Law

Congressional Research Service ˜ The Library of Congress

CRS Report for Congress Received through the CRS Web

Order Code RL32561

Risk Management and Critical Infrastructure Protection: Assessing, Integrating, and Managing

Threats, Vulnerabilities and Consequences

Updated February 4, 2005

John Moteff Specialist in Science and Technology Policy

Resources, Science, and Industry Division

Risk Management and Critical Infrastructure Protection: Assessing, Integrating, and Managing Threats,

Vulnerabilities, and Consequences

Summary

The 9/11 Commission recommended that efforts to protect various modes of transportation and allocation of federal assistance to state and local governments should be based on an assessment of risk. In doing so, the Commission was reiterating existing federal policy regarding the protection of all the nation’s critical infrastructures. The Homeland Security Act of 2002 (P.L. 107-296) and other Administration documents have assigned the Department of Homeland Security specific duties associated with coordinating the nation’s efforts to protect its critical infrastructure, including using a risk management approach to set priorities. Many of these duties have been delegated to the Information Analysis and Infrastructure Protection (IA/IP) Directorate.

Risk assessment involves the integration of threat, vulnerability, and consequence information. Risk management involves deciding which protective measures to take based on an agreed upon risk reduction strategy. Many models/methodologies have been developed by which threats, vulnerabilities, and risks are integrated and then used to inform the allocation of resources to reduce those risks. For the most part, these methodologies consist of the following elements, performed, more or less, in the following order.

! identify assets and identify which are most critical ! identify, characterize, and assess threats ! assess the vulnerability of critical assets to specific threats ! determine the risk (i.e. the expected consequences of specific types

of attacks on specific assets) ! identify ways to reduce those risks ! prioritize risk reduction measures based on a strategy

The IA/IP Directorate has been accumulating a list of infrastructure assets

(specific sites and facilities). From this list the Directorate is selecting assets that have been judged to be critical from a national point of view. The Directorate intends to assess the vulnerability of all the assets on this shorter list. According to Directorate officials, vulnerability assessments and threat information are considered when determining the risk each asset poses to the nation. This risk assessment is then used to prioritize subsequent additional protection activities. The IA/IP Directorate’s efforts to date, however, raise several concerns, ranging from the process and criteria used to populate its lists of assets, its prioritization strategy, and the extent to which the Directorate is coordinating its efforts with the intelligence community and other agencies both internal and external to the Department. This report will be updated as needed.

Contents

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 IA/IP’s Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 A Generic Model for Assessing and Integrating Threat, Vulnerability,

and Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Assessments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Using Assessments to Identify and Prioritize Risk Reduction

Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Status of DHS’s Implementation of Its Critical Infrastructure Protection

Effort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Programming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Progress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Questions and Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Identifying Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Selecting High Priority Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Assessing Threat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Assessing Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Assessing Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Risk Mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Prioritizing Protection Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

1 The Intelligence Reform and Terrorism Prevention Act of 2004 (S. 2845, P.L. 108-458), legislating some of the recommendations of the Commission’s report, included a requirement to develop a National Strategy for Transportation Security that includes the development of risk-based priorities.

Risk Management and Critical Infrastructure Protection: Assessing, Integrating, and Managing Threats, Vulnerabilities, and

Consequences

Introduction

As part of its chapter on a global strategy for protecting the United States against future terrorist attacks, the 9/11 Commission recommended that efforts to protect various modes of transportation and allocation of federal assistance to state and local governments should be based on an assessment of risk.1 In doing so, the Commission was affirming existing federal policy regarding the protection of all the nation’s critical infrastructures. The Homeland Security Act of 2002 and other Administration documents have assigned the Department of Homeland Security specific duties associated with coordinating the nation’s efforts to protect its critical infrastructure. Many of these duties have been delegated to the Information Analysis and Infrastructure Protection (IA/IP) Directorate. In particular, the IA/IP Directorate is to integrate threat assessments with vulnerability assessments in an effort to identify and manage the risk associated with possible terrorist attacks on the nation’s critical infrastructure. By doing so, the Directorate is to help the nation set priorities and take cost-effective protective measures.

This report is meant to support congressional oversight by discussing, in more detail, what this task entails and issues that need to be addressed. In particular, the report defines terms (e.g. threat, vulnerability, and risk), discusses how they fit together in a systematic analysis, describes processes and techniques that have been used to assess them, and discusses how the results of that analysis can inform resource allocation and policy.

While the IA/IP Directorate has been given this task as one of its primary missions, similar activities are being undertaken by other agencies under other authorities and by the private sector and states and local governments. Therefore, this report also discusses the Department’s role in coordinating and/or integrating these activities.

