Showing posts with label Critical Infrastructure. Show all posts

Thursday, July 10, 2008

Terrorists and the Energy Infrastructure: What's the Risk?

In a brief paper published under the auspices of the Naval Postgraduate School, Dr. Michael Mihalka and Dr. David Anderson analyze the risk of catastrophic terrorism targeting the energy infrastructure. They argue that the risk is relatively slight when compared to other threats:

The threat from and effect of transnational terrorism [to the energy sector] is much less than many pundits have argued. In essence, the transnational terrorism poses a challenge well within the parameters of natural events and the ability of the current security system to handle.

Well, we must remember that the prime threat to the security of supply in the short-term perspective is not terrorism, or even politics. It's Mother Nature.
It's certainly true that a terrorist group would really have to "go big" to replicate the kind of disruption to the energy sector that Hurricanes Katrina and Rita caused.

Energy is one sector in which the ability to respond and recover can be a real deterrent. A primary goal of any direct attack on energy infrastructure would be economic. But if the economic damage is mitigated by resiliency in the sector, then there's less rationale for the attack.



Friday, January 11, 2008

On Risk, Soft Targets, Vulnerability, and The Big Picture

Good stuff from Bob Baylor in Losantiville, whose wide-ranging post deals with risk assessment, soft targets, and the efficacy of interdiction efforts (including "see something..." programs discussed a couple of days ago at HLS Watch and right here).

Using the example of a fictional county commissioner who must prioritize projects, Bob writes:

Often as the saying goes it’s the squeakiest wheel that gets the grease. Prioritization of projects may make sense from a fiscal point of view, however it does not change the fact that many other vulnerabilities may exist but due to a lack of funding must be left until sufficient dollars become available. By addressing vulnerabilities in such a manner, the county commissioner in this example could be increasing the likelihood that their community may be attacked.

Tacticians regardless of their motivations and allegiances look for areas of weakness in their enemies' defenses to exploit. Major homeland security projects will call the potential terrorists' attention to which structures have been protected and by default which ones have not.

In one sense ... hardening one area against attack may provide the inspiration needed to divine the true area of vulnerability.
Granted, this assumes a relatively high level of sophistication on the part of the adversary. But as we have seen in the past, some terrorist groups are capable of such sophistication.

But regardless of the level of sophistication of the adversary, it's true that they'll try to exploit the areas of vulnerability that they perceive can be successfully attacked. U.S. forces in Iraq have dealt with this problem, as insurgents there constantly shifted locations, targets, and modes of attack.

Bob describes how this tendency to seek softer targets can affect risk:
Going back to my example of the county commissioner, efforts to insure vital areas and critical infrastructures are protected could drive a terrorist to plan an attack from an adjacent location. The location may not have sufficient funding nor have the same risk associated as their neighbor.

For instance, the city water supply may originate from a remote area outside the county and thus susceptible to attack. Taking steps to protect water supplies may cause terrorist planners to note other targets such as power substations, fiber optic cables, or agricultural areas.
Viewed in this light - as an effort to protect targets vs. an effort to exploit them - it's a never-ending game of cat and mouse. Which leads to a few thoughts:

1. Protecting vulnerable assets, in and of itself, is a necessary but never sufficient approach to homeland security. You simply cannot protect everything all at once.
2. Trade-offs are necessary; assessing and managing risks are critical to homeland security.
3. You have to take other steps to detect and deter. Protection is only one element of prevention. You have to deter adversaries and pre-empt their activities, too.
4. Risk assessment should look beyond jurisdictional borders. Regional thinking is vital, as I suggested in this post a few days ago about the Bay Area's new Regional Emergency Coordination Plan. Because urban, suburban, and rural areas are interlinked with infrastructure networks, what occurs in one can affect the others. Because we are a nation of networks, a given jurisdiction may not have direct control over some of the assets that make it vulnerable.

This is why, as Bob suggests, regional thinking ought not be limited to response, but should extend to prevention as well. A vulnerability in one section of the network can have a widespread effect on the entire network, because all critical infrastructure networks include choke points and critical nodes. As the recent GAO report on maritime security pointed out:
[T]he liquified natural gas (LNG) facility in Everett, Massachusetts is the only facility importing LNG in the Northeast. LNG is very important to the Northeast during heating season because natural gas movement into the Northeast is constrained during the winter because existing pipelines to New England are fully utilized.

A report prepared by the Power Planning Committee of the New England Governor’s Conference, Inc., concluded that if LNG from the Everett facility and satellite operations elsewhere in the region is not available on a peak winter day, the region could have insufficient gas supply to meet the needs of all customers for space heating and some key electric generators. An attack that damages the Everett LNG facility during a cold winter could result in natural gas shortages or price spikes.
Clearly the Everett LNG facility is a critical - and easily recognized - node in the energy supply system of the Northeast. But what other critical nodes affect the Northeast?

Thinking more locally: What critical infrastructure networks are present in your jurisdiction? Oil and gas pipelines? Telecommunications? Electricity? Agriculture?

