What do you think is the most difficult of the 18 CIKR sectors to protect, and why? Course Textbook(s) Lewis, T. G. (2020). Critical infrastructure protectio

CYB 4303, Critical Infrastructure Protection in Cybersecurity 1

Course Learning Outcomes for Unit I Upon completion of this unit, students should be able to:

1. Evaluate the various sectors of critical infrastructure protection (CIP) in the United States. 1.1 Outline the critical sectors and infrastructures identified in the National Infrastructure Protection

Plan (NIPP).

4. Examine cybersecurity challenges within critical infrastructure protection (CIP) in the United States. 4.1 Discuss how the different catastrophe theories apply to Critical Information and Key

Resources (CIKR) systems. Required Unit Resources Chapter 1: Origins of Critical Infrastructure Protection Chapter 3: Theories of Catastrophe Unit Lesson

Introduction Over the last five decades, the world has become interdependent and interconnected both from a cyber- based and physical perspective. In the United States, the nation’s critical infrastructure has reached a high level of complexity encompassing not only one sector but also all sectors relying on each other to sustain essential economic and governmental operations. As the graphic below outlines, these sectors include the eight critical Infrastructure sectors: banking and finance, emergency law enforcement services, emergency services, energy, information and communication, public health services, transportation, and water supplies. Because of advances in technology and the necessity of needed efficiencies, these sectors, systems, and assets have become increasingly interlinked and automated.

UNIT I STUDY GUIDE Origins of Critical Infrastructure Protection

CYB 4303, Critical Infrastructure Protection in Cybersecurity 2

UNIT x STUDY GUIDE Title

Critical Infrastructure Protection (CIP) History

From where did the idea of critical infrastructure protection (CIP) come? The history of CIP goes back many centuries. In the 3rd century BC, the Chinese emperor, Qin Shi Huang, devised a system to protect and reinforce, in many strategic areas, the Great Wall of China. In key territories, a massive army of soldiers continuously maintained, fortified, and protected the wall. The Great Wall had thousands of guard towers distributed at specific intervals. In ancient Rome, Roman aqueducts were critical to Rome’s cities and thus developed protections to safeguard this critical infrastructure. Assante (2009) noted that the critical nature of the aqueducts is best understood by an inscription found in Lyons, France, regarding ancient Roman law, which states “By command of Emperor Trajanus Hadrianus Augustus, no one is permitted to plough, sow, or plant within the space determined for protection of the aqueduct” (p. 2). The Chinese and Romans understood the importance of protecting critical assets. The Chinese and Romans proactively addressed security when building their infrastructures. As an example, it is not insignificant that the first Roman aqueduct was built underground as a security measure as Figure 2 depicts (Assante, 2009). More recently, in 1963, John F. Kennedy created the National Communication System, or NCS, to facilitate the government’s ability to communicate during emergency scenarios. In 1979, the Federal Emergency Management Agency (FEMA) was established to

Banking & Finance •Banking & Stock Markets •Sector-specific agency: Treasury

Emergency Law Enforcement Services •Justice/FBI •Sector-specific agency: FBI

Emergency Services •Emergency Fire and Continuity of Government

•Sector-specific agency: FEMA

Energy •Electric Power, Gas and Oil production and

storage •Sector-specific agency: Energy

Information & Communications •Telecommunications and the Internet •Sector-specific agency: Commerce

Public Health Services •Public health, surveillance, laboratory

services, and personal health services •Sector-specific agency: HHS

Transportation •Aviation, Highways, Mass Transit, Rail,

Pipelines, Shipping •Sector-specific agency: Transportation

Water Supply •Water and its distribution •Sector-specific agency: Environmental

Protection Agency

Figure 1. Eight Critical Infrastructure Sectors (Lewis, 2020; 12019, 2012; Breher, 2015; LEEROY Agency, 2014; lkaika, 2015; Muhammad, 2018; Petra, 2009; Pexels, 2016; skeeze, 2015)

Figure 2. Roman aqueduct built underground as a security measure (Bukvoed, 2017)

