Introduction to the National Infrastructure Protection Plan IS 860 Amelia Muccio Director of Disaster Planning NEW JERSEY PRIMARY CARE ASSOCIATION

Dec 27, 2015


Imogen Rice
Transcript
Page 1:

Introduction to the National Infrastructure Protection Plan

IS 860

Amelia Muccio

Director of Disaster Planning

NEW JERSEY PRIMARY CARE ASSOCIATION

Page 2:

Lesson 1 Overview

• Explain the criticality of protecting and ensuring the continuity of critical infrastructure (CI) and key resources (KR) of the United States.

• Describe how the NIPP provides the unifying structure for the integration of CI/KR protection efforts into a single national program.

• Define CI/KR and protection in the context of the NIPP.

Page 3:

Collaborative Partnerships

• The NIPP was developed through a collaborative partnership representing the DHS; other Federal agencies; State, tribal, and local gov’t; and the private sector.

Page 4:

Critical Infrastructure and Key Resources (CI/KR)

• CI: refers to assets, systems, and networks, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such assets, systems, or networks would have a debilitating impact on security, national economic security, public health or safety, or any combination of those matters.

• KR: as defined in the Homeland Security Act of 2002, are publicly or privately controlled resources essential to the minimal operations of the economy or gov’t.

Page 5:

Importance of CI/KR

• Terrorist attacks on CI/KR and other manmade or natural disasters could significantly disrupt the functioning of gov’t and business alike, and produce cascading effects far beyond the affected CI/KR and physical location of the incident.

Page 6:

NIPP

• The NIPP provides the unifying structure for the integration of CI/KR protection efforts into a single national program.

• The NIPP establishes an overall framework for integrating programs and activities that are currently underway in the various sectors, as well as new and developing CI/KR protection efforts.

Page 7:

NIPP Goal

• Achieving the NIPP goal requires:

  • Understanding and sharing information about terrorist threats and other hazards.

  • Building security partnerships to share information and implement CI/KR protection programs.

  • Implementing a long-term risk-management program.

  • Maximizing efficient use of resources for CI/KR protection.

Page 8:

Building on Homeland Security Strategies

• Builds on the principles of the President’s National Strategy for Homeland Security and its companion strategies for the physical protection of critical infrastructure and key assets and the securing of cyberspace.

• Fulfills requirements in Homeland Security Presidential Directive 7 (HSPD-7) and the Homeland Security Act of 2002.

Page 9:

The Terrorist Threat

• Terrorist attacks against CI/KR across the U.S. could seriously threaten national security, result in mass casualties, weaken the economy, and damage public morale and confidence.

Page 10:

All-Hazards Approach

• The direct impacts, disruptions, and cascading effects of natural disasters and manmade incidents on the Nation’s CI/KR are well documented.

Page 11:

Integration Framework

• Many owners and operators, gov’t emergency managers, and first responders have developed strategies, plans, policies, and procedures for preparing for, mitigating, responding to, and recovering from a variety of natural and manmade incidents.

Page 12:

Security Partnerships

• The NIPP defines security partners as those Federal, State, regional, Territorial, local, or tribal gov’t entities, private sector owners and operators and representative organizations, academic and professional entities, and certain not-for-profit and private volunteer orgs that share in the responsibility for protecting the Nation’s CI/KR.

• NIPP provides the framework that allows these partners to work collaboratively.

Page 13:

Sector-Specific Nature of CI/KR Protection

• HSPD 7 designated responsibility to various Federal gov’t departments to serve as Sector-Specific Agencies (SSAs) for each of the CI/KR sectors.

• SSAs are responsible for working with DHS to implement the NIPP sector partnership model and risk management framework, develop protective programs and related requirements, and provide sector-level CI/KR protection guidance.

Page 14:

The Value Proposition

• The public-private partnership called for in the NIPP provides the foundation for effective CI/KR protection.

• Gov’t and private-sector bring core competencies.

