Critical Infrastructure and Risk

Asked: Feb 6th, 2019
In a minimum of 550 words and using provided documentation, discuss what is meant by "acceptable risk" in determining a risk management plan relating to critical infrastructure, and how the level of acceptable risk may differ among stakeholders.

Additional peer-reviewed documents and articles are welcomed as well.

Order Code RL31556
Report for Congress
Received through the CRS Web

Critical Infrastructures: What Makes an Infrastructure Critical?

Updated January 29, 2003

John Moteff, Claudia Copeland, and John Fischer
Resources, Science, and Industry Division
Congressional Research Service, The Library of Congress

Summary

The Bush Administration’s proposal for establishing a Department of Homeland Security includes a function whose responsibilities include the coordination of policies and actions to protect the nation’s critical infrastructure. However, the proposal did not specify criteria for how to determine criticality or which infrastructures should be considered critical. Over the last few years, a number of documents concerned with critical infrastructure protection have offered general definitions for critical infrastructures and have provided short lists of which infrastructures should be included. None of these lists or definitions would be considered definitive.

The criteria for determining what might be a critical infrastructure, and which infrastructures thus qualify, have expanded over time. Critical infrastructures were originally considered to be those whose prolonged disruptions could cause significant military and economic dislocation. Critical infrastructures now include national monuments (e.g. Washington Monument), where an attack might cause a large loss of life or adversely affect the nation’s morale. They also include the chemical industry. While there may be some debate about why the chemical industry was not on earlier lists that considered only military and economic security, it seems to be included now primarily because individual chemical plants could be sources of materials that could be used for a weapon of mass destruction, or whose operations could be disrupted in a way that would significantly threaten the safety of surrounding communities.

A fluid definition of what constitutes a critical infrastructure could complicate policymaking and actions. At the very least, a growing list of infrastructures in need of protection will require the federal government to prioritize its efforts. Essentially the federal government will have to try to minimize the impact on the nation’s critical infrastructure of any future terrorist attack, taking into account what those impacts might be and the likelihood of their occurring.

There are a number of ways the government can prioritize. First, not all elements of a critical infrastructure are critical. Additional study will be necessary to identify those elements that are the most critical. Other approaches include focusing on vulnerabilities that cut across more than one infrastructure, interdependencies where the attack on one infrastructure can have adverse effects on others, geographic locations where a number of critical infrastructure assets may be located, or focusing on those infrastructure belonging solely to the federal government or on which the federal government depends.

The National Strategy for Homeland Security, released by the Bush Administration in July 2002, states that the federal government will set priorities for critical infrastructure protection based on a consistent methodology and an approach that will allow it to balance the cost and expected benefits. It does not discuss what that methodology or approach might be. Congress may want to focus some of its oversight on how the Administration proposes to set priorities and what criteria it uses to do so. This report will be updated as warranted.

Contents

- Introduction
- Background
- What Is a Critical Infrastructure?
- Which Assets of a Critical Infrastructure Need Protection?
- Surface Transportation: River Crossings
- Transportation Systems: Air Traffic Control (ATC)
- Observations
- Analysis
- Appendices
- What is Infrastructure?
- How the Criteria and Components of Critical Infrastructure Have Expanded Over Time

List of Tables

- Table 1. What Constitutes Critical Infrastructure Over Time

Introduction

Section II of President Bush’s June 2002 proposal for establishing a Department of Homeland Security prescribed the responsibilities of the Department’s Undersecretary for Information Analysis and Infrastructure Protection. Those responsibilities included:

- comprehensively assessing the vulnerabilities of the key resources and critical infrastructures in the United States;
- ....identifying protective priorities and supporting protective measures...;
- developing a comprehensive national plan for securing the key resources and critical infrastructures in the United States; and
- taking or seeking to effect necessary measures to protect the key resources and critical infrastructures in the United States....[1]

Nowhere in the Administration’s proposed legislation was critical infrastructure defined.
However, other documents, including previous legislation, have defined critical infrastructure and provided illustrative lists of infrastructures that fall within those definitions. The following discussion recounts how the definition (and the list of illustrative examples) has broadened over time and what impact this may have on developing and implementing critical infrastructure protection policy.

Background

What Is a Critical Infrastructure?

Before “critical infrastructure” became a term of interest in the terrorism and homeland security debate, the seemingly similar term “infrastructure” was a subject debated by public policymakers. In the 1980s, for example, a much debated issue was whether there was a national crisis in the condition of America’s infrastructure–its roads, bridges, dams, wastewater treatment systems, etc. With no standard or agreed definition, the concept of infrastructure in policy terms has been fluid, as it appears to be today. (For more discussion of these earlier definitions of and debate regarding “infrastructure,” see the Appendix, What is Infrastructure? in this report.)

[1] For more information on various aspects of the President’s proposal and the Congressional response, see Homeland Security on the CRS Home Page.

