DHS plan to protect critical infrastructure goes beyond cybersecurity

Friday - 1/31/2014, 2:26pm EST

Federal Drive panel discussion

Download mp3

When Hurricane Sandy blew through New York and New Jersey in the fall of 2012, power and transportation systems were crippled for days and weeks.

That, in part, fueled the government's efforts to make these systems, known as critical infrastructure, more "resilient" — better able to absorb and recover from natural disasters, terrorist attacks, cyber intrusions and other adverse conditions.

The Federal Transit Administration recently announced it would award $3 billion in competitive grants to protect critical transportation platforms from future natural disasters.

And just last month the Homeland Security Department published its updated National Infrastructure Protection Plan, a governmentwide framework for securing critical infrastructure on a much wider scale.

"The NIPP is the guiding document across a public-private partnership of how we're going to make progress toward security resilience," said Bob Kolasky, the director for strategy and policy in DHS' Office of Infrastructure Protection during a Federal Drive panel discussion hosted by Tom Temin and Jason Miller.

The NIPP follows an executive order and presidential policy directive on cybersecurity and critical infrastructure issued by President Barack Obama last February. However, the NIPP is not limited to cyber threats but to the full range of risk-management when it comes to critical infrastructure, Kolasky said.

One of the key elements of the plan is that "cybersecurity should be dealt with in the context of overall enterprise risk management," Kolasky said. "Our approach within DHS to infrastructure protection means bringing cyber into all-hazards protection but NIPP, itself, deals with not only cybersecurity but threats of extreme weather, pandemics, the terrorism and things like that."

Greater collaboration between industry, government

The aim of the updated plan is to make all sectors of critical infrastructure more "resilient."

"We see in events like Katrina, for example, the tie-in or interdependencies between different infrastructure sectors and how a failure in one geographic area of the country can impact the economy elsewhere," said Ernie Edgar, general counsel at Atkins North America and chairman of the board of The Infrastructure Security Partnership (TISP). "And so that's really been a lot of our discussion. And so when we look at the NIPP, it's really an evolution of that thought. ... And it's going to continue to evolve."

TISP is a conglomeration of industry groups that worked to bring the voice of industry as well as state and local government to the table when DHS was drafting the updated plan. "That's really been the quantum leap," Edgar said, saying the new plan lays the groundwork for more of a collaborative approach between industry and industry.

Kerry Thomas, senior director of homeland security programs at ABS Consulting, who's contributed to all three previous versions of the plan in some form, said bringing input from all stakeholders — federal, state and local, and private industry — was essential.

"The challenge with critical infrastructure protection, in this country at least, is so much of that infrastructure is not owned by a government agency," he said. "And so there do have to be partnerships. You can address it through a regulatory framework and grant programs, but then there's this third leg of the stool that really is very important, which is public-private partnerships."

Kolasky said the updated plan includes the concept of comparative advantage.

"The public sector and the private sector — and local governments and the federal government — have different things that they bring to the table, and let's take advantage of that and let's not replicate," Kolasky said. "Let's let the private sector do what they're good at, for example, innovation."

Information sharing a 'two-way street'

In addition to the updated version of the NIPP and the recent transit grants, the Federal Emergency Management Agency has also created resiliency frameworks for disaster-recovery operations.

"There are many things that are currently happening to move ourselves within a direction of resilience," said William "Bill" Anderson, director and chief operating officer at TISP. "That's at the federal level. You bring it down to the level of the local level, to the companies — everybody has a responsibility with this in looking at how we can reshape how infrastructure is designed and built."

Another element of the NIPP that has evolved is a more collaborative approach to information sharing, ABS Consulting's Thomas' said.

"One of the criticisms of prior versions of the NIPP has been that the federal government really took a lot of information and state and local partners and critical-infrastructure partners didn't see a lot coming back their way," Thomas said. "I think this version of the NIPP takes pains to really address that and explore ways to make it more of a two-way street and an effective partnership."

DHS' Kolasky said the goal was to create multiple layers and levels of communication, through state and local fusion centers, Information Sharing Analysis Centers (ISACs) and other means. The end goal is to fusing together those disparate pieces of data and creating actual situational awareness, he said.

"What we're trying to build through the NIPP is a network to put that information together and do something with that information — get it out to the right people," Kolasky said.

RELATED STORIES:

Industry, DHS at odds over draft plan to secure critical infrastructure

White House issues cyber order, giving NIST, DHS lead roles

NIST puts finishing touches on critical infrastructure cyber framework