Critical Infrastructure Vulnerability:
An Overview Of The Report To The President From The Commission On Critical Infrastructure Protection

By Geary W. Sikich
Principal
Logical Management Systems, Corp.
Center for Crisis Management Studies
P.O. Box 1998
Highland, IN 46322
Tel: (219) 922-7718
Fax: (219) 922-7719
E-Mail: GSikich@aol.com

"A deadlier world in the 21st Century....

Are you prepared? A small spark, a large explosion, or a misinterpreted phrase - you never know what will trigger activation of your crisis management plan."

Imagine the following scenario. A foreign government, at odds with the U.S. over sanctions imposed on it, targets one of the U.S.'s critical infrastructures; specifically, the petrochemical industry. Its goal: disruption of the critical infrastructures that drive the American economy. However, there will be no bombs raining down from the sky or explosions caused by saboteurs; no, there will be devastation of a different kind.

Using a new breed of warrior, the information warrior, the foreign government hacks into the systems of the various oil companies that control the flow of petrochemical products throughout the U.S. Once in, the hackers begin to alter the data and operational codes of systems that control the flow of raw materials and finished products. They are patient in their nefarious enterprise. For all intents and purposes, the systems that control the flow and processes seem to be operating within parameters. Then, one day, without warning, control room operators at refineries, petrochemical facilities, pipelines and terminals begin to experience a variety of problems: valves that do not operate, gauges that give false readings, systems that begin to shut down for no apparent reason. Soon confusion turns into panic; panic into chaos. Tankers cannot unload raw materials. The flow of products in pipelines is disrupted. The flow of raw materials to the process units is curtailed. Emergency plans are activated. Calls are made to activate Emergency Response Teams. There is, however, one small problem that becomes very apparent. The Emergency Response Teams have nothing to do in the way of response. That's because the typical Emergency Response Teams are not trained, prepared or equipped to deal with an information systems attack. They are trained, prepared and equipped to deal with fires, spills and explosions. However, none of these has occurred, as yet.

Rapidly, the layers of management within the system begin to get involved in the response. Crisis Management Plans are activated. However, for the majority of the responding entities these plans offer little assistance, as they have focused, for the most part, on how to address the media during a crisis. They will prove valuable later, when the media begins to report in earnest on the events that have disrupted America.

Now, upper management is involved. Questions are raised. Answers are sought. Information systems personnel at all levels are feverishly trying to undo the damage. Successes come in small increments. It takes over a month to get the system back to ninety percent of operating capacity. One month that has changed the face of America. The U.S. is in the grip of winter. There are shortages in heating oil, gasoline, diesel fuel.

The American economy begins to grind to a halt. Prices start to skyrocket. Food shortages occur as the transportation system is affected. Telecommunications systems are affected. Public utilities are affected. Banking and finance centers are affected. Share prices of the affected oil companies tumble on Wall Street; soon a cascading effect is felt as other stocks start to tumble, and personal investments and savings are, in some cases, wiped out. Credit card and other debt begins to soar. Water supply systems, government and related services are affected.

As businesses begin the recovery process, much analysis is undertaken. "How could this have happened?" seems to be a constant question on everyone's lips. In one month's time the basic foundations of America's vibrant economy are shaken. The effect is like dominoes, as it cascades throughout the world.

Sound like the stuff of science fiction or the latest Jack Higgins, Tom Clancy or Frederick Forsyth novel? Perhaps, but not to the President's Commission on Critical Infrastructure Protection. To the Commission, this is an all too real scenario.

If your appetite hasn't been whetted yet, here are some more examples of what may lie ahead:

Thirsty? Think about this the next time you turn on the faucet to fill your glass with cold water for a drink. What if.... A disgruntled worker at a water treatment facility in your city were to pour five gallons of trichloroethylene (TCE) into the treated water heading for your tap. One gallon of TCE will contaminate approximately two hundred ninety-two million (292,000,000) gallons of water beyond the safe drinking water standard established by the U.S. EPA. Drink up!

Or....Chicago, rush hour, the Dan Ryan Expressway (or your city, take your pick). A truck in front of you slows and you see its hazard lights start to flash. Traffic, which has been at a crawl, comes to an almost dead halt. The man stops the truck in the middle of the freeway, blocking off two lanes and snarling traffic in all four as motorists attempt to negotiate around the stalled vehicle. The truck is stopped under an overpass on one of the busiest freeways in the world. You curse at the driver, just another motorist with a problem. He gets out and lifts the hood. Apparently, he has had a breakdown. He appears to be working on a problem with the engine. In reality he is setting the timer on a device that will detonate a bomb. A car stops. The car's driver appears to be offering assistance; the truck's driver gets in. The car drives away, leaving the abandoned truck. Have a nice commute!

