, meaning that instead of a person being in an automotive vehicle, the potential intruder may be sniffing the network for weaknesses or vulnerabilities on foot, posing as a person walking, but may have a handheld PDA device or laptop computer.9

7.16 Threats Resulting from Control System Attacks There have been many reported exploitations of several control systems throughout the country. Resulting from the penetration attempts, intruders were successful at several locations. Sometime in 1998, during a two-week military exercise code named “Eligible Receiver,” staff from the National Security Agency (NSA) used widely available tools and software to simulate how sections of the US electrical power grid’s control systems networks could be disabled through computer-based attacks. Their attempts were successful, demonstrating how within several days, portions or all of the country’s national power grid could have been rendered useless. The attacks also demonstrated the impotency capabilities of command-and-control elements within the US Pacific.10 In spring of 2000, a former employee of an Australian company that develops manufacturing software applied for a job in the local government but was rejected. The disgruntled former employee reportedly used a radio transmitter device on numerous occasions to remotely access control systems of a sewage treatment system, releasing an estimated 264,000 gallons of untreated raw sewage into nearby waterways.11,12 These earlier attacks are very important from an intelligence point of view. When looking at the commonly accepted phases of a cyber-attack, there is a fair emphasis on the attacker’s ability to research network resources in order to find a route by which to gain access before the lateral movements, escalation of privileges, installation of malware and launching of the attack. With this information coming from two different communities (engineers and IT-security), there is a need for these communities not only to look forward operationally but also to gain an understanding of the previous issues from each other.

http://wiki.personaltelco.net/index.cgi/WarDriving. http://www.fas.org/irp/news/1998/08/98082502_ppo.html (alt URL: http://cipbook.infra​ critical.com/book3/chapter10/ch10ref5.pdf). 11 Ibid. 12 http://cipbook.infracritical.com/book3/chapter10/ch10ref6.pdf. 9

10

142  ◾  Critical Infrastructure

7.17 Issues in Securing Control Systems A significant challenge in effectively securing control systems is based on several criteria that may or may not prevent capabilities of properly securing control systems environments and their networks. Some of the issues surmounting from securitization efforts include the following: ◾◾ Lack or unavailability of specialized security technologies and their implementation. ◾◾ Computing resources within control systems that are needed to perform some security functions may be limiting in their capabilities, and thus may be ineffective against attack. ◾◾ Control systems architectures may prevent any security implementation such that (1) configuration and layout of implementation may prohibit any such implementation; (2) performance considerations (again, possibly due to configuration or the layout of implementation) may be prohibitive such that redesign, or reimplementation, may be cost-prohibitive or time-prohibitive; and (3) additional security mechanisms may be completely ineffective, and would require a redesign, or reimplementation, of the entire control systems architecture. ◾◾ Criticality of specific control systems may not allow for outages without significant cost to the enterprise or customers resulting from lack of service. ◾◾ Many organizations are reluctant to spend more money to secure a control system. Hardening security of control systems would require industries to expend more resources, including acquiring more personnel to safeguard the secured control systems, providing additional training for personnel, and potentially prematurely replacing control systems that typically have an average life span of about twenty years. ◾◾ Political and legal entanglements insofar as to who controls and maintains the control systems infrastructure and who has responsibility for securing those environments. Conflicting priorities, lack of concern, and lack of interest due to an expansive financial burden to harden those environments perpetuate the lack of IT strategies that could be deployed to mitigate any potentially exposed vulnerability of control systems without affecting performance or the significant cost involved. ◾◾ Industrial plants and the instrumentation they include tend to be longlifecycle projects that have upwards to twenty-year project cycles and are by no means uncommon. As a result, the devices that were deployed as part of that construction may be virtual antiques by the time the facility is finally decommissioned, and there is no provision for refreshing those devices in any manner similar to that of computer workstation upgrades. ◾◾ Similarly, if security upgrades were probable and capable, the life cycles of the projects for implementation would be considerably longer than standard,

Supervisory Control and Data Acquisition  ◾  143

◾◾ ◾◾

◾◾ ◾◾ ◾◾

◾◾

conventional computer system implementations. One of the caveats might be that by the time the security upgrade was completed, there would be a vulnerability or exploit available that could jeopardize continued upgrade implementations, and thus cause disruptions in the life cycle process of the upgrade project. Many antiviral software packages have little or no effect on the control systems architectures, as these architectures often predate initial computer-based viruses. Remote devices (RTU and PLC) may be difficult to upgrade. These devices might utilize a hardware-based operating system that was burned into a readonly memory (ROM) chip. ROM chips are not rewritable, and some of the chips may no longer be manufactured. Remote devices may be physically sealed and not be upgraded or may be located in a difficult-to-reach location, or have no removable media. The worst-case scenario might be that the manufacturer of the remote devices may no longer be in business, may not be producing upgrades, or may not be allowing (or be allowed for legal reasons) the upgrades. If the remote devices are capable of being upgraded and have some security capabilities added, the sheer number of devices (may be in the thousands or even tens of thousands of devices) poses serious issues with password aging and retention. Because of the sheer volume of devices, many control systems operators may have a unitary password for all remote devices or find common methods of maintaining passwords remotely (which bears the possibility of being compromised).

Antivirus software often must be customized to handle a control system to avoid certain files for scanning, such as the log files, the human-machine interface (HMI), trend history files, etc. This limits their utility in the field. Having an antivirus utility scanning these files runs the risk of either (1) having them automatically removed by the antivirus software (thinking that they are infected) or (2) causing performance issues (slowness of the HMI application) within the HMI environment.

7.18 Methods of Securing Control Systems Several steps may be taken to address potential threats to control systems: ◾◾ Research and develop new security techniques to protect or enhance control systems. There are currently some open systems development efforts. ◾◾ Develop security policies, standards, and procedures that are implemented on, for, or with control systems security in mind. Use of consensus

144  ◾  Critical Infrastructure

◾◾

◾◾ ◾◾

◾◾ ◾◾

◾◾ ◾◾

standardization would have encouragement within the industry for investing in stronger securitization methods of control systems. If developing independent security policies, standards, and procedures is not applicable, then implement similar security policies, standards, and procedures taken from the plethora of widely available IT security practices. A good example might be the segmentation of control systems networks with firewall and possibly network-based intrusion detection systems technologies, along with strong authentication practices. Define and implement a security awareness program to employees, contractors, and especially customers. Define and implement information sharing capabilities that promote and encourage the further development of more secure architectures and security technology capabilities and enhancements. Organizations can benefit from the education and distribution of corporate-wide information about security and the risks related to control systems, best practices, and methods.13 Define and implement effective security management programs and practices that include or take into consideration the control systems security and its management. Conduct periodic audits that test and ensure security technologies’ integrity is at expected levels of security. Review information with all necessary parties involved, mitigating potential risk issues. Audits should be based on standard risk assessment practices for mission-critical business units and their functional subunits.14 Define and implement logging mechanisms for forensics purposes. Define and implement mission-critical business continuity strategies and continuity plans within organizations and industries, which ensure safe and continued operation in the event of an unexpected interruption or attack. Elements of continuity planning typically include: (1) assessments performed against the target mission-critical business unit for criticality of operations and identifying supporting resources to mitigate (if any), (2) developing methods that will prevent and minimize potential damage and interruption of service, (3) developing and documenting comprehensive continuity plans, and (4) periodic testing and evaluation of the continuity plans (similar to

US General Accounting Office, Homeland Security: Information Sharing Responsibilities, Challenges, and Key Management Issues, GAO-03-1165T, Washington, DC, September 17, 2003; http://www.gao.gov/new.items/d031165t.pdf (alt URL: http://cipbook.infracritical​ .com/book3/chapter10/ch10ref7.pdf). 14 US General Accounting Office, Federal Information System Controls Audit Manual, GAO/ AIMD-12.19.6, Washington, DC, January 1999; http://www.gao.gov/special.pubs/ai12​ .19.6.pdf, along with the summary, which may be found here: http://www.gao.gov/special​ .pubs/ai12196.97.html (alt URL: http://cipbook.infracritical.com/book3/chapter10/ch10ref8​ .pdf and http://cipbook.infracritical.com/book3/chapter10/ch10ref8a.pdf). 13

Supervisory Control and Data Acquisition  ◾  145

performing security audits, but specialized against disaster recovery and business continuity efforts of the control systems environments), making adjustments where necessary or as needed.15

7.19 Technology Research Initiatives of Control Systems Research and development of newer technologies is a constant process, providing additional security options in efforts of protecting control systems. Several federally funded entities have ongoing efforts to research, develop, and test new technologies. Those entities are as follows: ◾◾ Sandia National Laboratories. Current development of improved SCADA technologies at the Sandia SCADA Development Laboratory, in which industry representatives can test, improve, and enhance security of its SCADA architectures, systems, and components. ◾◾ Idaho National Engineering and Environmental Laboratory. Current development of the National SCADA Test Bed, which is a full-scale infrastructure testing facility that will allow for large-scale testing of SCADA systems before exposing those architectures and technologies to production networks, and for testing newer standards and protocols before implementation. ◾◾ Los Alamos National Laboratory. Conjointly working together, both Sandia and Los Alamos are cooperatively developing critical infrastructure modeling, simulation, and analysis centers known as the National Infrastructure Simulation and Analysis Center. The center provides modeling and simulation capabilities for the analysis of all critical infrastructures, particularly the electricity, oil, and gas industrial sectors. As control systems become more widely known (if still only embryonically understood), there are a number of private companies that have entered into the arena. These organizations range in quality and capacity but have entered a new level of complexity with respect to the disclosure of vulnerabilities in these systems as some have adopted a practice of notoriety before responsibility in releasing their information. 15

US General Accounting Office, Critical Infrastructure Protection: Challenges for Selected Agencies and Industry Sectors, GAO-03-233, Washington, DC, February 28, 2003, and US General Accounting Office, Critical Infrastructure Protection: Efforts of the Financial Services Sector to Address Cyber Threats, GAO-03-173, Washington, DC, January 30, 2003; http:// www.gao.gov/new.items/d03233.pdf, along with the summary, which may be found here: http://www.gao.gov/highlights/d03233high.pdf (alt URL: http://cipbook.infracritical​ .com/book3/chapter10/ch10ref9.pdf and http://cipbook.infracritical.com/book3/chapter10​ /ch10ref9a.pdf).

146  ◾  Critical Infrastructure

7.20 Security Awareness and Information Sharing Initiatives Several efforts to develop and disseminate security awareness about control systems vulnerabilities and take proactive measures/countermeasures are being coordinated mostly between government agencies, with some industrial sector participation. Some of those initiatives are as follows: ◾◾ Department of Homeland Security (DHS). The DHS created a National Cyber Security Division (NCSD) to identify, analyze, and reduce cyber threats and vulnerabilities, disseminate threat warning information, coordinate incident response, and provide technical assistance in continuity of operations and recovery planning. The Critical Infrastructure Assurance Office (now part of the DHS) within the department coordinates the federal government’s initiatives on critical infrastructure assurance and promotes national outreach and awareness campaigns about critical infrastructure protection. ◾◾ Sandia National Laboratories, Environmental Protection Agency, and industrial groups. Sandia National Laboratories has collaborated with the Environmental Protection Agency and industry groups to develop a risk assessment methodology for assessing the vulnerability of water systems in major US cities. Sandia has also conducted vulnerability assessments of control systems within the electric power, oil and gas, transportation, and manufacturing industries. Sandia is involved with various activities to address the security of our critical infrastructures, including developing best practices, providing security training, demonstrating threat scenarios, and furthering standards efforts. ◾◾ North American Electric Reliability Council (NERC). Designated by the Department of Energy as the electricity sector’s Information Sharing and Analysis Center coordinator for critical infrastructure protection, the NERC facilitates communication between the electricity sector, the federal government, and other critical infrastructure sectors. The council has formed the Critical Infrastructure Protection Advisory Group, which guides computer security activities and conducts security workshops to raise awareness of cyber and physical security in the electricity sector. The council also formed a Process Controls Subcommittee within the Critical Infrastructure Protection Advisory Group to specifically address control systems. ◾◾ Federal Energy Regulatory Commission. The Federal Energy Regulatory Commission regulates interstate commerce in oil, natural gas, and electricity. The commission has published a rule to promote the capturing of critical energy infrastructure information, which may lead to increased information sharing capabilities between industry and the federal government. ◾◾ Chemical Sector Cyber Security Program. The Chemical Sector Cyber Security Program is a forum of 13 trade associations and serves as the Information

Supervisory Control and Data Acquisition  ◾  147

Sharing and Analysis Center for the chemical sector. The Chemical Industry Data Exchange is part of the Chemical Sector Cyber Security Program and is working to establish a common security vulnerability assessment methodology and to align the chemical industry with the ongoing initiatives at the Instrumentation Systems and Automation Society, the National Institute of Standards and Technology (NIST), and the American Chemistry Council. ◾◾ The President’s Critical Infrastructure Protection Board and Department of Energy. The President’s Critical Infrastructure Protection Board and the Department of Energy developed “21 Steps to Improve the Cyber Security of SCADA Networks.” These steps provide guidance for improving implementation and establishing underlying management processes and policies to help organizations improve the security of their control networks. ◾◾ Joint Program Office for Special Technology Countermeasures. The Joint Program Office has performed vulnerability assessments on control systems, including the areas of awareness, integration, physical testing, analytic testing, and analysis.

7.21 Process and Security Control Initiatives Several efforts to develop policies, standards, and procedures that will assist in the securitization of control systems is being coordinated between the government and industry to identify and prevent potential threats, assess infrastructure vulnerabilities, and develop guidelines and standards for mitigating risks through protective measures. Some of those initiatives have already begun, whereas others are still being considered and developed. ◾◾ The President’s Critical Infrastructure Protection Board. In February 2003, the board released the National Strategy to Secure Cyberspace.16 The protection board document provides a general strategic picture, specific recommendations and policies, and the rationale for these initiatives. The strategy ranks control network security as a national priority and designates the DHS to be responsible for developing best practices and new technologies to increase control system security.17 White House, The National Strategy to Secure Cyberspace, Washington, DC, February 2003; http://georgewbush-whitehouse.archives.gov/pcipb/ (alt URL: http://cipbook.infracritical​ .com/book3/chapter10/ch10ref3.pdf and http://cipbook.infracritical.com/book3/chapter10​ /ch10ref3a.pdf). 17 US General Accounting Office, Critical Infrastructure Protection: Significant Challenges Need to Be Addressed, GAO-02-961T, Washington, DC, July 24, 2002; http://www.gao.gov/new​ .items/d02961t.pdf (alt URL: http://cipbook.infracritical.com/book3/chapter10/ch10ref10​ .pdf). 16

148  ◾  Critical Infrastructure

◾◾ Instrumentation, Systems, and Automation Society. The Instrumentation, Systems, and Automation Society is composed of users, vendors, government, and academic participants representing the electric utilities, water, chemical, petrochemical, oil and gas, food and beverage, and pharmaceutical industries. It has been working on a proposed standard since October 2002. The new standard addresses the security of manufacturing and control systems. It is to provide users with the tools necessary to integrate a comprehensive security process. One report, ISA-TR99.00.01, Security Technologies for Manufacturing and Control Systems, describes electronic security technologies and discusses specific types of applications within each category, the vulnerabilities addressed by each type, suggestions for deployment, and known strengths and weaknesses. The other report, ISA-TR99.00.02, Integrating Electronic Security into the Manufacturing and Control Systems Environment, has evolved into ISA/IEC 62443 as an internationally accepted standard and provides a framework for developing an electronic security program for manufacturing and control systems, as well as a recommended organization and structure for the security plan.18 ◾◾ Gas Technology Institute and Technical Support Working Group. Sponsored by the federal government’s Technical Support Working Group, the Gas Support Working Group Technology Institute has researched a number of potential encryption methods to prevent hackers from accessing natural gas company control systems. This research has led to the development of an industry standard for encryption. The standard would incorporate encryption algorithms to be added to both new and existing control systems to control a wide variety of operations. This standard is outlined in the American Gas Association’s report, numbered 12-1. ◾◾ NIST and the NSA. The NIST and NSA have organized the Process Controls Security Requirements Forum to establish security specifications that can be used in procurement, development, and retrofitting of industrial control systems. NIST and NSA have both developed a set of security standards and certification processes. ◾◾ NERC. The NERC has established a computer security standard for the electricity industry. The council requires members of the electricity industry to self-certify that they are meeting computer security standards. It should be noted, however, that at the time of writing, the standard does not apply to control systems.

18

US General Accounting Office, Critical Infrastructure Protection: Challenges in Securing Control Systems, GAO-04-140T, Washington, DC, October 1, 2003; http://www.gao.gov/new.items​ /d04140t.pdf (alt URL: http://cipbook.infracritical.com/book3/chapter10/ch10ref11.pdf).

Supervisory Control and Data Acquisition  ◾  149

◾◾ Electric Power Research Institute. The Electric Power Research Institute has developed the Utility Communications Architecture, a set of standardized guidelines providing interconnectivity and interoperability for utility data communication systems for real-time information exchange.

7.22 Securing Control Systems As part of methodologies for securing critical infrastructure control systems, here are some suggested recommendations insofar as implementation of a more secured environment involving control systems is concerned: ◾◾ Implement auditing controls over process systems; systems are periodically audited. ◾◾ Develop policies, standards, and procedures that are managed and periodically updated. ◾◾ Assist in the development of secured architectures that can integrate with computer technologies today and ten years from now. ◾◾ Implement segments networks that are protected with firewalls and intrusion detection technology; periodically test intrusion attempts to ensure that security countermeasures operate correctly. ◾◾ Develop a method for exception tracking. ◾◾ Develop and implement company-wide incident response plans (IRPs); IRP documentation should work with existing disaster recovery planning and business continuity planning documentation, in case of an outage.

7.23 Implement Auditing Controls ◾◾ Develop methodologies of understanding with levels of awareness for corporate management such that stateful computer-based security mechanisms are implemented for process control systems. ◾◾ Control systems auditing does not have the same focus as computer-based security auditing. Audits conducted have a far-reaching impact on all aspects involved; thus control systems utilized must take into consideration real-life scenarios involving loss of life, loss of financial or capital gain or monetary loss, and loss of property. ◾◾ Testing and evaluation of control systems during an auditing routine is not without risk. Although the audits may be similar in nature to their counterparts from other industrial sectors, it is important to note that technical audits must be performed following a carefully outlined guideline or plan, by certified or licensed technical professionals who are knowledgeable in the areas of control systems operation.

150  ◾  Critical Infrastructure

7.24 Develop Policy Management and Control Mechanisms Develop security policies, standards, and procedures for the control systems to: ◾◾ Set and define a statement of goals and objectives for the control system device, responsibilities broken down based on department, group, and individual for supporting and responding to emergency or disaster conditions or situations, and acceptable responses, as part of the incident response planning team, which will be an overseeing group or committee in its implementation. ◾◾ Define within the policies, standards, and procedures sections that all documentation is subject to change at any time, and should be periodically revisited for validity, content, and functionality. ◾◾ Define within the policies, standards, and procedures verbiage that the documentation is representative of goals and objectives in terms of achievement, not specifically as to how, or the method of performing any security task. Essentially, security policies should be at a strategic, possibly tactical, level.

7.25 Control Systems Architecture Development ◾◾ Develop and implement a multiple-level network infrastructure, segmenting the control systems architecture from that of the remainder of the corporate enterprise network; use firewalls and intrusion detection technologies to provide this level of protection. ◾◾ Simpler architectures could be divided within a facility into two distinctive levels: (1) All internetworking and interlayer network traffic flows through firewall and intrusion detection systems areas, and (2) provide a single point of control to oversee, manage, and maintain control of all network traffic in and out of areas involving control systems.

7.26 Segment Networks between Control Systems and Corporate Enterprise Implementing the use of firewall and intrusion detection technologies is not required; however, implementing these two very important technologies would reduce risk but not completely remove the risk (if any). ◾◾ Essentially, the firewall is the lock on the door; the firewall is not the “burglar alarm.” This is where an intrusion detection system would be useful.

Supervisory Control and Data Acquisition  ◾  151

◾◾ Require network intrusion detection systems to monitor any and all network traffic, and identify any unintended or malicious activity on, within, or through the network. ◾◾ Control systems network traffic patterns tend to be very repetitive and consistent based on their simplicity, such that the definition of network traffic matrices may be enough to determine what is accessing the control systems networks.

7.27 Develop Methodologies for Exception Tracking This area essentially identifies any exceptions for any rule so that if the device or environment were to be secured tightly, it would be unable to operate properly; therefore, defining an exception listing makes good sense.19,20 ◾◾ A layered security model is very strong (if implemented properly) as designed without exception; however, as with any system, there may be circumstances in which exceptions might have to be made. If one or more exceptions are to be made, identify those exceptions within a list and keep it with the rest of the security documentation as part of the auditing process (e.g., support vendor may require the use of dial-in capabilities utilizing computer modems for technical support-related issues). ◾◾ Require that any recordkeeping of exceptions listed is kept safe, and that, by any other means, any other method of access or communications remains secured.

7.28 Define an Incident Response Plan With any critical infrastructure environment, the continued operation of the business unit is crucial to the success of the business; therefore a “what if” scenario is highly recommended. This document or suite of documents should coincide with any business continuity planning documentation or disaster recovery planning documentation. Develop an incident response plan for security incidents, in that there is definition of a process to (1) deal with incidents in advance (if applicable) and (2) establish a security response team (SRT). The SRT is a central resource that provides testing, guidance, and solutions in the event that an incident of a serious nature is reported.

19 20

BCIT, Myths and Facts behind Cyber Security of Industrial Control, April 2003. http://www.wardriving.com.

152  ◾  Critical Infrastructure

7.29 Similarities between Sectors Not all industrial sectors have specialized or proprietary policies, standards, or procedures related to their specific industrial sector; however, it should be noted that best security practices should generally be coordinated between the various sectors, thus reinforcing their availability, capabilities, and enhancements, and encouraging the dissemination of useful and worthwhile information that would be of great significance to possibly more than one industrial sector.

7.30 US Computer Emergency Readiness Team CSSP The US DHS NCSD CSSP was created to reduce control system risks within and across all critical infrastructure sectors by coordinating efforts among federal, state, local, and tribal governments, as well as control systems owners, operators, and vendors. The CSSP coordinates activities to reduce the likelihood of success and severity of impact of a cyber attack against critical infrastructure control systems through risk mitigation activities. These risk mitigation activities have resulted in the following tools21: ◾◾ ◾◾ ◾◾ ◾◾ ◾◾ ◾◾ ◾◾

Catalog of Control Systems Security: Recommendations for Standards Developers. Control System Cyber Security Self-Assessment Tool (CS2SAT). CSSP documents. Critical Infrastructure and Control Systems Security Curriculum. Cyber Security Procurement Language for Control Systems. Recommended practices. Training.

The DHS NCSD established the CSSP to guide a cohesive effort between the government and industry to improve the security posture of control systems within the nation’s critical infrastructure. The CSSP assists control systems vendors and asset owners/operators in identifying security vulnerabilities and developing measures to strengthen their security posture and reduce risk through sound mitigation strategies.22 The CSSP has established the Industrial Control Systems Joint Working Group (ICSJWG) for federal stakeholders to provide a forum by which the federal government can communicate and coordinate its efforts to increase the cyber security of control systems in critical infrastructures. These efforts facilitate the interaction http://www.us-cert.gov/control_systems/ (forwards to https://ics-cert.us-cert.gov/) (alt URL: http://cipbook.infracritical.com/book3/chapter10/ch10ref12.pdf and http://cipbook.infrac​ ritical.com/book4/chapter7/ch7ref1.pdf). 22 http://cipbook.infracritical.com/book3/chapter10/ch10ref13.pdf and http://cipbook.infrac​ ritical.com/book3/chapter10/ch10ref14.pdf. 21

Supervisory Control and Data Acquisition  ◾  153

and collaboration between and among federal departments and agencies regarding control systems cyber security initiatives.23 The ICSJWG is a team of individuals from various federal departments and agencies who have roles and responsibilities in securing industrial control systems within the critical infrastructure of the United States. Since there are similar cyber security challenges from sector to sector, this collaboration effort benefits the nation by promoting and leveraging existing work and maximizing the efficient use of resources.24 The ICSJWG is a collaborative and coordinating body operating under the Critical Infrastructure Partnership Advisory Council (CIPAC) requirements. The ICSJWG will provide a vehicle to facilitate communications and partnerships across the critical infrastructure and key resources (CIKR) sector between federal agencies and departments, as well as private asset owner/operators of industrial control systems. The goal of the ICSJWG is to continue and enhance the facilitation and collaboration within the industrial control systems stakeholder community in securing CIKR by accelerating the design, development, and deployment of secure industrial control systems.25 As a collaboration body, the ICSJWG is connected with various stakeholders involved in industrial control systems, including participants from the international community, government, academia, the vendor community, owner/operators, and systems integrators. The ICSJWG shall serve as a sector-sponsored joint crosssector working group operating under the auspices and in full compliance with the requirements of the CIPAC. Stakeholders participating in the ICSJWG will have the opportunity to address efforts of mutual interest within various stakeholder communities, build on existing efforts, reduce redundancies, and contribute to national and international CIKR security efforts.26,27 The CSSP is working in tandem with the members of the control community to help develop and vet recommended practices, provide guidance in supporting the CSSP’s incident response capability, and participate in leadership working groups to ensure that the community’s (cyber security working groups, as part of President Obama’s cyber security initiative) cyber security concerns are considered in our products and deliverables.28 Ibid. Ibid. 25 http://www.us-cert.gov/control_systems/icsjwg/ (alt URL: http://cipbook.infracritical.com​ /book3/chapter10/ch10ref16.pdf and http://cipbook.infracritical.com/book4/chapter7/ch7ref2​ .pdf). 26 http://www.us-cert.gov/control_systems/icsjwg/ (alt URL: http://cipbook.infracritical.com​ /book3/chapter10/ch10ref16.pdf and http://cipbook.infracritical.com/book4/chapter7​/ch7ref2​ .pdf). 27 http://cipbook.infracritical.com/book3/chapter10/ch10ref17.pdf. 28 http://cipbook.infracritical.com/book3/chapter10/ch10ref13.pdf and http://cipbook.infrac​ritical​ .com/book3/chapter10/ch10ref14.pdf. 23 24

154  ◾  Critical Infrastructure

The CSSP is also working to facilitate discussions between the federal government and the control systems vendor community, establishing relationships that are intended to foster an environment of collaboration to address common control systems cyber security issues. The CSSP is also developing a suite of tools, which, when complete, will provide asset owners and operators with the ability to measure the security posture of their control systems environments and to identify the appropriate cyber security mitigation measures they should implement.29 To obtain additional information or request involvement or assistance, contact [email protected]; to join the ICSJWG, contact [email protected].

7.31 Control Systems Cyber Security Evaluation Tool (CSET) The Cyber Security Evaluation Tool (CSET®) is a self-contained software tool that runs on a desktop or laptop computer. It evaluates the cyber security of an automated, industrial control, or business system using a hybrid risk and standardsbased approach, providing relevant recommendations for improvement. The United States Department of Homeland Security’s (DHS) Control Systems Security Program (CSSP) developed the CSET application and offers it to all through the United States Computer Emergency Readiness Team’s (US-CERT) website.30 The CSET software tool guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards. The output from CSET is a prioritized list of recommendations for improving the cyber security posture of the organization’s enterprise and industrial control cyber systems environments. The tool derives these recommendations from a database containing several cyber security standards, guidelines, and practices. Each recommendation is linked to a set of actions that can be applied to enhance cyber security controls.31 CSET has been designed for easy installation and use on a stand-alone laptop or workstation. It incorporates a variety of available standards from organizations such as National Institute of Standards and Technology (NIST), North American Electric Reliability Corporation (NERC), International Organization for Standardization (ISO), United States Department of Defense (DoD), and others. While using the tool, when the user selects one or more of the standards, CSET will open a set of questions to be answered. The answers to these questions will be compared against Ibid. https://ics-cert.us-cert.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_CSET​ _S508C.pdf (alt URL: http://cipbook.infracritical.com/book3/chapter10/ch10ref15.pdf and http://cipbook.infracritical.com/book4/chapter7/ch7ref3.pdf). 31 https://ics-cert.us-cert.gov/Assessments (alt URL: http://cipbook.infracritical.com/book4​ /chapter7/ch7ref4.pdf). 29

30

Supervisory Control and Data Acquisition  ◾  155

a selected security assurance level, and a detailed report will be generated to show areas for potential improvement. CSET provides an excellent means of performing a self-assessment of the security posture of a given control systems environment.32 CSET utilizes the following standards and guidelines for its assessments: ◾◾ CFATS Risk Based Performance Standard (RBPS) 8: Chemical Facilities Anti-Terrorism Standard, Risk-Based Performance Standards Guidance 8— Cyber, 6 CFR Part 27. ◾◾ DHS Catalog of Control Systems Security: Recommendations for Standards Developers, Revisions 6 and 7. ◾◾ DoD Instruction 8500.2 Information Assurance Implementation, February 2, 2003. ◾◾ ISO/IEC 15408 revision 3.1: Common Criteria for Information Technology Security Evaluation, Revision 3.1. ◾◾ NERC Reliability Standards CIP-002-009 Revisions 2 and 3. ◾◾ NIST Special Publication 800-82 Guide to Industrial Control Systems Security, June 2011. ◾◾ NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems Rev 3 and with Appendix I, ICS Controls. ◾◾ NRC Regulatory Guide 5.71 Cyber Security Programs for Nuclear Facilities, January 2010.33 Some of the key benefits include: ◾◾ Contributing to an organization’s risk management and decision-making process; ◾◾ Raising awareness and facility discussions specific to cyber security within the organization; ◾◾ Highlighting vulnerabilities within the organization’s systems while providing recommendations in ways that may address any discovered vulnerability or threats; ◾◾ Identifying areas of strengths and best practices that are currently being followed within the organization; ◾◾ Providing a method to systematically compare and monitor any improvements in the assessed cyber systems; and ◾◾ Providing a common industry-wide tool for assessing cyber systems.34 https://ics-cert.us-cert.gov/Assessments (alt URL: http://cipbook.infracritical.com/book4​ /chapter7/ch7ref4.pdf). 33 https://ics-cert.us-cert.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_CSET​ _S508C.pdf (alt URL: http://cipbook.infracritical.com/book3/chapter10/ch10ref15.pdf and http://cipbook.infracritical.com/book4/chapter7/ch7ref3.pdf). 34 https://ics-cert.us-cert.gov/Assessments (alt URL: http://cipbook.infracritical.com/book4​ /chapter7/ch7ref4.pdf). 32

156  ◾  Critical Infrastructure

The CSET software tool may be downloaded free of charge from this Web site: https://www.us-cert.gov/control_systems/csetdownload.html. Alternatively, the CSET software is available on DVD from the DHS, National Cyber Security Division (NCSD). To request a copy, please send an email to: [email protected]. Please insert “CSET” within the title block of the email and include your name, organization name, complete street address (no P.O. boxes), and phone number in your email request.35

7.32 SCADA Community Challenges One of the more interesting challenges is how to address security-related issues within the SCADA/control systems community, and the sectors it supports, as SCADA/control systems enterprises do not operate in a context similar to that of their traditional IT counterparts. It is probable that one of the more significant aspects to SCADA is the scope by which it dictates how issues are to be addressed. Many technologies within the IT realm, such as Structured Query Language (SQL) database transaction speeds, have traditionally been viewed by SCADA/ control systems engineers as having inadequate speed for control system data storage purposes. Although the technology has made this operation outmoded (Moore’s law), most opinions are difficult to shake, and thus many process control engineers continue having difficulties accepting IT solutions within their environments. Based on some of the challenges mentioned in this paragraph, the problem is not so much a matter of data management as it is about trend and statistical analysis. Of the larger problems is that forensics and evidentiary discovery practices are often associated with security management practices. Within control systems, these priorities are a little bit different than normalized systems, which are usually listed in the following order: 1. Safety. 2. Availability. 3. Security. IT-based architectures may be completely inverted from the priorities listed above, and thus there appears to be a conflict between what/how SCADA/control systems operate, and more importantly, how the corporation’s enterprise defines its priorities. Several industries are currently attempting to either reach a compromise

35

https://ics-cert.us-cert.gov/Assessments (alt URL: http://cipbook.infracritical.com/book4​ /chapter7/ch7ref4.pdf).

Supervisory Control and Data Acquisition  ◾  157

or figure out how both environments—IT and SCADA—can work together. Observationally, in some industries, such as nuclear power generation, these environments may never coexist together—ever. Some of the larger issues associated with control systems involve legacy architectures no longer supported, utilize equipment that cannot be taken offline immediately or easily, and pose serious operational and financial risks to the companies using them. Unless these systems are interconnected with newer systems or are upgraded, there would be no easy method of determining a plausible cause for any given event or incident. Outside of what may be found at the company’s control center, there are little forensic data to be found as control center computers do not lend themselves to traditional forensics analysis unless taken offline or removed off-site. Given the nature of most control systems, if it is an ongoing operational need, it may be very difficult to remove the servers in question for an extended analysis.

7.33 The Future of SCADA In the future, control systems will have to be segmented and configured so that high-risk sections of the control system will be carefully protected and firmly isolated. First, ensure that logging takes place in more than one part of a control system. When the gates of a dam are opened, there should be not only a digital signature of the operator who initiates the command at the master station from which it was sent, but also the signature of the operator at the RTU where the command was executed. Protocols such as IEC-60870 and DNP3 have recently added secure authentication features to make this possible. The new specification can be found in IEC-62351. The future holds much promise with protocols such as IEC-61850. However, it is an extremely complex undertaking that mixes many features into one layer. The maintenance management system is a nice feature to integrate the SCADA data with, but it may not be the best thing to place on the SCADA communications infrastructure. One of these operational elements is tactically significant, and the other is strategically significant. We may want to consider ways of segmenting and separating traffic for security reasons. This could entail reexamining the lower layers of the communications infrastructure. SCADA infrastructure needs to use a variety of ways to connect to remote stations. The goal is to avoid having common carrier problems disable a control system that it might depend on. Multi-headed RTU devices may be in the future of many SCADA systems. Note the convergence of DCS and SCADA technologies. The SCADA concept originally grew from dealing with the constraints of high latency, low reliability,

158  ◾  Critical Infrastructure

and expensive bandwidth. DCS concepts originally grew from the need to network everything to one central computer where everything could be processed all at once. DCS systems are also getting smarter about how they distribute the functional pieces, and SCADA systems are handling closed loops more often, as the communications infrastructure gets faster and more reliable. These two system paradigms may converge into what is known as the programmable automation controller. The languages of control systems in IEC-601131 are not well-defined. There is an opportunity to add certain features that might also include security. This could assist considerably in auditing and protecting control systems processes.

7.34 SCADA Resources Many of the available resources at the time of writing are accessible online through the Internet, via blogs, online discussion forums, and mailing lists. Shown in the following sections are a few of the online resources that are available through the Internet. The list is broken down based on public vs. private sector resources. Note that some of these resources require a registration form filled out, along with a small fee (usually annual).

7.34.1 Blogs Within the past several years, blogs have taken the main stage, allowing both private individuals and organizations to express their opinions about what is right and wrong with SCADA and control systems, along with technical discussions about how to fix, repair, or remediate security vulnerabilities found throughout the Internet.36

7.34.2 SCADASEC Mailing List A group of enthusiastic technicians, security developers, risk managers, homeland security researchers, engineers, asset and infrastructure managers, and security professionals have started a new discussion forum at http://scadasec.email to bring together academics and industry people interested in the subject of SCADA and control systems security, related technologies such as agents, distributed architectures, and nontechnical methodologies, and varied discussions relating to impacts from risk to its representative nations’ infrastructures (United States and Canada), etc. The goal is to create a place in which anyone who works for a critical infrastructure sector, industry, or organization can ask questions, publish articles, and read 36

http://scadalinks.infracritical.com.

Supervisory Control and Data Acquisition  ◾  159

about what others are doing, specifically pertaining to SCADA and control systems security activities. Many active members are IT, control systems engineers, and technical personnel, as well as asset/owners from the energy, water, and transportation sectors. The mailing list may be accessed free of charge, is publicly available, and stores all discussions within an Internet-accessible archive (which is also available free of charge).37 Additionally, an online search engine of all archived postings from the mailing list may be obtained free of charge and is publicly available.38

7.34.3 Online SCADA and SCADA Security Resources As websites come and go, these links will also grow and shrink dynamically. For this book, we give “snapshots” of websites containing relevant information pertaining to SCADA and control systems security. To access these static website links, visit http://scadalinks.infracritical.com.39 Also note that control systems vendors, integrators, and consultants may offer similar services. There is a significant Wiki entry (http://www.controlglobal.com/articles/2005/487.html) to help track the whereabouts of product support companies as they are bought and sold in the marketplace.

7.35 Authors’ Notes Although SCADA and control systems security has been a continuous, evolutionary process since about the mid-1990s, the events of September 11, 2001, increased awareness and attention toward these devices and architectures. Without their continuous operations, much of a nation’s security structures would fail. We depend on these devices; our livelihoods are dependent on them. Otherwise, life as we know it would be drastically altered, and we would either revert back to pre-technological times or shift to something entirely different. Thus concerns by industry subject matter experts of this issue should not be taken lightly.

http://scadasec.email. http://scadasec.email. 39 http://scadalinks.infracritical.com. 37

38

http://taylorandfrancis.com

Chapter 8

The Evolution of Physical Security 8.1 Introduction This chapter discusses changes that arising from a level of confusion when discussing Emergency Management. For those with a national perspective, Emergency Management may focus on the national response plans that bring together various levels of government and outside entities in response to major events. Within the Asset Protection and Security community, this has been confused in several organizations with Emergency Management that focuses on the contingency plans used to protect personnel, assets and operations within an organization’s facilities (ranging from campuses to individual buildings). This chapter also examines two key shifts when looking at the threat profiles facing those facilities. The first, and potentially most grave, involves the rise of “lone-wolf” or ideologically inspired domestic terrorism that has manifested itself in attacks ranging from assaults on individuals, vehicle-based attacks to active shooters. The primary challenge with this shift is that these individuals may not have any direct ties with any of the monitored organizations but are rather inspired to take action as a result of a combination of personal factors, exposure to key messages from those organizations and access to the knowledge and resources necessary to conduct the attack. The second shift involves the availability of technology to the attacker. While traditional attacks (such as the active shooter) still remain very grave due to their

161

162  ◾  Critical Infrastructure

impacts, the availability of network-enabled resources has increased the resources available to attackers. Smart technology, inter-connected networks, increased automation, and other similar technologies mean that incident response must involve a coordinated physical and logical response. The prevalence of this kind of technology has also led to circumstances where infrastructure that has been relied upon in the past is overwhelmed by the demands placed on it, complicating or even hindering an organization’s ability to respond. The October 22nd shooting in Ottawa, Ontario saw the cellular networks under such demand that some organizations were unable to reach key officials in order to activate building emergency plans as the communications infrastructure collapsed.

