Creating A Roadmap to Achieve Critical Infrastructure Protection
Critical infrastructure protection is part of the domain of every security professional. Although our specific facilities may not be considered critical infrastructure, we have interdependencies with it—water, power, chemicals, telecommunications, transportation, banking, and finance, to name a few.
Globally, there are many definitions of critical infrastructure and key resources (CIKR). CIKR relates to a nation’s security, public health and safety, economic vitality, and way of life. CIKR includes physical or virtual assets, systems, and networks so vital that the incapacity or destruction of such assets, systems, or networks would have a debilitating impact on security, national economic security, public health or safety, or any combination of those matters.
For the private sector, the impacts of a loss of critical infrastructure directly affect the enterprise through impacts to people, finances, stakeholders, reputation, and equipment. A significant loss in any one of these areas could ultimately result in the failure of the enterprise. Many organizations are experiencing this now as they feel the effects of a weakened supply chain, staffing issues, and unrest due to the COVID-19 pandemic. The current semi-conductor shortage is already having a financial impact on organizations. Ford Motor Company is forecasting a $2.5 billion loss this year, and that is just one manufacturer of many.
The risks which can impact an enterprise are many but generally fall into three categories:
- Person Driven Event, which includes crime, terrorism, and civil unrest.
- Natural Disasters, including floods, earthquakes, wind storms, tornadoes, limnic events, and drought.
- Accidental Hazards,which include structural collapse, derailments, and hazardous material spills.
Any of these events, depending on the magnitude, can have a significant impact on the enterprise. As security professionals, how can we prevent these events from occurring or minimize the impact?
Standards to the Rescue
ASIS International, in its role as a Standards Developing Organization (SDO), develops standards and guidelines to serve the needs of security practitioners in today’s global environment. Preparing standards and guidelines is carried out through the ASIS Standards and Guidelines Committees and governed by the Professional Standards Board (PSB). The standards development process is nonproprietary and consensus-based, utilizing the knowledge, experience, and expertise of ASIS membership, security professionals, and the global security profession. ASIS International is a worldwide organization and has a global focus on its Standards. In other words, the roadmap below is equally adaptable in Dubai as it is in Denver.
The Roadmap
Through its Standards and Guidelines efforts, ASIS International provides security professionals a comprehensive roadmap for success. Some standards, such as Investigations, have a particular focus. Other standards have a more extensive scope and provide a path to successfully identifying and mitigating Enterprise Risk and ensuring organizational resilience.
The Enterprise Security Risk Management (ESRM) Guideline describes the ESRM approach. It explains how it can enhance a security program while aligning security resources with organizational strategy to manage risk. Utilizing ESRM, security professionals work with asset owners to identify and prioritize assets and risks to mitigate those risks and create a holistic security program that supports the organization’s mission. ESRM is a global strategy and, as such, is being infused into ASIS Standards and Guidelines.
ESRM is the first connection to a quality critical infrastructure protection program. To protect infrastructure, we have to understand the various risks, threats, and impacts to operations. We cannot afford to silo risk and must consider risk and its depth and breadth of impacts. All risk is shared. An example is our cyber systems; we do not own all of them, but all of our devices connect to the cyber backbone. Loss of the cyber network creates a significant impact on the continued operation of physical security systems.
The first steps to establish an ESRM program are identifying and prioritizing assets and the risk to those assets. Accomplishing this requires a risk assessment.
The Risk Assessment Standard is one I heavily rely on identifying risks for my clients. Many security practitioners have learned the Problem-Solving Process at some time in our lives. The first steps in the Problem-Solving Process are defining the problem, analyzing the problem, and identifying solutions. In the world of risk assessment, this equates to identifying risk, analyzing risk, and identifying mitigations.
The Risk Assessment Standard guides users on developing and sustaining a coherent and effective risk assessment program, including principles for managing an overall risk assessment program and performing individual risk assessments along with confirming the competencies of risk assessors and understanding biases. This standard describes a well-defined risk assessment program and individual assessments to provide the foundation for the risk management process. Seven annexes offer additional guidance for applying risk assessments and potential treatments.
Physical Asset Protection (PAP)
Understanding physical security, physical protection systems, and identifying threats and vulnerabilities is required knowledge when conducting a risk, threat, and vulnerability assessment. The Physical Asset Protection Standard utilizes a management systems approach to assist organizations in designing, implementing, monitoring, evaluating, and maintaining a physical asset protection (PAP) program. It also provides guidance on identifying, applying, and managing physical protection systems (PPS) to safeguard an organization’s assets (e.g., people, property, and information).
Annex A of the PAP Standard provides guidance on security convergence, Crime Prevention Through Environmental Design (CPTED), site hardening, security lighting, physical barriers, intrusion detection systems, physical entry, and access control, video systems, alarms, communications, display, and security personnel.
The above information will not make you an expert practitioner but will undoubtedly provide you with the fundamental knowledge needed to manage risk, threat, and vulnerability assessments.
The practice of physical security requires a considerable amount of knowledge and expertise. The PAP Standard provides an in-depth overview, but practitioners may want greater knowledge and should seek out board certification as a Physical Security Professional (PSP).
Business Continuity
The need for adaptable and flexible business continuity programs has been made apparent with the global response to the COVID-19 pandemic. Prepared enterprises demonstrated the ability to continue in the face of adversity with changed business models. Others, who were unprepared, could not adapt and failed.
Business continuity should be considered as a part of a comprehensive CIKR program. The practice of business continuity ensures the resilience of the enterprise and its ability to adapt to change in adverse situations. It also ensures that the critical operations required to keep an enterprise running continue to operate during events when critical dependencies required for operations are disrupted. The Business Continuity Management Guideline specifies steps that an organization can take to establish a business continuity management program to effectively manage a disruptive event with the potential to impact an organization’s ability to survive. It also outlines actions to help ensure continued viability.
In simple terms, business continuity is the enterprise’s ability to carry out its everyday activities and functions in the face of adversity. Some potential events could be a pandemic, a business crisis, natural disasters, or workplace violence.
There are two principal processes within the practice of business continuity that impact critical infrastructure protection and the continued longevity of the business. They are a Business Impact Analysis (BIA) and a Business Continuity Plan (BCP). Business impact analysis is a process to help plan for the inevitability of consequences and their cost. It’s another aspect to consider when addressing risk.
We use business impact analysis to predict the consequences of disruptions to a business, its processes, and systems by collecting relevant data, develop strategies to create a resilient enterprise in the case of an emergency or disaster.
A BCP is an ongoing process supported by senior management and funded to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure the continuity of operations through personnel training, plan testing, and maintenance.
To be concise, the BCP addresses the plans, policies, procedures, resources, and training utilized when confronted with adversity to ensure the continued resilience and longevity of the business.
Critical infrastructure protection is an in-depth study and a subject on to itself. In application, it can be very complex with many moving parts. Through ASIS International and our Standards and Guidelines, we can provide security practitioners with a road map for success. The journey can be long and arduous, and nobody said it would be easy. What is important is that we keep the end goal of a resilient enterprise in mind, ensure we are adding value to our respective enterprises, and celebrate our successes along the way as we achieve each milestone.
Jeffrey A. Slotnick, CPP, PSP, is president of Setracon Enterprise Security Risk Management Services Inc. He is a trusted advisor, leader, risk consultant, ESRM advocate, security management professional, physical security specialist, Quality Management professional, public speaker, author, and media consultant. Slotnick is a senior regional vice president for ASIS International, faculty advisor for the University of Phoenix Bachelor of Science in Cyber Security and Security Management Degree Program, and a 20 year reserve law enforcement officer for the City of Centralia, Washington.