Now the big questions: Are there any critical nodes in these networks, within the boundaries of your jurisdiction? If so, exactly how critical are those nodes? What would be the impact of losing one of those critical nodes? (Remember the cascading failures of the 2003 Northeast Blackout?)

Are there critical nodes of networks that lie in other jurisdictions, whose loss would cause harm within your own jurisdiction? Water reservoirs? Power stations? Communications assets? Critical transportation assets (e.g., bridges)?

Unless these questions are asked, communities put themselves at greater risk. As Bob puts it:
Too often communities implement systems to reduce terrorist attacks but do so in a vacuum without looking at how such actions may fit into larger strategic plan.
Only when you start looking beyond jurisdictional boundaries does a true understanding of risk become apparent.

Wednesday, August 15, 2007

Got Infrastructure?

A thought regarding the continued dust-up in New York over the Buckeye Pipeline:

"Sections of this pipeline are located in areas not visible to routine police and security patrols," Rasinya said in his testimony to representatives of the state Senate and the Police Department, the Mayor's Office of Emergency Management, the American Red Cross and local Civilian Emergency Response Teams.

Right now, the pipeline is protected only by a broken Cyclone fence that is easy to break through or hop over.
Putting aside the question of the seriousness of this particular plot, the attention on the pipeline raises a legitimate question for local emergency preparedness and response personnel:

What are the critical infrastructure elements in your community?

The US is criss-crossed with critical infrastructure networks. Besides fuel and natural gas pipelines, are there key nodes in the electric grid? Key chokepoints in the transportation and shipping network (e.g., bridges, tunnels, distribution centers)? Telecommunications hubs? Aqueducts? Financial centers?

These questions apply to all-hazards preparedness, not just terrorism preparation and prevention. Knowing the critical infrastructure nodes translates into better opportunities for prevention, as well as improved response and recovery.

Tuesday, April 24, 2007

What Chertoff Said

DHS Secretary Michael Chertoff said a few things worth noting in a recent speech to the Sacramento Chamber of Commerce. Mostly it's stuff he has said before, but it's good every once in a while to take note of what the guy in charge is saying. So...

On public/private collaboration:

[Emergency preparedness] has to be a public/private partnership because most of the assets and employees which are threatened in any situation, whether it's a potential terrorism attack or a natural disaster, most of those assets and employees are in private hands. ... And therefore, this is really an area where partnership is very important.
On risk management:
[I]n this world, you cannot eliminate risk. ... What we have to do is manage risk.

What do we mean by risk? Well, we look at three things. We look at threats, we look at vulnerabilities, and we look at consequences. We try to weigh where the threats are, where we are most vulnerable, and, perhaps most important, what would the consequences be if a particular threat came to pass.
On viewing security as an investment, rather than a cost:
[T]here is a very important business case to be made with respect to investments in homeland and national security. After all, a good part of what you need to do when you invest your resources in producing economic activity is to protect your investment. You've got to protect your assets, you've got to protect your employees, you've got to protect your business processes and your good will.

And therefore, investment in protection of infrastructure or people against all kinds of threats is very much at the core of your business mission, and that's why I think there is a real confluence of objectives here between government and its responsibility to protect the country, and you as business leaders in your obligation to protect your own investments.
On rail security:
[W]e have focused on the most significant risks to our rail transportation system. One of those is the risk of transportation of hazardous chemicals ...

At the end of last year, we issued a proposed regulation that will require major railroads to improve the monitoring of rail cars that carry toxic inhalation chemicals. Rail companies have to make sure these cars are not left unattended in rail yards, especially where they are near major cities or population centers. They have to be able to track the whereabouts of these cars at all times, and then they have to put these rail cars on the safest, economically practicable routes.

This regulation also illustrates another key element of the way we approach these problems, because it was developed working in partnership with the rail industry and the chemical industry at every step of the process, so that we did have a fair, intelligent and not hysterical risk-based strategy. We didn't simply propose these regulations unilaterally.
This is a pretty sunny summary. Actually, the rules on chemical plant security are quite contentious. (See these posts). And DHS still needs to complete a comprehensive risk assessment of the rail sector. (See these posts.)

The new rules are great for tracking the location of hazardous chemicals on the rails, but railroad companies have only five minutes to share this information with DHS. When local authorities get the information is a different question - and perhaps a more important question, given that local first responders are the ones who have to deal with any incident. And a lot of local communities need better information and preparation regarding their local rail risks. (See this post.)

On emergency preparedness:
[U]nder our National Infrastructure Protection Plan, which is how we work with the private sector to decrease the vulnerabilities in private sector infrastructure, we're developing specific plans to heighten protection for infrastructure in areas like agriculture, drinking water facilities, and dams.
Well, yes. But based on these comments, you'd think the process was smooth and remarkable only for its exemplary collaboration between the public and private sectors. But it hasn't really been that smooth, in part because DHS needs to do a better job of collaborating with the sectors. (See these posts for full details, but here's a notable quotable: "...a lack of trust in DHS and fear that sensitive information would be released are recurring barriers to the private sector’s sharing information with the federal government.") So the plans are getting put into place, but DHS does need to do a better job of listening to its public sector partners.
[P]reparation in advance for the unthinkable, gives you a leg-up in being able to respond when the unthinkable actually comes to pass.
No argument there. Nicely said.

