May 16, 2006

Infrastructure Security and Risk Management

Since 9/11, there has been considerable discussion and debate about the need to increase surveillance and security of "critical infrastructure assets".

According to a new book, Open Target: Where America Is Vulnerable to Attack, by former Homeland Security Department Inspector General Clark Kent Ervin, the United States has 80,000 dams, 66,000 chemical plants, 2,800 power plants, 5,000 public airports, and 1,800 federal reservoirs.

This post provides a synopsis of information about infrastructure security on the world wide web and includes a brief overview of: (1) government legislation, (2) scholarly journals and articles, (3) news articles, and (4) research funding and programs.

(1) Government legislation related to infrastructure security:

Prior to 9/11, the Clinton administration had developed a policy on critical infrastructure protection. The policy defines "critical infrastructures" as "those physical and cyber-based systems essential to the minimum operations of the economy and government," including, "telecommunications, energy, banking and finance, transportation, water systems and emergency services, both governmental and private."

The Clinton directive on Critical Infrastructure Protection (PDD-63) had called for "a national effort to assure the security of the increasingly vulnerable and interconnected infrastructures of the United States" (see Wikipedia for an excellent summary).

After 9/11, this initiative jumped to the top of the political list of priorities. On October 16, 2001, President Bush issued Executive Order Critical Infrastructure Protection. Here is the EO's policy statement:

Section 1. Policy.
(a) The information technology revolution has changed the way business is transacted, government operates, and national defense is conducted. Those three functions now depend on an interdependent network of critical information infrastructures. The protection program authorized by this order shall consist of continuous efforts to secure information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems. Protection of these systems is essential to the telecommunications, energy, financial services, manufacturing, water, transportation, health care, and emergency services sectors.

(b) It is the policy of the United States to protect against disruption of the operation of information systems for critical infrastructure and thereby help to protect the people, economy, essential human and government services, and national security of the United States, and to ensure that any disruptions that occur are infrequent, of minimal duration, and manageable, and cause the least damage possible. The implementation of this policy shall include a voluntary public-private partnership, involving corporate and nongovernmental organizations.

In Feb. 2003, Bush released the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets.

During the period from 2001 to 2003, two researchers at American University cataloged dozens of reports on critical infrastructure security generated at all levels of government. This collection of reports -- called the Critical Infrastructure Information Database -- is organized in the following categories: Whitehouse, executive agencies, GAO, congress, state-legislation, judicial-federal, and judicial-state.

(2a) The main journals covering infrastructure security appear to be:

(2b) Three of the more succinct and comprehensive analyses of infrastructure security in the scholarly literature include:

  • Heller, (2002) "Life-Cycle Infrastructure Risk Management: R&D Needs"
    • Presents a holistic approach to infrastructure risk management and suggests that "terrorist risks must be addressed within the context of other extreme as well as everyday risks to infrastructure."

  • Rinaldi, Peerenboom & Kelly, (2001) "Identifying, understanding and analyzing critical infrastructure interdependencies" Control Systems Magazine - IEEE, 21(6), 11-25.
    • Explicitly defines the terms infrastructure, infrastructure dependencies, and infrastructure interdependencies and introduces the fundamental concept of infrastructures as complex adaptive systems.

  • Pikus, Irwin, (2003) "Critical Infrastructure Protection: Are We There Yet?" Journal of Infrastructure Systems, 9(1), 1-5.

It appears that the major theoretical perspectives that have been applied to shed light on the problems of infrastructure security include:
  • risk management,
  • infrastructure interdependence,
  • adaptive systems,
  • complexity theory, and
  • sensors and real-time monitoring.

(3) Two recent news articles on the need for greater infrastructure security:

First, an article titled Dropping our Guard argues that since 9/11 Congress has been terribly slow to enact any meaningful improvements in infrastructure security. The article gives an example of a round-the-clock infrastructure surveillance system that promised to improve the security of thousands of the country's critical infrastructure sites, economically and quickly, that was never adopted.

Second, an article in the Edmonton Sun, Alberta Guards Against Attacks on Oil & Gas, suggests that the Province of Alberta is increasingly investing in surveillance systems to protect "more than 125,000 operating oil and gas wells; more than 25,000 oil and gas batteries, or storage facilities; more than 330,000 kilometres of pipelines; 20,000 kilometres of electricity transmission lines; 155,000 kilometres of distribution lines; 56 electricity generating plants, eight coal mines and 38 commercial oilsands plants."

(4a) Agencies funding research on infrastructure security:

  • Homeland Security
    According to the US Congressional Budget Office, 30% of the $41B Homeland Security Budget for 2004 was allocated to the protection of critical infrastructure and key assets. We did not find immediately accessible data on how this funding was distributed.

  • National Science Foundation
    In 2005, the NSF awarded approximately $2.5M distributed to 10 different researchers through their Information Technology and Infrastructure Systems (ITIS) program. However, the ITIS is just one branch of a larger NSF cluster called the "Division of Civil and Mechanical Systems." For an overview of the research activities funded by the cluster, see this 2002 presentation by the ITIS chair, Miriam Heller.

(4b) Major research efforts on infrastructure security:

  • The Infrastructure Security Partnership
    Offers an up-to-date listing of events related to infrastructure security.

  • Rand - Infrastructure, Safety and Environment
    Focus is on physical infrastructure and the environment.

  • The Transportation Research Board
    Offers a comprehensive database of documents and reports related to security of transportation infrastructure.

  • IP3 - According to this news article, IP3 was "a consortium of two dozen cybersecurity organizations charged with coordinating a national research and development program, with a $8.5 million, two-year research program for securing computer-based systems that control critical infrastructures, such as dams." However, the $8.5M must have run out because a Google search on IP3 comes up empty.

    Posted by rjorr at May 16, 2006 4:24 PM