One of the key issues confronting the Department of Homeland Security (DHS), the Department of Defense (DoD), state, local and tribal governments and America's private sector is how to collectively protect the nation's critical infrastructure. DoD guidance and programs have been in place for some time, and there are processes and procedures to define roles and responsibilities for protection and response — although the anticipated threats have diverged somewhat as we confront the asymmetrical terrorist threats of today rather than threats from nation-states alone.

One only needs to review the media coverage of recent weeks to find articles highlighting a terrorist plot against Ft. Huachuca, Ariz. There does not appear to be clear evidence of nation-state involvement — leaving us in the gray zone between direct military action against an aggressor and a law enforcement action directed toward collecting evidence and prosecuting foreign nationals through our court system. Cyber-attacks are another example of emerging threats that have demonstrated malicious intent to disrupt and damage our country — as in recent reports of attacks on the DoD mail system leading back to Chinese Web sites. These threats serve notice that our perimeter is being probed constantly by an elusive, well-informed and educated enemy. The private sector is also under attack by external agents of foreign governments and terrorist networks. In those cases where there is clear alignment with the DoD industrial base and sites related to Chemical, Biological, Radiological/Nuclear and Explosives, the effectiveness of a strong public-private partnership is being demonstrated every day. For example, Northrop Grumman's own manufacturing facilities for aircraft assemblies, ships and military electronics fall well within the DoD Critical Infrastructure Protection (CIP) guidelines.

The challenge for DHS is in motivating and encouraging partnerships across public, private and DoD domains, each with different organizational and cultural objectives governed under our current governance systems. With 85 percent of the country's critical infrastructure in the hands of the private sector, this challenge dwarfs the not inconsiderable DoD CIP program. DHS is now 5-years-old and still lacks a complete, detailed inventory of the CIP resources in the country. It doesn't have an efficient method for updating the information it has received through programs such as Protected Critical Infrastructure Information (PCII) either. Rather, DHS is depending on the 17 Sector Coordinating Councils to promulgate critical information to their sectors, thinking that private industry is more likely to accept a relationship of this magnitude from their private sector peers. The opportunity for inaction or incomplete risk analysis is high in sectors with little or no interdependence. Others, such as electrical power generation and distribution and financial institutions with high reliance on others in their sector, are far more cooperative. In the end, the measure of effectiveness for federal government relationships (in all of its regulatory, enforcement and inspection guises) will be measured by the willingness of the private sector to accept a relationship built on new levels of trust.

From a private sector perspective, operation of manufacturing facilities and other core infrastructure must be competitive in the market. Security is an added cost that hurts profitability and competitiveness. Research on the regulated energy and water industries indicates effective federal standards can be established across the public-private domains. These industries are far more regulated and have established their operations in areas where there is little to no competition and the barriers to entry are extremely high (adding a second municipal water distribution system, for example). Establishing federal tax and insurance incentives, limiting corporate liability and developing industry standards may motivate increased security and circumvent excessive federal mandates.

In addition, the fact that these infrastructure components are privately held creates an additional layer of complexity, since there is no community plan that is easily owned by geographically collocated infrastructure owners within or across sectors. Each owner/operator has his or her own plan and likely a trust relationship with DHS along with state and local government. This creates a mosaic of overlapping plans with no coherent understanding of the interdependencies and impacts in the face of a natural or terrorism event.

The question of partnering approaches is a gray area since each private sector participant has different risk tolerances and trust sensitivities when dealing with the public sector. Even threats that represent clear and present danger to the infrastructure and surrounding populations are at issue when it comes to public awareness. The public sector is bound to inform the citizens it protects; the private sector has a responsibility to its shareholders to maintain its brand and profitability. Building security partnerships with federal guidance that are considerate of these two points of view may not be sufficient to secure critical infrastructure. The implementation of a dual-purpose strategy and change management principles is needed to further enhance the efficiency of security partnerships. Making security a fundamental element of the business models for CIP owners — without harming their ability to effectively compete — stands as a significant challenge in today's rapidly expanding and globalized economies.

Developing strong, bi-directional trust agreements in today's threat environment will take time and patience in order to mature into effective arrangements for both sides of this issue. Supporting and enhancing sector-specific plans for highly interdependent businesses looks to be the path of least resistance today. While the loss of infrastructure in these sectors would have tremendous impact, other less cross-reliant sectors have the potential for much more lethal incidents, particularly when viewed in the context of local impacts on other sector collated resources such as freight terminals, train switch yards and petrochemical manufacturing and storage facilities. Getting a community plan in place that looks at the risk scenarios across sectors is necessary and within reach.
— Bruce Walker

About the Author

Bruce Walker is the director of Homeland security for Northrop Grumman.

A CASE IN POINT:

America's 131 million electricity customers are at risk if the grid goes down

Forty percent of energy consumption in America is in the form of electricity. At the center of the supply that fuels our food, shelter, water, law and order is the electric grid. But a decrease in transmission facilities and an increase in demand have left the grid so congested that the ongoing question of its vulnerability is one that security experts haven't quite answered.Recently, the Office of Electric Reliability (OER) for the Federal Energy Regulatory Commission (FERC) raised the issue to House committees, suggesting that because the grid's operating systems are connected to the Internet, the risk of cyberattack is escalating.

