Lesson 1 Overview
Natural and manmade disasters, such as the Oklahoma City bombing, Hurricanes Katrina and Sandy, significant cyber-attacks and disruptions to the power grid, have impacted America's national and economic security as we are increasingly reliant on critical infrastructure, including cyber-based information systems. Regardless of what kind of hazard occurs within the Nation (natural or manmade), critical infrastructure is affected in some significant way (for example, disruption, damage, or destruction). When our critical infrastructure isn’t fully functional, society suffers because the products and services provided by critical infrastructure underpin everything that we rely on to live our lives – food, water, healthcare, electricity, communications, transportation, etc.
By the end of this lesson you will be able to:
  • Define critical infrastructure, security and resilience.
  • Describe the unifying structure for integration of security and resilience efforts.
  • Explain the importance of critical infrastructure partnerships.
  • Recognize the seven Core Tenets and explain how they support critical infrastructure security and resilience.
Audio Transcript

Critical infrastructure, such as water, energy, electricity and petroleum products, represents day-to-day goods and services that are a part of the life of every single American.

Critical infrastructure provides the foundation for the Nation’s ability to maintain our way of life.

Protecting the critical infrastructure of the United States is essential to the Nation’s security, public health and safety, economic vitality and way of life. Disruption of America’s critical infrastructure could significantly interrupt the functioning of government and business alike and produce cascading effects far beyond the targeted sector and physical location of the incident. Direct terrorist attacks and natural, manmade, or technological hazards could produce catastrophic losses in terms of human casualties, property destruction and economic effects, as well as profound damage to public morale and confidence.

The National Infrastructure Protection Plan is the path forward toward building and enhancing protective measures for the critical infrastructure that sustains commerce and communities throughout the United States.

Critical Infrastructure

Our national well-being relies upon secure and resilient critical infrastructure—those assets, systems and networks that underpin American society.

NIPP 2013 guides the national effort to manage risk to the Nation’s critical infrastructure. This national effort is shared by all levels of government and owners and operators of critical infrastructure. The Nation’s critical infrastructure is largely owned and operated by the private sector; however, Federal, State, Local, Tribal and Territorial governments also own and operate critical infrastructure, as do foreign entities and companies.

Critical Infrastructure
Critical infrastructure includes systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
Some examples of critical infrastructure include:
  • Tunnels serving as a primary conduit for transportation, water, electric, communications and gas lines
  • Supply lines bringing power, communications, food and water to a community
  • Financial services underpinning our economic system
National Infrastructure Protection Plan (NIPP)

NIPP 2013 influences critical infrastructure security and resilience planning at all governmental and owner and operator levels by establishing a vision, mission and goals that are supported by a set of Core Tenets focused on risk management and partnership.

Building on the partnership and risk management framework introduced in 2006, the 2013 update is informed by changes in the risk, policy and operating environments and from experiences gained and lessons learned since the previous NIPP was issued.

The NIPP Mission and Vision
The strategic direction is driven by a common vision and mission; a Nation in which:
  • Physical and cyber critical infrastructure remain secure and resilient;
  • Essential services and products continue to be delivered in the face of incidents; and
  • Communities and businesses adapt to changing conditions and withstand and rapidly recover from potential disruptions.

This vision complements and supports the President’s priorities for national security, national preparedness and community resilience. Critical infrastructure partners collectively identify priorities, articulate clear goals, mitigate physical and cyber risks, measure progress and adapt based on feedback and the changing environment to strengthen security and resilience.

The NIPP Mission
The NIPP Mission is “To strengthen the security and resilience of the Nation’s critical infrastructure, by managing physical and cyber risks through the collaborative and integrated efforts of the critical infrastructure community.”
The NIPP Vision
The NIPP Vision is “A Nation in which physical and cyber critical infrastructure remain secure and resilient, with vulnerabilities reduced, consequences minimized, threats identified and disrupted and response and recovery hastened.”
Security and Resilience

Presidential Policy Directive 21 (PPD-21) defines security and resilience as follows:

Security: Reducing the risk to critical infrastructure by physical means or defens[ive] cyber measures to intrusions, attacks, or the effects of natural or manmade disasters.

