Critical Infrastructure Protection Overview Building a safer, more secure, more resilient America The National Infrastructure Protection Plan, released on June 30, 2006, states its goal is to: “Build a safer, more secure, and resilient America by enhancing protection of the Nation’s critical infrastructure and key resources to prevent, deter, neutralize, or mitigate the effects of deliberate efforts by terrorists to destroy, incapacitate, or exploit them; and to strengthen national preparedness, timely response, and rapid recovery in the event of an attack, natural disaster, or other emergency.” The President directed the Secretary of Homeland Security to coordinate and implement national initiatives and develop a national plan to unify and enhance CI/KR protection efforts through an unprecedented partnership involving the private sector, as well as Federal, State, local, and tribal governments. The National Infrastructure Protection Plan (NIPP) meets the requirements that the President set forth in Homeland Security Presidential Directive 7 (HSPD-7), Critical Infrastructure Identification, Prioritization, and Protection, and provides the overarching approach for integrating the Nation’s many CI/KR protection initiatives into a single national effort. This briefing provides an overview of the key elements of the plan.
Goal Build a safer, more secure, and more resilient America by enhancing protection of the Nation’s CI/KR to prevent, deter, neutralize, or mitigate the effects of deliberate efforts by terrorists to destroy, incapacitate, or exploit them; and strengthening national preparedness, timely response, and rapid recovery in the event of an attack, natural disaster, or other emergency. The goal of the NIPP is to: “Build a safer, more secure, and more resilient America by enhancing protection of the Nation’s CI/KR to prevent, deter, neutralize, or mitigate the effects of deliberate efforts by terrorists to destroy, incapacitate, or exploit them; and strengthening national preparedness, timely response, and rapid recovery in the event of an attack, natural disaster, or other emergency.” Protection includes actions to mitigate the overall risk to CI/KR assets, systems, networks, functions, or their interconnecting links resulting from exposure, injury, destruction, incapacitation, or exploitation. In the context of the NIPP, this includes actions to deter the threat, mitigate vulnerabilities, or minimize consequences associated with a terrorist attack or other incident. Protection includes a wide range of activities, such as hardening facilities, building resiliency and redundancy, incorporating hazard resistance into initial facility design, initiating active or passive countermeasures, installing security systems, promoting work force surety programs, and implementing cyber security measures, etc.
Homeland Security Strategic Framework The development of the NIPP was built on a series of progressively focused national policy documents designed to use a risk management framework to foster a more secure environment for the nation’s citizens and critical infrastructure: National Strategy for Homeland Security & National Security Act of 2002. National Strategy for the Physical Protection of Critical Infrastructures and Key Assets: Strategy to secure infrastructures and assets vital to American public health and safety, national security, governance, economy and public confidence. National Strategy to Secure Cyberspace: Plan to engage and empower Americans to secure portions of cyberspace that they own, operate or control or with which they interact. Homeland Security Presidential Directive (HSPD) 7: Critical Infrastructure Identification, Prioritization, and Protection to establish national policy for Federal Departments and agencies to identify and prioritize CI and protect it from terrorist attacks. These and other directives and initiatives shown on this graphic provide an overall coordinated approach to homeland security. The NIPP is as a key component of the Nation’s all-hazards homeland security framework
CI/KR Protection is Vital to America What is CI/KR? Assets, systems, and networks, whether physical or virtual, so vital to the United States that the incapacity or destruction of such assets, systems, or networks would have a debilitating impact on security, national economic security, public health or safety, or any combination of those matters Why is CI/KR Important? Essential to the Nation’s security, public health and safety, economic vitality, and way of life What is CI/KR? Assets, systems, and networks, whether physical or virtual, so vital to the United States that the incapacity or destruction of such assets, systems, or networks would have a debilitating impact on security, national economic security, public health or safety, or any combination of those matters Why is CI/KR Important? Protecting the critical infrastructure and key resources (CI/KR) of the United States is essential to the Nation’s security; public health and safety; economic vitality; and way of life. Attacks on CI/KR could significantly disrupt the functioning of government and business alike and produce cascading effects far beyond the targeted sector and physical location of the incident. Direct terrorist attacks and natural, manmade, or technological hazards could produce catastrophic losses in terms of human casualties, property destruction, and economic effects, as well as profound damage to public morale and confidence. Attacks using components of the Nation’s CI/KR as weapons of mass destruction could have even more devastating physical and psychological consequences.
