In this article, we will take a close look on what the Department of Homeland Security is doing to protect critical infrastructure. Because of its potential to create catastrophic destruction,
Critical Infrastructure Protection by Homeland Security
Critical infrastructure protection was a core mission assigned to the department in the 2002 Homeland Security Act. And remains a specific goal in the 2014 Quadrennial Homeland Security Review.
The framework for protecting the nation’s infrastructure was first set out by President Clinton in PDD-63. And was continued under President Bush in HSPD-7 and President Obama, in PPD-21. That framework is built upon a National Infrastructure Protection Plan, that promotes partnerships between government and industry, to implement a Risk Management Framework, and document progress in sector specific plans.
Responsibility for the National Infrastructure Protection Plan is vested in the Office of Infrastructure Protection within the Department of Homeland Security, National Protection and Programs Directorate. The DHS Office of Infrastructure Protection manages the five steps of the Risk Management Framework.
In Step 1, the office works with industry representatives to establish infrastructure protection goals and document these in Sector-Specific Plans. The Sector-Specific Plans are supposed to be updated ever four years. The most recent public versions were released in 2016.
In Step 2, the Office of Infrastructure Protection Information Collection Division works with state governments to annually update a list of critical infrastructure under the National Critical Infrastructure Prioritization Program. The NCIPP is protected information not releasable to the public.
For Step 3, DHS protective security advisors will conduct Site Assistance Visits and complete security surveys and resilience assessments at the request of infrastructure owners and operators. The Infrastructure Survey Tool employed by the protective security agents consists of 1500 questions, examining both physical and cybersecurity measures. The results are compiled by Argonne National Laboratories and presented in the form of a dashboard, showing how the facility’s security compares with similar facilities in its sector. As a result of risk analysis, owners and operators are expected
in Step 4 to take actions to reduce their vulnerability or enhance the resilience of their infrastructure. Owners and operators are willing to take on increased security and resilience, subject to cost. Market forces and regulatory restrictions constrain what measures are practical. Federal funds administer under the Department of Homeland Security, Homeland Security Grant Program. And other such programs administered by FEMA help state and local governments compensate for what measures industry cannot implement.
Step 5, measure effectiveness. This is meant to provide a means of assessing progress towards protective goals set out in the Sector-Specific Plans. To date, DHS has been unable to develop a uniform set of metrics to measure progress towards improved security and resilience. In fact, every step of the Risk Management Framework is fraught with problems and the process is not nearly as coherent as described. Perhaps one reason, is that the process is entirely voluntary on the part of industry. And for both legal and business reasons, industry does not entirely trust government. Accordingly, the Department of Homeland Security has also tried to help industry help itself by establishing sector related information sharing and analysis centers. The sector related ISACs are managed by industry and provide a central clearinghouse for reporting problems and seeking solutions.
In addition to working with industry through the National Infrastructure Protection Plan, the Department of Homeland Security, Office of Infrastructure Protection, manages the National Infrastructure Coordinating Center, which maintains continuous watch on the status of the nation’s infrastructure. If something happens requiring federal support, then ICC will perform the necessary coordination.
So let us review what we have learned in this article.
- Critical infrastructure protection is overseen by the DHS Office of Infrastructure Protection.
- The DHS Office of Infrastructure Protection works in partnership with industry according to provisions of the National Infrastructure Protection Plan.
- The implementing procedure of the National Infrastructure Protection Plan is the Risk Management Framework.
- In Step 1 of the Risk Management Framework, DHS works with industry to identify protective goals in the Sector-Specific Plans. In RMF
- Step 2, DHS works with state governments annually to update its inventory under the National Critical Infrastructure Prioritization Program.
- In Step 3, DHS Protective Security Advisors, when asked, will conduct Site Assistance Visits using an Infrastructure Survey Tool to assess both physical and cybersecurity measures.
- In Step 4, DHS FEMA offers funding under the Homeland Security Grant Program and other programs to assist state and local governments in making up for security measures that are impractical or beyond the influence of infrastructure owners and operators.
- In Step 5, DHS is supposed to measure progress towards achieving security goals listed in corresponding Sector-Specific Plans. But DHS has been unable to develop any such objective metrics.
The National Infrastructure Protection Plan Risk Management Framework is a voluntary system fraught with problems at every step and not necessarily trusted by industry.
To help industry help itself, DHS was instrumental in establishing Information Sharing Analysis Centers for reporting problems and sharing solutions. Finally, the Department of Homeland Security National Infrastructure Coordinating Center stands watch over the status of the nation’s infrastructure and stands ready to coordinate Federal support should it be needed.