1

Protecting Critical Infrastructure

Kaylene Wood

DSC 3013: Introduction to Homeland Security 19417

Professor Bevan

October 7, 2021
 2
Protecting Critical Infrastructure

Abstract

Critical infrastructure is defined as “systems and assets, whether physical or virtual, so

vital to the United States that the incapacity or destruction of such systems and assets would have

a debilitating impact on security, national economic security, national public health or safety, or

any combination of those matters,” (NIPP, 2013, pg. 13). This definition is vague because

critical infrastructure is encompassed by nearly every public and private program/resource. To

protect these systems and assets, there have been investments made in cybersecurity measures,

frameworks created for planning against an attack, frameworks created for recovery in the case

of an attack, and extensive collaboration methods have been developed between agencies. There

are constant threats being made against the infrastructure of the US, but there is also constant

research being done to push for improvements and amendments to acts that are already in place.
 3
Protecting Critical Infrastructure

Introduction

The protection of critical infrastructure is hugely important for homeland security, due to

it being present in nearly every facet of American life. “Critical infrastructure” includes any

asset or system that would cause devastating effects to security, economic security, public health

or safety, or a combination of these if it were to be damaged or destroyed (NIPP, 2013). Since

9/11, there have been significant changes made to legislation and programs to further increase

security of assets. Cybersecurity investments, frameworks to prevent destruction, frameworks to

recover from destruction, and communication/collaboration practices have been made in

response to the ever-present threats to critical infrastructure.

Background

There are 16 groups of critical infrastructure that are recognized in the National

Infrastructure Protection Plan (NIPP) and Cybersecurity and Infrastructure Security Agency

(CISA). The categories of critical infrastructure are: Chemical, Commercial Facilities,

Communications, Critical Manufacturing, Dams, Defense Industrial Base Sector, Emergency

Services, Energy, Financial Services, Food and Agriculture, Government Facilities, Healthcare

and Public Health, Information Technology, Nuclear Reactors, Materials, and Waste,

Transportation Systems, Water and Wastewater Systems.

Approximately 85% of critical infrastructure is controlled by the private sector (Gaines,

Kappeler, Kremling, 2019). Relationships between the firms, federal government, and state and

local police must be established to create layered protection and allow stakeholders to participate
 4
Protecting Critical Infrastructure
in developing a security system. The Department of Homeland Security, Department of

Agriculture, Department of Health and Human Services, Department of Defense, Department of

Energy, Department of Treasury, Department of Transportation, and The Environmental

Protection Agency are all involved in various sections of infrastructure protection. Coordinating

with these agencies are Sector Coordinating Councils (SCCs), Government Coordinating

Councils (GCCs), and Regional Consortium Coordinating Councils (RC3) (NIPP, 2013). It

takes data from each of these agencies to effectively create frameworks and guidelines that

coincide with each infrastructure source.

In 2013, The NIPP was revisited and amended to include more current information

regarding threat assessment, communications between agencies, reducing vulnerabilities, and

mitigating damage in the case of an event. Executive Order 13636, which directs the federal

government to work with critical infrastructure owners and operators to share information and

develop approaches to cybersecurity, inspired much of the change made to the NIPP in 2013

(White House, 2021). The increasing use of technology has created the need for more expansive

upgrades to the NIPP. Technology and wireless communication/controls within critical

infrastructure systems leads to more possibilities of a remote attack. Investing in cybersecurity

has proven to be an important step in asset protection. The NIPP is carried out by collaborating

organizations and agencies, CISA is the leading federal agency to do this. “CISA works with

businesses, communities, and government partners at all levels to provide training and other

tools and resources related to critical infrastructure security” (CISA, 2021). Part of their

responsibilities is to work directly with critical infrastructure holders to determine the most

effective security before and possibly after an attack or event. CISA is also tasked with sharing

information with public and private sectors in the event of an attack.

many forms of critical infrastructure, especially water systems. In February of 2021, the water

treatment plant in Oldsmar was hacked. An employee witnessed his computer accessing

chemical balance controls he did not authorize. The hacker was able to change the sodium-

hydroxide amount to a dangerous, and possibly lethal, level. This was able to be reversed by a

supervisor, but the chance for an attack was made evident. It was discovered that the protections

used by the water treatment plant were not strong enough and left gaps for a hacker to sneak

through (Cyberinsiders et al., 2021). Situations like this are more common amongst smaller

facilities that do not have as many resources to actively fight an attack or stop it in time. This

attack emphasized the importance of infrastructure protection and cybersecurity, no matter the

size of the network and system.