Philosophically, I think Chertoff's emphasis on managing risks, working with private sector partners, and imagining the unimaginable is on target. The sticky parts come when you try to implement policies. Resistance and lack of trust can gum up the best laid plans. That, I think, is DHS' biggest challenge.

Wednesday, April 11, 2007

Protecting the Food Sector: How Is DHS Doing?

Even more housecleaning: In February, DHS' Office of the Inspector General (OIG) published an analysis of DHS' role in defending the food sector, which is one of the critical infrastructure sectors identified in the National Infrastructure Protection Plan (NIPP).

The OIG's analysis is lengthy and comprehensive, resulting in 16 recommendations. My review will be selective, focused only on a couple of those recommendations. First, some background on OIG's report:

This report examines DHS activities relating to post-harvest food, and focuses on prevention, protection, preparedness, and detection efforts.

There are four main limitations in DHS’ related efforts.
  • First, DHS must improve internal coordination.
  • Second, DHS needs to engage its public and private food sector partners more effectively.
  • Third, DHS could do more to prioritize resources and activities based on risk.
  • Finally, DHS must fully discharge its food sector responsibilities.
The report makes clear that the risk to the food sector is real:
Food products may be deliberately contaminated with chemical, biological, or radiological agents. In 2003, the FDA wrote that, “If an unintentional contamination of one food … can affect 300,000 individuals, a concerted, deliberate attack on food could be devastating, especially if a more dangerous chemical, biological, or radionuclear agent were used.”
The effects could be significant:
The Centers for Disease Control and Prevention (CDC) estimates that the United States experiences 76 million illnesses, 325,000 hospitalizations, and 5,000 deaths from unintentional food contamination each year. Recent USDA estimates place the annual cost of premature deaths caused by a single common foodborne illness, salmonellosis – an illness resulting from infection with Salmonella bacteria – at over $2.1 billion.

Commentators on the subject have observed that an adverse food sector event could also reduce state and local governments’ ability to maintain order and deliver essential services. A major food contamination event could engender public panic on a local or mass scale, depending on the affected food product and population, and media coverage of the incident.
As I indicated, the OIG made 16 recommendations, but I'm going to focus on the ones that deal with DHS' relationships with other agencies and the food industry. My two emphases will be collaboration and information sharing.

Collaboration

The OIG report clearly indicates that DHS needs to improve its collaborative relationships. Everyone is not singing from the same songbook:
Vibrant cooperation and support between government and the private sector are needed to fully understand vulnerabilities, study possible consequences, prepare for threats, and implement mitigation measures.
One major complication to effective collaboration is the sheer size and complexity of the food industry:
The post-harvest food industry accounts for 12% of the nation’s economic activity and employs more than 10% of the American workforce. It consists of enormous subsectors, including business lines addressing processing, storage, transportation, retail, and food service. Statistics on just two of these subsectors serve to illustrate the magnitude of the sector.

The National Restaurant Association projects that the industry’s 925,000 U.S. locations will reach $511 billion in sales for 2006, serving over 70 billion “meal and snack occasions” for the year. Meanwhile, the nation’s $460 billion food retail business consists of more than 34,000 supermarkets, 13,000 smaller food markets, 1,000 wholesale club stores, 13,000 convenience stores, and 28,000 gas station food outlets.
Regulatory systems are equally complicated, encompassing all levels of government:
Regulation of the food industry is divided between federal, state, and local agencies. State, territorial, and local governments conduct oversight of food retail and food service establishments within their jurisdictions. These levels of government oversee restaurants, institutional food service establishments, and hundreds of thousands of food retailers. Within the federal government, primary responsibility for food safety rests with two agencies. The Food Safety and Inspections Service of the U.S. Department of Agriculture (USDA) oversees the processing of red meat, poultry, and processed egg products. The Food and Drug Administration (FDA) of the Department of Health and Human Services (HHS), in turn, regulates the processing of virtually all other food products. In addition to these two, several other federal agencies provide oversight of food processing, distribution, and retail.
But this complexity makes effective collaboration even more critical:
External coordination is essential for DHS to succeed in executing its responsibilities for food defense and critical infrastructure protection. Relationships with food sector partners are important because of the operational control and regulatory sway that they have with the sector. Related input from public and private sector partners is particularly valuable in light of DHS’ limited food sector experience. Partnerships with governmental entities are also vital because DHS shares so many food sector responsibilities.
To that end…
The Food Information Sharing and Analysis Center (Food ISAC) was established in February 2002…