• Prevention, response, mitigation, and recovery efforts are most efficient and effective when there is full participation of gov’t and private sector partners.

• The success of the partnership depends on articulating the mutual benefits to gov’t and private sector partners.

Page 15:

Private Sector Capabilities

• Management of a vast majority of CI/KR in many sectors.

• Knowledge of CI/KR assets, networks, facilities, functions, and other capabilities.

• Capability to take initial first-response actions in the event of an incident.

• Ability to innovate and to provide products, services, and technologies to address security gaps.

• Robust mechanisms for sharing and protecting sensitive information regarding threats, vulnerabilities, countermeasures, and best practices.

Page 16:

Risk Management Framework

• The cornerstone of the NIPP is its risk management framework.

• This framework establishes the process for combining consequence, vulnerability, and threat information to produce a comprehensive, systemic, and rational assessment of national or sector-specific risk that drives CI/KR protection activities.

Page 17:

Adaptive Nature of Terrorist Threat

• A risk-based approach will provide the basis for an effective risk management strategy and efficient resource allocation.

Page 18:

Information Sharing Among Security Partners

• Robust, multidirectional information sharing.

• When owners/operators are provided with a comprehensive picture of threats and hazards to CI/KR and participate in ongoing multidirectional information flow, their ability to assess risks, make prudent security investments, and take protective actions is substantially enhanced.

• When the gov’t is equipped with an understanding of private sector information needs, it can adjust its information collection, analysis, synthesis, and dissemination activities accordingly.

Page 19:

Information Sharing (cont’d)

• When the private sector is assured that critical infrastructure information that it shares with the gov’t will be protected from release or disclosure, the Nation’s CI/KR protection capabilities will be enhanced.

Page 20:

Information Flow and Protection

• The NIPP information sharing approach constitutes a shift from a strictly hierarchical to a networked model, allowing distribution and access to information to enable decentralized decision-making and actions.

• Information in the network is:

  • Protected

  • Safeguarded

  • Monitored

Page 21:

NIPP Components

• The NIPP covers the full range of physical, cyber, and human protection within and across all of the Nation’s CI/KR sectors:

  • Executive Summary

  • Introduction

  • Authorities, Roles, and Responsibilities

  • The Protection Program Strategy

  • Organizing and Partnering

  • Integrating CI/KR Protection

  • Ensuring an Effective and Efficient Program

  • Providing Resources for the CI/KR Protection Program

Page 22:

Lesson 2 Overview

• DHS

• SSAs

• Other Federal departments/agencies

• State, local, and tribal jurisdictions

• Private-Sector owners and operators

Page 23:

Homeland Security Act of 2002

• Provides the primary authority for the overall homeland security mission and provides the basis for DHS responsibilities in the protection of the Nation’s CI/KR.

Page 24:

HSPD-7

• The national approach to CI/KR protection is provided through the unifying framework established by HSPD-7.

• This directive establishes the U.S. policy for enhancing protection of the Nation’s CI/KR and mandates a national plan to actuate that policy.

• Designates the Secretary of Homeland Security as the principal Federal official to lead CI/KR protection efforts.

Page 25:

SSAs

• SSAs are responsible for working with DHS to implement the NIPP sector partnership model and risk management framework, develop protective programs and related requirements, and provide sector-level CI/KR protection guidance in line with overarching guidance.

• SSAs also develop sector-specific plans and feedback.

Page 26:

SSAs Assignments

SSA: CI/KR

• Dept of Agriculture: Agriculture and Food

• HHS: Agriculture and Food

• DoD: Defense Industrial Base

• Dept of Energy: Energy

• HHS: Public Health/Healthcare

• Dept of Interior: Monuments/Icons

• Dept of Treasury: Banking/Finance

• EPA: Drinking H2O/Water Treatment

• DHS OIP: Chemical, Dams, Nuclear Reactors, Waste

• DHS Cyber: IT

• TSA: Postal and Shipping

• TSA: Transportation

• Immigration: Gov’t Facilities

Page 27:

Other Federal Agencies

• Assist in assessing risk, prioritizing CI/KR, and enabling protective actions and programs within that sector.