The OER has the responsibility to oversee mandatory, enforceable reliability standards for the electric grid based on the Energy Policy Act of 2005, enacted by Congress in August 2005. Joseph McClelland, director of the OER, recently presented stronger regulations that he sees are necessary to secure the grid. Among the committeewas the House Homeland Security Cybersecurity Subcommittee.

Chairmen hit back at the regulations, recommending that the Department of Homeland Security (DHS) develop a better system for guiding private industry efforts to secure control systems.

“[If] this administration doesn't recognize and prioritize these problems soon, the future isn't going to be pretty,” says Jim Langevin, D-R.I. “For a society whose very function depends on reliable power, the disruption of electricity to chemical plants, banks, refineries, hospitals, water systems and military installations presents a terrifying scenario.”

Responding to the chairmens' requests to get DHS involved was Gregory Garcia, DHS assistant secretary of cybersecurity and telecommunication. Because the nation's power generation facilities are not the property of the government, Garcia says that it is hard for DHS to develop standards. “Because the private sector owns and operates 90 percent or so of the critical infrastructure that we need to protect, responsibility for protecting our nation's control systems lies heavily with the private sector,” Garcia says.

Jim Woolsey, vice president of Booz Allen & Hamilton for Global Strategic Security and former director of the U.S. Central Intelligence Agency (CIA), agrees with Garcia about the lack of responsibility across the board.

“Authority for security of the grid is not clear in federal legislation. Right now, most security responsibility is under the state level, and at that level, a lot of the people thinking about security are not thinking about things like an attack to the grid. They are thinking about guards and gates at headquarters,” Woolsey says. “We need a federal role. We need to give authority to FERC energy experts.”

Woolsey has his own concerns about the grid's vulnerabilities, which center in two areas. The first is the aforementioned cyber threat to the Supervisory Control and Data Acquisition (SCADA) systems, which are the electronic controls for the grid. Terrorists could study these systems that distribute electricity and plan attacks to create system collapses. Although he says that there are some good fixes for this vulnerability out there, he hasn't seen any investments in them. “It costs money and there is no incentive under the current system for the grid to be maintained in a secure and redundant way,” Woolsey says. “Because SCADA is being increasingly hooked up over the Internet using standardized software products, we've reduced the resilience of the grid, and we really need to take steps to make it more resistant against these hacks.”

The second major vulnerability is the physical threat to transformers, which Woolsey says are not even protected by a covering. “Transformers just need a simple bulletproof protection. They sit out in electric substations and can take a substantial amount of time to replace. Also, there are hardly any spares, and for some reason, which I don't understand, the spares are stored right next to the ones being used.”

Destroying a transformer (and its closely located spare) is an especially potent thought since the release of a video produced by the DHS. The video shows the results of a simulated attack on a power network, including a turbine that dramatically overheats and shuts down. It is known as the Aurora Generator Test.

“It's so graphic,” says Amit Yoran, former U.S. cybersecurity chief for the Bush administration. “Talking about bits and bytes doesn't have the same impact as seeing something catch fire.”

Even McClelland addressed the threat to equipment in his testimony, claiming that the prevalence in the industry of “legacy equipment” may not be readily adaptable for purposes of cybersecurity protection. His testimony states that if this equipment is left vulnerable, it could be the focal point of efforts to disrupt the grid, and that replacing this equipment or retrofitting it to incorporate cybersecurity protection could be costly. But a successful cyber attack could damage the bulk-power system and economy in ways that cost far more.

And according to an NERC survey of 236 industry executives, 65 percent of respondents believe it is highly likely that that aging infrastructure will impact reliability, and 53 percent believe that could be at a “high severity” level.

Bringing together his concerns for the grid, Woolsey says, “Those two things together, or a simultaneous attack on both, could be extremely serious.”

He says that another vulnerability is the fact that so many people rely on one central source of electricity, and that it is a good idea for hospitals, government buildings, police stations and even homes to have as much ability as they can to carry on critical functions, even if all electrical needs cannot be met.

“Generating electricity locally can help isolate failures, and can take a load off the grid,” Woolsey says. “If you can slim down on electricity needs, it can have a major effect and satisfy critical parts with locally generated energy and electricity.”

Woolsey points to a 2003 blackout that left 3 million without electricity because a tree branch fell on some power lines. In just 9 seconds an entire section of the Northeast and Canada was without power.

Woolsey says that vulnerability to attack will decrease — or increase — in time, depending on what the country does. “Right now we aren't doing much to reduce it, but one bright spot is the increasing efficiency, reduced costs and improved performance of batteries, such as storage batteries and flow batteries. This all makes it feasible and affordable for buildings and homes to do their own electricity generation,” he says.