Or....On your way home, you observe a man in the train station. Foot traffic is heavy; it's rush hour. Neither you nor anyone else pays much attention as the man drops a crumpled piece of tin foil that looks like a spent candy wrapper. No one notices the flesh-colored rubber gloves that the man is wearing. The man proceeds through the busy terminal, nonchalantly dropping more crumpled-up candy wrappers.

People tread over the tin foil, spreading the contents throughout the terminal and onto the trains that are departing the city. It's not candy wrappers the man has dropped. It happens to be a biological agent, and it's being spread through the air as people trample the tin foil wrappers on their way to their trains and home. By the time you get home, you feel the symptoms of the flu coming on. You go to the bathroom, get some Alka-Seltzer cold tablets and a couple of Tylenol, and decide to go to bed early. Pleasant dreams!

Or....An underground group targets your city's electrical distribution grid, planting charges at several unmanned substations. After a series of explosions, your power goes out. You and many of your neighbors and local businesses are in the dark. No television or telephone service, no working traffic lights. Utility crews frantically begin to reroute distribution; repair crews survey the damage. Tune in to CNN for more information, that is, if your television is working!

Or....A hacker penetrates the firewalls of a major bank and begins to manipulate various accounts. One of them happens to be yours. The hacker also puts a code into the bank's main computer files. He knows that his unauthorized activities will eventually be discovered. He is, however, fairly sure that the apparently innocuous line of code he has inserted will be extremely difficult to discover amongst the millions of lines of code that operate your bank's systems; that is, until it is activated, with devastating consequences. Want to write that check for the mortgage yet?

Or....go ahead, I'm sure you can come up with something.

Could you or your firm be affected by such events? The President's Commission on Critical Infrastructure Protection (PCCIP) thinks so. The Commission was chartered to conduct a comprehensive review and recommend a national policy for protecting critical infrastructures and assuring their continued operation. Under Executive Order 13010, certain national infrastructures have been identified and designated as so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States.

On October 15, 1997 the Commission presented its report on critical infrastructure vulnerabilities to President Clinton. Our research and the report to the President indicate that a significant dilemma facing the United States today is the growing interdependence of critical infrastructures. For example, water, sewage and public utilities are commonly found linked together within a city's control system. As technology advances, so too do the means for those bent on disruption and mayhem, or less nefarious pursuits, to interdict the systems we have become too dependent on.

Expectations, we all have them. You turn on the light switch and expect the lights to function. You turn the thermostat up and expect heat; down and expect cool air. You lift the telephone receiver off the hook and expect a dial tone. You turn the water on and expect clean, drinkable water. Ask yourself one question. What if...? What if the lights didn't go on, the heat or cooling didn't work, or you picked up the telephone and didn't get a dial tone? The report of the PCCIP states in its introduction:

"The United States is in the midst of a tremendous cultural change - a change that affects every aspect of our lives. The cyber dimension promotes accelerating reliance on our infrastructures and offers access to them from all over the world, blurring traditional boundaries and jurisdictions. National defense is not just about government anymore, and economic security is not just about business. The critical infrastructures are central to our national defense and our economic power, and we must lay the foundations for their future security on a new form of cooperation between the private sector and the federal government."

The Critical Infrastructures studied consist of:

The Commission divided its work into five "sectors" based on the common characteristics of the included industries. The sectors are:

The Commission characterized the sectors, studied their vulnerabilities and looked for solutions. It prepared comprehensive working papers for each of the five sectors, providing specific recommendations. Other sections of the report contain information on issues that were not sector specific. Among them is a paper on Research and Development Recommendations, which outlines a comprehensive set of topics regarding the long-term needs of infrastructure protection. Another, on National Structures, contains the Commission's conclusions and recommendations about the functions and responsibilities for infrastructure assurance and the creation of jointly staffed units in the federal government and private sector that represent infrastructure owners and operators. Also included in the report is a paper on Shared Infrastructures: Shared Threats, which is an analysis of the vulnerabilities and threats facing the critical infrastructures. While the report recognized the significance of physical threats, it concluded that government and industry have a significant amount of experience in dealing with them. It was the cyber threat that received most of the report's attention. Cyber issues dominated the analysis because networked information systems present fundamentally new security challenges.

