
Critical Infrastructure Protection

This fall, Hurricane Harvey’s floodwaters triggered a spill of almost 500,000 gallons of gasoline from two storage tanks on the Houston Ship Channel, marking the largest spill reported to date after the storm slammed into the heart of Texas’s huge petrochemical industry. Evidence also surfaced of multiple serious potential cyberattacks on electrical systems using Dragonfly malware.

Meanwhile, 2017 marked the 20th anniversary of exercises conducted by the Pentagon that uncovered vulnerabilities in U.S. critical infrastructure and exposed gaps in the government’s response, leading to the U.S. Cyber Command. At an October symposium, senior leaders discussed the future of the nation’s cyber infrastructure, the interplay between innovation and cyber insecurity, and the policy choices that should be central to a national debate.

The following ASIS and security industry thought leaders offer their assessments on historical, topical, and potential threats to a nation’s critical infrastructure.​


Free Resources: Critical Infrastructure Security ​

(All resources are free - login/creation of free account required)

ASIS Council Resources


Critical Infrastructure Resource Guide (2011)
ASIS Critical Infrastructure Working Group

This guide was created to serve as a reference for all infrastructure categories and industries. It can assist both the private and public sectors with information relevant to critical infrastructure protection, disaster resilience, and continuity operations. Its conclusions are based on expertise with the nation’s 18 critical infrastructures and key resources from ASIS councils, the U.S. Department of Homeland Security, and academia.

Utility Security Risk Management: Security Program Fundamentals
White Paper, 2013
ASIS Utilities Security Council

This 29-page, peer-reviewed paper, written by security experts in both the public and private sectors, describes advancements in comprehensive risk management in critical and high-risk environments, including nuclear generation, gas and oil refineries, and dam safety. Several charts depict a framework for managing risk. Key points include:

  • The expansion of utilities assets into the public domain—especially as it relates to the proliferation of IT assets in the smart grid and control systems—increases the potential for attacks.

  • A simple formula, risk = probability + consequences, can be used to measure risk for a utility.

  • If the risk assessment is inadequate, outdated, or unused, the utility could be held liable for damages if, for example, a patient became sick because the hospital did not have clean water.


​Recorded Seminar Sessions


Protecting the U.S. Power Grid from Physical Attack – September 2016

Securing the United States electric grid is a top priority for regulators and utilities. Current events have prompted security professionals to improve physical security measures at facilities. Four speakers review best practices for securing the electric infrastructure; discuss threats to transmission substations, generating plants, and electricity control centers; and consider the future of security regulation in the electricity sector. 

Implementing an Effective Food Defense and Security Plan – September 2016

In light of the 2016 Food Safety Modernization Act Final Rule, security professionals are tasked with reducing supply chain food adulteration vulnerabilities and developing a “Food Defense Plan.” The speaker examines resources available to the food defense practitioner to minimize risk exposure and meet outlined regulatory requirements.

Defending Industrial Control Systems in Critical Infrastructure – September 2016

Industrial control systems affect your everyday life, though most people never give them a second thought: the car you drive, the water you drink, the energy you consume, and the devices that assure your medical health. This discussion measures industrial control systems cyber success, provides actionable industrial cyber safety, leverages virtual environments for real-time forensic value and monitoring, builds upon strong digital design principles, and shares perspectives on industrial control system compromise while discussing public, game-changing cyber threats.


Webinars


Cyber: The New Frontier for Terrorist & Geopolitical War – August 30, 2017

The cyber frontier has joined land, sea, and air as a concern with unique challenges and hard-to-identify actors. The speaker discusses specific threats to U.S. critical infrastructure, including power grids, water supply, and nuclear plants. Methods of attack and 21st century hacking, data breaches, and information warfare are explored. Specific steps for risk and threat prevention and mitigation are also outlined.

Securing the North American Electricity Grid – June 7, 2017

The speakers review best practices for securing electric infrastructure and discuss the ongoing threat to transmission stations, generating plants, and electricity control centers. They discuss the newly implemented NERC CIP-014 Physical Security Standard and the future of security regulation in the electricity sector. They also explore how the standard has affected industry and overall system reliability.              

Protecting North America’s Electric Grid From Physical Attack – April 27, 2016

Current and former representatives from the North American Electric Reliability Corporation (NERC) and the Electricity Security Information Sharing and Analysis Center (E-ISAC) discuss three topics: the CIP-014 physical security reliability standard; information sharing between utilities and government partners; and physical security assessment reviews and outreach visits. The status of the future Design Basis Threat initiative is also reviewed.


Security Management Articles


Survey of INFOSEC Professionals Paints a Dark Picture of Cyber Defenses – July 2017

A majority of information security professionals believe that U.S. critical infrastructure will be breached by a cyberattack in the next two years.

Power Play: Resilience & Infrastructure – June 2017

Standardization is often seen as a positive in modern society, but there are risks in creating a monoculture—a homogenous culture lacking diversity—especially in cyberspace. 