CRS-2

2 Office of Homeland Security, National Strategy for Homeland Security, July 2002. 3 Ibid. p. 33. 4 Ibid. p. 64.

Background

IA/IP’s Responsibilities

The Homeland Security Act of 2002 and other Administration documents have assigned the Department of Homeland Security specific duties associated with coordinating the nation’s efforts to protect its critical infrastructure. Many of the duties discussed below have been delegated to the Information Analysis and Infrastructure Protection Directorate.

The National Strategy for Homeland Security,2 anticipating the establishment of the Department of Homeland Security, stated:

! “… the Department would build and maintain a complete, current, and accurate assessment of vulnerabilities and preparedness of critical targets across critical infrastructure sectors…[This assessment will] guide the rational long-term investment of effort and resources.3”

! “… we must carefully weigh the benefit of each homeland security endeavor and only allocate resources where the benefit of reducing risk is worth the amount of additional cost.4”

Among the specific tasks delegated to the Undersecretary for Information Analysis and Infrastructure Protection by Section 201(d) of the Homeland Security Act of 2002 (P.L. 107-296, enacted November 25, 2002) were:

! “… identify and assess the nature and scope of terrorist threats to the homeland;”

! “… understand such threats in light of actual and potential vulnerabilities of the homeland;”

! “… carry out comprehensive assessments of the vulnerabilities of the key resources and critical infrastructures of the United States, including the performance of risk assessments to determine the risk posed by particular types of terrorist attacks within the United States ….”

! “… integrate relevant information, analyses, and vulnerability assessments … in order to identify priorities for protective and support measures ….”

! “… develop a comprehensive national plan for securing the key resources and critical infrastructure of the United States ….”

! “… recommend measures necessary to protect the key resources and critical infrastructure of the United States ….”

CRS-3

5 Office of Homeland Security, The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets, February 2003. 6 Ibid. p. 23. 7 Homeland Security Presidential Directive Number 7, Critical Infrastructure Identification, Prioritization, and Protection, December 17, 2003. 8 The Clinton Administration referred to these as Lead Agencies in its Presidential Decision Directive Number 63 (PDD-63, May 1998). HSPD-7 supercedes PDD-63 in those instances where the two disagree. 9 The Department did not meet this deadline. A draft plan is still in review. The Department intends to release elements of the plan in 2005. See, See CQ Homeland Security, Jan. 28, 2005, “Still Waiting: Plan to Protect Critical Infrastructure Overdue from DHS,”at [http://homeland.cq.com/hs/display.do?docid=1507251&sourcetype=31]. This site was last viewed on February 4, 2005. It is available only by subscription. 10 Just as one example, the 9/11 Commission Report (released July 22, 2004, see page 396) when discussing the basis upon which federal resources should be allocated to states and localities, stated that such assistance should be based “strictly on an assessment of risks and vulnerabilities.” Later, in the next paragraph, it stated “the allocation of funds should be based on an assessment of threats and vulnerabilities.” In the next paragraph it stated that

(continued…)

The National Strategy for the Physical Protection of Critical Infrastructure and Key Assets 5 stated:

! “DHS, in collaboration with other key stakeholders, will develop a uniform methodology for identifying facilities, systems, and functions with national-level criticality to help establish federal, state, and local government, and the private-sector protection priorities. Using this methodology, DHS will build a comprehensive database to catalog these critical facility, systems, and functions.6”

Homeland Security Presidential Directive Number 7 (HSPD-7)7 stated that the Secretary of Homeland Security was responsible for coordinating the overall national effort to identify, prioritize, and protect critical infrastructure and key resources. The Directive assigned Sector Specific Agencies8 the responsibility of conducting or facilitating vulnerability assessments of their sector, and encouraging the use of risk management strategies to protect against or mitigate the effects of attacks against critical infrastructures or key resources. It also gave the Secretary to the end of calendar year 2004 to produce a comprehensive, integrated National Plan for Critical Infrastructure and Key Resources Protection.9 That Plan shall include a strategy and a summary of activities to be undertaken to: define and prioritize, reduce the vulnerability of, and coordinate the protection of critical infrastructure and key resources.

The terms “vulnerabilities,” “threats,” “risk,” “integrated,” and “prioritize” are used repeatedly in the documents cited above. However, none of the documents defined these terms or discussed how they were to be integrated and used. Also, in hearings, articles in the press, and other public discourse these terms are used loosely, clouding the intent of what is being proposed or discussed.10 What might seem trivial

CRS-4

10 (…continued) resources “must be allocated according to vulnerabilities.” 11 Roper, Carl. A. Risk Management for Security Professionals, Butterworth-Heinemann. 1999.

differences in definitions can make a big difference in policy and implementation. The following section provides definitions and a generic model for integrating them in a systematic way.