8.2 Core Offices Tested In the lead up to the third edition, the United States of America and Canada were in the process of organizing and refining their core offices (the Department of Homeland Security in the United States and Public Safety in Canada). These offices have been tested significantly since that edition. In the United States of America, the hurricane season of 2017 (particularly Maria and Harvey) have been nearly unprecedented in terms of their impacts. From a government management perspective, Maria’s impacts exceeded one hundred billion dollars while Harvey is estimated at over two hundred billion dollars.1,2 To put this in perspective, the full budget for the US military in 2017 was eight hundred billion meaning that in the period of three short months, the United States’ economy had to absorb an impact that approached one half of its major spending commitment or slightly over 1 percent of the Gross Domestic Product estimated for 2017.3 In Canada, the challenges were less severe financially but tested a number of different assumptions. The failure of the rail line in Churchill, Manitoba as a result of flooding provided a clear example of the challenges that could arise for a community when the government and private sector operator of infrastructure could not reach a rapid agreement on courses of action.4 As the discussions between the rail operator and the federal government carried on, and eventually devolved to threats of withdrawal and legal action, the community itself had to begin to make its own contingency plans.5,6 https://www.wunderground.com/cat6/hurricane-maria-damages-102-billion-surpassed-only​ -katrina. 2 https://projects.cberdata.org/reports/HurricaneHarvey2017.pdf. 3 https://www.thebalance.com/u-s-gdp-5-latest-statistics-and-how-to-use-them-3306041. 4 http://www.cbc.ca/news/canada/manitoba/manitoba-churchill-rail-service-1.4154221. 5 https://www.thestar.com/business/2017/10/13/ottawa-threatens-to-sue-railway-owner-over​ -broken-rail-line-to-churchill-manitoba.html. 6 https://www.thestar.com/news/canada/2017/11/14/us-owner-of-broken-rail-line-in-churchill​ -man-to-file-complaint-against-ottawa.html. 1

The Evolution of Physical Security  ◾  163

While these issues are dealing with macro levels, they become important at the facility level in that they essentially erode the underpinning assumptions that have been entrenched in facility contingency planning. The first of these assumptions is that the system actually works in all cases. As shown in the Churchill, Manitoba case, the system works only when the necessary controls are put in place that will allow it to work and as long as all parties remain willing partners. In the case of the hurricane season in the United States, the facility manager needs to understand that the sheer magnitude of events may result in friction during the initial response (less so due to the urgency in saving lives) but certainly in the relief efforts when costs and timelines associated with reconstruction become more apparent and understood. In Puerto Rico, at the time of this drafting, the restoration of power is estimated to take over eight months to restore the over sixty three percent of the thirty thousand miles of electrical distribution grid while many of the necessary supplies are only just arriving.7 While the national or more strategic level is likely to strain contingency planners, there is also a need for contingency planning at the strategic level to push the planning horizon further back. While there are still some that debate whether or not climate is changing, there is little doubt in the minds of persons that operate city infrastructure that they have faced significantly greater challenges associated with snowfall, rainfalls, and wind. This has led a number of associations focused on infrastructure design to come together to try to find ways to address the moving targets associated with climate and weather-related events when designing infrastructure that may require a usable life cycle that spans several decades.8 These three strategic factors should not be looked at in terms of being too specific or isolated. Combined with sea level rises, scientists have estimated that the business as usual models may see the one-in-five 100-year storm increase from 17 feet in 2100 to 50 feet in 2300.9 Similarly, changes in temperature in California have been identified as a significant factor in the severity of fires that have threatened lives and property while severely testing the state’s firefighting capacity.10 In Nevada, flood control designs are already facing challenges as the state deals with increased severity and frequency of major events.11 What has become apparent is that the scientific community and Emergency management community are beginning to put less credibility in the concept of the one-per-hundred year storms. At the facility level, this becomes important as engineers rely upon these kinds of statistics in the design of facilities. The upper margin of events is combined with a safety factor that then becomes the limit within which the engineers will certify https://www.nytimes.com/2017/12/23/us/puerto-rico-power-outage.html. http://www.weao.org/climate_change_and_infrastructure_design_hitting_a_moving​ _target as one example. 9 https://phys.org/news/2017-10-sea-level-stronger-storm-surge-future.html. 10 https://www.nytimes.com/2017/12/07/climate/california-fires-warming.html. 11 www.huffingtonpost.ca/entry/100-year-f lood-climate-change_us_59a6eaa3e4b084581​ a14ea14. 7 8

164  ◾  Critical Infrastructure

the building to remain structural sound or safe to occupy. With credible science beginning to challenge these thresholds, one has to look at the next step in the chain—determining whether or not the usable lifecycle of some of the facilities may be shortened if the same levels of risk tolerance (in terms of the safe structure) are going to be maintained. It also means that the facility manager will need to challenge the assumptions being made about the infrastructure’s ability to withstand events when developing plans. While climatic and weather-related factors pose one challenge to the facility emergency planner, the change in the nature of threats pose increasingly complex challenges. Consider active shooter scenarios. On one hand, the initially impacted facility has little to no advance warning of the scenario—the notification often being that the attacker is observed at the site or that shots have been fired. On the other hand, those facilities that do have advanced notice generally adopt a kind of lock down procedure to keep their personnel isolated from the attack and to deny entry to the attackers. The primary assumption in this design approach is that the threat is external in nature. What has become apparent in several cases, however, is that the active shooter may be more in line with an internal threat—meaning that they have been given access credentials. What needs to occur at this point is a rethinking of some of the principles associated with current access controls that can swiftly revoke credentials and cascade that information through the various levels of infrastructure to deny that individual’s movement quickly. The second element for contingency planners in this changed dynamic involves space design. Several larger organizations have increased the use of open space and community areas, limiting the number of available offices. For example, the Government of Canada has moved to a fit-up standard that sees all personnel below the level of director essentially in small cubicles. When one applies the concept of “run, hide, and fight” that is the current active shooter mantra, this breaks down quickly.12 With limited internal barriers and limited spaces to actually hide, one might wonder whether or not one should skip the first two and move straight to “fight.”13 While this would certainly have to be examined on a case-by-case basis by competent persons, there is a significant conflict between the doctrine of “open access” and “locking down” that poses a challenge for the building’s contingency planner. This open concept also poses another challenge for the contingency planner. In previous physical security doctrines, much of the attacker and target relationship has been considered one-on-one. In open concept design, however, this no longer https://w w w.fema.gov/media-library-data/1472672897352-d28bb197db5389e4dded​ cef335d3d867/FEMA_ActiveShooter_OnePagerv1d15_508_FINAL.pdf (alt URL: http:// cipbook.infracritical.com/book4/chapter8/ch8ref1.pdf). 13 https://www.tpsgc-pwgsc.gc.ca/biens-property/mt-wp/gdp-pg-desc-eng.html (alt URL: http:// cipbook.infracritical.com/book4/chapter8/ch8ref2.pdf and http://cipbook.infracritical.com​ /book4/chapter8/ch8ref2a.pdf). 12

The Evolution of Physical Security  ◾  165

functions as there are potential breaches of security from any other groups working within the area. This means that contingency planners must look beyond the basic intent of an attacker and look at what may be best terms as opportunistic threats and inadvertent disclosures. With no clearly defined and credible physical barriers against personal movement, sound transmission or in the lines of sight, the range of information available to contain the attacker or potential information targets, assessing the extent to which security and operations have been breached has become much more complicated. Adding to this complication is that the attacker may understand the value of the information inadvertently disclosed. Clean desk policies, posting policies and other similar kinds of controls may need to be much more rigorously enforced in these environments if the organization wishes to maintain some level of information security. While changes in climate and the more collaborative approach to space design pose some challenges to contingency planners, the third challenge is the most significant. This involves the rapid expansion of technology and how it is impacting Physical Security’s core principles such as zoning and barrier design. On one hand, network-enabled technology (particularly poorly configured or managed technology) has enabled the penetration of physical barriers through emanations and network-hopping. On the other hand, the complexity of the tools available to the attacker has also increased. These tools range from basic applications that will inform users of available networks (including IP addresses, MAC, etc.). When one looks at the early phases of the cyber attack (particularly at the penetration of the network), the means of .being able to conduct reconnaissance and then penetrating the network has become much more complex and capable. It may involve penetrating the network remotely (reducing the risk of exposure to the attacker) or something as simple as leaving a USB in the parking lot marked sensitive and loaded with malware. Once these tools have given the attacker access to the various networks and the ability to escalate privileges, then the attack can proceed rather quickly. For the contingency planner, this means that any physical or network event may be part of something larger or more complex. A breach in the fire panel could be an inadvertent use of a maintenance hook by a maintainer that triggers an alarm. It could also be an attempt to use the “fail safe” function of the fire panel and its connection to the access control system as a means of unlocking access controls for a period of time. Similarly, a USB key found in the parking lot could be an accidental loss of control but could also be an attempt to load malware onto the network as the identity of the key’s owner is researched. Unless treated cautiously, the nature of USB firmware allows for that executable code to move fairly easily across what used to be an air gap and into the system where it can build covert channels or other backdoors to be exploited by the attacker later. For the contingency planner, this means that the community providing information into the early phases of an incident needs to be broad, inclusive, capable and thorough in its assessments.

166  ◾  Critical Infrastructure

This increase in the availability of tools for the attacker is exacerbated by what may be described as the thorough penetration and permeation of smart and WiFienabled technology into most operating environments. Personnel routinely own smart phones that have significant processing, memory and transmission capabilities. This can lead to significant challenges when looking at insider threats. At the same time, an employee’s device may be compromised and become the equivalent of that found USB key should they attempt to connect it their work network (such as for charging). The user may not even be aware that the device is compromised. At the same time, the push towards “bring-you-own-devices” is still not yet mature enough in many organizations to prevent that device from being a bridge to more trusted networks. While the firmware and software may prevent much of this, simple mistakes (such as writing a network password down on the personal side of the device) can lead to that information becoming compromised. This, however, is only the tip of the iceberg. For the contingency planner, therefore, this raises a number of challenges. There will be cultural and potentially labor issues as the organization attempts to limit what are increasingly seen as personally-necessarily devices into certain spaces. There is also the possibility that a more devious attacker will not launch an attack to the point of causing an exploit, but just enough to trigger a response— which may involve cutting off a node of a network to protect the whole as a form of denial of service attack. At the same time, one of the core elements in the Incident Command System involves the control of communications from an organization. In today’s connected environment, this is almost impossible and the time it takes for “outside elements” to raise objections and criticism is far shorter than the traditional communications chains that involve multiple levels of vetting and wordsmithing. This means that contingency planners have a much more complex environment. While climate change affects both the range of impacts but also the ability to plan a coherent response as transportation and other infrastructures may be affected. The complexity of assessing the real and potential impacts associated with potential breaches of security also becomes more complex as compartmentalization is replaced by collaboration, particularly if the organization has failed to implement certain basic controls. Finally, the penetration of permeation of technology has evolved to a point where the contingency planner cannot simply work in either the physical or logical domains—both are now sufficiently interwoven that they must be treated together. The Physical Security and Emergency Management doctrines operate using two different cycles. These cycles align, but neither gracefully nor completely. Within the realm of Physical Security, the doctrine follows the Plan-Do-Check-Act cycle calling it Risk Assessment, Control Design and Implementation, Monitoring and

The Evolution of Physical Security  ◾  167

Surveillance and finally cycling through Adjustment back to Risk Assessment. It also uses a cycle of Prevention, Detection, Response and Recovery (Canada and parts of the United States) or Deter, Detect, Delay, and Deny within the United States through ASIS International. Essentially, the organization will assess its risks, determine how it will respond to those risks, design controls to manage those risks and then monitor those controls (adjusting as required) to ensure that the risk is actually being managed. This, of course, precludes primitive structures that operate on simple compliance with standards as such approaches are no longer widely accepted by competent practitioners. Within the context of contingency planning, the doctrine uses a structure based on mitigation, preparedness, response and recovery. Organization’s identify their risks, determine long term measures to cover a broader range of events, establish plans for shorter and more specific issues (such as a hurricane), put in place response plans and make adjustments as necessary. This is far closer to the operational structure (prevent, detect, respond, and recover or deter, detect, delay, and deny) than how physical security programs are generally managed. Resolving this conflict requires clear designations (what is an emergency or contingency?) and delegation structure. There is a certain value in clarity. Emergencies should be understood from a national context. Contingency plans should be understood from a local context. Consider the October 22, 2014 shooting that involved Parliament Hill in Canada and the drone being flown onto the White House lawn in 2015 be a national emergency. Should this be considered national emergencies? These should not. While they may impact administrative functions that operate at strategic levels, there is no real need to activate whole regional structures and different levels of government to respond. In Ottawa during the shootings, many of the most senior security officers in government became directly involved in the locking down of facilities while regional officers were relegated to support positions. The risk in this case is that those organizations, many of which operate in several nations, lost its ability to maintain its strategic focus while its leadership became engrossed in the local event. One might argue that this could essentially decapitate the decision-making processes for the organization if they become consumed in the event. This is where delegations become important. For the senior officer in an organization, the focus needs to remain on the whole organization. There may well be steps that need to be taken, but they are generally limited to confirming that the event is local and then supporting the local delegated emergency manager. For example, the senior officer may reassure other parts of the organization that the event (which will be well known through informal communications—the rumor mill—and the media) is, in fact, a local event and that while vigilance may be prudent, there is no need to activate the full organization’s resources at all locations.

168  ◾  Critical Infrastructure

The local emergency manager, given the specific knowledge of infrastructure, impacts, and plans, becomes the logical leader at the operational level.14 Keeping this distinction requires that the concept of building emergencies (or campus emergencies) be kept very separate from those national events—with one major exception. If the event has a direct impact at a regional level or at the level of mass casualties within a region (such as may be caused by a toxic plume or chemical contamination over large tracts of territory and infrastructure), then it may be handled through the higher levels of government. Again, this would have two coordinated responses. One would be looking at the local issue and controlling it. The other would be looking at responding to that event and protecting the surrounding population, infrastructure, and resources. For this reason, responding to events within a local structure can be looked at in terms of a corporate response (security, safety, emergency management) while the response to emergencies, in the strategic level, belongs with Operations within an organization and under senior management. With this context in mind and understanding the potential for conflicts in approaches, we can begin to look at the response to specific events.

8.3 First Responder The above structure means that there are essentially two levels of concurrent activity. These may be integrated into one plan (depending on the organization), but it must be clear that there is a distinct difference between the priorities at each level. The local level will look at issues such as securing the site, rescue, retrieval of critical resources, containment of damage, and so forth. The strategic level will be more focused on preventing further damage (containment) to the extended organization and those priorities. This may involve decisions to “relocate and build new” as opposed to “rebuild” in the same spot depending on the various forms and levels of disruption. Those decisions, however, are likely to be communicated to the emergency manager who will, based on the senior management guidance (or other form of senior authority) activate the appropriate parts of the operational plan.

14

In this context, the strategic level looks to the health of the whole entity within its area of responsibility (such as the country for a federal government) and deals with longer-term issues. Tactical levels provide the tipping point between the strategic and operational in that they describe the level that determines how an organization would like to respond (doctrine, etc.). The operational level pre-occupies itself with responding in line with doctrine (as best able) but is focussed on the preservation of life, property and immediate operations and not longer-term goals. In this context, the Chief Security Officer for an international company would provide guidance to senior management but would step back from the operations involved, only stepping in when adequate authority or financial delegations are needed to facilitate the operational manager’s response to events.

The Evolution of Physical Security  ◾  169

These two priorities are focused through limited resources. Certain roles will deal with only one level. The various responders on the site are likely focused on local issues but may be briefed on what to report to higher authorities as it may factor into more strategic levels. The strategic level will likely seek the input of persons on the ground in order to make sound decisions, they are not likely to allow local management to dictate the priorities across the whole organization. The majority of persons involved, however, will be executing their roles within a plan and this plan will assign roles, responsibilities, and resources to the various activities that need to take place from both perspectives. For the contingency planner, the second major challenge will come from demands being placed upon first responder communities. With land prices increasing in most major urban centers, construction is going vertical. This means that there are higher population densities and numbers of people. Complexes, such as the Aura complex in Toronto which in 2016 was the 6th tallest residential building outside of Asia, had nearly 80 floors of mixed use.15 At some point, a critical mass will be reached at which point the first response communities will be able to respond to those critically dense areas but will also draw resources from less densely populated areas, leaving some areas at reduced coverage. This critical mass is already being seen in many major urban centers as ambulance services are diverted from rural coverage around the cities during peak periods of demand within the city. This applies broadly across all public services and is largely based on the need to use resources to best effect.16 These three contextual pressures place a significant burden on the first responder community’s expertise. The combination of increasingly challenging infrastructure, increasingly dense populations and including fluid conditions means that decision-making cycles at the operational level must be quick, clean, and concise. Education, training, drills, and exercises are significantly important in this regard, particularly given that the potential for disaster in highly concentrated populations increases dramatically and the time needed to train to avoid those disasters cannot simply be compressed into a few short days or lectures. The challenge here is that as organizations look to reduce costs (for a variety of reasons), the first responder community is largely “out of sight, out of mind” except to those that have had direct interactions with them. Education, training, abilities, and commitment of those on the ground must align with the challenges confronting them, but also be able to act as the knowledgeable eyes and ears for various levels of risk management. First responders must be able to function both vertically across various layers of government within their craft and horizontally to ensure that the response to incidents is handled as gracefully and effectively as possible.

15 16

http://www.collegeparkcondos.com. http://www.thedailyobserver.ca/2016/11/23/ottawas-rural-neighbours-call-on-province-to​ -resolve-ambulance-impasse

170  ◾  Critical Infrastructure

8.4 First Responder Classifications At the time of drafting of the third edition of this work, the various classifications of first responder were continuing to expand into a rather long and comprehensive list. Depending on the nature of the incident and a given emergency situation, environment, or hazardous condition, the following groups were first seen as being reasonably indicative of the functions required by communities: ◾◾ ◾◾ ◾◾ ◾◾ ◾◾ ◾◾

Law enforcement. Fire services. Emergency medical or ambulatory services. Emergency management including emergency preparedness. HAZMAT and containment. Public works.

This list was quickly expanded to include a range of private organizations and entities that could bring special knowledge, skills, abilities, or resources to the event. Given that the list of potential incidents itself was very broad, the list of potential first responders also grew significantly, and to the point where one might argue that it would be easier to identify who was not a first responder to some kind of event rather than who was. It became apparent that there needed to be some understanding that the list of responders could be flexible. This was already understood within the concept of the incident command system that saw personnel moved into and out of the command structure as needed. What also became apparent was that the incident commander was better defined in terms of being the first person on the scene and responsible for setting in place the conditions that would facilitate the arrival of follow-on responders than for necessarily solving the issue at hand. Even as this concept of flexibility was becoming better understood, the concept of interoperability was becoming more important. One only has to look at the distribution of tasks in dealing with medical emergencies on highways to notice that there is an increasing overlap between paramedic, fire, and ambulance services. Similarly, there is a rise in the use of “special constables” that support specific public organizations (such as mass transit) that is standing in lieu of previous police patrols. Even private security has become increasingly active in the law enforcement domain, exercising powers for the protection of persons and property while on their client’s property and being trained more extensively in the use of force and affecting of citizen arrests.

8.5 Guideline Classifications The role of the guideline is to provide the first responder community and interested stakeholders with varying degrees of information, developed by competent

The Evolution of Physical Security  ◾  171

organizations that would assist them in maintaining the expected level of capability and interoperability. While the first responder community is generally primarily interested in their own guidelines, the guidelines are often shared between organizations that work together or train together so as to promote the interoperability of the organizations. Guidelines are broken down into three definitive areas: 1. Awareness-level guidelines. 2. Performance-level guidelines. 3. Planning- and management-level guidelines. While these guidelines were originally intended for first responders and provided a level of knowledge that was more commensurate with advanced knowledge, skills, abilities, and resources, certain guidelines soon spread into the public domain.

8.6 Example: North American Emergency Response Guidebook The Emergency Response Guidebook (ERG) was developed jointly by the US Department of Transportation (DOT), Transport Canada (­specifically CANUTEC), and the Secretariat of Communications and Transportation of Mexico for use by firefighters, police, and other emergency service personnel who may be the first to arrive at the scene of a transportation incident involving a HAZMAT.17 The aim of this guideline was the following: ◾◾ Assisting in identifying potentially hazardous materials quickly. ◾◾ Assisting in identifying the appropriate steps to be taken to protect persons, property, and operations.

17

US Department of Transportation Office of Hazardous Materials, Emergency Response Guidebook; https://www.phmsa.dot.gov/hazmat/erg/emergency-response-guidebook-erg (alt URL: http://cipbook.infracritical.com/book4/chapter8/ch8ref3.pdf), http://cipbook.infracritical​ .com/book3/chapter6/ch6ref2.pdf, http://cipbook.infracritical.com/book3/chapter6/ch6ref2a​ .pdf, http://cipbook.infracritical.com/book3/chapter6/ch6ref2b.pdf, https://www.phmsa.dot​ .gov/sites/phmsa.dot.gov/files/docs/ERG2016.pdf (alt URL: http://cipbook.infracritical.com​ /book4/chapter8/ch8ref4.pdf ), https://www.phmsa.dot.gov/hazmat/erg/summary-changes​ -erg2012 (alt URL: http://cipbook.infracritical.com/book4/chapter8/ch8ref5.pdf), and https://​ www.phmsa.dot.gov/sites/phmsa.dot.gov/files/docs/Summary_changes_ERG2016.pdf (alt URL: http://cipbook.infracritical.com/book4/chapter8/ch8ref6.pdf).

172  ◾  Critical Infrastructure

Since the drafting of the second edition, the various national entities in Canada, the United States, and Mexico have made progress with respect to improving the availability of information and basic training. While organizations such as the Emergency Management Institute (EMI) in the United States have operated distance and online learning programs in support of their mandate to improve awareness, the rise of social media, online portals, applications, and other communications tools has increased the use of this technology. While traditional documentation continues to be available, these are being tailored to more user-specific experiences using the same kinds of technology that is used to identify the products and services preferred by online shoppers.

8.7 Awareness-Level Guidelines The awareness-level guidelines address training and awareness material for personnel who are likely to come across situations that pose a risk to the safety, security, or economic well-being of those in the area. Within this context, the priority of work is often to take steps appropriate to preserve life, identify the nature of the event, communicate the need for assistance, take immediate steps for containment, and facilitate the arrival of those who are in a position to best respond. While the previous guidelines focused on various forms of HAZMAT incidents, there is a need to broaden the six traditional areas to include a range of evolving issues. These include the following:

1. Recognize incidents. 2. Know the protocols. 3. Know the measures for self-protection. 4. Know procedures for protecting potential incident scenes. 5. Know and follow the on-scene and security protocols. 6. Possess and know how to properly use equipment to contact dispatcher or high authorities to report information collected at the scene and to request additional assistance or emergency response personnel.

While these six topics originally focused on the HAZMAT issues, they can be expanded to include a range of evolving threats, including the following: ◾◾ ◾◾ ◾◾ ◾◾ ◾◾

Disease (particularly in the transportation sector). Invasive species (damaging agriculture, water supply, etc.). Counterfeit goods (particularly in the high-tech sectors). Climate change-related issues (drainage and drought). Cyber-related and telecommunications (in terms of converged technology).

The Evolution of Physical Security  ◾  173

There is some discussion about whether this level of training would be beneficial to the community at large. Although first responders are generally the first official response on the scene, it is often the victims of the event who have first contact with it. The authors propose that there is a benefit to ensuring that members of the community are encouraged to undertake similar levels of training or that publicly suitable awareness programs or packages be made available to its citizens free of charge.

8.7.1 Recognize Incidents For each of the topics above, there is a significant need to be able to recognize incidents. Recognition of incidents is critical to being able to identify, categorize, and initiate the response to conditions discovered on the ground. The following areas are important when looking at the recognition of incidents: ◾◾ Understanding what the various threats are, what vulnerabilities they can exploit, and what risks they are associated with. ◾◾ Being able to identify if any of those threats are present at the scene. ◾◾ Being able to use the appropriate guides and other reference materials. ◾◾ Understanding the potential outcomes or consequences for an emergency when one or more of the threats are discovered. If the goal is to be able to detect, identify, and categorize something quickly, then the individual should not have to rely on reference material to identify common threats, vulnerabilities, and risks. Similarly, he or she should not have to use reference materials to identify the key sources of information. While this still holds true, the increasingly network-enabled environment is forcing first responders and security practitioners into some fundamental shifts in thinking. Those responding to incidents and being asked to triage them must now look through lenses that can see both the local event but can also see more systemic impacts. Again, this casts back to the challenge of balancing local response and strategic adaptation in a single plan.

8.7.2 Basic Protocols When looking at the response to any incident, there are those steps that must be almost automatic and those steps that are taken as a result of the situation on the ground. These are generally defined in protocols that first responders use when arriving on the scene and in order to prepare to conduct work at the scene. First responders should be very familiar with the following protocols: ◾◾ Being able to clearly identify the core risks and consequences associated with the conditions on the ground.

174  ◾  Critical Infrastructure

◾◾ Preparing for movement to the site (who, what, where, when, how, and why to move). ◾◾ Movement to the site (how to move, when to stop, etc.). ◾◾ Identifying the safe areas from which to work. ◾◾ Communications with subordinate, parallel, and superior organizations and, by extension, the limits on communicating with the press or people other than those responding to the incident. ◾◾ Immediate steps to be taken in terms of the protection of persons and the protection of the public (including situations in which individuals are contaminated and the risk of further contamination is not acceptable). The need for this level of familiarization with protocols cannot be overstated. The first responder must not only be comfortable with his or her own ability to follow these protocols through, but must also appear to be in control of the situation and comfortable with the steps that are being taken. Should the first responder exhibit signs of stress, discomfort, or discontent with the actions on the ground, there is a risk that those sentiments will raise concerns in those around them— including the victims of the incident.

8.7.3 Know Self-Protection Measures As the first responder is arriving on the scene, he or she must be aware of potential threats in the environment and be taking appropriate precautions, including the use of personal protective equipment (PPE). This may be full-body biological suits, various forms of breathing apparatus, or even weapons. The protective equipment will largely depend upon the nature of the situation and the nature of the first responder in terms of what equipment makes up the basic load for each person. There is a balance that must be established. The first responder acts as a trained set of eyes and ears on the ground while also acting as a symbol of the response to the population. As a result, the first responder must be able to strike a balance in terms of self-protection that preserves his or her ability to meet mission objectives while also communicating, through his or her actions, in such a way that the population affected gains a sense of comfort or confidence in the overall response. This is not to say that the first responder should be reckless to assuage public fears, only that the first responder’s protective posture needs to reflect actual conditions and not overstate the threat. Ultimately, however, the first responder must keep the mission first and understand that the mission is intended to save the greatest number of persons and greatest extent of property possible. In looking at the needs associated with self-protection, the following factor significantly: ◾◾ Understand the hazards (safety) and risks (security) to human life, property, and operations.

The Evolution of Physical Security  ◾  175

◾◾ Recognize the signs, symptoms, indicators, and warnings associated with those hazards and risks as they begin to appear on persons and equipment. ◾◾ Know what PPE is needed for one’s own protection and what may be needed to support anticipated casualties. ◾◾ Know the limitations associated with that equipment. ◾◾ Know how to procure, receive, configure, use, maintain, store, and dispose of such equipment (including potentially contaminated equipment). ◾◾ Know the procedures that are to be followed with respect to inclusion, separation, or isolation of casualties or potentially affected persons (including safe distances and rates of exposure). The other aspect of self-protection is often overlooked. This is the mental and psychological preparation that must be made, often years in advance, in order to remain effective during and after the incident. The first responder must be prepared, depending on the nature of the incident, to be exposed to images that include human casualties, animal deaths, destruction, or damage of cherished points. It is becoming more accepted that first responders can be subjected to operational stress injuries from their exposure to these kinds of situations in the field, and the first responder organization should establish programs that provide tangible support intended to prevent this issue or respond effectively to it.

8.7.4 Know Procedures for Protecting Incident Scenes The three different aspects regarding the protection of incident scenes are: ◾◾ Protecting the scene from outside influences that may seek to enter the scene for malicious or inappropriate purposes. ◾◾ Protecting the scene from inside influences that may seek to cause further damage. ◾◾ Protecting the scene in terms of being able to gather the data and information necessary to form a credible intelligence picture and understanding of the event for use in the intelligence cycle or the courts. While these three elements remain the same and the principles remain sound, the context in which they apply has expanded. The increased interaction between the “physical world” and the “logical world” means that the first responder must be able to preserve evidence (as best able) in both realms. For example, consider the seizure of a computer. While the physical security specialist or responder will look at this in terms of chains of custody and control, the information systems security specialist will realize that at least part of the memory will be lost with the cutting of power. While traditional crime scenes may afford the responder the luxury of working through situations in a grid, the emergency first responder may need to make

176  ◾  Critical Infrastructure

the decision to grab and run with piece of equipment or not. Having an understanding of the consequences of both decisions will become increasingly important as society becomes more reliant on cyber technology to maintain its documents, changes, plans and priorities. One aspect of this involves inter-entity cooperation. For example, within the transportation sector, much of the infrastructure is protected under a range of several security regimes. Infrastructure used for that purpose can become ­invaluable— particularly in terms of closed-circuit video equipment recordings, access control logs, and similar documentation. The challenge here is to ensure that the necessary lines of communication between entities have been established such that administrative controls on information have been resolved before the event, and do not become another challenge during the initial response.

8.7.5 Know Scene Security and Control Procedures The goals for scene security and control procedures are defined above. Ultimately, the goal is to be able to protect persons, property, and critical operations while preserving enough data and information to be able to form a clear picture of the incident. This clear picture is necessary if the organization wants to learn from the event and make any adjustments to its own measures. For the first responder, this means that he or she must be able to perform any of the following: ◾◾ Understand the department or agency site security and scene control procedures for awareness-level trained personnel. ◾◾ Follow those procedures outlined for ensuring scene security and for keeping unauthorized individuals or personnel away from the incident scene or adjacent hazardous areas; this includes cordoning off any such areas to prevent anyone from inadvertently entering the incident scene. ◾◾ Maintain incident scene security and control until a higher authority arrives at the incident scene. ◾◾ Be familiar with the department or agency incident command procedures. ◾◾ Protect any physical evidence, such as footprints, any relevant containers, papers, etc. ◾◾ Know the department or agency procedures for isolating individuals from danger areas. ◾◾ Know how to deal with contaminated individuals until a higher authority arrives at the incident scene. ◾◾ Recognize that the incident or event scene may be deemed a criminal scene, and that evidence must be protected and left undisturbed until a higher authority arrives at the incident scene to take control.

The Evolution of Physical Security  ◾  177

8.7.6 Know How to Use Equipment Properly Knowing how to use the equipment properly consists of a number of sub-elements, including: ◾◾ ◾◾ ◾◾ ◾◾

Knowing when the equipment is to be used. Knowing the limitations of the equipment. Being skilled in the operation of the equipment. Being skilled in the basic maintenance and troubleshooting of the equipment.

Those coordinating this set of activities should be aware that this is not something that can be accomplished hastily. It requires adequate preparation time beforehand, since the first responder is likely to be operating the equipment in less than optimal conditions in both the physical and logical domains. In addition to basic field tasks and maintenance, the first responders must also be able to maintain a basic troubleshooting function over communications and other network-enabled equipment that relies upon digital transmissions, cryptography, multimedia interfaces and cloud computing to name a few. Education and training can take a number of forms. These include the following: ◾◾ Basic training in the operation of the equipment (under normal conditions). ◾◾ Advanced training in the operation of the equipment (austere or difficult conditions). ◾◾ Basic maintenance in support of operations in the field. ◾◾ Refresher training to keep skills up to date and practiced. As an expansion of the knowledge of equipment identified in the previous edition, the following ought to be considered: ◾◾ Knowledge of how and when to use communications equipment (two-way radio, cellular phone, satellite phone, Voice over Internet Protocol (VOIP) or similar systems, Web mail, email, and proprietary texting/Short Message Service (SMS) systems). ◾◾ Knowledge of how to request additional personnel, equipment, space, information, or support/assistance that will assist in dealing with managing the incident, managing casualties, controlling the environment, or communicating with outside/external organizations. ◾◾ Knowledge of how to accurately describe the threat discovered in the environment using appropriate terminology and to a level of detail where secondline or supporting responders/receivers can assist. This also includes being able to identify the appropriate response entities and capabilities within the affected jurisdiction.

178  ◾  Critical Infrastructure

◾◾ Knowledge of when and how to request additional assistance, escalate requests for support, and the levels of delegation or authority associated with the command structure. ◾◾ Knowledge of the department, agency, or other entity emergency plans and procedures for all roles that they are assigned to, the role of their supervisor, the role of their subordinates, and how to establish an incident command structure. ◾◾ Knowledge of how to notify the communications center and how to establish communications with alternate communications centers so as to be able to report information regarding actions taken, hazards assessed, or potential emerging issues of concern.

8.8 Performance-Level Guidelines This level is divided into two sections, each with a separate set of training guidelines. The training guidelines for the respondent at the performance level target personnel who will likely respond to the scene of the incident, most likely involving dangerous organisms or chemicals. Responding personnel, if properly trained and equipped, will conduct on-scene operations within a non-safety area that has been set up on the scene, to control and close out the incident. It is expected that those personnel trained for Level A performance levels will work within both non-safety and safety areas, supporting personnel who are working in a non-safety work area. Personnel trained for Level B performance levels will work within non-safety areas, and in other areas set up on the incident scene or event as needed.

8.9 Operational Levels Defined Level A is the operations level; Level B is the technician level. Sections 8.10.1 through 8.10.3 refer to Level A; Sections 8.11.1 through 8.11.8 refer to Level B; both levels are specific to the performance level, as outlined. Portions of these procedures may have sections or parts of their sections added or removed; this was necessary to generalize the overall procedural efforts of on-scene crisis management. This structure may vary depending on the various organizations. What is being communicated is that there are two clearly distinct categories associated with the operational level.

The Evolution of Physical Security  ◾  179

8.10 Level A: Operations Level 8.10.1 Have Successfully Completed Awareness-Level Training This training for responders involves possible handling of dangerous organisms, chemicals, and other materials in addition to other specialized training. It includes the following: ◾◾ Complete training (or have equivalent training and experience) in and understanding of the guidelines at the awareness level for the function specific to the respondent. ◾◾ Understand terminology, classes of materials and agents, toxicology of HAZMAT, weapons of mass destruction (WMD) agents, or materials, classification or other categorization of dangerous organisms, and anything not previously mentioned that would be considered hazardous to human life or property. ◾◾ Be aware of any potential targets for possible attack by any individual(s) having or using any WMD agents or materials. ◾◾ Know the preplans to be used within the department or agency emergency response plan for those locations listed (i.e., know what to expect and do for a chemical storage facility, fuel depot, etc., in case of an emergency). ◾◾ Know how to collect and forward any intelligence gathered regarding potential terrorist or criminal activity or actions involving possible WMD agents or materials. ◾◾ Be capable of coordinating and gathering any relevant intelligence from any sources, organizations, etc., that may be found at the incident scene or event. ◾◾ Demonstrate skills and knowledge in the preparation of any hazard or risk analysis of a potential WMD target within the local community or target area. ◾◾ Know how to assess the consequences for different threats, as well as collateral damage effects resulting from the implementation and enactment of those threats. This includes being able to make a hasty assessment of how the environment can lead to changes in consequences. ◾◾ Participate in joint training exercises or drills with other emergency response organizations, departments, or agencies, which are expected to participate as part of the response to potential WMD events within the target area. While the concept of WMD’s has been largely associated with CBRN devices, the ability of organizations to affect infrastructure using cyber-weapons is beginning to raise the question as to whether certain kinds of weapons should be classified

180  ◾  Critical Infrastructure

in the same manner. A nuclear weapon’s electromagnetic pulse may disrupt the electrical circuitry within a fairly significant area. Self-propagating and adaptive codes that target an electrical transmission grid can accomplish a similar affect on a population. When considering directed attacks against a critical infrastructure sector (as opposed to simply one site), there is a legal question to be answered as to whether or not the intended impact of the attack falls into this category and, if so, how does one recognize it and communicate critical information about it.

8.10.2 Know ICS Awareness Procedures In this step, within this level, it is essential for the responder to know the incident command system (ICS) and be able to follow the unified command system (UCS) procedures for integration and implementation methodologies of each system. In the following section, detailing some of the requirements to meet the above, note that all dangerous organisms, chemicals, etc., are intended to be covered (dangerous organisms should be considered as including invasive species): ◾◾ Know how systems integrate with each other and provide support for the incident as best as possible. ◾◾ Be familiar with the operations of both command systems’ structures and methodologies, and be able to assist the UCS if/where needed. ◾◾ Know how to implement initial site management procedures following the department incident command system and emergency response plan. Such procedures include: – Establishing communications with dispatched communications or command center. – Establishing control zones for the incident scene or event. – Locating the command post. – Forwarding any intelligence gathered that has been collected at the incident scene or event. ◾◾ Be able to implement the ICS component of the department or agency emergency response plan for any given WMD situation or event involving dangerous organisms, etc. ◾◾ Be aware of any assets available from the department or agency, as well as from local departments or agencies that could provide assistance specific to a potential WMD situation or event. ◾◾ Know what procedures are required to be followed to get resources to the incident scene or event if/when as needed. ◾◾ Be familiar with any assets that could be made available from other emergency response organizations, local or otherwise. ◾◾ Understand and follow department or agency procedures for accessing other organizations’ help specific to a potential WMD situation or event. ◾◾ Understand the purpose and function of the UCS.

The Evolution of Physical Security  ◾  181

◾◾ Know department or agency procedures for assisting in the implementation of UCS for incident scene or event management specific to a potential WMD situation or event. ◾◾ Be capable of assisting the critique and review of actions taken before, during, and after the complete response specific to a potential WMD situation or event. ◾◾ Assist with any documentation of lessons learned and activities from the critique or review as to how the lessons learned may be applied for future courses of action specific to a potential WMD situation or event. ◾◾ Understand the importance of and know how to terminate documentation specific to a potential WMD situation or event, to be conducted relating to, or specific to, the areas of activities while conducted before, during, and after the specific potential WMD situation or event. ◾◾ Know and follow department or agency guidelines specific to news media coverage. ◾◾ Know how to develop an incident action plan (IAP) specific to coordination activities with the on-scene incident command. ◾◾ Ensure that the IAP is consistent with the department/agency emergency response plan.

8.10.3 Know Self-Protection and Rescue Measures This includes following any self-protection measures and rescue and evacuation procedures for potential situations involving risks of exposure to dangerous organisms or chemicals. The following should be considered within any structure: ◾◾ Know how and when to use appropriate personnel protective equipment (PPE) issued by the department or agency and to work within a non-safety area that is on scene specific to a potential WMD situation or similar event involving a risk of exposure or contamination. ◾◾ Follow department or agency policies for use, inspection, and maintenance of PPE. ◾◾ Understand hazardous situations and risks associated with wearing protective garments or clothing or other protective clothing and equipment. ◾◾ Understand and follow rehabilitation methodologies to assist other responders to reduce any levels of heat-related stress, exhaustion, issues associated with psychological responses to confinement, or losses of mobility. ◾◾ Know precautionary measures necessary to protect responders who are on scene. ◾◾ Know how to determine the appropriate PPE for protecting officers who will be entering non-safety areas on scene specific to a potential WMD situation or event.

182  ◾  Critical Infrastructure

◾◾ Know the protective measures that are necessary to protect individuals, other responders, and other department or agency personnel who are on scene specific to a potential WMD situation or event. ◾◾ Know the department or agency and on-scene incident commanders’ plan for evacuation of individuals within the non-safety areas specific to a potential WMD situation or event. ◾◾ Be capable of rescuing and moving individuals specific to a potential WMD situation to a safety area for triage and treatment by emergency medical respondents. ◾◾ Understand the roles of Level A performance-level responders, and the roles of other levels of respondents within the department or agency emergency response plan. ◾◾ Know how to implement appropriate decontamination procedures for individuals, respondents, mass casualties, and equipment within, around, and surrounding non-safety areas. ◾◾ Understand the importance of proper decontamination of any reused equipment. ◾◾ Know and follow department or agency procedures or practices for handling and securing any suspicious packages, articles, or items. What is often overlooked in systems such as this is the background efforts that are needed to establish, validate, maintain, review, and adjust the various documents, including plans, standards, procedures, guidelines, and training material. For managers involved in this domain, it should be noted that significant effort may be required to accomplish this.

8.11 Level B: Technician Level 8.11.1 Know WMD Procedures This is necessary in following procedures for working at on-scene situations specific to potential WMD situations or events. The following should be incorporated into the overall structure: ◾◾ Know how to conduct any investigation and protect and collect evidence in conjunction with department or agency procedures for chain of custody, documentation, and any specific security measures necessary to store evidential information, articles, or items, whether or not contaminated, or however contaminated.

The Evolution of Physical Security  ◾  183

◾◾ Implement the department or agency emergency response plan on-scene security measures and procedures. Procedures should include: – Providing security for command post operation. – Controlling or monitoring activity into or out of on-scene areas (both safety and especially non-safety areas) specific to a potential WMD situation or event. ◾◾ Know how to implement appropriate on-scene decontamination procedures for protection of individuals, members of the public, emergency responders, or others who may have been contaminated on scene by agents or materials resulting specifically from the potential WMD situation or event. ◾◾ Know how to implement basic life-saving and supporting procedures for protection and treatment of individuals, members of the public, emergency responders, or others on scene specific to a potential WMD situation or event. ◾◾ Know how to implement procedures and measures for minimizing the spread of contamination of hazardous agents or materials to other locations, individuals, or equipment not previously contaminated, either within or surrounding non-safety areas resulting from the contamination. ◾◾ Be trained in recognizing any potential acts of terrorism. ◾◾ Be capable of identifying possible agents or materials that could be present at a WMD situation or event. ◾◾ Understand the roles and jurisdictions of any federal departments or agencies specific to a potential WMD situation or event. ◾◾ Be able to coordinate and assist in the overall investigative process specific to a potential WMD situation or event. ◾◾ Be aware of any applicable laws, as well as privacy and security-related issues specific to the potential WMD situation or event.

8.11.2 Have Successfully Completed Awareness and Performance-Level Training This involves possible HAZMAT handling for WMD and other specialized training. ◾◾ Complete training (or have equivalent training and experience) in and understanding of the guidelines at the awareness and performance levels for Level A training for the function specific to the respondent. ◾◾ Know the terminology associated with WMD agents, chemicals, dangerous organisms, and with any equipment, mechanical or otherwise, that would be used in conjunction with any tasks or assignments specific to the skill sets or knowledge base of the respondents.

184  ◾  Critical Infrastructure

◾◾ Have knowledge of, and ability to use, any specialty equipment used in conjunction with decontamination procedures, containment, or transportation for evidential purposes. ◾◾ Know how to conduct risk analysis and assessment for any HAZMAT or any WMD agents or materials for on-scene situations and for preplanned potential terrorist or criminal activities within any given area. This includes being able to conduct hasty assessment with respect to the level of contamination or exposure to dangerous organisms and the potential spread of that organism given current, flows, winds, and tides both in the environment and associated with infrastructure. ◾◾ Have experience in some emergency medical basic life support treatment and rescue of individuals and responders, triage and decontamination of individuals and equipment, and transportation capabilities of individuals exposed to WMD agents, dangerous organisms, or materials. ◾◾ Participate with emergency response organizations in joint training exercises or drills involving specified tasks, mock-up scenarios, or working with mock WMD agents, dangerous organisms, or materials.

