Skip to content

The Definition of “Critical Infrastructure”

2016 October 12
by Jason Nairn, CPP, CISSP
usace_fremont_bridge_portland

The term “critical infrastructure”, like “homeland security”, is broad and ambiguous.  A deconstruction of phrase is not particularly helpful, as it generates more questions like “what is meant by ‘critical'” and ‘what qualifies as ‘infrastructure'”?  The USA PATRIOT Act defines “critical infrastructure” as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters” (USA Patriot Act of 2001 (42 U.S.C. §5195c(e)).  This consequence-based definition is referenced in National Infrastructure Protection Plan as well.  This definition, while helpful, does little to demystify critical infrastructure as a concept.

In 2003, a large scale blackout was experienced by much of the Northeastern United States.  Obviously, the electrical system is critical infrastructure according to the definition provided above.  But given the reported cause of the Blackout, software, human factors and system deficiencies, these systems may also meet the definition of critical infrastructure.  Their failure certainly had a debilitating impact on security, economy, public health and safety.  So where does the critical infrastructure begin?  Since much of our infrastructure is systems within systems, which parts are critical?  The definition provides little granularity for those that care about the protection of critical systems.

At the core, the USA PATRIOT Act definition is inadequate to describe the role of critical infrastructure in society, which is a better way of thinking about critical infrastructure and key resources.  At the most basic level, the definition of critical infrastructure is systems that we build to reduce our dependence on, and the effects of, the natural world.  The best definition of critical infrastructure is to describe what the phrase means, and what the characteristics of CRITICAL Infrastructure are.  These characteristics include the fact that most critical infrastructure are themselves systems or networks, or are critical components of systems or networks.  These are interdependent with other infrastructure and their criticality is self-organized.  Critical infrastructure is often reliant on other infrastructure and therefore it tends to organize itself into scale-free networks with critical nodes and links to other infrastructure.

I propose the following foundational definition of critical infrastructure:

Critical infrastructure are interdependent, organized systems that are essential for supporting and sustaining communities and their separation from the natural world.

The Difference Between Education and Training

2016 June 19
by Jason Nairn, CPP, CISSP
blooms_taxonomy_verbs

Homeland security as a vocational paradigm is unique.  Rather than being simply a field of study or discipline itself, it encompasses several major disciplines as part of its scope.  This is why “homeland security” is hard to describe, and is often referred to as an “enterprise”.  The complexity of homeland security extends to its fields and disciplines as well, many of which require a combination of a foundational education and job-specific training.  Consequently, I am often asked about the difference between education and training, and I believe there is a difference, one worth understanding.

Education and training are sometimes used interchangeably, and when they are, some will seek to correct matters by citing proverbial guidance.  For instance, one can be trained to fly an airplane without the knowledge of the physics of flight.  Flight training provides the former, and aeronautical education the latter.  And of course there is the example of sex education versus training.  But these examples fail to consider that education can happen during training sessions, and training can occur as part of an education.  So what is the difference?  And why should it matter?

The key to understanding the difference lies in an understanding of learning objectives, and cognitive domains.  While this sounds difficult, it really isn’t.

The learning objectives of training are typically framed in a way that informs students about a specific topic.  This may involve an individual piece of equipment, a unique method, or a complex process.  Often the scope of training is limited, and a demonstration of competency is sufficient to judge the efficacy of the training process.  The goal of training is knowledge transfer, from trainer to trainee, and demonstrated comprehension on the part of the trainee.  The result is what I will call “applicable knowledge”.  The student is able to apply the results of the training in a specific way to make them more effective at whatever they might be doing – putting out fires or saving someone from choking.  Applicable knowledge is represented by the first three levels of Bloom’s Learning Taxonomy – Knowledge, Comprehension and Application.

The purpose of education is somewhat different.  The learning objectives are (or should be) aimed at providing what I will call “foundational knowledge”.  Unlike applicable knowledge, foundational knowledge is transformational.  It supports the student by providing theoretical bases for the way things are, transforming their understanding of the world, at least a part of it.  Foundational knowledge is represented by the last three levels of Bloom’s Taxonomy – Analysis, Synthesis and Evaluation.  Armed with foundational knowledge, a student should be able to create his or her own unique method or complex process based on their theoretical knowledge of the way things are.

