
Introduction to the National
Infrastructure Protection Plan
IS 860
Amelia Muccio
Director of Disaster Planning
NEW JERSEY PRIMARY CARE ASSOCIATION
Lesson 1 Overview
• Explain the criticality of protecting and ensuring
the continuity of critical infrastructure (CI) and
key resources (KR) of the United States.
• Describe how the NIPP provides the unifying
structure for the integration of CI/KR protection
efforts into a single national program.
• Define CI/KR and protection in the context of the
NIPP.
Collaborative Partnerships
• The NIPP was developed through a collaborative
partnership representing the DHS; other Federal
agencies; State, tribal, and local gov’t; and the
private sector.
Critical Infrastructure and Key Resources (CI/KR)
• CI: refers to assets, systems, and networks,
whether physical or virtual, so vital to the U.S. that
the incapacity or destruction of such assets, systems,
or networks would have a debilitating impact on
security, national economic security, public health
or safety, or any combination of those matters.
• KR: as defined in the Homeland Security Act of
2002, are publicly or privately controlled
resources essential to the minimal operations of
the economy or gov’t.
Importance of CI/KR
• Terrorist attacks on CI/KR and other manmade
or natural disasters could significantly disrupt the
functioning of gov’t and business alike, and
produce cascading effects far beyond the affected
CI/KR and physical location of the incident.
NIPP
• The NIPP provides the unifying structure for the
integration of CI/KR protection efforts into a
single national program.
• The NIPP establishes an overall framework for
integrating programs and activities that are
currently underway in the various sectors, as well
as new and developing CI/KR protection efforts.
NIPP Goal
• Achieving the NIPP goal requires:
• Understanding and sharing information about
terrorist threats and other hazards.
• Building security partnerships to share
information and implement CI/KR protection
programs.
• Implementing a long-term risk-management
program.
• Maximizing efficient use of resources for CI/KR
protection.
Building on Homeland Security Strategies
• Builds on the principles of the President’s
National Strategy for Homeland Security and its
companion strategies for the physical protection
of critical infrastructure and key assets and the
securing of cyberspace.
• Fulfills requirements in Homeland Security
Presidential Directive 7 (HSPD-7) and the
Homeland Security Act of 2002.
The Terrorist Threat
• Terrorist attacks against CI/KR across the U.S.
could seriously threaten national security, result in
mass casualties, weaken the economy, and
damage public morale and confidence.
All-Hazards Approach
• The direct impacts, disruptions, and cascading
effects of natural disasters and manmade incidents
on the Nation’s CI/KR are well documented.
Integration Framework
• Many owners and operators, gov’t emergency
managers, and first responders have developed
strategies, plans, policies, and procedures for
preparing for, mitigating, responding to, and
recovering from a variety of natural and manmade
incidents.
Security Partnerships
• The NIPP defines security partners as those
Federal, State, regional, Territorial, local, or tribal
gov’t entities, private sector owners and operators
and representative organizations, academic and
professional entities, and certain not-for-profit
and private volunteer orgs that share in the
responsibility for protecting the Nation’s CI/KR.
• NIPP provides the framework that allows these
partners to work collaboratively.
Sector-Specific Nature of CI/KR Protection
• HSPD 7 designated responsibility to various
Federal gov’t departments to serve as Sector-Specific Agencies (SSAs) for each of the CI/KR
sectors.
• SSAs are responsible for working with DHS to
implement the NIPP sector partnership model and
risk management framework, develop protective
programs and related requirements, and provide
sector-level CI/KR protection guidance.
The Value Proposition
• The public-private partnership called for in the
NIPP provides the foundation for effective CI/KR
protection.
• Gov’t and the private sector each bring core competencies.
• Prevention, response, mitigation, and recovery
efforts are most efficient and effective when there
is full participation of gov’t and private sector
partners.
• The success of the partnership depends on
articulating the mutual benefits to gov’t and
private sector partners.
Private Sector Capabilities
• Management of a vast majority of CI/KR in many sectors.
• Knowledge of CI/KR assets, networks, facilities,
functions, and other capabilities.
• Capability to take initial first-response actions in the event
of an incident.
• Ability to innovate and to provide products, services, and
technologies to address security gaps.
• Robust mechanisms for sharing and protecting sensitive
information regarding threats, vulnerabilities,
countermeasures, and best practices.
Risk Management Framework
• The cornerstone of the NIPP is its risk
management framework.
• This framework establishes the process for
combining consequence, vulnerability, and threat
information to produce a comprehensive,
systemic, and rational assessment of national or
sector-specific risk that drives CI/KR protection
activities.
Adaptive Nature of Terrorist Threat
• A risk-based approach will provide the basis for
an effective risk management strategy and
efficient resource allocation.
Information Sharing Among Security Partners
• Robust, multidirectional information sharing.
• When owners/operators are provided with comprehensive
picture of threats and hazards to CI/KR and participate in
ongoing multidirectional information flow, their ability to
assess risks, make prudent security investments, and take
protective actions is sustainably enhanced.
• When the gov’t is equipped with an understanding of
private sector information needs, it can adjust its
information collection, analysis, synthesis, and
dissemination activities accordingly.
Information Sharing (con’t)
• When the private sector is assured that critical
infrastructure information that it shares with the
gov’t will be protected from release or disclosure,
the Nation’s CI/KR protection capabilities will be
enhanced.
Information Flow and Protection
• The NIPP information sharing approach
constitutes a shift from a strictly hierarchical to a
networked model, allowing distribution and
access to information to enable decentralized
decision-making and actions.
• Information in the network is:
• Protected
• Safeguarded
• Monitored
NIPP Components
• The NIPP covers the full range of physical, cyber,
and human protection within and across all of the
Nation’s CI/KR sectors:
• Executive Summary
• Introduction
• Authorities, Roles, and Responsibilities
• The Protection Program Strategy
• Organizing and Partnering
• Integrating CI/KR Protection
• Ensuring an Effective and Efficient Program
• Providing Resources for the CI/KR Protection Program
Lesson 2 Overview
• DHS
• SSAs
• Other Federal departments/agencies
• State, local, and tribal jurisdictions
• Private-Sector owners and operators
Homeland Security Act of 2002
• Provides the primary authority for the overall
homeland security mission and provides the basis
for DHS responsibilities in the protection of the
Nation’s CI/KR.
HSPD-7
• The national approach to CI/KR protection is
provided through the unifying framework
established by HSPD-7.
• This directive establishes the U.S. policy for
enhancing protection of the Nation’s CI/KR and
mandates a national plan to actuate that policy.
• Designates the Secretary of Homeland Security as the
principal Federal official to lead CI/KR protection efforts.
SSAs
• SSAs are responsible for working with DHS to
implement the NIPP sector partnership model and
risk management framework, develop protective
programs and related requirements, and provide
sector-level CI/KR protection guidance in line
with overarching guidance.
• SSAs also develop sector-specific plans and
feedback.
SSAs Assignments
SSA: CI/KR
• Dept of Agriculture: Agriculture and Food
• HHS: Agriculture and Food
• DoD: Defense Industrial Base
• Dept of Energy: Energy
• HHS: Public Health/Healthcare
• Dept of Interior: Monuments/Icons
• Dept of Treasury: Banking/Finance
• EPA: Drinking H2O/Water Treatment
• DHS OIP: Chemical, Dams, Nuclear Reactors, Waste
• DHS Cyber: IT
• TSA: Postal and Shipping
• TSA: Transportation
• Immigration: Gov’t Facilities
Other Federal Agencies
• Assist in assessing risk, prioritizing CI/KR, and
enabling protective actions and programs within
that sector.
• Support the national goal of enhancing CI/KR
protection through their roles as the regulatory
agencies for owners and operators represented
within specific sectors when so designated by
statute.
State and Territorial Gov’t
• Serve as crucial coordination hubs, bringing
together prevention, protection, response, and
recovery authorities; capacities; and resources.
• Coordinate requests for Federal assistance when
the threat or incident situation exceeds
jurisdictional capabilities.
• Develop and implement statewide/regional CI/KR
protection programs that reflect the full range of
NIPP activities.
Local Gov’t
• Provide critical public services and functions in
conjunction with private-sector owners and
operators.
• Drive emergency preparedness, as well as local
participation in NIPP and SSP implementation,
across a variety of jurisdictional security partners.
Tribal Gov’t
• Tribal gov’t roles and responsibilities regarding
CI/KR mirror those of State and local gov’t.
• Under NIPP, tribal gov’t must ensure close
coordination with Federal, State and local and
international counterparts to achieve synergy in
the implementation of the NIPP/SSP frameworks.
Regional Partners
• Regional security partners include a variety of
public-private initiatives that cross jurisdictional
and/or sector boundaries and focus on homeland
security and phases of disaster mgt.
• Specific regional initiatives range in scope from
orgs that include multiple jurisdictions and
private-sector partners within a single State to
groups that involve jurisdictions and enterprises
in more than one State, and to internationally
focused groups.
Regional Partners: Best Practices
• Pacific Northwest Economic Region
• The region, established by statute in all member
States and provinces, sponsors binational,
multijurisdictional CI/KR protection
interdependency exercises and has developed an
action plan outlining several physical and cyber
CI/KR protection projects with important regional
impact.
Boards, Commissions, Authorities, Councils, and
Other Entities
• Perform regulatory, advisory, policy, or business
oversight functions related to various aspects of
CI/KR operations and protection within and
across sectors and jurisdictions.
• These entities may serve as SSAs within a State
and contribute expertise.
• Housing authorities, water and sewer boards, park
commissions (examples)
Commissions: Public Utility
• Creating networks among utility regulators and
other Federal, State, local, and private sector
entities to address cross-sector issues.
• Recommending strategies to facilitate information
sharing.
• Recommending cost-effective solutions
• Identifying and prioritizing issues, researching
best practices, and disseminating information.
Private-Sector Owners and Operators
• Owners and operators generally represent the first line of
defense for the CI/KR under their control.
• Private-sector owners and operators are responsible for
taking action to support risk mgt planning and make
prudent investments in security measures by:
• Maintaining business continuity and emergency management plans (EMPs)
• Protecting facilities against physical and cyber attacks and
natural disasters
• Guarding against the insider threat
• Building increased resiliency and redundancy into
business processes and systems
• Minimizing impact on surrounding communities
Sector Coordinating Councils (SCCs)
• The sector partnership encourages CI/KR owners
and operators to create or identify a Sector
Coordinating Council as the principal entity for
coordinating with the gov’t on a wide range of
CI/KR protection activities and issues.
• The PCIS provides senior level, cross sector
strategic coordination through partnerships with
DHS and the SSAs.
Government Coordinating Councils (GCCs)
• Formed as the government counterpart for each
SCC to enable interagency and cross-jurisdictional coordination.
• Each GCC is comprised of representatives from all levels of gov’t.
• Government Cross-Sector Council addresses
cross-sector issues.
Critical Infrastructure Partnership Advisory
Council (CIPAC)
• Directly supports the NIPP sector partnerships by
providing a legal framework for members of the
SCCs and GCCs to engage in joint CI/KR
protection-related activities.
• CIPAC serves as a forum for gov’t and private
sector security partners to engage in a broad
spectrum of activities including planning,
coordination, and implementation of operational
activities.
Regional and Int’l Coordination
• Regional: regional partnerships, groupings, and
governance bodies enable CI/KR protection
within and across geographical areas and sectors.
• Int’l: The U.S.-Canada-Mexico Security and
Prosperity Partnership, North Atlantic Treaty Org
Senior Civil EP Committee, and other nongovernmental and public-private orgs enable a
range of CI/KR protection through int’l
agreements.
Advisory Councils
• Provide advice, recommendations, and expertise
to the gov’t regarding CI/KR.
• Enhance private-public partnerships
• Engagement of PPP
AC Examples
• Homeland Security Advisory Council: advice to
Secretary of DHS
• Private Sector Senior Advisory Committee:
provides HSAC (above) with expertise
• National Infrastructure Advisory Council:
provides the President with advice
• National Security Telecommunications Advisory
Committee: industry-based advice and expertise
Academia, Research Centers, and Think Tanks
• Establishing Centers of Excellence
• Supporting research
• Analyzing and sharing best practices
• Disseminating guidelines
• Conducting research for new technologies
Lesson 3 Overview
• Describe how the use of the risk mgt framework
ensures a steady state of protection within and
across the CI/KR sectors.
• Identify the risk mgt activities implemented by
security partners.
Managing Risk
• The NIPP risk mgt framework establishes a
process for identifying risks and prioritizing
protection initiatives and investments within and
across sectors.
• Gov’t and private sector offer the most benefit for
mitigating risk by lessening vulnerabilities,
deterring threats, and minimizing the consequence
of terrorist attacks and other manmade and natural
disasters.
What is Risk?
• Risk is defined as a measure of potential harm
that encompasses threat, vulnerability, and
consequence.
• Risk is the expected magnitude of loss due to an
event along with the likelihood of such an event
occurring and causing that loss.
NIPP Risk Mgt Framework
• Setting security goals
• Identifying assets
• Assessing risks
• Prioritizing and implementing corrective
programs
• Measuring performance
• Taking corrective action
NIPP Risk Mgt Framework (con’t)
• Applicable to the general threat environment, as
well as to specific threat or incident situations
• Structured to promote continuous improvement to
enhance CI/KR protection
• Tailored and applied to each asset depending on the
fundamental characteristics of the individual
CI/KR sectors.
SSAs Responsibilities
• Developing and implementing Sector-specific
plans
• Fostering communication
• Coordinating sector-wide risk mgt
• Prioritizing sector risks and needs
DHS Responsibilities
• Supporting risk mgt efforts by providing
guidance, tools, and analytical support to SSAs
and other security partners.
• Using the results obtained in sector-specific risk
mgt efforts to conduct cross-sector risk analysis
and mgt activities.
• Working with security partners to identify and
share threat information, lessons learned and best
practices.
Physical, Cyber, and Human Elements
• Physical: tangible property
• Cyber: electronic information and
communication systems, and the information
contained therein
• Human: critical knowledge of functions or
people uniquely susceptible to attack
Set Security Goals
• Security partners work together to define specific
outcomes, conditions, end points, or performance
targets that collectively constitute an effective
protective posture.
Identify Assets, Systems, Networks, and
Functions
• The next activity is to develop and maintain an
inventory of the assets, systems, networks, and
functions that comprise the Nation’s critical
infrastructure and key resources.
• The inventory allows for the inclusion of a wide
diversity of items, thereby reflecting the unique
nature of the different sectors.
Assess Risks
• Based on the inventory, risk is assessed as a
function of consequence, vulnerability, and threat.
• Consideration is given to the potential direct and
indirect consequences of a terrorist attack or other
hazards, known vulnerabilities to various potential
attack vectors, and general or specific threat
information.
Risk = f(Consequence, Vulnerability, Threat)
• Consequence: the negative effects on public
health, economy, and the functioning of gov’t.
• Vulnerability: the likelihood that a flaw in a
system renders it susceptible to destruction.
• Threat: the likelihood that a particular asset will
suffer an attack or an incident.
Calculating Risk
• Risk assessments are conducted based on
consequence, vulnerability, and threat to a given
asset, system or network.
Existing Risk Assessment Tools
• Many institutions perform vulnerability and risk
assessments on their assets.
Prioritization Process
• Identify where risk mitigation is most pressing,
and subsequently determine the most cost-effective protective actions.
• Determine which CI/KR should be given priority
for protection and which alternative protective
actions represent the best investment based on
risk.
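The slides give Risk = f(Consequence, Vulnerability, Threat) and then ask for prioritization by risk and by cost-effectiveness of protective actions, but never show the two steps carried out. The following is an added worked example, not course material or any DHS tool. It assumes (the NIPP itself only says "f") that f is the product C * V * T, with V and T as likelihoods in [0, 1] and C as an expected loss in dollars, and every asset, score, and cost below is constructed sample data rather than a figure from a real sector assessment.

```python
"""Toy NIPP-style risk prioritization (added example, not course material).

Assumptions not made by the slides:
  * Risk = Consequence * Vulnerability * Threat, i.e. expected loss.
  * Vulnerability and Threat are likelihoods in [0, 1]; Consequence is dollars.
  * All asset names, scores and action costs are constructed sample data.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    sector: str
    consequence: float    # expected loss in dollars if the asset is lost
    vulnerability: float  # likelihood that an attack or incident succeeds, 0..1
    threat: float         # likelihood that an attack or incident occurs, 0..1


@dataclass(frozen=True)
class ProtectiveAction:
    asset: str                  # name of the asset the action protects
    description: str
    cost: float                 # dollars to implement
    vulnerability_after: float  # residual vulnerability once implemented


def risk(a: Asset) -> float:
    """Assumed combining function f: expected loss = C * V * T."""
    if not (0.0 <= a.vulnerability <= 1.0 and 0.0 <= a.threat <= 1.0):
        raise ValueError(f"{a.name}: vulnerability and threat must lie in [0, 1]")
    return a.consequence * a.vulnerability * a.threat


def prioritize_assets(assets):
    """'Assess risks' step: rank the inventory by risk, highest first."""
    return sorted(assets, key=risk, reverse=True)


def rank_actions(assets, actions):
    """'Prioritize' step: rank protective actions by risk reduced per dollar.

    Returns (reduction_per_dollar, absolute_reduction, action) tuples,
    best investment first.
    """
    by_name = {a.name: a for a in assets}
    scored = []
    for act in actions:
        before = by_name[act.asset]
        after = replace(before, vulnerability=act.vulnerability_after)
        reduction = risk(before) - risk(after)
        scored.append((reduction / act.cost, reduction, act))
    return sorted(scored, key=lambda t: t[0], reverse=True)


def progress(baseline_assets, current_assets) -> float:
    """'Continuous improvement' step: fraction of total baseline risk removed."""
    base = sum(risk(a) for a in baseline_assets)
    now = sum(risk(a) for a in current_assets)
    return (base - now) / base if base else 0.0


# Constructed sample inventory (not real facilities or scores).
SAMPLE_ASSETS = [
    Asset("Regional water treatment plant", "Water", 50_000_000, 0.30, 0.05),
    Asset("County hospital EHR system", "Healthcare", 20_000_000, 0.60, 0.20),
    Asset("Rail switching yard", "Transportation", 80_000_000, 0.10, 0.02),
]

# Constructed candidate protective actions with assumed residual vulnerability.
SAMPLE_ACTIONS = [
    ProtectiveAction("County hospital EHR system", "Network segmentation and MFA", 400_000, 0.20),
    ProtectiveAction("Regional water treatment plant", "Perimeter hardening", 900_000, 0.15),
    ProtectiveAction("Rail switching yard", "Redundant control path", 2_000_000, 0.05),
]

if __name__ == "__main__":
    for a in prioritize_assets(SAMPLE_ASSETS):
        print(f"{a.name:35s} {a.sector:15s} risk=${risk(a):,.0f}")
    for per_dollar, reduction, act in rank_actions(SAMPLE_ASSETS, SAMPLE_ACTIONS):
        print(f"{act.description:30s} reduces ${reduction:,.0f} "
              f"({per_dollar:.2f} per $ spent)")
```

With these constructed numbers the hospital records system carries the most risk even though the rail yard has the largest consequence, and the cheapest action is also the best investment per dollar; changing the assumed f (for example to a weighted sum) changes the ranking, which is why the slides leave f to each sector.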
Protective Actions and Programs
• Deterring threats
• Mitigating vulnerabilities
• Minimizing consequences
• Comprehensive
• Coordinated
• Cost-Effective
• Risk-Based
Sector Specific Plans
• Are tailored to address the unique characteristics
and risk landscapes of each sector
• Developed by the SSAs in partnership with SCCs
and GCCs
Metric-Based System
• Measuring performance:
• Provides feedback on efforts to attain the goals
and objectives
• Provides a basis for establishing accountability,
documentation, promoting effective mgt, and
reassessing goals.
• Obtains a quantitative assessment
• Helps identify corrective actions and provide
decision makers with feedback
• Promotes informed decisions
Assessing Performance
• National Annual Report supports both strategic
and resource allocation decisions related to the
national CI/KR protection mission.
Continuous Improvement
• The NIPP includes a feedback loop for ensuring
continuous improvement of protective actions and
programs.
• “Baseline” information is compared to recent
information to measure the progress over time.
Lesson 4 Overview
• Fosters information sharing at all levels
• Provides guidance on the structure and content of
each sector’s CI/KR plan
• Helps to ensure an effective, efficient CI/KR
protection program over the long term
Benefits of Information Sharing
• Actionable information on threats and incidents
• Information pertaining to overall CI/KR status
• Owners and operators to assess risk and take
actions to safeguard their facilities.
• Gov’t to adjust its information collection,
analysis, synthesis, and dissemination activities
based on the needs of the private sector.
NIPP Information Sharing
• The NIPP approach constitutes a shift from a
strictly hierarchical to a networked model,
allowing distribution and access to information
both vertically and horizontally, as well as the
ability to enable decentralized decision making
and actions.
Networked Approach
• The NIPP uses a networked approach to
information sharing that represents a fundamental
change in how security partners share and protect
the information needed to analyze risk and make
decisions.
Safeguarding Against Unauthorized Disclosure
• NIPP implementation relies on the availability of
pertinent information provided by CI/KR owners
and operators, including the private sector.
• The NIPP recognizes that the disclosure of
sensitive business or security information could
cause serious damage to private firms, the
economy, public safety, or security through
unauthorized disclosure or access.
Protected Critical Infrastructure Information
Program
• PCII includes procedures that govern the receipt,
validation, handling, storage, marking, and use of
critical infrastructure information voluntarily
submitted to DHS.
• These procedures are also applicable to all
Federal, State, local, and tribal government
agencies and contractors that have access to,
handle, use, or store critical infrastructure
information that enjoys protection under the CII
Act of 2002.
Complementing Other Plans
• Homeland security plans and strategies at the
Federal, State, local, and tribal levels of gov’t that
address CI/KR protection within their respective
jurisdictions.
• Business continuity plans and resilience
measures.
National Response Plan
• The NIPP establishes the overall risk-based
approach that defines the Nation’s CI/KR steady-state protective posture.
• The NRP provides the approach and the overall
coordination for domestic incident mgt activities.
Ensuring an Effective, Efficient Program Over
the Long Term
• Building national awareness: to support the CI/KR
program
• Enabling education, training, and exercise programs: to
ensure that skilled professionals undertake NIPP
• Conducting R&D and using technology: improve CI/KR
• Developing, safeguarding, and maintaining data systems
and simulations: enable continuously refined risk
assessment
• Continuously improving the NIPP: and associated plans
and programs through ongoing mgt and revision, as
required.