Friday, June 20, 2014

Must Read for CyberWar Students and Spectators

I've just returned from an interesting and exhausting ICS security trip to Nigeria, Egypt and Dubai --- and as I was catching up on my reading I came across an excellent and well-written article regarding nation-state attacks on our critical infrastructure.  Kudos to Mike Riley and Jordan Robertson of Bloomberg!

The article in Bloomberg is "UglyGorilla Hack of U.S. Utility Exposes Cyberwar Threat."

Rather than resummarize the article I'd strongly suggest you read it and think about the implications of the content.

It is pretty ugly.

Anyone who thinks we are ahead of the cyber attackers/criminals is sadly mistaken.

As noted by Representative Mike Rogers, R-Michigan: "This is as big a national security threat as I have ever seen in the history of this country that we are not prepared for."

Read and ponder....


Wednesday, June 11, 2014

OPINION: Does the NIPP Account for Infrastructure Neglect? Climate Change?

I am currently a candidate for a Masters in Infrastructure Planning and Management (IPM) at the University of Washington.  In my recent class on Transportation Infrastructure we prepared a response to a question regarding the Department of Homeland Security's (DHS) National Infrastructure Protection Plan (NIPP).

The question posed is in the box below. However, to answer the question, a brief history of the NIPP and its development post 9/11 is summarized.

I think you will find this an interesting read, and it may make you wonder about the true value of the NIPP in today's environment.




Assigned Question

Do you think that the infrastructure protection plan as proposed by the Department of Homeland Security accounts for infrastructure neglect? Should it? Could this lack of maintenance of transportation infrastructure potentially be a much greater concern than terrorist attack or climate change? Would our national resources be better spent on maintenance activities as opposed to protection or adaption?


The question posed above is one that requires some background history and assimilation prior to finally offering a view.  Therefore, this discussion first highlights the history of the National Infrastructure Protection Plan (NIPP) – its genesis and modification.  Then at the end of the discussion responses to the questions posed above for this assignment are provided.

Genesis of National Infrastructure Protection Plan

On December 17, 2003, Homeland Security Presidential Directive - 7 (HSPD-7)[1] was issued by President George H. W. Bush.  The stated purpose of this Directive was:

1.  This directive establishes a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks.

Similarly in the Policy portion of HSPD-7 the emphasis again was on protecting critical assets from terrorist attack.  Paragraph 7 notes:

Later in HSPD-7 regarding implementation of the HSPD, Paragraph 27 notes that the Secretary of Homeland Security is to “…produce a comprehensive, integrated National Plan for Critical Infrastructure and Key Resources Protection…”  The remaining implementation requirements are shown below:

In summary, HSPD was originally focused on protecting critical infrastructure from terrorist attacks with assigned responsibilities to the Secretary of Homeland Security.  The implementation directive was not specific to terrorist threats; however, it was inferred in the purpose of the HSPD and ultimate implementation mandates.

In 2006 the first edition of the National Infrastructure Protection Plan (NIPP) was issued by Department of Homeland Security (DHS) Secretary Chertoff.  The specific goal of the NIPP was noted below from Page 1 of the document.  As the reader can observe, the focus is intended to prevent, deter, neutralize, or mitigate effects…by terrorists…That is the key emphasis of this plan, in this writer’s opinion.  But it is agreed that there is some parenthetical response to “…natural disasters and other emergency.”

The theme of Secretary Chertoff’s Preface in the first NIPP was still primarily focused on terrorist threats although there was some discussion about protection of CI/KR from natural disasters.  Overall, however, the term “Attacks” was used repeatedly throughout the document (I stopped counting at 20 instances) and not once was there reference to climate or climate change – only “natural disasters.” And upon a quick survey the term “natural disasters” was almost always used in the same sentence with “terrorist.”
The conclusion of the 2006 NIPP is that it was issued in response to the terrorist threat which was in keeping with HSPD-7 issued in 2003 following the terrorist events of 9/11.

2009 NIPP

A new version of the NIPP was promulgated in 2009.  The goal of the NIPP remained the same as the 2003 edition except it showed the evolution of the programs and processes first introduced in 2006 and was developed collaboratively with the CI/KR partners of all levels of government and private sector.
Again the emphasis still appears to be focused on terrorist attacks with minimal inclusion of references to natural disasters and no references to climate change.
On a statistical note, the term “Attack” is used 114 times, “terrorist” is used 157 times, “natural disaster” is used 37 times, and “climate change” is not used at all in the 2009 NIPP.