Public Hearings and Outreach

The Commission conducted extensive meetings with a range of professional and trade associations concerned with the infrastructures, private sector infrastructure users and providers, academia, different state and local government agencies, consumers, federal agencies, and numerous others. Of special interest were five public meetings in major cities.

Commission members attended dozens of conferences and roundtables with a variety of groups, and arranged two strategic simulations with participants drawn from across the infrastructures and from all levels of government. A World Wide Web site was established to facilitate contact with the Commission and provide a forum for questions and comments.

Increasing Dependence and Interdependence on Critical Infrastructures

What the Commission found was:

"The development of the computer and its astonishingly rapid improvements have ushered in the Information Age that affects almost all aspects of American commerce and society. Our security, economy, way of life, and perhaps even survival, are now dependent on the interrelated trio of electrical energy, communications, and computers."

The Chinese have a saying, "Opportunity is always present in the midst of crisis". The Commission's report shows that America's critical infrastructures underpin every aspect of our lives and that these infrastructures are extremely vulnerable to old and newly identified threats. We need to recognize that the rules have changed. No longer can we react in the way we have been taught to think. If we do, we will not be able to address the threat(s) effectively.

While a satchel full of dynamite or a truckload of fertilizer and diesel fuel are recognized threats with known outcomes, the specter of cyber threats is one that hangs over our heads like the sword of Damocles. Today, the right command sent over a network to a power generating station's control computer could be just as effective as a backpack full of explosives, and the perpetrator would be harder to identify and apprehend.

The Commission stated:

"rapid growth of a computer-literate population ensures that increasing millions of people possess the skills necessary to consider such an attack. The wide adoption of public protocols for system interconnection and the availability of "hacker tool" libraries make their task easier."

One must also consider the resources required to conduct a physical attack versus those to conduct a cyber attack. Physical attacks generally dictate a large logistics operation, while the resources for a cyber attack generally consist of a personal computer and a simple telephone connection to an Internet Service Provider anywhere in the world. Today this is enough to cause a great deal of harm.

The Commission recognized that our energy and communications infrastructures, already growing in complexity and operating closer to designed capacity, present an increased vulnerability, with the almost guaranteed possibility of cascading effects on the other infrastructures. Because of their technical complexity, some of these dependencies may be unrecognized until a major failure occurs.

A Wide Spectrum of Threats

Of the many people with the necessary skills and resources, some may have the motivation to cause substantial disruption in services or destruction of the equipment used to provide the service. The Commission compiled a list of the kinds of threats and the scope of potentially adverse consequences for the infrastructures. It recognized that it may not be possible to categorize the threat until the perpetrator is identified (for example, we may not be able to distinguish industrial espionage from national intelligence collection). The report cited the following examples:

"Natural events and accidents. Storm-driven wind and water regularly cause service outages, but the effects are well known, the providers are experienced in dealing with these situations, and the effects are limited in time and geography.

Blunders, errors, and omissions. By most accounts, incompetent, inquisitive, or unintentional human actions (or omissions) cause a large fraction of the system incidents that are not explained by natural events and accidents. Since these usually only affect local areas, service is quickly restored; but there is potential for a nationally significant event.

Insiders. Normal operation demands that a large number of people have authorized access to the facilities or to the associated information and communications systems. If motivated by a perception of unfair treatment by management, or if suborned by an outsider, an "Insider" could use authorized access for unauthorized disruptive purposes.

Recreational hackers. For an unknown number of people, gaining unauthorized electronic access to information and communication systems is a most fascinating and challenging game. Often they deliberately arrange for their activities to be noticed even while hiding their specific identities. While their motivations do not include actual disruption of service, the tools and techniques they perfect among their community are available to those with hostile intent.

Criminal activity. Some are interested in personal financial gain through manipulation of financial or credit accounts or stealing services. In contrast to some hackers, these criminals typically hope their activities will never be noticed, much less attributed to them. Organized crime groups may be interested in direct financial gain, or in covering their activity in other areas.

Industrial espionage. Some firms can find reasons to discover the proprietary activities of their competitors, by open means if possible or by criminal means if necessary. Often these are international activities conducted on a global scale.

Terrorism. A variety of groups around the world would like to influence US policy and are willing to use disruptive tactics if they think that will help.

National intelligence. Most, if not all, nations have at least some interest in discovering what would otherwise be secrets of other nations for a variety of economic, political, or military purposes.

