By Sandy Smith
The critical infrastructure of the United States includes the assets and systems that, if disrupted, would threaten our national security, public health and safety, economy and way of life. Although the industries, services and systems that make up our country's critical infrastructure can be found in both the public and private sectors, the Department of Homeland Security (DHS) estimates that more than 85 percent falls within the private sector.
In February 2003, the United States released the "National Strategy for Physical Protection of Critical Infrastructures and Key Assets." The strategic plan addresses the threat of terrorist acts in the United States by asking critical infrastructure owners and operators to "identify and assure the protection of key assets and services within their jurisdictions." The document identifies a clear set of goals and objectives, defines roles and responsibilities and identifies major initiatives that will drive protection efforts for public health and safety, national security, governance, economy and public confidence.
The plan identifies critical infrastructures for agriculture and food, water, public health, emergency services, defense industrial base, telecommunications, energy, transportation, banking and finance, the chemical industry and postal and shipping. It also addresses national monuments and icons, nuclear power plants, dams, government facilities and commercial key assets.
According to the strategic plan, the objectives that underpin efforts to protect the critical infrastructure of the country include:
- Identifying and assuring the protection of those infrastructures and assets that are deemed most critical in terms of national-level public health and safety, governance, economic and national security and public confidence questions;
- Providing timely warning and assuring the protection of those infrastructures and assets that face a specific, imminent threat; and
- Assuring the protection of other infrastructures and assets that may become terrorist targets over time by pursuing specific initiatives and enabling a collaborative environment in which federal, state and local governments and the private sector can better protect the infrastructures and assets they control.
As the national strategy states: "Homeland security, particularly in the context of critical infrastructure and key asset protection, is a shared responsibility that cannot be accomplished by the federal government alone. It requires coordinated action on the part of federal, state and local governments; the private sector; and concerned citizens across the country."
9/11 and Risk Levels
Everything changed on September 11, says Michael Assante, vice president and chief security officer for American Electric Power (AEP). "That was a watershed event. Everyone started talking about critical infrastructure security, but there was not a clear definition of the threats, the assets to be protected and how service could be disrupted and what that meant financially and the impact on public safety."
He says management at AEP quickly realized that the company had to do more than talk about the need to develop infrastructure security: it had to take action. Security and risk management functions were elevated in importance, and a senior executive position was created to oversee them. The company began to identify assets based on whether they were critical, essential or important, says Assante, and tiers of risk were created. "We had to identify what had an acceptable level of risk, and if the level was unacceptable, what we could do to drive that level down."
Infrastructure security for AEP includes protecting physical assets, information assets, employees and business continuity. Risk scores for various scenarios – ranging from natural disasters to corporate espionage to terrorist acts – are assigned based on whether the asset is critical, essential or important and the likelihood that asset would or could be placed at risk.
The company must rely on reports from DHS and other agencies to tailor its security measures to respond to risks. "If we hear that Al-Qaeda is targeting the electrical sector in the United States, then that drives the risk scores up," says Assante. "It's all based on the probability of our structures and assets being targeted. The greater the likelihood, the higher the risk score."
He notes that groups like Al-Qaeda tend to go for two types of large targets: symbolic ones, like the World Trade Center, and targets that would have a gross economic impact if destroyed or taken off-line. There are precedents for attacks on power providers, he adds. In 1996, the Provisional IRA came close to succeeding in a plan to disrupt the power grid around London. More recently, a plot was uncovered to disrupt the power grid of Sydney by a Pakistani member of Al-Qaeda.
But, as it now stands, "We get a lot more strategic than actionable intelligence," says Assante. "There are not enough information-sharing devices. I'm a former intelligence officer, so I know what questions to ask and with some of the answers, I think, 'What if I'd never asked that question? What if I didn't know to ask that question?'"
That's a problem, he adds, because not everyone in charge of security [at critical sites] is a former intelligence officer and has the connections he has. "We have relationships built with law enforcement agencies, and we get access to information that other companies don't get," Assante acknowledges.
He adds that specific intelligence about threats is extremely important to utility companies when looking at detection and response "along thousands of miles of lines, unmanned substations and other critical assets."
