INFRASTRUCTURE SECURITY
“To build and implement a robust strategy to protect our critical infrastructures and key assets from further terrorist exploitation, we must understand the motivations of our enemies as well as their preferred tactics and targets.”
Submitted by: ADHAR

Contents
• Introduction
• AIM of Infrastructure Security
• Areas of critical infrastructure
• Potential threats to infrastructures
• Identifying Weaknesses in a Critical Infrastructure
• Defence Critical Infrastructure Program Procedures
• Example: Department of Homeland

Introduction
Infrastructure security is the security provided to protect infrastructure, especially critical infrastructure such as airports, highways, rail transport, hospitals, bridges, transport hubs, network communications, media, the electricity grid, dams, power plants, seaports, oil refineries, and water systems.

AIM of Infrastructure Security
Safeguard the three basic assets:
1. Physical assets (e.g. facilities, components, real estate, animals, and products)
2. Human assets (e.g. operations, and sensitive area and information)
3. Cyber assets (e.g. electronic and computer networks)

Areas of critical infrastructure
i. Agriculture & Food
ii. Water
iii. Public Health
iv. Emergency Services
v. Government
vi. Defence Industrial Base
vii. Information and Telecommunications
viii. Energy
ix. Transportation
x. Banking and Finance
xi. Chemical Industry and Hazardous Materials
xii. Postal and Shipping

Agriculture & Food
This industry accounts for a large share of Gross Domestic Product. Areas of concern include: supply chains for feed, animals and animal products; crop production and supply chains of seed, fertilizer and other related materials; post-harvesting components of processing, production, packaging and storage.

Water
This sector is divided into two areas: fresh water supply and wastewater collection. The water sector criticality extends to both public health and the economy.

Public health
This area consists of state/local health departments, hospitals, health clinics, mental health facilities, laboratories, mortuaries, and pharmaceutical stockpiles. All of these would be critical after any form of attack or natural event. The personnel and facilities within this sector are trained and ready to react to emergency situations.

Emergency services
This area includes fire, rescue, emergency medical service (EMS), and law enforcement organizations. The emergency services sector differs from other infrastructures in that its focus and criticality is in its personnel and equipment, rather than a facility.

Government
The government itself can be viewed as a critical infrastructure, with its ability to command and control the response to any attack, terrorist or natural, to any of our infrastructures.

Defence base
The private sector is critical to the Department of Defence effectively conducting defence missions, mobilizing and deploying our military forces abroad.

Information & Telecommunication
The telecommunications sector is vast and dispersed, containing both cyber and physical elements. The telecommunications sector provides voice and data service to the public and private users through use of the Public Switched Telecommunications Network (PSTN), the internet, and private enterprise networks.

Energy
Energy is the infrastructure that supplies the driving force in most of American life today. Energy of some kind heats our homes, moves us from one point to another and drives our businesses and industry. The energy sector is critical to the well-being of our economy, national defence and quality of life. The sector is divided into to

Transportation
The area includes aviation, rail, pipelines, highways, trucking and busing, and public mass transit. The scope of the transportation sector makes it critical to both our economy and national security.

Banking and Finance
This sector is made up of physical structures and assets as well as personnel and cyber assets. Retail and wholesale banking institutions are located in large office buildings with large groups of people. The financial sector's infrastructure includes computer networks, storage devices and telecommunications networks. This sector is also

Chemical industries
This sector impacts several other sectors: finance, agriculture, water, health care, etc. The chemical industry produces fertilizer for agriculture, chlorine for water purification and polymers that create plastics from petroleum. The sector is also a lucrative terrorist target due to the environmental impact from the physical destruction of many of its sites.

Postal and shipping
The postal system is interconnected with other infrastructure systems, especially transportation. The postal service controls thousands of points of entry as well as millions of facilities.

Potential threats to infrastructure
“The insider threat to critical infrastructure is one or more individuals with the access and/or inside knowledge of a company, organization, or enterprise that would allow them to exploit the vulnerabilities of that entity’s security, systems, services, products, or facilities with the intent to

Terrorism - a person or groups deliberately targeting critical infrastructure for political gain.
CITATION: World Trade Center 9/11
September 11 Attacks, coordinated terrorist strike on the United States in 2001 that killed about 3,000 people and shook the nation to its core. twin towers of the World Trade Centre in the financial district of New York City. The buildings burst into flame and then collapsed, killing thousands. A third terrorist crew smashed their plane into the Pentagon, headquarters of the U.S. military in Arlington, Virginia.

Sabotage - a person or groups such as an ex-employee, political groups against governments, or environmental groups in defence of the environment.
CITATION: Bangkok's International Airport Seized by Protestors
On 25 November 2008, the People’s Alliance for Democracy executed what they called "Operation Hiroshima". A convoy of hundreds of PAD members dressed in yellow blocked the two ends of the road in front of the terminal building of Suvarnabhumi International Airport and blockaded the main road to the airport. The airport is Bangkok's main airport and an important regional hub. PAD leaders mounted a mobile stage and proceeded to criticize the government. All

Information warfare - a private person hacking for private gain, or countries initiating attacks to glean information and also damage a country's infrastructure.
CITATION: Cyber attacks during the 2008 South Ossetia war
On 5 August 2008, during the South Ossetia war, a series of cyber attacks swamped and disabled websites of numerous South Ossetian, Russian, Georgian, and Azerbaijani organisations. South Ossetia's envoy to Moscow claimed that Georgia was attempting to cover up information on events which occurred in the lead up to the war.

