NIPP 2013: Partnering for Critical Infrastructure Security and Resilience EMI Higher Education Symposium 5 June 2014

Dec 18, 2015


Dale Cannon

NIPP 2013: Partnering for Critical Infrastructure Security and Resilience

EMI Higher Education Symposium 5 June 2014


Presenter’s Name June 17, 2003 Unclassified

Strategic Drivers


Critical Infrastructure Today

Critical Infrastructure defined: “Assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on national security, economic security, national public health or safety, or any combination thereof.”

16 Critical Infrastructure Sectors

• Chemical

• Commercial Facilities

• Communications

• Critical Manufacturing

• Dams

• Defense Industrial Base

• Emergency Services

• Energy

• Financial Services

• Food & Agriculture

• Government Facilities

• Healthcare and Public Health

• Information Technology

• Nuclear Reactors, Materials and Waste

• Transportation Systems

• Water & Wastewater Systems


Today’s Risk Landscape

America remains at risk from a variety of threats including:

• Acts of Terrorism

• Cyber Attacks

• Extreme Weather

• Pandemics

• Accidents or Technical Failures

NIPP 2013 offers a distributed approach for addressing the diverse and evolving risk environment.


National Policies

President Obama announced two policies related to critical infrastructure security and resilience in February 2013:

Presidential Policy Directive 21: Critical Infrastructure Security and Resilience

Executive Order 13636: Improving Critical Infrastructure Cybersecurity

“The Nation's critical infrastructure provides the essential services that underpin American society. Proactive and coordinated efforts are necessary to strengthen and maintain secure, functioning, and resilient critical infrastructure that are vital to public confidence and the Nation's safety, prosperity, and well-being.”

– Presidential Policy Directive (PPD) 21


Critical Infrastructure Preparedness

NIPP 2013 aligns critical infrastructure security and resilience with National preparedness policies.

Presidential Policy Directive 8: National Preparedness

Strengthens the security and resilience of the United States through systematic preparation for the threats that pose the greatest risk to the security of the Nation.

[Figure: Risk Elements and National Preparedness Mission Areas]


NIPP 2013 Vision

A Nation in which physical and cyber critical infrastructure remain secure and resilient, with vulnerabilities reduced, consequences minimized, threats identified and disrupted, and response and recovery hastened

Security: Reducing the risk to critical infrastructure by physical means or defensive cyber measures to intrusions, attacks, or the effects of natural or manmade disasters

Resilience: The ability to prepare for and adapt to changing conditions, and withstand and recover rapidly from disruptions


NIPP 2013 Goals

• Assess and analyze critical infrastructure threats, vulnerabilities and consequences to inform risk management

• Address multiple threats through sustainable efforts to reduce risk; account for costs and benefits of security investments

• Enhance critical infrastructure resilience; minimize the adverse consequences of incidents…as well as conduct effective responses…

• Share actionable and relevant information across the critical infrastructure community to build awareness and enable risk-informed decision making

• Promote learning and adaptation during and after exercises and incidents


Core Tenets

• Coordinated and comprehensive risk identification and management

• Cross-sector dependencies and interdependencies

• Enhanced information sharing

• Comparative advantage in risk mitigation

• Regional and SLTT partnerships

• Cross-jurisdictional collaboration

• Security and resilience by design


Evolution from 2009 NIPP

Security and Resilience: Elevates security and resilience as the primary aim of critical infrastructure homeland security planning efforts

Cyber-Physical Integration: Integrates cyber and physical security and resilience efforts into an enterprise approach to risk management

Partnership Structure: Focuses on establishing a process to set critical infrastructure national priorities determined jointly by the public and private sector

International: Affirms that critical infrastructure security and resilience efforts require international collaboration

Risk Management: Updates the critical infrastructure risk management framework and addresses alignment to the National Preparedness System, across the prevention, protection, mitigation, response, and recovery mission areas

Regional and Local Partnerships: Supports execution of the National Plan and achievement of the National Preparedness Goal at both the national and community levels, with focus on leveraging regional collaborative efforts

Call to Action: Presents a detailed Call to Action with steps that will be undertaken, shaped by each sector’s priorities and in collaboration with critical infrastructure partners, to make progress toward security and resilience


Risk Management Framework

• Information sharing enables partners to benefit from broader knowledge and capabilities to support risk decision-making

• Risk tolerance and priorities will vary

• Consider costs and benefits during decision making

• Integrates information sharing as a core component


Critical Infrastructure Risk Management Framework


Many Stakeholders, Many Strengths

Comparative Advantage

• Engaging in collaborative processes

• Applying individual expertise

• Bringing resources to bear

• Building the collective effort

• Enhancing overall effectiveness


Partnership Structures

National Level Councils

• Sector Coordinating Councils (SCCs)

• Government Coordinating Councils (GCCs)

• State, Local, Tribal, and Territorial Government Coordinating Council (SLTTGCC)

• Critical Infrastructure Cross Sector Council

• Federal Senior Leadership Council

• Regional Consortium Coordinating Council

National, Regional, and Local Organizations

• Public Private Partnerships

• Regional Partnerships

• State and Local Councils

• Non-Governmental Organizations

Information Sharing Mechanisms

• Information Sharing and Analysis Centers (ISACs)