A Generic Model for Assessing and Integrating Threat, Vulnerability, and Risk

Many models/methodologies have been developed by which threats, vulnerabilities, and risks are integrated and then used to inform the cost-effective allocation of resources to reduce those risks. For this report, CRS reviewed vulnerability assessment models or methodologies, including some developed and used, to varying degrees, in certain selected sectors (electric power, ports, oil and gas). These are listed in the Reference section of this report. In addition, this report draws upon information contained in a book by Carl Roper entitled Risk Management for Security Professionals.11 Essential elements of these models/methods have been distilled and are presented below. They may provide some guidance in overseeing DHS’s methodology as it is developed and employed.

For the most part, each of the methodologies reviewed consist of certain elements. These elements can be divided into: assessments per se; and, the use of the assessments to make decisions. The elements are performed, more or less, in the following sequence:

Assessments ! identify assets and identify which are most critical ! identify, characterize, and assess threats ! assess the vulnerability of critical assets to specific threats ! determine the risk (i.e. the expected consequences of specific types

of attacks on specific assets) Using Assessments to Identify and Prioritize Risk Reduction Activities ! identify and characterize ways to reduce those risks ! prioritize risk reduction activities based on a risk reduction strategy

Assessments.

Identifying Assets and Determining Criticality. The infrastructure of a facility, a company, or an economic sector, consists of an array of assets which are necessary for the production and/or delivery of a good or service. Similarly, the infrastructure of a city, state, or nation consists of an array of assets necessary for the economic and social activity of the city and region, and the public health and welfare of its citizens. The first step in the process is to determine which infrastructure assets to include in the study. The American Chemistry Council, the Chlorine Institute, and the Synthetic Organic Chemical Manufacturers Association, in their Site Security

CRS-5

12 American Petroleum Institute and the National Petrochemical and Refiners Association, Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries, May 2003, p. 4.

Guidelines for the U.S. Chemistry Industry, broadly define assets as people, property, and information. Roper’s Risk Management for Security Professionals (and DOE’s Energy Infrastructure Risk Management Checklists for Small and Medium Sized Energy Facilities) broadly define assets as people, activities and operations, information, facilities (installations), and equipment and materials.

The methodologies reviewed do not provide a definitive list of such assets but suggest which ones might be considered. For example, people assets may include employees, customers, and/or the surrounding community. Property usually includes a long list of physical assets like buildings, vehicles, production equipment, storage tanks, control equipment, raw materials, power, water, communication systems, information systems, office equipment, supplies, etc. Information could include product designs, formulae, process data, operational data, business strategies, financial data, employee data, etc. Roper’s examples of activities and operations assets include such things as intelligence gathering and special training programs. Many methodologies suggest considering, initially, as broad a set of assets as is reasonable.

However, not every asset is as important as another. In order to focus assessment resources, all of the methodologies reviewed suggest that the assessment should focus on those assets judged to be most critical. Criticality is typically defined as a measure of the consequences associated with the loss or degradation of a particular asset. The more the loss of an asset threatens the survival or viability of its owners, of those located nearby, or of others who depend on it (including the nation as a whole), the more critical it becomes.

Consequences can be categorized in a number of ways: economic; financial; environmental; health and safety; technological; operational; and, time. For example, a process control center may be essential for the safe production of a particular product. Its loss, or inability to function properly, could result not only in a disruption of production (with its concomitant loss of revenue and additional costs associated with replacing the lost capability), but it might also result in the loss of life, property damage, or environmental damage, if the process being controlled involves hazardous materials. The loss of an asset might also reduce a firm’s competitive advantage, not only because of the financial costs associated with its loss, but also because of the loss of technological advantage or loss of unique knowledge or information that would be difficult to replace or reproduce. Individual firms, too, have to worry about loss of reputation. The American Petroleum Institute and the National Petrochemical and Refiners Association (API/NPRA) in their Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries also suggested considering the possibility of “excessive media exposure and resulting public hysteria that may affect people that may be far removed from the actual event location.12”

CRS-6

While the immediate impact is important, so, too, is the amount of time and resources required to replace the lost capability. If losing the asset results in a large immediate disruption, but the asset can be replaced quickly and cheaply, or there are cost-effective substitutes, the total consequence may not be so great. Alternatively, the loss of an asset resulting in a small immediate consequence, but which continues for a long period of time because of the difficulty in reconstituting the lost capability, may result in a much greater total loss.