It is important to note that foundational knowledge can be a result of training.  For instance, a course on a specific risk analysis methodology could include a module on the history of risk evaluation and assessment that explains why risk assessment is important and how it changed the world.  The training module on the history of risk adds foundational knowledge to the student’s repertoire, while the hands on training in the method arms the student with a tool for risk assessment application.  Both are important and essential to the success of the student.  The educational component adds richness to the training.

In the same way, an educational course of study can equip students with practical tools.  A college-level course on risk assessment could include a module on a specific risk assessment methodology.  In this way, the student leaves the course with not just the “why”, but the “how” as well.  The training in the specific method, in this way, adds richness to the educational course of study.

The effective and deliberate combination of training and education in a course of study can be an indicator of sound instructional design.  As such, an understanding of the distinction is important.

 

 

 

 

Security and the Hyperloop

2016 June 11
by Jason Nairn, CPP, CISSP
_69257095_69257094

In May, a test of Elon Musk’s Hyperloop transportation concept was conducted in the Nevada desert.  While much of the discussion around the Hyperloop’s potential has been in the area of cargo transport, the project has always been envisioned as a people mover.  In 2013, when the idea was initially released, there was a public comment period.  The initial submittals outlined the Hyperloop concept, including the structural components like the stanchions or “pylons” that support the elevated track and low pressure tube.  On August 13, 2013, I submitted the following commentary for the consideration of those working on the project.  My comments outline some of the security issues that the new transportation infrastructure brings to mind.  Seldom do security professionals have the opportunity to consider the security of critical infrastructure systems BEFORE they are built!  I never received a response, so I place my comments here for posterity and invite comment and discussion.

to: hyperloop@spacex.com,
hyperloop@teslamotors.com
date: Tue, Aug 13, 2013 at 9:17 PM
subject: Security Considerations Impact Efficiency of Pylon System

 

Elon and Companies,

Thanks for innovating!  Here is some feedback:
The pylons are the most significant structural components of this system.  Security considerations affect some of the efficiencies cited as advantages.  Given the proposed spacing of 100 feet and the tube wall thickness of less than 1 inch, it is assumed that the failure of any pylon given the 100 foot spacing could cause system failure. As both outbound and inbound tubes are supported by the same system of pylons, there is no redundancy.  Further, bad actors may come to understand the single point of failure and target remote and accessible supports.  As such, the following considerations are respectfully offered for your perusal.
Pylons Must Be Secured
The pylons must be secured from attack.  The risk of earthquake is significant, but so is the risk of terrorist attack.  Transportation sector targets are favored by terrorist groups (i.e. underwear bomber, 9/11, Sarin gas in Japan, Madrid bombings, London bombings, etc).  Thus the pylons must be secured from tampering by criminal or terrorist elements.  The modes of attack may include explosives (especially directional or “shaped” charges commonly used in building demolition to fail reinforced concrete columns), projectiles, or mechanical demolition.  The threat of these attacks may be diminished by making the pylons less accessible.
This may be accomplished by purchasing surrounding property to create standoff distance. However, this undermines the claim that pylons need less space than other modes.  Fencing or barriers may be installed.  However this undermines the claim of aesthetics.  Pylons may also be secured via electronic means that provide detection and alarm if approached.  However this will require response elements be employed along the length of the system in order to interrupt a potential attack in time to mitigate damage.  Finally, accessibility could be reduced through the use of innovative techniques related to CPTED or “Crime Prevention Through Environmental Design”.  This might include the placement of pylons in inaccessible areas or in areas of controlled access (i.e. BETWEEN the lanes of the interstate).  This may greatly reduce options for placement and raise costs.
Pylons Should Be Redundant
As the risk of the destruction of TWO adjacent pylons is much less than the risk of a single pylon being impacted, it is appropriate to consider redundancy to reduce risk.  Options for redundancy in the pylon system include the use of different, structurally separate pylons for outbound and inbound traffic tubes, or an increase in the number of pylons (decrease the spacing) to achieve a safety factor (i.e. 50 feet instead of 100 feet).  Each of these options raises costs significantly.  Ultimately, the final designers will likely have to consider that the best option is to do both AND install crossovers throughout the system that would allow a hyperloop pod to switch from one tube to the other, offering a way to transport riders to their destination (rather than back to the origin) in the event of tube failure or interruption.
These are some initial thoughts that I hope you find helpful.  Best of luck with your project!
Jason P. Nairn, CPP, CISSP
Concordia University – Portland

Critical Infrastructure is the Front Line of the New Cold War

2015 October 27
by Jason Nairn, CPP, CISSP
Bonneville_Dam_2359

Increasingly, critical infrastructure is becoming the battleground for a global power struggle to see which country (or collective) will emerge as the superpower of the digital age.  The United States’ significant conventional military superiority remains a reality.  But our enemies seem willing to concede the might of the US military in favor of anonymous, targeted cyber attacks on critical infrastructure and key resources.  Today’s New York Times story on the activity of Russian naval vessels near undersea cables reminds us that there are many vulnerabilities in the global information infrastructure.