Vague warnings – such as "Al-Qaeda is targeting infrastructure assets" – are really not helpful, says Assante. But specific information, such as "Al-Qaeda is targeting utilities in the Midwest," is helpful. "The more information we get about the threat, the state, the region, the area, the better," he says. "We need to know: What is the threat to the U.S. infrastructure, and, specifically, to energy and electric power utilities."
Chief Polly Hanson of the Washington, D.C. Metropolitan Transit Police says that much of that transit system was built before crime prevention via environmental design was a factor. Now, she says, a push is on to perform "target hardening" – such as including police officers in the reviews of architectural plans; keeping strategic doors locked; utilizing alarm systems; adding bomb-mitigating trash cans; providing better personal protective equipment for employees; and adding recording devices to security monitors.
"Back in the '70s, when a lot of the monitoring systems were installed, VCRs cost $1,000 – a lot of money at the time. Now, we record what our monitors have always seen," says Hanson.
"Security costs money," she adds. "It's the responsibility of the property holder to build that in. There is a hesitancy to do from the beginning what you're probably going to have to do later."
The Metro Transit Police did not wait until 9/11 to begin identifying risks to the system. Hanson says the Aum Shinrikyo sarin gas attack on the Tokyo subway system in 1995 and the July 27, 1996, bombing at Centennial Olympic Park in Atlanta by Eric Rudolph – who has since confessed and pled guilty to that and other deadly bombing attacks in order to escape the death penalty – raised alarms within many venues and systems where public safety and large numbers of passengers or participants are factors.
Risks to transportation security and service in Washington, D.C., could include terrorist acts, demonstrators marching on the Capitol or thousands of people riding public transportation to attend the opening day of the Washington Nationals.
"The stadium is in close proximity to our station, so that posed a particular type of concern," Hanson says. Security was tight that day since an attack could have had both a symbolic and economic impact, as well as a large casualty toll.
Unlike a power plant or other type of property where trespassers are easily spotted and security measures can be taken to keep them away from critical assets, a transit system is open to just about anyone who buys a ticket. Hanson says the Metro Transit Police have enlisted the help of all transit system employees – including maintenance personnel, custodians, train operators and others – to help identify passengers who are acting in a suspicious manner. In fact, said Hanson, the transit authority has leveraged all of its assets, including passengers. An "Is that your bag?" campaign alerted passengers to be wary of unattended packages and bags and report them to a transit employee. That means 700,000 pairs of eyes on the lookout for anything suspicious.
She said that when the Department of Homeland Security issues an alert for the Washington, D.C. area, all public entities – the police, fire, emergency response, public utilities and the Metro transit authority – communicate and leverage their various resources.
"Communication and partnerships, with our employees, with federal and local response agencies and with our passengers, is key" to protecting the system, says Hanson.
Partnerships have been key in another American city's efforts to reduce crime and protect the infrastructure.
One Infrastructure Protection Project
The city of New Orleans is employing a new, high-tech approach to fighting crime and boosting security by deploying a network of Sony Electronics' Internet Protocol (IP)-based SNC-RZ30N cameras as the "eyes" of a surveillance system designed to provide infrastructure protection and increased crime-fighting capability. The system incorporates the latest in networking, wireless communications, telecommunications and fiber optics, entailing a collaborative effort between the city and several partners.
"Leveraging cutting-edge technology to find creative, cost-effective solutions has been a top priority in my administration," says Mayor C. Ray Nagin. "With this system in place, it will be like virtual police patrolling our streets, deterring and fighting crime."
The cameras are configured into systems that are mounted high on power poles above city streets, and have the power to pan, tilt and zoom to help police identify and apprehend criminals. Many of these cameras are currently watching over crime "hot spots" throughout the Sixth Police District in New Orleans.
The powerful IP cameras can read a license plate from hundreds of feet away, and feature remote-controlled pan/tilt/zoom, a 25X optical zoom lens, day/night and wireless capabilities. Essentially, the cameras can "walk a beat." Images captured on the street are digitized and sent via the city's network to a main server archive for Internet-based monitoring from any location – whether it's police headquarters or a patrol vehicle.
"The surveillance cameras are virtual police officers out on the street corners in high-crime areas," said Detective Mike Carambat of the New Orleans Police Department. "When we investigate a crime captured by the surveillance cameras, those cameras become a cop who has already done a greater part of the investigation. Plus," he said, "these surveillance cameras give us the perfect witness – a witness that will never tell a lie, has total recall and will always cooperate with the police throughout the investigation and prosecution."