• Fusion Centers


Call to Action

A whole of community approach to advancing the national effort


Build on Existing Partnerships

Innovate in Managing Risk

Focus on Outcomes


Build upon Partnership Efforts

• Set National Focus through Joint Priority Setting

• Determine Collective Actions through Joint Planning Efforts

• Empower Local and Regional Partnerships to Build Capacity Nationally

• Leverage incentives to Advance Security and Resilience

Innovate in Managing Risk

• Enable Risk-Informed Decision-Making through Enhanced Situational Awareness

• Analyze Infrastructure Dependencies, Interdependencies, and Associated Cascading Effects

• Rapidly Identify, Assess, and Respond to… Cascading Effects During and Following Incidents

• Promote Infrastructure, Community, and Regional Recovery

• Strengthen Coordinated Technical Assistance, Training, and Education

• Improve Critical Infrastructure Security and Resilience by Advancing R&D Solutions

Focus on Outcomes

• Evaluate Achievement of Goals

• Learn and Adapt During and After Exercises and Incidents


Enable Risk Informed Decision Making Through Enhanced Situational Awareness

Undertake a partnership-wide review of impediments to information sharing

Build upon the functional relationship deliverable from Presidential Policy Directive 21 (PPD-21)

Develop streamlined, standardized processes to promote integration and coordination of information sharing

Develop interoperability standards to enable more efficient information exchange through defined data standards and requirements


Identify, Assess, and Respond to Unanticipated Infrastructure Cascading Effects During and Following Incidents

Enhance the capability to rapidly identify and assess cascading effects involving the lifeline functions and contribute to identifying infrastructure priorities—both known and emerging—during response and recovery efforts

Enhance the capacity of critical infrastructure partners to work through incident management structures such as the ESFs to mitigate the consequences of disruptions to the lifeline functions


Promote Infrastructure, Community, and Regional Recovery Following Incidents

Encourage States and localities to consider critical infrastructure challenges in pre-incident recovery planning, post-incident damage assessments, and recovery strategy development

Support examination of initiatives to enhance, repair, or replace infrastructure providing lifeline functions during recovery


Strengthen Coordinated Development and Delivery of Technical Assistance, Training, and Education

Capture, report, and prioritize the technical assistance, training, and education needs of critical infrastructure partners

Examine current Federal technical assistance, training, and education programs to ensure that they support the national priorities and the risk management activities described in NIPP 2013

Leverage a wider network of partners to deliver training and education programs to better serve recipients and reach a wider audience while conserving resources

Partner with academia to establish and update critical infrastructure curricula that help to train critical infrastructure professionals


Improve Critical Infrastructure Security and Resilience by Advancing Research and Development Solutions

Promote R&D to enable the secure and resilient design and construction of critical infrastructure and more secure accompanying cyber technology

Enhance modeling capabilities to determine potential impacts on critical infrastructure of an incident or threat scenario, as well as cascading effects on other sectors

Facilitate initiatives to incentivize cybersecurity investments and the adoption of critical infrastructure design features that strengthen all-hazards security and resilience

Prioritize efforts to support the strategic guidance issued by DHS


Learn and Adapt During and After Exercises and Incidents

Develop and conduct exercises through participatory processes to suit diverse needs and purposes

Design exercises to reflect lessons learned and test corrective actions from previous exercises and incidents, address both physical and cyber threats and vulnerabilities, and evaluate the transition from steady state to incident response and recovery efforts

Share lessons learned and corrective actions from exercises and incidents and rapidly incorporate them into technical assistance, training, and education programs


What You Can Do

Build Upon Partnership Efforts

Innovate in Managing Risk

Focus on Outcomes

Understand the critical infrastructure landscape and how to partner with owners and operators

Provide support for assessing criticality and managing risk

Rigorous study of exercises and incidents

Bring private sector into linkages with Emergency Management and Law Enforcement communities

Incorporate critical infrastructure perspectives into traditional emergency management curricula

Establishment/awareness of regional consortia with diverse stakeholders

Connect cyber/physical stakeholders

Encourage systems approach to understanding dependencies and interdependencies

Connect to the NICC/NCCIC

Adopt the Cybersecurity Framework


Resources and Training

Visit www.dhs.gov/nipp for links to the full NIPP 2013 and the NIPP Supplements and critical infrastructure training:

NIPP Supplements

• Connecting to the NICC and NCCIC

• Executing a Critical Infrastructure Risk Management Approach

• Incorporating Resilience into Critical Infrastructure Projects

• NPPD Resources to Support Vulnerability Assessments

Critical Infrastructure Partnership Courses

• IS 913 Achieving Results through Critical Infrastructure Partnership and Collaboration

• IS 921 Implementing Critical Infrastructure Protection Programs and CI TOOLKIT

Security Awareness Series Courses

• IS 906 Workplace Security

• IS 907 Active Shooter

• IS 912 Retail Security Awareness

• IS 914 Surveillance Awareness: What you can do

• IS 915 Protecting Critical Infrastructure Against Insider Threat

• IS 916 Critical Infrastructure Security: Theft and Diversion – What You Can Do
