This is a quick US Critical Infrastructure Security primer, largely based on a report from the Congressional Research Service.
What is Critical Infrastructure?
Critical Infrastructure (CI) was defined in 1998 in Presidential Decision Directive PDD-63 as "physical and cyber-based systems essential to the minimum operations of the economy and government," but the government's definition of CI has expanded since then to encompass a more society-centric set of assets. Presidential Policy Directive PPD-21 in 2013 defined CI as the "essential services that underpin American society," a much broader definition inclusive of many additional types of assets.
Critical Infrastructure Security:
CI security has two elements: critical infrastructure protection (CIP), and critical infrastructure resilience (CIR). CIP hardens CI against disruption (prevention), while CIR seeks to ensure continuity of CI functions under disruption (recovery and stability).
Critical Infrastructure Asset Identification:
The government has struggled to accurately track CI assets (individual instances of critical infrastructure, such as a single dam). Unclear guidelines on CI asset identification led to a lack of standardization and poor prioritization: the National Asset Database grew in three years from 160 critical assets to 77,069 assets, many of which could not reasonably be considered critical. While that rapid expansion of identified assets occurred in 2003-2006, asset identification issues have persisted to a significant but lesser extent since then, and the government continues to lack a lean and complete database of CI assets.
Critical Infrastructure Asset Ranking:
Prioritizing what CI to secure requires some capability to rank assets. Such ranking has proven to be a difficult task. Threat, Vulnerability, and Consequence (or Impact) are used by DHS to evaluate the risk to an asset, and those factors are used in numerous equations from other agencies and organizations as well. While many risk equations exist, they all suffer from being too vague and therefore ineffective, or being more specific but too complex and single-use. This is perhaps unsurprising, since these elements (threat, vulnerability, impact) are each topics of significant analysis, with numerous unknowns in each element.
Government's Role -- Governing Regulations and Laws:
POTUS first laid out requirements for CIP in PDD-63 in the late 90s. Congress further defined CI in 2001 in the USA PATRIOT Act. DHS' NIPP (National Infrastructure Protection Plan) 2013 provided additional guidance on implementing CI security and resilience initiatives through collaborative efforts, and PPD-21 identified the CI sectors and assigned certain responsibilities to 'sector specific agencies.'
The government has taken a collaborative approach to CI security, expecting the private sector to take voluntary actions in support of CIP and CIR. This expectation was laid out explicitly in PDD-63.
Private Sector's Role -- Steps Taken:
The private sector is widely considered to own 85% of America's CI. This belief does not appear to have a verifiable factual grounding; however, it is clear that the majority of CI is owned by the private sector. As a result, private organizations have a key role to play in securing CI. Intrusions into CI have expanded in scope and scale, most notably leading to a short but significant disruption of fuel supplies to the American East Coast resulting from Colonial Pipeline's decision to shut down its distribution systems after it was the victim of a ransomware attack.
The private sector has failed to take sufficient voluntary actions to provide protection or resilience for American CI. There are narrow cases where security standards have been effectively implemented: the North American Electric Reliability Corporation (NERC) developed the NERC CIP (Critical Infrastructure Protection) standards for electricity providers of certain sizes. However, the efficacy of NERC CIP is ultimately derived from government action, not voluntary private sector action: NERC's regulatory power to enforce CIP standards through hefty fines flows from the Energy Policy Act of 2005.
While regulation has been de-prioritized since PDD-63, the approach thus far has demonstrated that actions short of regulation do not produce the protection or resilience needed.
Ultimately, since the vast majority of CI is owned by the private sector, government's executive role in safeguarding CI is necessarily limited. The legislative branch can and should use its law-making authorities to establish new mandatory security requirements.
The Cyberspace Solarium Commission proposed in its report that a new term, "SICI" (Systemically Important Critical Infrastructure), be applied to a select subset of CI, which would then be subject to stricter security and resilience requirements. This recommendation should be followed, and all SICI organizations should be required to be able to operate manually under contested conditions.