U.S. critical infrastructure protection
In the U.S., critical infrastructure protection is a concept that relates to the preparedness and response to serious incidents that involve the critical infrastructure of a region or the nation.
The American presidential directive PDD-63 of May 1998 set up a national program of "Critical Infrastructure Protection". In 2014 the NIST Cybersecurity Framework was published after further presidential directives.
History
The U.S. CIP is a national program to ensure the security of vulnerable and interconnected infrastructures of the United States. In May 1998, President Bill Clinton issued presidential directive PDD-63 on the subject of critical infrastructure protection. This recognized certain parts of the national infrastructure as critical to the national and economic security of the United States and the well-being of its citizenry, and required steps to be taken to protect it.
This was updated on December 17, 2003, by President George W. Bush through Homeland Security Presidential Directive HSPD-7 for Critical Infrastructure Identification, Prioritization, and Protection. The updated directive added agriculture to the list of critical infrastructure within the country, undoing the omission of agriculture from the 1998 presidential directive. The directive describes the United States as having some critical infrastructure that is "so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety."
Overview
Take, for example, a computer virus that disrupts the distribution of natural gas across a region. This could lead to a consequential reduction in electrical power generation, which in turn leads to the forced shutdown of computerized controls and communications. Road traffic, air traffic, and rail transportation might then become affected. Emergency services might also be hampered.
An entire region can become debilitated because some critical elements in the infrastructure become disabled through natural disaster. While potentially in contravention of the Geneva Conventions, military forces have also recognized that attacking key elements of an enemy's civilian and military infrastructure can cripple its ability to resist.
The federal government has developed a standardized description of critical infrastructure, in order to facilitate monitoring and preparation for disabling events. The government requires private industry in each critical economic sector to:
- Assess its vulnerabilities to both physical and cyber attacks
- Plan to eliminate significant vulnerabilities
- Develop systems to identify and prevent attempted attacks
- Alert, contain and rebuff attacks and then, with the Federal Emergency Management Agency, rebuild essential capabilities in the aftermath
Infrastructure sectors
- Banking and finance: The Department of the Treasury is responsible for coordinating the protection of not just systems but also maintaining public confidence, through industry initiatives such as the Financial Services Information Sharing and Analysis Center.
- Transportation: The Department of Transportation is responsible for protecting, upgrading, and maintaining the road, rail, air, and water transport infrastructure. This also includes computer-controlled just-in-time delivery systems, distribution optimization systems via hubs and traffic operation centers that are consolidated into key locations, and regulation of the transportation of hazardous materials.
- Power: The Department of Energy oversees energy supplies including electricity, works with the Nuclear Regulatory Commission for the protection of nuclear materials and power, and has recently put up over $350 million to fund renewable energy production in rural and remote areas. This includes solar and wind production in these typically flat and sunny areas. Note that CIP in this sector is different from energy security, which is the politics and economics of supply. Additionally, operating under the auspices of the Federal Energy Regulatory Commission is the North American Electric Reliability Corporation, a non-profit organization that defines and enforces reliability standards for the bulk power system.
- Information and communications: Overseen by the Department of Commerce. Most areas of life rely on telecommunications and information technology.
- Federal and municipal services: Overseen jointly by Federal and State agencies. They guarantee continuity of government at the federal, state, and local levels for the provision of essential services.
- Emergency services: Overseen by Health and Human Services, this includes emergency health services and public health.
- Fire departments: Overseen by the Federal Emergency Management Agency.
- Law enforcement agencies: Overseen jointly by the Department of Justice and the Federal Bureau of Investigation to ensure the orderly running of activities during times of threat or crises.
- Public works: Overseen by the United States Environmental Protection Agency. This includes safe water systems and drainage.
- Agriculture and food, with the Department of Agriculture overseeing the safe supply of meat, poultry, and egg products.
- National monuments and icons, under the Department of the Interior
In May 2007 the DHS completed its sector-specific plans for coordinating and dealing with critical events. Continuity of government in time of a catastrophic event can be used to preserve the government as seen fit by the president, at which point the welfare of the government can be placed above the welfare of the citizenry of the United States, ensuring that the government is preserved to rebuild the economy and country when it is deemed safe to return to the surface of the United States of America.
Significance
On March 9, 1999, Deputy Defense Secretary John Hamre warned the United States Congress of a cyber terrorist "electronic Pearl Harbor" saying, "It is not going to be against Navy ships sitting in a Navy shipyard. It is going to be against commercial infrastructure". Later this fear was qualified by President Clinton after reports of actual cyber terrorist attacks in 2000: "I think it was an alarm. I don't think it was Pearl Harbor. We lost our Pacific fleet at Pearl Harbor. I don't think the analogous loss was that great."
There are many examples of computer systems that have been hacked or have been victims of extortion. One such example occurred in September 1995, when a Russian national allegedly masterminded the break-in of Citicorp's electronic funds transfer system and was ordered to stand trial in the United States. A gang of hackers under his leadership had breached Citicorp's security 40 times during 1994. They were able to transfer $12 million from customer accounts and withdraw an estimated $400,000.
In the past, the systems and networks of the infrastructure elements were physically and logically independent and separate. They had little interaction or connection with each other or other sectors of the infrastructure. With advances in technology, the systems within each sector became automated, and interlinked through computers and communications facilities. As a result, the flows of electricity, oil, gas, and telecommunications throughout the country are linked, albeit sometimes indirectly, and the resulting linkages blur traditional security borders.
While this increased reliance on interlinked capabilities helps make the economy and nation more efficient and perhaps stronger, it also makes the country more vulnerable to disruption and attack. This interdependent and interrelated infrastructure is more vulnerable to physical and cyber disruptions because it has become a complex system with single points of failure. An incident that in the past would have been an isolated failure can now cause widespread disruption because of cascading effects. As an example, capabilities within the information and communication sector have enabled the United States to reshape its government and business processes, while becoming increasingly software driven. One catastrophic failure in this sector now has the potential to bring down multiple systems including air traffic control, emergency services, banking, trains, electrical power, and dam control.
The elements of the infrastructure themselves are also considered possible targets of terrorism. For example, the 2022 attack on North Carolina's power substations near Carthage left tens of thousands of residents without power. The ordeal left residents without proper heating, hot water, and the ability to cook for days as repairs took place. Authorities noted that the attack was intentionally committed via gunfire. Traditionally, critical infrastructure elements have been lucrative targets for anyone wanting to attack another country. Now, because the infrastructure has become a national lifeline, terrorists can achieve high economic and political value by attacking elements of it. Disrupting or even disabling the infrastructure may reduce the ability to defend the nation, erode public confidence in critical services, and reduce economic strength. Additionally, well-chosen terrorist attacks can become easier and less costly than traditional warfare because of the interdependence of infrastructure elements. These infrastructure elements can become easier targets where there is a low probability of detection.
The elements of the infrastructure are also increasingly vulnerable to a dangerous mix of traditional and nontraditional types of threats. Traditional and nontraditional threats include equipment failures, human error, weather and natural causes, physical attacks, and cyber-attacks. For each of these threats, the cascading effect caused by single points of failure has the potential to pose dire and far-reaching consequences.