• Support the national goal of enhancing CI/KR protection through their roles as the regulatory agencies for owners and operators represented within specific sectors when so designated by statute.

Page 28:

State and Territorial Gov’t

• Serve as crucial coordination hubs, bringing together prevention, protection, response, and recovery authorities; capacities; and resources.

• Coordinate requests for Federal assistance when the threat or incident situation exceeds jurisdictional capabilities.

• Develop and implement statewide/regional CI/KR protection programs that reflect the full range of NIPP activities.

Page 29:

Local Gov’t

• Provide critical public services and functions in conjunction with private-sector owners and operators.

• Drive emergency preparedness, as well as local participation in NIPP and SSP implementation, across a variety of jurisdictional security partners.

Page 30:

Tribal Gov’t

• Tribal gov’t roles and responsibilities regarding CI/KR mirror those of State and local gov’t.

• Under NIPP, tribal gov’t must ensure close coordination with Federal, State and local and international counterparts to achieve synergy in the implementation of the NIPP/SSP frameworks.

Page 31:

Regional Partners

• Regional security partners include a variety of public-private initiatives that cross jurisdictional and/or sector boundaries and focus on homeland security and phases of disaster mgt.

• Specific regional initiatives range in scope from orgs that include multiple jurisdictions and private-sector partners within a single State to groups that involve jurisdictions and enterprises in more than one State and internationally focused.

Page 32:

Regional Partners: Best Practices

• Pacific Northwest Economic Region

  • The region, established by statute in all member States and provinces, sponsors binational, multijurisdictional CI/KR protection interdependency exercises, and has developed an action plan outlining several physical and cyber CI/KR protection projects with important regional impact.

Page 33:

Boards, Commissions, Authorities, Councils, and Other Entities

• Perform regulatory, advisory, policy, or business oversight functions related to various aspects of CI/KR operations and protection within and across sectors and jurisdictions.

• These entities may serve as SSAs within a State and contribute expertise.

• Housing authorities, water and sewer boards, park commissions (examples)

Page 34:

Commissions: Public Utility

• Creating networks among utility regulators and other Federal, State, local, and private sector entities to address cross-sector issues.

• Recommending strategies to facilitate information sharing.

• Recommending cost-effective solutions

• Identifying and prioritizing issues, researching best practices, and disseminating information.

Page 35:

Private-Sector Owners and Operators

• Owners and operators generally represent the first line of defense for the CI/KR under their control.

• Private-sector owners and operators are responsible for taking action to support risk mgt planning and make prudent investments in security measures by:

  • Continuity of Business and EMPs

  • Protect facilities against physical and cyber attacks and natural disasters

  • Guarding against the insider threat

  • Building increased resiliency and redundancy into business processes and systems

  • Minimize impact of surrounding communities

Page 36:

Sector Coordinating Councils (SCCs)

• The sector partnership encourages CI/KR owners and operators to create or identify a Sector Coordinating Council as the principal entity for coordinating with the gov’t on a wide range of CI/KR protection activities and issues.

• The PCIS provides senior level, cross sector strategic coordination through partnerships with DHS and the SSAs.

Page 37:

Government Coordinating Councils (GCCs)

• Formed as the government counterpart for each SCC to enable interagency and cross-jurisdictional coordination.

• GCC is comprised of all levels of gov’t.

• Government Cross-Sector Council addresses cross-sector issues.

Page 38:

Critical Infrastructure Partnership Advisory Council (CIPAC)

• Directly supports the NIPP sector partnerships by providing a legal framework for members of the SCCs and GCCs to engage in joint CI/KR protection-related activities.

• CIPAC serves as a forum for gov’t and private sector security partners to engage in a broad spectrum of activities including planning, coordination, and implementation of operational activities.

Page 39:

Regional and Int’l Coordination

• Regional: regional partnerships, groupings, and governance bodies enable CI/KR protection within and across geographical areas and sectors.