So would it just be a safer bet to have a grid that is more likely to recover after an attack rather than one that is more sustainable to what is most likely an inevitable attack? Woolsey says no. “If we make it more resilient against attack, we can make it easier to recover quickly. To do this we can stockpile spare transformers and move toward locally distributed generation.”
— Stephanie Silk

FROM ANOTHER INDUSTRY:

Four-tiered program leads the chemical and fertilizer industry's efforts to secure its products

Responsibility for security of the chemical and fertilizer industries is shared among federal, state and local governments as well as the private sector. The Department of Homeland Security (DHS) has issued Chemical Facility Anti-Terrorism Standards (CFATS) for any facility that manufactures, uses, stores or distributes certain chemicals above a specified quantity.

Appendix A of the standards, or the Chemicals of Interest (COI) list, enables DHS to identify any chemical facility that is a potentially high-risk facility. These facilities participate in the Chemical Security Program spelled out in the CFATS Interim Final Rule, which requires covered facilities to fulfill certain risk-based performance standards on security. The first step to determine a facility's risk is to complete and submit a Chemical Security Assessment Tool (CSAT) Top Screen to DHS.

“The security issues that we are most concerned with are the [intentional] release of certain chemicals, and theft and diversion of materials that could be used as direct weapons or used indirectly to create weapons. [We are also interested in] chemicals that raise the issue of sabotage, and these would be chemicals that react with water,” says Marybeth Kelliher, deputy chief of the Policy and Programs Branch for the DHS Chemical Security Compliance Division.

The requirements encompassed 4,000 public comments from the industry, of which 75 percent came from propane producers, distributors and users. Comments from the propane industry led to a revision in which DHS focuses on high-risk facilities

The Web-based CSAT, which is the IT backbone of the CFATS program, has three components. The Top Screen, the first component, is the one being used the most so far, according to Kelliher. One-thousand facilities have submitted one, and 10,000 have registered to submit one.

Filling out a Top Screen will either place a facility in the preliminary tier or exclude them from the regulation altogether. If placed in the preliminary tier, DHS will notify the facility that they need to complete a Security Vulnerability Analysis (SVA).

An SVA will assess the security measures in place to mitigate or reduce the likelihood of success of an attack on an asset. The results of the analysis will then determine if that facility is labeled as high-risk.

The high-risk final tier facilities will need to complete a Site Security Plan (SSP), which captures specific security measures the facility must implement to meet the risk-based performance standards.

“We have the impression that it is an easy tool to use, and we hear from the industry that their objective by logging on early and taking the Top Screen is to get answers as early as possible,” Kelliher says.

Jim Schellhorn, director of environmental health, safety and security for Terra Industries Inc., Sioux City, Iowa, a nitrogen products manufacturer, says Terra has an active facility security program that includes protection of ammonium nitrate (which could be used to make a bomb).

He says that Terra is active in efforts to influence security policy and requirements within the fertilizer industry, and that they support reasonable, risk-based security requirements.

This program has prepared them for the Top Screen that DHS is requiring, and they have completed it at several of their facilities. Schellhorn says it was easy to use for the most part, but that they are concerned that smaller distribution and retail operations may have a more difficult time with compliance, attributing to the comments Kelliher says DHS already received.

Terra also wants consistent regulation across the United States, because as it is now, only Oklahoma, New York, Texas, South Carolina, California, Iowa, Kansas, Nevada and Maryland regulate ammonium nitrate.

H.R. 1680, the Secure Handling of Ammonium Nitrate Act of 2007 bill would authorize the regulation of the sale of ammonium nitrate, applying to any ammonium nitrate with a minimum of 33 percent nitrogen. As of press time, the bill had passed in the House, but not in the Senate.

“It's our opinion that this legislation is not going to have a significant downside for future use of ammonium nitrate in agriculture,” Schellhorn says.

Richard Gupton, vice president of Legislative Policy and Counsel for the Agricultural Retailers Association (ARA), says that as an active member of the Chemical Sector Coordinating Council, the ARA is supportive of the tier system DHS is providing.

Similar to the requests of the propane industry and Terra, Gupton says that the ARA recommended that DHS remove the chemical urea off of Appendix A. He says that it poses no security risk on its own, and that it needs to be combined with other products such as nitric acid.

The ARA, along with Terra, subscribe to a required SVA that addresses the unique characteristics of Ag Retailers. Their vulnerability index, based on the SVA results, finds that 83 percent of facilities have low security vulnerabilities, 17 percent have medium vulnerabilities and zero percent have high vulnerabilities.

“We're confident that those retailers that would have to go through DHS security regulations would be screened out and not be considered a high-risk facility,” he says.

Both Kelliher and Schellhorn are looking forward to the possible results of this new endeavor.

“A lot of the facilities that we are expecting to work with are what I consider good corporate citizens when it comes to security. And we'd like to give credit where credit is due for a security facility's performance,” Kelliher says.

The comments of Marybeth Kelliher, Jim Schellhorn and Richard Gupton are quoted with permission from a Webinar sponsored by Pike & Fischer, a provider of business, legal and regulatory information covering multiple areas including the agricultural chemical and fertilizer industry. The Webinar is available at www.pf.com.
— Stephanie Silk