Some examples of protective measures to increase critical infrastructure security include:
  • Addressing threats and vulnerabilities
  • Sharing accurate information and analysis on current and future risks
  • Installing exterior locks and positioning bollards around an important building
  • Properly marking and storing sensitive information
Resilience: The ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions; includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.
Some examples of preparedness efforts to increase critical infrastructure resilience include:
  • Having accurate information and analysis about risk
  • Planning for mitigation, response, and recovery activities
  • Performing regular back-ups of information systems
  • Pre-positioning emergency provisions in a separate location
NIPP 2013 Goals

The vision and mission depend on achieving five goals that strategically direct the focus of critical infrastructure activities.

The National Goals include:

  1. Assess and analyze risks to critical infrastructure
  2. Address the human, physical and cyber threat
  3. Enhance security and resilience through advance planning
  4. Share actionable and relevant information across the critical infrastructure community
  5. Promote learning and adaptation

These goals will be augmented by the regular development of more specific risk management and capability enhancement priorities determined by the critical infrastructure partnership.

National Infrastructure Protection Plan Goals
  1. Assess and analyze threats to, vulnerabilities of and consequences to critical infrastructure to inform risk management activities;
  2. Secure critical infrastructure against human, physical and cyber threats through sustainable efforts to reduce risk, while accounting for the costs and benefits of security investments;
  3. Enhance critical infrastructure resilience by minimizing the adverse consequences of incidents through advance planning and mitigation efforts and employing effective responses to save lives and ensure the rapid recovery of essential services;
  4. Share actionable and relevant information across the critical infrastructure community to build awareness and enable risk-informed decisionmaking; and
  5. Promote learning and adaptation during and after exercises and incidents.
A Whole-Community Approach to Building and Sustaining Unity of Effort

Based on the vision, mission and goals, the critical infrastructure community works jointly to set specific national priorities, while considering resource availability, progress already made, known capability gaps and emerging risks. Jointly-developed priorities drive national action and are supplemented by sector, regional, State, Local, Tribal and Territorial priorities.

Performance measures will be set based on the goals and Joint National Priorities. National reporting mechanisms include measuring progress, which helps build a common understanding of the state of security and resilience efforts.

The interrelationship of these elements is depicted in the National Plan’s approach to building and sustaining unity of effort.

Graphic entitled “Critical Infrastructure Community: Partnership-based collective action.” Shows the NIPP 2013 Elements. Core Tenets: Values and assumptions that guide planning and activities throughout cycles (National; Sector, Regional, SLTT). Vision: Where we want to be. Mission: Who we are and why we are here. Goals: What we want to accomplish. Priorities: What we will do: NIPP 2013: Partnering for Critical Infrastructure Security and Resilience Call to Action and Activities (Multi-Year); Additional Priorities to Be Identified Through Partnership Priority-Setting and Joint Planning Processes. Performance Measures: How we will know we have accomplished our goals/priorities.
The National Plan’s Approach to Building and Sustaining Unity of Effort
The critical infrastructure community works collaboratively to set specific national priorities, while considering resource availability, progress already made, known capability gaps and emerging risks.
Importance of Critical Infrastructure Partnerships
The community involved in managing risks to critical infrastructure is wide-ranging, composed of partnerships among private and public owners and operators; all levels of governments; regional entities; non-profit organizations; and academia. Secure and resilient critical infrastructure is achieved when the stakeholders leverage the full spectrum of capabilities, expertise and experience of their partners and share actionable and relevant information to effectively build situational awareness and effective risk-informed decisionmaking.
NIPP 2013 Supplements
NIPP 2013 is augmented by a series of supplements that serve as tools and resources that can be used to implement specific aspects of the Plan.
  • Connecting to the National Infrastructure Coordinating Center (NICC) and the National Cybersecurity and Communications Integration Center (NCCIC)
  • Executing a Critical Infrastructure Risk Management Approach
  • Incorporating Resilience into Critical Infrastructure Projects
  • National Protection and Programs Directorate Resources to Support Vulnerability Assessments
You will learn more about each of these supplements in later lessons.
The Core Tenets

