Critical - Critical Infrastructure Protection Evolving Definitions Links to Security and Risk Analysis Recall from last class Information warfare


Critical Infrastructure Protection
Evolving Definitions
Links to Security and Risk Analysis

Recall from last class
- Information warfare
- Cyberterrorism

Cyberterrorism is a component of information warfare, but information warfare is not necessarily cyberterrorism.

Information warfare
Information warfare is the gathering or use of information to gain an advantage over another party.
"Those actions intended to protect, exploit, corrupt, deny or destroy information or information resources in order to achieve a significant advantage, objective or victory over an adversary." (John Alger, National Defense University)

Information warfare
Six components:
- Psychological operations (psy-ops)
- Electronic warfare
- Military deception
- Physical destruction
- Security measures
- Information attacks

Terrorism
Definitions
- Little agreement among govt or academic analysts
- Terrorism is defined as the actual or threatened use of violence by an individual or group motivated by ideological or political objectives.
- The goal of terrorism is to intimidate or coerce a government or its people.
- Synonyms: violence, intimidation, unconventional warfare

Four categories of cyber terrorism/information warfare
- Infrastructure attacks
- Information attacks
- Technological facilitation
- Promotion

Why Define Critical Infrastructure?
- Guides Direction of Resources & Investment
- Risks of Not Defining: Inadequate Protection or Response Capability
- Risks of Defining: unclear or unstable understanding leads to inefficient security policy
- Risks of Fluid Definition: Pvt Sector becomes uncompetitive
- How much CI is under Pvt Sector Control?

News
CIA Says Hackers Have Cut Power Grid
Several cities outside the U.S. have sustained attacks on utility systems and extortion demands.

Video: the most vulnerable infrastructures
The Power Grid
It's one of the nation's most vulnerable infrastructures.
Control system experts explain why it's such a weak link and how it could be a prime target for terrorists.

What is Infrastructure?
- Many & varied definitions
- Go to Google, Wikipedia right now!
- Clinton & Bush Admins plus Congress
- Fragmented Historical Development

- Presidential Decision Directive 63 (PDD 63), 1998
- Executive Order 13228, 2001
- USA PATRIOT Act, 2001
- Homeland Security Act
- National Strategy for Homeland Security, 2002
- National Strategy for Physical Infrastructure Protection, 2003
- Homeland Security Presidential Directive (HSPD-7), 2003

What is Infrastructure?
National Council on Public Works Improvement 1984
- "any physical asset that is capable of being used to produce services or other benefits for a number of years"
- "Public goods" character
- Non rival, under-produced by competition
- High fixed costs, long economic lives, strong links to economic development, & tradition of public sector involvement

CRS 31556 (1.29.03)
Provisional definition
- basic facilities, services, and installations needed for the functioning of a community or society, such as transportation and communications systems, water and power lines, and public institutions including schools, post offices, and prisons
- Perhaps too broad, subject to interpretation

E.O. 13010 (7.15.96)
Pres. Clinton Established Commission on Critical Infrastructure Protection (PCCIP)
"Infrastructure"
- Framework of interdependent networks and systems comprising identifiable industries, institutions (including people and procedures), and distribution capabilities that provide a reliable flow of products and services essential to the defense and economic security of the U.S., the smooth functioning of government at all levels, and society as a whole

E.O. 13010 (7.15.96)
What is "Critical?"
- "certain national infrastructures are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the U.S."
EO 13010's provisional list of Critical Infrastructures: telecommunications; electrical power systems; gas & oil storage & transportation; banking and finance; transportation; water supply systems; emergency services (e.g., medical, police, fire, & rescue) & continuity of government.

PDD-63 (5.22.98)
Presidential Decision Directive #63
- establish a national capability within five years to protect "critical" infrastructure from intentional disruption
- Noteworthy: specific mention of "cyber" infrastructure
- See CRS RL32631 (10.1.04) @ 5, 10, 15

USA Patriot Act, 2001
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
Many §'s Controversial, some w/ Sunset:
- Expanded Federal investigation powers
- Detention of aliens, designation of terrorist orgs.
- Roving wiretaps (landline, cells, work ph)
- Online surveillance-ISP subpoena if relevant to investig: email covers, URLs
- Secret searches, Interagency info share
- Monitor confidential Atty-Client communications
Also some not-so Controversial Provisions
- Critical Infrastructure Protection Act of 2001 (CIPA)

Critical Infrastructure Under USA Patriot's CIPA §1016(e)
"systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."

