What is Critical Infrastructure?
According to the Department of Homeland Security (DHS) Cybersecurity & Infrastructure Security Agency (CISA) “there are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
What are these 16 sectors whose assets are so vital to the United States?
- Commercial Facilities
- Critical Manufacturing
- Defense Industrial Base
- Emergency Services
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials and Waste
- Transportation Systems
- Water and Wastewater Systems
Changes to the approach - bringing the public and private sector together
The Homeland Security Act of 2002 that was signed into law by then President George W. Bush following the 9/11 terrorist attack placed an emphasis on anti-terrorism. Since that law was signed several Presidential Policy Directives (PPD) were enacted. The most recent one, PPD-21, advanced a national policy designed to strengthen and maintain secure, functioning, and resilient critical infrastructure. The most notable change, in PPD-21, was a shift from anti-terrorism to an all-hazards approach and the reduction from 18 to 16 sectors. However, over time the most significant change that occurred to the protection of our Nation and its Critical Infrastructure was completed through PPD-8: National Preparedness, in 2011, by then President Barack Obama. PPD-8 placed a significant responsibility on everyone, not just the government, to protect the Nation from hazards, such as terrorism, pandemics, and natural disasters. PPD-8 for all intent and purposes was designed to bring the public and private sector together in order to more efficiently and effectively protect the Nation.
Have we been successful with protecting the Nation?
Initially, one can answer the question by saying we have not seen any attack similar to the magnitude of 9/11 since the enaction of the Homeland Security Act or the subsequent PPDs, so it appears there has been a success. However, although we have not seen a direct attack from a foreign enemy, or hijacked planes flying into buildings, we’ve had our share of attacks coming from within the homeland, or what is often called domestic terrorism or individuals labeled as domestic violent extremists (DVE). This identification also includes those who may be inspired by foreign terrorists or other foreign influences to carry out an attack. The definitions can be different depending on whom you speak with or what agency becomes involved that triggers the criminal act to become terrorism. In any scenario, the mandate has never been clearer and more important than protecting our homeland is not solely a government responsibility but a collective effort between the public and private sectors that require innovation in technology, planning, qualified personnel, and comprehensive training to overcome the individuals or groups who seek to compromise, disrupt, harm, or destroy.
Working together to protect critical infrastructure begins with risk management
The approach to protecting critical infrastructure is based on multiple variables, with each situation being different. Each critical infrastructure sector drilled down to the facility itself presents a level of risk that requires mitigating steps to be taken. It all begins with the term risk management.
Risk, by definition, is the potential for an unwanted outcome resulting from an incident or occurrence
Therefore, risk management is how we manage that risk and, ultimately, what will be written into plans and how we prepare to prevent or minimize exposure to it. One of the more basic principles of risk management is that we must close the gap or shortfall that exists that is making the facility vulnerable. Sometimes, a facility doesn’t realize a gap or shortfall exists until the plans are tested.
How are plans tested?The most effective way to test a plan is to exercise them. According to the Federal Emergency Management Agency (FEMA):
Exercises help build preparedness for threats and hazards by providing a low-risk, cost-effective environment to:
- Test and validate plans, policies, procedures, and capabilities
- Identify resource requirements, capability gaps, strengths, areas for improvement, and potential best practices
There are discussion-based and operational-based exercises. Each one serves a different function for what will be the primary objective(s). A commitment to exercise frequently. Critical infrastructure facilities must maintain their readiness for the evolving element of hazards.
A call to action for those in charge of security at their facility
Valentis Group Inc can assist and support critical infrastructure clients with a consulting program designed to exercise, evaluate, and update written plans. Our methodology can focus on a community-wide approach to integrate partners into the exercises to improve readiness. Valentis relies on a combination of comprehensive plans and a trained security force that focuses on risk management to reduce client exposure and an enhanced ability to deter and defend against organized and active threats.