As in wars past, a focus of the next war will be the crippling of infrastructure.  The difference is that this can now be done remotely, without physical invasion, from cyberspace, or from international waters.  It can be done via drones.  It can be done by people that don’t exist, via groups you’ve never heard of, from places you’ll never find.  And it won’t be done to fortresses or government compounds built for resilience, but to private corporations and municipal utilities built for profit and service.

So what can we do to better protect critical infrastructure?  Here are five ideas:

  1. Provide grants to critical infrastructure owners and operators, directly, to protect their networks.
  2. Restore and fund the Buffer Zone Protection Program.
  3. Enable DHS Protective Security Advisers to initiate projects based on the results of vulnerability assessments they conduct, especially when they find critical vulnerabilities.
  4. Conduct random penetration testing of US infrastructure to find vulnerabilities and report them.
  5. Initiate a nationwide campaign to raise awareness of our vulnerabilities and assist the public in reporting threats to critical infrastructure.

We need to think about what, realistically, can be done that is MEASURABLE.

 

Cyberdiplomacy and Cyber War

2015 September 7
by Jason Nairn, CPP, CISSP

This article that appeared in Tech Crunch this week reminded me of a post that I published here in 2013.  The changing landscape in cyberspace and the issue of statecraft in cyberspace is a subject of this article, and lies at the heart of the issue that I find interesting.  That is, what is missing with regard to the defense of the homeland in state-sponsored cyber war?  I think it may be the link between government and private-sector infrastructure, or a diplomatic realm for discussing cyber activities, but I am not sure – there are likely several things.  I am not sure I captured them in 2013, but I continue to find the issue fascinating.  Your comments are welcome.

Here is a reblog of the earlier article:

On the Need for a New Diplomatic Dimension for Cyberspace – Originally published in September 2013

In the wake of Mandiant’s APT1 report and in the midst of the Edward Snowden affair, it has become increasingly apparent that cyber diplomacy is something different than traditional international statecraft, and that the current diplomatic model is not sufficient.  Countries of the world, including and especially the United States, are attempting to manage cyber-related issues via existing diplomatic fora, using existing diplomatic resources.  The results are predictably disappointing, since cyberspace rarely conforms to the traditional business models of the 20th Century and before.

In June (2013) the State Department issued a press release to announce the United States’ conformation to the findings of the United Nations’ Group of Governmental Experts on Cyber Issues regarding the effective applicability of the UN Charter and international law to cyberspace.  Little attention was paid to the announcement, but its significance should be noted.  The overlay of existing international law and pre-cyber landscape charters is convenient (easy), but will not conquer the wicked problems of today and certainly not tomorrow.  The ability to be engaged in a cyber war with a country in the virtual world while simultaneously maintaining “normal” diplomatic relations in the “real world” cannot be addressed by current standards.  This is the state of affairs today as the Mandiant report illustrates.  Yet, as normal diplomatic procedures require careful rapprochement,
diplomats dance the dance and each party avoids discussing the issue directly while business interests are drained of their intellectual property like a water park after Labor Day.

The answer is not the United Nations or governments, which is why the problem may never be solved adequately in the current generation.  What matters in the networked world is data and infrastructure, and threats and vulnerabilities.  Nations are data owners (or at least holders), but so are companies, groups and individuals (like Snowden (he’s currently a holder)).  Nations also own infrastructure, but so do the private sector entities which own, for instance, the end user interface and telecommunications infrastructure.  A forum must be established where these stakeholders can operate on more of an equal footing, where countries are considered stakeholders just like the companies that own the networks on which they ply their trade.  The solution lies in a new dimension, one that is not formed in the crucible of the United Nations but is rooted in the networked world in which it must operate.  The management of our global network must be something complex and wonderful like the internet itself.  Where the power is held in the hands of those with the knowledge, information and interest to influence the direction of the global network.  It must be dependent on self-organized criticality.