8.11.3 Know Self-Protection, Rescue, and Evacuation Procedures This includes following any self-protection measures and rescue and evacuation procedures for potential WMD situations or events. The following should be included in any structure: ◾◾ Knowledge of how to develop, maintain, and follow plans and procedures associated with the response to various kinds of events: – Know how to develop site safety and a control plan initiative that coordinates activities with the incident commander, if qualified. That is, personnel conducting such tasks must be trained and experienced in these areas of safety and risk mitigation; otherwise, inexperienced personnel may cause further safety issues or concerns to those who are on scene. – Assist however possible with the implementation of the IAP on scene, or if requested, develop an IAP per directive from the incident commander. ◾◾ Be able to recognize potential threats: – Be able to recognize types of WMD agents or materials. – Know how to use and read results from diagnostic and sampling equipment and instrumentation devices. – Understand the limitations of the detection or diagnostic instrumentation devices that are provided by the department or agency. ◾◾ Knowledge of PPE and supporting equipment, including the equipment proper, maintenance tools, supporting equipment, and supplies:

The Evolution of Physical Security  ◾  185

– Know how to select and use the PPE18–20 needed to work safely within non-safety or near non-safety areas that are near or on scene specific to a potential WMD situation or event involving dangerous organisms, chemicals, or materials. – Understand the limitations of the PPE. Follow department or agency policies and guidelines on how to use, inspect, and maintain the PPE. – Understand the hazards and risks in using protective clothing. – Understand and implement rehabilitation measures to help responders reduce level of frustration or heat stress. Take any other necessary precautions to protect on-scene responders or other individuals that are on scene specific to a potential WMD situation or event. ◾◾ Knowledge of steps to be taken to protect persons and remove them (as best able and appropriate to the threat) from immediate harm: – Follow department or agency safety procedures and practices for retrieving, handling, transporting, and disposing of any unknown or suspicious package, article, device, or item. – Follow department or agency precautionary measures and safety practices to safeguard personnel against contamination as best as possible. – Have experience in some emergency medical basic life support treatment, rescue of individuals and responders, triage and decontamination of individuals and equipment, and transportation capabilities of individuals exposed to WMD agents or materials. US Department of Transportation Office of Hazardous Materials, Emergency Response Guidebook; https://www.phmsa.dot.gov/hazmat/erg/emergency-response-guidebook-erg (alt URL: http:// cipbook.infracritical.com/book4/chapter8/ch8ref3.pdf), http://cipbook.infracritical.com/book3​ /chapter6/ch6ref2.pdf, http://cipbook.infracritical.com/book3/chapter6/ch6ref2a.pdf, http://cip​ book.infracritical.com/book3/chapter6/ch6ref2b.pdf, https://www.phmsa.dot.gov/sites/phmsa​ .dot.gov/files/docs/ERG2016.pdf (alt URL: http://cipbook.infracritical.com/book4/chapter8​ /ch8ref4.pdf), https://www.phmsa.dot.gov/hazmat/erg/summary-changes-erg2012 (alt URL: http://cipbook.infracritical.com/book4/chapter8/ch8ref5.pdf), and https://www.phmsa.dot​ .gov/sites/phmsa.dot.gov/files/docs/Summary_changes_ERG2016.pdf (alt URL: http://cipbook​ .infracritical.com/book4/chapter8/ch8ref6.pdf). 19 OSHA requires employers to use personal protective equipment (PPE) to reduce employee exposure to hazards when engineering and administrative controls are not feasible or effective. Employers are required to determine all exposures to hazards in their workplace and determine if PPE should be used to protect their workers. If PPE is to be used to reduce the exposure of employees to hazards, a PPE program should be initialized and maintained. This program should contain identification and evaluation of hazards in the workplace and if use of PPE is an appropriate control measure; if PPE is to be used, how it is selected, maintained, and its use evaluated; training of employees using the PPE; and vigilance of the program to determine its effectiveness in preventing employee injury or illness. 20 US Department of Labor Occupational Safety and Health Administration, Safety and Health Topics: Personal Protective Equipment (PPE), http://www.osha.gov/SLTC/personalprotective​ equipment (alt URL: http://cipbook.infracritical.com/book3/chapter6/ch6ref3.pdf). 18

186  ◾  Critical Infrastructure

– Assist however possible any emergency medical groups that are on scene with the incident commander coordinating efforts of this type of support. ◾◾ Have experience to assist the incident commander in establishing any safety procedures for performing specialized tasks to lower the safety levels of the hazard from the potential WMD agent or HAZMAT. ◾◾ Be able to perform such tasks if assigned. ◾◾ Know how to plan for and implement coordination efforts with any emergency medical group, and to implement medical monitoring procedures for those individuals entering or leaving non-safety areas as needed.

8.11.4 Know and Follow Procedures for Performing Specialized Tasks This includes knowledge to perform specialized tasks at the scene of a potential WMD situation, area of contamination, exposure to an invasive species, or similar event. The structure should include the following: ◾◾ Recognize the activities that will be coordinated with the on-scene incident commander. ◾◾ Know how to identify the appropriate PPE and specialized tools associated with CBRNE threats, including those posed by dangerous organisms: – Know how to select appropriate PPE for the specialized task to be performed on scene, and to establish safety procedures and practices to be followed as outlined within the procedures of the department or agency that is responding. – Use technical reference materials to assist in the selection process of the PPE that is appropriate for the tasks. ◾◾ Know procedures on how to operate equipment associated with detection, sampling, collection, or containment of dangerous chemicals, dangerous organisms, or other forms of contaminations: – Follow procedures for operating any detection or sampling instrumentation devices or equipment. – Understand the limitations for collecting solid (including granular or particulate materials), liquid, and gaseous substances for detection, identification, and classification of potential WMD agents or materials, and for the verification of such materials as needed, and including invasive species.

The Evolution of Physical Security  ◾  187

◾◾

◾◾

◾◾

◾◾

– Know and follow procedures and best practices for retrieval of contaminated evidence and for the safe handling or transportation, storing, and securing of such evidence materials, items, articles, etc. – Use technical reference materials to assist in the tasks outlined as necessary. – Be able to perform similar tasks with respect to potentially dangerous organisms or contamination within the environment. Be able to mitigate any on-scene hazards and risks to responders and members of the public: – Assist the on-scene incident commander in developing and implementing strategies and tactics that will reduce on-scene risks for any responders or members of the public. – Be able to recognize any special threats, such as secondary incendiary or explosive devices that would otherwise be used to harm or kill any emergency responders, members of the public, any equipment used for the detection, decontamination, or removal of WMD agents or materials, or the vehicles to be reused. – Follow procedures and best practices for safely searching for suspected devices and, if found, controlling or removing these types of threats from the scene and away from those individuals, members of the public, and any responders or emergency personnel who might have otherwise been exposed, contaminated, or had some form of safety risk or threat posed upon them. – Coordinate decontamination procedures with the incident commander. Knowledge of plans, standards, procedures, and other directions associated with the response to an event: – Be able to implement the department or agency emergency response plans as well as local/regional emergency response plans. – Know how to access local/regional assets to assist with any on-scene resolution or mitigation procedures specific to any potential WMD situation or event. Knowledge of plans, standards, procedures, and guidelines with respect to supporting first responders: – Coordinate the implementation of any necessary medical monitoring efforts with emergency medical group members and the incident command for those responders entering and leaving non-safety areas. Be able to assist in the implementation of rehabilitation assistance to those emergency responders who may have suffered from any frustration or heatrelated stress, or other problems arising from protective clothing or that can be controlled or reduced on scene.

188  ◾  Critical Infrastructure

8.11.5 Know ICS Performance Procedures In this step, within this level, it is essential to know the ICS and be able to follow the UCS procedures for integration and implementation methodologies of each system. The following should be incorporated into the overall structure: ◾◾ Taking steps to establish the ability to respond: – Ensure that skill set and knowledge are available to serve the emergency operations officer for on-scene activities. – Be aware of any assets available from the department or agency and from local/regional emergency response organizations, especially regarding handling hazards or threats that may happen on scene specific to a potential WMD situation or event. – Know how to obtain the desired assets for on-scene support as necessary, or if needed. – Know and follow procedures for working, and coordinating, with other departments or agencies under the UCS to handle specialized hazards or threats on scene specific to potential WMD situations or events. – Understand and know how to implement termination procedures at the close of an emergency response incident. ◾◾ Be able to ensure that documentation and procedures are adequately documented, reviewed, and signed off on by senior management through the appropriate management or administrative reporting chain: – Know how to implement the ICS such that the department or agency has its emergency response plan. – Be capable of assisting the incident commander in completing required documentation related to termination procedures, including appropriate measures for cost recovery and management. ◾◾ Be able to assist the ICS commander or the entity when reviewing, assessing, and adjusting plan procedures and processes in response to lessons learned: – Know how to conduct or assist in conducting critiques of any actions taken before, during, and after the response specific to a potential WMD situation or event. – Be capable of assisting the incident commander in conducting incident critiques (defined as lessons learned capability, for future situations or events). – Assist in determining what improvements, if any, would be made for the next emergency response specific to a potential WMD situation or event, especially in areas regarding improvements specific to the tasks defined to those responders on scene and within special operations. ◾◾ Know how to coordinate the development of an IAP with the on-scene incident commander that is consistent with the department or agency emergency response plan procedures and practices:

The Evolution of Physical Security  ◾  189

– Be able to implement IAP, including addressing special on-scene hazards. – Recognize coordination efforts with/between other department and agencies that are on scene for gathering any evidence and intelligence data or information. ◾◾ Ensure that the ICS commander and key personnel are supported in terms of their ability to achieve situational awareness involving the event and potentially affected areas: – Understand the importance of developing and sharing intelligence gathering techniques for on-scene data gathering, including information from any special operations activities. – Recognize that any intelligence information gathered should be shared with the on-scene incident commander or incident commander designee, as well as any senior law enforcement leadership that may be on scene.

8.11.6 Planning and Management-Level Guidelines This section addresses training requirements for respondents who may be involved with hazard remediation efforts associated with potential terrorist/ criminal use of WMD. Respondents will be involved in planning for and managing the emergency on-site scene, and will help implement the on-scene command post. These individuals might be expected to manage specific tasks while on scene, as well as other allied emergency responders, who will support the ongoing operations to mitigate and control the hazardous agents and materials using any available resources to safely and sufficiently conclude the event. Actions to be taken by respondents should initially be conducted from a safety area. It is expected that respondents will be integrated into the overall command structure that is implemented for the management and supervision of resources and assets being deployed to mitigate and recover from the overall WMD situation or event. ICS provides a key tool in this regard. What is needed behind the ICS is buy-in from the community of potentially affected entities and not just the lead agencies alone. This community is not just limited to government—it must include entities and other communities from within the private sector given the nature of the event and ownership issues surrounding current infrastructures today. Consider this: An event may be the result of an incident within a community center—who has the primary responsibility and control? For those who have worked in this domain, the answer is reasonably clear. Where this question becomes important is when those who have a legitimate control over the scene attempt to take over and potentially meet resistance because the community with which they are interacting is unaware of the protocols, and unwilling to cede control over the response of the incident. These problems are the last thing needed when attempting to preserve the safety and security of the affected people.

190  ◾  Critical Infrastructure

8.11.7 Successfully Completed Awareness, Performance, and Management Training This section outlines a series of goals and objectives associated with ensuring that awareness, performance, and management training has been completed successfully. The following should be incorporated into the overall structure: ◾◾ Complete training (or have an equivalent training and experience) in and understanding of the guidelines at the awareness and performance levels for Level A training for the function specific to the respondent. ◾◾ Know how to implement the department or agency ICS and relevant portions of the department or agency emergency response plan. ◾◾ Be capable of implementing local/regional emergency response plans specific to potential WMD situations or events or HAZMAT events. ◾◾ Understand the roles of responder personnel within any given emergency response plan. ◾◾ Recognize the hazards, risks, and limitations associated with using protective clothing and equipment. ◾◾ Be familiar with any assets available for implementing the emergency response plan specific to any potential WMD situation or event. ◾◾ Know what additional assets and assistance may be available for assistance with handling WMD or HAZMAT events or situations. ◾◾ Understand the importance of implementing appropriate decontamination procedures for any given HAZMAT or WMD situation or event. ◾◾ Be able to implement those procedures to protect emergency responders, individuals, public safety personnel, and members of the public, as well as equipment that could be reused.

8.11.8 Know ICS Management Procedures In this step, within this level, knowing the ICS and being able to follow the UCS procedures for integration and implementation methodologies of each system is essential. The following should be incorporated into the overall structure: ◾◾ Know how to manage any one of the five basic functions for operating the department or agency ICS. ◾◾ Be capable of assessing needs for additional resources and obtaining those resources from the identified assets. ◾◾ Understand the responsibilities and roles of the emergency operations center. ◾◾ Be capable of interfacing and coordinating with everyone involved. ◾◾ Understand the applications and interfaces of the UCS with the ICS.

The Evolution of Physical Security  ◾  191

◾◾ Know best practices and methodologies that are to be used and implemented within the UCS that are on scene specific to a potential WMD or HAZMAT event: – This should be extended to include disease, dangerous organisms, and invasive species. ◾◾ Be capable of assisting the incident command in the completion of all termination documentation for the situation or event and explaining how specified tasks relate to respondents at the scene. ◾◾ Know how to conduct or assist in conducting critiques of any actions to be taken before, during, and after completion of the response specific to the potential WMD situation or event: – This should be extended to include disease, dangerous organisms, and invasive species. ◾◾ Be capable of developing lesson learned scenarios for future situations/events. ◾◾ Define and implement appropriate strategies and tactics that would assist in determining the types and levels of degree of improvements relevant to tasks performed by various responders at the scene, which are or will be needed for the lessons learned documentation. ◾◾ Know how to develop a media management plan specific to potential WMD situations or events, or HAZMAT events, in coordination with the on-scene incident commander: – This should be extended to include disease, dangerous organisms, and invasive species. ◾◾ Be capable of managing responder group activities under the UCS and ICS directives. ◾◾ Be capable of assisting the on-scene incident commander or designee on completion or conclusion of the WMD or hazardous situation or event: – This should be extended to include disease, dangerous organisms, and invasive species. ◾◾ Be capable of advising the incident commander or the management team of the respondents’ roles and capabilities, sharing any intelligence data or information gathered, along with any modifications necessary to the department or agency emergency response plans, procedures, and best practices.

8.12 Know Protocols to Secure, Mitigate, and Remove HAZMAT The containment of HAZMAT is of significant importance, particularly given the fragility of certain environments, the potential impact on the health of those in the area, and the long-term effects on the local population. The following should be included in the overall structure:

192  ◾  Critical Infrastructure

◾◾ Know how to assess agents or materials used in a potential WMD or HAZMAT event based on the signs and symptoms of any individuals exposed to the area. ◾◾ Use appropriate methods in gathering of evidential data or information. ◾◾ Follow emergency medical protocols for treating individuals. ◾◾ Understand procedures and protocols for defining locations for the command post, staging areas, medical monitoring function areas, and proper isolation boundaries for the different areas at the emergency scene. ◾◾ Know how to control entry within, into, and out of these areas. ◾◾ Be capable of identifying hazards presented at the scene that will be implemented in the most effective methods, considering alternatives and especially safety concerns of emergency responders at the scene. ◾◾ Be familiar with the environmental and public safety requirements for the removal, handling, transportation, and storing of WMD or HAZMAT or agents found at the scene. ◾◾ Understand the roles of the responders regarding any evidence gathering efforts, including chain of custody and needs for the secure storage of contaminated and non-contaminated materials gathered at the scene. ◾◾ Follow health and safety precautions and procedures for handling such materials. In July 2007, a crude oil pipeline was ruptured in British Columbia, Canada, and as a result, a number of homes, a highway, and the ecology of Burrard Inlet were affected. This type of event provides a good example of why those working on sites must be trained in the areas that have just been discussed. In these types of scenarios, the preservation of life as well as the environment (and not just in the “green” sense of the word) must be an almost immediate reaction by individuals in the immediate area(s). At the same time, once those have been assured through training, the steps associated with containment and mitigation need to move up on the priority ladder with management. In order to start these as quickly as possible, those working at the scene must be the ones who take appropriate steps—not the first responders called to the scene.21

21

http://www.bst-tsb.gc.ca/eng/rapports-reports/pipeline/2007/p07h0040/p07h0040.pdf (alt URL: http://cipbook.infracritical.com/book4/chapter8/ch8ref13.pdf) and https://www2​ .gov.bc.ca/gov/content/environment/air-land-water/spills-environmental-emergencies/spill​ -incidents/past-spill-incidents (alt URL: http://cipbook.infracritical.com/book4/chapter8​ /ch8ref14.pdf).

The Evolution of Physical Security  ◾  193

8.13 Additional Protective Measures This section pertains to the additional measures that are discussed through several doctrines and structures. Basically, these are a repeat of self-protection and protective measures that are to be implemented on scene, with a few additions. These include the following: ◾◾ Recognize the special hazards to human life, local species, and the environment from hazardous materials or dangerous organisms. ◾◾ Be able to and capable of assisting in the care for and treatment of individuals who may have suffered exposure. ◾◾ Know how to obtain resources for appropriate rescue, transportation, and emergency treatment of contaminated individuals and personnel. ◾◾ Follow post-event rehabilitation best practices and procedures for emergency response and other on-scene personnel, including critical incident stress management. ◾◾ Be capable of coordinating programs outlined for department or agency personnel if requested, usually by the incident commander or designee in charge. ◾◾ Understand the importance of implementing medically prescribed and appropriate prophylactic treatments for those who may have become contaminated with a biological hazard. ◾◾ Coordinate any treatments with health officials. ◾◾ Understand the importance of the safety officer role in protecting on-scene emergency responders and personnel. ◾◾ Be capable of assuming that role if requested, by an incident commander or designee in charge.

8.14 Understand the Development of the IAP This includes knowing the assets available for controlling situations or events, in coordination with the on-scene incident commander. ◾◾ In collaboration with the on-scene incident commander, be able to assist in planning management efforts, thus determining optional goals and objectives to bring the situation or event to successful conclusion. ◾◾ Know what assets are available for addressing on-scene hazards. ◾◾ Have the necessary communications equipment to request on-site assistance. ◾◾ Coordinate activities with the on-scene incident commander. ◾◾ Know how to draft an incident mitigation or action plan (referred to as IAP) to address any on-scene incidents, situations, or events, and to obtain assets to control or suppress any such hazards pertinent to any such situation or event. ◾◾ Coordinate the development, implementation, and alteration of the plan with the on-scene incident commander.

194  ◾  Critical Infrastructure

◾◾ Be able to advise the on-scene incident commander as well as other officials regarding site assessment and establishment of any zonal boundaries along with the outer perimeter of respondents and emergency personnel who are on scene, which include an appropriate location for the establishment of a command post. ◾◾ Follow procedures and methodologies outlined within the department or agency procedural or policy manuals for assessing any hazard and risk and for protecting the general public as well as any emergency respondents. ◾◾ Be capable of identifying any potential targets for what might be considered terrorist attacks.22 ◾◾ Understand and comprehend tactical methods used by individuals who may be classified as terrorists and what they might use within the target area. ◾◾ Be capable of developing preplans to mitigate any potential WMD or HAZMAT situation or event involving potential targets.

8.15 Know and Follow Procedures for Protecting a Potential Crime Scene Following the event, it is important to be able to gather data that are as complete and accurate as possible. This becomes important when looking at the lessons learned and any potential criminal proceedings that may arise out of the event. The following should be included in the structure: ◾◾ Know appropriate procedures for protecting evidence and minimizing any disturbances of the crime scene to the maximum extent possible, while protecting any individuals at the potential scene. In today’s network-enabled environment, this applies to both physical practices and following sound technical or cyber-related practices. ◾◾ Assist any individuals to minimize adverse medical signs and symptoms where possible. ◾◾ Understand the importance of coordinating with law enforcement officials to ensure that any department or agency actions do not hinder the gathering of any evidence by law enforcement officers. ◾◾ Assist law enforcement officers in identifying and preserving evidence and sharing of intelligence. ◾◾ Follow any protocols established that will help in minimizing any disturbances to the potential scene.

22

Definition of the term terrorist is fluid in nature; the term terrorist may or may not be someone who enjoys exhibiting any form of terror or mayhem to specified targets, or in some aspects, even general public targets, sites, facilities, or events, resulting in the damage or destruction of life or property. This definition is constantly changing; thus the definition of the term is nonstandard.

The Evolution of Physical Security  ◾  195

◾◾ Understand the roles and jurisdictions of any federal or state department or agency pertaining specifically to any potential WMD or HAZMAT situation or event. ◾◾ Know how to recognize an incident that may be defined as an act of terrorism. ◾◾ Be able to and capable of identifying any evidence that could be useful to the investigation of the potential scene. ◾◾ Share intelligence with law enforcement officials and the on-scene incident commander.

8.16 Know Department Protocols for Medical Response Personnel Knowledge of these protocols is important for ensuring that medical casualties are treated as efficiently and effectively as possible. It is also important to note that these measures also play a role in the protection of the medical response personnel themselves. The following should be included in the structure: ◾◾ Be capable of developing a medical action plan to protect any on-scene emergency responders. ◾◾ Coordinate the implementation of the plan with the emergency medical manager and/or on-scene incident commander. ◾◾ Know how to implement, in concert with the medical action plan, department or agency procedures for medical monitoring of all respondents and emergency team members involved with, or working with or within, the nonsafety areas. ◾◾ Ensure that the plan includes the monitoring of baseline vital signs and physical assessments for all personnel either entering or leaving this area. ◾◾ Ensure that any signs or symptoms of exposure to potential WMD or HAZMAT agents are included within the medical monitoring and physical assessments of responders who are entering or leaving non-safety areas. This should also be included to be able to identify the potential exposure to disease and dangerous organisms, including invasive species.

8.17 National Fire Prevention Association 472 For more definitive guidelines about emergency procedures, the Standard for Professional Competence of Responders to Hazardous Materials Incidents (referred to as NFPA 472) identifies the levels of competence required of responders to HAZMAT

196  ◾  Critical Infrastructure

incidents. It covers the competencies for first responders at the awareness level and the operational level, HAZMAT technicians, incident commanders, HAZMAT branch officers, HAZMAT branch safety officers, and other specialist employees. Guidance is provided for first responders on how to deal with terrorist activities and WMD. NFPA 472 specifically addresses the category of an individual who may be sent to a scene. NFPA 472 defines two categories of such responders: (1) private sector specialist employees B and (2) specialist employees C. Competencies are listed for both categories based on the prerequisite that all such individuals should receive first response awareness training. It should be noted that the distinction may be drawn such that any differences between categories B and C (with respect to additional training for category C specialists, based on the assumption that these personnel) may be required to work in non-safety areas.23

8.18 Osha Hazardous Waste Operations and Emergency Response The Occupational Safety and Health Administration (OSHA) Hazardous Waste Operations and Emergency Response (HAZWOPER)24 standard already recognizes that these types of individuals may be called to the scene to assist in the mitigation, control, or other aspects to aid the incident commander, as necessary. HAZWOPER rules include provisions for skilled personnel who have expertise in particular activities that are needed in the response but that cannot be performed promptly by the responding units, such as crane operators or tow truck drivers. These individuals are not expected to be trained emergency responders, nor are they expected to have prior training in accordance with HAZWOPER guidelines. Because it is likely that these individuals may be exposed to the hazards at the emergency response scene, they should receive appropriate on-scene briefing with respect to safety and health protections. Once emergency response operations are concluded and recovery and cleanup operations begin, those workers involved in these activities will not be considered emergency response workers and will be covered by other OSHA requirements. This section addresses only those workers called to the emergency scene to render some assistance to the incident commander, the unified command team, and the response team that is on scene.25

National Fire Prevention Association, Professional Competence of Responders to Hazardous Materials Incidents, NFPA 472, 2002. 24 Occupational Safety and Health Administration, US Department of Labor, HAZWOPER FAQ, http://www.osha.gov/html/faq-hazwoper.html (alt URL: http://cipbook.infracritical​.com​ /­book3/chapter6/ch6ref5.pdf and http://cipbook.infracritical.com/book4/chapter8/ch8r​ef7.pdf). 25 US Department of Justice Office for Domestic Preparedness, Emergency Response Guidelines, August 1, 2002; https://permanent.access.gpo.gov/lps55731/EmergencyRespGuidelinesRevB​ .pdf (alt URL: http://cipbook.infracritical.com/book3/chapter6/ch6ref6.pdf). 23

The Evolution of Physical Security  ◾  197

Typically, skilled personnel are asked to fulfill a particular task. In doing so, they are often briefed on safety and health hazards that they may encounter, as well as the types of control measures that any given incident commander may want them to follow. Typically, these persons understand the hazards they face in doing their job on a normal day. The briefing is intended to alert them about any extraordinary or unusual hazards that they may face and procedures to help protect them or those around them. Thus no one individual is asked to perform any given job or task in which that person cannot be reasonably protected from on-scene hazards, even though there may be some risks involved. Specialist employees are those who may have knowledge or expertise specific to particular hazards, equipment, processes, or chemicals that may be present at the emergency incident scene. The incident commander may benefit from their wisdom on the given subject. These personnel are expected to provide technical advice and assistance to the incident commander, and it is assumed that they generally will not be exposed to hazards on the scene. However, certain experts or specialist employees of railroad companies or chemical manufacturers may have been trained to work in Level A suits if necessary. These personnel receive training each year and must demonstrate their competency in their specialization area.

8.19 Skilled Support Personnel Skilled support personnel may be called upon to perform some functions that are related to a WMD or HAZMAT emergency response, are relied upon within the emergency response plan, and may receive some awareness training. This includes those with both physical and cyber-related training, particularly given the interwoven nature of physical and logical technologies. For example, a switch attached to the notification function of a smart device may be activated as a result of detecting a much broader range of frequencies that the cellular network. It is suggested that these personnel receive at least the minimum training on the awareness-level guidelines provided to public works agency employees before they have to respond to a WMD incident, situation, or event.26

8.20 Specialist Employee Specialist employees may be called upon for a WMD or HAZMAT incident response to provide information and technical advice unique to their particular specialty, or they may be asked to perform specific tasks that fall under their area of expertise, required by the incident commander to be undertaken at the scene. These specialist employees receive annual training in their area of expertise. They are also trained in how to work within an incident command system. Personnel are 26

Ibid.

198  ◾  Critical Infrastructure

expected to wear chemical protective clothing, perform unique tasks in the nonsafety areas zone, and will typically need additional training beyond the awarenesslevel guidelines.27

8.21 DOT HAZMAT Classifications The United Nations and the US DOT have devised a method of classifying HAZMAT based on the chemical and physical properties of the product that is referred to as a hazard class. Each of these classes is divided into specific subsets (e.g., gases that may be poisonous, flammable, or nonflammable). Oxygen and chlorine are gases that have their own individual labels. Each class has a symbol suggesting the primary type of hazard that it poses. DOT has cataloged every known toxic substance in the ERG,28 compiled by the DOT Research and Special Programs Administration29 and published by the US Government Printing Office and numerous distributors.30

Ibid. US Department of Transportation Office of Hazardous Materials, Emergency Response Guidebook; https://www.phmsa.dot.gov/hazmat/erg/emergency-response-guidebook-erg (alt URL: http:// cipbook.infracritical.com/book4/chapter8/ch8ref3.pdf), http://cipbook.infracritical.com/book3​ /chapter6/ch6ref2.pdf, http://cipbook.infracritical.com/book3/chapter6/ch6ref2a.pdf, http://cip​ book.infracritical.com/book3/chapter6/ch6ref2b.pdf, https://www.phmsa.dot.gov/sites/phmsa​ .dot.gov/files/docs/ERG2016.pdf (alt URL: http://cipbook.infracritical.com/book4/chapter8/ch8​ ref4.pdf), https://www.phmsa.dot.gov/hazmat/erg/summary-changes-erg2012 (alt URL: http:// cipbook.infracritical.com/book4/chapter8/ch8ref5.pdf), and https://www.phmsa.dot.gov/sites​ /phmsa.dot.gov/files/docs/Summary_changes_ERG2016.pdf (alt URL: http://cipbook.infracriti​ cal.com/book4/chapter8/ch8ref6.pdf). 29 Office of Pipeline Safety, Pipeline and Hazardous Materials Administration, US Department of Transportation, PHMSA Research and Development, http://primis.phmsa.dot.gov/matrix​ /RfpInfo.rdm?rfp=1&s=614443CCEA804822B0692455BBA3651C&c=1 (alt URL: http:// cipbook.infracritical.com/book3/chapter6/ch6ref4.pdf). 30 Federal Emergency Management Agency, An Orientation to Hazardous Materials for Medical Personnel, IS-346, September 1997; http://cipbook.infracritical.com/book3/chapter6/ch6ref8​ .pdf; an updated version, along with the brochure and course material, may be found here: https://training.fema.gov/is/courseoverview.aspx?code=IS-346 (alt URL: http://cipbook.infrac​ ritical​.com/book4/chapter8/ch8ref8.pdf), https://training.fema.gov/is/coursematerials.aspx?code​ =IS-346 (alt URL: http://cipbook.infracritical.com/book4/chapter8/ch8ref9.pdf), https:// training.fema.gov/emiweb/is/is346/entire%20course.pdf (alt URL: http://cipbook.infra​ critical.com/book4/chapter8/ch8ref10.pdf), and https://training.fema.gov/is/docs/factsheet​ .pdf?v=20170606 (alt URL: http://cipbook.infracritical.com/book4/chapter8/ch8ref11.pdf). 27

28

The Evolution of Physical Security  ◾  199

8.21.1 DOT HAZMAT Class 1: Explosives This is a chemical that causes a sudden, almost instantaneous release of pressures, gas, or heat when subjected to sudden shock, pressure, or extreme temperatures. Explosives usually have thermal and mechanical impact potential.31 Explosives may pose other forms of risk, depending on the specific compounds involved. These risks may range from the chemical to the fire hazard.

8.21.2 DOT HAZMAT Class 2: Gases Gases are grouped into three types: (1) compressed, (2) liquefied, and (3) cryogenic. Gases can be flammable, nonflammable (sometimes called inflammable), or poisonous. Gases have the ability to vaporize, which could cause respiratory issues to human life and cause thermal-related injuries or cause due to exceedingly cold temperatures.32

8.21.3  DOT HAZMAT Class 3: Flammable Liquids This also includes combustible liquids. Flammable liquids are liquid substances with a flashpoint below 10°F (e.g., alcohol or gasoline); combustible liquids are liquid substances with a flashpoint higher than 100°F, but below 200°F (e.g., various oils, such as household heating oil and solvents).33

8.21.4 DOT HAZMAT Class 4: Flammable Solids This also includes solids that are reactive. Flammable solids are likely to cause fires through friction or retained heat from a manufacturing process that may be easy to ignite; reactive solids are solids that are unstable under environmental conditions and can produce or intensify sudden heat or explosive properties when exposed to other chemicals or when they come into contact with water or organic substances (e.g., potassium, sodium, aluminum, or magnesium—all of these solid metals are highly combustible when exposed to water).34

8.21.5 DOT HAZMAT Class 5: Oxidizers This class also includes peroxides. Oxidizers are materials that can be in any form (gas, liquid, or solid state) and have the potential to readily yield oxygen, which supports combustion or explosive scenarios. This can include gases such as oxygen, ozone (which is a gaseous molecule that contains three oxygen atoms (O3); Ibid. Ibid. 33 Ibid. 34 Ibid. 31

32

200  ◾  Critical Infrastructure

ground-level ozone is a product of reactions involving hydrocarbons and nitrogen oxides in the presence of sunlight, and is a potent irritant that can cause lung damage or respiratory problems35), or chlorine; liquids such as bromine, hydrogen peroxide, and nitric acid; and solids such as chlorates, iodine, nitrates, and peroxides.36

8.21.6 DOT HAZMAT Class 6: Toxic Materials This also includes infectious substances, which include etiological or infectious organisms (e.g., anthrax, botulism, polio). Toxic materials may be harmful to human life due to inhalation, ingestion, or absorption through external layers of the skin; these substances can be in either liquid or solid form or may be produced through irritants which are dangerous or harmful fumes when exposed to air or fire (e.g., xylyl bromide).37

8.21.7 DOT HAZMAT Class 7: Radioactive Materials Any material that spontaneously emits ionizing radiation that has specific activity greater than 0.02 µCi per g is considered harmful to human life. Depending on the exposure, it can be fatal or cause serious harm to internal organs or long-term effect, resulting in cancer.38

8.21.8 DOT HAZMAT Class 8: Corrosive Materials This refers to any liquid or solid material that can damage living tissue, steel, or glass on contact (e.g., sulfuric acid, hydrochloric acid, ammonium hydroxide). Corrosive materials can also be classified as an irritant, as fumes from acids can have debilitating respiratory consequences on humans if inhaled.39 US Environmental Protection Agency, Mobile Source Emissions—Past, Present, Future— Definitions, March 2005; an updated version may be found here: https://www.epa.gov​ /clean-air-act-overview/air-pollution-current-and-future-challenges (alt URL: http://cipbook​ .infracritical.com/book4/chapter8/ch8ref12.pdf 36 Federal Emergency Management Agency, An Orientation to Hazardous Materials for Medical Personnel, IS-346, September 1997; http://cipbook.infracritical.com/book3/chapter6/ch6ref8​ .pdf; an updated version, along with the brochure and course material, may be found here: https://training.fema.gov/is/courseoverview.aspx?code=IS-346 (alt URL: http://cipbook​ .infracritical.com/book4/chapter8/ch8ref8.pdf), https://training.fema.gov/is/coursematerials​ .aspx?code=IS-346 (alt URL: http://cipbook.infracritical.com/book4/chapter8/ch8ref9.pdf), https://training.fema.gov/emiweb/is/is346/entire%20course.pdf (alt URL: http://cipbook​ .infracritical.com/book4/chapter8/ch8ref10.pdf), and https://training.fema.gov/is/docs/fact​ sheet.pdf?v=20170606 (alt URL: http://cipbook.infracritical.com/book4/chapter8/ch8ref11​ .pdf). 37 Ibid. 38 Ibid. 39 Ibid. 35

The Evolution of Physical Security  ◾  201

8.22 Importance of Implementing an Emergency Response Plan The effectiveness of responses during emergencies depends on the amount of planning and training conducted. During HAZMAT incidents, many additional burdens may be placed on local environments. Stress effects resulting from HAZMAT incidents can cause increases of a plethora of various stress-related symptoms and can produce situations resulting in potentially fatal results, such as cardiac arrest or further contagion to other individuals. When all incidents are compounded, the situation can get out of control—quickly—unless detailed procedures for handling such incidents are available and readily accessible. In addition, simply having these procedures in place may not be enough. Periodic review of the procedures, establishing updates as they are needed, and ensuring that the procedures reflect current environmental conditions are necessary measures to ensure the effectiveness of the utilization of these procedures and planning initiatives.40

8.23 Authors’ Notes Within the incident response realm, the theoretical concept is to identify, report, mitigate, and respond to incidents as quickly as possible. So this question must be asked: Given a limited number of first responders, is there a role for the public’s involvement? If critical infrastructure protection has an impact across the whole community, at what point do we engage the citizens as part of the effective response to an event, and to what extent? This question is fraught with legal and social perils. On one hand, society believes itself to have a right to be protected but has translated that right into the right to have somebody else come and protect you. Although it is understood that many citizens would be unable to respond effectively and would likely become casualties, should citizens be encouraged to identify what they can do without putting themselves too much into harm’s way? A similar question involves the detection of behavior or situations that can pose a threat to public safety if left unchecked. Consider this situation: Individuals at a processing plant claim to have observed or participated in acts that run contrary to food safety practices. While the focus may be on the management of the plant or the various inspection routines, what does this say about the individual who is willing to participate in those acts but leave them unreported? Perhaps one illustration of this dilemma comes out of larger organizations. One author has had direct contact with an (anonymous) organization that does not want to provide fire extinguisher training to employees due to the costs associated with that training. The common response is that employees are not firefighters—in the minds of the authors, this becomes a question of due diligence. 40

Ibid.

http://taylorandfrancis.com

Chapter 9

The Insider Threat 9.1 Defining the Insider Threat The concept of an insider threat has been with us ever since there was competition between organizations. It is nothing new. Ancient military forces employed spies, saboteurs and sought for turn-coats several thousand years ago. Sun Tzu wrote of using spies and other similar persons in the gathering of information and disrupting of plans. The Roman Army often wrote on the value of collaborators within communities that could help them identify key persons, strongholds and economic activities. Even in modern times, there is little doubt that having an “inside track” or “privileged access” gives an organization a competitive advantage. The first layer of definition involves identifying an insider threat as being a member of a trusted community. This does not necessarily mean an employee, a contractor or a visitor—it refers specifically to a person that operates as part of that environment. This means that the concept of an insider threat becomes uncomfortable in many organizations because it forces the consideration that individuals may betray the trust, confidence or even friendships within those communities. When looking at this issue, therefore, we need to understand that there are three major factors that differentiate the insider and external threats. The first involves the intent and commitment of the individual. These two elements (intent and commitment) are likely the two most aligned elements when describing the threat. The second element involves the fact that the insider threat belongs to part of the community. That means that its proximity is immediate, and it will have an expanded ability to move effectively within the organization. The third element involves the knowledge, skills, and resources available to the threat. For the insider threat, the opportunity to develop or elevate these three characteristics’ gravity is a key element and even reveals a significant flaw in how many organizations approach the design of their security controls. 203

204  ◾  Critical Infrastructure

The final element associated with the general treatment of the internal threat issue is that it is rife with subjectivity and subject to various interpretations. While the organization may see the insider threat in terms of their betrayal of trust and potentially devastating impacts, the individual may be motivated by other factors that would make their intentions appear to be noble or even heroic. The individual may be convinced of the rightness of their actions and may well hide any of the normal personal indicators that would be looked for behind that shield. Addressing these elements effectively means shifting the design philosophy not only within security, but also within such key processes and staffing, hiring, supervising and discipline. The other challenge with an insider threat program is that it takes an approach that most organizations are loathe to adopt because it requires them to make the statement or assumption that there is a need to monitor the loyalty, integrity and honesty of its employees. While this message may be easily sent, it can be received and interpreted badly—leading to its own impacts, one of which is fostering an environment within which an insider threat can flourish. Those who have studies the various anti-terrorism and counter-terrorism campaigns that arose in Africa (Nigeria, Congo, Angola) or parts of Europe (Ireland) have very strong examples of how a population, when put under this kind of pressure, can have its moderates swing towards the opposition in response to what may be perceived as inappropriate, unnecessary or even oppressive controls.

9.2 Intent and Commitment 9.2.1 What Motivates the Insider Threat? When comparing the internal and external threats, the area with the most overlap involves the intent of the individual. How the organization chooses to perceive itself and how the insider threat perceives the organization, or even a single aspect of the organization, become at odds with each other. The source of this misalignment follows the traditional reasons: (1) financial, (2) status, (3) ethical/moral/ religious, and (4) social issues. Financial pressures may involve the need to alleviate financial pressure (such as massive debt) or the desire to achieve greater wealth and its accoutrements (larger house, etc.). The primary source of the dissonance lies in the individual’s own desires or needs, and the reward structure offered by the organization. The second element involves personal status. The threat may feel that their work is not appreciated within the organization. It may also perceive others as having received inappropriate recognition. Again, the core consideration is the difference between the individual’s perception or need and that of the organization. The third element (moral/ethical/religious grounds) involves the individual determining that there are a set of higher values that need to be adhered to and that

The Insider Threat  ◾  205

the company is deficient in meeting the requirements of those values. This factor is important in that there is consistent belief that the organization’s approach is deficient. Finally, an insider threat may also be the result of social pressures. Individuals who develop affiliations with competing entities (or even hostile entities) These entities may demand proof, or the individual may wish to demonstrate their value to the group (essentially a matter of status) and elevate their status within the group. When looking at the issue of the insider threat, understanding how organizational beliefs and decisions can influence these four factors is a key element when attempting to assess the probability of insider threat issues. While the source of cognitive dissonance (financial, status, ethics, social) may lie at the base of the issue, there is a second layer that involves how the individual responds to that cognitive dissonance. These four factors can be described in terms of (1) reward, (2) avoidance, (3) justification and (4) retribution. These two sets of four operate in pairs to give a structure to the kind of insider threat. For example, an individual seeking financial reward may attempt to sell secrets or steal funds. An individual seeking to avoid financial costs or penalties may attempt to falsify documents or statements. An individual may attempt to justify their steps taken to disrupt a service by claiming that it serves a “greater good.” This approach allows for an organization to begin to generate a spectrum of first possible activity and then refine that, through surveillance, to start to identify probable activity.

9.2.2 The Changing Attitude Towards Employment These foundations can be linked to a current shift in how people perceive the nature of careers and employment. Many of the current models continue to assume that an individual seeks the stability of their position and then works to manipulate financial, personal, and other rewards and sanctions in the context of the individual remaining in that position. This approach had merit with the generations that sought stability (long term employment/pensions) in their lives. Today, however, the upcoming generations may change jobs once every two to three years as they seek out greater responsibility, challenges, and opportunities. The result is that there is a natural increase in the cognitive dissonance associated with reward and status that can lead to an individual seeking greater rewards or justifying acts to accomplish the same results as advancement would.

