Evaluation of U.S. Infrastructure Protection Programs
Dave Carlson - January 19, 2007
Protecting national critical infrastructure is a vast challenge. This article focused on representative examples of infrastructure overseen by three federal agencies. The Department of Homeland Security is responsible for cyberspace security, including information systems controlling critical systems. The Bureau of Reclamation keeps Hoover Dam safe by various methods, including rerouting traffic and screening visitors. The Transportation Security Administration oversees critical transportation infrastructure security, including airport security and pipeline security programs. While each organization responsible for critical infrastructure protection has emplaced significant policies and procedures for protecting their responsible areas, there still is a great deal to be accomplished. Because all of these systems are so vast, it may not be possible to secure them adequately.
Evaluation of U.S. Infrastructure Protection Programs
Several U.S. government agencies are responsible for infrastructure protection. Each is charged with protecting a specific portion of the infrastructure. This article will evaluate critical infrastructure protection programs of three agencies: Department of Homeland Security, Bureau of Reclamation, and Department of Transportation.
The Department of Homeland Security leads efforts for cyberspace security. The Bureau of Reclamation oversees security of the Hoover Dam. The Transportation Security Administration is charged with security of critical transportation capability. Are these agencies adequately meeting specific challenges in their segment of critical infrastructure protection?
Department of Homeland Security
The Department of Homeland Security (DHS) is responsible for security in cyberspace, including “recovery efforts for public and private critical infrastructure information systems” (GAO, 2005, p. 6). DHS is responsible for the following Critical Infrastructure Protection (CIP) areas:
- Develop a national plan for critical infrastructure protection that includes cybersecurity.
- Develop partnerships and coordinate with other federal agencies, state and local governments, and the private sector.
- Improve and enhance public/private information sharing involving cyber attacks, threats, and vulnerabilities.
- Develop and enhance national cyber analysis and warning capabilities.
- Provide and coordinate incident response and recovery planning efforts.
- Identify and assess cyber threats and vulnerabilities.
- Support efforts to reduce cyber threats and vulnerabilities.
- Promote and support research and development efforts to strengthen cyberspace security.
- Promote awareness and outreach.
- Foster training and certification.
- Enhance federal, state, and local government cybersecurity.
- Strengthen international cyberspace security.
- Integrate cybersecurity with national security. (GAO, 2005, p. 7)
GAO (2005) reported that DHS continues to face significant challenges in meeting their CIP responsibilities (p. 11). GAO (2005) cited several key DHS challenges, including inadequate organizational and ineffective communication (p. 11). Additionally, DHS faces a challenge of “providing and demonstrating the value DHS can provide” (GAO, 2005, p. 11). The GAO (2005) report concluded that DHS needs to address underlying challenges before it can achieve significant results in coordinating cybersecurity activities to give the nation an “effective focal point it needs to better ensure the security of cyberspace for public and private critical infrastructure systems” (pp. 15-16).
GAO is not alone in their assessment that DHS is not adequately prepared to meet the many challenges of securing critical infrastructure against cyber attack. Some of the more significant challenges involve infrastructure systems that rely on Internet connectivity.
U.S. infrastructure is not adequately prepared to defend against such risks. Many of the core protocols that run the Internet are fundamentally at risk, such as Internet routing, e-mail transfer, and end-user authentication. The entire infrastructure has fundamental usability issues that encourage end-users to make security decisions that are not in their own best interests. (Williams, 2006, ¶ 16)
Bureau of Reclamation
The Bureau of Reclamation is the part of the U.S. Department of the Interior. The Bureau of Reclamation is the largest wholesale supplier of water and the second largest producer of hydroelectric power in the United States (Bureau of Reclamation, 2006, ¶ 2-3). They are responsible for making it possible to irrigate the farmland that produces 60% of the country’s vegetables (Bureau of Reclamation, 2006, ¶ 2). Their most significant charge is Hoover Dam.
The destruction of Hoover Dam would strike a devastating blow to the United States. A breach in Hoover Dam would have the potential of releasing almost ten million gallons of water (http://www.usbr.gov/lc/hooverdam/faqs/lakefaqs.html) on Southern California and a flood of almost biblical proportions on the city of Los Angeles. There can be no rational argument against Hoover Dam being considered part of the critical national infrastructure.