According to industry representatives, the Food ISAC distributed some useful threat and vulnerability information to food industry associations and firms in 2002 and early 2003. By mid 2003, however, DHS’ Office of Infrastructure Protection had concluded that, as implemented, the Food ISAC was not well-suited to serve the department’s full range of information sharing and analysis objectives.
…and in 2003 many of the functions of the Food ISAC were moved to other newly created organizations …
In August 2003, Office of Infrastructure Protection managers assembled more than 200 food and agriculture sector representatives to discuss the department’s vision for information sharing and coordination. According to the Office of Infrastructure Protection, the assembled sector representatives were then given the opportunity to develop a new organizational structure. Two bodies emerged from this DHS-facilitated process – the Food and Agriculture Government Coordinating Council and the Food and Agriculture Sector Coordinating Council.
Meanwhile, the Food ISAC's output was not effectively replaced. A potentially valuable collaborative partnership was being spoiled:
By spring 2006, the Food ISAC’s contact with the government had deteriorated to the extent that, according to the ISAC, it did not have a dedicated DHS point of contact. This has contributed to a decline in the volume and scope of information disseminated to industry by the ISAC. Industry representatives reported that the flow of information from the ISAC to the private sector had declined, and that this decline had not been offset by increased information flow from other sources.

Instead of drawing on the food industry’s post-9/11 momentum on critical infrastructure protection efforts, DHS effectively alienated the ISAC’s leadership and disengaged from its operations. Meanwhile, as we discuss later, the coordination and information sharing mechanisms DHS instituted to address the ISAC’s limitations have been slow to develop and are only partially successful.
Meanwhile, as DHS was working to establish the two new councils, another problem was developing. According to food industry personnel, there was a lack of cooperative spirit:
Past and present council members attributed this sluggish start to DHS. They reported that DHS had taken a “top-driven” approach to its critical infrastructure protection leadership role, and that this detracted from the vitality of the councils and sapped the cooperative spirit from the process.

This approach reportedly created a difficult environment for the growth of collaborative efforts and did little to foster productive working relationships with industry leaders and government experts. Several council participants we interviewed said that DHS needed further growth as a business partner.
In its work with the councils, DHS in some ways acted more like a boss than a partner:
Early Sector Coordinating Council and Government Coordinating Council meetings did not foster efforts to formulate policy, and when DHS solicited the ideas and recommendations of council members on policy matters, the solicitation process was sometimes regarded as flawed. One limiting factor for policy development during meetings was a shortage of time to comment on draft documents. Some Sector Coordinating Council members reported that their association members generally did not comment on DHS drafts because they were provided insufficient time to do so. This made it hard for food associations to communicate their members’ concerns. DHS may have thus lost out on important insights from major components of the nation’s food sector.
And the results were less than optimal - a view which is furthered by GAO reporting on the National Infrastructure Protection Plan (NIPP). See this post for a summary of GAO's recent findings.
[NIPP] Sector-Specific Plans, which are authored by the Sector-Specific Agencies, discuss how each sector will address infrastructure protection. While DHS reportedly developed the Sector-Specific Plan template over the course of a year, it allowed the Sector-Specific Agencies just two months to complete their draft Sector-Specific Plans. This was an especially challenging task because the Sector Specific Agencies were asked to consult with their stakeholders as part of the Sector-Specific Plan formulation process. As a result, staff from the Sector-Specific Agencies indicated that Draft Sector-Specific Plans were assembled hurriedly and were not as valuable as they could have been.
As a result, the councils have also slumped …
Frustration with the slow pace of council progress and disenchantment with DHS’ management style and level of engagement may have led to declining participation in the Government Coordinating Council. Our analysis of Government Coordinating Council meeting minutes shows a difficulty achieving what the Council’s charter calls a “decision-making quorum.”
… and they're feeling unneeded …
[D]uring the crisis following Hurricane Katrina, the Federal Emergency Management Agency was asked to attend a joint session of the councils, but did not do so. The councils were an untapped resource that could have been more involved in getting food and bottled water to affected citizens. We were told that, due to DHS’ perceived unresponsiveness, companies used their own connections to provide food assistance to hurricane victims.
So, what's the answer for DHS? The same as it was in the beginning - foster trusting relationships. Collaboration is not a simple transactional relationship. It is built on mutual respect and trust – and it takes time.
DHS’ ability to foster and maintain a positive relationship with the coordinating councils will do much to determine the department’s overall effectiveness in providing leadership, coordination, and support of food defense efforts.

Information Sharing

There are also issues with information sharing between DHS and the food sector. One problem deals with the ever-troubled Homeland Security Information Network (HSIN):
The Homeland Security Information Network Food and Agriculture portal is a web-based tool for sharing threat and analytical information with sector representatives. DHS engaged food sector representatives in the design and online layout of the portal starting in October 2004. More than a year-and-a-half later, these discussions were still ongoing.
Another problem? Redundancy:
While food sector representatives were aggrieved by the portal’s early stage of development, [the OIG is] concerned that the HSIN's Food and Agriculture portal may essentially duplicate an FBI effort. A limited access web community with information on threats, vulnerabilities, and protective efforts related to the food and agriculture sectors, the FBI’s AgInfraGard became operational in March 2006. As described by the FBI and food sector representatives with access to the web community, much of AgInfraGard’s content is similar to that of the Homeland Security Information Network’s portal. The FBI believes its system is developing more quickly than the Homeland Security Information Network’s and has greater capability for information exchange. Meanwhile, according to one FBI analyst, the DHS system “takes information but it doesn’t give a lot.”
A different struggle has arisen regarding the type of information to share. In trying to analyze the food sector, DHS has focused on identifying assets. But they're not getting the full information on food assets:
As of January 2006, the National Asset Database had information on 77,069 infrastructure assets around the nation. Of those, 6,486 assets, or eight percent, were listed as relating to the post-harvest food sector.