9.2.3 The Impact on Intent and Commitment While an intent may have formed, the commitment to act or to press through with an action must also be considered. This will be dependent on several factors. First, and foremost, will be the individual’s tolerance with respect to the risk of suffering sanctions versus the perceived rewards or benefits. The greater the risk of sanction (in terms of severity or probability of failure), the greater the downward pressure on commitment. The second factor involves whether the individual sees that context

206  ◾  Critical Infrastructure

as improving or degrading. Where the situation is improving, the likelihood that the individual decrease. Where the situation appears to be degrading, this can lead to the individual becoming increasingly desperate and increases the risk that the individual will commit the act. The third element that can influence this is the change in external factors acting on the individual. While the context may deal with conditions, this third category deals with influences that may act or push the individual towards acting. This may involve pressures from fellow employees, family members, acquaintances or others that have identified a situation and will likely use the individual’s desperation as a vector to attack from. One common method of assessing the potential impacts on an organization involves using an annualized rate of occurrence factored by an average cost of an event. The challenge here is that this assumes that there is a linear curve. This does not reflect the normal behaviour of persons. An individual may reinforce their commitment to act by having many successful attempts. These successful attempts reduce the individual’s focus on the sanctions (in terms of likelihood) while reinforcing the reward aspect of the attack. Given that this curve involves many highly subjective factors, concerns may be raised by attempting to compare two or more individuals within the same set. Where multiple persons or threat agents are involved, threat profiles should be considered or developed, and the level of commitment should be expressed as a range.

9.3 Knowledge, Skills, Abilities, and Resources The insider threat is part of a community, often a trusted community, and can become a significantly grave threat to the organization for several reasons. These include, but are not necessarily limited to, the following: ◾◾ The individual has direct knowledge of what assets may be vulnerable to certain kinds of attacks through observation and exposure; ◾◾ The individual has direct knowledge of at least some of the security controls that are used to protect those assets, including having indicators of what factors may trigger a response; ◾◾ The individual may have the ability to identify gaps in routines or coverage that would allow for more means or opportunity to attack; ◾◾ The individual may be given a token, given information acting as a token or be registered into systems that allows for the bypassing of security controls; and ◾◾ The individual may have significant time and ability to operate within the environment without raising suspicion. From a capacity-based approach for the threat, this elevates the gravity of the threat significantly given that the threat has the means and opportunity to penetrate

The Insider Threat  ◾  207

many of the security controls within little to no interference. The individual has a defined job description that provides a tacit level of authorization to certain kinds of access to perform their job. The individual may be registered in systems (such as for email or file sharing) that allows the individual to gain access to information. Further to this, however, is that the time it takes for the individual to proceed through the attack cycle is greatly increased. While external attackers must spend time in reconnaissance to identify targets and to identify what they may need to be successful, the insider threat understands this as a matter of course.

9.3.1 The Ability to Target The initial phases of both physical and logical attacks involve a degree of reconnaissance. While the physical attack (consisting of conceptualization, initial reconnaissance, target selection, detailed reconnaissance, planning, preparation, execution and exploitation/escape) and the logical attack (consisting of conceptualization, external reconnaissance, breaching the perimeter. Lateral movement, escalation of privileges, delivering the payload, executing the attack, covering tracks), the first key element is that the threat, to perform reconnaissance must act in a way that may be detected by the intended target. If detected, defensive controls can be adjusted to intercept the attacker before the organization suffers the injury associated with a successful attack. The insider threat, however, operates within the physical and logical space, meaning that the time needed to conduct this research or reconnaissance is greatly reduced. This can lead to a 0-day scenario for both the physical and information security communities. If the insider threat has access to the asset (including information or data) as part of the work, it is possible that the breach will be discovered at the point where the organization suffers the full extent of the injury (such as reading sensitive data on the Internet). When considering the security mantra of prevention (or protection), detection, response and recovery, this means that the organization is immediately forced into the recovery phases of an event with little way of preventing the loss.

9.3.2 The Ability to Lengthen the Breach The second aspect of this involves the attacker’s ability to prolong the breach by concealing their actions. If the insider threat has access to the files and permission to remove them, then it can simply remove select files at any point in time. This ability allows the attacker to increase the number of successful attempts and keep each attempt below the normal thresholds for detection. Copying a full hard drive may raise alarm bells but copying a couple of folders may well look explainable. Further, the attack can be done in such a way that while it uses many attempts, it does not set a pattern that would point towards a larger attack. The insider threat must also be considered distinctly from other threats in that the insider threat may not just commit one act but attack the system in such a way

208  ◾  Critical Infrastructure

that recurring breaches or injuries occur. Instead of simply breaching the network once or creating the conditions supporting a denial of service attack, the attacker could create conduits and routes past the controls. This is becoming increasingly important when one considers the variety of tools that are used to breach networks that are currently available on the Internet.

9.3.3 The Ability to Abuse Processes Finally, one must also be aware that the insider threat may well take steps for their own protection. This may involve measures to conceal one’s own actions but may also include steps to force the organization to “back off.” This may include the use of complaint processes or avenues that can be used to force a reduction in supervision or management. While such processes and avenues for redress are very important to those that have legitimate claims (and therefore become necessary within the organization), the ability to detect and respond to persons that attempt to use or abuse these processes as a means of avoiding detection through security or even supervision is equally critical. Organizations may become progressively vulnerable to this form of abuse as the social and political climates demand that the organization demonstrate that it has taken every reasonable step in ever circumstance. The capacity of the insider threat, therefore, can be described in terms of its ability to use the organization’s own culture, resources and processes against itself.

9.4 Proximity and Mobility The concept of proximity and mobility peaks to the ability of the insider threat to reach its intended target either physically or logically. This may involve being able to access certain files, drives or services on a network. It may involve being able to access certain kinds of spaces. The challenge here is that the threat is part of the community.

9.4.1 Proximity to the Community When defining the community in this context, one needs to look at it as being more than simply part of the organization chart. This includes the levels of access that are granted to outside communities that an individual may be given access to perform certain roles. Certain roles within an organization may have to be treated distinctly in this regard. These are communities that have expanded access due to their daily operations—such as security, safety, environmental controls, maintenance, and other supporting services. In this case, there needs to be a balance between the level of access given to facilitate business processes and the level of access restricted to reduce the risks of these kinds of attacks. This may be more complicated than some

The Insider Threat  ◾  209

imagine, particularly as organizations shift priorities and demand greater responsiveness from coordinated services. Each of these positions, however, should be readily distinguishable from what may be described as baseline or normal levels of access and treated accordingly. Many organizations simply require these positions to undergo a more rigorous security screening. The argument is that this elevated level of screening demonstrates that the organization is doing more due diligence before giving the individual access. This, however, is a flawed approach. The security screening process, while vital in many respects, is not the complete solution to the problem although many managers and supervisors will trust the elevated level of clearance implicitly. The first challenge with this is that most clearance processes deal in final outcomes (such as a criminal conviction). If the individual has somehow avoided the charge or the record entry, then there is a significant possibility that the issues would not be reported. Secondly, many of these processes take considerable time and effort to prosecute meaning that some organizations may attempt to find ways to reduce what would be normally seen as reasonable actions in order to avoid public criticism or legal actions. Finally, as we see more migration and movement of persons, these processes may not actually be possible to complete due to gaps in the credibility of other systems or the lack of information sharing arrangements between systems. When using the security mantra of “detecting and responding to a threat faster than the threat has time to commit acts that lead to injury,” then the insider threat may be considered having been given a significant head start.

9.4.2 Mobility within the Community While a threat may be near its target (or not), the next aspect of the insider threat is its ability to move and operate within the organization’s context without arousing suspicion. There are several aspects to this. Trust is a commodity that must be earned and should not be assumed. This means that the presence of a clearance should not be used exclusively and should only be used to indicate that, at the time of the granting of such clearance, there were no overt areas of concern. Second, the clearance must always be linked to appropriate managerial and supervisory controls. This is often described in terms of possessing a security screening at a requisite level of sensitivity in addition to having a need for access to perform one’s duties. This is where the systems often break down, particularly in organizations with a weaker security culture. In these instances, organizations often lose control over sensitive spaces or levels of access when arguments arise that such controls are not necessary or impede the work environment. For example, one should not simply allow all individuals into sensitive processing areas based on an individual’s feeling of personal inconvenience. Similarly, in circumstances where an individual seeks access to those spaces that are not from within that group, it is incumbent upon the organization to determine if such access is, in fact, required. In organizations

210  ◾  Critical Infrastructure

that have weak security cultures, these kinds of controls may be onerous or perhaps even draconian, but the lack of those controls leaves the organization easily penetrated. Mobility also refers to the latitude that is given individuals in certain processes. A well-defined job-description and management structure will often support a need-to-know by clearly outlining which individuals should have access to certain kinds of information. This can be expanded to include a need to share given that the individual job descriptions can be trusted to provide adequate detail to meet the thresholds for exercising due diligence. In some organizations that suffer from high internal turnover, there is a temptation to create generic job descriptions across whole classes of employees. From a security perspective, this introduces a significant vulnerability in that the organization loses the ability to refer to the expectations placed on the employee and indicate what access should be allowed and what access should be limited. The primary reason for this generally involves facilitating the staffing process within an organization, allowing the job descriptions to be approved and provide more latitude for individual staffing processes.

9.4.3 The Ability to Camouflage Activities Finally, the insider threat has an advantage over the organization in that it can camouflage its presence and activities. Consider the employee that always remains late after work to complete tasks. On one hand, the employee may be attempting to gain isolation to conduct some nefarious activity. On the other hand, it may be that the employee is dedicated, and the workload assigned has deadlines that are beyond the ability of the organization to meet during regular working hours. Because the employee is part of the trusted community or regular community, it can easily integrate itself into the general environments and avoid detection.

9.5 The Need for Organizations to Listen, Adapt and Control The challenge associated with the insider threat may do well looking back at the anti-terrorism and anti-insurgency lessons learned. One of these lessons involves understanding how an organization would attack to prompt a heavy-handed response that would then drive more of the moderates towards the insurgents or terrorists. In this case, the response to the potential insider threat could create an environment in which the more reasonable (and loyal) members of staff feel that they are being punished without reason. The result becomes an environment in which management loses a degree of its ability to manage the situation without having to move to a very significant, if not catastrophic step.

The Insider Threat  ◾  211

Part of the reason for the increase in the number of cases of apparent insider threats involves the change in how people see themselves and their employment. In the past, many individuals expected to be able to work for the same organization for almost a full career. They became part of the company and then worked hard to advance through that company. They essentially traded off an element of their freedom and self-satisfaction to achieve the stability of pensions and other considerations. We still see vestiges of these systems through organizations such as the various public services and certain larger companies. For the younger or newer generations, this is no longer the case. While people were previously prepared to commit a lifetime (in many cases, not all) to a company or organization in the past, today’s numbers show that people may change their career four or five times in the same period. The desire for stability has been replaced with a desire for satisfaction. Individuals are far less likely to accept waiting for years before being given development opportunities or before reaching a point where they can be empowered significantly within an organization. When looking at the reasons why individuals changed jobs, certain trends have become apparent. Of the reasons cited, one of the most prevalent was that there were no more significant opportunities for advancement. This was closely followed by individuals that felt dissatisfied with their leadership or the leadership of their senior management. These two elements appear to have been closely ranked. It should also be noted that the top reason for leaving (the lack of advancement) and the lowest reason (the reward structure) only differed by 13 percent in a range of surveys. One might argue, therefore, that one should closely watch the lack of advancement, dissatisfaction with leadership, the level of challenge at work, the work culture and the reward structure as part of a balanced approach.1 The reason why this trend is likely to continue involves a challenge with workplace balance and a growing divergence between expectations and rewards. One article in Forbes indicated that a company that was not growing at over 30 percent would be less likely to offer the new experiences, challenges or building opportunities that would be encountered when changing jobs.2 There are not too many markets today that are growing at that rate unless they are younger companies or companies that are essentially starting out on new business lines. The transition of the organization from a refuge within which a person could build a life to a stepping stone or a tool with which a person builds their own life is one of the foundations of the challenge with the insider threat. This is because the organization has become, in the mind of many persons, a tool by which they achieve their own goals. The balance has shifted from one of what may be described as an uneasy symbiosis (trading time for stability) to one where the company must https://business.linkedin.com/talent-solutions/blog/2015/08/new-research-reveals-the​ -real-reason-people-switch-jobs-and-it-isnt-money-or-their-boss. 2 https://www.forbes.com/sites/lizryan/2016/10/28/ten-reasons-successful-people-change-jobs​ -more-often/2/#6e1315c04fe2. 1

212  ◾  Critical Infrastructure

be able to demonstrate to its workers that being there is in that individual’s best interest. To identify these particular challenges, an organization’s management can balance their approach along the following core principles: observing, listening, adapting and controlling.

9.5.1 Observing Many organizations will attempt to promote or distribute lists that provide triggers or indicators of what an insider threat looks like. These need to be taken with a grain of salt. For example, a manager that consistently works late may be an insider threat or may be trying to make sure that the business of the day is properly wrapped up before going home. There are some indicators, however, that do appear to be more common. When looking at the concept of observations, there are two main factors. The first factor is knowing the individual’s work habits and preferences. Different people will have different work habits and the organization’s supervisory level needs to understand these work habits in such a way as to reduce the risk of false positives (falsely identifying the employee as a potential insider threat) as these false positives can quickly poison even a productive and loyal employee’s thinking. The second element involves knowing the individual’s circumstances and looking for changes that happen nearly-in-parallel to life changes. For example, an employee that suddenly takes on a significant debt may not simply walk into the office and commit computer fraud that same day. There are going to be periods during which the individual must resolve doubts and go through their own iteration of the attack cycle. If an organization has been monitoring for chances in circumstances and then detects a change in the work behaviour, then this may indicate a need for closer scrutiny. This brings up another immutable approach within the security domain—that deviations from the normal behaviour of something should have some form of explanation or be considered issues to be resolved. That deviation may be within accepted norms. The insider threat may well know the thresholds for suspicion and may tailor their activities to remain within those norms. The use of norms and thresholds should be regarded with caution and have an understanding that it is unlikely that behaviour will have sharply defined parameters.

9.5.2 Listening The second element of the approach in dealing with the insider threat is listening. This should not be confused with hearing. It means hearing the message, but also attempting to process that message in a meaningful and empathetic dialogue. It should also be clear that this does not simply mean that the organization needs to

The Insider Threat  ◾  213

capitulate and give individuals what they want every time they demand it. This is a two-way street and both parties must come to the process in good faith. Consider, for example, an employee that feels that their work (which has been above average but not necessarily exemplary) is not being appropriately recognized. Failing to recognize that this is a potential factor in the emergence or evolution into an insider threat would be a serious misstep. The individual is not an insider threat—simply a person that has an issue. If the supervisor simply returns with a “canned speech” (and employees pick up very rapidly when management is using programmed communications) and the employee does not feel that there has been a meaningful communication, then the evolution towards becoming an internal threat may continue. If, on the other hand, the supervisor is able to sit down with the employee and identify, in a constructive manner, what needs to happen, the range of potential outcomes still has potentially negative results (where the employee rejects the results) but also has potential positive outcomes. This is where there needs to be a significant understanding within an organization’s leadership in the differences between programmed organizational communications (such as may be used to announce the start of a major project across the organization) and personal communications (which should have some level of personal connection with the individual).

9.5.3 Adapting The act of listening, however, is nothing if there is no concrete or tangible response to that listening process. There also needs to be a level of adaptation that addresses those things that were identified in the listening process. Consider again the example above. While management or the supervisor may have listened during the conversation, no action was taken. The employee may interpret this as a statement that the organization (informed of the potential impacts associated with non-action) has decided that those impacts are more acceptable than the costs associated with fixing any identified issues. Again, this pushes the individual towards that sense of adverse or non-recognition that begins to foster the formation of the internal threat. This adaptation needs to be controlled and carefully documented. If the source of our employee issue involved a specific condition, then that condition should be carefully documented so that the factors leading to a decision are well-known. The decision should also be understood in the context of being a result of not only those conditions but also the nature of the dialogue between the employee and the organization. An employee that comes forward in a positive manner (such as requesting assistance in resolving an issue) should be identified in the process as having been part of the solution and, because the route to that solution was relatively straightforward and free of hinderances, an optimal solution could be found. Where an employee chooses a confrontational or negative approach, then the employee should bear some responsibility for this action. That may involve

214  ◾  Critical Infrastructure

making it clear that the costs associated with the negative approach eroded the organization’s ability to provide an optimal solution. This operates at more than an individual level, adaptation also requires an organization to take two steps. The first involves ensuring that its operating frameworks are set up in such away that there is adequate slack at each level of management to manage. Similarly, the frameworks must have adequate flexibility to respond to new pressures. This does not mean that these frameworks should be without some concrete form or limitations. These limitations should be established clearly so that the limits of flexibility are clearly understood. For example, it may be considered allowed that an individual bring a personal data device into work in order to listen to music. If this is the case, then it should also be made clear that this is a privilege within the work environment that has certain conditions, such as that the user will not attempt to charge the device using a USB connection to the company network. Should an individual be caught violating that condition, then the privilege should be removed, and the individual looked at in terms of any internal approach to discipline.

9.5.4 Controlling This last aspect is very important from a Critical Infrastructure perspective. The organization must continue to provide (and be able to assure it can provide) a service. Failing to maintain effective control over the work environment means that this assurance is being eroded from a management perspective—particularly if it is linked to actions that were declared to present too much risk to the organization. Consider, for example, that military persons in the field may be able to maintain their smart devices (some forces having declared that they cannot enforce the policy, so they are no longer going to enforce it). Does this change the reality that such devices, if monitored, could provide the locations of individuals carrying them under certain circumstances? It does not. Does it change the fact that if an adversarial force were to receive that information, it could act against that group and potentially establish an element of surprise? No, it does not. In this context, the management and leadership need to be careful to ensure that some other control is in place to prevent this kind of undesirable outcome. One example that comes to mind involves the recent revelation that some fitness tracking devices could be used to identify the perimeter of camps and locations of camps. Does this information provide a level of value to an adversarial force? Of course. Any information that can be used to predict movement and determine patterns in operations can be of some level of value. At the same time, the lack of exposure of the threat when gaining this information should also be noted. Would this principle, which appears to work for camps in the desert, also work for ships at sea? It may well. If certain communities will not accept the controls being put in place, the organization may well want to take two approaches. The first may be to declare certain conditions to be completely unacceptable and continue to enforce

The Insider Threat  ◾  215

the conditions under those (potentially less rigorous) circumstances. The second is to ensure that those who refuse to accept the controls are required to share the burden of any consequences that may arise out of those circumstances. It the case of the camp or crew, it should be clear that if the organization was targeted for an attack and that attack exploited that vulnerability, it should be made clear that those that were part and parcel of the vulnerability exploited bear some accountability and responsibility for their actions. In some cases, the organization may find that making this clear goes a significant way in resolving the issue. For example, in the military context, very few (if any at all) are willing to put their colleagues at risk for their own personal convenience. In this respect, the need for communications becomes clear—not in terms of issuing edicts but in terms of getting people in line with the organization’s goals and then explaining how certain factors can affect those goals.

9.6 The Alternative Approach to Staffing and Resource Management One element that may be considered within organization involves what may be described as a return to fundamentally sound practices. If one accepts the premise that the current generation of incoming younger workers is focussed on self-actualization and advancement and no longer seeking stability, then one can anticipate that hiring an individual to do a single job will yield diminishing returns in the future. An individual may be highly motivated at the outset but may establish routines that gradually transmute into restlessness or dissatisfaction which then provides the incentive to leave. If the organization begins to adjust its hiring and staffing practices to move into career streams, however, it can identify optimal numbers of persons to be in those streams so that the overall stream remains filled. For example, a senior manager may retire, and this approach would allow the top performer of the next level of management down being able to move upwards and for those behind that individual to advance accordingly. The first step involved in this process is returning to clearly defined job descriptions, roles and responsibilities. Currently, there are many organizations that use generic job descriptions as a means of easing the staffing and classification burden. The result is that individuals become unclear as to what is expected of them and how they need to progress to meet the requirements of the next step. This lack of clarity transforms into stresses which, in turn, transform into factors that increase the desire to leave or realize benefits through other means (i.e. becoming the insider threat). The second element involves being able to map out the various steps that need to be met for an individual to progress. Some organizations take the approach of hiring an individual into a position then considering them for training. Would one do this for the pilot of an aircraft? Of course not. So why would an organization

216  ◾  Critical Infrastructure

give them helm to an individual not ready to take control? In this context, the first stable level of management may wish to consider a period of acting positions where the individual works on the understanding that they are being monitored and coached to determine if they can assume that level of responsibility. Having the clearly defined background material for this is an important first step in that those that possess it are more likely to succeed than those that do not. The coaching and mentoring allows the organization to determine if they can apply that knowledge.

9.7 Authors’ Notes What is clear is that if the current generations of workers are going to be motivated by advancement, then organizations need to be prepared to accept that. It is equally clear that having a roadmap that clearly defines what needs to be met to be considered for advancement provides not only the clarity necessary to state that advancement is possible but also places clear expectations on an individual’s performance should they want to advance. The days, however, of being in a job that will simply provide stability for a lifestyle and offer advancement appear to be largely gone by the wayside as are the days when organizations can simply attempt to meet demands in order to keep their workforce.

Chapter 10

Safeguard Design In this chapter, we review and analyze the associative elements that are aligned to threats, the targets that are in-scope of the given threats (or attack), what risks (depending on how much the threats align with the overall operation) may be associative to the threats, and finally what form of countermeasures should be implemented. The graphic (shown in Figure 10.1) outlines a swim lane1 approach as to the overarching process that will be explained in greater detail within and throughout this chapter.

10.1 Responding to the Threat Three major elements of risk include the threat, the asset or target the threat attacks (to cause damage or disruption) and the vulnerability that the threat exploits. One might rephrase this to state that a threat exploits a vulnerability to cause some form of damage (any one or more of disclosure, destruction, or disruption) to an asset, thereby creating a loss for the organization that may be looked at in terms of risk. When an organization is looking to address risk, there is a hierarchy between these three factors in the span of control. Assets are clearly within the span of control and can be managed at the will of the organization. It is simply a matter of management making the decision to increase the number of assets (reducing single points of failure or preventing supply chain disruptions), changing the assets (making them more robust or resilient to impacts), or their location (such as 1

A “swim lane” (often referred to as a “swim lane diagram”) is a visual representation of process flow diagrams that distinguish job roles and responsibilities for processes of a given system (and it associative business processes). Swim lane diagrams may be arranged horizontally or vertically.

217

218  ◾  Critical Infrastructure

Threat element

Target element

Risk management

Control design

Start

Arrangement into systems/layers of defence

Understand threat intent

Physical, procedural, technical, administrative

Understanding capability, opportunity and resources

Value of asset and specific input

Risk management (approach to dealing with loss)

Permeation of the harmonized model

Understand proximity, mobility

Nature of injury/ damage leading to the outcomes

Focus of control (protect, detect, respond, recover)

Point of interception in the attack cycle

Desired threat outcomes

Level of assurance that control functions

Link between control and risk (asset, threat, vulnerability)

Output of threat profile

Figure 10.1  Steps in thinking when designing security controls.

risk avoidance by positioning critical assets outside of potentially impacted areas). Threats are largely outside the span of control of the organization but can be influenced by the organization. If threats could be “managed”, we would simply pass a resolution and make them disappear. The organization can, however, take steps that would make the threat believe that any attempt to attack would most likely fail and that the efforts would be best spent elsewhere. This is not threat management (we are only influencing the threat) but is the foundation of concepts such as deterrence and threat displacement. The middle ground between the threat and the asset involves the vulnerability that the threat exploits. The organization can manage its part of the vulnerability (by adding, removing, or changing controls or making changes to the asset) but needs to understand that the threat is likely to learn of and adapt to those changes.

10.1.1 Understanding Intent Those that have been practicing within the security domain for a while understand the challenges associated with the delineation of deliberate, accidental and natural

Safeguard Design  ◾  219

threats. Consider a car ploughing into a crowd of onlookers. At the first step, we do not know if there was an intent to cause this terrible damage or not. The investigation will determine if there was an intent or purpose to the attack. A clearer delineation of threats might involve: ◾◾ those that are the result of an intent (having purpose); ◾◾ those that are not the result of an intent (such as losing control over a vehicle); ◾◾ or those that are sourced from environmental or natural influences (where the intent is part of the nature of the event). There are two aspects of intent to consider. The first element is the level of damage or consequence that the threat is willing to cause. A threat that may want to make a point about the environmental issues surrounding a power station may seek to protest and disrupt operations (reducing the environmental impact) but may not go so far as the destruction of the plant as that act would be counter to the purpose of protecting the environment (the threat’s main goal). Other threats, however, may take a different route, stating that the destruction of one plant and the local consequences may serve as an example to all the other plants. That structure of the intent may lead to an attack involving the release of toxic materials and mass casualties because the attacker has rationalized its actions.2 The second element involves the attacker’s level of commitment to seeing the attack through. Will the attacker be deterred by the presence of controls? This would be indicative of an attacker (sometimes referred to as a threat agent) that lacks full commitment. What if the attacker was willing to completely risk their freedom or even their life to carry through the attack? This level of commitment makes it much more challenging for protective details and controls to be effective. This has long been a statement made by organizations such as the US Secret Service in its protection of certain persons and one of the reasons why it takes such broad and extraordinary measures to protect its principals—because it must protect against threats that may be highly committed or even irrational in their desire to attack. Understanding the attack allows the defenders to focus their controls. If we are on an oil rig in the middle of the North Sea, we are not likely to spend a great deal of time worrying about forest fires. This is a simple matter of dealing with those threats that have a greater probability of becoming a “fight that we need to fight” and to expend our limited resources to their best effect. Understanding the intent of the threat also helps to resolve the conflict that arises when considering higher probability/lower impact events and very low probability/cataclysmic events. Often organizations, or even regulators, will insist on certain controls being put in place to prevent these cataclysmic events to address 2

The concept of justification as being a core element in the formation of mal intent is discussed in Chapter 9 dealing with insider threats and applies equally here.

220  ◾  Critical Infrastructure

public safety concerns. In many cases there are good reasons. These controls, however, can be applied into environments that make no sense. Consider perimeter fencing around marine facilities. If there are two populations (passengers and nonpassengers) to keep separate and a community that may try to gain unauthorized entry, then the fence makes sense. That is because the threat assessment determines there is a potential threat agent that would form that intent. Now consider an isolated wildlife lookout station on the British Columbia coast, perhaps a hundred kilometers isolated in the wild. Does the fence still make sense? The lack of a threat with a reasonable intent limit helps illustrate the utility of the control. When considering threats that do not form based on intent (such as accidents) and natural disasters, one looks first at the historical events in the area. If there is no history, one then looks to determine whether the factors that could lead to those events are present at the location or are showing signs of becoming more prevalent in the immediately surrounding area.

10.1.2 Understanding Capacity, Opportunity and Resources Having established either intent or history, the next step is determining whether the threat agent (the terrorist, thief, negligent person, natural event, etc.) can overcome the current or proposed controls to accomplish its goal. This is a combination of capacity, opportunity, and resources. An individual may have the intent to disrupt government services but may lack the knowledge, skills, abilities, or resources to do so. As these are gathered together, however, it becomes increasingly important that the defenders understand the intent and commitment as to how these tools may be used. For threats with intent, the characteristics of the threat can be held in contrast to the characteristics of a defender. For high value targets, we prefer knowledgeable, skilled, able, and well-resourced defenders. We are also most concerned about threats that show the same. Consider the protection of a child. The guardian of the child should not only be loyal and trustworthy (speaking to intent and commitment), but should be knowledgeable, skilled, able, and well-supported in taking care of our child. We do not want the guardian to be lacking in any one or more of these attributes. At the same time, we become more concerned as the threats have more knowledge on how to attack our child, are more skilled in certain acts like kidnapping, show greater abilities to defeat controls or have increasingly large amounts of resources that they can use in the attack. The core determining difference between the attacker and defender in this context lies in the intent and commitment of each. This balance is best described as a tenuous equilibrium because the two elements in it are constantly seeking some advantage over the other. The attacker will generally seek to identify vulnerabilities to exploit. The defender will constantly attempt to manage its affairs and the controls protecting those affairs to stymie the attacker.

Safeguard Design  ◾  221

Where there is a serious imbalance in favour of the defender, the attacker may even shift its intent to another purpose. This may involve focussing its activity or attention into another area. For example, the core of a nuclear reactor may be so well protected that the attacker may not seek to attack a power generating facility directly but may decide to disrupt the power distribution system so that the services provided by the generating station are still cut off from the client base. This is where the defender must not only understand the stated intent of the threat, but also understand its goals. One of the greatest challenges for the Asset Protection and Security practitioner, in any domain, is designing the layers of controls in such a way that it prevents or addresses the potential for these kinds of shifts. Consider the past twenty years in information security. Twenty years ago, information security had limited network controls in place but focussed significantly on people being able to break into a facility and steal the most sensitive of documents. This was largely because such documents were not allowed to be stored on networks and were usually guarded in centralized and well controlled vaults or isolated systems deep within the facility (such as an air-gapped environment). As connectivity increased, various controls were moved onto IP-based infrastructure and these documents were protected behind logical controls (such as a partitioned network and firewalls), we saw new threat capabilities become relevant. Today, one might look on the existing physical controls with a feeling that they may be archaic or less relevant, but they need to be understood as addressing a threat profile that has shifted (as threats found weaknesses in our networks) but which may become very relevant again in the future as logical controls begin to outpace threat capabilities. There is an importance in managing the full community of controls in a manner that prevents these forward and backward shifts in the threat to exploit new vulnerabilities. For threats that are non-intentional or natural, the capabilities of the threat are largely determined by their nature or engineering. Natural events can be characterised by their impact on materials (particularly at critical load points and intersections) and structures. These are well documented through various scientific and engineering communities. Non-intentional threats can be looked at in the same manner. One emerging area is that of the technical or pseudo-intelligent threat. These threats, often found in the network environment, can be described in terms of their source, persistence, propagation and progress. The source of the threat is generally intentional (deliberate) but may also have a non-intentional element (such as what happened with the early release of Stuxnet that led to what may be argued to be unintentional consequences). The persistence of the threat can be described in terms of its engineered lifespan and its “commitment” to continue to attempt to breach defenses (a strong factor in brute force attacks).3 Propagation, on the other 3

This is in parentheses to compare it to the commitment of traditional threats, such as human threats, that have commitment. These technical threats are simply designed to repeat the attack ad nauseam and are not acting out of any measure like a cost-benefit analyses or commitment to cause.

222  ◾  Critical Infrastructure

hand, involves the threat identifying the control that is blocking it and identifying ways to either breach or bypass that control and then retaining this information for future reference. This is where the electronic threat may begin to mimic not intelligence but the genetics of a virus in terms of its ability to adapt to survive and flourish in a new environment. The next step in propagation involves replicating itself with these new characteristics and continuing its movement through the environment. The final aspect involves the threat’s ability to progress. This is not meant in terms of its ability to make and incorporate its “learning” into its base form.4 For example, a threat that only learns from its own experience may progress at a rate like the number of controls it encounters while a threat that is designed to allow itself of exchange information with other versions of itself may progress significantly more rapidly. While these kinds of electronic threats already exist, the coming of quantum computing may well lead to what might be described as an evolutionary leap in network-centric warfare. Quantum computing allows for an additional state at the bit level (like an “on and off”) that increases the number of potential options it can consider. This increase has the potential to mimic intelligence, particularly when considered with the speed at which computing takes place. The result is a threat that will be able to consider significantly more options in how it can attempt to circumvent or defeat controls. At the same time, one will see the necessary shift in how controls are designed to accomplish the same. As the computing bases necessary for this kind of application become more prevalent, one can expect to see the breadth, depth and complexity of cyberwar increasing more than strictly linear rates.

10.1.3 Understanding Proximity and Mobility The proximity and mobility of the threat is the final element. While non-intentional and natural threats must be considered in terms of their proximity and ability to move into and throughout an environment based on operational and physical factors, intention-based threats add another layer of complexity. If one looks at the concept of protection, detection, and response as being at the foundation of control design, then one may rightly assume that those threats that are part of the baseline environment pose different challenges than those that would attempt to move into the environment. Those that are part of the environment, if dormant, may not pose some immediate threat and be passed over undetected unless the threat is examined in minute detail. At the coding level, this involves a commitment of computing resources. At individual levels, this may involve a 4

In this context, learning should be looked at in terms of its evolutionary context or the adaptation to a new environment. This might be compared to the changes in a virus that allow it to survive in a new host—it is not a matter of intelligence but rather changes in its genetic behavior.

Safeguard Design  ◾  223

commitment of additional investigative resources. What is consistent is that additional resources, commitment and refinement in the assessment process will be needed to deal with threats that reside naturally within the baseline environment. The second category involves movement within the controlled or baseline environment. This movement naturally invites scrutiny—either electronically or in the physical realm. Data in motion may be scrutinized more than data at rest (especially if remaining at rest). People doing new things within an organization may attract attention. What becomes important here is understanding both the nature of the activity and the intent behind that activity. It may well be part of the natural processes within the computing or operating environment. It may well be indicators that some subject will be seeking inappropriate access from a new range of objects (in the context of access control). With the subjects being part of the “natural environment”, the organization can build profiles of its activity over time and to project likely profiles of activity based on its own expectations. Deviations from these can become the triggers for additional scrutiny, refined investigation and potential corrective actions (again, in both the logical and physical domains). While this pattern analysis is relatively simple in today’s computing and operating environment, this may become more complex as organizations are forced to sift through an increasing volume and complexity of patterns to detect unauthorized, suspect or suspicious activity. The third element of proximity and movement involves the subject having to move through some form of barrier or perimeter control—such as between a less trusted and into a more trusted community. Again, the control process in this case illustrates another one of the immutable truths in security design. To move from one level to another, the subject must meet the criteria set by the authorization process to pass through the gateway and become part of the more trusted community. One may look at this in terms of the Clark-Wilson model supporting network security models such as the Bell LaPadula and Biba models. This approach, however, applies to more than simply networks. It applies to communities of people, spaces, access to sensitive assets and becoming part of operational communities or teams. This can also be found in the application of the Purdue model when considering network segmentation and zoning. The critical factor in mobility involves the security controls’ ability to detect and respond appropriately to the potential or probability of threat. Elements that are part of the natural or baseline environment become more difficult as they are essentially camouflaged in the environment. They become apparent when their activities within that environment show a divergence between their intent and the expectations of the system (or organization) in which they are working. Elements from outside the environment can be looked at in terms of whether they belong to extended communities of trust that can be introduced to the trusted computing base or the trusted organization. Again, the concept of camouflage (achieved through mimicry of or encapsulation within trusted entities) factors significantly here. What is almost certain is that there is a potential for the rate, breadth and

224  ◾  Critical Infrastructure

depth of both threats and security controls to increase very significantly as we face the congruence of computing capabilities offered through quantum computing and analytics (especially involving the full population of datasets) within the cloud environment.

10.2 Focusing the Control (Asset) Returning to the statement that a threat exploits a vulnerability to cause injury to an asset and this links directly to the risks faced by an organization, we can begin to focus the design of controls.

10.2.1 The Threat Outcome The design of the control must support the risk management strategy of the organization (address, transfer, share, avoid, accept, etc.). It will do so by reducing the threat’s capability or capacity to act, the opportunities available to the threat to avoid being defeated, or by eroding the intent and commitment of the threat to act in the first place. The next layer involves looking at how the threat can create its desired impact on the target. In this context, a threat can exert four kinds of influence. The first is to directly affect the asset involved and affecting the value of that asset to the organization—by breaking it, for example. This is the premise behind methodologies such as CARVER and MSHARPP that attempt to draw a direct line between the threat, its intent and a potential target for the threat to act upon.5 The second element is to attack the asset indirectly. The threat may not be able to attack the computer network due to a very strong set of controls, but it can disrupt the power to the facility that supports the network. This second layer of approaches can be found in structures such as supply chain security (such as ISO 28000) that involves those assessing potential threats not just at the asset location but along various points in the supply chain or production chain. When approaching this issue, it is important to have the various processes (and their inputs in terms of persons, assets, facilities, information and activities) clearly defined and mapped onto the mission of the organization. The third element involves collateral damage or damage that spills over and effects the target. Consider the use of a weapon that affects the supporting infrastructure. 5

CARVER is an acronym that stands for criticality, availability, recognisability, vulnerability, effect, and recoverability. A description of its approach can be found at http://www.dtic.mil​ /dtic/tr/fulltext/u2/a483640.pdf (alt URL: http://cipbook.infracritical.com/book4/chapter10​ /ch10ref1.pdf). MSHARPP takes the attacker’s perspective and refers to mission, symbol​ ism, history, accessibility, recognisability, proximity, and population. Further details can be found at B2 of http://www.2ndmaw.marines.mil/Portals/7/WingAdjutant/Orders/WgO%20 3302.1A.pdf (alt URL: http://cipbook.infracritical.com/book4/chapter10/ch10ref2.pdf).

Safeguard Design  ◾  225

The next element that has become apparent, especially since the last election, is the element of consequential damage. In traditional terms, this may be looked at in terms of Psychological Operations or Information Warfare. Going back further, it can be described in terms of the propaganda battles that have permeated the major conflicts of the 20th century. Consequential attacks involve an organization being impacted not through an attack on its infrastructure or operations, but on its reputation and the willingness of people to deal with that organization. The explosion in the use of social media and the connectivity of society have made organization vulnerable to attacks launched not with bombs or computer coding, but with tools such as memes and posts. Consider an attack on an organization’s business operations—largely linked to decisions made by key personnel and stock values. The use of created identities, accusation, and similar kinds of tools can quickly influence an individual’s ability to operate or the organization’s ability to raise capital.

10.2.2 Aligning Outcomes to Assets Having identified the kinds of attacks and the likely nature of the attackers, the organization can focus on building the layers of protection around the key assets and outwards. This process has traditionally involved an “inside-outward” or “outside-inward” approach. In the “inside-outward” approach, progressive layers of defense are added around the asset—beginning with the final level of protection at the asset then proceeding through the rings of space around that asset. These rings generally follow production flows and physical structures until they reach the outside limits of the organization’s span of control or ownership of property. The focus in this approach however can best be described in terms of how a pearl is formed around a grain of sand—additional layers are added around the sand until the oyster is satisfied. The “outside-inward” approach involves starting at the perimeter of ownership and control and adding controls that limit the movement of the attacker to progressively more sensitive assets, spaces or operations. This approach is commonly used to filter out those that are not part of the trusted community and may be looked at as a progressive series of filters until the person, asset, infrastructure or operation being protected is reached. Each of these has its own strengths and weaknesses. To address internal and external threats, it is important that the control design process incorporate both approaches. The challenge with the “outside-inward” model is that the insider threat will often be given the knowledge, skills, and resources necessary to pass through the various levels of control. As a result, taking this approach in isolation will leave the organization highly exposed to this kind of threat. At the same time, taking a purely “inside-outward” approach has the opposite challenge. By only working outwards, the organization becomes increasingly exposed to threats that may not be immediately apparent or to shifts in the threat’s intent by leaving certain persons, areas, information or operations more available to those unknown threats. Taking a balanced approach and using both

226  ◾  Critical Infrastructure

sets of controls, however, can achieve the necessary balance between the protective systems. The core elements of this approach involve the following: ◾◾ Those that are not part of the trusted community are not able to see or become fully aware of the most sensitive controls. Some of the final controls may only be apparent to the asset custodian or the response capability of the organization; ◾◾ Those that are part of the progressively trusted community operate within increasingly defined and supervised environments where the detection of anomalous activity is enhanced; ◾◾ The level of investigation and supervision increases in balance as the level of trust increases. This also includes a narrowing of the thresholds with respect to the organization’s expectations placed on those individuals; ◾◾ There is an increasing trend towards the segregation of trusted communities within an organization that mirrors the segregation of networks. While communities at different levels of trust may interact, organizational and procedural controls are becoming more common and broad to monitor those interactions to ensure that the influences of less trusted individuals cannot compromise more trusted environments; and ◾◾ Controls are applied not simply in the immediate environment but must also consider factors such as collateral and consequential injuries to the organization. This may include controls such as a requirement that covers an individual’s work and private life in certain environments when involving proprietary or sensitive information. For the protection of critical infrastructure, this needs to be advanced cautiously. The above principles reflect what can be described as an erosion of individual rights towards what may be described as a rigorous and authoritarian regime. At the same time, the failure to provide these kinds of controls reflects an approach that leaves significant vulnerabilities and areas of exposure over services vital for the safety, security and economic well-being of communities. In the design process, this means that the system must have several different feedback loops that can detect the ripples of discontent within the organization’s culture, can involve communities in the design of controls that can impact them, but also educate those communities with respect to the reasons why those controls are being put in place. Failing to do so will leave an information vacuum that will be filled by those using consequential threats (such as the attacks through social media) as part of their attempt to erode the controls. This approach is also vital because it is not the protection of the system that is the critical aspect at play here. As stated since the Second Edition of this work, it is the ability of the infrastructure to deliver its vital services on time and in necessary condition to the community that is the vital element. Over-extending these

Safeguard Design  ◾  227

controls to the point where this cannot be assured through the loss of key personnel, reductions in productivity, disruptions in operations and other similar factor is part of the set of indirect threats that face the organization.