In cooperation with other government agencies, the Bureau of Reclamation has instituted several measures to protect Hoover Dam. Three of these security measures include, protection of navigable waterways by the U.S. Coast Guard, building of a by-pass bridge by the U.S. Department of Transportation, and internal physical security measures instituted by the Bureau of Reclamation.
Even though the measure was temporary (November 2001 – June 2002), the U.S. Coast Guard established security zones around the Hoover Dam to prevent any type of attack by water. The zone prohibited “all vessel traffic from entering, transiting or anchoring within the above described areas, and prohibiting all unauthorized shore based activities in areas surrounding the waterfront structures” (EPA, 2001, p. 7271) to protect the dam and related structures. This is an indicator that The Bureau of Reclamation acknowledged a viable threat and took appropriate measure to guard against that threat.
A significant permanent measure established to protect Hoover Dam is the construction of a bi-pass bridge over the Hoover Dam area. This accomplishes two major objectives: reduce vehicle traffic congestion across the dam and protect the dam against a vehicle borne explosive device. One of the specific purposes is to “safeguarding dam and power plant facilities and the waters of Lake Mead and the Colorado River from hazardous spills or explosions” (http://www.hooverdambypass.org/purpose_overview.htm).
Another measure implemented to protect the Hoover Dam is a process of screening visitors to the Dam. Following the attacks on 9/11, the dam was closed to visitors. It was opened again in December 2001 for “abbreviated public tours that provide limited access into the dam and power plant” (Meyers & Mouritsen, 2002, p. 181). The security procedures are similar to those implemented in federal buildings and court houses. Visitors walk through a detector and items, such as purses, are run through an x-ray machine.
Transportation Security Administration
Following the September 2001 attacks on the United States, when several commercial airliners were hijacked and turned into human-guided missiles, the Transportation Security Administration and Department of Transportation immediately concentrated on increasing passenger screeners and upgrading x-ray machines at the nation’s airports (Flynn, 2002, p. 10). This deliberate coordinated terrorist attack on the United States forced the Department of Transportation to increase their efforts to secure critical infrastructure under their supervision.
In December 2001, Richard C. Reid, lit a match on board American Airlines Flight 63 from Paris to Miami in a failed attempt to ignite an improvised explosive device hidden in his shoe (CNN, 2001, ¶ 1-2). That incident prompted a new security procedure in America’s airports. During pre-flight screening, passengers now must remove their shoes and send them through the x-ray machines with their carry-on luggage.
Smith (2004) reveals that “the inherent challenges of securing transportation infrastructure presented to Federal, state and local agencies are unlike any that the US has ever faced. The threats have no boundaries—jurisdictionally, nor in terms of disciplines they affect” (p. 360). This presents the Transportation Security Administration with a unique challenge. Measures that were sufficient in the past, no longer have the ability to defend against current threats. “To adequately secure transportation infrastructure it is imperative that new approaches and processes be developed and implemented” (Smith, 2004, p. 360).
Fletcher (2002) offers the following as examples of Critical Transportation Infrastructure (CTI):
- Major arterial highways and bridges comprising the National Highway System (HNS), including the Strategic Highway Network (STRAHNET) and National Intermodal Connectors.
- International marine harbors, ports and airports.
- Major railroads, including depots, terminals and stations.
- Oil and natural gas pipelines.
- Transportation Control Systems (e.g., air traffic control centers, national rail control centers). (p. 2)
“The Transportation Security Administration (TSA), within the Department of Homeland Security (DHS), is the lead federal agency for security in all modes of transportation including pipelines… The Office of Pipeline Safety (OPS), within the Department of Transportation (DOT), is the lead federal regulator of pipeline safety” (OpenCRS, 2004, ¶ 2). The TSA has required pipeline operators to develop and maintain security plans to protect their pipelines.