NIPP 2013 Partnering for Critical Infrastructure Security and Resilience

In February 2013, President Obama issued Presidential Policy Directive 21 (PPD-21), Critical Infrastructure Security and Resilience[2], which explicitly calls for an update to the NIPP. As noted by the 2013 NIPP, this update is informed by significant evolution in the critical infrastructure risk, policy, and operating environments, as well as experience gained and lessons learned since the NIPP was last issued in 2009.  The revised NIPP expands the view of the threats to critical infrastructure as depicted in the graphic (Figure 2) from page 8 of the NIPP.

As the reader can observe the focus on terrorist attacks has been substantially reduced to a more balanced perspective along with extreme weather, accidents, cyber-attacks, etc.
Also, as a comparison, the term “terrorist” is only used six times in the 2013 NIPP thus demonstrating a more balanced approach to protection of critical infrastructure.

The 2013 NIPP also demonstrated a more balanced approach to critical infrastructure protection when it included the seven core tenets listed below:
  1. Risk should be identified and managed in a coordinated and comprehensive way across the critical infrastructure community to enable the effective allocation of security and resilience resources.
  2. Understanding and addressing risks from cross-sector dependencies and interdependencies is essential to enhancing critical infrastructure security and resilience.
  3. Gaining knowledge of infrastructure risk and interdependencies requires information sharing across the critical infrastructure community.
  4. The partnership approach to critical infrastructure security and resilience recognizes the unique perspectives and comparative advantages of the diverse critical infrastructure community.
  5. Regional and State, Local, Tribal and Territorial (SLTT) partnerships are crucial to developing shared perspectives on gaps and actions to improve critical infrastructure security and resilience.
  6. Infrastructure critical to the United States transcends national boundaries, requiring cross-border collaboration, mutual assistance, and other cooperative agreements.
  7. Security and resilience should be considered during the design of assets, systems, and networks.

Overall, the NIPP from its inception in 2003 to the 2013 edition has evolved from one focused on terrorist attacks and defense to one of a more balanced, all-hazard approach.  The 2013 NIPP has also provided an updated approach to not only critical infrastructure security but also to resilience.

Responses to Discussion Questions

With the background history provided, my responses to the questions posed include the following:

·       Do you think that the infrastructure protection plan as proposed by the Department of Homeland Security accounts for infrastructure neglect?

o      Sadly, the NIPP of 2003 and 2009 were both very focused on terrorist attack and defense and as such infrastructure neglect was not even considered.  The 2013 NIPP does allude to a more holistic approach, especially in Tenet #7 that discusses “Security and resilience … considered during the design of assets, systems and networks.”

o      On page 18 of the 2013 NIPP there is a discussion focused on risk management that takes into consideration the following elements:

§  Identify, Deter, Detect, Disrupt, and Prepare for Threats and Hazards
§  Reduce Vulnerabilities
§  Mitigate Consequences

Of interest, the “Reduce Vulnerabilities” element includes a statement “Employ siting considerations when locating new infrastructure, such as avoiding floodplains, seismic zones, and other risk-prone locations.”  This appears to at least try to address some elements of extreme weather (possibly due to climate change) for new designs but again, I did not see any discussion specific to maintaining and upgrading current infrastructure.  That said, the “siting considerations” can be – and should be – included in current infrastructure maintenance and upgrades as well as for new critical infrastructure such as roads, etc.
Under the discussion “Mitigate Consequences” there is a bullet that also could be related to current infrastructure – “Repair or replace damaged infrastructure with cost-effective designs that are more secure and resilient.”  Hence, there is a subtle element of support to improving infrastructure with “…designs that are more secure and resilient…” but only if they are damaged, not if they are currently usable but need upgrades for increased resilience.

·         Should it?

o      Yes, it makes sense that emphasis on infrastructure should be sustained as well as improved via such approaches as corrective and preventive maintenance, design upgrades and improvements, etc.  As a suggestion to the future editions of the NIPP there needs to be particular emphasis and focus on current assets as well as future ones.  Also, the future NIPP editions should allow for some means of assessment and prioritization of current assets for design upgrades and corrective/preventive maintenance regardless of whether the infrastructure has failed (yet) or not. 

o      As I prepared this discussion I was reminded of Professor Jan Whittington’s research report Making Room for the Future: Rebuilding California’s Infrastructure where her research along with David Dowall observed that “California has a deferred maintenance crisis in its hands…extensive deferred maintenance backlogs in…transportation facilities.”  Here was an example where there was no policy guidance in the state of California to perform maintenance on its key assets.  Hence, one could observe a parallel issue with the US NIPP and its failure to really emphasize performance of maintenance on critical assets such as roads and bridges.