10.3 Risk Management The focus of risk management is to ensure that the organization meets its mission objectives and other requirements. Practitioners need to remember that the real goal is to protect the capacity of the organization to deliver and not necessarily assets. Failing to recognize the latter, particularly in more doctrinally-driven practitioners, can lead to a situation like an arms race where the practitioner and apparent threat get locked into rapidly escalating, and expensive, controls. For the management of an organization, risk management must involve three major considerations or outcomes in the decision. The first involves the outcome at the production level. This is tied directly to the processes and systems that do work and that align directly with the overall mission of the organization. What is often overlooked, however, are the decisions with respect to conditions where the system has failed at the regional level. This is the second consideration—are there special requirements placed upon the company to be able to operate during abnormal conditions? Many organizations simply manage risk based on day-to-day operations and fail to consider the different factors that may arise during regional events. For example, if an organization is adopting a “green position” and promoting the use of public transit, has it balanced this with the challenges associated with getting a workforce to the workplace during either extreme weather (involving cancellations) or widespread illness in the area (which may see the public transit become a vector by which employees become ill). The third element involves how management wants the organization to reposition itself during and immediately after the event. Will the organization become “part of the pack” that receives aid and reconstitutes its services or does the organization want to be able to be the “most reliable” or “most resilient” after the even as part of an effort to expand its market share? When looking at the list of companies that have received public relief funds, it becomes clear that the receipt of these funds can have lasting reputational impacts with those receiving funds being kept in the public eye for receiving the funds while others, conspicuous by their absence, do not carry such baggage.6 With these three considerations driving the risk management decisions, the organization has a greater ability of meeting all three of its local, regional, and strategic objectives. This means that the organization must maintain an awareness of how it would deal with these situations given that the time taken to analyze, assess and ultimately decide such thresholds would be significantly longer than the risk 6

These lists can be found at https://projects.propublica.org/bailout/list and https://www.thebalance​ .com/auto-industry-bailout-gm-ford-chrysler-3305670.

228  ◾  Critical Infrastructure

assessment processes. To put it into perspective, decisions at the strategic level may take several years to completely analyze and assess before being built into long term plans. In today’s environment, however, changes in the operating and threat environments may mean that the company faces a significant suite of new challenges before those decisions are received. The outcome is a gap in coverage.

10.3.1 Concentrating the Control The next element involves designing the controls that will meet these risk management decisions. Again, the outcome of the risk management decision is the important factor. This does not mean, however, that every single factor must be addressed continuously—as long as the organization can identify and respond to emerging factors before they become an issue, those goals are still met. Where there are known and persistent issues, the focus should be on improving baseline performance and controls so that those issues are addressed. This also includes those factors that may emerge faster than the organization can respond to them. Consider, for example, a need to respond to issues associated with workplace violence by being able to monitor visitors for weapons. If the infrastructure and capacity is largely addressed and requires only 24 hours to be put in place, then there is simply an onus on the organization to be able to detect and respond to those issues faster than the 24-hour period. If, however, the organization is hampered by long contracting processes and complex financial issues, these controls may need to be put in place fully in order to give management some level of assurance that the organization can respond in time.

10.4 Control Design 10.4.1 Aligning Risk Management and Controls When considering how to respond effectively to an attack of some kind, there are a number of different factors that can be considered. These include: ◾◾ Selecting the control type (deter, detect, delay, deny). ◾◾ Identifying overlapping physical and logical domains. Consider an attack that involves an individual breaking into the facility. These can be divided into two major questions. The first involves what kind of response is needed to effectively meet the risk management goals? If the goal involves statements like “protect”, “prevent”, “no occurrences of”, then the response must be effective at blocking, disrupting or otherwise stopping the attack before the company suffers the anticipated impact. At this point, there is a second factor in the control design process that involves where the attacker will be stopped and how much

Safeguard Design  ◾  229

of the attacker’s capacity can be eroded by controls before getting to that point. For example, perimeter controls may involve an anti-vehicle ditch that requires that the attacker proceeds on foot—this limits the speed of the attacker and the number (and kind) of tools it can bring forward in the attack. The next layer of controls may be a fence that the attacker must take time to breach (increasing the potential of detection) followed by a long open space that they must cross. Taking this approach allows the organization to build effective layers of defence (again using the “insideoutward” and “outside-inward” approach) that can more reasonably balance costs and operational impacts. The attack in progress is only one phase of an attack. The organization may also want to consider approaches that focus on defeating the attack earlier in the attack cycle. For example, when considering a physical attack (such as terrorism or criminality), there are certain steps that one will generally encounter: ◾◾ Conceptualization — forming the intent to attack. This may be improved through increased ties to reliable and credible sources of intelligence, analysis of events, etc. ◾◾ Initial Reconnaissance/Perimeter Probing — seeking means to penetrate the organization or to determine the potential exploitability of the organization. While this has traditionally involved perimeters such as fences and firewalls, this now needs to be refined to suspect activity at the access control level both physically and logically to identify the fluidity of the internal threat. This may be improved by increasing event recording, analytics, and other similar intelligence-generating measures that can be compared to known or suspected threat patterns; ◾◾ Target Selection — At this point, one might assume that the threat (undetected to this point) has determined the organization that is to be attacked. This is the point at which the “outside-inward” and “inside-outward” must be functioning nearly seamlessly. Organizations may improve this by increasing their involvement within intelligence and local communities to watch for signs of increased negative attention or changes in the perception of the organization. Similarly, organizations should be monitoring communications from within the organization (using their technology or involving their organization) to detect instances where information or communications appear to become focussed or increased on specific issues, operations, or infrastructure. This is the most complex effort as it can involve very complex monitoring (such as for steganography from within the organization, suspect patterns in communication flows or patterns, etc.); ◾◾ Detailed Reconnaissance / Penetration of System — This phase involves the attacker gathering information regarding the specific target and beginning to lay the plan for the delivery of the attack. In the physical space, this involves more detailed reconnaissance through measures such as social engineering, penetration of public and less secure zones, detailed research into open

230  ◾  Critical Infrastructure

sources of intelligence, etc. For the logical system, this can involve the penetration past the firewall to find out the best method by which to deliver and then execute hostile payloads. Organizations can disrupt these events through rigorous monitoring of activity. This may involve following up on failed access control attempts, integrating suspicious condition monitoring into access control systems (the same card being used in two spaces at once, for example), ensuring that network traffic is well understood for baseline behaviour and that any deviations are investigated, that new connectivity (Bluetooth, peer-to-peer, wireless communications, WIFI, etc.) is detected and investigated, etc. ◾◾ Planning — This phase involves identifying and setting down the path that will be used for the attack. Within the physical space, this involves refining the attack, identifying the knowledge, skills, abilities, and resources that will be brought to bear and ultimately determining if the final attack appears to be feasible. This is closely mirrored in the logical domain as the attacker escalates its privileges, moves within the system, and begins to lay the groundwork that will allow the hostile payload to be installed and ultimately activated. Organizations can improve their abilities through the ability to detect unexpected, unauthorized, or suspect activity within their spaces or networks. There are significant comparisons that can be made here in terms of comparing the movement of persons through certain spaces without an explanation and those attempting to access directories/files that are outside of their assigned or authorized duties. ◾◾ Preparation — This involves the positioning of the knowledge, skills, abilities, and resources that are necessary to carry out the attack. This is one area where the attacker can be significantly exposed. For example, the attacker may seek to break a lock into a certain tool shed, position packages or have certain people waiting to facilitate the attack. These are highly detectable and overt steps that a well-prepared and vigilant organization can detect. Similarly, within the network environment, this may involve coding being inserted into applications, additional files being added to directories (ranging from logic bombs to whatever else that the attacker wants to position), changes in privileges, opening of ports and other measures. Organizations can improve this capability through internal monitoring of controlled areas (physical and logical) while also having clearly defined plans that can be used to activate a holistic response to events. Given advancements in technology, any response should include both the corporate, physical and network teams as an attacker may use steps that allow it to skip or bypass controls in one domain through another. For example, if a connection to a service is established from a port in a public space, there should be a response on the network aspect (with respect to maintaining, controlling or terminating the connection) but also on the physical side (in terms of investigating the person making the connection). Organizations may wish to run parallel responses that communicate with each other (thereby allowing response

Safeguard Design  ◾  231

and an escalation of understanding as the event progresses) as opposed to attempting to completely analyze complex events before deciding to act. ◾◾ Execution — This involves the attack proper (such as a bomb detonating or the malicious payload being activated). This will be readily detectable in that concrete events and conditions will begin to unfold. Again, this is the footrace between the threat’s attack and the organization’s ability to detect, analyze, assess, identify, notify, and respond effectively (this is often just categorized as detection and response). What needs to be clear at this phase is that the physical and logical environments may intersect directly (damage to both), indirectly (affecting interdependencies), in a collateral sense or even consequentially. For example, the impact associated with a device injuring a few important clients may also turn into a social media blitz that involves portraying the organization as being incapable of protecting important persons. Organizations can improve their capability to deal with these kinds of events through training, exercising and having clear and simple plans in place. Many organizations tend to over-complicate their plans, leading to losses of command and control at the early phases of the Incident Command System structure as organizations attempt to resolve what is going on. The other challenge is that certain sectors attempt to reinvent the wheel meaning that the organizations may be directed to establish an incident command system for one set of events then another kind of structure for other kinds of events. This invariably leads to confusion. In these cases, management should direct both subgroups to be in line with management direction and to support the overall organization’s ability to secure, isolate, contain and resolve the issue with minimal losses of life, property, or operational disruption. The current activities that separate these responses is one that will lead to significant vulnerabilities in the response phases of events and there is a direct and immediate need for management within the industry to control these two philosophies through the setting of common requirements. The first step may involve integrating the day-to-day command centers where these exist. ◾◾ Exploitation and Escape — This step involves the attacker being able to escape the consequences of the response by evading detection, capture, or prosecution. Organizations can protect themselves by ensuring that logs, records and other data that can be used in evidentiary processes can be protected against loss or modification. It also means having clearly defined thresholds for pursuit and prosecution set in advance to ensure that events are resolved and, if necessary, those involved are dealt with appropriately. For example, if an individual is caught removing and selling files, then there should be both internal and external consequences. This does not mean having events play out in the public eye, a factor that could lead to increased liability and consequences for the organization. It means, however, that it should be clear that those involved in the event are aware that they face consequences and that others that may consider the same approach are aware of such potential consequences.

232  ◾  Critical Infrastructure

10.4.2 Integration of the Harmonized Model The first step in the design of controls involves a step that might be best described as a feedback loop. Those familiar with the development of security architecture in the IT domain will recognize this step immediately. The first step involves setting down the goals (protection, management, remediation, etc.) of the security system and how it will perform to meet the risk management decisions. The second step involves the specific designing of controls to ensure that this performance is achieved. The final step involves monitoring and making refinement to the controls to ensure that the controls can adapt to the natural, expected, or possible fluctuations in their operating and threat environments. The goals of the security system, as noted earlier and several times, must meet the risk management directives and support the organization’s ability to meet other requirements (legal, regulatory, etc.). Defining these at a broader level, however, allows the architect and practitioners to focus the controls in a way that also balances operational and cultural requirements. This also applies equally in the physical and logical domains but are also highly subjective in nature that will become apparent in the next step. An organization may believe that installing a chip inside a person’s hand is a good way to look at access control as it is unlikely that the individual will ever lose their credentials. Individuals may (or may not) agree with this but may also look at medical and privacy concerns. At this point, however, the organization defines the goal as being able to identify all persons coming into a space (physical or logical) as being appropriately identified, authenticated, and authorized, and understanding that their actions are auditable. The second step involves the specific design of the control so that these goals are met. This extends the realm of supporting the risk management decisions (i.e. the goals and requirements) to include the return on security investment (how to best meet those goals and requirements). Are the costs associated with the controls too extreme for the value that they bring to the organization? Can the goals be met more efficiently while maintaining the same level of assurance that they will function consistently? Is it possible to use multiple controls to achieve the same goals and meet the same requirements? This is where the complexity of control design comes into play and requires those involved to understand the operational, social, cultural and reputational impacts that may result from the implementation of certain kinds of controls. When designing the control, there are three factors to consider. These include the following: ◾◾ What level of assurance is required of each control? When looking at risk, one must also consider the fact that the control may ultimately fail. Is there a need for the control to only include its core function (in terms of protection, detection, response, or recovery), but should it also include the ability to identify future demands, its state (in terms of potential issues that may result

Safeguard Design  ◾  233

in its failure), and communicating conditions under which it may have failed and for which a response must be initiated to confirm that it has not been breached? ◾◾ Is the control design holistic in nature or specific in nature? In this context, have we covered as much of the spectrum between the operational, physical and logical aspects of the control that needs to be addressed. In this approach, one might look at dividing the control design into three major elements—the physical, communication, and interface levels. This can be refined by using the OSI model to define each. The physical connections include the physical and datalink layers of the model and involve protecting the control from physical disruption. The communications level involves the ability to relate information within the security (and other stakeholder) systems appropriately and include the transport and network levels (ranging from IP addresses to contact lists). The third layer involves the session, presentation and application layers that involve the controls receiving, managing and communicating its information (state, performance, alarms). For example, when considering the application of camera technology to monitor a space, the interface level may involve ensuring that the monitoring station receives good information regarding the field of view, the status of the system and alarming information. The communication layer may involve ensuring that all the correct destinations for information are set and roles and responsibilities are assigned appropriately. Finally, the physical layer may involve protecting the signal against disruption (such as jamming, loss of signal, etc.) and operational limitations from other systems (such as deficiencies in available bandwidth or processing capability). ◾◾ What kind of user intervention is needed to activate or maintain the control? This will largely depend on several factors. Can the organization’s security teams (in all departments) manage the control manually? How many transactions will it involve and how quickly do they need to be involved? Does the resolution of the issue involve the satisfaction of a rule or the exercising of judgement? For example, denying an individual access to restricted files can be done automatically and an alarm sent should the individual persist in attempting to access those files. An individual, however, may have had a change of responsibilities that requires access to those files in order to perform authorized functions—meaning that human intervention may be needed to authorize the change in access to ensure that it is, in fact, appropriate. This applies equally across all forms of access control. Similarly, an individual may only come to light after the alarms are initiated in what may be described as a “ false positive” alarm—the individual needing legitimate access but being denied—which may also require human intervention to determine if (1) the immediate situation is resolved and (2) any adjustments to the security control are made to reduce the potential for future occurrences of a similar event.

234  ◾  Critical Infrastructure

Taking this approach to the design of security controls will become increasingly important in the future. As threats become more complex and involve greater integration between the physical and logical domains, it will be increasingly important for security controls to be able to match or exceed the threat capabilities. This is not only a technical question—it also involves the ability of the organization to identify, manage, adjust and refine the administrative (policies, discipline, etc.), physical (infrastructure), logical (software, computing power), and technical (configuration) aspects of its controls. As computing power and attacks become more complex, the impact on OODA (observe, orient, decide, and act) loops that describe an organization’s ability to adapt to new, evolving, or diminishing threats will also be put under increasing pressure in terms of time and accuracy. Organizations that fail to recognize these challenges today may be able to manage their risks in the immediate and short term but are setting themselves up for an increasing probability of failure and unnecessary costs in the future.

10.5 Authors’ Note A parting thought. Consider the technological change over the past ten years and then consider the amount of change that is possible over the anticipated useful lifecycle of the infrastructure being used to protect the organization’s persons, assets, and operations. Given both the current rate of change and the acceleration of that change, how does this affect your confidence that you will realize the benefits of that system over its full lifecycle?

Chapter 11

Challenges in Regulatory Oversight 11.1 The Role of Regulatory Oversight The key responsibility of any government involves protecting the safety, security and economic-wellbeing of its citizens. These are elemental to the state and any state that fails in this regard soon finds itself first diminished on the world stage and ultimately loses its ability to maintain its own core values and philosophies as it is subverted to other interests. While this view may, to a few, appear to be somewhat harsh, it is the reality of the world. Social programs and soft power do not exist except on a foundation that has assured the safety, security and economic well-being of a nation. Without the economic engine, the country cannot project its interests abroad (militarily or socially) except through rhetoric and being reliant on the actions of others. Where the safety of the nation’s population is concerned, legal and ethical considerations begin to drive the agenda of governments. Where the security of the state is threatened, then this issue can consume the priorities and agenda of the government in such a way that all other priorities fall by the wayside. The role of business, on the other hand, is the generation of wealth and the returning of reward for some form of investment. A business that fails in this respect will, like the state, first find itself diminished and, ultimately, failing and fading as its market share is diminished and ultimately swallowed up by its competition. One has only to look at the challenges for the big box retail stores over the past five years to see more than a few examples of the realignments, mergers and outright failures in the sector. One might also argue that the realignment of food retailers and drug retailers in Canada follows the same pattern. 235

236  ◾  Critical Infrastructure

Businesses may choose several different routes in their affairs, but there are really three major factors: 1. The generation of adequate wealth to cover costs and realize profit; 2. The reduction of costs to increase the net income of the organization; and 3. The stabilization of a core market share and, as the need to generate increasing revenues increases, the expansion of that market share outwards. Achieving these goals can take many forms. Some will focus on the generation of new wealth followed by the reduction of costs. Some will involve the reduction of costs to become lean followed by building reserves with which they move to expand. Some involve forming alliances with other companies (or simply taking them over) to reduce the losses and energy associated with competition. Others may simply adopt new technology and approaches, essentially trail-blazing into new markets or business lines. Understanding this dynamic is important as much of the critical infrastructure is owned and operated by the private sector. This creates a situation that may be described as a delicate balance or partnership in positive situations. This is most likely the most positive end state when it comes to establishing a symbiosis in terms of knowledge, skills, abilities and resources. This is not always the case and failing to recognize this imbalance can lead to dire situations in which the potential for injury and damage are compounded significantly as the two communities remain locked in conflict. While there are many positive examples of government and industry working together, there have been some examples of how this tenuous balance can fall into conflict. In 2008, the (Canadian) federal government and a private rail firm entered into an agreement that required the private firm to operate, maintain and repair the rail line in a timely manner until 31 March 2029. In 2012, the federal government made a shift that, the private company argued, shifted the demand for the rail line and caused many of its clients to shift to alternative ports. The rail line began and continued to lose money for a period. In the spring of 2017, a significant storm eroded significant parts of the rail line and rendered them inoperable—severing the major transportation link between the community of Churchill, its outliers, and the main transportation network to the south. With the private rail line indicating that it would not repair the rail line without assistance and the government taking the stand that the company had to meet its contractual obligation, it became apparent quickly that the town of Churchill was going to be isolated for significant period of time, would have to rely on air transportation for much of its movement of persons and goods, and could even face increasing risks associated with fuel availability for the winter months. This conflict escalated quickly. Mid-October saw the federal government issue an ultimatum to the private firm that declared that it had 30 days to fix the rail

Challenges in Regulatory Oversight  ◾  237

line or it would face an $18.8 million lawsuit.1 Mid-November saw little movement towards a resolution with each side making public statements that accused the other of sabotage in the issue in court filings that saw the federal government initiating its lawsuit while the private firm (a USA-based company) filed under the NAFTA agreement indicating that it would sue the federal government for $150 million if arbitration did not result in a settlement.2 This conflict is ongoing, with the rail line still not being repaired as of February 2018. Three companies came together to create a stop-gap solution, an ice road, that allowed for the movement of larger volumes of goods and numbers of persons, that relieved some of the shortages caused by the cut supply chain route. This example provides a clear example of how the relationship between the public and private sector can first sour and then become dysfunctional to the point that the need for delivering the critical service is lost on both parties. Those involved in this domain would be well served to look at the long list of things that could have been done better in this case, beginning with due diligence in divestiture processes and right up to dispute resolution, before entering into future arrangements.

11.2 Balancing Public Safety and Business Operations One of potential emerging concern is the blurring of the roles of the regulator and private entities. Consulting with business entities is certainly important when looking at the potential impacts associated with regulatory decisions, but it must remain clear in the minds of all parties involved that the role of the regulator is not to protect industry, it is to protect those that may be impacted by the industry. Regulators must consider that the businesses that they operate are often providing critical services to the populations that those businesses serve. It must also remain aware that the regulatory body likely does not have the ability to deliver those same services itself. If one returns to the example with Churchill, Manitoba, the Canadian federal government is not in the railway business. It relies upon the private sector entities to deliver those services. Should regulations have an undue impact on the operations of those businesses, then the critical services themselves may falter. Consequently, there is a natural tension between the business and regulatory communities. This tension has resulted in the following major challenges: This was widely reported in open sources, such as https://www.thestar.com/business/2017/10​ /13/ottawa-threatens-to-sue-railway-owner-over-broken-rail-line-to-churchill-manitoba.html. 2 At this point, the issue had become a major news story across the nation as the government and private sector company appeared entrenched in the conflict and the community increased its own communications calling for a resolution. Such stores can be found in sources such as https://www.winnipegfreepress.com/local/omnitrax-files-nafta-claim-against-ottawa-threatens​ -150m-suit-457491683.html. 1

238  ◾  Critical Infrastructure

◾◾ Challenges associated with the sharing of vulnerability information between regulatory bodies and the private sector; ◾◾ Challenges associated with ensuring that the regulatory process is not usurped by the private sector to further its own agenda; and ◾◾ Challenges within the public sector/regulatory bodies in maintaining the ability to maintain effective monitoring the implementation of regulatory requirements and ensuring an appropriate level of enforcement. These three challenges currently threaten the balance between the public and private sectors in a way that can have significant impacts on both public safety concerns and the ability of private sector entities to compete within emerging markets. The sharing of vulnerability information within the Critical Infrastructure domain continues to be challenging. Ultimately, one would propose that having access to relevant vulnerability information is necessary when considering the evolution, or even reform, of regulations. The source of that vulnerability information often comes from entities that are themselves regulated by the same body. Many regulatory bodies, however, have taken the approach that they will move into an investigative and enforcement mode upon the discovery of any information that appears to be a willful failure to meet regulatory requirements. As a result, private sector entities tend to be less than enthusiastic about sharing such information with the regulator. Private sector entities within the same domain are often in competition with one another. With brand reputation and other similar concerns being a significant factor (influencing market share, the ability to raise capital through stock offerings, etc.) in the success of businesses, the sharing of such information may result in a balance that affects the company’s competitive advantage. Again, this limits the ability to gather that vulnerability information. This leads to the second challenge. While some organizations will attempt to conceal vulnerability information to protect their reputation or to avoid regulatory impacts, some companies may attempt to maintain control over the regulatory process to protect their own goods, products or services. An organization may seek to escalate its own practices into regulations or best practices to enshrine them in regulations, essentially capturing a market. An organization may similarly attempt to tailor the requirements demanded by regulations to limit or manipulate the competitive market. For example, costs associated with audits and insurance may be set high enough that small businesses have little to no hope of generating the revenues necessary to maintain their memberships. The larger firms within an association may attempt to push these limits through, using the association’s name and influence, to sweep the competitive field. Concurrently, an organization may attempt to present new technology in such a manner that the regulatory bodies do not have the time necessary to assess it before it comes to market. In these cases, the private company may appear to be helpful, providing guidance and advice with respect to how to operate the technology safely

Challenges in Regulatory Oversight  ◾  239

and securely based on their own testing and evaluation. This is then presented to regulatory bodies in such a manner that the proposed practice becomes an acceptable practice in the eyes of the regulatory body. Depending on the nature of the regulations, this provides a level of what may be considered “official recognition” that assists in the marketing of the product or service. These two conditions can lead to a circumstance where the regulator loses the ability to enforce its own regulations. The first aspect (the loss of awareness of the vulnerabilities inherent in the industry) challenges the inspector with respect to what may be considered reasonable and the level of baseline security across the sector. This can lead to under enforcement in circumstances where the inspector becomes convinced that confronting one entity can lead to repercussions coming back from the industry. Given that regulatory measures are generally appealed in tribunals that weigh the balance of probabilities (as opposed to criminal court where things must be proven beyond a reasonable doubt), this can pose challenges for the inspectors as they attempt to justify apparent differences in treatment (why one facility may have been targeted and another not targeted, etc.). The second challenge involves the ability to maintain a level of oversight while not allowing the regulatory process to become a limit to legitimate and appropriate competition. This was referred to in the second challenge but involves three flaws. The first flaw arises when the regulatory body accepts, on faith (i.e. not conducting their own testing or testing through a neutral third party that is kept clear of external influences), the statements made by organizations that are seeking to have their products approved for use. This is a flaw because most regulatory regimes clearly indicate that an individual cannot be put in a position where they approve their own work. At the least, this deficiency in the approach may put the regulatory body in a position where it can be challenged with respect to whether it upheld its duty of care or met a standard of care. The second element involves the regulator being able to detect whether there are unacceptable deficiencies prior to an event. Would an inspector be able to detect a flaw within the communications system that may allow for a vessel or vehicle to be taken over? Would the inspector possess the necessary knowledge, skills, abilities, and resources to detect vulnerabilities within the system? If the inspector does not and the regulatory body has set requirements that the inspector cannot assess, what options are available to the regulator with respect to allowing that individual to sign off on an inspection that may be counted upon to trust that a system is operating safely and securely? From a public perspective, would an individual in the public be comfortable if it was determined that inspections were simply a matter of verifying documentation and that inspectors were less able to make credible technical assessments with respect to what they are signing off? When practices and technology begin to outpace the ability of the regulatory body to assess impacts, implement or communicate requirements or make the necessary adjustments to its oversight processes, these questions become very significant given the potential impacts.

240  ◾  Critical Infrastructure

11.3 A Critical Challenge in the Regulatory Development Process This can lead to significant challenges within the regulatory development process and involves the ability to assess performance-based systems versus compliancebased systems. In some systems, the regulations allow for an organization to set controls that are then assessed as being reasonable in terms of meeting specific goals—such as preventing unauthorized access. As organizations realized that this kind of system faced significant challenges (for example, how to prove that a measure was reasonable or not), the inspection process shifted from a performancebased system structured on regulations to a simple verification that the controls identified in a plan were put in place and appeared to be functioning. Determining whether the control was, in fact, reasonable or had a reasonable probability of success with respect to the communicated goals became a significant aspect of the challenge. Arguments regarding the presence or reasonability of certain kinds of threats became critical to determining just what level of threat could be considered reasonable. In some cases, these challenges were assessed by what can only be described as impromptu attempts to breach the controls. For example, inspectors may attempt to reach certain points in a facility without facing significant resistance. This has its own set of risks. Failure to communicate and coordinate appropriately could lead to those testing the system to suffer dire consequences. For example, an individual swimming under the cover of darkness with a package towards a ship with armed security could face an escalation of force scenario where the security detail is not aware of the exercise. Over-coordination can lead to situations where those conducting the tests are given too much access and therefore fail to realize the full extent of the controls inherent in the system. An auditor, for example, may be given access based on the audit department’s authority to access spaces and not be impeded in their work where they should have been blocked from through earlier layers of controls. This can result in the auditor identifying the security as being lax where it is, in fact, appropriate. As these kinds of errors begin to become apparent in the oversight regime, the overall credibility of the oversight regime is slowly called into question. This will first manifest itself in the criminal courts (for the most serious of offences), then the tribunals (where arguments must be presented to establish a balance of probabilities), and ultimately civil court for the restitution of damages. For example, consider an organization that is assessed an administrative monetary penalty and is subjected to an increased rate of inspection. Now consider that this can lead to a loss of business. If it is found that the AMP was erroneously or negligently administered, then the organization may put forward a claim against the regulatory body to recover damages.

Challenges in Regulatory Oversight  ◾  241

11.4 Consultation, Cooperation, or Coercion A critical question for both the private sector entities involves determining whether the proper course of action is one of consultation, cooperation, or coercion. Each of these represents a different level of involvement. The consultative regime can best be described in terms of a challenge and response structure. One side of the equation requests information of the other and the other entity provides what it considers to be an appropriate response back. The onus is on the side asking the questions to ask the right questions or, at least, appropriate questions while the other side may be held accountable later for having provided incomplete or less-than-completely accurate responses. The consultative regime is also the one that offers the regulator the greatest flexibility. In demanding the question of industry, the regulator can either accept the response, challenge the response, or even override the response based on higher priorities. It can also challenge the industry if the industry fails to identify a potential impact and indicate that the industry had its opportunity to guide the regulator down another path but failed to do so. Today’s challenge within the consultative regime lies in being able to identify the right question. This returns to the question of the “Unknown-Unknown” (we don’t know what we don’t know). This situation is increasing as the complexity and interconnectivity of systems increases. For example, we may not have a full understanding of the unknowns associated with automated vehicles. We may also have an incomplete understanding with respect to the severity and frequency of certain kinds of storms. Where this becomes challenging is at the intersection of these two—how would this technology behave under the adverse conditions associated with these storms? In the cooperative regime the challenge involves the combination of scope, duration, and spans of control/influence. While consultation is a relatively narrow scope that allows each side to limit and tailor its answers to specific circumstances, cooperative regimes see each member of the group making a commitment to tackle the challenges that emerge. This can involve several iterations of what might be compared to the consultative regime. It may also involve topics that are either unforeseen at the start of the project or that may have levels of complexity or sensitivity that challenge the system. Comparing these two systems yields an understanding that the consultative approach provides an advantage for the public sector when looking at the development of regulations in terms of a project. As most project managers will attest, there is a challenge that involves the balancing of scope, time, and resources. The consultative process allows that to become a natural part of the formalized process. When there is a need for the regulations to be published or brought into force on a certain date, one may well expect to see a bias towards the consultative approach.

242  ◾  Critical Infrastructure

The cooperative approach is often integrated after the regulations have been passed. This is because the core deadlines have been met and the scope can be limited to addressing issues that appear in the regulations. The pressures associated with deadlines have also been largely lifted. This shifts the focus to a longertermed effort involving identifying those elements of the regulations that need to be added, modified or removed to address issues, reflect changes, or respond to evolving threat and operating conditions. This is where the reader will find various working groups, committees, and other forms of partnerships that focus on longer term and less defined issues. The gap that can occur in this process, however, occurs when the scope of the regulations takes precedence over the intent of the regulations. Consider the issue with autonomous or remote-controlled ships. When the International Ship and Port Facility Security (ISPS) Code was brought into being as an amendment to the Safety of Life at Sea convention, there was a presumption that ships were manned. Remote controlled vessels may have been conceptualized and on the horizon, but it was a relatively distant horizon. While the ISPS Code spoke to the need to assess and secure network and communications equipment, the application of this subsection in Part B was considered more in terms of being able to communicate securely and to protect systems on board the vessel or in port. While there is a natural extension of this to the communications and network infrastructure and operations for such concepts as the “bridge of the future,” this is one of those issues that operate at the fringe of the scopes. As a result, the need to address the issue may be identified but it may not appear to be as critical to those that approach the regulatory renewal process as a process and not an exercise in risk management. The concept of coercion in the regulatory space is one that is challenged by the fact that the public-sector entities do not actually own the infrastructure or companies that they are attempting to direct. Some clear examples of what happens when the public-sector side of the equation appears to become more coercive in nature can be seen in such issues as Port Security Clearances and the threats by labour to stop work at seaports, the conflict between the Canadian government and the private rail line to Churchill that has degenerated into a number of legal challenges and counter-challenges and similar kinds of issues. The reality is that while the government has the ability and authority to regulate, the private sector can simply declare that it will no longer operate under those conditions and, unless there is some binding mechanism that compels that cooperation, there is very little that can be done except attempting to find a mutually beneficial solution. This coercive or authoritative approach doesn’t necessary involve only publicprivate relationships. It may also involve issues between levels of government— such as federal to state or federal and provincial. Canada, for example, has been attempting to establish a pipeline from Alberta to the coast of BC through which it will move oil products. This pipeline has been challenged by a range of groups but the provinces of British Columbia (with the coast and having concerns regarding the potential for environmental impact) and Alberta (looking at

Challenges in Regulatory Oversight  ◾  243

the need for the pipeline to bolster its economy) have become entrenched in a conflict that has escalated to an internal trade war with Alberta banning British Columbia wine within the province. The challenge in this case is that the pipeline may intersect with provincial issues, but itself is infrastructure that spans under federal jurisdiction because it moves across provincial boundaries. This has prompted statements by the federal government that it will have the final say in the project. The need for authoritative power (based on legal structures or mandate) in this structure is relatively clear. It is based on the need to be able to drive all parties towards a resolution of an issue and, should an issue appear to be unresolvable to the satisfaction of all parties, then pressing towards a consensus that all parties can live with. If this is not possible, then the authority must be able to finally set the pin in the sand by stating that the debate has gone on for long enough and reach a decision. This is not just an issue of basic leadership—it involves ensuring that the processes used to identify, form, and manage groups have a sound foundation that is unassailable. In the case of Churchill, one might expect to find gaps in the contracting due diligence that would normally cover whether a company had the financial wherewithal to absorb certain kinds of events. Similarly, the company’s own organization likely should have pressed for clear statements that involve receiving support from various levels of government outside of the contract’s normal financial operations in the case of emergency or failures above a certain threshold. When considering the conflict between Alberta and British Columbia, the need for strong underpinning structures (in this case involving federal-provincial affairs) guided by strong leadership that understands at what point authority must be exercised becomes critical. Given challenges such as increased automation, the need for faster and more comprehensive data analysis, and increasingly fault-intolerant systems, one might reasonably expect to see the regulatory process move in the following directions over the short to medium term: ◾◾ Governments and other entities that have clear time-frames and mandates that are supported by legitimate authority (the ability to exercise coercive power if needed) are likely to press towards a consultative structure. This will largely focus in the policy and program areas where the organizations are tied directly or closely to political mandates and promises, and which are therefore considered to be under significant public scrutiny or pose a risk to the public reputation of the administrations involved. ◾◾ Scientific and development communities that are addressing complex issues will likely adopt a blend of the consultative and cooperative approach. The nature of this blend will depend upon the neutrality of the organization pressing the issue forward while the focus will involve the perceived risks in terms of market share and reputation. For example, a company promoting a new form of technology may attempt to launch a cooperative effort but may

244  ◾  Critical Infrastructure

attempt to exert significant influence (referential and political) to protect its own goods and services. ◾◾ Professional associations, trade associations and similar entities are likely to press towards cooperative processes during and after the regulatory process While the structure of these discussions will trend towards the cooperative, they are likely to be bounded by those entities’ efforts to protect their mandate, reputation and market share. This area however is likely to see the most activity due to the growing changes in how these associations reach broader (international) communities and can communicate to reach broader audiences. The lobbying activities of these groups (both formal communities and informal/issue-driven communities) is likely to see the increased use of social media and communications tools in their efforts to promote change through the creation of internal and external pressures on decision-makers.

11.5 Critical Capacities for Regulators For the regulator, this means that there are certain core capabilities that they must be able to maintain. These can be divided into the following broad areas: ◾◾ Knowledge regarding the industry and the domain being regulated to a level that is at least in parity with those being regulated; and ◾◾ Skills necessary to conduct inspections and assessments in support not only of enforcement activities but also regulatory renewal. The reason for having the knowledge of the industry and domain being regulated at a level on par with that of the industry is so that the regulator does not fall prey to being manipulated into accepting options that are based on the vested interest of an organization and that they are able to generate credible options that support public safety. Consider again the challenges of a cooperative process. If an organization seeks to present its own options (supporting the application of their technology or services), then the regulator also has a responsibility to be able to identify this condition and to determine the appropriate course of action to maintain the public interest. Failing to do so means that the regulator may have addressed what appears to be the immediate question but has, in fact, done so in a way that may be considered a failure to exercise due care by giving a competitive advantage to another organization. The second reason for having this knowledge involves the provision of guidance into the industry. This becomes a matter of both the level of training but also the consistency of the training and the stability of the doctrine used by the regulator. In a performance-based system, the regulator must be able to assess whether a course of action (often documented in the plan) offers a reasonable assurance of meeting the

Challenges in Regulatory Oversight  ◾  245

goals communicated in the regulations. If the personnel do not have the necessary knowledge or skills to do this, then the tendency is to return to a pseudo-prescriptive system in which working examples or guidance is used to provide a library of options. This essentially reduces the value of having this structure of regulations. This is becoming apparent in Canada with some of the guidance being given with respect to the protection of certain kinds of products. In this case, working examples are becoming de facto standards because they offer a clear line between the regulatory requirements and the construction to be performed, even though the directives involved do not require that specific construction. This leads to the next reason for ensuring that those involved in the regulatory process have the necessary knowledge and skills—that of officially induced error. An officially induced error is a mistake of law caused by reliance on erroneous legal advice obtained by an appropriate official.3 An operator may request an early indication as to whether a certain control would satisfy a regulatory requirement. Should another inspector then decide that they do not see the control as being appropriate, and require that it be changed, then the general conditions for officially induced error may apply as: ◾◾ The error is in fact one of law or mixed law or fact. In this context, it involves the question being whether a control would satisfy a regulatory requirement; ◾◾ The accused would be able to demonstrate that it had considered the legality of the course of action by approaching the regulatory to seek advice as to the appropriateness under the regulations; ◾◾ The advice would be given by an appropriately delegated public agent (regulator) that can be reasonably expected to be competent in the performance of their duties and to be operating under a standard of care; ◾◾ A direct link can be drawn between the advice and the condition declared to be unacceptable; and ◾◾ The operator could show that it relied upon the official advice.4 While this should not be looked upon as a legal template, it does illustrate that there is a potentially significant challenge that the regulator must address if it intends to (1) maintain its ability to enforce regulations consistently and (2) limit its own financial and civil liability with respect to any damages caused.

This is a widely referenced definition that can be found in such sources as http://criminalnote​ book.ca/index.php/Officially_Induced_Error and http://www.thecourt.ca/can-government​ -officials-rely-on-their-own-officially-induced-errors/. Discussions on this can be found in several legal blogs such as http://canliiconnects.org/en/summaries/31175. 4 This can be further described in cases described in the CanLII databank such as those found at http://canliiconnects.org/en/summaries/31175. For specific cases or situations, appropriate legal advice and counsel should be consulted, and this does not constitute legal advice. 3

246  ◾  Critical Infrastructure

Consider now the domain in which this argument takes place. Under a prescriptive regime, the facts are reasonably clear. There are direct lines between regulatory requirements, guidance, the controls (as implemented and operated) and enforcement actions. This straight line does not exist in performance-based systems, even with the presence of a plan. There is a goal to be achieved and the regulations are generally in the context of taking reasonable steps to meet that goal. As a result, the target is less clear, and the reasonability test applies. Now consider the possible disparity between parties involved in a dispute. Where one side can demonstrate enhanced education, skills and experience in the domain, they would have a clear advantage over the other. Now consider this imbalance in terms of the ability to achieve that 51 percent in the balance of probabilities. Would you consider an individual that possesses enhanced education (such as a degree or diploma), industry certifications and experience to be likely more capable than an individual that can demonstrate only internal seminar-based training? The former involves testing by third parties that are preoccupied with the individual achieving a standard of performance, not in whether the individual will continue to be available for work. The latter may not involve any testing processes but may simply be based upon attendance. The latter may have authority to make certain decisions, but the foundations upon which they can defend those decisions may be looked upon as being relatively weaker than the former.

11.6 Balancing Resilience and Financial Responsibility For the regulator, this leads to the next challenge—that of balancing the ability to maintain a resilience in their operations while also demonstrating a level of financial responsibility. This is a clear case of cost-benefit analyses. The cost aspect is perhaps the clearest issue. Consider the scenario where a cooperative approach is used, and the regulator relies upon the use of contractors or consultants for their technical knowledge. First, the regulator has not actually shed its accountability by going to an outside source of information—that accountability remains, and it becomes accountable for the decisions associated with the use of those resources. Second, there is the issue of cost. Consultants with significant technical knowledge are not inexpensive. Consider that a senior advisor within the Canadian system could cost the government approximately $150,000 per year between salary dollars and other forms of support. That value represents a full year’s work at 7.5 hours per day. A consultant making $1000 per day would consume these resources in 150 person-days, or slightly over seven working months if allowed to be consumed by one person. As a result, one may be able to build the business case for the use of consultants and contractors for specific, short duration issues (addressing a specific issue), but it becomes increasingly difficult to justify their prolonged use from an economic standpoint. There are also challenges that come from the ability to maintain corporate knowledge and

Challenges in Regulatory Oversight  ◾  247

contain information regarding potential vulnerabilities in the system. These can also lead to significant financial impacts (meaning dollars spent as opposed to an impact on the economy) against the organization as it attempts to reconstitute its knowledge base or defend itself. Responding to this cost issue can become challenging. The regulator is often dealing with an environment that has been defined through negotiations with respect to the expectations placed on its employees—such as in labour contracts and similar mechanisms. Adding new requirements or limiting powers (or advancement) based on new requirements can lead to significant challenges should individuals attempt to use the grievance process to reduce their burden. Similarly, arguments regarding work-life balance has created an environment in many areas where there is an expectation that any training and professional development must be done on “work time” and the employee is due additional consideration should they be required to commit their own time or resources. This is where basic project management comes into play with the management of scope, time, and resources. For the regulator, the question is the same. It involves the amount of work (and expectations), the number of resources available and time. The running truism is that a project authority can pick two of the three, but the third will be decided. If picking scope and time, then resources will be dictated. If picking time and resources, then scope will take its place. For the regulator, determining this priority will be contextual in nature. When looking at these three, there is a natural priority. The scope of regulations is determined by the regulations themselves and the laws that apply. Being selective in what laws or regulations are going to be enforced is difficult territory to operate within. At the same time, one can argue that in a globally competitive environment, time is also of the essence. The time lost waiting for regulatory decisions and the uncertainty that arises during that period are anathema to innovators as they commit their own resources and effort to finally reaching a point where they can benefit from that innovation. As a result, there is a bias towards the issue revolving around the amount of resources available or to be committed. When looking at the resources, which can be translated into people and the tools available to perform work, one cannot simply expect to operate at 100 percent all the time. Military forces long since learned that there were elements that were deployed, elements preparing for deployment and elements that would reconstitute themselves following deployment. A similar structure needs to be looked at in terms of setting a structure in place that allows for some persons within the organization to be in the training and development system while others are deployed and doing the work in the field. Some would argue that this conflicts with the need to reduce costs and the size of government as a number of persons may not be directly working in the field as they are acquiring new knowledge and skills. This, however, becomes an issue of “best dollar” versus “lowest dollar.” Again, the question of time, resources and scope come into play. If stating that resources

248  ◾  Critical Infrastructure

are the key element (lowest dollar), then one will have to make up the loss or gap from either the scope (deregulation) or time (time to market and operational impacts). This also forces the organization back into the trap of becoming reliant on consultants and contractors for their day-to-day operational needs as opposed to specific operational requirements. When looking at the best dollar value, there is a calculation to be made. If the issue is a short term, single-event issue, then it may well be worth engaging consultants. Where such events become part of the baseline operating environment, there will need to be an adjustment of the baseline knowledge and that will require training. In this case, determining the number of persons that need to develop expertise in the area to meet demand needs to be established, that number adjusted to allow for any requirements for ongoing learning and upkeep, and ultimately the organization needs to adjust its size based on the reasonable expectation that it can meet the obligations made under the various agreements (including its collective agreements—which it can renegotiate later using the appropriate mechanisms).

