Military planners employ a deliberate and comprehensive process to plan attacks on the critical infrastructures of potential adversaries. As a corresponding matter of fact, sophisticated and determined threat actors are continuously evaluating U.S. critical infrastructures in preparation for potential future conflicts. This is a perspective with which intelligence analysts and attack planners are very familiar.
However, this perspective is not as widely shared by the risk-management planners and managers responsible for the protection of critical infrastructure assets. This limited perspective can lead to a narrow protection focus that does not account for the critical nodes in the larger infrastructure and infrastructure support systems. This potential shortfall is effectively addressed by security and protection programs that incorporate a process of viewing our critical infrastructure assets through the prism of a sophisticated and determined adversary. This is an intelligence targeting approach to critical infrastructure protection.
All critical infrastructure protection specialists should be familiar with the deliberate target development process that sophisticated and determined threat actors are known to be employing in preparation for hostilities. Unfortunately, however, this approach is rarely applied to critical infrastructure protection programs. In fact, any targeting intelligence analyst reviewing the risk-management strategies for critical infrastructures from a target system analysis attack planning perspective would conclude that most protection and consequence management planning efforts are simplistic in comparison. Based on such a comparison, it is likely that adversaries conducting this level of analysis understand the exploitable vulnerabilities associated with the infrastructure assets they study better than the asset protection managers. This is not an indictment on the many well-intentioned asset protection professionals; rather, it reflects the fact that this level of analytical rigor is primarily exercised in the realm of intelligence targeting by those who are focused on destruction/debilitation, and not mirror-imaging for protection purposes.
America’s priority critical infrastructure assets are likely known to potential adversaries with interests in understanding our key capabilities. In addition to state militaries that are certainly planning to attack U.S. infrastructure in the event of hostilities, there are several non-state actors, to include transnational terrorist organizations, who may have intentions to attack U.S. infrastructure targets for various purposes. Therefore, infrastructure asset security planners and managers must operate under the valid assumption that adversaries are constantly and meticulously studying critical infrastructure assets to identify exploitable vulnerabilities. Given this key consideration, it is imperative that processes are in place to identify these very vulnerabilities to ensure they are afforded the necessary risk management evaluation.
Critical Infrastructure Protection Extends Beyond Target Hardening
The U.S. government has effective methodologies to identify the individual critical infrastructure assets that are the very most vital to sustaining our national security — militarily, economically and otherwise. Risk management in support of critical infrastructure protection is a process that is easily understood in concept, but difficult to execute in practice. Simply stated, the process involves placing known or assessed threat capabilities against identified vulnerabilities to determine the risks that must be considered for mitigation, remediation, or acceptance. As a point of emphasis, the risk assessment stage of the process should be performed to develop valid risk assessments based on a critical analysis of specific threat actor capabilities to exploit specific identified vulnerabilities. Risk assessments that are not based on a sound threat/vulnerability assessment perspective can lead to under-informed and even invalid risk management decisions, in turn leading to the misallocation of resources and miscalculation of risk reduction.
U.S. government agencies have deliberate programs for protecting our most critical assets, but they are generally based on generic threat capabilities and limited attack methodologies. This results in assets that are evaluated more so on criticality than vulnerability-based risks. This may result in providing resources to protect already sufficiently protected assets while leaving less critical, but much more vulnerable, assets relatively less protected. In addition, there is a strong tendency to protect critical assets through a “bunker hardening” mentality, which often leads to the development of security programs that do not fully acknowledge that the enemy gets a vote – and may not default to an equally simplistic “brute force” targeting approach.
U.S government agencies with critical national security capabilities employ a “design threat methodology” intended to institute facility physical security measures to protect against the range of postulated threats that may emerge over the life cycle of the facility design. As a result, our most critical assets, which are usually expansive and harder targets themselves, are usually located on controlled-access facilities that provide the highest levels of security feasible. However, many critical infrastructure risk management programs tend to follow a facility-only or “inside the wire” approach to vulnerability identification, and risk assessment. This approach lends itself to a continuous process of reinforcing the asset’s strengths, while potentially failing to identify the vulnerabilities that may be exploited in a manner rendering the “inside the wire” fortifications much less relevant.
Intelligence analysts with experience in planning and executing military campaigns with objectives to cripple foreign infrastructures (e.g. Iraq, Serbia) can enlighten the critical infrastructure protection community regarding how simplistic the “inside the wire” approach may be in the protection of our national security, mission-essential assets. Intelligence planners with this level of experience understand how a determined and capable adversary will plan and execute attacks to debilitate key infrastructure assets in a systematic, multi-dimensional, and enduring manner. Not leveraging this degree of perspective and expertise in the protection of our critical infrastructure is tantamount to wishing away, or at least underestimating, the enemy.
Incorporating a Red Team Intelligence Targeting Perspective
Operating under the assumption that adversaries are constantly studying our critical infrastructure assets — and given the strong likelihood there will be no specific information regarding how an adversary might plan to attack a given asset — the best understanding regarding vulnerabilities and risks to the asset may be achieved by studying the asset and its targetable profile from the perspective of the adversary. Red Teaming is an intelligence analysis method that views a problem from the perspective of a potential adversary to bridge information gaps with analytical judgments based on logical argumentation. As it applies to critical infrastructure protection, a Red Teaming analytical approach is a proven, effective means to assess how a potential adversary would likely attack a critical asset.