·        Could this lack of maintenance of transportation infrastructure potentially be a much greater concern than terrorist attack or climate change?

o       As you look at this issue across the entire United States and across all transportation infrastructure one could make a case that the concern should be greater than that of a terrorist attack or climate change, primarily because the probability of occurrence is high for most transportation infrastructure and the number of opportunities for failure is high – especially when considering the number of vehicles traveling on the roads, where each vehicle can offer a potential “event” and harm to the infrastructure.  Compare this to the number of hurricanes per season where the frequency of events is lower but the impact is much, much higher.

o       For instance when you do a risk analysis of risk vs. consequence, the terrorist consequence can be very high but the probability or likelihood of the event is low.  Hence we have the classic low probability – high consequence event.  The same applies to climate change when you look at such events as Katrina or Super Storm Sandy.  However, when you look at the probability of a transportation infrastructure failure anywhere across the US on a daily – or even hourly basis – the probability is high but the consequences may be less (in most but not all cases) than a terrorist or major storm event.  So, in all, the integral of the equation so to speak may reveal that the transportation failures occur more frequently than terrorist attacks/climate change effects which could lead to higher costs in dollars and human life over a one-year time period than the results of a year’s worth of terrorist attacks and climate change events such as storms.

o      The Federal Highway Administration includes an “integrated risk assessment” approach as alluded to in the paragraph above where they discuss climate change vulnerability assessment pilots.[3]

o      Optimally it would be useful to have a comparison of the number of terrorist attacks for a specific geographic area versus the number of transportation infrastructure failures (e.g., bridges) for the same period of time to get a sense of probabilities.  As part of this thought experiment the following graphics were located on the Internet to help give a sense of “direction” for this comparison.  However, it is agreed that they are not a true “apples to apples” comparison.

Here is a graphic showing bridge failures.

And here is a graphic showing terrorist attacks:

Unfortunately I could not locate any data for the same time period to do an honest comparison either by events per year or costs per year.

·        Would our national resources be better spent on maintenance activities as opposed to protection or adaption?

o      This is a balancing act that requires policies to help ensure the funds and resources are spent on the right things.  Again, as shown in Dr. Whittington’s study, the State of California is not tasked with anti-terrorism activities yet they still did not spend money on infrastructure maintenance due to rapid population growth and focus on new assets.  Also, with most infrastructure being covered by the states and local entities, you again have a conflict between anti-terrorism dollars (Federal), dollars for climate change remediation (unknown contributor – Federal or State), and dollars for infrastructure maintenance (State and local).  However, it is important to note that with the minimal amount of funds being used to pay for infrastructure maintenance today, any increase in resources to improve current asset integrity and safety would be better than the status quo.  This is especially true since replacing all the assets with new, safer and more secure facilities is not financially reasonable or fiscally reasonable.  And the added taxes for such efforts would not be accepted by the general population because they don’t have ready visibility to how bad the current circumstances are in spite of the studies from the American Society of Civil Engineers.


"Bridges 101 - What Causes a Bridge Failure." Because I Can. January 31, 2012. (accessed May 10, 2014).
Department of Homeland Security Science and Technology Center of Excellence, University of Maryland. "National Consortium for the Study of Terrorism and Responses to Terrorism: Annex of Statistical Information." US Department of State. April 2014. (accessed May 10, 2014).
Dowall, David E., and Jan Whittington. Making Room for the Future: Rebuilding California's Infrastructure. Research Publication, San Francisco: Public Policy Institute of California, 2003.
US Department of Homeland Security. "Homeland Security Presidential Directive - 7: Critical Infrastructure Identification, Prioritization, and Protection." US Department of Homeland Security. December 17, 2003. (accessed May 10, 2014).
US Department of Homeland Security. National Infrastructure Protection Plan (2006). Washington, D.C.: US Department of Homeland Security, 2006.
US Department of Homeland Security. National Infrastructure Protection Plan (2009). Washington, DC: US Department of Homeland Security, 2009.
US Department of Homeland Security. National Infrastructure Protection Plan 2013: Partnering for Critical Infrastructure Security and Resilience. Washington, D.C.: US Department of Homeland Security, 2013.
US Department of Transportation Federal Highway Administration. Climate Change Vulnerability Assessment Pilots. March 27, 2014. (accessed May 10, 2014).