More recently, as homeland security has been assigned the highest national priority, the term “critical infrastructure” has developed into a major policy concern. Documents dealing with critical infrastructure protection have provided broad definitions of what makes an infrastructure critical.
Executive Order 13010,[2] signed by President Clinton on July 15, 1996, which established the President’s Commission on Critical Infrastructure Protection, alluded to what makes an infrastructure critical: “Certain national infrastructures are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States.”[3] According to this Executive Order (EO) these infrastructures included:

- telecommunications;[4]
- electrical power systems;
- gas and oil storage and transportation;
- banking and finance;
- transportation;
- water supply systems;
- emergency services (including medical, police, fire, and rescue); and,
- continuity of government.

Using the language of this EO, the Commission’s final report[5] to the President defined critical infrastructure in the Glossary as: “Infrastructures so vital that their incapacitation or destruction would have a debilitating impact on defense or economic security.” The following supporting definitions were provided:

Infrastructures: The framework of interdependent networks and systems comprising identifiable industries, institutions (including people and procedures), and distribution capabilities that provide a reliable flow of products and services essential to the defense and economic security of the United States, the smooth functioning of government at all levels, and society as a whole.

Debilitated: A condition of defense or economic security characterized by ineffectualness.

Defense security: The confidence that Americans’ lives and personal safety, both at home and abroad, are protected and the United States’ sovereignty, political freedom, and independence, with its values, institutions, and territory intact are maintained.

Economic security: The confidence that the nation’s goods and services can successfully compete in global markets while maintaining or boosting real incomes of its citizens.

[2] Executive Order 13010—Critical Infrastructure Protection. Federal Register, July 17, 1996. Vol. 61, No. 138. pp 37347-37350. Reference is on page 37347.
[3] Ibid. p. 37347.
[4] Throughout this report, sectors that are identified as being critical will be bolded the first time they appear.
[5] President’s Commission on Critical Infrastructure Protection, Critical Foundations: Protecting America’s Infrastructure, October 1997.

The Commission’s report also defined the infrastructures of each of the sectors mentioned in this EO.

Banking and Finance: Entities such as retail and commercial organizations, investment institutions, exchange boards, trading houses, and reserve systems, and associated operational organizations, government operations, and support activities that are involved in all manner of monetary transactions, including its storage for saving purposes, its investment for income purposes, its exchange for payment purposes, and its disbursement in the form of loans and other financial instruments.

Electric Power Systems: Generation stations, transmission and distribution networks that create and supply electricity to end-users so that end-users achieve and maintain nominal functionality, including the transportation and storage of fuel essential to that system.

Emergency Services: Medical, police, fire, and rescue systems and personnel that are called upon when an individual or community is responding to emergencies. These services are typically provided at the local level. In addition, state and federal response plans define emergency support functions to assist in the response and recovery.

Gas and Oil Production Storage and Transportation: The production and holding facilities for natural gas, crude and refined petroleum, and petroleum-derived fuels, the refining and processing facilities for these fuels and the pipelines, ships, trucks, and rail systems that transport these commodities from their source to systems that are dependent upon gas and oil in one of their useful forms.

Information and Communications: Computing and telecommunications equipment, software, processes, and people that support:

- the processing, storage, and transmission of data and information;
- the processes and people that convert data into information and information into knowledge; and,
- the data and information themselves.

Transportation: Physical distribution systems critical to supporting the national security and economic well-being of this nation, including the national airspace systems, airlines, and aircraft, and airports; roads and highways, trucking and personal vehicles; ports and waterways and the vessels operating thereon; mass transit, both rail and bus; pipelines, including natural gas, petroleum, and other hazardous materials; freight and long haul passenger rail; and delivery services.

Water Supply System: Sources of water, reservoirs, and holding facilities, aqueducts and other transport systems, the filtration, cleaning and treatment systems, the pipelines, the cooling systems and other delivery mechanisms that provide for domestic and industrial applications, including systems for dealing with water runoff, waste water, and firefighting.

In response to the Commission’s report, President Clinton signed Presidential Decision Directive Number 63 (PDD-63) on May 22, 1998.[6] The Directive defined critical infrastructures as “those physical and cyber-based systems essential to the minimum operations of the economy and government.”[7] According to the Directive, these included, but were not limited to, telecommunications, energy, banking and finance, transportation, water systems and emergency services. The Directive also directed certain agencies to identify sector liaisons in those sectors mentioned above, plus:

- intelligent transportation systems;
- continuity of government services;
- public health services (including prevention, surveillance, laboratory services); and,
- personal health services.

[6] The Clinton Administration’s Policy on Critical Infrastructure Protection: Presidential Decision Directive No. 63, White Paper, May 22, 1998.
[7] The distinction between physical-security and cyber-security is almost inextricable and not clearly articulated. For example, physical assets in the electric power infrastructure would typically include the generation plant, the turbines and other equipment inside, and distribution lines and towers. However, the computer hardware and communication lines that help control the generation and flow of electricity could be considered physical assets or cyber assets. The data transmitted and stored on the computers and transmitted over the communication lines and the software used to process and control that data are typically considered cyber assets. Physical security typically means protecting the physical assets (including computer equipment) from damage caused by physical forces such as explosion, breakage, wind, fire, etc. Cyber-security could also mean the physical protection of cyber assets. Cyber-security, however, typically includes the protection of both physical and cyber assets from operational failure or from being otherwise compromised by others gaining unauthorized computer access (including remote access) to the operating software or data. Providing physical- and cyber-security of critical infrastructures requires a broad range of effort that can be quite varied (from installing jersey walls to installing firewall software), and different people or policies may be talking about different activities.