Despite the broad geographic distribution of food industry assets and the prevalence of major food processing, transit, retail, and service facilities in all major U.S. cities, all but 2 of [the 20 most populous U.S.] counties had fewer than ten food assets listed in the National Asset Database.
One problem: Information about food assets is not being fully shared among federal agencies:
One reason data limitations such as these persist is that the Office of Infrastructure Protection has been unable to exploit existing federal information about food industry assets. Office of Infrastructure Protection staff reported that, in one case, this was the result of the FDA’s unwillingness to share information. Office of Infrastructure Protection staff advised us that they had sought the registered food facility list that FDA is required by law to maintain, but said that FDA had resisted sharing this information.
A bigger problem may be that analyzing systems, not assets, is probably the most appropriate means of analyzing the food sector:
The USA PATRIOT Act defines critical infrastructure to include systems and assets, yet the National Asset Database emphasizes assets. To date, the most advanced step by DHS to define parts of the food system has been the development of a sector taxonomy to support the classification of National Asset Database assets.

Industry and federal partners…held that DHS had focused too intently on assets, and devoted too little thought and energy to understanding the food sector as a system.
It doesn't have to be that way. Other federal agencies use a systems approach to analyze the food sector:
USDA and FDA ... focus their vulnerability and consequence assessments on particular industry subsystems and food products, rather than on particular assets.
And private sector representatives agree:
Food sector representatives said that DHS’ asset-orientation would result in an understatement of food sector risk for three reasons.
  • First, they perceived that the DHS’ focus on assets led the department to emphasize the effects of asset destruction over asset exploitation. As discussed earlier, the greatest concern to many in the food sector relates to the exploitation of the sector to distribute intentionally adulterated foods.
  • Second, food sector representatives pointed out that important links in the food supply chain are not easily captured in an asset-based model.
  • Finally, food sector representatives expressed concern that DHS’ asset-orientation would lead it away from an understanding of the second- and third-order effects of a food contamination incident. In focusing on a particular food industry asset, they believed DHS would lose perspective on upstream and downstream consequences of an incident affecting that asset. For example, contamination at a processing facility might not just affect that facility.
Accordingly, to grasp the second- and third-order effects of an adverse food event at a single facility, DHS must first understand that facility’s place within the food supply chain and larger economic system.
The OIG suggests, once again, better dialogue. The risk to the food system is not going to be fully understood unless DHS casts a wide net and listens to its partners.
A more effective dialogue between DHS and its partners is needed to address concerns about asset exploitation, assets that do not have fixed coordinates, and system-wide impacts that the malevolent exploitation of food sector assets might have.
Without effective collaboration and information sharing, risk analysis and resulting interventions are not likely to be optimally effective.

Wednesday, March 28, 2007

Governor's Guide to Homeland Security

The National Governors Association (NGA) recently released A Governor's Guide to Homeland Security, the purpose of which is:

...to provide governors with an overview of their homeland security roles and responsibilities and to offer some guidance on how to approach issues such as mutual aid, information sharing, obtaining assistance from the military, and protecting critical infrastructure.
Essentially the document is a primer on preparation and response. It assumes that the reader is generally unfamiliar with many planning and response mechanisms, so it spends a lot of time describing these. It's useful for anyone who wants an overview of emergency preparation and response from the state-level perspective.

Some portions of the guide are worth highlighting, though, mostly because they describe efforts to collaborate and share information. Most interesting is the description of some public-private partnerships. While the guide points out that ...
Partnering effectively with the private sector to improve disaster preparedness and response is an area of emergency management that has begun to receive attention only recently.
... and ...
Thus far, most public-private partnerships in the area of emergency preparedness and response exist at the local, rather than at the state, level.
... there is a real need, and some real benefits, to collaborating with the private sector - especially with owners of critical infrastructure assets:
Governors should work closely with the private sector to develop emergency response and risk communications plans for incidents affecting privately owned systems or infrastructure. Forging a trust-based relationship between emergency response officials and the private sector is essential to ensure effective security preparations, including accurate vulnerability assessments and the integration of private-sector emergency response plans with those of government agencies.