The cameras bring New Orleans "both defense in depth for high-priority hard and soft homeland security targets along with a huge increase in crime reduction capability," said Colonel Terry Ebbert, director of homeland security for New Orleans. "Our ability to protect citizens and structures just received an unbelievable boost."
The New Orleans security camera initiative brought together a range of technologies and companies to make the project work. Southern Electronics, the project's general contractor, put together a team of technology partners to deploy the system.
"There were basically three technologies that we had to integrate in this project. The first was finding a camera that had the ability to communicate from an IP standpoint on an Ethernet network. The second was getting the cameras mounted on a light pole powered by the public power grid. And the third was finding a network and the capability of bringing those camera images back to the district stations," said Iggie Perrin, president of Southern Electronics and project coordinator.
Another unique aspect of the New Orleans citywide security project is its adopt-a-camera program, which brings in citizens as partners in the project. The city has set up a Web site (www.iseecrime.com) that allows citizen groups, neighborhood organizations, businesses, churches and other community organizations to adopt a camera. The program allows organizations to pay for a camera and place that camera in a location of their choice. This initiative establishes a partnership with community groups to help fund the program and broaden the city's security canopy by increasing the number of cameras rolled out under the program.
Other Partnerships in Action
In June 2004, the U.S. Department of Homeland Security, in partnership with local private sector and the Federal Bureau of Investigation, launched the first Homeland Security Information Network-Critical Infrastructure (HSIN-CI) Pilot Program in Dallas, Texas. Locally operated pilot programs in Seattle, Indianapolis and Atlanta soon followed. The pilot program operated throughout the course of the year to determine the feasibility of using this model for other cities across the country.
The HSIN-CI pilot program, modeled after the FBI Dallas Emergency Response Network, expands the reach of the department's Homeland Security Information Network (HSIN) initiative – a counterterrorism communications tool that connects 50 states, five territories, Washington, D.C., and 50 major urban areas to strengthen the exchange of threat information – to include critical infrastructure owners and operators in a variety of industries and locations, as well as first responders and local officials. As part of the HSIN-CI pilot program, more than 25,000 members of the network have access to unclassified sector-specific information and alert notifications on a 24/7 basis.
"HSIN-CI connects our communities – the government community to the private sector community to the law enforcement community – the better we share information between our partners, the more quickly we are able to implement security measures where necessary," said then-Secretary of Homeland Security Tom Ridge at the time the program was announced.
The HSIN-CI network allows local and regional areas to receive targeted alerts and notifications in real time from the department's Homeland Security Operations Center (HSOC) using standard communication devices including wired and wireless telephones, e-mail, facsimile and text pagers. The network requires no additional hardware or software for federal, state or local participants. The technical capacity of the network includes the ability to send:
- 10,000 outbound voice calls per minute
- 30,000 simultaneous inbound calls through an information hotline
- 5,000 simultaneous e-mail messages
- 3,000 simultaneous facsimile transmissions.
In addition, the HSIN-CI network, in partnership with the FBI, provides a reporting feature that allows the public to submit information about suspicious activities through the FBI Tips Program that is then shared with the department's HSOC.
Homeland Security Information Network-Critical Infrastructure is governed and administered by local experts from the private and public sector with the support of regional coordinators. The four pilot communities have also established Infrastructure Advisory Panels to assist in the administration and overall governance of the program locally; to manage counter-terrorism and public safety information sharing; and to review and validate HSIN-CI applications.
The pilot program allows local users to provide a unique perspective on the areas' vulnerabilities, activities and response plans along with the locally known representatives from agencies involved in incident management and response. The HSIN-CI Pilot Program is part of the ongoing efforts by the Department of Homeland Security and other federal agencies to improve information sharing and collaboration among all of those involved in strengthening homeland security.
"We believe that this program builds relationships that are critical in providing a more secure environment for local communities and the nation," said Zalami Azmi, chief information officer, Federal Bureau of Investigation. "This program expands the department's efforts to share information and build relationships that will be crucial in the event of an emergency that is either a terrorist threat, man-made or natural disaster."