Security Partners Sector-Specific Agencies: Implementation of the NIPP and guidance for development of SSPs Other Federal Departments, Agencies, and Offices: Implementation of specific roles designated in HSPD-7 or other relevant statutes and executive orders State, Territorial, Local, and Tribal Governments: Development and implementation of a CI/KR protection program as a component of their overarching homeland security program Private Sector Asset Owners and Operators: CI/KR protection, coordination, and cooperation The NIPP defines Security partners as: “Those Federal, State, regional, territorial, local, or tribal government entities, private sector owners and operators and representative organizations, academic and professional entities, and certain not-for-profit and private volunteer organizations that share responsibility for protecting the Nation’s critical infrastructures and key resources.“ Primary roles for CI/KR security partners include: DHS: Manage the Nation’s overall CI/KR protection framework and oversee NIPP development and implementation. Sector-Specific Agencies: Implement the NIPP framework and guidance as tailored to the specific characteristics and risk landscapes of each of the CI/KR sectors designated in HSPD-7. Other Federal Departments, Agencies, and Offices: Implement specific CI/KR protection roles designated in HSPD-7 or other relevant statutes, executive orders, and policy directives. State, Local, and Tribal Governments: Develop and implement a CI/KR protection program as a component of their overarching homeland security programs. Private Sector Owners and Operators: Undertake CI/KR protection, restoration, coordination, and cooperation activities, and provide advice, recommendations, and subject-matter expertise to the Federal Government.
Designated Sectors and Lead Agencies DHS is responsible for coordinating the overall national effort to enhance protection of CI/KR across sectors. HSPD-7 designated 17 Sector Specific Agencies (SSAs) to be responsible for the 17 CI/KR sectors defined in HSPD-7. SSAs are responsible for working with DHS to implement the NIPP sector partnership model and risk management framework, develop protective programs and related requirements, and provide sector-level CI/KR protection guidance in line with the overarching guidance established by DHS pursuant to HSPD-7. Working in collaboration with security partners, they are responsible for developing and submitting Sector Specific Plans and sector-level performance feedback to DHS to enable national cross-sector CI/KR protection program gap assessments. SSAs are also responsible for collaborating with private sector security partners and encouraging the development of appropriate information-sharing and analysis mechanisms within the sector. In addition to its overarching leadership and cross-sector responsibilities, DHS serves as the SSA for 10 of the CI/KR sectors identified in HSPD-7. Additional, cross-cutting, DHS CI/KR protection roles and responsibilities include: Identifying, prioritizing, and coordinating Federal action in support of the protection of nationally critical assets, systems, and networks, with a particular focus on CI/KR that could be exploited to cause catastrophic health effects or mass casualties comparable to those produced by a weapon of mass destruction Establishing and maintaining a comprehensive, multi-tiered, dynamic information-sharing network designed to provide timely and actionable threat information, assessments, and warnings to public and private sector security partners; including protecting sensitive information voluntarily provided by the private sector
Sector Partnership Model National-Level Coordination: The DHS Office of Infrastructure Protection (OIP) facilitates overall development of the NIPP and SSPs, provides overarching guidance, and monitors the full range of associated coordination activities and performance metrics. Sector Partnership Coordination: The Private Sector Cross-Sector Council (i.e., the Partnership for Critical Infrastructure Security (PCIS) Government Cross-Sector Council NIPP Federal Senior Leadership Council (FSLC) State, Local, and Tribal Government Coordinating Council (SLTGCC), Individual SCCs and GCCs create a structure through which representative groups from Federal, State, local, and tribal governments and the private sector can collaborate and develop consensus approaches to CI/KR protection. Regional Coordination: Regional partnerships, groupings, and governance bodies enable CI/KR protection coordination among security partners within and across geographical areas and sectors. They facilitate enhanced coordination between jurisdictions within a State where CI/KR cross multiple jurisdictions, and help sectors coordinate with multiple States that rely on a common set of CI/KR. DHS may selectively convene regionally based councils to address issues that cross sectors or jurisdictions, as required. Provides the framework for security partners to work together in a robust public-private partnership.