During the 2004 hurricane season, Florida utilities sent representatives to the state emergency operations center (EOC) and to local government EOCs. Other utility officials were available by telephone or other communications systems. As a result, emerging problems were capable of being solved at the local level by officials who felt empowered to make critical decisions and then report what they had accomplished.
Within government, the need for information sharing remains great:
A lack of information sharing can be an obstacle to implementing an effective homeland security strategy. The fragmented nature of data collection and incident reporting among state, local, and federal law enforcement agencies hinders their ability to connect information that may point to terrorist plots or other ongoing criminal activity, and the private sector—which owns a significant amount of data and an estimated 85 percent of the nation’s critical infrastructure—often is not connected to the homeland security intelligence and information-sharing networks.
So far, efforts to share information about potential threats and responses have largely been funneled through state fusion centers (which I've previously discussed here, here, here, here, here, and here). The guide briefly describes how a few of these fusion centers operate:
Arizona’s fusion center, known as the Arizona Counter-Terrorism Information Center (ACTIC), opened in 2004 as the state’s central analysis hub for real-time crime and terrorism-related intelligence and information. ACTIC is staffed with more than 200 detectives, special agents, analysts, and other personnel representing 34 state, local, and federal agencies. ACTIC also includes a complete integration of the FBI’s Joint Terrorism Task Force (JTTF).

Georgia’s Information Sharing and Analysis Center (GISAC) has an analytical and investigatory role. Each investigator is assigned an analyst, and officials report regular contact between investigators and their assigned analysts to share information.

The Illinois Statewide Terrorism Intelligence Center (STIC) includes analysts and representatives of agencies dealing with narcotics, sex offenses, violent crimes, and motor vehicle theft. ... In 2005, the Illinois STIC colocated its facility with the state emergency operations center.

In 2006, North Carolina opened its Information Sharing and Analysis Center (ISAAC). The ISAAC serves as the focal point for collection, analysis, and dissemination of information on possible terrorist and criminal threats. ... ISAAC staff collaborate to analyze information from a variety of sources, including tips from the public, public records such as driver’s license and vehicle registration records, and national law enforcement databases.
Because collaboration among agencies is also vital, the guide also describes some of the intrastate mutual aid organizations that states have set up:
Several states already had, or have since developed, state-wide mutual aid programs. In April 2002, for example, Iowa introduced a voluntary statewide mutual aid program known as the Iowa Mutual Aid Compact (IMAC). Modeled on the national Emergency Management Assistance Compact, IMAC establishes a system through which political subdivisions can help each other during disasters that have been declared either by local officials or by the governor.

Kansas has a similar statewide mutual aid system, created in the 2006 Kansas Intrastate Mutual Aid Act. The act provides for a system of intrastate mutual aid between participating political subdivisions in cases of declared disasters as well as during drills and exercises in preparation for such disasters.

In Illinois, meanwhile, the fire service developed and implemented a mutual aid system that began in the northern part of the state but has since expanded to all of Illinois, southern Wisconsin, and parts of Indiana. The Mutual Aid Box Alarm System (MABAS) comprises hundreds of fire departments and provides an orderly system for dispatching fire and emergency medical service equipment and personnel to fires, accidents, or other incidents. ... The system is managed through geographic divisions by which local fire departments can access assistance. From its inception, MABAS included procedures for ensuring the integration of assisting personnel and equipment into the local command structure.
Also regarding mutual aid, the guide points out that all 50 states are now part of the Emergency Management Assistance Compact (EMAC):
The National Governors Association has endorsed EMAC and, in 2006, Hawaii became the 50th state to join the compact, which also counts District of Columbia, Puerto Rico, and the U.S. Virgin Islands among its members.
However, the experience of Hurricane Katrina shows that EMAC remains unfamiliar to some local and federal agency personnel:
Out-of-state teams were able to reach affected areas of the Gulf Coast efficiently through EMAC deployments. However, their integration with response crews already on the ground was complicated by the fact that many local officials, and some federal officials, were unfamiliar with EMAC and questioned or rejected the credentials of the EMAC-deployed teams.
In addition to intrastate mutual aid and EMAC, states can also see benefits from regional organizations:
Similarly, governors should consider working together to develop strategies for managing events that affect regions of the country. In some regions, this already is taking place. The Pacific NorthWest Economic Region (PNWER), which comprises Alaska, Idaho, Montana, Oregon, Washington, and the Canadian provinces of Alberta, British Columbia, and the Yukon, created a partnership for regional infrastructure security to develop a regional protection, preparedness, and response plan for dealing with infrastructure-related emergencies.
In 2006, Arizona Governor Janet Napolitano signed a memorandum of understanding with California Governor Arnold Schwarzenegger, Texas Governor Rick Perry, and New Mexico Governor Bill Richardson that will enable the four southwest border states to share unclassified and classified intelligence information to provide better security along the border.
One thing that affects states' ability to choose various options for homeland security is the underlying structure of their homeland security organizations. The guide points out that states have chosen one of three main structures:

Homeland Security Advisor with Committee/Coordinating Council: Some governors have appointed homeland security advisors or directors to provide direct counsel to and speak on behalf of the governor on matters related to homeland security. [T]he advisor often chairs a committee — made up of representatives of relevant state agencies, including public safety, the National Guard, emergency management, public health, and others—charged with developing preparedness and response strategies. [Examples: Maryland, Nebraska, Washington]

Department of Homeland Security: [G]overnors are beginning to create state departments of homeland security that have the statutory authority to oversee operations as well as to develop all-hazards approaches to mitigation, preparedness, and response. [Examples: Alabama, Arizona, Delaware, Indiana]

Homeland Security Functions Under Existing Agencies: In many states, the homeland security functions have been assigned to an existing agency, such as public safety or the military department. Generally, these homeland security advisors, at a minimum, coordinate response resources and activities across the various state agencies, and in many cases, they have planning and budgetary authority. [Examples: Florida, Idaho]

Wednesday, March 21, 2007

Critical Infrastructure Protection Plans: An Update

There's new information regarding this post from December.