• Int’l: The U.S.-Canada-Mexico Security and Prosperity Partnership, North Atlantic Treaty Org Senior Civil EP Committee, and other non-governmental and public-private orgs enable a range of CI/KR protection through int’l agreements.

Page 40:

Advisory Councils

• Provide advice, recommendations, and expertise to the gov’t regarding CI/KR.

• Enhance private-public partnerships

• Engagement of PPP

Page 41:

AC Examples

• Homeland Security Advisory Council: advice to Secretary of DHS

• Private Sector Senior Advisory Committee: provides HSAC (above) with expertise

• National Infrastructure Advisory Council: provides the President with advice

• National Security Telecommunications Advisory Committee: industry-based advice and expertise

Page 42:

Academia, Research Centers, and Think Tanks

• Establishing Centers of Excellence

• Supporting research

• Analyzing and sharing best practices

• Disseminating guidelines

• Conducting research for new technologies

Page 43:

Lesson 3 Overview

• Describe how the use of the risk mgt framework ensures a steady state of protection within and across the CI/KR sectors.

• Identify the risk mgt activities implemented by security partners.

Page 44:

Managing Risk

• The NIPP risk mgt framework establishes a process for identifying risks and prioritizing protection initiatives and investments within and across sectors.

• Gov’t and private sector offer the most benefit for mitigating risk by lessening vulnerabilities, deterring threats, and minimizing the consequence of terrorist attacks and other manmade and natural disasters.

Page 45:

What is Risk?

• Risk is defined as a measure of potential harm that encompasses threat, vulnerability, and consequence.

• Risk is the expected magnitude of loss due to an event along with the likelihood of such an event occurring and causing that loss.

Page 46:

NIPP Risk Mgt Framework

• Setting security goals

• Identifying assets

• Assessing risks

• Prioritizing and implementing corrective programs

• Measuring performance

• Taking corrective action

Page 47:

NIPP Risk Mgt Framework (cont’d)

• Applicable to the general threat environment, as well as to specific threat or incident situations

• Structured to promote continuous improvement to enhance CI/KR protection

• Tailored and applied on an asset depending on the fundamental characteristics of the individual CI/KR sectors.

Page 48:

SSAs Responsibilities

• Developing and implementing Sector-specific plans

• Fostering communication

• Coordinating sector-wide risk mgt

• Prioritizing sector risks and needs

Page 49:

DHS Responsibilities

• Supporting risk mgt efforts by providing guidance, tools, and analytical support to SSAs and other security partners.

• Using the results obtained in sector-specific risk mgt efforts to conduct cross-sector risk analysis and mgt activities.

• Working with security partners to identify and share threat information, lessons learned and best practices.

Page 50:

Physical, Cyber, and Human Elements

• Physical: tangible property

• Cyber: electronic information and communication systems, and the information contained therein

• Human: critical knowledge of functions or people uniquely susceptible to attack

Page 51:

Set Security Goals

• Security partners work together to define specific outcomes, conditions, end points, or performance targets that collectively constitute an effective protective posture.

Page 52:

Identify Assets, Systems, Networks, and Functions

• The next activity is to develop and maintain an inventory of the assets, et al. that comprise the Nation’s critical infrastructure and key resources and their functions.

• The inventory allows for the inclusion of a wide diversity of items, thereby reflecting the unique nature of the different sectors.

Page 53:

Assess Risks

• Based on the inventory, risk is assessed as a function of consequence, vulnerability, and threat.

• Consideration is given to the potential direct and indirect consequences of a terrorist attack or other hazards, known vulnerabilities to various potential attack vectors, and general or specific threat information.

Page 54:

Risk = f(Consequence, Vulnerability, and Threat)

• Consequence: the negative effects on public health, economy, and the functioning of gov’t.

• Vulnerability: the likelihood that a flaw in a system renders it susceptible to destruction.

• Threat: the likelihood that a particular asset will suffer an attack or an incident.