A continued insistence on the application of current diplomatic technology in cyberspace is likely to diminish the progress of the human race.  The evolution of the networked human will be slowed by the Dickensian chains of nation-based world order.  The so-called “Arab Spring” provides evidence that the youth of the world with access to today’s technology cannot be satisfied when burdened by the constraints of national governments unwilling to free them to take full advantage of a networked Earth.  While the former generation’s power brokers attempt to make these disturbances about political and religious issues (because that is what they know), the heart of the issue is really growing pains.  We are evolving as a species faster than our organizational structure will allow.

A positive first step would be the recognition that national sovereignty is not a major factor in the future paradigm, and that the United Nations, which has failed to act promptly and responsibly to address conventional issues, is simply not equipped to manage the complexity of a networked solar system.

Homeland Security and the Honey Bee

2015 May 19
by Jason Nairn, CPP, CISSP
honeybee-1

Homeland security is not a precisely-defined discipline.  Rather, it tends to encompass issues that relate to risks to the people, stability and infrastructure of the United States.  Consequently, when an issue arises that is associated with these risks, a thought-provoking exercise for scholars in homeland security is to note the role of homeland security professionals, and the Department of Homeland Security, in addressing the issue.  Such an opportunity is presented with today’s announcement of a national strategy for the promotion of honey bees and other pollinators.

Over the past several years, entomologists have noted a decline in the populations of honey bees and other pollinators.  These declines are worrisome because of the role pollinators play in the food supply.  Additionally, the global decline in certain insect species could indicate a larger problem the magnitude of which has yet to be discovered.  These concerns have reached the White House.

In June of 2014, President Obama released a Presidential Memorandum calling for the development of a strategy to protect and promote honey bees and other pollinators.  Section 1 of the memo outlined the departments involved, and the Department of Homeland Security was conspicuously absent.  Yet DHS maintains the National Infrastructure Protection Plan, the goal of which is to “identify, deter, detect, disrupt and prepare for threats and hazards to the nation’s critical infrastructure”, and among the identified critical infrastructure sectors is Food and Agriculture.

So what can DHS bring to the issue of bees and butterflies?  The answer is the resilience model.  While the leaders of the task force – the Department of Agriculture and the Environmental Protection Agency – will undoubtedly focus on the causes of pollinator decline, the improvement of habitat and the support of growers and beekeepers, someone needs to focus on resilience in the face of declining pollinator populations.  DHS has programs in place for mobilizing readiness in the face of disasters, and by many accounts, the decline of the honey bee is disastrous.

In 2014, DHS announced its intent to focus on climate change, recognizing the need to prepare for the resulting impact on homeland security.  At the time, a senior DHS official was quoted in Reuters as saying “increasingly, we’ve moved not only from a security focus to a resiliency focus”.  If this is true, honey bees are a homeland security issue.

Utilities Are Adopting the Incident Command System

2015 April 28
by Jason Nairn, CPP, CISSP
IMUntcLogo

Increasingly, public and private utility companies are moving to the Incident Command System as a framework for responding to incidents.  The increase in incidents affecting their infrastructure, and the ubiquitous use of the National Incident Management System have prompted movement among critical infrastructure owners and operators toward the national standard.

However straight ICS is not always the best solution for utilities, and electricity, gas, water and telecommunications infrastructure systems require an approach that takes into account the complexity of networks.  According to Electric Energy T&D Magazine, 52% of utilities surveyed employ some sort of in-house or combination FEMA-based and in-house training in incident management.  This indicates that utilities are tailoring ICS for their own unique applications.  As a result, there could be different versions of ICS among utilities, complicating the response to incidents, especially where mutual aid and multi-company collaboration is required.  While some ICS is better than no ICS, standards would help the industry stay focused on the core tenets of NIMS, like the avoidance of company-specific jargon.

The recent announcement by the Western Energy Institute of a strategic partnership to create a National Training Center for Utility Incident Management makes sense.  Incident management curriculum designed by utilities, for utilities will focus ICS for the industry and provide training in best practices that serve the utilities specifically.  The goal of the national center is to develop cost-effective, world-class training tailored specifically for utilities that will increase the pace of the adoption of incident management best practices, like the Incident Command System, among critical infrastructure.  This will result in a more resilient national critical infrastructure system.