GAO has updated its survey of critical infrastructure planning and preparations. According to the National Infrastructure Protection Plan (NIPP), the various critical infrastructure councils (e.g., telecommunications, public health, etc.) were supposed to submit their protection plans at the end of December 2006.

The good news? They all made the deadline:

All the sectors met the December 2006 deadline to submit their sector-specific plans to DHS, although the level of collaboration between the sector and government councils on the plans, which the NIPP recognizes as critical to establishing relationships between the government and private sectors, varied by sector. Issuing the NIPP and completing sector plans are only first steps to ensure critical infrastructure is protected.
In its earlier reporting, GAO commented that sectors with long histories of collaboration and information-sharing, typically due to more significant regulation (e.g., banking, nuclear power), were much farther ahead than sectors without such a history (e.g., public health).

For those sectors, an ongoing problem has been a lack of trust - which is always the basis for effective collaboration and information-sharing:
Challenges most frequently cited included the lack of an effective relationship with DHS as well as private sector hesitancy to share information on vulnerabilities with the government or within the sector for fear the information would be released and open to competitors. GAO’s past work has shown that a lack of trust in DHS and fear that sensitive information would be released are recurring barriers to the private sector’s sharing information with the federal government...
Building trust takes time, of course. But on the other hand, you don't need permission from DHS to build relationships with others when you have a common interest.

So far, only one sector - transportation - has not formed a council. However, separate transportation modes have done so:
As of March 2007, the transportation systems sector had yet to form a sector council, but a DHS Infrastructure Protection official said each transportation mode—such as rail, aviation, and maritime—has established a sector council.
(On the subject of the transportation sector, it's worth noting that DHS itself has yet to produce a required risk assessment of the entire transportation sector, as indicated in this post from a couple of weeks ago.)

And even though the plans have been submitted, and are currently being reviewed by DHS, there is a long way to go:
Like the NIPP, these plans are only a first step; they are to lay out how the sector will identify its most critical assets and resources and what methodologies each will use to assess risks, but are not required to address how the sector is actually assessing risk and protecting its most critical assets.
I found this tidbit especially noteworthy:
Council members cited as a key facilitating factor the fact that some sectors had prior plans that they could update to satisfy NIPP requirements. For example, the energy sector had developed a protection plan in anticipation of the Year 2000 (Y2K) computer threat, and that process was beneficial in developing its sector-specific plan for the NIPP.
In other words, if you make risk management a part of what you do - and you establish relationships and share information with others who share common interests - when there is a need to band together and develop solutions, you will be much better prepared. This applies to more than just critical infrastructure sectors. This applies to everyone. Luck favors the prepared.

Friday, March 09, 2007

Cyberterror Risk

In January the Congressional Research Service reported that the risk of cyberterror may be growing:

Persistent Internet and computer security vulnerabilities, which have been widely publicized, may gradually encourage terrorists to continue to enhance their computer skills, or develop alliances with criminal organizations and consider attempting a cyberattack against the U.S. critical infrastructure.

Reports indicate that terrorists and extremists in the Middle East and South Asia may be increasingly collaborating with cybercriminals for the international movement of money, and for the smuggling of arms and illegal drugs.

To date, the Federal Bureau of Investigation (FBI) reports that cyberattacks attributed to terrorists have largely been limited to unsophisticated efforts such as email bombing of ideological foes, or defacing of websites. However, it says their increasing technical competency is resulting in an emerging capability for network-based attacks. The FBI has predicted that terrorists will either develop or hire hackers for the purpose of complementing large conventional attacks with cyberattacks.
The integration of physical attacks with cyberattacks is important to consider. If cyberterrorists were to take down a communication network as an isolated incident, it would be annoying and costly - but not earth-shattering. But on the other hand, if cyberterrorists were to take down the same communication network in conjunction with a physical attack, it could hinder the response and amplify the effects of the attack:
Many security experts also agree that a cyberattack would be most effective if it were used to amplify a conventional bombing or CBRN attack. Such a scenario might include attempting to disrupt 911 call centers simultaneous with the detonating of an explosive device.
Terrorist recruiting also relies on the Internet:
The Internet is now used as a prime recruiting tool for insurgents in Iraq. Insurgents have created many Arabic-language websites that are said to contain coded plans for new attacks. Some reportedly give advice on how to build and operate weapons, and how to pass through border checkpoints.
There are also links between more common criminal activity and terrorism. Most notably, drug trafficking:
Officials of the U.S. Drug Enforcement Agency (DEA) reported in 2003 that 14 of the 36 groups found on the U.S. State Department’s list of foreign terrorist organizations were involved in drug trafficking. ... Drug traffickers are reportedly among the most widespread users of computer messaging and encryption, and often have the financial clout to hire high level computer specialists capable of using steganography (writing hidden messages contained in digital photographs) and other means to make Internet messages hard or impossible to decipher.
Terrorists need money to fund their operations and often turn to illegal activities as sources of cash. This is an ongoing vulnerability for them.