Page 55:

Calculating Risk

• Risk assessments are conducted based on consequence, vulnerability, and threat to a given asset, system or network.

Page 56:

Existing Risk Assessment Tools

• Many institutions perform vulnerability and risk assessments on their assets.

Page 57:

Prioritization Process

• Identify where risk mitigation is most pressing, and subsequently determine the most cost-effective protective actions.

• Determine which CI/KR should be given priority for protection and which alternative protective actions represent the best investment based on risk.

Page 58:

Protective Actions and Programs

• Deterring threats

• Mitigating vulnerabilities

• Minimizing consequences

• Comprehensive

• Coordinated

• Cost-Effective

• Risk-Based

Page 59:

Sector Specific Plans

• Are tailored to address the unique characteristics and risk landscapes of each sector

• Developed by the SSAs in partnership with SCCs and GCCs

Page 60:

Metric-Based System

• Measure performance by:

  • Provides feedback on efforts to attain the goals and objectives

  • Provides a basis for establishing accountability, documentation, promoting effective mgt, and reassessing goals.

  • Obtains a quantitative assessment

  • Helps identify corrective actions and provide decision makers with feedback

  • Promotes informed decisions

Page 61:

Assessing Performance

• National Annual Report supports both strategic and resource allocation decisions related to the national CI/KR protection mission.

Page 62:

Continuous Improvement

• The NIPP includes a feedback loop for ensuring continuous improvement of protective actions and programs.

• “Baseline” information is compared to recent information to measure the progress over time.

Page 63:

Lesson 4 Overview

• Fosters information sharing at all levels

• Provides guidance on the structure and content of each sector’s CI/KR plan

• Helps to ensure an effective, efficient CI/KR protection program over the long term

Page 64:

Benefits of Information Sharing

• Actionable information on threats and incidents

• Information pertaining to overall CI/KR status

• Owners and operators to assess risk and take actions to safeguard their facilities.

• Gov’t to adjust its information collection, analysis, synthesis, and dissemination activities based on the needs of the private sector.

Page 65:

NIPP Information Sharing

• The NIPP approach constitutes a shift from a strictly hierarchical to a networked model, allowing distribution and access to information both vertically and horizontally, as well as the ability to enable decentralized decision making and actions.

Page 66:

Networked Approach

• The NIPP uses a networked approach to information sharing that represents a fundamental change in how security partners share and protect the information needed to analyze risk and make decisions.

Page 67:

Safeguarding Against Unauthorized Disclosure

• NIPP implementation relies on the availability of pertinent information provided by CI/KR owners and operators, including the private sector.

• The NIPP recognizes that the disclosure of sensitive business or security information could cause serious damage to private firms, the economy, public safety, or security through unauthorized disclosure or access.

Page 68:

Protected Critical Infrastructure Information Program

• PCII includes procedures that govern the receipt, validation, handling, storage, marking, and use of critical infrastructure information voluntarily submitted to DHS.

• These procedures are also applicable to all Federal, State, local, and tribal government agencies and contractors that have access to, handle, use, or store critical infrastructure information that enjoys protection under the CII Act of 2002.

Page 69:

Complementing Other Plans

• Homeland security plans and strategies at the Federal, State, local, and tribal levels of gov’t that address CI/KR protection within their respective jurisdictions.

• Business continuity plans and resilience measures.

Page 70:

National Response Plan

• The NIPP establishes the overall risk-based approach that defines the Nation’s CI/KR steady-state protective posture.

• The NRP provides the approach and the overall coordination for domestic incident mgt activities.

Page 71:

Ensuring an Effective, Efficient Program Over the Long Term

• Building national awareness: to support the CI/KR program

• Enabling education, training, and exercise programs: to ensure that skilled professionals undertake NIPP

• Conducting R&D and using technology: improve CI/KR

• Developing, safeguarding, and maintaining data systems and simulations: enable continuously refined risk assessment

• Continuously improving the NIPP: and associated plans and programs through ongoing mgt and revision, as required.