Information warfare. Both physical and cyber attacks on our infrastructures could be part of a broad, orchestrated attempt to disrupt a major US military operation or a significant economic activity."

Lack of Awareness = Lack of Preparedness?

While the general public, to a great extent, seems unaware of the extent of the vulnerabilities in the services that we all take for granted, the Commission found that "within government and among industry decision makers, awareness is limited". Interviews with industry and government decision makers revealed "that there has not yet been a cause for concern sufficient to demand action".

"It is not surprising that infrastructures have always been attractive targets for those who would do us harm. In the past we have been protected from hostile attacks on the infrastructures by broad oceans and friendly neighbors. Today, the evolution of cyber threats has changed the situation dramatically. In cyberspace, national borders are no longer relevant. Electrons don't stop to show passports".

Commission on Critical Infrastructure Protection Report

The Commission recommended several actions in its report that should be considered to increase the public and private sector's sensitivity to these threats and reduce our vulnerabilities at all levels.

Related to the lack of awareness is the need for a national focus or advocate for infrastructure protection. Following up on their report to the President, the Commission recommended that "we need to build a framework of effective deterrence and prevention". They recognized that, "These infrastructures are so varied, and form such a large part of this nation's economic activity, that no one person or organization can be in charge".

"With the existing rules, you may have to solve the crime before you can decide who has the authority to investigate it."

While the threat of an imminent attack, or a credible threat sufficient to warrant a sense of immediate national crisis, does not currently exist, the Commission strongly recommended that we take action to reduce our vulnerabilities. Presently, the investments for deterrence are relatively modest, but they will surely rise with time and, should an attack occur, will escalate dramatically.

A Blurring of the Traditional Lines of Demarcation

The Commission sees a shared responsibility between the government sector and the private sector. Today the national defense is no longer the exclusive domain of the government.

Additionally, we should note that, as a result of the globalization of U.S. industries, we have become more vulnerable to disruption from external events that have no apparent impact on the U.S., as can be seen in the recent financial troubles in Southeast Asia. The Commission cited:

"National security requires much more than military strength. Our world position, our ability to influence others, our standard of living, and our own self-image depend on economic prosperity and public confidence. Clear distinctions between foreign and domestic policy no longer serve our interests well.

At the same time, the effective operation of our military forces depends more and more on the continuous availability of infrastructures, especially communications and transportation, that are not dedicated to military use".

Commission Recommendations

The Commission specifically recommended:

Your Quandary: What to do?

How prepared is your company to deal with the loss of critical infrastructures vital to its survival? How vulnerable is your company to the disruption of infrastructures critical to daily operations? Does your current crisis management plan address these questions?

Looking back at the Chinese quote on crisis, we must realize that every crisis carries two elements, danger and opportunity. No matter the difficulty of the circumstances, no matter how dangerous the situation, at the heart of each crisis lies a tremendous opportunity. At the heart of the critical infrastructure vulnerability issue is an opportunity for industry and government to begin developing and implementing an "All Hazards" approach to crisis (incident) management planning. This approach consists of:

Although no two Crisis Management Programs are exactly alike, these are critical aspects that must be addressed in any Crisis Management Program.

Ask yourself, "Why do we need a Crisis Management Program with an 'all hazards' approach?" Put simply, such a program allows you to provide for:

Analysis of Vulnerabilities

How do you reduce the vulnerability posed by potential crises? You need a system that will advise you of current, future and potential vulnerabilities. Such a system will allow you to identify early indicators of vulnerability. In order to accomplish this task, a survey of all operations should be undertaken. The survey should include:

The ultimate benefits to be gained from this type of survey are in terms of identifying areas in need of attention, establishing a list of potential crisis situations, determining what commitments your organization is comfortable with and documenting current efforts. Once the survey program has been developed and implemented, it must be evaluated and kept up-to-date.

This can be accomplished by reviewing actual responses and by conducting a detailed audit of each element of the business.

The survey program is the initial step toward reducing vulnerability. Next, you must organize the operation. The management chain is critical to this process. You must ensure that all levels of management become part of the program.

This can be achieved in several ways:

This can be very effective and it gets the message out to all personnel that your company is serious about crisis management preparedness.

Another perspective on this issue really means changing the "corporate culture," i.e., making crisis management preparedness a part of the way you do business.

This discussion is limited by the space available to a brief highlight of some approaches that can be undertaken. Each company will find its situation and circumstances to be unique to its corporate culture. Therefore, an in-depth analysis of your company's operating environment should be undertaken before developing a program or attempting to address the above items.