What the U.S. Government Can Do To Protect the Grid – June 2017

A report discusses eight challenges for the U.S. government to address to increase the electric grid’s cybersecurity, including ways to improve coordination across government agencies, review laws and regulations, and address system architecture.

Trump’s Cybersecurity Executive Order Well Received by Experts – May 2017

The second part of this three-part executive order (EO) focuses on critical infrastructure cybersecurity. It calls for reports to identify ways that agencies can support the cybersecurity efforts of those critical infrastructure entities at the greatest risk of attack, resulting in catastrophic effects on public health or safety, economic security, or national security.

The Evolution of Airport Attacks – April 2017

The air transit system has been considered a prime target since the beginning of the modern era of terrorism. From a terrorist’s perspective, hundreds of people trapped inside a pressurized metal tube at 30,000 feet are ideal targets not only because the victims are so vulnerable, but because of the heavy media coverage such attacks generate. 

World Water Woes – January 2017

As a vital asset and symbol of democratic societies, water is a high-value target for terrorists. Also, the relative scarcity of water around the world can lead to global conflict. Author Yves Duguay encourages U.S. and Canadian security professionals to revisit the security risks associated with water and wastewater and assess the effectiveness of current layers of protection using an equation where risk is the product of likelihood, consequences, and vulnerabilities.

Infrastructure Protection Trends – September 2016

Some forward-thinking firms have adopted infrastructure resilience strategies that include contingency and emergency plans, which are practiced and reviewed with employees.  In these plans, communication is critical and can lead to a clear competitive advantage.  One negative trend is that infrastructure facilities are often guarded by officers with low pay and poor training. The security industry needs to rectify that vulnerability, say the speakers.

Cyber Pulls the Plug – May 2016

A 2015 power grid attack in Ukraine used malware to create a backdoor and plant a KillDisk component on targeted computers that made them unbootable and destroyed files.  While the source of the attack is unclear, what made it possible is that many of Ukraine’s electric power facilities are connected to the Internet.  Experts think that other critical infrastructure sectors in North America—such as water systems—may be vulnerable to similar attacks because they do not have the same standards as the energy sector.  Companies need to assume that their systems will be breached and take steps to ensure that they can quickly detect, mitigate, and recover from an attack. ​

Wanted: Private Sector Help – February 2016

U.S. national intelligence leaders say they know what threats are going to test the nation and they are focusing their efforts on encouraging public and private organizations and employees to be the first line of defense.

Members-Only Resources

Critical Infrastructure Protection From a Private Security Perspective

ASIS Webinar

Speaker: Keith Melo, emergency management program coordinator, George Brown College, Ontario, Canada. Key points from the program include:

  • 85 percent of the world’s critical infrastructure is owned by the private sector. Partnerships—fire, police, hospitals, EMS—are key.

  • Emergency management is an ongoing process based on changing threat risk assessments.

  • Leadership and training on the “Pillars of Preparedness” will help a business survive the domino effect caused by an incident at a neighboring utility, dam, or oil spill.



​Members Only

Critical Infrastructure Protection: The Way Ahead

 ASIS Webinar

Speaker: Ron Martin, CPP, retired after a career with the U.S. Army and with the U.S. Department of Health and Human Services.

Martin cited numerous presidential directives and standards that provide guidance on forming security policies and protection efforts. He walked attendees through the National Infrastructure Protection Plan (NIPP) available on the Department of Homeland Security website. He also touched on presidential directives that have guided the federal response to critical infrastructure risks. Key points include:

  • Cyber threats are the greatest risk because the U.S. has many adversaries who would like to disrupt its resources.

  • DHS has been charged with identifying the critical infrastructure with the greatest cyber threat potential and giving direction to the Executive Branch of the U.S. government.

  • A dashboard can be used to continuously monitor physical security information management, security event management, and security information management, thereby assessing security options for the future.


Securing Port and Maritime Assets

ASIS 2014 session

Speaker: Former Navy SEAL Alan Oshirak. During his military service, Oshirak worked in the international maritime community and with the U.S. Coast Guard on port and harbor security issues.

During the session, Oshirak discussed the threats to international port security: external actors, insider threats, graft and corruption, piracy, and labor unrest, including protests and demonstrations. Key points include:

  • There is not a lot of integration among port authorities and ship owners on security matters, and this lack of coordination can tie up a port very quickly.

  • If a ship is simply passing through a port to another destination, it will rarely be pulled out of the queue to check its cargo.

  • If ships could be screened as many as two days before they enter a port, authorities would have a great chance to divert a ship if intelligence suspects illegal cargo or activities. It’s hard to stop a ship once it enters the port’s queue.


Sources of Information on the Security of Critical Infrastructure

ASIS IRC Reference Guide

A comprehensive review of the many books, Security Management articles, journals, annual seminar recorded sessions, and IRC security databases and catalog offerings.