The Ultimate Guide to Securing Critical Infrastructure

This month marks 16 years since the horrible attacks of 9/11. That unforgettable event brought the issue of critical infrastructure protection (CIP) to the forefront of a national debate.

Not long after, a number of investigations took place. Early on, President George W. Bush told the nation that our intelligence gathering organizations had failed us.

And when you consider the attack method used, who would have ever guessed that jet airliners could be utilized in this manner to create so much destruction?

In the wake of 9/11, the Department of Homeland Security (DHS) was created. Someone had to organize and publish action plans, bring relevant parties together from both private and public sectors, train and advance the readiness of all concerned stakeholders, as well as act as a clearing house for all pertinent information.

The result was the formulation of what DHS calls its National Infrastructure Protection Plan (NIPP) 2013. It’s important professional security integrators understand key components of DHS’ NIPP.

The simple fact is the ultimate success of this plan is truly dependent on how well the physical security industry performs beside that of IT and other trades. Let’s delve into some of that knowledge needed by security integrators to get involved in CIP, what areas are mission-critical, and other considerations for making inroads into this specialty market.

How Integrators Fit Into the Picture

It isn’t all that difficult for most sizable security integrators to enter the world of government CIP. The first and most important thing is that the technical staff must have a solid understanding of the systems and components that go into typical CIP.

Second, office staff must have knowledge of DHS requirements so they can routinely provide the necessary accreditations and certifictions. Project managers and engineers must also be capable of understanding requests for information (RFIs) and request for quotes (RFQs) while responding to the rules set forth by relevant governing bodies. (See slideshow.)

“The key is to have a solid understanding of physical security principles and how to apply them to the environment in question. Understanding areas that can/must be controlled, the level of control required, and how to monitor, enforce and respond in an accident to mitigate risk and comply with industry standards,” says Sharon Shaw, client development manager with Tech Systems of Buford, Ga.“It’s not just about technology. It’s about using the technology to serve a specific purpose and achieve a certain objective.”

How does an integrator know what’s expected of its company? According to Robert Mitchell, a former security integrator and current director, government practice & law enforcement with surveillance manufacturer IC Realtime, the integration plan usually works from a blueprint and specifications.

There will be times when an integrator will be tasked with designing the system — larger ones like Tech Systems may assume this role more often than smaller firms because due to hiring individuals who possess the necessary credentials — or hiring an engineer to do it.

In the latter case, the integrator must know how to write an agnostic request for proposal (RFP) in order to keep the playing field mostly even, but leaning toward the equipment the designer wants to use in order to win the bid.

The question remains, does DHS provide direct input on what the security integrator must do?

“We’re not an engineering firm but we do work with our clients to lay out locations of devices and design an integrated system that meets their requirements and corporate guideline,” says Rick Tampier, senior director – sales & product strategy with Boca Raton, Fla.-based Red Hawk Fire & Security.

“Typically we don’t work directly with DHS. We follow the requirements of the owner/operator but offer our experience and knowledge, such as advising a power company on the newest NERC [North American Electric Reliability Corp.] requirements.”

Mitchell agrees with Tampier regarding the common DHS/integrator relationship. “It is a rare occasion when there is a direct interface between the integrator and the DHS threat assessor. In some rare instances the assessor is called in for clarification,” Mitchell says.

“This all depends on whether or not the site is designated a DHS AOI [area of interest]; in most cases the DHS threat assessment is provided to the stakeholder, owner/operator, with the ‘recommended target hardening.’ The integrators usually work with the owner/operator and or the engineer to provide a solution that will meet the needs of the threat assessment.”

The Department of Homeland Security identified 16 critical infrastructure areas in its National Infrastructure Protection Plan 2013 document, including transportation, nuclear reactors, dams and water systems, and more potential jobsites for security integrators.

NIPP’s 16 Critical Infrastructures

Now that you have a basic understanding of the participation and process considerations for protecting America’s most important critical infrastructures (CIs), here’s a look at the types of facilities, markets and coverage areas in which you may be working.