CYB 4303, Critical Infrastructure Protection in Cybersecurity 3

UNIT x STUDY GUIDE Title

manage and coordinate events such as hurricane and earthquake hazard reduction. Terrorist events in the 1980s and 1990s led Bill Clinton to establish the President’s Commission on Critical Infrastructure in 1998 (Lewis, 2020). As illustrated in Figure 1, the commission’s work resulted in the identification of the eight critical infrastructure sectors in the Presidential Decision Directive 63 of 1998 (Lewis, 2020). The events of September 11, 2001 brought about significant changes and expansion of critical infrastructure protection. Following 9/11, the U.S. government expanded its security framework directives to protect additional areas at the state and local levels. According to Hart and Ramsay (2011), the National Strategy for Homeland Security was released in 2002, the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets and Homeland Security Presidential Directive 7 replaced PDD63 in 2003, and the publication of the National Infrastructure Protection Plan (NIPP) was released in 2006 with major revisions introduced in 2009. In 2003, Homeland Security Presidential Directive 7 was authorized to replace PDD63. Homeland Security Presidential Directive 7, in essence, expanded the protected critical sectors to 13 areas and added five key resource areas making it 18 Critical Infrastructure and Key Resources (CIKR) sectors (Hart & Ramsay, 2011). The additional critical sectors included agriculture and food, defense industrial base, national monuments and icons, chemical, commercial facilities, critical manufacturing, dams, nuclear power plants, information technology, and postal and shipping (NIPP, 2013).

Critical Information and Key Resources (CIKR) The interconnectedness of the nation’s critical sectors has introduced vulnerabilities at many levels. Vulnerabilities are present stemming from natural disasters, human error, and equipment failures as well as physical attacks and cyberattacks over communication lines. Lewis (2020) stated that because of the multifaceted nature of critical infrastructure protection (CIP), security of these sectors is a difficult task.

The National Infrastructure Protection Plan (NIPP) identifies critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters” (NIPP, 2013, p. 7). The NIPP also expanded the original eight sectors defined by PDD63 to 18 as depicted in Table 1 below. The original eight are shown in orange with the expanded sectors shown in purple.

Agriculture and Food Water Nuclear Reactors Defense Industrial Base Chemical Information Technology Energy Commercial Facilities Communications Healthcare and Public Health Critical Manufacturing Postal & Shipping National Monuments & Icons Dams Transportation Systems Banking and Finance Emergency Services Government Facilities

Table 1. Eighteen critical infrastructure and key resource (CIKR) sectors (NIPP, 2013, p. 9) As we will cover throughout this course, each CIKR sector has physical, human, and cyber elements. The impact of each element within each sector and associated vulnerabilities vary from sector to sector. Many sectors, such as energy, water, and government structures, are heavily reliant on physical components while others, such as information technology, communications, and transportation systems, have mostly cyber elements. The air traffic control (ATC) system, as an example, relies heavily on technology to function. According to the Critical Infrastructures 2003 Report from Congress, the ATC system handles around 3.5 million aircraft movements per month (Moteff, Copeland, & Fischer, 2003). Air transportation systems in the world including major hubs in the United States rely heavily on computer systems, making them vulnerable to

CORE CONCEPTS

Critical Infrastructures refer to systems such as communication, transportation, waterway, and financial systems as well as assets such as nuclear plants and major airports so vital to the economy and security of the United States that their failure or destruction would have an incapacitating impact on the country (NIPP, 2013).

CYB 4303, Critical Infrastructure Protection in Cybersecurity 4

UNIT x STUDY GUIDE Title

cyberattacks. The same can be said for electrical power systems, water supplies, banking and finance systems, and emergency services.

Cybersecurity Cybersecurity is the protection against the criminal or unauthorized use of electronic data. Because critical infrastructures make up the backbone of our nation’s economy, health, and security, it stands to reason that they need protection. Approximately 85% of the critical infrastructures are owned by the private sector, which makes protection of assets a more complex endeavor (Lewis, 2020). Barack Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity because critical infrastructures are so essential to national economic security and national public health and safety. “It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats” (The White House: Office of the Press Secretary, 2013, para. 5). The National Infrastructure Protection Plan (NIPP) outlines how government and private sector participants work together to manage risks and achieve security and resilient outcomes.

Policy Critical infrastructure protection (CIP) starts with policy. All CIP activities take place within policy, laws, strategy, and plans. Policies and laws provide the authority to implement CIP as written in the Homeland Security Act of 2002. This act is a mandate to provide the Department of Homeland Security with the proper authority and assign reporting agencies and policy to establish a framework for the dissemination and sharing of information affecting critical infrastructures and key resources (Hart & Ramsay, 2011). Other important presidential directives outlining policy regarding CIP include the Homeland Security Presidential Directives (HSPD). Of these, HSPD 7 is critical in understanding CIP. HSPD 7 “establishes a national policy for federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks” (Department of Homeland Security, 2003, para. 3).