Wednesday, January 03, 2007

The Threat to the Energy Infrastructure

The National Governors Association recently released a report on the threat to the nation's energy infrastructure, both natural and man-made. The report provides a number of recommendations that state-level executives can follow to manage the risk. The suggestions were generally not surprising - work with other states and the energy industry, develop response and recovery plans, etc.

I thought some of the more interesting information in the report dealt with the threat itself:

The nation’s diffuse energy infrastructure—with many pipelines and transmission lines running through sparsely populated areas and electricity substations sited in remote areas—makes the industry susceptible to sabotage by international terrorists, loosely organized home-grown movements, lone-wolf extremists, and common thieves and vandals. Documents discovered in Afghanistan and elsewhere since the September 11, 2001 terrorist attacks indicate that al Qaeda has targeted energy infrastructure, particularly nuclear power plants and oil and gas infrastructure in the United States and Saudi Arabia, as part of a campaign to disrupt the U.S. economy and inflict mass casualties.

[E]xperts warn switching systems that control electrical substations could be vulnerable to sabotage and, if damaged, are expensive and difficult to replace. … Should a number of critical switching stations come off line, entire segments of the grid could be affected for weeks.

In fact, significant terrorist attacks against electrical systems are common in other parts of the world. In Colombia, for example, the electrical grid is a favorite target of the Revolutionary Armed Forces of Colombia (FARC). Shortly before the country’s May 2006 presidential elections, a FARC bombing of the electrical grid serving the port city of Buenaventura left the city in darkness for days.
The energy sector in general, and the electric grid in particular, are highly exposed. It's important for local first responders to know the vulnerable points in the network in their area.

Tuesday, December 05, 2006

GAO: Critical Infrastructure Protection Progress Status

The GAO recently released a review of the nation's critical infrastructure protection plans. The plans are generally not as comprehensive as they really ought to be at this point.

One of the big problems is that the National Infrastructure Protection Plan (NIPP) was released 18 months late, in June 2006.

The NIPP is a base plan that is to serve as a road map for how DHS and other relevant stakeholders should use risk management principles to prioritize protection activities within and across sectors in an integrated, coordinated fashion. The NIPP also requires the individual sector-specific agencies to submit plans to DHS by the end of December 2006 detailing the application of the national plan’s core elements to each of their respective sectors.
With only 6 months to work with the NIPP, a number of infrastructure sectors have not been able to develop their plans at a high level of detail or specificity. The GAO found that all of the sectors are working on it, but their work varies widely. The NIPP relies on a collaborative model in which sector councils and government councils guide the sharing of information and development of plans to manage sector risks, but at this time, not all councils are created equal:
Each of the infrastructure sectors has established government councils, and voluntary sector councils have been formed in response to the recommended NIPP partnership model for all sectors except transportation systems. The characteristics and levels of maturity vary significantly across the sectors.
In general, the GAO found that the sectors in which there is a long history of regulation and sharing information have done by far the best job of organizing themselves and developing plans.
The more mature councils, including banking and finance and telecommunications, were able to focus on strategic activities, such as developing plans on how to resume operations as soon as possible after a disaster. In contrast, the newer councils—including public health and healthcare and commercial facilities—were still focusing on identifying key stakeholders and members, developing charters, and getting organized.

Representatives from 13 government and 10 sector councils agreed that having prior relationships—either formally between the federal government and the private sector based on regulatory requirements, or informally within and across industries—facilitated sector-specific plan development.
Some councils have struggled with sharing information, mostly due to distrust:
Representatives with six government and five sector councils noted that the private sector continues to be hesitant to provide sensitive information regarding vulnerabilities to the government as well as with other sector members due to concerns that, among other things, it might be publicly disclosed.

This report, as well as our past work, demonstrates that many private sector partners do not trust the government enough yet to share information on their security vulnerabilities.
DHS has set up an advisory council to deal with the sectors' hesitance in sharing information, but it's not yet clear if the new council is working:
To address this concern about public disclosure of sensitive information and to enhance information sharing, in March 2006 DHS created the Critical Infrastructure Partnership Advisory Council—open to members of all councils—that is exempt from the Federal Advisory Committee Act, but it is too soon to determine if this council has promoted more sharing.
Trust is significant, as has been widely documented. The GAO correctly focuses on personal relationships:
We reported that trust was critical to overcome members’ reluctance to disclose their weaknesses, vulnerabilities, and other confidential or proprietary business information, but that trust had to be built over time and through personal relationships.
For local first responders, these principles apply as well. Recognizing the threat to critical infrastructure is something that may take time, but it is effort well spent if the result is better preparedness and response.