Risk Management Framework Set Security Goals Identify Assets, Systems, Networks, and Functions Assess Risk (Consequences, Vulnerabilities, and Threats) Prioritize Implement Protective Programs Measure Effectiveness The NIPP Risk Management Framework is the cornerstone of the NIPP. The framework includes six steps which entail setting security goals; identifying assets, systems, networks, and functions; assessing risk; prioritizing; implementing protective programs; and measuring effectiveness. Risk is defined as the potential for loss, damage, or disruption to the Nation’s CI/KR resulting from destruction, incapacitation, or exploitation during some future or man-made or naturally occurring event. The NIPP Risk Management Framework: Establishes the process for combining consequence, vulnerability, and threat information to produce a comprehensive, systematic, and rational assessment of national or sector-specific risk Provides for continuous improvement and feedback Provides the framework to prioritize CI/KR protection for assets, systems, networks, and functions Is flexible and adaptable to the risk landscape of each sector
Networked Information Sharing The NIPP uses the Homeland Security Information Network (HSIN) approach to information sharing that most importantly “Real-Time Collaboration” between all security partners: Enables secure multidirectional information sharing between and across government and CI/KR owners and operators at all levels Provides mechanisms, using “need to know” protocols as required, to support the development and sharing of strategic and specific threat assessments, incident reports and threat warning, impact assessments, and best practices Allows and provides more access to information for security partners to assess risks, conduct risk management activities, allocate resources, and make continuous improvements to the Nation’s CI/KR protective posture DHS and other Federal agencies use a number of programs and procedures, such as the PCII, Nuclear Safeguards, and National Security Classification programs, to ensure that CI/KR information is properly safeguarded The PCII Program was established pursuant to the Critical Infrastructure Information (CII) Act of 2002. The Program provides a means for sharing private sector information with the government while providing assurances that the information will be exempt from public disclosure and will be properly safeguarded.
Summary National Response Framework Focuses on all-hazards response Joins elected and appointed executives with dedicated practitioners Articulates standard structures Describes effective unity of effort between jurisdictions, the private sector and NGOs Outlines shared objectives Guides effective response to save lives, protect property and meet basic human needs Serves the people, and communities of our great Nation
Clarifies Roles and Responsibilities Key Response Actions Community Response State Response Federal Response Gain and maintain situational awareness Assess situation, activate capabilities Coordinate Response Actions Demobilize State Coordinating Officer Governor’s Authorized Representative Principal Federal Official Federal Coordinating Officer Senior Federal Law Enforcement Official Joint Task Force (JTF) Commander Defense Coordinating Officer Other Senior Officials Federal Resource Coordinator 11
Organization of the Framework
Incident Annexes Biological Incident Catastrophic Incident Outline core procedures, roles and responsibilities for specific contingencies. Biological Incident Catastrophic Incident Cyber Incident Food and Agriculture Incident Mass Evacuation Incident Nuclear/Radiological Incident Terrorism Incident Law Enforcement and Investigation
National Planning Scenarios Defined by the National Preparedness Guidelines, these high consequence scenarios are being used to develop more granular strategic guidance and operational plans. Improvised Nuclear Device Major Earthquake Aerosol Anthrax Major Hurricane Pandemic Influenza Radiological Dispersal Device Plague Improvised Explosive Device Blister Agent Food Contamination Toxic Industrial Chemicals Foreign Animal Disease Nerve Agent Cyber Attack Chlorine Tank Explosion
National Incident Management System (NIMS) A consistent nationwide approach for all levels of government to work effectively and efficiently together to prepare for and respond to domestic incidents Core set of concepts, principles and terminology for incident command and multi-agency coordination
National Incident Management System Components Preparedness Communications and Information Management Resource Management Command and Management Incident Command System Multi-agency Coordination Systems Public Information
This concludes my briefing on the National Infrastructure Protection Plan – The nation’s first ever comprehensive risk management framework that is designed to help all of its security partners at all levels of government and the private sector to clearly define roles and responsibilities in protecting our CI/KR, assessing the risks to them, and prioritizing and delivering protective programs that will accomplish the stated goal of: “Build a safer, more secure, and more resilient America…” Thank You.