Critical infrastructure sectors need to seize opportunities for information sharing and greater threat awareness to construct risk-management programs that fend off attacks, states a new guide from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the State Department released to coincide with National Infrastructure Security and Resilience Month.
“Critical infrastructure is the foundation on which daily vital societal and economic functions depend, and disruption or loss to any element of critical infrastructure has the potential to severely impact our lives,” says A Guide to Critical Infrastructure Security and Resilience. “Working together and sharing good practices, approaches, and experiences will help promote and enhance national – and global – critical infrastructure security and resilience today and in the future.”
The guide notes that the four designated lifeline functions – transportation, water, energy, and communications – are “so critical that a disruption or loss of one of these functions will directly affect the security and resilience of critical infrastructure within and across numerous sectors.”
“The choice of sectors prioritized in outreach efforts should reflect an understanding of the infrastructure’s interconnectedness and interdependencies, recognize existing industry associations, and align to government agencies’ roles and oversight responsibilities.”
Sectors at risk of physical or cyber attacks, due to natural causes or accidents as well as malicious actors, include healthcare, nuclear and chemical facilities, the food chain, dams and power stations, government and financial facilities, water treatment and sewer systems, critical manufacturing and more. Threats include extreme weather and other natural disasters, pandemics, malfunctions and industrial accidents, hacking, terror attacks, active shooters, foreign influence operations and the investment of potentially hostile foreign powers in segments of American infrastructure.
“Rather than focusing on one type of threat or hazard at a time, such as hurricanes or terrorism, states should identify all threats and hazards that pose the greatest risks to critical infrastructure, which allows for more effective and efficient planning and resource allocation,” says the guide, highlighting the increasingly diffuse threat of either simple or complex attacks to soft targets and crowded places.
In a joint statement opening the guide, CISA Assistant Director for Infrastructure Security Brian Harrell and State Department counterterrorism coordinator Ambassador Nathan Sales stressed that “as attacks on soft targets and crowded places continue across the globe, the need to address current and emerging challenges increases.”
“Therefore, the Department of Homeland Security and Department of State are working together to enhance domestic and global security, with ongoing programs, and recognizing that new approaches may be needed to address these evolving issues,” they added.
The guide highlights the role played by Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) in helping critical infrastructure owners and operators protect facilities, specifically singling out the Real Estate Information Sharing and Analysis Center (RE-ISAC) as an “excellent example” of public-private security partnerships bringing together industry representatives to aggregate, share and assess information to ensure “the quality, relevance, and overall value of the resulting information increases exponentially.”
Voluntary infrastructure security partnership programs “must have strong value propositions or business cases to demonstrate the benefits of participation to ultimately be successful.”
To facilitate information sharing, CISA and the State Department recommend identifying appropriate stakeholders, providing actionable threat info in a user-friendly and timely manner, processing intel so that it can be shared more widely, and expecting private-sector members to report back suspicious activity or concerns in a protected environment.
“A critical infrastructure security and resilience program should reflect the existing operational environment, and cultural values/beliefs, and build upon existing relationships, efforts, and policies,” the guide states. “It should align with and support other programs so that resources are effectively utilized, existing capabilities and communities leveraged, and roles and responsibilities are understood.”
“…Collaboration and information sharing across the critical infrastructure community are fundamental to the overall process. Establishing mechanisms that foster open collaboration and ensure the exchange of timely and actionable information as well as best practices will help gain participation in the program — both as the program is designed and developed and when it is implemented.”
Basic steps for developing and implementing a critical infrastructure security and resilience plan include establishing goals, stakeholders and scope, studying relevant programs for best practices, outlining roles and responsibilities, establishing coordination and information sharing mechanisms, building a risk management framework with timelines and metrics for success, conducting training exercises and education, and promoting the program through outreach and awareness.
Effective risk management includes resource allocation tailored to threats, understanding and addressing cross-sector risks, assessing both physical and cyber threats, and actively engaging in information sharing with government and private-industry partners, both domestic and international.
“Training should be available in many different forms to ensure the broadest reach, including instructor-led courses, webinars, web-based independent study courses, and written guidance and job aids,” the guide advises. “…An additional benefit of training and education efforts is building relationships among the stakeholders, particularly in practical exercises. Developing greater trust and understanding within a sector facilitates a more effective response in times of crisis.”
Training topics can include active-shooter or bomb threats, cyber hygiene, bag or patron screening, supply chain risk management and insider threats, incident management and response, and dealing with specific attack tactics including vehicle attacks or improvised explosive devices.
“Critical infrastructure security and resilience impacts everyone,” the guide emphasizes. “While not all stakeholders are engaged in the more detailed elements of the program, they still need a high-level understanding of the risks so they have adequate information and greater confidence in their decisions regarding risk mitigation and management activities — especially those that may require changes in their daily operations and lives.”