The destruction or disruption of an enemy’s national infrastructures is a fundamental principle of war. Another key tenet of conflict is that an attacking element will endeavor to avoid engaging an opponent’s defensive strengths; rather, it studies the enemy to identify vulnerabilities and other exploitable defensive weaknesses that will enable asymmetric advantage. Critical infrastructure protection programs should incorporate sophisticated threat analysis and assessment methodologies to facilitate well-informed risk management decisions. In assessing the threat to any given critical infrastructure asset, it is necessary to identify any associated potentially exploitable vulnerabilities to enable a logical evaluation of how a range of potential adversaries with varying objectives and capabilities may plan and execute an attack against the asset. This level of evaluation is performed by identifying the asset’s dependencies on supporting infrastructures and a Red Team analysis approach to examine threats through the eyes of the enemy.
Essentially every asset that performs critical functions in support of national (and economic) security is reliant on supporting infrastructures to function. A comprehensive target development process is the cornerstone of any sophisticated attack planning process. Target development approaches adversary capabilities from a target systems perspective. Target systems are typically a broad set of interrelated, functionally associated components and linkages that perform a specific function or series of functions. System level target development links these multiple target systems and their components to reflect both their intra- and interdependency that, in aggregate, contribute to overall capability of the system. In the case of a critical infrastructure asset, the target system is every conceivable component that contributes to the sustained functionality of the asset. From the target development and attack planning perspective, any such components that are identified as susceptible to attack represent exploitable vulnerabilities in the system. The systematic examination of a target system and its components enables attack planners to determine the necessary type and duration of the action that must be exerted on each target to create the desired effects on the overall system.
Critical Infrastructure Target System (Dependency) Analysis
A key enabler in any infrastructure Red Teaming effort is dependency analysis. The practice of critical path (dependency) analysis is key to understanding how individual components and entities support the overall target system. As it applies to the system supporting a critical infrastructure asset, the system is evaluated to identify which elements of the system directly or indirectly enable the functionality of the asset.
Dependency analysis is a process to map out an asset’s key supporting infrastructures and specific components thereof, such as supporting electrical power distribution stations, communications transmission stations, water pumping stations or mains, and transportation network components (dependencies), to identify specific nodes associated with a given supporting infrastructure that serve to sustain the asset in some manner. These nodes represent potential targets, which if attacked in a disruptive or destructive manner would cause direct or cascading impacts on the asset’s functionality without having to directly attack the better protected asset itself.
From the threat perspective, supporting infrastructures expand an asset’s “targetable profile” well beyond the asset itself. In fact, these supporting infrastructures may very well represent the “soft underbelly” or “Achilles’ heel” of an otherwise secure critical asset. The more sophisticated and capable adversaries with stand-off capabilities to directly attack critical assets would likely employ an attack methodology that also factors in the disruption of supporting infrastructures for more certain and enduring impacts. Less-capable threat actors intent on attacking an asset may view an indirect (asymmetric) attack on the more vulnerable supporting infrastructure as the only viable means of causing disruptions to the asset, as opposed to a direct attack on an often-times secure and expansive critical asset. The Red Teaming approach is an effective method of assessing the likely supporting infrastructure nodes a given threat actor would target based on known or assessed threat actor capabilities.
In relation to well-secured critical assets, key components of supporting infrastructures will likely be more vulnerable to, and therefore at most risk to, both kinetic and cyber attack methods. As it applies to kinetic attacks against supporting infrastructure components, an adversary will likely require fewer resources (personnel, equipment, munitions) and realize a much higher probability of successfully executing a single attack, or multiple simultaneous attacks, without detection or capture. As it applies to cyber attacks, the networks associated with critical assets and the facilities housing these assets are generally either encrypted, closed, or otherwise protected. Alternatively, supporting infrastructure owners generally have fewer incentives or resources to invest in the more effective network protection measures, and are therefore much more vulnerable to remote access by sophisticated cyber threat actors for the purpose of cyber attack or other methods of cyber manipulation.
Threat capabilities metrics can be applied to identified “high-risk nodes” to Red Team and assess which threat actors, or categories of threat actors, are capable of attacking a single node in isolation or multiple nodes simultaneously. This level of threat analysis facilitates well-informed calculations regarding the functional impacts (consequences) on the asset based on any given threat scenario.
Instituting a Methodology
An intelligence targeting approach to critical infrastructure protection is the best means to determine how an adversary might actually attack a critical infrastructure asset — short of gaining access to the enemy’s actual attack plans. Risk management in support of our most critical national assets is well served by an institutionalized methodology that establishes dependency data collection requirements and procedures, and applies valid threat actor capabilities metrics to associate likely threat scenarios with the specific dependency data-sets associated with any given critical asset.
There are various geospatially enabling applications that can facilitate the visualization of this type of threat capabilities-based dependency analysis methodology. In addition to critical node analysis, such applications facilitate advanced complex network analysis methods to include multiple dependency layer analysis or single dependency critical path analysis. Modeling and simulation has proven effective in validating threat scenario models and calculating the impacts of disruptions to supporting critical infrastructures on critical assets, and should be further leveraged in support of an institutionalized, whole-of-government dependency threat analysis process.
Given this enhanced level of understanding, leaders with critical infrastructure protection responsibilities can prioritize public sector engagement to address the expanded vulnerability profiles, and better decide where risk reduction resources should be allocated. For example, potential risk mitigation measures may include increased security at identified high-risk nodes, or building increased resiliency into a supporting infrastructure by increasing redundancy beyond the attack capabilities of the threat actors of concern.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email [email protected] Our editorial guidelines can be found here.