Concordia University – Portland Unveils National Training Center for Utilities

2015 April 21
by Jason Nairn, CPP, CISSP
IMUntcLogo

Concordia University – Portland in partnership with the Western Energy Institute announced a new training center designed to provide incident management training tailored for utility companies.  The announcement was made at the WEI’s Spring Operations Conference in Las Vegas this week.  Here is the press release announcing the partnership and the new training center.

The training program is designed to support utilities in the implementation of ICS and other industry best practices in their organizations.  This new center will allow utilities to obtain concise, utility-focused training for their employees and managers at a reasonable cost.  Customized training packages include the use of the homeland security simulation center to provide hands-on application of concepts covered in the training program.

For more information, visit www.homelandsecuritysimulator.com.

 

Tips for Staying Engaged While Avoiding Information Overload

2015 April 5
by Jason Nairn, CPP, CISSP
king_arthur_round_table

Security professionals protect their employers and clients from the acts of Satan and the laws of Murphy, and the news is filled with stories of both.  There is always something in the news that might be interesting to the homeland security professional, and one could spend hours reading news stories, blogs, and journal articles filled with information relevant to our vocation.  Unfortunately, there just isn’t time in most professionals’ lives to gather it all in, analyze it, and add it to our knowledge base.  So how do we stay engaged professionally, without burning out on bad news and overtaxing our processors?

Here are four tips for staying engaged while remaining sane and productive:

  1. Focus on Your Area of ExpertiseWe have pointed out in HLSR that “homeland security” is a rather vague term, and encompasses a broad range of disciplines.  If you monitor everything related to the homeland security enterprise, you will get overloaded in a hurry.  Focus instead on your area of expertise. Most professionals operate within a discipline or a focus area.  We should pay the most attention to the stories, articles and blogs that serve our niche.  As for the rest – let it go.  Prioritize your thought resources.
  2. Cache the Good Stuff for Later – If you find a good story or article that is right in your wheelhouse, consider developing a database of good stuff and caching the pdf or link for later, when you have some downtime.  This will allow you the time to analyze the piece as you read, and to develop a thorough understanding of its content.  At the same time you will be developing a database of research relevant to your area of expertise that will serve you well in other ways.
  3. Monitor Trends, Not Individual Events – This is self-explanatory, but here is an example.  Over the past few months there have been almost daily stories of the dastardly deeds of groups like ISIS or ISIL and Boko Haram.  All of these stories provide accounts, often in excruciating detail, of the brutality of these terrorists.  Unless you are an ISIS expert (see #1) you can likely do without the gory details.  Focus your attention on trends, like radicalization, the growth of these groups and the general geography affected, and spare yourself the details and the emotional stress.
  4. Be Intentional About Engagement Time – Pick a time of day or a day of the week where you review the news and articles.  This will cause the engagement to be intentional, and will avoid the pitfalls of reviewing news bits during times when other productive work should be done.  Disconnecting from outside distractions is more important than ever in our connected workplace.  Scheduling engagement time will improve overall productivity.

 

 

The Terrorism – Emergency Management Gap

2015 April 2
by Jason Nairn, CPP, CISSP

Recently, I had the pleasure of meeting with a seasoned emergency management director with responsibility for a good-sized American city. Our discussion revolved around incident command, lessons learned from a major event, and the relationship between emergency operations centers and field incident command. As we talked, the emergency manager mentioned “the terrorism – emergency management gap”.  I hadn’t heard the phrase before.  It sounded like a practicing homeland security professional was describing something that happens in homeland security.  I wanted to know more about the phrase and what it means.

After some discussion I learned that the director was describing something he had noticed in the response to a violent incident.  Violent incidents, such as terrorist attacks or active shooters, elicit a tactical response by agencies that are not as accustomed to using the Incident Command System as a primary operational structure.  With active violence, the appropriate focus is on threat eradication and incident stabilization, and thus primary responders, including leaders, are typically focused on tactical operations.  In such a case no one is left behind to coordinate staging and assignment of arriving resources, evacuations and other coordination tasks.  With leaders in tactical mode, and the incident growing in complexity, the need to act strategically becomes increasingly important – thus the terrorism – emergency management gap.

At the heart of the “terrorism – emergency management gap” is an opportunity to engage agencies in a discussion about when and how to use incident command, unified command, and coordination assets (like EOC’s) in the response to a violent incident.

To his credit, the emergency management director with whom I met will be conducting an exercise to practice these concepts this year.  Perhaps in his city he will fill the gap.