Another issue which decision makers may consider is if the loss of a particular asset could lead to cascading effects, not only within the facility or the company, but also cascading effects that might affect other infrastructures. For example, the loss of electric power can lead to problems in the supply of safe drinking water. The loss of a key communications node can impair the function of ATM machines.

The initial set of assets are categorized by their degree of criticality. Typically the degree of criticality is assessed qualitatively as high, medium, or low, or some variation of this type of measure. However, even if assessed qualitatively, a number of methodologies suggest being specific about what kind of consequence qualifies an asset to be placed in each category. For example, the electric utility sector methodology suggests that a highly critical asset might be one whose loss would require an immediate response by a company’s board of directors, or whose loss carries with it the possibility of off-site fatalities, property damage in excess of a specified amount of dollars, or the interruption of operations for more than a specified amount of time. Alternatively, an asset whose loss results in no injuries, or shuts down operations for only a few days, may be designated as having low criticality.

For those sectors not vertically integrated, ownership of infrastructure assets may span a number of firms, or industries. Whoever is doing the analysis may feel constrained to consider only those assets owned and operated by the analyst or analyst’s client. For example, transmission assets (whether pipeline, electric, or communication) may not be owned or operated by the same firms that produce the commodity being transmitted. Both the production assets and the transmission assets, however, are key elements of the overall infrastructure. Also, a firm may rely on the output from a specific asset owned and operated by someone else. The user may consider that asset critical, but the owner and operator may not. Some of the methodologies reviewed encourage the analyst to also consider (or at least account for) the vulnerability of those assets owned or operated by someone else that provide critical input into the system being analyzed. These “interdependency” problems have been talked about, mainly in the context of inter-sector dependencies (e.g the reliance of water systems on electric power), but they may also exist intra-sector. The interdependency issue is both a technical one (i.e. identifying them) and a political/legal one (i.e. how can entity A induce entity B to protect an asset).

Identify, Characterize, and Assess Threat. Roper and the API/NPRA define threat as “any indication, circumstance or event with the potential to cause loss

CRS-7

13 American Petroleum Institute, op. cit., p. 5. 14 Roper, op. cit. , p. 43. 15 This quote is taken from the Government Accountability Office testimony, Homeland Security: Key Elements of a Risk Management Approach, GAO-02-150T, before the Subcommittee on National Security, Veteran’s Affairs, and International Relations, House Committee on Government Reform, October 21, 2001. It is used in several of the other methodologies reviewed.

or damage to an asset.13” Roper includes an additional definition: “The intention and capability of an adversary to undertake actions that would be detrimental to U.S. interests.14”

To be helpful in assessing vulnerability and risk, threats need to be characterized in some detail. Important characteristics include type (e.g. insider, terrorist, military, or environmental (e.g. hurricane, tornado)); intent or motivation; triggers (i.e events that might initiate an attack); capability (e.g. skills, specific knowledge, access to materials or equipment); methods (e.g. use of individual suicide bombers, truck bombs, assault, cyber); and trends (what techniques have groups used in the past or have experimented with, etc.).

Information useful to characterizing the threat can come from the intelligence community, law enforcement, specialists, news reports, analysis and investigations of past incidents, received threats, or “red teams” whose purpose is to “think” like a terrorist. Threat assessment typically also involves assumptions and speculation since information on specific threats may be scant, incomplete, or vague.

Once potential threats have been identified (both generically, e.g. terrorists, and specifically, e.g. Al Qaeda) and characterized, a threat assessment estimates the “likelihood of adversary activity against a given asset or group of assets.15” The likelihood of an attack is a function of at least two parameters: a) whether or not the asset represents a tempting target based on the goals and motivation of the adversary (i.e. would a successful attack on that asset further the goals and objectives of the attacker); and, b) whether the adversary has the capability to attack the asset by various methods. Other parameters to consider include past history of such attacks against such targets by the same adversary or by others, the availability of the asset as a target (e.g. is the location of the target fixed or does it change and how would the adversary know of the target’s existence or movement, etc.). The asset’s vulnerability to various methods of attack (determined in the next step) may also affect the attractiveness of the asset as a target.