DHS identifies 16 CIs in its NIPP 2013 document:

• Chemical industry
• Commercial facilities
• Communications
• Critical manufacturing
• Dams
• Defense industrial base
• Emergency services
• Energy
• Financial services
• Food and agricultural
• Government facilities
• Healthcare and public health
• Information technology
• Nuclear reactors, materials and waste
• Transportation systems
• Water and wastewater systems

Integrators entering the CIP sector might be wondering, which of these 16 might be considered the most difficult to secure?

“In my opinion, power grids are most frequently attacked within the national infrastructure. This was not because of terrorism, but rather theft of commodity copper which posed as a multilayered threat to the grid and liability of the power authority being attacked,” says IC Realtime’s Mitchell. “Not only does this type of theft have the possibility of taking down the grid itself, but it opens the possibility of a lawsuit by a bad actor.”

There have been numerous cases of death by electrocution because the copper they selected was energized, he notes. The families of those electrocuted have been known to sue the power authority because they failed to keep the deceased out of harm’s way.

Also contained within the NIPP is the understanding that the majority of the nation’s CIs are owned and controlled by the private sector while this nation’s largest players on the national and global scene is that of the federal government and SLTT (state, local, tribal and territorial) governments.

It’s important that all stakeholders work together in order to assure the safety and services of all concerned, especially the general public — the NIPP 2013 was created for that purpose.

Cyber Addressed, but Not Clear-Cut

One thing is for sure, the more integrated a security system is with other systems within the structure, the more comprehensive the protection will be. DHS is well aware of this and has called on security integrators to keep cybersecurity clearly in mind when designing physical security.

“The integration of physical and cyber security planning is consistent with Executive Order 13636, Improving Critical Infrastructure Cybersecurity, which directs the Federal Government to coordinate with critical infrastructure owners and operators to improve information sharing and collaboratively develop and implement risk-based approaches to cybersecurity,” the NIPP 2013 plan states in its Executive Summary.

“In describing activities to manage risks across the five national preparedness mission areas of prevention, protection, mitigation, response, and recovery, the National Plan also aligns with the National Preparedness System called for in Presidential Policy Directive 8 [PPD-8], National Preparedness.”

However, although DHS calls for an integrated approach where it comes to cybersecurity, nowhere in the NIPP 2013 or any other document does it specify the degree or method of such integration.

“It actually states that the infrastructure shall protect cyber in both the government and private sector as a ‘partnership’ but not as an integrated solution with the physical aspect,” says Mitchell. “This actually is a shortcoming for the NIPP. There should be specific language that calls for full integration to be complete integration on all aspects of security.”

For example, if the access control system in an established and participating critical infrastructure facility shows a specific user to be out of the building, yet that user’s identification is used to access the computer terminal in his office, security personnel should be made aware of the discrepancy in real-time.

It could point to espionage within the organization’s rank and file. Mitchell believes there should be additional safeguards built into the security aspects of building and cybersecurity, integrating them in such a manner that it’s nearly invisible.

In the above case, until the access control system shows the user logged in with a valid credential, along with the user’s ID entered at the PC in his office, access to the terminal should be declined.

This kind of integration requires both access control login at the door and authentication at the PC. The above method would solve the issue of outside hackers somehow getting into the same terminal.

But what about cases where outside access is provided for employees who often work on the run? Access to the same terminal should be handled using VPN (Virtual Private Network) and a password for access to the company LAN (Local Area Network) firewall, for example.

Additional security measures can be implemented to solve the issue of outside hackers getting in, such as virtual servers and next-generation firewalls, to name a couple.

Today’s DHS continues to be the party of record that bears much of the responsibility for CIP, along with FEMA, ANSI, NIST, the SLTTs, and everyone in the private sector. This is especially true of IT and security integration companies.

Every one of us plays a significant role in protecting a good chunk of the 16 CIs identified by DHS. The name of the game is communication and the goal is the general prevention of events like 9/11.

If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!

Related Content

Global Security Operations Centers: Trends and Opportunities in 2024 and Beyond

Security Customers Push Integrators to Be Long-Term Partners, Not Just Salespeople

Genetec Underlines Dealer Centricity, Hybrid Approaches at Global Press Summit ’24

Security Industry Forecast: Experts Chime in, Sharing Expectations for 2024 and Beyond