On July 16, 2021, the Florida Department of Economic Opportunity discovered that

57,920 unemployment claimants’ information had been accessed and possibly released to an

unknown party. In response, the DEO had to increase the network controls and purchase a year

of identity protection for the affected. This attack could potentially cause financial crisis and

ruin for these people. It also forced the DEO to pay for the protection of roughly 58,000

identities (WFLA 8, 2021). If the attack were to be recreated on a larger scale, the economic

effect could be detrimental to the state and long lasting. Protection of financial services and

information technologies for something as important as a state-wide benefit provider is essential.

Cybersecurity actions need to be updated frequently to help manage outside access and potential

weak spots. These programs are nation-wide and have the potential to effect millions of people

and cost millions, if not billions, in damage to the country.

Analysis
 6
Protecting Critical Infrastructure
Collaboration between levels of government, public and private sector entities, and

stakeholders is one of the largest areas of infrastructure security. NIPP describes a five-step

process of information sharing that is used between every party involved. It begins by

establishing the three areas of critical infrastructure which are physical, cyber, and human. It

then displays the order of information relay: set goals and objectives, identify structure, assess

and analyze risks, implement risk management activities, and measure effectiveness (NIPP,

2013, pg. 21). Interdependence across each level of government and public/private sector is the

primary way critical infrastructure protection is developed and carried out. Private sector

owners/operators collaborate with federal government counterparts and agencies is and will be

the leading means to advance security and resilience (NIPP, 2013).

Councils create connections between federal, state, local, and private agencies when

developing critical infrastructure protection. Every level of government is involved with the use

of Government Coordinating Councils (GCCs), Federal Senior Leadership Council (FSLC), and

the State, Local, Tribal, and Territorial Government Coordinating Council (SLTTGCC). Each of

the 16 sectors of critical infrastructure have a federal agency assigned to them as well. These

federal agencies have a better understanding of critical infrastructure and risks when developing

relationships with owners and vendors. Local, state, and federal legislation is created to further

protect critical infrastructure. This is done through executive orders and applications by agencies

involved in the issue at hand.

Critical infrastructure can be attacked or destroyed by internal and external organizations

or individuals. Many of these threats come from terrorist groups. Terror groups usually plan on

large-scale acts to cause mass destruction or death (Gaines, Kappeler, Kremling, 2019).

Attacking critical infrastructure is one way to follow through on such a plan. Domestic and
 7
Protecting Critical Infrastructure
foreign terrorist groups pose the biggest threats to critical infrastructure. Small scale terror-based

groups and individuals with personal vendettas are also responsible for interferences with and

destruction of resources.

Rioting, terrorism, bombing, theft, and financial crime, among many others, are some of

the approaches used to damage critical infrastructure. Physical resources and human assets are

the most likely to be affected by crimes such as rioting, bombings, and theft. Organized crime

and terrorism organizations are responsible for may of these events, but they are also guilty of

financial crime to raise funds (Gaines, Kappeler, Kremling, 2019). If terrorist groups were able

to freely access systems such as public health, emergency services, or government facilities, they

would be able to inflict harm on the entire country. The enemies to the US are clever and do not

have boundaries to stop their attempts. The technology and weapons are every changing, which

reinforces the importance of constantly upgrading and monitoring security measures used for

America’s critical infrastructure.

Alternatives

The policies in place were established to monitor security, practice risk assessment and

management, create frameworks for infrastructure security, and direct

communications/collaborations between agencies and sectors. Focusing on cybersecurity has

benefitted many aspects of critical infrastructure and increased protection for networks and

communications systems. Cybersecurity is proven effective, but only if the asset can make this

investment. Smaller, private infrastructure resources may not have the financial standing to

purchase the security systems that larger resources can. The gaps in cybersecurity make it easier

for enemies to gain access through the deteriorating systems (NIPP, 2013). The guidelines in

place rely on interdependence between agencies, private firms, and the federal government. This
 8
Protecting Critical Infrastructure
can create strong bonds and provide helpful information for infrastructure protection plans, but

also create opportunities for infiltration. Having to connect with various organizations at

different levels of influence can open the door to exploitation and weakened security. These

connections are also voluntary. This allows the owners and operators of infrastructure to have

private control, but also leaves room for corruption. There may be a lack of oversight in many

situations, allowing for serious mistakes to be made or intentional sabotage.

