NIPP and Tuck
Just after midnight on April 16 of last year, someone slipped into an underground vault near a freeway in San Jose, California, and cut multiple telephone cables. Then, 30 minutes later, snipers opened fire on a nearby electrical substation, knocking out 17 transformers that funnel power to Silicon Valley. Electric-grid officials were able to prevent a blackout by rerouting power around the downed station, but it took workers almost a month to repair the station and get it up and running again.
While such incidents may be rare, they highlight security concerns and new forms of terrorism that target critical infrastructure. Darren T. Nielsen, CPP, PCI, PSP, senior compliance auditor of cybersecurity for the Western Electricity Coordinating Council, says that both physical attacks and cyberthreats are something that industry leaders need to address through expanding perimeter security beyond substation fences.
“We are very good at controlling and monitoring access for persons who enter and exit our perimeters with approval, but we lost sight of the surrounding landscape where significant damage can and did occur,” explains Nielsen, who is also the chair of the ASIS International Utilities Security Council. “The utility sector industry has spent extensive amounts of money on capital projects to adhere to the North American Electric Reliability Corporation standards, but I believe we can do more.”
The Department of Homeland Security (DHS) agrees with Nielsen and has issued an updated National Infrastructure Protection Plan (NIPP) to address additional security concerns facing critical infrastructure. The plan, which was released in December of 2013 to update the 2009 version, outlines how the government and private sector can work together to manage risks in the 16 critical infrastructure sectors.
The 2013 NIPP summarizes the state of American critical infrastructure by focusing on goals to manage risk and outlining 12 calls to action for both the government and the private sector to advance efforts to secure infrastructure. These calls to action range from developing joint planning efforts to managing risks to promoting regional recovery after incidents.
Bob Kolasky, the director of strategy and policy at DHS’s Office of Infrastructure Protection, headed the Integrated Task Force that created the 2013 version of the NIPP. “I think the last [NIPP] built a nice framework to work together, but this [one goes beyond that and says] here’s some specific things we’re going to do to achieve that,” he explains. To create the 2013 version, DHS reached out to the private sector, nonprofits, state and local governments, and tribal councils to attempt to include as many viewpoints as possible.
Unlike the previous version, the 2013 edition focuses on the security goals the United States is trying to achieve as a nation and less on the responsibilities of various federal bureaucracies. DHS tried to strike a new tone of being more inclusive and focusing on the shared actions that the critical infrastructure community has as a whole.
Crucial to accomplishing the goals laid out in the NIPP is the understanding that the private sector owns a majority of the critical infrastructure and that most of the decisions to make infrastructure secure and resilient are made by the private sector. DHS has recognized this and wants to provide information to help the private sector make the best decisions it can and encourage it to share best practices. “The private sector is going to make decisions in the right way and we want to help them do that,” Kolasky says. “We also recognize that federal government can help spur innovation by funding innovation…but the private sector is the best source of innovation…so this plan is designed to not forget that security and resilience decisions will always be made in the context of ‘do they make good business sense?’”
Despite this attempt at collaboration, Nielsen expresses doubts about whether the new NIPP will get the private sector to share information about threats. One of the calls to action within the 2013 NIPP is greater shared situational awareness “without acknowledging a fundamental roadblock to sharing sensitive and classified information systems,” Nielsen says. “The intelligence community operates in an isolated environment and can’t, or won’t, create adequate tear-lines to get information to levels of classification that allow pertinent threat information to be shared with critical infrastructure owners and operators.”
Additionally, the interactions that the private sector and state and local governments have with the federal government impede information sharing, says Nielsen, who was working in the utilities industry when the 2009 NIPP was released. “Much of the information sharing and planning occurred in the state and local levels of law enforcement, EMS, and utilities via organizations such as the FBI’s InfraGard, fusion centers, and industry-specific security workgroups,” he explains. “The missing piece was real interactive communication with the federal and national level and tangible links to get things done.”
However, the new NIPP is designed to resolve some of these issues, allowing the critical infrastructure community to accomplish more of its goals outlined in the 2013 version. “At the core, this is a plan that promotes the idea of working largely in a voluntary context to achieve higher levels of security and resilience,” Kolasky explains. “And to do so, the underlying philosophical, strategic approach is risk management.”
Changes. While a focus on risk management has remained the same in the NIPP, DHS has also introduced some new factors. One major change is a greater focus on cybersecurity.
“This is much more of a plan than the previous one of thinking about cybersecurity as part of an integrated approach to enterprise management,” Kolasky says. “Earlier versions sort of separated cybersecurity from physical security. As we worked with our industry partners, we’ve understood that they’re making cyber decisions within the context of other decisions, and it’s important not to separate those two and that cybersecurity incidents can have physical consequences.”
When the 2009 version of the NIPP was released, there was the belief that you could keep systems off the Internet and keep them safe, what Kolasky calls an “air gap.” But now, “we’re in a world where the idea of an air gap is largely not enough” due to interdependencies of suppliers and the rapid growth of the cloud. In addition, technology has fundamentally changed “operations of infrastructure, and that could have cascading impacts if something were to happen on physical infrastructure.”
Nielsen thinks the focus on cyber is a step in the right direction, noting that business leaders as well as the public are paying attention as the media covers more incidents of hacking. But he maintains a firm belief that critical infrastructure needs strong physical protection as well.
Another change from the 2009 plan involved moving two formerly independent sectors under different categories within the NIPP. The postal and shipping sector was brought into the transportation sector, given DHS’s recognition that “most of the postal and shipping is done via transportation networks.” In addition, the national monuments and icons sector was moved into the government facilities sector, Kolasky explains.
Implementation. The 2013 NIPP initiatives are voluntary for the private sector, but the federal government will be required to adopt the new approaches, which will be enforced by Secretary of Homeland Security Jeh Johnson’s office.
Additionally, the NIPP has created Cross Sector Councils that will work with DHS to develop updated sector-specific plans for the 16 critical sectors. Those sector-specific plans will update the 2010 versions that were released in coordination with the 2009 NIPP, and they will focus on how each sector can implement the NIPP. The private sector is already making great strides on its own, and Nielsen says that he thinks it will step up to the challenge to meet the goals outlined in this new version of the NIPP.
“I believe the industry, as a whole, desires to do the right thing to ensure our nation remains secure and resilient,” Nielsen says. “To meet this challenge, many cogs in the wheel are at work to enhance collaboration across multiple lines of business.”