11.7 Picking the Right Mechanisms While organizational size plays one role in regulatory oversight, there is another tool available that can provide some benefit. Legislation and regulations are processes that take their time. There is research to be done, consultative processes to go through, impact assessments to complete, legal reviews, and other factors. The time it takes to change legislation can be significant (particularly if the government has a full slate of issues) and regulations, while not as complex, still take significant time. Where there is a need for a quick decision (often in response to an incident or crisis), there needs to be a mechanism in place that allows for the regulator to make decisions quickly. These tools may involve measures, rules or directives. These generally share the characteristics of having limits in terms of scope or the time available to make decisions. They may address unique or special circumstances that would be burdensome, or even impossible to address in time, under the regulatory structure. Regulatory oversight systems may well want to consider these tools as part of the risk management approach under two systems. In many systems they already exist—the transportation sector has a number of systems that allow for exemptions and these kinds of tools. These tools are generally approved at lower levels of the organization (due to their more limited risks and their need for more rapid decision making), involving the senior levels of the organization in a less formal capacity and limiting public discourse. At the same time, they are limited in terms of their application—often to specific events, locations or times. What should be clear is that these tools are available to deal with the short term, specific impacts that need to be managed and to buy time until a specific issue can be integrated into the overall structures.

Challenges in Regulatory Oversight  ◾  249

11.8 The Emerging Role of Private Associations and Membership In some cases, the regulator may determine that it cannot achieve the necessary level of oversight and may attempt to share its authority from within a legislative frame. Traditional regulations involve the government and tribunals acting as the key source of authority. There are some areas that involve the concept of selfregulation—where the industry is expected to organize itself and to ensure that its members all meet the requirements set down by the government. In this context, expertise within government is critical so that the government can maintain an oversight of its decision to allow for self-regulation. The government may also look towards something referred to as hybrid regulations where the authority is shared between the government and a professional body that is given legal authority and standing on technical matters. One sees this in engineering, legal, and medical colleges that can sanction their members should those members come into conflict with that body’s acceptable codes of practice. The coming challenges with the foreseeable evolutions in technology and movement of populations (ranging from normal migration, political issues, climate change, etc.) come in two major forms. The first of these involves the care and effort that it takes to establish such bodies (if that route is to be explored) to ensure that matters of public safety (in its broad sense) are treated first and that the regulator maintains adequate an adequate capability to oversee these organizations. This will again require an assurance of loyalty and competence that may well require regulators to require that their personnel maintain that level of parity with those that they are regulating. The second criteria involves coordinating the interaction between these organizations to ensure that individuals still have mobility and that there are reasonable expectations that organizations can compete. Organizations and associations that place baseline restrictions that limit participation based on requirements that are not in line with the requirements to be met (such as setting an unnecessarily high insurance carrier or setting significantly high baseline memberships) must be prevented if the governments wish to argue fairness in competition. Organizations that promote or establish this kind of practice have little to no business using the authority of the state to protect their attempts at generating de facto monopolies.

11.9 Membership versus Competition? There are emerging systems that have membership to certain operations as a prerequisite for operations. This is another area that is likely to be challenged legally should these kinds of requirements continue to flourish. The question becomes at what point should those associations be allowed to remove members if membership is a regulatory requirement? Does this, in fact, provide a method of regulatory

250  ◾  Critical Infrastructure

sanction without providing for an appeal mechanism for those involved? Under what conditions should the organization be required to provide a reasonable means for membership for businesses that cannot be reasonably expected to pay significant fees? The danger here is that associations can attempt to use internal decisionmaking powers for such factors as fees, bylaws, internal discipline, and other factors to manipulate the market. For example, an association may set a requirement for individual membership at several thousand dollars. This may limit, if not eliminate, the ability for several individuals to participate in the market. Similarly, those members that operate at the fringe of the membership may find themselves forced to adopt hostile or damaging measures to retain their memberships. The question becomes whether this practice becomes a protectionist control that runs afoul of fairness and competition conventions and legislation or not.

11.10 Authors’ Note Regulators will likely face significant pressures over the coming years. Environmental factors such as climate change, changes in the threat environment and the evolution of technology (with some significant possibilities on the near horizon) will put pressure on regulatory bodies to find ways to appropriately oversee the design, implementation, use, control, and removal from service of technology and other security controls in the critical infrastructure protection domain. These pressures will be influenced by factors such as scope, resources and time. As a result, one might see areas left unregulated or even a measure of deregulation. One may see increased reliance on professional associations and see these organizations given expanded powers. At the same time, the regulators will be under increasing pressure to meet the need for increased training and development cycles so that they are not pushed into situations where they cannot discharge their functions or oversee those that are delegated to support them in the discharging of those functions. This, in turn, may well lead to conflicts and comments with those seeking to press for the reduction of internal government costs to ensure adequate resources for other government activities or simply for political capital.

Chapter 12

Interdependencies 12.1 Looking at the World—A Community People tend to want to categorize the world around them. This is a natural effort as people attempt to bring order and understanding to the world. This approach has had some positive trends—the ability to organize activities, to build communities, and building understanding—but it has also led to some negative trends—such as racism and discrimination. The challenge with this form of categorization is that it not only loses detail in examination, but it often fails to identify how the various boxes are connected and reliant upon each other. This is why people can use such broad sweeping statements in demographics which fail to recognize the cultural and social differences that exist within those communities and they gain some level of recognition. Consider the approach represented by this kind of thinking as being something akin to a decision tree. If something fits into a certain category, then a branch is chosen and the decision proceeds. This may be somewhat akin to modern computing today—if not 0, then 1 and vice versa. Something generally applies to a category or it does not. We see this argument when attempting to deal with control systems. Is it something unique or is it simply an information technology network? Resolving this question becomes the priority before dealing with the myriad of issues that permeate that technology—because we need to know how to label it to understand how to respond to it. Take another example, the family home. What is the family home? It has its own label. For many sectors, however, the family home represents something that fits within the client or consumer category. Within that category, it has a range of profiles, but they all generally fall under the category of consumer of goods or services. It is often the terminus when considering the distribution of that good or service. It is also often the initiating point for payment of that service. We have 251

252  ◾  Critical Infrastructure

power, natural gas, water, and such delivered to our homes and we pay a fee for that service. The same falls true for factories—they are an end consumer of the product or service and then pay for that good or service. While this approach allows us to essentially organize and tidy the world around us, it can leave significant gaps. Consider pandemic planning. One of the first assumptions was that a few employees could become ill and would not show up to work. This was expected … an organization is not immune to this kind of thing because it holds a certain position in the plan. What was less expected was the number of persons that could be absent. This was a much higher number. What was also unexpected was that many of these people were not ill, they were identifying their need to take care of their family over their need to be at work. In short, the box that the organization chose failed to recognize that their people may choose another box, leading to a loss of personnel during the crisis.

12.2 Current Trends in Business Certain trends have been identified as being fundamental shifts in how business is likely to conduct itself in the near to medium future. These trends can be summarized in four major areas that are going to challenge how we look at interdependencies. ◾◾ The use of analytics and ultimately Artificial Intelligence (AI) to refine the relationship with consumers is likely to continue. The focus on these efforts has been largely in terms of targeting advertising and marketing efforts to increase the return on investment in those business activities. This also involves approaches businesses using the full population of datasets within their organizations to guide their operations and improve their business intelligence; ◾◾ The use of social methods of learning, such as peer-group learning, the use of social media, interactive applications and similar technologies; and ◾◾ The transition of the workforce from being an institutionally-supporting and career driven population of workers to one that seeks self-actualization and advancement. What does this mean from the perspective of looking at interdependencies? When we look at these three trends, one might reasonably expect that our understanding of interdependencies can be influenced in the following manner: ◾◾ Our understanding of the impacts associated with events will become far more granular as the ability to analyze the event increases using analytical tools. Similarly, the increases in computing power, and the potential revolution that may come from the integration of quantum computing, will allow

Interdependencies  ◾  253

a greater population of scenarios (and their impacts) to be identified and assessed. This increase in the number of datasets and the speeds at which they can be processed can lead to significant refinement in our understanding of potential cascading impacts and events arising from failures of interdependent infrastructure. ◾◾ The use of social media methods of learning offers a significant opportunity for both governments and industries to inform and educate populations with respect to how to handle events. Similarly, the ability to identify, form, manage, and exploit the thinking of groups using social media tools (or similar proprietary tools) may allow organizations to communicate its information requirements and instructions to those populations more quickly and accurately and using common platforms. This capacity can be further enhanced using analytics. ◾◾ The changes in the focus from a career-oriented to an actualization-focussed working population, however, poses a risk from the interdependency perspective. Unless organizations have very clear and enforced information management systems, the increased rate of transition can lead to increases in losses of corporate knowledge, including the first-hand accounts of events associated with the failures of interdependent infrastructures on the organization. Consequently, organizations may find some utility in either bolstering their information management systems or adjusting their staffing processes so that persons can realize their goals towards self-actualization within the same organization. Businesses continue to focus on the concept of “just-in-time” delivery with the premise being that the transportation network (carrying the materials) replaces the warehousing infrastructure normally used to maintain reserves of inputs (ranging from food to manufacturing). The challenge here is that the “just-in-time” system leaves the organization or community exposed to a loss of critical or needed materials under two circumstances. The first of these circumstances involves a disruption of a shipment that means a period during which the demand strips the availability of the product, service, or data from the system. The second involves the circumstance during which the demand cannot be met as the system attempts to re-balance itself after an event. The first impact (a loss or delay) leads to an absence during the event while the second impact (a lag or pull) results in either an absence in the period immediately following an event or a loss of quality (integrity) that comes from suppliers or providers attempting to meet the demand faster than they can normally handle. These impacts (push/pull/lag/delay) are common across all networked environments, not just the transportation sector or the shipping activity. While sea containers full of material (or trucks) may be the common image, similar principles apply to networks (think of data packets instead of trucks), electrical distribution grids (noting the issues associated with surges and quality of power),

254  ◾  Critical Infrastructure

water distribution systems, and so forth. Understanding how impacts affect systems in terms of these four factors is becoming critical, particularly when looking at interdependent events. One approach for mitigating this scenario involves switching from a “just in time” system to a “just in case” system. This system involves identifying common impacts and then maintaining adequate local reserves and capacity that can be used to cover that impact while the normal flow of inputs and services resumes. This approach reduces the benefits of the “just in time” system as it requires some level of maintenance of inventories and warehousing capabilities (or storage of some kind). The advantage of this system is that these reserves can act as a sort of shock absorber within the supply chain that limits or contains the impact of events that cascade through the supply chain. Once again, this applies to more than the transportation system. Consider your computer. Do you own an uninterruptible power supply? If so, you are already recognizing this principle within the context of protecting yourself against a failure through a dependency on power. Within the realm of data, one might look at the use of back-up systems, particularly resilient systems such as properly configured (or appropriately configured) cloud-based systems to preserve data holdings. It also applies to systems that integrate the checking of data flows for lost packets and that maintain the ability to replace damaged or lost packets during the transmission process. Within the realm of water, one might simply look at having five days of potable water (or some other amount) available to have a supply on hand should some form of contamination occur. When looked at from a common-sense point of view, the “just-in-case” system refers to a more prudent and balanced approach to efficiency whereas the “just in time” system refers to one that is intended to maximize efficiency under normal conditions, but which can leave the organization at increased risk. The key is balancing the application of the “just-in-case” system within operating and threat environments that are becoming increasingly unpredictable and in such a way that the organization maintains its resources and competitive advantage.

12.3 The Shift and Change Government and Regulation This is where the movement towards performance-based regulations becomes significantly important. Given a service or capability being declared essential, it achieves what may be described as an “always on” or “always up” status. This, of course, is impossible to guarantee and organizations are generally forced to risk manage decisions based not only on civil liability but also regulatory liability (administrative monetary penalties and the like). The other aspect to this is that performance-based systems are generally more descriptive of goals than of specific measures—meaning that the organization is given the flexibility in how

Interdependencies  ◾  255

they respond to those goals. This comes with an augmentation in accountability because the measures that the organization proposes to take are assumed to be reasonable and achievable. This factor must also be looked at in terms of how it may influence legal and civil liability. While each case would need some form of legal contribution (to determine specifics), one might reasonably assume that if an organization has the flexibility to meet a goal in its own way, it should be able to maintain that capacity under most conditions. Returning to the Churchill, Manitoba event in the spring of 2017 (an event that shows all the hallmarks of an interdependent event), one sees this principle in action. An organization commits to a course of action through a contracting process and that service is disrupted through an event that goes beyond the organization’s willingness or ability to recover the service. Given that the route was a single point of failure, the community also began to look at the company in terms of subsequent potential issues, such as the lack of availability of fuel for the winter. While this work is not intending to make any comments on the specific liabilities, it does serve as a good example of how corporate decision-making (for good or bad) can lead to events cascading through the interdependencies of services.

12.4 The Blurred Line between Government and Business The role of government within the Critical Infrastructure Protection and Critical Infrastructure Assurance domains has been one not of ownership but more of regulator. Most critical infrastructure is not actually operated by government entities (although some are). What is also becoming clear, however, is that the consultative processes used by government and the reliance on outside technical support services has also been increasing over time. In health care, benefits packages are often configured or drawn from private enterprises. Power generation and energy is not supplied through government operations but through private companies. Except for certain circuits, telecommunication services and capacity also reside within the private sector domain with many of those services also supporting general government operations. One might state that the distance between companies and government has been closing. While government services may be delivered and supported through private sector enterprise, the performance-based regulatory structure allows for private ownership of critical infrastructure protection at two levels. The first level (and least obvious) involves the use of consultation processes in the development of rules and measures. The second involves the corporate plans (as approved by the regulator) to become the controls that protect that infrastructure and assure that service.

256  ◾  Critical Infrastructure

12.5 The Rise of the Networked Machines— The Internet of Things (IoT) While the divide between the regulator and regulated becomes more blurred, the other factor that must be considered is the permeation of networked technology. From the perspective of an interdependency, a new fragility has entered into the system in that the speed and convenience with which technology is used has reduced the ability to operate without that technology. Wireless communications devices connecting equipment within a sea container shipping yard are vital to maintaining the speed of performance that is the key performance indicator for if the terminalis likely to be profitable, or even viable. Heavy equipment is making increased use of network-enabled technology to monitor the performance of key systems (such as engines) and to allow the manufacturer to make subtle adjustments without having to go on site to maintain the equipment except in the case of significant failure. Homes are showing signs of increased automation and remote control using wireless or electrical infrastructure to maintain a comfortable living environment. Each of these examples illustrates the penetration and permeation of network-enabled technology into the baseline operations and critical paths of various activities. In the race for convenience, however, this permeation is showing signs of augmenting certain kinds of risks. The Internet of Things has allowed for network connectivity to permeate spaces normally outside its reach. Combined with the permeation of “smart phones” and similar personal devices, the ability to physically protect infrastructure against interference is facing a fundamental shift in emphasis. While physical attacks will likely still occur, the increased knowledge and skills evident in the hacking (criminal versus ethical) and the increased level of skills means that criminal organizations or individuals no longer need to rely upon physically “attacking” an organization. While an organization used to only need manage its own network topography and architecture in a way that prevented less trustworthy systems from interacting with more sensitive operations, these two factors have built bridges around many of those controls. This also has a profound effect on both the criminal and cyber attack cycles that allow those seeking to cause injury to conduct their reconnaissance into systems and an organization through less monitored (or even unknown) channels and reducing their risk of detection by security or other members of the organization. As a result, many of the attacks that occur can be expected to be along the lines of “zero-day” exploits in that there will be little to no warning in these circumstances unless an organization is aware of these potential vectors or channels.

12.6 Trends in the Alignment of Interdependencies One aspect that has accelerated within the critical infrastructure protection domain is the stratification of the various sectors. The importance of this stratification is

Interdependencies  ◾  257

that different approaches to critical infrastructure assurance and protection will need to evolve as this stratification continues. The first sector involves those that are critical to a life sustaining environment but that operate at local or regional levels only. This includes: ◾◾ Water and waste water; ◾◾ Food and agriculture; and ◾◾ Emergency services. Without these three elements present within an environment, maintaining the basic services to sustain a population and order within society becomes nearly impossible. A lack of water, such as being experienced in Cape Town, can threaten the existence of the community at large. Similarly, the drought in California has clearly indicated some of the challenges that could arise in balancing water requirements between a population’s drinking water, the water needed for agriculture and that needed for more esthetic purposes. The challenge here is that a collapse of the water system (particularly drinking water) needs to be addressed urgently given that life safety is impacted in short days. Addressing a systematic shortfall in this sector may be vital to the continued viability of a community. Food and agriculture can be affected significantly by extreme water levels. Crops can be destroyed by drought, but they can also be impacted significantly by flooding. The difference here is on the urgency needed to respond to loss of support from that sector. While not as immediately critical as water, the sector still has limitations within which issues must be addressed. Food stocks, however, can be brought in from outside the area and so forth. Emergency services also fall into this category in that they are necessary for maintaining the order within society. The failure of either of the two above sectors, however, can lead to increased demand on this sector—above and beyond the baseline requirements. Emergency services may need to protect vital points that are involved in the distribution of water or food to populations. This demand will become increasingly critical as conditions persist. These services are also drawn from the local populations and may also be facing the local impacts. These three sectors, however, illustrate what may be described as an accelerated clustering of interdependencies. These three sectors tend to operate at what may be described as a primary level when looking at the preservation of a community—the failure of any one or more leads to the collapse of the community. The secondary level of this may be described as the Commercial Facilities Sector and Government Facilities Sector. The reason why these are considered secondary is because the services can be delivered from outside those facilities, but the lack of these facilities makes the delivery far more complicated and place strains on the primary sectors. This strain is most clearly felt with the Emergency Services sector that must provide unique or expanded services to facilities that may be operating on a contingency or improvised basis. The ability to maintain adequate food and water

258  ◾  Critical Infrastructure

at a football stadium during a period of crisis poses significant logistical challenges. At the same time, maintaining “law and order” within that facility also poses challenges. These are not considered as being primary as the services can be delivered using alternatives—where a football stadium is not available, another location with similar characteristics may do. Contrasting these two relationships leads to what may be called a vital dependency. When considering sectors such as food and water, there is no way to substitute the service with something else. Should these sectors fail, another source of the same product (or service in the case of waste water) must be found quickly to meet the demand. In this context, drinking water is obviously the most critical in that people will die if they do not gain some access to it quickly. If the water cannot be sourced locally, then it must be brought in from somewhere else. Those involved in the disaster relief activity (for natural disasters and not IT related) understand that the next critical element involves the ability to deal with sewage. Waste water, or at least the treatment of sewage is the next vital aspect. Without this, disease flourishes within the camp and, again, lives are put at risk. Finally, one must look at the issue of food. Again, one cannot really replace food, one must find another source of that food. An interdependency that links between flexible sectors (such as with the commercial and government facilities), however, would be looked at in terms of several other factors—such as whether the issue is transitory or not. In this context, one looks at the interdependency in terms of its impact (operationally), its persistence (how long it lasts for), and whether it is cyclical in nature. A very significant impact that happens once but that is not permanent may be considered transitory or nonpermanent. A similar impact that recurs periodically may be described as both significant but also cyclical in nature. While it may be important to have a plan that allows the organization to work through the first kind of interdependency (the transitory), it may be vital for the organization to make efforts to address the root causes of failures in interdependencies of a cyclical nature. Where interdependencies are transitory or cyclical in nature, unique combinations of interdependencies can lead to impacts that cross over between them—like an electrical current arcing between two wires. Consider a disruption of food and water in an area. While this may not impact the transportation sector directly, the failure of communications within the area (requiring longer delays for drivers) may cause an arc between the two systems that impacts the transportation system through the driver’s ability to operate safely. The direction of these interdependencies must also be considered. A dependency will usually describe an impact that flows in one direction. For example, the loss of a government facility within an area disrupts several government services but does not necessarily affect other sectors significantly. Life goes on. There are also interdependencies where the impact will create something like a feedback loop— such as one might find when relating energy and transportation. A lack of fuel impacts transportation in that it can no longer function. The lack of transportation

Interdependencies  ◾  259

limits the amount of fuel that can enter an area to resolve the issue. This kind of interdependency needs to be identified and addressed in the planning and preparation stages (within the context of emergency management). Materials or services to be pre-positioned and supported to break the cycle before that cycle can begin to establish itself. The next cluster of interdependencies involve those sectors that operate relatively independently but that require the support of specialized services. The Chemical Sector, for example, may require a range of response capabilities if dealing with accidents (ranging from hazardous materials response, evacuations, or mass casualty treatment). Dams require specific and specialized engineering support services to prevent disasters and specific response capabilities should it appear that the structure is going to fail. Finally, the Nuclear Reactors, Materials and Waste Sector, faces similar challenges when dealing with various materials. The common thread in this category is in the nature and severity of the potential impacts. These all have a strong possibility of involving massive losses of life and property. Within this category one must separate dependencies and interdependencies. These sectors will require very clear assurances that they will receive appropriate support from other entities or sectors. Where these organizations are providing support, that support would be considered a dependency. The interdependency occurs when those supporting services require inputs from the affected sector. This becomes particularly critical in that the disruption in the affected sector could then cycle through the responding sector and back to the originally impacted sector by delaying or disrupting the needed response. This exacerbates the impacts associated with the disruption quickly and with potentially dire impacts. There is a similar possibility when considering the Defense Industrial Base Sector and the Critical Manufacturing Sector. In this case, the impact is most likely to be strategic in nature and not local. Disruptions in key supply chains may not affect people in terms of a loss of life but may put significant strains on industries or forces that are involved in projecting national interests or priorities abroad. In most other respects, however, they would be very similar to those described for the Chemical and other sectors described above.

12.7 The Emergence of the Key Sectors – Energy, Transportation, Telecommunications, and Financial The interdependencies linking four sectors are particularly important to note. These stem from the interdependencies between the Energy, Transportation, Tele­ communications and Financial Sectors. These are paired and ordered this way for a reason. The Energy Sector underpins both the Transportation and Telecommunica­ tions sector. During the August 2003 blackout, Eastern Ontario approached a

260  ◾  Critical Infrastructure

situation in which the lack of fuel was impacting the ability to move fuel for the backup generators into the area. Should that threshold have been breached, the disruption in power would have had a critical impact on the remaining critical services such hospitals, cooling centers, water treatment, food shipment, and others. Similarly, there are strong ties between the Telecommunications and Financial sectors. This is becoming increasingly important in an age of Electronic Funds Transfers (EFT) and is also likely to be one of the key vulnerabilities when looking at electronic currencies such as Bitcoin (and similar variants) should they evolve into an accepted financial tool. The evolving reliance on EFT’s operates at both local and strategic levels. These two pairs, however, can come together to create what may be described as a perfect storm within the interdependency realm. This perfect storm describes conditions under which the system cannot recover. The right combination of these not only affects the response to an event, but also reduces the ability to identify and define the nature of the impacts in such a way that determining what response is needed or what responses have been effective is also difficult or even impossible. Evolving technologies may lead society closer to these conditions. Consider autonomous vehicles—ranging from cars, aircraft, rail, and even ships. This bridges the connection between the two sector pairs in a way that provides what may be described as a single point of attack against all four sectors should the Telecommunications and Energy sectors be affected. While the conditions under which this may occur are still not fully understood, the potential for this kind of impact across the full community requires an additional level of care when considering the deployment of this technology. Similarly, the convergence of traditional telephony services (analog and later digital) to protocols such as Voice-Over-Internet (VOIP) cluster these sectors in a way that emphasizes these factors. The clustering of these four sectors requires a balanced and thoughtful approach from both within the government regulatory communities and the business communities. Given the nature of the critical impacts on society, the government regulatory communities may be argued as having a higher duty of care with respect to the integration of newer technologies that can lead to these conditions. This will largely affect the consultative process that has become increasingly balanced towards the private sector entities. One might argue that the government regulatory services must be able to conduct their own independent security assessment and accreditation on systems to verify vendor claims (prior to sale) but must also be mindful of technological solutions that promote certain approaches. Within the private sector community, this will require that organizations understand a need to control the enthusiasm and exuberance associated with the adoption and integration of newer technologies. At the fundamental level, the business needs drove the development of tools. This required a significant amount of time and effort, particularly in the development of proprietary tools. This has evolved to include situations where the business needs are tailored to fit readily available

Interdependencies  ◾  261

solutions which may (or may not) cover the full suite of vulnerabilities associated with that application. The pace at which technology can be designed and deployed can outpace the various checks and balances applied from outside of the business community (such as the regulatory). This is a cultural issue that, in some cases, may border on technophilia as certain communities drive their technologies to market or attempt to bring them to market in search of solutions.

12.8 Comparing the Topography of Interdependencies with Flat/Hierarchical Networks A flat topography is used in the context of those that work within the IT Security domain. Networks are often separated into various nodes or hierarchies, often using gateways, switches or routers. The areas that fall within these nodes or hierarchies are generally referred to as broadcast zones. A flat network involves an architecture that is moving to, or operating with, a single broadcast zone. All devices fall within the same hierarchy or broadcast center. This is generally done to reduce the costs associated with switches, routers and gateways but can leave the network exposed should something breach the perimeter and enters the broadcast zone. For a network, an event breaching the perimeter of one broadcast zone may be contained within that broadcast zone by cutting the connection points with the rest of the network. Similarly, a hierarchal configuration can also allow for certain zones within the space to be protected by additional or more rigorous controls. Those involved in incident response and incident management have become well-versed in working to isolate and contain events before they can cause significant network disruption. Now consider the spoke and hub configuration as applied to other sectors (such as transportation, energy, telecommunications, and financial). Each locality can be describes as having hierarchical characteristics through efforts such as business continuity planning. The business impact analysis done at the start of the planning processes stratifies business activities from the critical to those that are less critical. The controls that are placed around these processes and business lines creates what may be described as hierarchical. These points in the spoke and hub network operate heretically at regional levels. Outlying points, often less protected due to smaller resources and apparently lower threats, interact with the central hub. The central hub acts as a sort of regulator by limiting how it can be affected by impacts from outlying site. A central airport will not subvert all its operations (supporting all outlying sites) simply to assist one site. This creates another layer of hierarchical structure. When one considers the central hubs, however, these operate in more of a mesh topography. The challenge with the mesh topography is that it more closely resembles or approximates a flat network. Consider the impact of a disruption at one of

262  ◾  Critical Infrastructure

the major airports. The impacts cascades through the entire system if the operations connect either directly or indirectly to the affected central hub. Direct impacts may be described as delays in flights, the inability to send flights, and then the challenges associated with catching up the operations. When looking at the mesh network, capacity will generally balance itself between nodes (distribution centers, etc.) and conduits (routes and lines, etc.) as best able when demand exceeds capacity. The challenge happens when the supporting nodes and conducts begin to fail under the demand. This is what ultimately leads to the fragmentation and potential dissolution of the network as the network cannot re-establish routes past the disruption. This describes a state of criticality in the overall network which, in this case, represents sectors. Within the four key sectors (energy, transportation, telecommunications, and financial), certain relationships may be described as “strong.” Energy and transportation, for example, share a “strong bond” involving the availability of fuel. The energy sector relies on transportation to deliver the fuel past its major distribution points (such as trucks to gas stations) but the trucks also rely on those gas stations for their own fuel. A loss of availability of fuel at the stations can trigger failures that occur not only at the sector level but across this bond. Consider the August 2003 blackout that saw many parts of eastern Ontario with fuel in the gas stations but no electricity to run the pumps to distribute it to vehicles. The result approximated a fuel shortage. In this case, the linkage between the electrical distribution system and the fuel distribution system shares what may be described as a “strong bond.” While the characteristics of a “strong bond” can be very generally characterized as involving a direct impact, these bonds share characteristics based on the interdependency between the affected sectors. For the August 2003 blackout, this bond can be considered bi-directional or even cyclical in nature when considering fuel shipment. When considering the electrical failure, the bond may be considered strong from the electrical sector to the transportation sector (the lack of power affecting distribution) but weaker when considering the impact of the lack of fuel on the electrical sector. As the event progressed, however, the lack of fuel began to affect generator reserves, illustrating what may have been initially described as a “weak bond” becoming “stronger.” The same principle holds true between the financial and telecommunications sector. Electronic Funds Transfers require the use of the telecommunications infrastructure. When the telecommunications infrastructure is disrupted, then the funds cannot be moved. This would be indicative of another “strong” bond pairing. While these pairs of sectors show “strong bonds”, they are also connected through a number of “weak bonds.” Consider the impact of a loss of communications on the airline industry. Aircraft can still fly but, depending on the nature of the disruption, passengers cannot board the aircraft. An example of this involves failures in communications systems that handle the aircraft boarding and reservation systems. This is considered a “weak bond” because the impact is less direct

Interdependencies  ◾  263

than a strong bond. It affects a supporting service and not a service that falls on the critical path. A disruption may result in impacts across both “strong” and “weak” pairings. A power failure may impact the telecommunications sector through “strong pairings” as the telecommunications sector’s critical operations fail or are put at an increased risk of failing. It may also flow along “weak” bonds. For those assessing the impacts, it should be noted that these bonds can be linked together like links in a chain and some mitigation can occur at every link (such as backup generators compensating for lack of power). These bonds will closely mirror the interdependencies between the various sectors and services. While it is perhaps convenient to simply follow the flow of operational impacts, it is vital to understand the topography of these bonds between the various sectors to be able to predict the volatility and secondary impacts that may flow from single events. It should also be noted that the prevalence of specific vulnerabilities across key sectors also impacts this. The relationship amongst the four key sectors is not linear but itself a mesh of strong and weak pairings. Consider the EFT system. This technology is widely deployed across all the other sectors. Thus, a vulnerability that is exploited to cause a critical impact flows along the strong and weak pairings to affect those connected sectors. This can in turn trigger the impacts between other pairings that are considered “weak” but which then affect the operations in those other sectors in terms of operational pressure, but not necessarily failure. This will push the affected sector towards a state of failure, but this may or may not be immediately apparent to those operating in that sector. As the affects become more prevalent or significant, they will pass the fragility thresholds (leading to failure) and as these events continue, the affected sector will approach the fragility levels associated with regional or network levels. When considering attacks that may through bonds or interdependencies, there are two scenarios that need to be considered. The first is a single point of attack which results in impacts flowing along the interdependencies and bonds from that originating point. These will be influenced by the local topography of the networks and, depending on their severity, may cross into other flat networks. In this context, the overall impact may eventually become severe but may also be limited to a specific region. When considering a single vulnerability in a sector that has that technology deployed into multiple sectors, this flow of impacts may have multiple entry points into the second level of sectors. For example, if a vulnerability can be exploited in such a way that it affects the full telecommunications sector, the impact may be felt in several locations simultaneously. When considering the fragmentation and dissolution of network, this second scenario is far more complex given that the initially impacted points will all have impacts that flow along the bonds or interdependencies. The difference would be comparable to tracking the effect of waves that results from a dripping faucet to looking at a similar exercise in a pond while it is raining.

264  ◾  Critical Infrastructure

Outside environmental or operational factors can influence the impacts that flow naturally through interdependencies and bonds in a way that can either create new impacts or amplify existing impacts. The key factor is the system’s ability to absorb changes or impacts without suffering disruptions. Peak operating periods (or where the system is operating at full or beyond fully-intended capacity) may result in conditions where the organization has little to know resilience. Similarly, environmental factors may result in the system being placed under additional strain such as may occur when the electric power grid suffers brown outs during periods of extreme heat in the summer due to increasing demands by cooling systems. When these conditions exist, two or more impacts existing naturally between infrastructures can be exacerbated or amplified, leading to a third kind of impact which would not normally occur under other conditions. Using the high-heat period as an example, this may result in the degradation of the power supply that is used to feed the grid which in turn is used to power telecommunications. While the telecommunications sector may be able to withstand limited impacts of this nature, it may face challenges should those conditions persist longer than it has been able to prepare for. Thus, the relationship between sectors cannot be simply looked at in terms of linear dependencies or even inter-dependencies. When modelling potential impacts, the topography of bonds, dependencies and interdependencies must be understood to effective map and predict the impacts associated with certain kinds of attacks. This, however, is not a stable playing field. In addition to the mechanics (in the physical and logical sense) of attack, those seeking to predict the flow impacts must also consider various external factors that can affect demand (peak travel periods, etc.) and the available capacity of the network (high demand for additional power to support cooling, etc.). The relationship must therefore be looked in terms of time, the frequency and duration of conditions, the impact of these cycles in terms the fragility of the infrastructure, and the inter-relationship of various primary and secondary impacts. For organizations, therefore, there is an inherent risk in attempting to overemphasize preventive controls. The number of potentially kinds, permutations and combinations of events can lead to a level of complexity that would overtax most systems’ ability to predict and implement effective preventive controls. This is not to say that preventive controls should not be part of the suite of controls used to protect the capacity of the infrastructure. It is to say that preventive controls are only one aspect of the controls needed to properly assure systems where this level of complexity exists. The other suite of controls may be normative controls that focus on maintaining the equilibrium across the system. These controls may include interim preventive controls but also include detective and response controls operating at local, regional and system-wide levels. When designed and implemented appropriately, these controls serve to maintain the capacity of the sector to meet demand, to contain impacts as best possible, respond effectively to those effectively and speed appropriate recovery.

Interdependencies  ◾  265

12.9 Conditions for the Perfect Storm The perfect storm describes rare conditions that can lead to the full collapse of several infrastructures across at least regional levels. The general conditions of a perfect storm consist of the following: ◾◾ The initial event fragments the network in such a way that demand cannot be met; ◾◾ The scale of this disruption is at least regional in scope; ◾◾ The impact flows along the interdependencies and bonds that also affects the sector’s ability to detect and respond to the event; and ◾◾ The impact also degrades the organizations’ ability to focus and complete its recovery efforts. These conditions describe a scenario where the only option to restore functionality involves resetting the system after complete failure. Essentially, the sector must “reboot.” The key effort that sectors can make to prevent “perfect storm” conditions involve the following: ◾◾ No vulnerable service is relied upon across all operations; and ◾◾ No vulnerable service is incorporated into all of preventive, detective and response controls or systems (in terms of interconnected and managed processes). This will lead to a circumstance where certain sectors are argued as being “too big to fail” as the impacts associated with such a failure would be cataclysmic. This term has been used in economic contexts but also applies with respect to general operational contexts. Within the domain of Critical Infrastructure Protection and Critical Infrastructure Assurance, this creates a new layer of criticality when looking at sectors. One question that remains involves the roles and responsibilities associated with the management of those sectors and what support and expectations should be in place to prevent their failure. The other question is whether regulatory bodies (primarily concerned with public safety issues) should allow for sectors to evolve to a point where they lack the resilience necessary to meet the demands on the sector should key organizations fail. The challenge here is that this will involve major rethinking of policies and practices that prevent regulatory bodies from interfering in sectors based on the success of organizations as opposed to their failure and is therefore improbable.

266  ◾  Critical Infrastructure

12.10 Authors’ Note Given the growing interconnectivity of infrastructure and the trends towards globalization and distributed services, the ability to identify, assess, manage and monitor the full suite of any organization’s dependencies and interdependencies is growing increasingly complex and certainly beyond the range of any organization’s sub-department. Business owners, at the executive level, may wish to direct their various asset and process owners to capture this information as part of their dayto-day activities and ensure that it is being communicated to a central or official repository (well-backed up) so that a comprehensive awareness can be built. Business owners are also warned about a current trend within the Asset Protection and Security community towards the adoption of standardization and compliance. Within the context of interdependent systems and links, there are two significant issues. The first issue involves the necessity of becoming compliant (i.e. expending resources) for the sake of compliance alone. The second involves the fact that what works well in one operational/threat environment does not necessarily mean it works well with all. There will be significant pressure to adopt the standardization approach, not because of business reasons, but because such an approach requires less effort than undertaking comprehensive analyses of the business. As standards and best practices fall under either a baseline model (based on consensus) or a high watermark model (most rigorous solution), adopting this approach can trap businesses into significant expenditures to belong to a community but at the expense of their own operations and without being linked to any real (initial or residual) risks.

Chapter 13

Climate Change There has been a great deal of debate about how the climate is changing the face of the world and how it is affecting populations. An even greater debate is the possible and probable sources of those changes. This chapter seeks to identify, define, and provide insight with respect to the protection of critical infrastructures, as opposed to debating the possible causes (or non-causes) of conditions experienced thus far. The nature of critical infrastructure protection (CIP) requires that a more critical eye be applied to all factors that can have a significant impact on it. Thus, we will look at the issue of climate change not from an advocacy point of view, but rather from a more technical point of view.

13.1 The Challenge of a Changing Climate While there may be debate regarding the specific nature of climate change, there should be little to no doubt that the climate is, in fact, changing. Before we go much further with this narrative, we need to first understand that climate and weather are not actually the same thing. Climate might well be described as something more of a paradigm while weather might well be described in terms of immediate conditions. Within the United States, the report on the National Security Implications of Climate Related Risks and a Changing Climate has been tabled since July 23, 2015 and clearly indicates that “climate change is an urgent and growing threat to national security, contributing to increased natural disasters, refugee

267

268  ◾  Critical Infrastructure

flows, and conflicts based over resources such as food and water.”1 In this report, four significant areas were identified: 1. Persistently recurring conditions such as flooding, drought and higher temperatures; 2. More frequent and/or more severe extreme weather events; 3. Sea level risks and temperature changes; and 4. Decreases in Arctic ice cover, type and thickness.2 Other organizations, such as the National Academy of Sciences have indicated similar concerns within their own reports and works, such as the Abrupt Impacts of Climate Change: Anticipating Surprises3 given the breadth and depth of critical research available, one might consider the debate as to whether the climate is changing to be rather moot. There are two elements that need to be dealt within the context of climate change. The first of these is the long-term ramifications of those changes—such as the need to shift population centers, competition over shifting resource basis, the shifting of various species (including their potential re-emergence) and other similar factors. While the rate at which some of these may appear may not be constant, the response to them will not necessarily be swift. Society cannot simply uproot cities and communities along the seaboard in a matter of short years without causing significant issues. Transportation networks for the global economy continue to rely upon the heavy seaport infrastructure that could well be directly impacted by rising ocean levels (taking not to distinguish between the global average versus the local sea level changes). The second element is the changing precipitation levels and patterns, which can have a significant impact not only on transportation infrastructure and population centers, but also in the nature of agriculture and food supplies. In short, there needs to be a deeper understanding and acceptance that, while still hotly contested in terms of the causes of the change, the change is still there.

National Security Implications of Climate-Related Risks and Changing Climate in response to a request within Senate Report 113-211 and as found at http://archive.defense.gov/pubs/150724​ -congressional-report-on-national-implications-of-climate-change.pdf (alt URL: http://cip​ book.infracritical.com/book4/chapter13/ch13ref1.pdf). 2 Ibid. p4. 3 National Research Council of the National Academies, Abrupt Impacts of Climate Change: Anticipating Surprises. National Academies Press (Washington, DC). 2013 as found publicly at https://www.nap.edu/read/18373/chapter/1#ii. 1

Climate Change  ◾  269

13.2 Christening the Ground—The Basic Concepts of CIP Let us recap what we understand about the critical elements of critical infrastructure protection. The first of these is that the outcome of CIP is not about a well-protected facility; it is the ability to perform or deliver a critical product or service upon which society depends. While many often associate the word “protection” with “security”, insofar as to our point of view, this term not only applies to the security of something physical (as well as logical), but also applies to safety and continuity of a given operation (in this situation, an entire infrastructure). The second factor is that for this outcome to be met, facilities, and the connection points between them (whether they are roads, wires, pipelines or something else), must be maintained and protected in such a way that they sustain the capacity to meet the demands placed upon them. The final factor is that the robustness, resilience, and redundancy in the system which must be managed in such a way that while the system may be in a continuous state of evaluation and adjustment, the outcome of the system’s efforts remain available and in usable condition. The fulcrum upon which this rests involves the protection of an infrastructure. This protection is a combination of various elements—ranging from conceptualization, design, implementation, maintenance to the removal from service—that come together in such a way that we, as the consumer, can benefit from a stable and usable operation or service. Now let us take a quick overview of the concept of fragility. Fragility can be perceived in terms of the probability of something failing. That probability can be influenced by several different factors, including the demand being placed on it, as well as the conditions in which it is operating. For example, consider an automotive engine. The engine is rated to operate at an optimal number of rotations per minute (RPM). As the number of RPM decreases while the engine is under load, it increases the probability that the engine will stall. Oppositely, as the number of RPM increases towards the maximum RPM that the engine was designed to handle, this increases the potential that the engine will suffer some form of catastrophic failure. At the same time, if the cooling system is removed from the engine is allowed to continue to run, it will also fail—largely due to the engine’s temperature exceeding the limits associated with seals and lubricants. These limits are what can be called “engineered fragility” because they represent limits that are specifically built into its design. These conditions, however, are not stable. The most obvious examples of this come in the form of seasons. While those near to the equator will be less influenced by this, populations approaching either of the planet’s poles are subjected to changes that range from temperature, storms, precipitation, hours of daylight and so forth. Each of these changes can have an impact on the infrastructure and its ability to meet that goal of operating or providing a service.4 4

Joshua Zaffos. USA Military Forges Ahead with Plans to Combat Climate Change. Scientific American. April 2, 2012 as found at https://www.scientificamerican.com/article/us-military​ -forges-ahead-with-plans-to-combat-climate-change/.