Pipeline operators are doing their best to comply with TSA requirements, but are concerned about conflicting requirements ordered by OPS. The different agencies involved must improve their inter-agency communications, to ensure pipeline operators receive clear guidance concerning an appropriate balance between safety and security (OpenCRS, 2004, ¶ 4). “Although pipeline impacts on the environment remain a concern of some public interest groups, both federal government and industry representatives suggest that federal pipeline programs have been on the right track” (OpenCRS, 2006, ¶ 1).
There are multiple aspects to protecting critical national infrastructure. This paper focused on representative examples of infrastructure overseen by three federal agencies. The Department of Homeland Security is responsible for cyberspace security, the Bureau of Reclamation keeps Hoover Dam safe, and the Transportation Security Administration oversees critical transportation infrastructure security.
While each organization responsible for critical infrastructure protection has emplaced significant policies and procedures for protecting their responsible areas, there still is a great deal to be accomplished. Lewis (2006) identifies one of the most significant challenge to the problem is its vastness. “Each sector in the United States is a vast network that is so large and complex that it is impractical to protect every component of each sector” (p. 49).
Bureau of Reclamation. (2006). Bureau of Reclamation -- About us. Retrieved January 16, 2007 from http://www.usbr.gov/main/about/
Cordesman, A. H. (2002). Cyber-Threats, information warfare, and critical infrastructure protection: Defending the U.S. homeland. Westport, CT: Praeger.
EPA. (2002). Security Zones; Hoover Dam, Davis Dam, and Glen Canyon Dam. [Electronic version]. Federal Register, 67(33), 7270-7272. Retrieved January 19, 2007 from http://www.epa.gov/fedrgstr/EPA-IMPACT/2002/February/Day-19/i3927.htm
Fletcher, D. R. (2002). Spatial information technologies in critical infrastructure protection. National Consortium on Remote Sensing in Transportation. Retrieved January 19, 2007 from http://www.ncgia.ucsb.edu/ncrst/research/cip/CIPAgenda.pdf
Flynn, S. E. (2002). America -- still unprepared, still in danger: Report of an independent task force sponsored by the Council of Foreign Relations. [Electronic version]. New York: Council on Foreign Relations. Retrieved January 19, 2007 from http://www.arch.columbia.edu/Students/Spring2003/Lange.Lawrence/taskforcereport.pdf
GAO. (2005, July 19). Critical infrastructure protection: Challenges in addressing cybersecurity. [Electronic version]. GAO-05-827T. Testimony before the Subcommittee on Federal Financial Management, Government Information, and International Security, Senate Committee on Homeland Security and Governmental Affairs.
CNN. (2001, December 25). Shoe bomb suspect to remain in custody. Retrieved January 19, 2007 from http://archives.cnn.com/2001/US/12/24/investigation.plane/index.html
Lewis, T. G. (2006). Critical infrastructure protection in homeland security: Defending a networked nation. Hoboken, NJ:Wiley.
Myers, W. G., III and Mouritsen, K. E. (2002, Winter). The Department of the Interior’s role in national emergencies. [Electronic version]. National Resources & Environment, 16(3), 177-182. Retrieved January 19, 2007 from http://www.abanet.org/environ/pubs/nre/specissue/myersmouritsen.pdf
OpenCRS. (2004). Pipeline security: An overview of federal activities and current policy issues. Retrieved January 19, 2007 from http://opencrs.cdt.org/document/RL31990/2004-02-05%2000:00:00
OpenCRS. (2006). Pipeline safety and security: federal programs. Retrieved January 19, 2007 from http://opencrs.cdt.org/document/RL33347/
Smith, T. A. (2004). The inherent challenges of securing transportation infrastructure -- An examination of the National Capital Region. [Electronic version]. International Summer Academy on Technology Studies -- Urban Infrastructure in Transition. Retrieved January 19, 2007 from http://www.ifz.tugraz.at/index_en.php/filemanager/download/319/Smith_SA%202004.pdf
Williams, B. (2006). Cyber security research & development. Institute of Electrical and Electronics Engineers-United States of America (IEEE-USA) position statement approved 24 June 2006. Retrieved January 16, 2007 from http://www.ieeeusa.org/policy/positions/cybersecurity.asp