Natural disaster - a hurricane or other natural event which damages critical infrastructure such as oil pipelines, water and power grids.
CITATION: Economic effects of Katrina
The economic effects of Hurricane Katrina, which hit Louisiana, Texas and Mississippi in late August 2005, Administration has sought $105 billion for repairs and reconstruction in the region, making it the costliest natural disaster in US history. And this does not account for damage to the economy caused by potential interruption of the oil supply and

Identifying Weaknesses in a Critical Infrastructure
Identifying critical infrastructure weakness is based on a risk management framework. It is continuously influenced by the ever-changing threat environment, both physical and natural. The goal is to reduce the vulnerabilities to our nation’s assets from attack and natural disaster. Critical infrastructures are composed of physical, personal, and cyber components, and as any of those three portions change so does the list of critical assets requiring security.

[Figure: Infrastructure weakness analysis. Assets (physical, human, cyber): Identifying critical assets; Identifying and assessing vulnerabilities; Normalizing, analysing, and prioritizing; Implementing protective programs; Measuring performance. Feedback to correlating threats to mitigation programs/effectiveness.]

IDENTIFYING CRITICAL ASSETS
• The first step will be to identify the critical assets located within the area of responsibility.
• The process should be ongoing, with constant review of unit missions, higher headquarters missions and requirements, as well as the overall operations within the location.
• The information collected should be used as the base for further discussion

IDENTIFYING AND ASSESSING VULNERABILITIES
• Potential areas of weakness need to be identified, as well as protective measures that need to be undertaken to mitigate those vulnerabilities.
• Interdependencies within and between infrastructures need to be identified to minimize cascading effects.
• The vulnerability assessment needs to take into account

NORMALIZING, ANALYSING, AND PRIORITIZING STUDY RESULTS
• The group accumulating the vulnerability assessments needs to normalize the information from each subordinate section or staff, and then prioritize against all of the assets the higher organization is responsible for.
• It will identify which areas offer the greatest risk and the best benefit from protective measures.

IMPLEMENTING PROTECTIVE PROGRAMS
• The information gathered during the process will assist in developing and executing programs to protect or minimize damage to infrastructures.
• The staff or organization can find assistance in developing programs from their agencies, e.g. the Department of Homeland Security (DHS).

MEASURING PERFORMANCE
• Metrics need to be established for each protective measure to ensure they are being performed consistently, are sustainable and are effective.
• Continuous review of the metrics will result in improvements to the framework and the protection plan.

Defence Critical Infrastructure Program Procedures
DCIP risk management procedures for all critical infrastructures. The purpose of the DCIP is to ensure the availability of assets critical to all infrastructures. Once risks are assessed in all tasks and missions, possible responses can be reviewed and emplaced to ensure all missions will be accomplished no matter what actions are taken against an infrastructure. The DCIP Interim Implementation Guidance stresses that risk management is cyclical: as changes are constantly made to systems and personnel are replaced, risks to infrastructures must be re-assessed.

[Figure: Defence Critical Infrastructure Program Procedures flow diagram. Risk Assessment (Criticality, Vulnerability, Threats and hazards); Risk Management; Risk Response (Remediation, Mitigation, Reconstitution).]

Example: Department of Homeland Security
• Officially established in January 2003.
• The department’s mission is to help prevent terrorist attacks in the United States, reduce the country’s vulnerability to terrorism, and assist in recovery after an attack.
• The department was created in response to the September 11, 2001, terrorist attacks against the World Trade Centre and the Pentagon as a way to oversee and coordinate security functions previously performed by dozens of different government agencies.

The department has four main divisions known as directorates, each administered by an undersecretary.
• The Directorate of Border and Transportation Security is responsible for preventing terrorists from entering the United States; for protecting air, land, and sea transportation systems; and for enforcing immigration laws.
• The Directorate of Emergency Preparedness and Response is responsible for coordinating the federal government’s response to terrorist attacks and major disasters and for assisting in recovery.
• The Directorate of Science and Technology is charged with overseeing efforts to protect the United States from attacks involving chemical, biological, radiological, and nuclear weapons. It also conducts and funds research related to homeland security.
• The Directorate of Information Analysis and Infrastructure Protection is responsible for analysing intelligence from a vast array of federal, state, and local agencies in order to detect terrorist threats and identify vulnerabilities in the

SUPPORTING AGENCIES
Many agencies assist the DHS in its mission. Primary responsibility for investigating and prosecuting acts of terrorism rests with law enforcement agencies, including the Department of Justice, the Federal Bureau of Investigation (FBI), and state and local law enforcement agencies. The CIA gathers overseas intelligence about terrorist threats. Other members of the intelligence community, such as the National Security Agency (NSA) and the Defence Intelligence Agency (DIA), also provide the DHS with information.