270  ◾  Critical Infrastructure

Some of these cycles are reasonably predictable, whereas others are less so. We can reasonably predict the number of hours of daylight based on the date. The rate at which this cycle proceeds is relatively fixed. That being said, for example, an earthquake which struck Japan on March 11, 2011 accelerated the spin of the earth by approximately 1.8 microseconds according to NASA’s Jet Propulsion Laboratory.5 While this does not seem like a huge number, it is an important fact in that it was able to influence something that many people would consider to be relatively constant, if not unchangeable. But when we consider that other events (such as the 8.8 magnitude earthquake in Chile and the 9.1 earthquake in Sumatra) also had a similar effect, then we can start to see a small, but present, change emerging. While the length of a day is in no immediate danger of causing all our watches to become useless, other cycles are far less predictable. Consider something as significant as our change of seasons. Our seasons can be influenced by several factors, such as the ocean currents which help to distribute heat around the globe. These ocean currents have a most profound effect in areas away from the equator and are follow routes that are a combination of factors including wind, temperature, and salinity gradients.6 These currents can therefore be influenced and changed which will, in turn, have impacts on other factors such as rainfall (through the evaporation of water and its carriage by winds) and temperature (through moderating effects). The next factor that can affect our seasons is the jet stream which can have an impact on the extremes experienced during each season. In North America, the polar jet stream is one of the significant factors when considering the weather. What we do know is that the jet stream is strongly influenced by the difference in temperatures (between the equator and the poles). The greater this difference, the straighter the air flow and the more stable the weather. As the difference weakens, then the jet stream tends to increase its north and south movement which can lead to abnormal weather—such as Edmonton, Alberta Canada being warmer for a couple of days in the winter than Miami, Florida.7 The concept of critical infrastructure protection involves creating the following: 1. Protecting local, regional and national infrastructure against impacts that reduce capacity through factors that lead to a loss of capacity (such as the loss of power through the loss of a power production facility), fragment, or dissolve the networks necessary to deliver that capacity; 2. Improving situational awareness across networked infrastructure in a manner that any such events are detected, communicated, assessed, and responded to effectively and in such a way that the network can rebalance

http://www.space.com/11115-japan-earthquake-shortened-earth-days.html. http://oceanexplorer.noaa.gov/facts/climate.html (alt URL: http://cipbook.infracritical.com​ /book4/chapter13/ch13ref2.pdf). 7 https://weather.com/news/news/heat-wave-alaska-jet-stream-may-be-blame-20130625. 5 6

Climate Change  ◾  271

itself to maintain those services or recover from disruptions as quickly and gracefully as possible; and, 3. Establishing a learning condition so that the network, and those overseeing it, are continuously learning and improving their ability to maintain that delivery of capacity such that it arrives from appropriate sources to where it is needed on demand, in usable condition and for reasonable cost.

13.3 Responding to Longer-Termed Issues To address the long-term or slower evolving impacts, there are several different approaches that can be taken to reduce the overall exposure of nation states and populations to these changes. They include the following: 1. Establishing measures that limit the expansion into vulnerable spaces to reduce the impacts associated with the gradual change and the immediate impact for when measures must be taken. This may well include making unpopular decisions such as limiting the establishment or growth of infrastructure and expansion into areas that are most likely to be impacted except in the context of measures needed to facilitate preparedness and response. For example, it may be prudent not to establish new critical infrastructure (except as needed to support the local population) in affected areas but rather establish those capabilities in less impacted areas. This would be twinned with the concept of distributing infrastructure and its capacity to support demands across wider areas that are not as likely to be as susceptible to localized events. 2. Establishing resilient networks and over-capacity as the norm in projects to ensure that if the networks are disrupted, it can be contained such that its injury, self-healing, and recovery back to acceptable performance levels exists. This should not be the exception to the rule through specialized programs but should be directly integrated into the core operating principles of the infrastructure as the norm (both in terms of design and corporate culture). This means that networked infrastructure (not in the context of IT infrastructure, but in terms of connected infrastructure) must balance that need for robustness, resilience, and redundancy. 3. Building realistic measures for self-reliance in terms of the protection of populations. This means a critical look at the ability not only of people but communities to self-sustain themselves for the duration of time needed to identify, assemble resources, and respond to the situation. Where this should be challenged is in terms of measures that are increasing the population’s reliance on centralized services to the extent that they cannot sustain themselves without those services. This operates at the family unit level (such as through many 72 hour programs which may be helpful but not necessarily adequate

272  ◾  Critical Infrastructure

in all cases)8, the community level (in terms of the ability to maintain localized controls such as fire response, policing and medical services), and the city level (in terms of transportation, communications, and other similar services). Within an organization, this will involve looking at the capacity of an organization to deliver its services by managing risks associated with the following: Taking a longer-termed vision with respect to the expansion of its organizations and identifying situations where the usable lifecycle of its infrastructure and operations appear to come into conflict with climate-related conditions; Examining its own operations to ensure a level of resilience through modifying just-in-time supply chains to just-in-case supply chains where there is an unacceptable risk of disruptions in terms of key services, support or manufacturing inputs9; and, Building the knowledge, skills, experience and tools necessary to identify, assess, monitor and evolve from events within the organization and to integrate the understanding of those requirements into both the management and corporate cultures. A prime example of these three factors would be the form of the modern food store. Many stores where people shop for food and other household provisions, what is on the shelves throughout the store, contains the only inventory—there is no backroom storage area where older forms of food and provisions distribution existed. This form of inventory control was removed from the store level, and placed back at the distribution warehouse level to regulate, reduce or prevent theft, fraud, or error. Every day, local distribution centers ship routine deliveries to each local food store; those local distribution centers receive weekly (or bi-weekly) shipments from regional distribution centers, which then in turn receive shipments from the appropriate food manufacturers (or suppliers if it concerns perishables, such as fresh This is not to disparage the efforts of the various Public Safety organizations that promote this. It needs to be clear, however, that individuals need to apply a level of judgement to their situation (particularly in terms of the nature of threats and ability to respond) as opposed to simply taking the number at face value. One might consider the situation recently in New Brunswick which involved a loss of power due to heavy freezing rain and which had a significant population without that power for over a week. 9 The just in time system, while very efficient under optimal conditions, can be disrupted through the loss of critical services or inputs because there is little elasticity in the system. The just-in-case approach looks at ensuring that there are arrangements to carry on those services through mutual aid agreements, reserves, and similar measures that flatten out the disruption. These measures essentially flatten out the impacts of certain events over time by reducing them from a loss of production (and potential market) to the need to replace reserves or predictable costs for using alternatives. 8

Climate Change  ◾  273

produce and meat). In the event of a catastrophic failure for an extended period of time (more than 72 hours, such as a hurricane or tornado), food and provisions will quickly diminish due to several reasons which may include looting, failure to resupply the food stores, and lack of ability to transport materials to the food stores. Because inventory is maintained at locations that are miles away from a given local food store, inventory replenishment is not possible. This is where just-in-time fails. If, however, a food store was to have an extended segmented added to it for a small, localized storage facility for critical food and provisions, this would help reduce any impacts for that system. This form of small emergency provisions would be termed as “just-in-case”, allowing for short-term outages; however, this would still succumb to longer-term outages if the time period were measured in weeks as opposed to hours or days. Building the knowledge, skills, experience and tools necessary to identify, assess, monitor, and evolve from events within the organization and to integrate the understanding of those requirements into both the management and corporate cultures. Give examples in here . . . mention about water and electrical supplies; mention Fukushima and New Brunswick electrical outages. Scenario: Fukushima Dai-ichi — Earthquake and Flooding Routine Assessments The incident involving the Fukushima nuclear generating facilities raised many questions about the preparedness aspect of critical infrastructure; in this case, the site was neither completely prepared for an earthquake with a significantly sizeable magnitude, nor flooding compromising the breakwall resulting from the tsunami. Thus, the US Nuclear Regulatory Commission (NRC) ascertained that all nuclear power plants within the US were to conduct initial assessments pertaining to earthquake hazard risk. In 2012, the US Department of Energy (DOE), Electric Power Research Institute (EPRI) and the NRC joined forces to update their seismic source model for the central and eastern US. Thus, it was established through the Near Term Task Force (NTTF)10 that a risk assessment of potential earthquakes on the North American tectonic plate, with a focus on the New Madrid fault zone near St. Louis, the Charleston fault zone near Charleston, S.C., along with other updated information, became necessary.11 The data on seismic sources will be used in conjunction with a ground motion model for the central and eastern US as well as data from individual plants on the localized geology, topography, soil cover, and other data to create a picture of the “ground motion response spectra” for each plant. This new ground motion response https://www.nrc.gov/docs/ML1233/ML12333A170.pdf (alt URL: http://cipbook.infracriti​ cal.com/book4/chapter13/ch13ref3.pdf). 11 https://www.nrc.gov/reactors/operating/ops-experience/japan-dashboard/seismic-reevaluations​ .html (alt URL: http://cipbook.infracritical.com/book4/chapter13/ch13ref4.pdf), https://www​ .nrc.gov/docs/ML1506/ML15068A397.pdf (alt URL: http://cipbook.infracritical.com​/book4​ /chapter13/ch13ref5.pdf). 10

274  ◾  Critical Infrastructure

spectrum at each plant will be compared with that developed in the past to see if the new data suggests the plant could see higher ground motions than previously thought. If that is the case, the plant will be considered to have “screened in” to further detailed seismic hazard analysis. Those plants that “screen in” will be required to do a seismic “probabilistic risk assessment” or a seismic “margin analysis” to evaluate in detail how the existing plant structures and systems would respond to the shaking from the range of earthquakes that could affect the plant based on our current understanding of seismic sources. This assessment is extensive, involving experts from a variety of fields, and will require at least three years to complete. Once these assessments are complete, the NRC will decide if significant upgrades to plant equipment, systems, and structures are required. In the meantime, to ensure that the plant is safe, the NRC requires that by the end 2014, plants have reported the interim actions they will take to ensure the safety of the plants before the assessment is complete. Such measures could include re-enforcing existing safety-significant equipment or adding equipment. For flooding reassessment and protection, the NRC It is expected that any additional information related to the impact of the flooding hazard reassessment will be considered as part of the integrated assessment, and that this information would be used to evaluate the flood protection capabilities in light of potential additional flooding impacts to the site. The NRC wrote a letter12 dated on March 12, 2012 requiring that licensees perform flood protection walkdowns to verify that plant features that are credited in the current licensing basis for protection and mitigation from external flood events are available, functional, and properly maintained. These walkdowns are interim actions to be performed while the longerterm hazard reevaluations and integrated assessments are performed. NRC and the Nuclear Energy Institute (NEI) worked collaboratively to develop guidelines for performing the walkdowns; this collaboration resulted in NEI 12-07, “Guidelines for Performing Verification Walkdowns of Plant Flood Protection Features,” issued May 2012 (Ref. 2), which the NRC endorsed on May 31, 2012 (Ref. 3). As part of the walkdowns, licensees and construction permit holders will verify that permanent SSCs, as well as temporary or portable flood protection and mitigation equipment, will perform their intended safety functions as credited in the current licensing basis. Verification activities will ensure that changes to the plant (e.g., security barrier installations and topography changes) do not adversely affect flood protection and mitigation equipment. In addition, the walkdown will verify that licensees can perform the procedures needed to install and operate equipment 12

US Nuclear Regulatory Commission, Request for Information Pursuant to Title 10 of the Code of Federal Regulations 50.54(f) Regarding Recommendations 2.1, 2.3, and 9.3, of the Near-Term Task Force Review of Insights from the Fukushima Dai-Chi Accident; https:// www.nrc.gov/docs/ML1205/ML12053A340.pdf (alt URL: http://cipbook.infracritical.com​ /book4/chapter13/ch13ref6.pdf).

Climate Change  ◾  275

needed for flood protection or mitigation as credited in the current licensing basis. The walkdown will also verify that adverse weather conditions that could reasonably be expected to occur simultaneously with a flood event will not impede the licensee’s ability to carry out the procedures. As part of the walkdowns, the licensee will enter observations of potential deficiencies, as well as observations of flood protection features with small margin and potentially significant safety consequences if lost, into its corrective action program. It is anticipated that the walkdowns will be a valuable source of information that will be useful during the performance of the integrated assessment. In particular, the walkdowns will provide information on available physical margin (APM) under the current design basis hazard, the condition of flood protection features, the feasibility of manual actions, SSCs that are subjected to flooding, and the potential availability of systems necessary to mitigate flood events. However, it is emphasized that the walkdowns are performed to the current licensing basis. The reevaluated flood hazards performed under Recommendation 2.1 (see Section 2.2) may result in higher calculated water surface elevations and different associated effects when compared to the current licensing basis. Therefore, some of the information from the walkdowns may not be directly applicable to the integrated assessment. It is expected that any additional information related to the impact of the flooding hazard reassessment will be considered as part of the integrated assessment, and that this information would be used to evaluate the flood protection capabilities in light of potential additional flooding impacts to the site (e.g., higher elevations, accessibility issues) that may not have been fully considered during the implementation of the Recommendation. The NRC is implementing Recommendation 2.1 of the NTTF in two phases13. In Phase 1, licensees and construction permit holders will reevaluate the flooding hazard(s) at each site using present-day regulatory guidance and methodologies. If the reevaluated hazard is not bounded by the design basis flood at the site, licensees and construction permit holders should also perform an integrated assessment for external flooding. During Phase 2, NRC staff will use the Phase 1 results to determine whether additional regulatory actions are necessary (e.g., update the licensing basis and SSCs important to safety). These measures may be considered part of the mitigation strategy as footnoted below. The above would likely reside within the context of the senior management’s strategic planning and operations groups that think in terms of long-term timeframes. For short-term timeframes, there is significant overlap when considering the mitigation and recovery efforts that will become apparent as measures may be examined for addressing quicker events. 13

US Nuclear Regulatory Commission, Request for Information Pursuant to Title 10 of the Code of Federal Regulations 50.54(f) Regarding Recommendations 2.1, 2.3, and 9.3, of the Near-Term Task Force Review of Insights from the Fukushima Dai-Chi Accident; https:// www.nrc.gov/docs/ML1205/ML12053A340.pdf (alt URL: http://cipbook.infracritical.com​ /book4/chapter13/ch13ref6.pdf).

276  ◾  Critical Infrastructure

This diagram shows a very focused event (small physical impact aas per lowest ring) of a significant impact (overwhelmed up to the mitigation measures as per the highest ring)

Program impact – the radius represents how the impact of the event overwhelms mitigation, preparedness, response or recovery measures

Geographic impact – describes the event in terms of the physical impact

Figure 13.1  Depth of the vortex is the amount that is addressed. Volume of the vortex represents the social impact. The entry point at the outer edge represents the actual event itself.

As long-term measures may evolve more slowly but may include more significant and potential disruptions (such as having to move a factory), the short-term impacts operate at a different level. These impacts can be characterized as being short, sudden and decisive events. One analogy in this respect may involve looking at a whirlpool and considering the distance covered by the water as the extent of the impact (Figure 13.1). While the water at the outer ring of the whirlpool appears to move more slowly, it does so only in the context of revolutions per minute. In fact, the distance covered may be significantly greater than the water nearer to the center of the vortex. That water appears to move quickly, but the distance travelled is significantly less. This analogy utilizes decision-making requirements in terms of the revolutions per minute. Long-term decisions involving a greater impact may allow for a slower decision-making cycle (one might use the OODA loop context for this) but it this needs to be clearly defined that this cycle is of potentially significantly greater importance to the organization.14 The short-term decision-making capability may require faster decision-making cycles and these may still have a significant impact, but are balanced off in terms of having less strategic impact on the organization (if it survives).

14

The OODA loop is broken down into observe, orient, decide and act. The observe element involves identifying the circumstances and incorporating information so that the organization can orient itself through analysis. This analysis leads to a decision and ultimately action. In this context, the long-term impacts of changing climate may require a more detailed and thorough OODA cycle that is allowed to proceed more slowly than the immediate impacts that would require a faster cycle that focuses less on strategic concerns and more on the immediate sustainability and operations of the organization.

Climate Change  ◾  277

13.4 Integrating Shorter-Termed Challenges of a Changing Climate To the reader, it should be clear that the long and short-term challenges should be looked at in terms of a continuum and not two distinct points. While climate change may be looked upon in terms of a longer-term event, it can manifest itself in terms of weather and immediate conditions. These can include changes in temperature, winds, and precipitation (amongst others). Addressing the challenges associated with the more extreme or frequent severe storms (a factor listed in the report described above), involves mitigation measures that overlap significantly with the longer-term or more strategic decision-making. Consider the Emergency Management Cycle and some of the major activities associated with the phases in that cycle (Figure 13.2). The four general phases are the following: ◾◾ Mitigation — These are longer-term efforts that seek to reduce the loss of life and property by lessening the impact of disasters.15 Those involved in the design of mitigation measures take historical data, apply several assumptions, and then design controls that are designed to remain relevant into the future. We see these kinds of controls in federal flood relief programs, insurance programs, building codes, and specific architectural design and construction methods that are applied to reduce the impacts of local threats (such as “earthquake proofing” buildings). This phase in the cycle will integrate and be impacted by the strategic decision-making significantly; ◾◾ Preparedness — While considering local mitigation controls, preparedness looks to responding to specific events. These include the drafting of local policies, establishing plans, purchasing equipment, training personnel, conducting drills and exercises, as well as similar kinds of controls. While mitigation deals with long term factors in its design, preparedness deals with situations that come from conclusions or assessments that were formed during the mitigation phase (such as what is likely to be the intensity of the most severe storms, etc.). This phase will be impacted by decisions made in the mitigation phase of the cycle, but focuses much more closely on immediate or imminent events and therefore operates more in the short-term or faster decision-making context; ◾◾ Response — These are immediate steps that are taken to preserve life, protect property, and generally contain damage associated with the events. These activities are immediate in nature, such as the dispatching of emergency services, activating command and control centers, and the like. While preparedness measures may be derived from work done during the mitigation phase, the response phase is highly guided by the preparedness phase. The plan that directs 15

https://www.fema.gov/what-mitigation.

278  ◾  Critical Infrastructure

• Medium to short term and quicker OODA loops

• Longer term and slower OODA loops

Mitigation

Recovery • Longer term factors are integrated into decisions meaning a connection between slow and fast OODA loops

Preparedness

Response • Very short term and almost immediate actions

Figure 13.2  The red represents the highest connection between fast and slow OODA loops and representing potentially the most critical break between strategic and immediate concerns.

the responses to these events comes from planning measures falling under preparedness. This phase operates with some consideration towards strategic goals but is focused on immediate and imminent concerns extensively; and, ◾◾ Recovery — These are steps that are involved in returning conditions to an acceptable state. It involves what some might describe as steps that both restore operations (normal or at least acceptable levels of activity) while also healing the community (rebuilding homes, fixing infrastructure, and the like).16 This phase transitions away from the short-term considerations and begins to take into account the strategic concerns again. As we can see from the diagram shown above, the work done in assessing the nature and impact associated with disasters, combined within the mitigation phase, is a critical step in this process. If those involved in that work misread data, fail to make appropriate assumptions, or fail to consider trends when planning for the future, then the population is at increased risk of not being protected appropriately or as intended—plans will not be able to meet the challenges associated with the disasters and recovery efforts will be based on resources that may not be adequate. 16

One can find several hundred descriptions of the Emergency Management cycle online. These include sites such as http://www.viha.ca/emergency_management/emerg_mgmt_cycle.htm which are intended to educate the public regarding the various phases of activity.

Climate Change  ◾  279

The root of this challenge involves defining predictions that remain relevant into the future. For those reading that may not be involved with this kind of process, consider basic and simple weather forecasting. When we look up or read the weather forecast for the day, we have a reasonable certainty (after looking outside of the window) regarding the conditions we are about to face. Tomorrow’s forecast, while somewhat less certain, may still be considered as trustworthy in our minds. As we project out a week, we are taking the last couple of days as more of a best guess. Seasonal forecasts are looked on for information purposes, but we typically look at general trends and statements described (such as a warmer or milder winter than normal). Weather is but one factor that affects those planning mitigation measures and, when introducing other factors of a less scientific nature (such as budget allocations, politics, and so forth), there can be little doubt that mitigation measures represent a best effort based on the optimal application of science and engineering. Let’s bring this back to today’s context. The foundation of mitigation lies in the ability to predict into the future. For example, data may point towards a generally increasing trend in the amount of rainfall and snowfall. These increases, along with any cyclical patterns, are then projected out several years so that the mitigation controls have considered the potential impacts. Where these trends follow predictable curves (or even linear progression), then predicting the trend into the future is, while not simple, at least not a Herculean mathematical effort. One simply extends the curve outwards, adds whatever margin to cover off any uncertainties or foreseeable abnormalities, and then begins to build the controls based on the outcome. Where that trend, however, becomes unpredictable or begins to become more complex, the trends cannot be trusted to the same extent.17 This means that either the lifespan of the mitigation control is shortened or wider margins of error are applied. At this point, we begin to see one of the major impacts of our current climate situation—the increased risks associated with the uncertainties of future prediction. This inserts a level of complexity into the design of a mitigation control. For example, will the insurance industry accept a level of uncertainty and still be willing to cover the potential liabilities and costs? They may choose to do so, but at a higher rate. Would the government be willing to cover either the liabilities or the gaps where the insurance companies are less willing to provide coverage? They may 17

Consider the following trend: 1, 2, 4, 8, and 16 with each number representing a year. It is apparent to even the untrained mathematician that if we wanted to extend this trend out another five years, we would have values of 32, 64, 128, 256 and 1012. This is because the trend is a simple doubling of the previous year. In looking at the trends involved in the design of mitigation, we may be using a much larger sample of available historical data, but we are also attempting to predict out far more than five years. Now, let’s destabilize the trend: 1, 2, 3, 1, -2, and 3. Finding the relationships and patterns that may allow us to predict out the next five years will be a much more complex exercise. If the task is to ensure that the population is protected 99.9 percent of the time, then those making the assessments will have to add more significant margins of error in order to give the same assurance (in the first trend, there was little need to deviate from the trend, much less than in the second).

280  ◾  Critical Infrastructure

be forced to do so, but in an age that is being driven by a culture of fiscal restraint and accountability, arriving at specifics is likely to be more challenging. When determining what specific controls or limitations should be expressed in codes, what additional margins must be put in place? This additional space can become highly contentious when looking at the following questions: 1. Is the application of this control both reasonable and within the duty of care that promised to the population? Has a control been imposed, perhaps arbitrarily, that negatively impacts an individual’s right to life, liberty, property, and the ability to operate in a way that might be considered unreasonable? This is highly important to look at during the initial phases of the design of these kinds of controls if one does not want to become embroiled in various forms of civil action. 2. Will the application of this control have a positive, negative, or neutral impact on the costs associated with various forms of activities and what are these impacts? These impacts, which might describe as simplistically affecting the economy in the area, are not simply defined. Alternatively, one might consider the jobs and material purchases within the economy as being relatively positive. Last, consider the taxes (in whatever form) as being negative in terms of reducing the amount of disposable or available income within the same economy. These will likely shift over time with as projects proceed and are eventually closed out, maintenance costs increase, and the community adjusts to what may be a part of a new reality. 3. Can the control be adapted over time if there are shifts in the condition, or does its design for new controls, would need to be implemented if the conditions assumed in its design are exceeded? Consider a simple flood control—the berm or spillway wall. These controls involve significant calculations such as the width of the base, the depth of the base, the height of the berm and its shape. The width of the base will largely be dependent upon factors such as stability, permeability, and structural integrity. The depth of the base will have dependencies associated with finding a firm foundation upon which to build, its weight, and the potential for water reaching under the berm to destabilize its foundation. The volume of materials is a difficult calculation (particularly when attempting the calculation of the area of a tear drop curve)18 and other designs would have their own specific calculations.

18

A= π

( (3 + m)) . This area would have to be multiplied by length of the berm Γ (3 + m )

Γ

1 2

1 2

(Weisstein, Eric W. “Teardrop Curve” from Mathworld — A Wolfram Web Resource as found at (continued on next page) http://mathworld.wolfram.com/TeardropCurve.html) and the volume of materials needed to make up the base of the structure would be needed (e.g.; street berm).

Climate Change  ◾  281

Again, when considering these questions in terms of engineering and costs, various thresholds will be approached, reached, or may even be breached. The amount of materials needed to maintain structural integrity may exceed local supplies, costs may exceed budgetary controls, and so forth. Consider the two following conditions. The first condition involves a predictable system in which there is a reasonable expectation of a major flood that causes significant damage every ten years or so. This is the ideal condition and should be considered more of a mathematical construct than what the reader is likely to encounter—Mother Nature having what may be described as a somewhat capricious element. The second condition may be categorized in terms of there being an increasing number of severe storms that lead to the conditions that are ideal for significant flooding but the numbers vary significantly from year to year. This is likely far closer to our current reality (Table 13.1). Let us consider the mitigation measure associated with a major insurance program intended to reduce the impacts of the severe flooding by ensuring that there is a stable source of funds available to aid in the recovery from the event, while comparing just some of the differences that are likely to be encountered between the two scenarios: At the mitigation level, the nature of the controls has a degree that is more flexible. These are, after all, controls that are intended to either lessen the exposure in terms of loss of life, the potential losses associated with an event or to minimize the potential impacts on various forms of operations. The mitigation measures, however, can fall into two predictable trends: 1. The use of legal or administrative controls that include terms that point towards the onus of the operator or owner to take reasonable steps. While there are positive aspects to this in terms of lessening unreasonable impacts on people and businesses, it is essentially transferring the uncertainty from the controlling body to the owner/operator. In short, it becomes the responsibility of the owner/operator to demonstrate that reasonable steps (i.e. supported by the various calculations and considerations described above) have been taken to be considered either compliant with regulations or not having been negligent in some form. 2. The application of a control that covers a significant portion of the risk exposure may be considered controversial in the public’s eye (or even more critical eyes) due to the size, scale, and costs associated with the project. One clear and historically supportable example of this debate can be found in the design and construction of “Dutch’s Ditch” (a major spillway protecting the city of Winnipeg) in the 1960’s which began with significant political uncertainty, involved much criticism but which eventually (in several years, including 1997) demonstrated its return on investment.19 19

One can find a reasonable synopsis of this through the Manitoba Historical society at http:// mhs.mb.ca/docs/mb_history/42/duffsditch.shtml.

An unstable rate of change, combined with a less predictable system, will require much more complex calculations resulting in the potential for a higher margin of error. The ALE becomes less stable due to the value of the ARO as it is far less stable and can be subject to significant margins of error due to either the changes or the lengths of time used to calculate it. The range of potential values becomes much greater when considering the margin of error and applied safety margin.

Can this scenario be assessed with a reasonably lower margin of error with a safety margin added in to cover for anomalous conditions?

The ALE returns a relatively stable number because the Annualized Rate of Occurrence (ARO)2 can be considered relatively constant with a limited margin of error that is identifiable and can be integrated easily into the calculation. (e.g.; The value of the ALE)

What is the potential frequency of these events?

Given the potential impacts and frequency, what is the annualized loss expectancy (ALE) of such events?1

(Continued)

Due to the lack of predictability, a much higher margin of error exists and the applied safety margin is added onto a less firm foundation.

Scenario 2 – Less predictable

Can this scenario be assessed with a reasonably low margin of error and a safety margin added in to cover any anomalies?

Scenario 1 – Stable

What is the potential impact that is being faced?

Question

Table 13.1  Mitigation Measurements per Scenario

282  ◾  Critical Infrastructure

2

1

This can be reasonably predicted given the ALE and the anticipated usable lifespan of the control. The case may be considered viable should the cost of the infrastructure over its lifespan be less than factor of the ALE for that number of years (e.g.; Cost < ALE x (usable lifespan))

Scenario 1 – Stable This is far more difficult to predict in that there are significantly greater margins of error and that the system is far more susceptible to errors caused by sampling (i.e. not factoring in changes into the ARO based on different periods). As a result, the ability to determine the return on investment is far less stable and open to debate or challenges.

Scenario 2 – Less predictable

The Annualized Loss Expectancy (ALE) can be described as taking the sum of all relevant impacts within a period and then dividing it by the number of years covered. For example, if the total losses over a ten-year period were one million dollars, then the ALE would be assigned a value of one hundred thousand dollars. While this is a popular method for determining the exposure of an organization to certain events, it does have a few potential flaws. For example, if in that ten-year period, all the impacts occurred in the last two years, then the ten-year ARO may be $100,000 but there is also a case that the two-year ALE would be $500,000. For this reason, care needs to be exercised to consider the population or community of events over several periods of time (such as one year, two years, five years, ten years, twenty years, twenty-five years, fifty years, one hundred years) so that any trends can be identified. Of course, the number of different calculations will be driven by the availability of data or information. The Annualized Rate of Occurrence (ARO) can be described as an averaging exercise where the total number of events over a period is communicated in terms of the number of events that can be predicted per year. This is a significant element in the calculation of the ALE above in that the ALE assumes that the ARO is a constant value while in less stable systems, the ARO can be subject to significant changes depending on the period of time covered and the nature of the changes. In less stable conditions, the need to calculate the ARO using various thresholds (as described above) can be considered a critical step when using this form of calculation.

What is the reasonable threshold for investment in the control?

Question

Table 13.1 (Continued)  Mitigation Measurements per Scenario

Climate Change  ◾  283

284  ◾  Critical Infrastructure

Having moved from the challenging realm in terms of mitigation strategies, the cycle proceeds towards the preparedness phase which involves the more concrete measures used to respond to specific events. Where there may be a certain latitude in the responses put forward in the mitigation strategies (such as how much of an impact to cover), the preparedness phase is much more of a pass/fail environment. With an event being predicted or even imminent, the outcomes will be determined by answering whether the organization can recover from the event or not. Again, the goal of the preparedness phase is to have established the necessary capacity to respond to the event that is imminent or foreseen. It encompasses the activities associated with planning, the purchasing of equipment, training, and builds upon the measures that are defined within the mitigation steps (or at least, complements them significantly). While climate change promotes a level of uncertainty about the weather, it will still be within reasonable norms. Think of weather as proceeding along a sine curve. A more severe event, let’s say, increases the amplitude of the curve while the frequency of events affects the frequency of that curve. What is being discussed in the context of climate change is not simply an increase in amplitude, it is also an increase in terms of frequency. As a result, those looking at the preparedness cycle may be well served by taking the following factors into account: ◾◾ Increasing the capacity of the responding elements beyond the level required to meet the demand by a larger safety margin. This is intended to reduce any potential deficiencies that can arise from more significant events. While some might argue that this requires organizations to purchase more equipment (increasing losses), the personnel in charge of the preparedness aspects should also consider the establishment of leasing agreements, rental arrangements and service level guarantees (such as holding a rental agency to an agreement to have a certain asset on hand). These kinds of measures may defray those costs somewhat; ◾◾ Training personnel on the use of that equipment under more rigorous conditions. This goes hand in hand with the equipment issue in that personnel operating the equipment require either appropriate or additional training (under a range of safety codes), while the organization needs assurance that those personnel are able to put the plan into motion under the more difficult conditions; and ◾◾ Ensuring appropriate capacity within the organization to maintain that balance between the capacity to respond, while maintaining that capacity for a reasonable cost. It should be clearly noted that the issue of climate change and extreme weather would be in addition to the all-hazards approach (by adjusting the thresholds associated with the various threats and hazards) and not an issue that is kept apart or is operating independently. Like most technical challenges, the challenge here is establishing that balance between the use of internal and external resources. While external resources

Climate Change  ◾  285

tend to cost more on a per-unit basis (such as a daily rate as compared to the pay for an employee applicable for the same period of time), that cost off-sets any requirements for training, the development of expertise, and the other elements of human capital. Management needs to be careful, however, in that the use of the contractor is not necessarily assured under all conditions, may become an information security issue if not bound appropriately, and the corporate knowledge leaves with the contractor at the end of the contract. As with previous issues in most technical designs, the use of contractors here may be relevant in the following circumstances: ◾◾ Answering specific, well-defined issues for the company and in support of internal resources that may not have the expertise or time available to address that specific need; ◾◾ Being able to provide an outside view of a specific issue so as to be free of assumptions made by the organization when monitoring the capacity of the organization’s preparedness; and ◾◾ Being able to provide a confirmation with respect to the apparent soundness of a course of action where management requires a confirmation from an outside source that operates outside of the budgetary and political aspects of the organization. The second element to consider is the nimbleness of the organization. With the increasing level of uncertainty and potential for events to be happening closer together, there is a need for plans to be developed that take into account the need for potentially much shorter recovery periods. This may involve maintaining initial stockpiles (outside of the affected area), only using that part of the response team that is necessary, or moving to the use of supplementary responders at an early stage so as not to allow internal responders to become overly fatigued. Reaching this particular state is not something that can be done using external resources. The organization will need internal resources that have at least the capability to build, assess, implement, monitor, and adjust the activities associated with achieving this. This will require a sustained effort that has both a level of technical expertise regarding the challenges facing the organization and a level of understanding of the organization’s operations so that he or she can ensure that the plan is both effective but also involves graceful transitions into and out of the emergency response activities (to the extent possible). This will require investment on the part of the organization as well as senior management commitment. One might consider meeting this challenge through several avenues, including education, certification, or significantly vigilant human resources and quality assurance activities. In comparing some of these, the organization should carefully consider some of the factors when looking at the knowledge, skills, abilities, and experience that may be necessary to meet the challenge:

286  ◾  Critical Infrastructure

The establishment of this internal capacity is something that begins within mitigation but becomes much more relevant in the planning phase. For the response phase, this needs a combination of three factors: ◾◾ An individual with the necessary knowledge and skills to be able to solve complex problems or at least be able to identify key members necessary to solve problems; ◾◾ An individual with the necessary experience to know where the pitfalls and other traps when dealing with complex scenarios, and ◾◾ An individual with the combination of the two above along with the ability to handle the psychological and physiological stress necessary to lead in those kinds of environments and provide sound advice. Having developed plans that take into account the needs of the preparedness phase, there is the issue of the response phase. This operates in symbiosis with the preparedness phase: one might consider them to be inexorably linked. Within the realm of the response phase, perhaps the greatest factors will involve the extent of the impact and the pace of events. The military quickly learned that, when dealing with faced-paced events on the battlefield, there was a significant benefit to the following: ◾◾ Enhanced communications and situational awareness that allowed all levels of the organization to understand what was going on around them and what the overall intents of their activities were; ◾◾ The delegation of decision making to levels that were as close to the issue as possible. This means that decision making cycles (the OODA loops) are tighter but require that those local commanders are consistently working within the constraints and restraints of the higher organization’s intent; and ◾◾ The ability to maintain personnel, equipment, supplies, stores, and consumables so that there are no disruptions to activities due to the supply chain. This operational need mean that there is an increased burden on training and exercising in the preparedness phase of events, in addition to activities that protect vital stocks and supply chains. That training, which is often under pressure to be cut during period of fiscal restraint (either in terms of the number of drills and exercises or their level of involvement and intensity), becomes vital in that organizations will respond to events the way that they practice responding to those events (Table 13.2). Those organizations that cut corners or allow their personnel to cut corners (e.g. staying too close to buildings during evacuations, failing to check evacuation routes as part of the exercise, and so forth) put themselves and their personnel at significant risk for when the time comes that measures have to be put in place for real. There is another aspect to response that may complicate issues—that of our growing trend towards “green” living in urban centers. When one considers that,

• Significantly in depth and involving a breath of subjects • Developed in line with sound practices (if accredited) • Up to date to remain competitive but in terms of offering, not upkeep • Tested once through examination but then not subject to upkeep requirements.

• Limited to certain disciplines (engineering, sciences) in technical terms but may involve base skills such as research and critical thinking

Skills

Education

Knowledge

Element

Table 13.2  Operational Needs Comparison

• Often requires the attestation that the individual has performed certain tasks appropriately and at an expected level

• In depth within a specific field but may lack the same breadth as education • Developed through community of willing experts • Individual must remain current to remain certified • Verified first through neutral third party testing followed by verification of upkeep submissions

Certification

(Continued)

• Often simply presented and then verified in a percentage of cases

• Internal training requirements relevant to organization but may lack same level of expertise • May be made mandatory throughout the organization, distributing knowledge more fully • Verified through limited testing

HR and similar

Climate Change  ◾  287

• May be supported by other persons • Those persons supporting may have a vested interest or a personal interest in the success of the individual • Must be provided and validated, but not necessarily free of vested or personal interest

• Often not tested or even assessed. The approach in this context often limits the amount of actual application of knowledge with the exception of rare programs with practical applications

• Not required and often not developed except in rare circumstances or in a very limited context (such as practical applications within a course)

Abilities

Experience

Certification

Education

Element

Table 13.2 (Continued)  Operational Needs Comparison

• Self-provided and validated through the provided references

• Generally, through declaration and potentially supported through reference checks • Not consistently applied

HR and similar

288  ◾  Critical Infrastructure

Climate Change  ◾  289

according to the United Nations, that 54 percent of the world’s population will be living in urban centers, there are other factors that need to be considered.20 These factors include the following: ◾◾ The ability of populations to move out of areas that are no longer safe; ◾◾ The ability to maintain a supply of clean water; ◾◾ The ability to maintain sanitation (and particularly sewage) capabilities to prevent disease; ◾◾ The ability to establish shelter in safe areas; ◾◾ The ability to establish and sustain food supplies; and ◾◾ The ability to deliver medical services. As noted in the UN report, the number of mega-cities (over ten million persons) is increasing with ten being reported in 1990 and twenty-eight being reported in 2014. This marks an increase from 7 percent to 12 percent of the world’s population living in those conditions. At the same time, small cities (those fewer 500,000 persons) account for nearly half of the 3.9 million urban dwellers. Rural populations, on the other hand, are expected to reach a peak in 2020 at around 3.4 billion and then begin to decline to approximately 3.1 billion by 2050.21 First, let us consider the issue of transportation in the response. Urban centers continue to push towards sustainable development, a significant aspect of which is reducing the number of vehicles on the roads in favour of public transportation. Many of these systems run at near-capacity for the sake of reducing costs during normal periods. Consider the capacity of a moderately large (approximately 1 million persons) city like Ottawa, Ontario, Canada: ◾◾ The full OC Transpo main bussing fleet, if fully operational and available, capable of carrying a total of slightly over 45,000 persons at one time (assuming full capacity in terms of number of persons).22 Currently, the population can still be described in terms of being car-based.23 What is important here is As discussed in the World’s Organization Prospects as found at http://www.un.org/en/develop​ ment/desa/news/population/world-urbanization-prospects-2014.html. 21 As found at http://www.un.org/en/development/desa/news/population/world-urbanization​ -prospects-2014.html. 22 This is based on the numbers presented by OC Transpo on their website at http://www​ .octranspo.com/about-octranspo/bus_fleet and assuming that each bus listed would be in service and operating at full capacity. 23 In 2013, it was estimated that two-thirds of the employed population in Ottawa used cars as their primary source of transportation with approximately 514,855 vehicles being registered and 90 percent of those being passenger vehicles. Willing, Jon. Car is still king for may Ottawans despite city spending on other modes of travel. Ottawa Sun from July 14, 2014 and as found at http://www.ottawasun.com/2014/07/20/car-is-still-king-for-many-ottawans​ -despite-city-spending-on-other-modes-of-travel. 20

290  ◾  Critical Infrastructure

that there is a significant emphasis on reducing this reliance on automobiles in order to lessen the environmental impacts of the vehicles and congestion. This needs to take into account the need to be able to maintain an adequate capacity to evacuate or move populations in case of disaster; ◾◾ This also places a pressure on individuals with respect to their ability to carry their own emergency supplies. If we are to consider a basic load of a first aid kit, adequate water, shelter, food, and a limited number of items for ablutions and clothing, then it is highly unlikely that the public transportation fleet would be able to run at capacity; and ◾◾ There is a limited benefit, however, to reducing the amount of traffic. In the case of more localized evacuations, reduced congestion can facilitate the movement of persons out of harm’s way and the movement of relief and emergency crews into the affected areas. The second element involves the conditions in which these persons live. When one considers a city like Toronto (with a population of approximately 3 million), the number of occupants living in high rise apartments and condominiums more than doubled in the period between 1996 and 2006.24 In 2006, the total number of individuals living in apartments of over five stories nearly reached 40 percent in the city, representing increases of 6.9 percent (1996-2001), 7.0 percent (2001-2006), and 14.4 percent (1996-2006).25 This represents approximately 380,000 households of 979,280 (slightly under 39 percent). Now consider the challenges associated with this: ◾◾ Consider an apartment complex with 30 units per floor and an average of 3.0 persons per unit (90 persons per floor) and over five stories (450 persons per building). Under what might be considered normal conditions (where an individual requires not less than 2.5 to 3.0 liters of water per day), the daily supply of water needed for that one structure would be 1,125 liters to 1,350 liters of water. Consider a very conservative level of consumption of water looking at approximately 39 percent of the population of Toronto. For those being affected (for a very grave and likely very rare event—certainly catastrophic), the daily water requirements would approach nearly 3,000,000 to 3.500,000 litres per day (3T to 3.5T per day) to continue to be sustained. Survivability drops significantly if water consumption is not possible over a three day period and/or if the event does not address any health issues should at least part of this supply become contaminated. ◾◾ The ability to evacuate these structures can be challenged through combinations of aging populations (a growing factor), the loss of infrastructure such as elevators and the availability of space into which to evacuate. From notes in the Official Plan review for the City of Toronto as published at https://www​ .toronto.ca/wp-content/uploads/2017/08/8e13-Trends-in-Housing-Occupancy-Bulletin.pdf (alt URL: http://cipbook.infracritical.com/book4/chapter13/ch13ref7.pdf). 25 Ibid. p2. 24

Climate Change  ◾  291

Once the population is evacuated, the next challenge, of course, becomes how to sustain that population through medical services, shelter, water, and food—particularly for events that could persist a number of days; In essence, as we look at the increasing density of urban living (for example, the population density in downtown Toronto increased almost 450 percent over five years to a population of approximately 14,100 persons per square kilometer and with structures ranging from 70 floors to 80 floors).26 If we measure the need to respond based on the preservation of human life, this level of population density has the ability to pull emergency response capabilities (including all aspects lifted above) into dealing with the complex situation within a very narrow area. Even with the current trends (without having to contend with major events), many first responder services and particularly ambulance services, are now beginning to draw resources in from rural areas to cover urban shortfalls. An event that had a catastrophic event on the number of people, as described in the downtown density in Toronto, would quickly overcome local resources and would likely strain regional resources for a period of time. From a response perspective, this is going to force field commanders to make difficult decisions with respect to how to cover impacted areas. While the first responder will likely continue to respond to calls as dispatched, those coordinating dispatch services may be faced with creating a tsunami effect on first response capability (where all the water is first sucked back from around the impacted area, leaving bare shore and seabed) and leaving areas less covered until such a point as the level of criticality demands reallocation of services. At the same time, rural planners and coordinators may be faced with decisions that demand that they set minimum capacity levels in rural areas knowing that the cumulative shortfalls in urban areas are likely to lead to loss of life and property.27 These immediate impacts (water, sanitation, first responders) may also be compounded by longer term issues associated with transportation, food supply, and the subsequent impacts that flow along interdependencies into other sectors (such as the financial sector when looking at downtown Toronto or government within the Ottawa area). Having (hopefully—and it is up to professionals who read these kinds of books not to be bound in despair but to pick up the challenge in findings solutions) survived the impacts that required a response, we need to look at the concept of Dakshana Bascaramurty. Density, Infrastructure and the high cost of building a vertical Toronto. The Globe and Mail, 12 October 2012 as found at http://www.theglobeandmail​.com​ /news/toronto/density-infrastructure-and-the-high-cost-of-building-a-vertical-toronto​ /article4610721/. 27 One option being proposed as a mitigation measure is a change to the development code to ensure that all major projects of this type also include the investments necessary for local infrastructure and costs to establish and sustain first responder services while also requiring measures to limit the impact of power, water, heat, and similar failures. 26

292  ◾  Critical Infrastructure

recovery. When we take into account the impacts above, we are faced with the following challenges (and this list should not be considered exhaustive): ◾◾ The distribution of affected persons into sustainable conditions and ultimately self-sustainable conditions; ◾◾ The clean-up activities that may be associated with major or even catastrophic failures, particularly with respect to buildings, transportation networks, power, water, and other life-sustaining infrastructure; ◾◾ The reconstruction activities associated with returning to normal conditions and the potential recovery from other losses (financial, operating capability, etc.); and ◾◾ The dealing with a significant community of persons that may require longterm physical and mental care concentrated into a very tight location, straining services into the long term. These issues in the recovery phase are only part of the issue as we need to be able to also examine how quickly the responding forces can be recuperated. The recuperation of first responders and emergency services faces its own challenges. These can be divided into the following factors: ◾◾ The costs associated with the replacement, remediation, repair, and reconstitution of the capacity to respond (such as repairing vehicles, replacing stores and supplies, etc.) are likely to be significantly higher as events have a combination of a more severe impact into increasingly concentrated populations, further exacerbating the situation; ◾◾ The time between events shows a significant potential to decrease, meaning that the time needed to rest, repair, replenish, and reconstitute the capacity also diminishes. This will not only be a budgetary challenge, but is also affected by factors such as the time needed to heal, learn lessons, train, and reconstitute the emergency response infrastructure and capacity after the event; and ◾◾ The sustainability of emergency responders at current levels (already showing signs of strain) should be examined closely in order to prevent issues such as burnout and turnover from having an ability to develop, maintain, and communicate the knowledge, skills, and experience necessary to meet increasingly complex situations.