Summary Critical infrastructure protection (CIP) started long before the events of 9/11. Plans for the protection of key resources had been proposed, and some implemented, as early as the 1960s. The 9/11 events just accelerated the proposals already in process as well as identified other areas critical to national security. As the course progresses, we will examine CIP, its history, and the nation’s CIKRs, including an overview of the different elements and their impacts within each sector. While there are many cross-sector interdependencies to review, we will concentrate on the dependencies of the different sectors as they relate to information technology and the Internet with a focus on highly complex computer-controlled systems. Last, we will also discuss the major agencies created by the government and their roles in protecting CIKRs. For this unit, the chapter reading introduces you to the origins of critical infrastructure protection and to the theories of catastrophe.

References 12019. (2012). Surgery-operation-hospital [Photograph]. Pixabay. https://pixabay.com/en/surgery-operation-

hospital-79584/ Assante, M. J. (2009). Infrastructure protection in the ancient world. Cite Seer X.

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.401.7316&rep=rep1&type=pdf Breher, T. (2015). Bank note Dollar USD US-dollar money funds bills [Photograph]. Pixabay.

https://pixabay.com/en/bank-note-dollar-usd-us-dollar-941246/ Bukvoed. (2017). Mey-Kedem-H [Photograph]. Wikimedia Commons.

https://commons.wikimedia.org/wiki/File:Mey-Kedem-H-14309.jpg

CYB 4303, Critical Infrastructure Protection in Cybersecurity 5

UNIT x STUDY GUIDE Title

Department of Homeland Security. (2003). Homeland Security Presidential Directive 7: Critical infrastructure identification, prioritization, and protection. https://www.dhs.gov/homeland-security-presidential- directive-7

Hart, S., & Ramsay, J. D. (2011). A guide for Homeland Security instructors preparing physical critical

infrastructure protection courses. Homeland Security Affairs, 7(1). 1-27. https://search-proquest- com.libraryresources.columbiasouthern.edu/docview/1266215283?accountid=33337

LEEROY Agency. (2014). Antenna tower transmission communication [Photograph]. Pixabay.

https://pixabay.com/en/antenna-tower-transmission-498438/ Lewis, T. G. (2020). Critical infrastructure protection in homeland security: Defending a networked nation (3rd

ed.). Wiley. lkaika. (2015). Pipe water plumbing industrial construction [Photograph]. Pixabay.

https://pixabay.com/en/pipe-water-plumbing-industrial-1159854/ Moteff, J., Copeland, C., & Fischer, J. (2003). Critical infrastructures: What makes an infrastructure critical?

Federaltion of American Scientists. https://fas.org/irp/crs/RL31556.pdf Muhammad, F. (2018). Emergency room hospital ambulance rescue Houston [Photograph]. Pixabay.

https://pixabay.com/en/emergency-room-hospital-ambulance-3323451/ NIPP (2013). U.S. Department of Homeland Security, National Infrastructure Protection Plan. Department of

Homeland Security. https://www.dhs.gov/sites/default/files/publications/national-infrastructure- protection-plan-2013-508.pdf

Petra. (2009). MI promotion Sasketchewan prairie oil production [Photograph]. Pixabay.

https://pixabay.com/en/mi-promotion-sasketchewan-prairie-1044575/ Pexels. (2016). Train transportation platform railroad metro [Photograph]. Pixabay.

https://pixabay.com/en/train-transportation-platform-1285288/ skeeze. (2015). Police highway patrol SWAT team California CHP [Photograph]. Pixabay.

https://pixabay.com/en/police-highway-patrol-swat-team-755410/ The White House, Office of the Press Secretary. (2013, February 12). Executive Order-Improving critical

infrastructure cybersecurity [Press release]. https://obamawhitehouse.archives.gov/the-press- office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity

Suggested Unit Resources In order to access the following resources, click the links below. In the textbook, Figure 3.3 shows how the sand pile experiment simulates a landslide (Lewis, 2020, p. 49). The Lewis Sandpile video shows an animation of these tables changing during the experiment. Note that there is no audio in this video. In the textbook, Figure 3.4 shows diagrams of three Tragedy of Commons scenarios (Lewis, 2020, p. 53). The Lewis Tragedy of the Commons video in the list found here shows an animation of these tables changing over time. Note that there is no audio in this video. In the textbook, Figure 3.6 shows two diagrams of an electric power grid Tragedy of Commons, with increasingly fragile power grid due to inadequate transmissions (Lewis, 2020, p. 55). The Lewis Transmission video shows an animation of these tables changing over time. Note that there is no audio in this video.