The NIPP Risk Management Framework Diagram.
In the U.S. someone says “critical infrastructure,” what comes to mind? For some, it’s highways, electrical grids, and municipal water delivery systems. Others think of dams and railways. While those are all valid parts of infrastructure, it is important to realize that there are many other facets, or sectors, of critical infrastructure (CI). Dr. John Sullivan, vice-chairman of the American Board for Certification in Infrastructure Protection (ABCIP), puts it nicely: “Infrastructure is the glue that binds society together.” That glue includes stadiums, financial institutions, defense companies, farms, and many other portions of our society.
In post-9/11 American society, all of us, not just those responsible for public safety, must understand why it is important to protect those assets, both physical and electronic, that are critical to our everyday life. A water treatment plant in San Diego, right next to a military housing tract and within sight of the international border, is probably more at risk of being attacked than a bank in rural Kansas. However, if that bank is the Federal Reserve at Fort Leavenworth, then the threat becomes a higher priority than the water treatment plant.
As a result of the Alfred P. Murrah Federal Building bombing in Oklahoma City, former President Bill Clinton convened the President’s Commission on Critical Infrastructure Protection (PCCIP) in 1995. The commission’s report was one of the eye-openers that told government officials that our nation’s infrastructure was not well protected. One of the things that the PCCIP really focused on was the lack of protection for our cyber infrastructure.
President Clinton issued PDD-63 in 1998, in response to the report generated by the PCCIP, which mandated the establishment of the National Infrastructure Assurance Plan (NIAP), which was the precursor to today’s National Infrastructure Protection Plan (NIPP). The report recognized that certain portions of our infrastructure are vital to daily life and that proactive measures must be taken to protect them. While the nation was taking steps to protect its infrastructure, budget constraints and other priorities pushed the recommendations of the PCCIP to the back burner until the 9/11 attacks resulted in the establishment of the Department of Homeland Security.
President George W. Bush issued HSPD-7 in 2003, which set guidelines for the federal government to identify and prioritize U.S. critical infrastructure to protect it from terrorist attack. HSPD-7 also updated the definition of critical infrastructure to mean any assets that are “so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety.”
The NIPP was released in 2006 to provide a unifying strategy to integrate existing and future critical infrastructure protection systems and efforts into one national program. The NIPP stresses the importance of prioritization. While not all CI threats can be eliminated, we can prioritize those that have the greatest probability of happening and causing the most damage. The NIPP identified sector-specific agencies that were in charge of 18 sectors deemed critical; they in turn were responsible for sector-specific plans (SSPs). The following are the 18 sectors deemed critical and the agencies assigned to each:
Also, the 2006 NIPP focused on three principal objectives: Building security partnerships to implement critical infrastructure protection programs; Implementing a long-term risk-reduction program; and Maximizing efficient use of resources for critical infrastructure protection.
In 2009, the NIPP was updated to include a greater emphasis on risk management and resilience. It also discussed how each of the 18 sectors could work together in regional consortiums to address cross-sector risks. The 2009 NIPP outlined a common risk assessment approach, called the NIPP Risk Management Framework. The update also stressed that resiliency is just as important as protection. This also ties into Continuity of Operations (COOP), another concept that DHS stresses in emergency management planning. With COOP, the idea is that businesses should have programs in place that enable them to maintain operations in the wake of a disaster or terrorist attack. It is imperative that those in the public safety field understand the 2009 National Infrastructure Protection Plan (NIPP)—specifically, the NIPP Risk Management Framework. It is by this framework that Federal, state, local, and tribal governments determine where to focus their infrastructure protection efforts. The framework describes how to combine consequence, vulnerability, and threat information. The outcome of that process is a comprehensive, rational, and systematic assessment of risk associated with an asset, i.e. the water treatment plant, bank, and Federal Reserve described earlier.
The best part about the NIPP Risk Management Framework is that it, like NIMS and ICS, is scalable. You can use it to assess risk for a large corporation, government, or computer network, or you can use it to assess risk on your home, school, or small business. The steps remain the same; the only things that change are the expenditures of time, money, and staffing. For instance, if you have a broken window in your home, you could run a short risk assessment utilizing the NIPP Risk Management Framework. First, we set goals and objectives. The goal is to secure your personal valuable items and information, or critical infrastructure. We can identify your computer containing all of your personal information as your critical infrastructure. Then we assess the risks by determining the consequences, vulnerabilities, and threats. The consequences include loss of personal information, loss of proprietary business information, identity theft, intelligence gathering, etc. The vulnerability is that broken window, the lack of a robust security system around the computer (because who really has a retina scan to access their PC?), and the fact that you work, so are not always home to show a presence in the household. The threat is that someone may gain access to your home through the broken window, break another window, or walk through an exterior door to your residence. Now you would prioritize. Clearly, the first thing on your list is fixing that broken window. Then you buy some robust locks and consider a contract with a company that installs centrally monitored security systems. Your last priority might be that retina scanner for your computer.
So now that you’ve made your priority list, you will begin to implement programs to take care of those priorities. Get the window fixed, call the security company, and somehow procure a retina scanner. Finally, it’s time to measure effectiveness. Figure out a way to test the effectiveness. If that means trying to break into your own home, then so be it. Remember, folks, this is just an example of how to utilize the NIPP Risk Management Framework. We use this example to show that it can be utilized in almost any risk situation, large or small. Most of the nation’s critical infrastructure is owned and operated by private-sector companies. The number is often debated, but the general consensus is that 75%–95% of critical infrastructure assets are privately held. That means that the government must work with those business owners and operators to ensure that America is hardened against an attack against our homeland as well as natural disasters. These companies are encouraged to work with DHS to address risk identified through risk assessments. So what does all of this mean to you? No matter what sector you work in, you can assess the threats, vulnerabilities, and consequences involved with your business. You can even do so at home. Once you figure out the threats, vulnerabilities, and consequences, you can assign a value of risk to whatever you are assessing. Once you have that risk identified, you can take action to mitigate that risk. So what can you do? You can get involved with infrastructure protection at any level, whether it is within your home, company, or government. Check out ABCHS online courses. Start taking free FEMA courses online. There are hundreds of courses at training.fema.gov for you to increase your knowledge of NIMS, ICS, NIPP, COOP, and all of the other awesome acronyms that we use in the field of homeland security.
Shawn J. VanDiver, BS, CHS-V, SSI, CDP-I, CMAS, CAS-PSM serves in the United States Navy, operating in support of the global war on terror and the war on drugs, as well as providing sailors in his unit with force protection and anti-terrorism training. He is the assistant emergency management coordinator for his command as well as the lead CPR instructor, assistant safety officer, and hazmat coordinator for his division. He spent several months working for the County of San Diego Office of Emergency Services, developing relationships with and providing critical disaster preparedness information to military families in the San Diego area. VanDiver, who holds the rank of petty officer second class, is a graduate student completing his Master of Science degree in Homeland Security and Safety Engineering at National University in La Jolla, California. He earned a Bachelor of Science degree in Domestic Security Management from National University, with a minor in criminal justice. VanDiver is a Charter Member of the American Board for Certification in Infrastructure Protection and holds several certifications in homeland security and anti-terrorism.