Critical Infrastructure Protection and Policy

1
Critical Infrastructure Protection (and Policy)

• H. Scott Matthews
• March 5, 2003

2
Recap of Last Lecture

• Midterm Questions? Due today, 5pm!
• Infrastructure interdependencies exist
• 4 types, 6 dimensions
• Some caused by our influence,
• Some by management (systems)
• Some by necessity
• The interdependencies compound risk
• We do not yet understand them well
• Have high-level, not detailed models
• Infrastructure sectors depend on each other
  more than average sectors depend on them

3
Threat

• Any circumstance or event with the potential to
  cause harm to a system in the form of
  destruction, disclosure, adverse modification,
  and/or the denial of service.
• Examples Hackers, electrical storms
• Need to know likelihood of threats
• Sources National Information Systems  Security
  (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
  - generalized form of it

4
Vulnerability

• Weakness in a system, or its components (e.g.,
  system security procedures, design, controls)
  that could be exploited by a threat
• Examples Software bugs, structural design 

5
Risk

• The likelihood that a particular threat using a
  specific attack, will exploit a particular
  vulnerability of a system that results in an
  undesirable consequence
• Risk Assessment
• Process of analyzing threats to and
  vulnerabilities of a system and the potential
  impact the loss of system would have. 
• Resulting analysis is used as a basis for
  identifying appropriate and cost-effective
  counter-measures.   
• Computing expected loss functions

6
Risk Management

• The process concerned with identification,
  measurement, control and minimization of
  security risks in systems to a level commensurate
  with the value of the assets protected.  

7
Classic Warden Defense Model
Leaders
Organic Essentials
Infrastructure
Population
Military
8
New Defense Model
Military
Phys. Infrastructure
Leaders
Population
Econo-Tech. Infrastructure
9
Strategic Objectives of Plan

• Identify and protect infrastructures and assets
  most critical to society
• Provide warnings for specific, imminent threats
• Over time protect other assets through federal,
  state, local govt and private sector
  collaboration
• Homeland Security a Shared Responsibility
• Source The National Strategy for the Physical
  Protection of Critical Infrastructures and Key
  Assets, White House, Feb 2003.

10
To Achieve Strategic Vision

• Understand motivation of enemies
• Understand preferred tactics
• Comprehensive assessment of
• Assets and vulnerabilities
• Challenges of mitigating risk
• Key assets may not be part of critical
  infrastructure but affect prestige, morale,
  confidence (e.g. WTC, Golden Gate Bridge)

11
Effects of Attacks

• Direct - loss of service
• Attack on a critical node, system, function
• E.g. bridge
• Indirect
• Attack leads to behavioral/psychological
• Exploitation
• Using one to destroy another
• May involve interdependencies

12
Guiding Principles

• Assure safety, confidence, service
• Responsibility, accountability
• Collaborative partnerships govt/industry
• Market Solutions where possible
• Information sharing
• International cooperation
• Development of technology and expertise
• Safeguard privacy and freedoms

13
Responsibility Chain

• Federal Govt - oversee coordinate, set
  policies, ensure 3 strategic objs
• State and Local - identify and secure their
  assets, emergency response, act as central points
  for requesting help, coordinate information flows
• Private Sector - owns most of CI
• Continue to perform RA/RM, reassess
• Help identify vulnerabilities of national concern

14
Whats Missing?

• Anything non-terrorist
• Natural disasters
• Accidents
• Focus on terrorist-based attacks, while timely,
  is short-sighted given the range of threats and
  vulnerabilities to CI