Planning & Preparedness

Planning and Preparedness, used in the broadest context, means any and all measures taken to prevent, prepare for, respond to, mitigate and recover from a crisis. It's with this perspective that we begin to break down the aspect of Preparedness. Preparedness consists of four critical aspects:

Preparation and Prevention: Any set of activities that prevent a crisis, reduce the chance of a crisis happening, or reduce the damaging effects of a crisis. Preparation and Prevention activities include, but are not limited to:

Detection and Incident Classification: Actions taken to identify, assess and classify the severity of a crisis. Detection and Classification activities include, but are not limited to:

Response and Mitigation: Actions taken to save lives, prevent further damage and reduce the effects of the crisis. Response and Mitigation activities include, but are not limited to:

Reentry and Recovery: Actions taken to return to a normal or an even safer situation following the crisis. Reentry and Recovery activities include, but are not limited to:

Resource Development

Development of your internal and external resources is the third component of the "All Hazards" approach. Training the Crisis Management/Response Organization is one of the critical success factors that must be addressed if an adequate response is to be achieved. The development of the vulnerability analysis, preparation of the plan, involvement of all levels of management and establishing preparedness is only part of the overall process. To ensure an adequate response, a trained organization is required. A "systems" approach to preparing effective training programs should consist of:

TASK ANALYSIS: When designing an integrated training program, first determine the skills, knowledge and procedures required for satisfactory performance of each task.

DEVELOPMENT: Learning objectives are defined from the skills, knowledge and procedures developed during task analysis. Instructional plans are then prepared to support the learning objectives.

IMPLEMENTATION: Training is systematically presented using appropriate instructional methods. Instruction may include lecture, self-paced or group-paced mediated instruction, simulation and team training.

EVALUATION: Performance standards and evaluation criteria are developed from the learning objectives. Performance is evaluated during the course and during field performance validation.

In addition to the development of resources through analysis, training and identification of external resources, a program to validate the proficiency of the Crisis Management Organization is also needed. This can be accomplished by establishing a program that supplements the training with drills and exercises. The drill program can vary in degree of complexity.

Information Management & Sharing

Establishing and maintaining an ongoing, dynamic Crisis Management Program is essential. The crisis management process doesn't end just because you have finished the crisis management plan, are in compliance, have involved management and have trained the staff.

In order to facilitate planning requirements, a record of all initiatives should be retained. These records serve to document the accomplishments, requirements, commitments and reports relating to various program requirements. The identification of commitments in the areas of compliance, emergency preparedness and training is vital. The establishment of a defined information management system structure will ensure that documentation will be available when needed.

Senior management must be kept well informed. Information is a corporate asset. Information is expensive. It must be shared and managed effectively. Information management is also critical during a crisis. Active systems to provide information on materials, personnel, capabilities and processes are essential. It is extremely important to have a system (and adequate back-up systems) in place that serves to identify, catalog, set priorities and track issues and commitments relating to crisis management and response activities.

Conclusion

In almost every instance of successful response to a crisis, management and response activities consisting of sound operating execution coupled with superior communication predominate. Operational response is essential. It is the one that saves lives, property and other assets. The ability to communicate is no less important. It's the one that saves the business.

The simple fact is: perception is reality. Public perception of your company's reaction to a crisis is as important as your operating response. Lessons learned in crises ranging from Three Mile Island to the Exxon Valdez validate the need for a dynamic crisis management program.

Trust and confidence in the abilities of middle level management must be established. "How well have my people prepared?" This question can only be answered satisfactorily if you have established a level of trust and confidence, can communicate risk and are willing to allow these managers to practice upward management, that is, to delegate up. They must have the ability to recognize needs and have a process in place that allows them to delegate up without fear of repercussions.

Few crises will be as dramatic as Three Mile Island or the Valdez ... unless it is your own. How well you respond depends on how well you are prepared.

About the Author

Geary W. Sikich is the author of It Can't Happen Here: All Hazards Crisis Management Planning, published by PennWell Books. His second book, "Emergency Management Planning Handbook", is published by McGraw Hill. He is a Principal with Logical Management Systems, Corp. (LMS) based in Munster, Indiana. Mr. Sikich has over 20 years' experience in management consulting in a variety of fields. He consults on a regular basis with companies worldwide on crisis management issues.

Copyright © 1998, Geary W. Sikich, P.O. Box 1998, Highland, Indiana 46322. World rights reserved. No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photograph, magnetic or other record, without prior agreement and written permission of the publisher.