There is never ending research and tests being performed on critical infrastructure, which

helps to keep the security stronger. In recent history, President Trump issued an executive order

to address the issue of interference with infrastructure reliant on positioning, navigation and

timing (PNT). He gave federal agencies one year to develop a plan to test the possible

manipulation of these devices (Miller, 2020). Doing this pushed for a timely examination of

weak spots in technology related infrastructure, necessary to create plans for improvement.

Another example of revisiting current policies was the 2014 amendment made to the Homeland

Security Act of 2002. This action was the motion to include electromagnetic pulse (EMP) events

in the catalog of potential destructive threats (Congress, 2014). Adding onto existing legislation

and framework to become more inclusive to possible risks is the most effective way to ensure the

security of critical infrastructure.

I believe there are many successful procedures in critical infrastructure protection

programs, but there is also room to enhance these practices. Continued and increased training

for personnel working directly with critical infrastructure being one of the most important. An

aging workforce leads to vulnerabilities. Retiring operators are not always replaced with a

properly trained substitute, making risks and weak areas present where they may not have been

before (NIPP, 2013). CISA also offers training programs for private firms, operators, vendors,
 9
Protecting Critical Infrastructure
and federal employees, which can provide certification in the realm of homeland security and

critical infrastructure security (CISA, 2021). These training sessions are not universally

mandatory, which may allow untrained individuals in positions of responsibility they may not be

prepared for. Investing in recruitment and training of multicultural applicants to agencies and

firms is another area that could provide solutions to some problems facing homeland security.

There is a two-fold effect that occurs when this happens. An increased reach of homeland

security/critical infrastructure protection and interagency diversity which could provide an

understanding of cross-cultural intervention. Experience from many backgrounds and

multilingual associates help to develop more methods to facilitate communication and

collaboration between the public and the agencies responsible for critical infrastructure

protection.

Conclusion

Critical infrastructure is a very broad topic, touching nearly every public and private

resource. Protecting these resources is extremely important to the security of the US because of

the damage that can occur if any of these assets or systems are destroyed. There is extensive

legislation and frameworks in place to provide security for critical infrastructure. There is

ongoing communication and collaboration between federal, private, and public agencies involved

in these protection mechanisms. There are opportunities to improve upon the policies and

procedures in place, but there are very strong relationships which are managing risks and risk

assessment.
 10
Protecting Critical Infrastructure
References

Cyberinsiders, By, & Cyberinsiders. (2021, April 1). Learning from the Oldsmar Water
Treatment Attack to prevent critical infrastructure breaches. Cybersecurity Insiders.
Retrieved October 7, 2021, from https://www.cybersecurity-insiders.com/learning-from-
the-oldsmar-water-treatment-attack-to-prevent-critical-infrastructure-breaches/

Gaines, L. K., Kappeler, V. E., & Kremling, J. (2019). Homeland Security and terrorism.
Pearson.

H.R.3410 - 113th Congress (2013-2014): Critical ... (n.d.). Retrieved October 8, 2021, from
https://www.congress.gov/bill/113th-congress/house-bill/3410.

Infrastructure security. Cybersecurity and Infrastructure Security Agency CISA. (n.d.).

Miller, M. C. and M. (2020, February 12). Trump signs executive order to guard critical
infrastructure that relies on GPS. TheHill. Retrieved October 8, 2021, from
https://thehill.com/homenews/administration/482738-trump-signs-executive-order-to-
guard-critical-infrastructure-that

National Archives and Records Administration. (n.d.). Foreign policy cyber security executive
order 13636. National Archives and Records Administration. Retrieved October 7, 2021,
from https://obamawhitehouse.archives.gov/issues/foreign-policy/cybersecurity/eo-13636

National Infrastructure Protection Plan - Homeland Security. (n.d.). Retrieved October 8, 2021,
from https://www.dhs.gov/sites/default/files/publications/National-Infrastructure-
Protection-Plan-2013-508.pdf

WFLA 8 On Your Side Staff, & McLarty, C. (2021, July 24). Florida's unemployment site
hacked, 57,000 accounts involved in Data Breach. WFLA. Retrieved October 7, 2021,
from https://www.wfla.com/news/florida/over-57000-unemployment-accounts-involved-
in-florida-deo-data-breach/