As an example of a threat assessment technique, the U.S. Coast Guard, using an expert panel made up of Coast Guard subject matter and risk experts, evaluated the likelihood of 12 different attack modes against 50 different potential targets (i.e. 600 scenarios). Attack modes included “… boat loaded with explosives exploding along side a docked tank vessel,” or “… tank vessel being commandeered and intentionally damaged.” The Coast Guard also considered scenarios where port assets could be stolen or commandeered and used as a weapon or used to transport terrorists or terrorism materials. Potential targets included various types of vessels (including ferries), container facilities, water intakes, utility pipelines, hazardous materials

CRS-8

16 Roper, op. cit., p. 63. 17 American Petroleum Institute, op. cit., p. 5. 18 Federal Register, Department of Homeland Security, Coast Guard, Implementation of National Maritime Security Initiatives, Vol. 68, No. 126, July 1, 2003, p. 39245.

barges, etc. The panel of experts judged the credibility of each scenario. For example, using a military vessel for transporting terrorists or terrorism materials was judged not to be credible given the inherent security measures in place, but an external attack on a military target was considered credible. Each credible scenario was assigned one of 5 threat levels representing the perceived probability (likelihood) of it occurring, after considering the hostile group’s intent, its capabilities, prior incidents, and any existing intelligence.

The Electricity Sector’s methodology uses a checklist which asks for the specific attack mode (such as the use of explosives, truck bomb, or cyber attack) and whether it is likely that such an attack would be carried out by: a) an individual; or b) by an assault team of up to five members. In this case, the analyst is to identify likely targets for each type of attack scenario and the objective that the adversary would achieve by such an attack.

Likelihood can be measured quantitatively, by assigning it a probability (e.g. an 85% chance of occurring), or qualitatively, such as “Very High Threat Level,” which might mean there is a credible threat, with a demonstrated capability, and it has happened before. As with criticality, a number of methodologies suggested specific criteria be used to define what would constitute varying threat levels.

A threat assessment need not be static in time. Threats (i.e. the likelihood that an adversary may attack) may rise and fall over time, depending on events, anniversary dates, an increase in capability, or the need for the adversary to reassert itself. Intelligence may detect activity that indicates pre-attack activity or a lull in such activity, or an explicit threat may be made.

Assess Vulnerability. Roper defines vulnerability as a “weakness that can be exploited to gain access to a given asset.16” The API/NPRA expands this definition to include “… and subsequent destruction or theft of [the] … asset.17” The Coast Guard defines vulnerability as “the conditional probability of success given that a threat scenario occurs.18”

Weaknesses, like criticality, can be categorized in a number of ways: physical (accessibility, relative locations, visibility, toughness, strength, etc.), technical (susceptible to cyber attack, energy surges, contamination, eavesdropping, etc.), operational (policies, procedures, personal habits ), organizational (e.g. would taking out headquarters severely disrupt operations), etc.

Existing countermeasures may already exist to address these weaknesses. A vulnerability assessment must evaluate the reliability and effectiveness of those existing countermeasures in detail. For example, security guards may provide a certain degree of deterrence against unauthorized access to a certain asset. However,

CRS-9

19 Roper, op. cit., p. 73. 20 Federal Register, op. cit., p. 39245. 21 American Petroleum Institute, op. cit., p. 3.

to assess their effectiveness, a number of additional questions may need to be asked. For example, how many security guards are on duty? Do they patrol or monitor surveillance equipment? How equipped or well trained are they to delay or repulse an attempt to gain access? Have they successfully repulsed any attempt to gain unauthorized access?

Vulnerabilities are assessed by the analyst against specific attacks. API/NPRA identifies three steps to assessing vulnerabilities: 1) determine how an adversary could carry out a specific kind of attack against a specific asset (or group of assets); 2) evaluate existing countermeasures for their reliability and their effectiveness to deter, detect, or delay the specific attack; and 3) estimate current state of vulnerability and assign it a value. Specific types of attacks can be informed by the preceding threat assessment.

The Coast Guard measured vulnerability of potential targets for each attack scenario in four areas: 1) is the target available (i.e. is it present and/or predictable as it relates to the adversary’s ability to plan and operate); 2) is it accessible (i.e. how easily can the adversary get to or near the target); 3) what are the “organic” countermeasures in place (i.e. what is the existing security plan, communication capabilities, intrusion detection systems, guard force, etc.); and, 4) is the target hard (i.e. based on the target’s design complexity and material construction characteristics, how effectively can it withstand the attack). Each of these four vectors were eval

Collepals.com Plagiarism Free Papers

Are you looking for custom essay writing service or even dissertation writing services? Just request for our write my paper service, and we'll match you with the best essay writer in your subject! With an exceptional team of professional academic experts in a wide range of subjects, we can guarantee you an unrivaled quality of custom-written papers.

Get ZERO PLAGIARISM, HUMAN WRITTEN ESSAYS

Why Hire Collepals.com writers to do your paper?

Quality- We are experienced and have access to ample research materials.

We write plagiarism Free Content

Confidential- We never share or sell your personal information to third parties.

Support-Chat with us today! We are always waiting to answer all your questions.