It also identified critical infrastructures that are primarily the responsibility of the federal government:

- law enforcement and internal security;
- foreign intelligence;
- foreign affairs; and,
- national defense.

The Directive also set a goal that within five years the nation should be able to protect the national critical infrastructures from intentional attacks that would significantly diminish the abilities of:

- the federal government to perform essential national security missions and to ensure the general public health and safety;
- state and local governments to maintain order and to deliver minimum essential public services; and,
- the private sector to ensure the orderly functioning of the economy and the delivery of essential telecommunications, energy, financial, and transportation services.

“Any disruptions or manipulations of these critical functions must be brief, infrequent, manageable, geographically isolated and minimally detrimental to the welfare of the United States.”[8]

The first version of a National Plan for Critical Infrastructure (also called for by PDD-63)[9] defined critical infrastructures as “those systems and assets—both physical and cyber—so vital to the Nation that their incapacity or destruction would have a debilitating impact on national security, national economic security, and/or national public health and safety.”[10] While the Plan concentrated on cyber-security of the federal government’s critical infrastructure, the Plan refers to those infrastructures mentioned in the Directive.

[8] Ibid. p2.
[9] Defending America’s Cyberspace: National Plan for Information Systems Protection. Version 1.0. An Invitation to a Dialogue. White House. 2000
[10] Ibid. Executive Summary. p 1. Section 1016 of the USA Patriot Act (P.L.107-56), passed October 16, 2001, used essentially the same definition.

Following the September 11, 2001 attacks, President Bush signed new Executive Orders relating to critical infrastructure protection. E.O. 13228,[11] signed October 8, 2001, established the Office of Homeland Security and the Homeland Security Council. Among the duties assigned the Office was to:

“coordinate efforts to protect critical infrastructures..[and] with federal, state, and local agencies and private entities to: strengthen measures for protecting energy production, transmission, and distribution services and critical facilities; other utilities; telecommunications; facilities that produce, use, store, or dispose of nuclear material...; ...coordinate efforts to protect critical public and privately owned information systems...; ensure that special events determined by appropriate senior officials to have national significance are protected...; protect transportation systems within the United States, including railways, highways, shipping ports and waterways, and airports and civilian aircraft...; protect United States livestock, agriculture, and systems for the provision of water and food for human use and consumption....”[12]

[11] Executive Order 13228—Establishing the Office of Homeland Security and the Homeland Security Council. Federal Register, Vol. 66, No. 196, October 8, 2001. pp. 51812-51817.

In a separate Executive Order 13231,[13] signed October 16, 2001, President Bush established the President’s Critical Infrastructure Protection Board. Although the name of the Board might imply a broad mandate, the Board’s duties focus primarily on the nation’s information infrastructure. However, the EO makes reference to the importance of information systems to other critical infrastructures such as “telecommunications, energy, financial services, manufacturing, water, transportation, health care, and emergency services.”[14] This EO also reiterates the goal established in PDD-63, although stated within the more limited context of protecting against attacks on the nation’s information infrastructure, that “any disruptions that occur are infrequent, of minimal duration, and manageable, and cause the least damage possible.”[15]

Shortly after the Administration issued these Executive Orders, Congress passed the USA PATRIOT Act (P.L. 107-56).
Section 1016 of the Act, called the Critical Infrastructures Protection Act of 2001, defined critical infrastructures as: “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters.”[16]

[12] Ibid. Section 3 (e) (i), (ii), (iv), (v) and (vi), pp. 5183-5184.
[13] Executive Order 13231—Critical Infrastructure Protection in the Information Age. Federal Register, Vol. 86, No. 202. October 18, 2001. pp. 53063-53071.
[14] Ibid. Section 1 (a), p. 53063.
[15] Ibid. Section 1 (b), p. 53063

Earlier in Section 1 ...

Critical Infrastructure and Risk

Student’s name:
Institutional affiliation:




Critical Infrastructure and Risk
Question: Discuss what is meant by acceptable risk in determining risk management relating to
critical infrastructure and how the level of acceptance risk differs among stakeholders.
Acceptable risk refers to risk exposure that is deemed manageable and easy to recover
stability after its occurrence for a community, organization, individual or nation. Risk is usually
evaluated and determined in terms of the probability of its occurrence, as well as the impact of
the risk when it occurs (John, 2015). They serve to set the practical targets for risk management
and are often more helpful than the ideal that no risk is acceptable. The level of acceptable risk
can be lowered to zero depending on cost and the effect of secondary risk. According to Fischhoff
et al. (1981, as cited in Lathrop & Watson, 1982), r...

awesome work thanks