Must Decompose "Critical Infrastructure"
- Object: "systems and assets"
- Tangibility: "physical or virtual"
- Significance: "so vital to the U.S."
- Risk: "incapacity or destruction"
- Impact: "debilitating" ...
  on ... "security, national economic security, national public health or safety, or any combination"

CIPA Findings
- Legislative History is Relevant to Interpreting Statutes, Regulations, Caselaw, Regulatory Policy decisions, Expenditures
- CIPA Findings read in light of USA Patriot's passage
- US recent terrorism victim
- Nat'l resolve to counteract terrorism

CIPA Findings
- IT is center node of Bush Govt & defense/nat'l security infrastructure
- Ensure reliable provision of cyber & physical infrastructure services critical to maintaining Nat'l defense, continuity of govt, econ prosperity & quality of life

CIPA Calls for Enhancing Modeling & Analytical Capabilities
- National effort

Modeling & Analytical Capacities
Requires extensive modeling & analytic capabilities [for] Evaluating appropriate mechanisms to ensure the stability these [are] complex & interdependent systems, [will] underpin policy recommendations [must] achieve continuous viability & adequate protection of critical infrastructure

Disruption Minimization is Focus
- physical or virtual disruption operations of critical infrastructures
- Ltd to: rare, brief, geographically limited in effect, manageable, & minimally detrimental
- Of: economy, human & government services, national security

National Competences
Compare w/ SRA Program Goals!
- Modeling, simulation, & analysis of systems comprising CI
- cyber infrastructure, telecommunications infrastructure, & physical infrastructure,
- Why?
- enhance understanding of large-scale complexity of such systems
- facilitate modification of such systems to mitigate threats

National Competences
- Acquire Data
- Data Needed to Create Models
- Educate Policymakers
- Use Modeling for Policy Recommendations
- Fed agencies, Pvt Sector persons & entities
- Critiquing covered?!?
- Role of Press?!?
- Role of Academics?!?
- Analysis, Implications, Responses From State & Local Govt, Private sector

Which assets of a critical infrastructure need protection?
Not all elements of a critical infrastructure are critical.

"The electric power infrastructure includes 92,000 electric generating units (including fossil fueled, nuclear, and hydroelectric units), 300,000 miles of transmission lines, and 150 control centers, regulating the flow of electricity. The nation's water infrastructure includes 75,000 dams and reservoirs, thousands of miles of pipes and aqueducts, 168,000 public drinking water facilities, and 16,000 publicly owned waste water treatment facilities."

Highway system
The U.S. highway system consists of 4 million interconnected miles of paved roadways, including 45,000 miles of interstate freeway and 600,000 bridges. The freight rail networks extend for more than 300,000 miles and commuter and urban rail systems cover some 10,000 miles. Even the more contained civil aviation system has some 500 commercial-service airports and another 14,000 smaller general aviation airports scattered across the country. These networks also contain many other fixed facilities such as terminals, navigation aids, switch yards, locks, maintenance bases and operation control centers.

Critical assets
There are a number of ways policy makers may try to prioritize their efforts. As discussed above, some elements within a critical infrastructure are far more critical than others. Some elements, or portions of an infrastructure, may be lightly used or somewhat redundant. If these segments were unavailable, their loss would be an inconvenience, but such a loss would hardly be ruinous. One option, therefore, would be to focus on identifying the truly critical assets and doing things to harden (or toughen) them against attack or to reduce the impact of their loss, either by building in redundancies or through relocation or redesign (to reduce associated hazards) over time.

Identify elements
The National Highway System, which is a category of roads that includes the interstate highway system, constitutes only 4% of the nation's public road mileage, but carries over 44% of all travel. A similar situation exists in the aviation system. Of the 546 commercial airports that had airline service in April 2001, fully 70% of all airline passenger boardings occurred at just 31 airports.

Other approaches
Other approaches include focusing on vulnerabilities that cut across more than one infrastructure, interdependencies where the attack on one infrastructure can have adverse effects on others, geographic locations where a number of critical infrastructure assets may be located, or focusing on those infrastructure belonging solely to the federal government or on which the federal government depends.

across more than one infrastructure
Another possible way of prioritizing resource allocations is to identify vulnerabilities or solutions that cut across more than one infrastructure. To some extent, information systems are a common vulnerability to many of the other infrastructures. Solutions to information system vulnerabilities could be applied generally, whether it is establishing and implementing best practices or developing more secure software (examples?). Another related technology that cuts across more than one infrastructure is remote control systems. Much attention has already been focused on the vulnerabilities of supervisory control and data acquisition systems (SCADAs) used in energy, water, transportation, and chemical infrastructures.

interdependencies between infrastructures
Another way is to identify interdependencies between infrastructures. None of the infrastructures mentioned above are completely isolated from the others. Energy production depends on transportation. Transportation depends on energy. They both depend on information networks. Information networks depend on energy.

geographic locations
There may be geographic locations where a number of critical assets of one or more infrastructures are located that might warrant priority. One of the impacts associated with the attacks on the World Trade Center was that the area housed a number of assets associated with banking and finance, electric power, and telecommunications, some of which had no backup assets located elsewhere.

Class activity, one bonus point
Which bridge is more critical?
- Compare Woodrow Wilson Bridge (I-95), DC with Chesapeake Bay Bridge, MD.
- Answer the questions of the form.
- Map: use Google Maps to locate the two bridges
- Read the links about the two bridges ...

This note was uploaded on 03/31/2008 for the course SRA 211 taught by Professor Luyong during the Spring '08 term at Pennsylvania State University, University Park.
