Wednesday, March 21, 2007

Critical Infrastructure Protection Plans: An Update

There's new information regarding this post from December.

GAO has updated its survey of critical infrastructure planning and preparations. According to the National Infrastructure Protection Plan (NIPP), the various critical infrastructure councils (e.g., telecommunications, public health, etc.) were supposed to submit their protection plans at the end of December 2006.

The good news? They all made the deadline:

All the sectors met the December 2006 deadline to submit their sector-specific plans to DHS, although the level of collaboration between the sector and government councils on the plans, which the NIPP recognizes as critical to establishing relationships between the government and private sectors, varied by sector. Issuing the NIPP and completing sector plans are only first steps to ensure critical infrastructure is protected.

In its earlier reporting, GAO commented that sectors with long histories of collaboration and information-sharing, typically due to more significant regulation (e.g., banking, nuclear power), were much farther ahead than sectors without such a history (e.g., public health).

For those sectors, an ongoing problem has been a lack of trust, and trust is always the basis for effective collaboration and information-sharing:

Challenges most frequently cited included the lack of an effective relationship with DHS as well as private sector hesitancy to share information on vulnerabilities with the government or within the sector for fear the information would be released and open to competitors. GAO’s past work has shown that a lack of trust in DHS and fear that sensitive information would be released are recurring barriers to the private sector’s sharing information with the federal government...

Building trust takes time, of course. But on the other hand, you don't need permission from DHS to build relationships with others when you have a common interest.

So far, only one sector - transportation - has not formed a council. However, the separate transportation modes have done so:

As of March 2007, the transportation systems sector had yet to form a sector council, but a DHS Infrastructure Protection official said each transportation mode—such as rail, aviation, and maritime—has established a sector council.

(On the subject of the transportation sector, it's worth noting that DHS itself has yet to produce a required risk assessment of the entire transportation sector, as indicated in this post from a couple of weeks ago.)

And even though the plans have been submitted, and are currently being reviewed by DHS, there is a long way to go:

Like the NIPP, these plans are only a first step; they are to lay out how the sector will identify its most critical assets and resources and what methodologies each will use to assess risks, but are not required to address how the sector is actually assessing risk and protecting its most critical assets.

I found this tidbit especially noteworthy:

Council members cited as a key facilitating factor the fact that some sectors had prior plans that they could update to satisfy NIPP requirements. For example, the energy sector had developed a protection plan in anticipation of the Year 2000 (Y2K) computer threat, and that process was beneficial in developing its sector-specific plan for the NIPP.

In other words, if you make risk management a part of what you do - and you establish relationships and share information with others who share common interests - when there is a need to band together and develop solutions, you will be much better prepared. This applies to more than just critical infrastructure sectors. This applies to everyone. Luck favors the prepared.