13.5 Authors’ Note Although the science of climate change is ever evolving, because variations of these theories, practices, etc. continues to exist within a state of flux, obtaining more resolute and stable answers still remains a significant challenge—both within the

Climate Change  ◾  293

scientific community, as well as to those who work diligently in safeguarding and protecting our infrastructures. This continued, ever-vigilant mindset is what will be a saving grace for ­humanity—​ being prepared or, better yet, expecting the unexpected. Although cost (time, materials, resources, people, etc.) plays a very important and integral part of trying to remain proactive, establishing (then maintaining) a positive and proactive stance is vital in ensuring our survivability.

http://taylorandfrancis.com

Appendix 1

295

296  ◾  Appendix 1

Designated Sector-Specific Agencies and Critical Infrastructure Sectors Sector-Specific Agency

Sector

Description

Department of Agriculture Department of Health and Human Services Food and Drug Administration

Agriculture and food

Provides for the fundamental need for food. The infrastructure includes supply chains for feed and crop production. Carries out the post-harvesting of the food supply, including processing and retail sales.

Department of Defense

Defense industrial base

Supplies the military with the means to protect the nation by producing weapons, aircraft, and ships, and providing essential services, including information technology and supply and maintenance.

Department of Energy

Energy

Provides the electric power used by all sectors and the refining, storage, and distribution of oil and gas. The sector is divided into electricity and oil and natural gas.

Department of Health and Human Services

Public health and healthcare

Mitigates the risk of disasters and attacks and also provides recovery assistance if an attack occurs. The sector consists of health departments, clinics, and hospitals.

Department of the Interior

National monuments and icons

Memorializes or represents monuments, physical structures, objects, or geographical sites that are widely recognized to represent the nation’s heritage, traditions, or values, or widely recognized to represent important national cultural, religious, historical, or political significance. (Continued)

Appendix 1  ◾  297

Sector-Specific Agency Department of the Treasury

Sector Banking and finance

Description Provides the financial infrastructure of the nation. This sector consists of commercial banks, insurance companies, mutual funds, government-sponsored enterprises, pension funds, and other financial institutions that carry out transactions.

Environmental Protection Drinking water Agency and water treatment systems

Provides sources of safe drinking water from more than 53,000 community water systems and properly treated wastewater from more than 16,000 publicly owned treatment works.

Department of Homeland Security Office of Infrastructure Protection

Chemical

Transforms natural raw materials into commonly used products benefiting society’s health, safety, and productivity. The chemical sector produces more than 70,000 products that are essential to automobiles, pharmaceuticals, food supply, electronics, water treatment, health, construction, and other necessities.

Department of Homeland Security Office of Infrastructure Protection

Commercial facilities

Includes prominent commercial centers, office buildings, sports stadiums, theme parks, and other sites where large numbers of people congregate to pursue business activities, conduct personal commercial transactions, or enjoy recreational pastimes. (Continued)

298  ◾  Appendix 1

Sector-Specific Agency

Sector

Description

Department of Homeland Security Office of Infrastructure Protection

Dams

Manages water retention structures, including levees, more than 77,000 conventional dams, navigation locks, canals (excluding channels), and similar structures, including larger and nationally symbolic dams that are major components of other critical infrastructures that provide electricity and water.

Department of Homeland Security Office of Infrastructure Protection

Emergency services

Saves lives and property from accidents and disaster. This sector includes fire, rescue, emergency medical services, and law enforcement organizations.

Department of Homeland Security Office of Infrastructure Protection

Nuclear reactors, Provides nuclear power, which accounts for approximately materials, and waste 20% of the nation’s electrical generating capacity. The sector includes commercial nuclear reactors and nonpower nuclear reactors used for research, testing, and training; nuclear materials used in medical, industrial, and academic settings; nuclear fuel fabrication facilities; the decommissioning of reactors; and the transportation, storage, and disposal of nuclear materials and waste. (Continued)

Appendix 1  ◾  299

Sector-Specific Agency

Sector

Description

Department of Homeland Security Office of Infrastructure Protection

Critical manufacturing (announced March 3, 2008)

Provides crucial support to the economic prosperity and continuity of the United States. US manufacturers design, produce, and distribute products that provide more than $1 of every $8 of the US gross domestic product and employ more than 10% of the nation’s workforce.

Office of Cyber Security and Communications

Information technology

Produces information technology and includes hardware manufacturers, software developers, and service providers, as well as the Internet as a key resource.

Department of Homeland Security Office of Infrastructure Protection

Communications Provides wired, wireless, and satellite communications to meet the needs of businesses and governments.

Transportation Security Administration

Postal and shipping

Delivers private and commercial letters, packages, and bulk assets. The US Postal Service and other carriers provide the services of this sector.

Transportation Security Administration and US Coast Guard

Transportation systems

Enables movement of people and assets that are vital to our economy, mobility, and security with the use of aviation, ships, rail, pipelines, highways, trucks, buses, and mass transit.

Immigration and Customs Enforcement, Federal Protective Service

Government facilities

Ensures continuity of functions for facilities owned and leased by the government, including all federal, state, territorial, local, and tribal government facilities located in the United States and abroad.

http://taylorandfrancis.com

Appendix 2

301

Theft of equipment

Destruction of bridge or communications link

An explosion at facility

An aircraft is hijacked

Cascading

Collateral

Consequential

Attack

Isolated

Propagation Type

Impacts

A loss of confidence in aviation security leads to a reduction of passengers

All facilities within a certain range are damaged structurally

The loss of communications leads to items not be processed for shipping

Generally, in terms of replacement time and costs

Impact

All airlines suffer losses due to the consumer loss of confidence.

Disruption of services from those facilities impact other organizations

Engineers are required to assess all structures within a geographic space and proximity to the first impact All infrastructure or operations of a type are seen as being subject to the same issues

The delays in shipping result in increased financial costs (penalties) but also losses of potential earnings for clients

Not applicable

Second Impact

The results of the first attack spread through the dependency to another connected process

None beyond financial loss and immediate disruption

Kind of Spreading

302  ◾  Appendix 2

Appendix 2  ◾  303

This table describes different ways that impacts can move through systems. While certain events have only localized impacts (isolated) that can be described in terms of their traditional costs. Where the impacts of isolated events affect other organizations, they can involve situations such as collateral damage (as used in the military context) or consequential damage (such as the 9/11 scenario or the various boycotts following the school shootings in Florida). Finally, cascading impacts are those that spread along various dependencies, interdependencies, and bonds to impact other organizations and are not contained.

http://taylorandfrancis.com

Glossary AAR: Association of American Railroads AC: Area command ACC: American Chemical Council ACN: Alerting and Coordination Network AES: Advanced Encryption Standard AGA: American Gas Association AMSA: Association of Metropolitan Sewage Agencies AMWA: Association of Metropolitan Water Agencies ANSI: American National Standards Institute API: American Petroleum Institute APTA: American Public Transportation Association ASDWA: Association of State Drinking Water Administrators ASME: American Society of Mechanical Engineers ATA: American Trucking Associations AWWA: American Water Works Association AWWAR: American Water Works Association Research Foundation BBS: Bulletin board system BCP: Business continuity plan BMF: Business master file CANUTEC: Canadian Transport Emergency Centre of the Department of Transport CC: Common Criteria CC EAL: Common Criteria European Assurance Level CDP: Center for Domestic Preparedness CEII: Critical energy infrastructure information CEM: Common evaluation methodology CEO: Chief executive officer CHEMTREC: Chemical Transportation Emergency Center CIA: Critical infrastructure assurance CIAO: Critical Infrastructure Assurance Office CIDX: Chemical Industry Data Exchange CII: Critical infrastructure information CIKR: Critical infrastructure/key resource 305

306  ◾ Glossary

CIO: Chief information officer CIP: Critical infrastructure protection CIPAC: Critical Infrastructure Partnership Advisory Council CIPAG: Critical Infrastructure Protection Advisory Group CN: Canadian National Railway COBIT: Control Objectives for Information Technology CRIS: Communications Resource Information Sharing CRS: Congressional Report Summary CS2SAT: Control System Cyber Security Self-Assessment Tool CSF: Critical success factor CSO: Chief security officer CSSP: Control Systems Security Program CUI: Controlled unclassified information DCS: Distributed control systems DES: Data Encryption Standard DHS: US Department of Homeland Security DMAT: Disaster Medical Assistance Team DOD: US Department of Defense DOE: US Department of Energy DOT: US Department of Transportation EAR: Export Administration Regulations EMAC: Emergency Management Assistance Compact E.O.: Executive order EOC: Emergency operation center EOP: Emergency operations plan EPA: US Environmental Protection Agency ESF: Emergency support function FASC: Finance/Administration Section Chief FBI: Federal Bureau of Investigation FBIIC: Financial and Banking Information Infrastructure Committee FCC: Federal Communications Commission FDA: US Food and Drug Administration FEMA: Federal Emergency Management Administration FERN: Food Emergency Response Network FIPS: Federal Information Processing Standards FIRESCOPE: Firefighting Resources of Southern California Organized for Potential Emergencies FISCAM: Federal Information System Controls Audit Manual FISMA: Federal Information Security Management Act FMI: Food Marketing Institute FOIA: Freedom of Information Act FOUO: For office use only FRP: Federal Response Plan

Glossary  ◾  307

GAO: General Accounting Office GETS: Government Emergency Telecommunications System GLBA: Gramm-Leach-Bliley Act GTI: Gas Technology Institute HAZMAT: Hazardous material HAZWOPER: OSHA Hazardous Waste Operations and Emergency Response HICS: Hospital Incident Command System HIPAA: Health Insurance Portability and Accountability Act HMI: Human-machine interface HSOC: Homeland Security Operations Center HSPD: Homeland Security President Directive IAP: Incident action plan IC: Incident commander ICP: Incident command post ICS: Incident command system ICSJWG: Industrial Control Systems Joint Working Group IEC: International Electrotechnical Commission IEEE: Institute of Electrical and Electronics Engineers IIMG: Interagency Incident Management Group IRS: Internal Revenue Service IS: Information systems ISA: International Society of Automation ISAC: Information Sharing and Analysis Center ISO: International Organization for Standardization IT: Information technology ITAR: International Traffic in Arms Regulations IXC: Interexchange carrier JFO: Joint Field Office JIC: Joint information center JIS: Joint information system LAN: Local area network LEC: Local exchange carrier LNO: Liaison officer LSC: Logistics section chief MACS: Multiagency coordination system MCE: Mission-critical element MCE: Multiagency coordination entity MEI: Minimum essential infrastructure MSC: Maritime Security Council MTS: Maritime Transportation System MTSNAC: Maritime Transportation System National Advisory Council NAERG: North American Emergency Response Guidebook NARA: National Archives and Records Administration

308  ◾ Glossary

NAWC: National Association of Water Companies NCC: National Coordination Council NCS: National Communications System NCSD: National Cyber Security Division NERC: North American Energy Reliability Council NEST: Nuclear Emergency Support Team NFPA: National Fire Protection Association NGO: Nongovernmental organization NIC: NIMS Integration Center NIIMS: National Interagency Incident Management System NIMS: National Incident Management System NIPC: National Infrastructure Protection Center NIPP: National Infrastructure Protection Plan NIST: National Institute of Standards and Technology NRCC: National Response Coordination Center NRF: National Response Framework NRIC: Network Reliability and Interoperability Council NRP: National Response Plan (deprecated) NSA: National Security Agency NSIE: Network Security Information Exchange NSPD: National Security President Directive NSTAC: National Security Telecommunications Advisory Committee NWCG: National Wildfire Coordination Group OAGi: Open Application Group, Inc. ODP: Office of Domestic Preparedness OMB: Office of Management and Budget OPSEC: Operations security OSC: Operations section chief OSHA: Occupational Safety and Health Administration PAS: Priority access service PBX: Public branch exchange PCS: Personal communications service PCSRF: Process Control Security Requirements Forum PDA: Personal digital assistant PIN: Personal identification number PIO: Public information officer P.L.: Public law PLC: Programmable logic controller PPE: Personnel protective equipment PSC: Planning section chief PSO: Patient safety organization PSQIA: Patient Safety and Quality Improvement Act PSTN: Public switched telephone network

Glossary  ◾  309

RRCC: Regional Response Coordination Center RTU: Remote terminal unit SAIC: Science Applications International Corporation SBU: Sensitive, but unclassified (deprecated) SCADA: Supervisory control and data acquisition SCADASEC: SCADA security SHARES HF: Shared Resources High Frequency (Radio Program) SLGCP: US Department of Homeland Security’s Office of State and Local Government Coordination and Preparedness SO: Safety officer SOLAS: Safety of Life at Sea SOX: Sarbanes-Oxley Act SRT: Security response team SVA: Security vulnerability assessment TCSEC: Trusted Computer System Evaluation Criteria TDEA: Triple DES TSP: Telecommunications Service Priority TTCI: Transportation Technology Center, Inc. UC: Unified command UCNI: Unclassified Controlled Nuclear Information UCS: Unified command system USACE: US Army Corps of Engineers U.S.C.: US Code USFA: US Fire Administration VAF: Vulnerability Assessment Framework WAN: Wide area network WERF: Water Environment Research Foundation WMD: Weapons of mass destruction WPS: Wireless Priority Services WRF: Water Research Foundation Y2K: Year 2000

http://taylorandfrancis.com

Index A Access to Information Act, 101 Administrative Monetary Penalty (AMP), 6 Admiralty Code, 74 Air-gapped environment, 221 Atomic Energy Act, 122, 127 Auditing controls, implementing of, 149 Available physical margin (APM), 275

B Backdoor elimination, 55 Baltic and International Maritime Council (BIMCO), 47 BBS, see Bulletin board systems (BBS) BCP, see Business continuity planning (BCP) Bell LaPadula model, 23 Biba model, 223 Botnet, 53, 55, 130 Budapest Convention for Cybercrime, 54 Budget, balancing of, 5 Building Automation Controls (BAC), 129 Bulletin board systems (BBS), 138 Business continuity planning (BCP), 17

C Canada Border Services Agency (CBSA), 18 Canada-United States Action Plan for Critical Infrastructure, 38–39 Capacity, see Demand, capacity, fragility, and the emergence of networks CEII, see Critical energy infrastructure information (CEII) Chemical Sector Cyber Security Program, 146 Churchill, Manitoba, 17, 48 CIA, see Critical infrastructure assurance (CIA)

CII, see Critical infrastructure information (CII) CIP, see Critical infrastructure protection (CIP) Clark-Wilson model, 223 Climate change, 267–293 available physical margin, 275 challenge of changing climate, 267–268 CIP, basic concepts of, 269–271 decision-making requirements, 276 learning condition, 271 mitigation strategies, 284 OODA loop, 276 operational need, 286 predictable system, 281 preparedness phase, 284 reconstruction activities, 292 responding to longer-termed issues, 271–276 seismic “probabilistic risk assessment,” 274 shorter-termed challenges of changing climate, 277–292 situational awareness, 270 supply chains, 272 transportation networks, 268 Cloud as amplifier, 84 computing, 82–83, 108 concealed conduits and, 85–87 -enabled technologies, 26 environments, information provided into, 45 Commercial Facilities Sector, 257 Computer Security Act of 1987, 107 Consequence-benefit ratio (approach to information sharing), 93 Control systems, see Supervisory control and data acquisition (SCADA) Control Systems Security Program (CSSP), 152–154

311

312  ◾ Index

Critical energy infrastructure information (CEII), 122, 123 Critical infrastructure assurance (CIA), 59 definition of, 8–10 domain, information sharing within, 73 public-private partnerships and, 59 standards-driven activities, 69 Critical infrastructure assurance (CIA) and protection (CIP), introduction to, 1–13 Administrative Monetary Penalty, 6 budget, balancing of, 5 CIA, definition of, 8–10 CIP, definition of, 7–8 critical infrastructure, definition of, 3 critical infrastructure, evolution of, 12–13 critical infrastructure functions, 11 downloading, 5 financial risk, 4 global-centric network, 3 international “monsters,” 3 nongovernmental organizations, 4 private sector, definition of, 4–5 public-private partnerships, definition of, 11 public sector, definition of, 5–7 terrorist attacks, evolution of, 2 threat category, 9 threat of international terrorism, 12 threat spectrum, 1 Critical infrastructure information (CII), 95–128 contracting process, 117–118 controlled unclassified information, 123–125 critical energy infrastructure information, 122, 123 definition, 96–98 export-controlled information, 116–117 FOIA, Exemption 3 of, 100–101 FOIA, Exemption 4 of, 102 “for official use only,” 111–112 FOUO information, enforcement of, 112 Freedom of Information Act, 109 government interpretation of, 98–100 Homeland Security Act, enforcement of Section 214 of, 105–106 Homeland Security Act, Section 214 of, 102–105 information handling procedures, 108–109 InfraGard, 125–126 Lessons Learned programs, 125 need to know, 109–111

“point-and-click aggregation” of information, 114 privacy information, 119–120 privacy information, enforcement of, 120–121 procurement integrity law, 119 reviewing web site content, 112–116 safeguards information, 127 sensitive by aggregation, 113 “sensitive but unclassified” designation, 106–108 sensitive unclassified nonsafeguards information, 126–127 source selection data, enforcement of, 118–119 unclassified controlled nuclear information, 107, 121, 122 Critical Infrastructure Information Act of 2002, 98, 105 Critical infrastructure and key resources (CIKR) sector, 153 Critical Infrastructure Partnership Advisory Council (CIPAC), 153 Critical infrastructure protection (CIP), 1, 15, 267 basic concepts of, 269–271 definition of, 7–8 domain, information sharing within, 73 goals, 8, 15 nature of, 267 public-private partnerships and, 59 standards-driven activities, 69 Critical infrastructure sectors, 296–299 Cyber-attacks, vulnerability to, 132 Cyber Security Evaluation Tool (CSET ®), 154–156 Cyberterrorism, 24–32 convergence, 26–27 convergence and the understanding of threat, 27–28 fragility, 29–31 fragility and destabilization of systems, 31 fragmentation and dissolution of networks, 31–32 TCP/IP, 26

D Demand, capacity, fragility, and the emergence of networks, 15–36 assets, 30 business continuity planning, 17

Index  ◾  313

capacity, concept of, 15–16 cloud-enabled technologies, 26 competition between nations, 24 convergence, 26–27 convergence, network expansion, open architecture, and common criteria, 33 convergence and the understanding of threat, 27–28 current efforts and research, 22–23 cyberterrorism, 24–32 cycles, 30 demand (reason for capacity), 16–20 design of objects, 29 dissolution and convergence (emerging risk), 32–33 Emergency Detour Routes, 21 firewall, 27 fragility, 29–31 fragility and destabilization of systems, 31 fragmentation conditions, 32 fragmentation and dissolution of networks, 31–32 hybrid attack, 28 influence at the small system level, 21–22 interdependency hydra, 23 legislation (107th congress), 34 legislation (108th congress to 109th congress), 35 “load shedding,” 19 local impact and the influence on capacity, 17 marking the journey, 33–36 mitigation, 34 network connectivity, 28 network fragmentation and dissolution, 23–24 performance, concept of, 16–17 post-9/11 period, 34 push, pull, lag, and delay in the network environment, 20 regional (small system) level, 21–24 relevance to CIP, 20 reliability engineering, 29 research and understanding, 36 results of local impact in the immediate sense, 18–20 software-as-a-service, 26 solar farms, 19 the state today, 35–36 surplus of demand, 32 TCP/IP, 26 threat vector, 28, 31

Denial of service attack, 166 Designated sector-specific agencies and critical infrastructure sectors, 296–299 Design of objects, 29 DHS, see US Department of Homeland Security (DHS) Digital subscriber line (DSL), 138 Distributed control systems (DCS), 131 Distributed Denial of Service attacks, 130 DOT HAZMAT classifications, 198–200 class 1 (explosives), 199 class 2 (gases), 199 class 3 (flammable liquids), 199 class 4 (flammable solids), 199 class 5 (oxidizers), 199–200 class 6 (toxic materials), 200 class 7 (radioactive materials), 200 class 8 (corrosive materials), 200 Due diligence checks, 50 in divestiture processes, 76, 237 gaps, 243

E Electrical grid, 1, 19 description of, 51 requirement to maintain, 47 Electric Power Research Institute (EPRI), 273 Electronic Funds Transfers (EFT), 260 Emergency Detour Routes, 21 Emergency Management Cycle, 2, 277 End User License Agreements, 85 Enterprise networks, 134 Environmental Protection Agency, 146 European Programme for Critical Infrastructure Protection, 39 Exception tracking, development of methodologies for, 151 Export Administration Regulations (EAR), 116 Export-controlled information, 116–117

F Federal Acquisition Regulations (FAR), 118 Federal Advisory Committee Act, 105 Federal Bureau of Investigation (FBI), 27 Cyber Division, 125 InfraGard, 125–126

314  ◾ Index

Federal Energy Regulatory Commission (FERC), 122, 136, 146 Firewall, 27, 135, 150, 221 First responders, 168–169 classifications, 170 dealing with terrorist activities, 196 equipment use by, 177 recuperation of, 292 support of, 187 tasks performed by, 176 Flat network, 261 “For official use only” (FOUO), 107, 111–112 Fragility, see Demand, capacity, fragility, and the emergence of networks Freedom of Information Act (FOIA), 98, 100, 102, 109 Fukushima nuclear generating facilities, incident involving, 273 Future Energy Jobs Act (FEJA), 51

G Global-centric network, 3 Glossary, 305–309 “Good Samaritan” law, 93 Government Facilities Sector, 257 Gramm-Leach-Bliley Act, 120 “Green position,” 227

H Harmonized Threat and Risk Assessment methodology, 82 HAZMAT agents, storing of, 192 classifications, see DOT HAZMAT classifications containment of, 191 protocols to secure, mitigate, and remove, 191–192 transportation incident involving, 171 HAZWOPER, see Occupational Safety and Health Administration (OSHA) Hazardous Waste Operations and Emergency Response (HAZWOPER) Health Insurance Portability and Accountability Act, 121 Homeland Security Act of 2002, 12 Human-machine interface (HMI), 143 Hurricanes Katrina and Sandy, 2 Hybrid attack, 28 Hybrid regulations, 249

I Illinois Tollway, 63 Impacts, 302–303 Incident action plan (IAP), 181, 193–194 Incident Command System (ICS), 48, 180 Incident response plans (IRPs), 149, 151 Industrial Control Systems (ICS), 129 awareness procedures, 180–181 Joint Working Group (ICSJWG), 152 performance procedures, 188–189 Industrial Internet of Things, 81 Information sharing and intelligence, reinvention of, 73–93 barriers to information sharing, 90–91 cloud as amplifier, 84 cloud computing, 82–83 clouds and concealed conduits, 85–87 consequence-benefit ratio (approach to information sharing), 93 context affecting sensitivity, 78–82 corporate perspective, 75–76 credibility, 74 data vs. information vs. intelligence, 74–75 “Good Samaritan” law, 93 importance of background to context, 75–78 injury, 78 Internet-of-Things environment, network protection in, 78 linking the trusted computing base and user communities, 87–90 lost revenue, 80 need-to-know principle, 88 open-source information and intelligence, 92–93 open sources, rise of, 91–92 reliability, 74 risk management, 77 sensitivity, categories of, 80 smartphone, unprotected, 78 threat assessment, 76 threat vectors, 78 thresholds, 79 vulnerabilities, 79 Insider threat, 203–216 ability to abuse processes, 208 ability to camouflage activities, 210 ability to lengthen the breach, 207–208 ability to target, 207 adapting, 213–214

Index  ◾  315

alternative approach to staffing and resource management, 215–216 changing attitude towards employment, 205 controlling, 214–215 definition, 203–204 impact on intent and commitment, 205–206 “inside track,” 203 intent and commitment, 204–206 job descriptions, 215 knowledge, skills, abilities, and resources, 206–208 lateral movement, 207 listening, 212–213 mobility within the community, 209–210 motivation, 204–205 need for organizations to listen, adapt and control, 210–215 observing, 212 proximity to the community, 208–209 proximity and mobility, 208–210 reward aspect of attack, 206 smart devices, 214 USB connection to company network, 214 0-day scenario, 207 Intelligence, value of, 44; see also Information sharing and intelligence, reinvention of Interdependencies, 23, 251–266 blurred line between government and business, 255 cluster, 259 Commercial Facilities Sector, 257 comparing the topography of interdependencies with flat/ hierarchical networks, 261–264 current trends in business, 252–254 emergence of the key sectors (energy, transportation, telecommunications, and financial), 259–261 flat network, 261 Government Facilities Sector, 257 “just-in-time” system, 253 looking at the world (community), 251–252 network capacity, 264 pandemic planning, 252 perfect storm, conditions for, 265 rise of the networked machines (Internet of Things), 256 shift and change government and regulation, 254–255 spoke and hub network, 261 “strong bonds,” 262

trends in the alignment of interdependencies, 256–259 vital dependency, 258 vulnerability, 263 “weak bonds,” 262 “zero-day” exploits, 256 International frameworks, 37–57 “air-gap,” 43 areas of potential risk or concern, 56–57 backdoor elimination, 55 botnet, 53, 55 cloud environments, information provided into, 45 competition, 44 due diligence checks, 50 electrical grid, 47, 51 expanding beyond the traditional response, 48–56 governments, collaborative roles of, 38 intelligence, value of, 44 international agreements, 42 international influence, 41 Internet service providers, focus of, 54 Internet of Things, 54 IT threat profiles, 44 lack of credible expertise, 57 meeting the dragons on the map, 37–41 observe-orient-decide-act loop, 47 passive personality theory, 53 risk management, 56 security, approach to, 56 standards organizations, 41 strategic activities, 40 target audiences, 45–48 treasure defined, 42 Universality Theory, 53 who owns the treasure, 41–42 International Maritime Organization (IMO), 47 International Organization for Standardization (ISO), 154 International Ship and Port Facility Security (ISPS) Code, 242 International terrorism, threat of, 12 International Traffic in Arms Regulations (ITAR), 116 Internet service provider (ISP), 54, 138 Internet of Things (IoT), 54, 78, 81, 256 ISIS, 2

J “Just-in-time” system, 253

316  ◾ Index L Leadership in Energy and Environmental Design (LEED), 52 Lessons Learned programs, 125–126 LINUX system, 133 “Load shedding,” 19 Local area networks (LANs), 131

M Malware, 141, 165 Microsoft Windows, 133 Mirai attack, 130 Moore’s law, 156

N NAFTA agreement, 237 NASA Jet Propulsion Laboratory, 270 National Cyber Security Division (NCSD) (DHS), 146, 156 National Fire Prevention Association 472, 195–196 National Infrastructure Protection Center (NIPC), 125 National Institute of Standards and Technology (NIST), 147, 154 National Oceanographic and Atmospheric Agency, 52 National Response Framework (NRF), 38, 46 National Response Plan (NRP), 38 Near Term Task Force (NTTF), 273 Need-to-know principle, 88 Network(s); see also Demand, capacity, fragility, and the emergence of networks breach, 208 capacity, 264 cellular, 162, 197 -enabled equipment, 177 enterprise, 134 flat, 261 -hopping, 165 intrusion detection systems, 151 local area, 131 partitioned, 221 protection, in Internet-of-Things environment, 78 risk management, 56 sniffing, 141 spoke and hub, 261 WiFi, 131

Nongovernmental organizations (NGOs), 4 North American Electric Reliability Corporation (NERC), 8, 46, 146, 154 North American Emergency Response Guidebook (ERG), 171–172 Nuclear Energy Institute (NEI), 274

O Observe-Orient-Decide-Act (OODA) model, 45 Occupational Safety and Health Administration (OSHA) Hazardous Waste Operations and Emergency Response (HAZWOPER), 196–197 Officially induced error, 71, 245 OmniTrax, 49 Ontario Hydro, 64 OODA (observe, orient, decide, and act) loops climate change, 286 international body, 47 safeguard design, 234 Open-source(s) information and intelligence, 92–93 rise of, 91–92 Operations security (OPSEC), 114 OSI model, 27, 233

P Pandemic planning, 252 Passive personality theory, 53 Perfect storm, 65, 260, 265 Personal protective equipment (PPE), 174, 181 Physical security, evolution of, 161–201 awareness-level guidelines, 172–178 awareness-level training, 179–180 awareness and performance-level training, 183–184 awareness, performance, and management training, 190 basic protocols, 173–174 cellular networks, 162, 197 contingency planning, 167 core offices tested, 162–168 denial of service attack, 166 department protocols for medical response personnel, 195 DOT HAZMAT classifications, 198–200 example (North American Emergency Response Guidebook), 171–172 external threat, 164

Index  ◾  317

first responder, 168–169 first responder classifications, 170 guideline classifications, 170–171 how to use equipment properly, 177–178 IAP development, 193–194 ICS awareness procedures, 180–181 ICS management procedures, 190–191 ICS performance procedures, 188–189 importance of implementing an emergency response plan, 201 internal threat, 164 Level A (operations level), 179–182 Level B (technician level), 182–191 malware, 165 National Fire Prevention Association 472, 195–196 operational levels defined, 178 OSHA Hazardous Waste Operations and Emergency Response, 196–197 performance-level guidelines, 178 Plan-Do-Check-Act cycle, 166 planning and management-level guidelines, 189 procedures for performing specialized tasks, 186–187 procedures for protecting incident scenes, 175–176 procedures for protecting a potential crime scene, 194–195 protocols to secure, mitigate, and remove HAZMAT, 191–192 recognize incidents, 173 scene security and control procedures, 176 self-protection measures, 174–175 self-protection, rescue, and evacuation procedures, 184–186 self-protection and rescue measures, 181–182 skilled support personnel, 197 smart technology, 162 specialist employee, 197–198 USB key, 165 WiFi-enabled technology, 166 WMD agents, 179, 187 WMD procedures, 182–183 Plan-Do-Check-Act cycle, 166 Privacy Act, 119 Privacy information, 119–120 Private sector, definition of, 4–5 Process Control Systems, 81 Procurement integrity law, 119 Programmable logic controller (PLC), 132

Pseudo-intelligent threat, 221 Public-private partnerships (P3), 59–72 balancing points, 69–71 the coming financial crisis, 65–67 criteria, 61 critical services, localization of, 67 definition, 11, 59–60 establishment of new capacity, 62–64 maintenance of existing capacity, 64–65 major arrangements, 61–62 miscellaneous forms of public-private cooperation and the erosion of governance, 67–69 overbalanced system, 68 spectrum, 60–62 transportation sector, 63 Public sector, definition of, 5–7 Public switched telephone network (PSTN), 131 Purdue model, 223

R Read-only memory (ROM) chip, 143 Regulatory oversight, challenges in, 235–250 balancing public safety and business operations, 237–239 balancing resilience and financial responsibility, 246–248 consultation, cooperation, or coercion, 241–244 critical capacities for regulators, 244–246 critical challenge in regulatory development process, 240 evolving threat, 242 hybrid regulations, 249 ISPS Code, 242 membership versus competition, 249–250 officially induced error, 245 picking the right mechanisms, 248 private associations and membership, emerging role of, 249 private sector competition, 238 role of regulatory oversight, 235–237 Reliability engineering, 29 Remote terminal unit (RTU), 131, 143 Right to Financial Privacy Act, 120 Risk, major elements of, 217 Risk Based Performance Standard (RBPS), 155 Risk management basis of, 79 decision making and, 77, 232

318  ◾ Index

goals, 228 networks, 56 regulatory oversight systems and, 248 safeguard design, 227–228 Rotations per minute (RPM), 269

S Safeguard design, 217–234 aligning outcomes to assets, 225–227 aligning risk management and controls, 228–231 Bell LaPadula model, 23 Biba model, 223 Clark-Wilson model, 223 concentrating the control, 228 control design, 228–234 data in motion, 223 electronic threat, 222 focusing the control (asset), 224–227 “green position,” 227 “inside-outward” model, 225, 229 integration of the harmonized model, 232–234 OODA loops, 234 OSI model, 233 “outside-inward” model, 225, 229 Purdue model, 223 responding to the threat, 217–224 risk, major elements of, 217 risk management, 227–228 “swim lane,” 217 threat, influence exerted by, 224 threat outcome, 224–225 understanding capacity, opportunity and resources, 220–222 understanding intent, 218–220 understanding proximity and mobility, 222–224 vulnerability, 218 Safeguards information (SGI), 127 Sandia National Laboratories, 46 SCADA, see Supervisory control and data acquisition (SCADA) SearchMil.com, 113 Sector-specific agencies, 296–299 Security of Canada Information Sharing Act, 42 Sensitive but unclassified (SBU) designation, 106–108 Sensitive Security Information, 98 Sensitive unclassified nonsafeguards information (SUNSI), 126–127

September 11 (2001) attacks, 1, 33 SHODAN, 136 Short Message Service (SMS), 177 Situational awareness, 26, 189, 270, 286 Smart devices, 78, 197, 214, 256 Software-as-a-service, 26 Solar farms, 19 Spoke and hub network, 261 Structured Query Language (SQL) database, 156 Stuxnet, 137, 221 Subject-object pairing, 55 Subscription-based services, 26 SUNSI, see Sensitive unclassified nonsafeguards information (SUNSI) Supervisory control and data acquisition (SCADA), 129–159 adoption of standardized technologies with known vulnerabilities, 133–134 auditing controls, implementing of, 149 blogs, 158 “collateral damage,” 134 community challenges, 156–157 connectivity of control systems to unsecured networks, 134 control loops, 131 control system attacks, threats resulting from, 141 control system compromises, consequences resulting from, 138 control systems, components of, 131–132 control systems, definition of, 129–130 control systems, insecure connectivity to, 136 control systems, methods of securing, 143–145 control systems, publicly available information about, 136 control systems, securing of, 149 control systems, technology research initiatives of, 145 control systems, types of, 131 control systems, vulnerability concerns about, 132–133 control systems architecture development, 150 control systems Cyber Security Evaluation Tool, 154–156 cyber-attacks, 132 dial-up blocks, 139 enterprise networks, 134

Index  ◾  319

exception tracking, development of methodologies for, 151 falsified information, 137 firewall, 135, 150 future of, 157–158 implementation constraints of existing security technologies, 134–135 incident response plans, 149, 151 infrastructure, 157 issues in securing control systems, 142–143 mailing list, 158–159 malware, 141 online SCADA and SCADA security resources, 159 policy management and control mechanisms, development of, 150 process and security control initiatives, 147–149 resources, 158–159 security awareness and information sharing initiatives, 146–147 segment networks between control systems and corporate enterprise, 150–151 similarities between sectors, 152 US computer emergency readiness team CCSP, 152–154 vulnerability of control systems to attack, 137–138 wardialing, 138–140 wardriving, 140 warwalking, 141 wireless communication system, 136 Supply chains bodies of knowledge associated with, 20 disruptions in, 217, 259, 286 global, 3, 37 impact on, 18 just-in-case, 272 security, 224 serving infrastructure sectors, 38 shock absorber within, 254 stand-alone systems and, 26 state actors and, 41

T TCB, see Trusted computing base (TCB) TCP/IP, 26 Terrorist activities, first responders dealing with, 196 attacks, evolution of, 2 definition of, 194 potential use of WMD, 189

Threat(s); see also Insider threat agent, 219 assessment, 76, 220 delineation of, 219 evolving, 242 external, 164 hybrid, 34 influence exerted by, 224 internal, 164 of international terrorism, 12 pseudo-intelligent, 221 response to, 217–224 resulting from control system attacks, 141 spectrum, 1 understanding of, convergence and, 27–28 vectors, 28, 31, 78 Transportation network Churchill, 236 clean-up activities, 292 climate change and, 268 damaged, 16 Trusted computing base (TCB), 85

U Unclassified controlled nuclear information (UCNI), 107, 121, 122 Unified command system (UCS), 180, 188 United States Computer Emergency Readiness Team (US-CERT), 154 Universality Theory, 53 UNIX system, 133 USA PATRIOT Act, 103 USB key, 165 US Department of Defense (DOD), 107, 154 US Department of Energy (DOE), 273 US Department of Homeland Security (DHS), 12, 97, 154 CSSP, 152–154 National Cyber Security Division, 146, 156 Transportation Security Administration, 23 US Nuclear Regulatory Commission (NRC), 273

V Vehicle-based attacks, 161 Vital dependency, 258 Voice over Internet Protocol (VOIP), 177, 260

320  ◾ Index W

Y

Wardialing, 138–140 Wardriving, 140 Warwalking, 141 Weapons of mass destruction (WMD) agents, 179, 187, 192 potential terrorist use of, 189 procedures, 182–183 WiFi-enabled technology, 131, 166

Year 2000 (Y2K) issue, 1, 33, 83

Z “Zero-day” exploits, 207, 256