Given the diverse roles and responsibilities across the infrastructure community, a proactive, collaborative and inclusive partnership among all levels of government and the private and non-profit sector is required to ensure optimal use of existing capabilities and to develop new ones. Additionally, infrastructure critical to the United States transcends national boundaries, requiring cross-border collaboration, mutual assistance and other cooperation.

The National Plan establishes seven Core Tenets, representing the values and assumptions the critical infrastructure community should consider when conducting security and resilience planning.

  1. Coordinated and comprehensive risk identification and management
  2. Cross-sector dependencies and interdependencies
  3. Enhanced information sharing
  4. Comparative advantage in risk mitigation
  5. Regional and SLTT partnerships
  6. Cross-jurisdictional collaboration
  7. Security and resilience by design
Core Tenet #1

Risk should be identified and managed in a coordinated and comprehensive way across the critical infrastructure community to enable the effective allocation of security and resilience resources.

Collaboratively managing risk requires sharing information (including smart practices), promoting more efficient and effective use of resources and minimizing duplication of effort. To ensure a comprehensive approach to risk management, the critical infrastructure community considers strategies to achieve risk mitigation, as well as other ways to address risk, including acceptance, avoidance, or transference.

Core Tenet #2

Understanding and addressing risks from cross-sector dependencies and interdependencies is essential to enhancing critical infrastructure security and resilience.

The way infrastructure sectors interact, including through reliance on shared information and communications technologies (e.g., cloud services), shapes how the Nation’s critical infrastructure partners should collectively manage risk. It is important for the critical infrastructure community to understand and appropriately account for dependencies and interdependencies when managing risk. For example, all sectors rely on functions provided by energy, communications, transportation and water systems, among others.

Core Tenet #3

Gaining knowledge of infrastructure risk and interdependencies requires information sharing across the critical infrastructure community.

Critical infrastructure community members possess and produce diverse information useful to the enhancement of critical infrastructure security and resilience. Sharing and jointly planning based on this information is imperative to comprehensively address security and resilience in an increasingly interconnected environment. For that to happen, appropriate legal protections, trusted relationships, enabling technologies and consistent processes must be in place.

Core Tenet #4

The partnership approach to critical infrastructure security and resilience recognizes the unique perspectives and comparative advantages of the diverse critical infrastructure community.

The public-private partnership is central to maintaining critical infrastructure security and resilience. A well-functioning partnership depends on a set of attributes, including trust; a defined purpose for its activities; clearly articulated goals; measurable progress and outcomes to guide shared activities; leadership involvement; clear and frequent communication; and flexibility and adaptability. All levels of government and the private and nonprofit sectors bring unique expertise, capabilities and core competencies to the national effort. Recognizing the value of different perspectives helps the partnership more distinctly understand challenges and solutions related to critical infrastructure security and resilience.

Core Tenet #5

Regional and SLTT partnerships are crucial to developing shared perspectives on gaps and actions to improve critical infrastructure security and resilience.

The National Plan emphasizes partnering across institutions and geographic boundaries to achieve security and resilience. Risks often have local consequences, making it essential to execute initiatives on a regional scale in a way that complements and operationalizes the national effort. This requires locally based public, private and non-profit organizations to provide their perspectives in the assessment of risk and mitigation strategies.

Core Tenet #6

Infrastructure critical to the United States transcends national boundaries, requiring cross-border collaboration, mutual assistance and other cooperative agreements.

The United States benefits from and depends upon a global network of infrastructure. The distributed nature and interconnectedness of these assets, systems and networks create a complex environment in which the risks the Nation faces are not distinctly contained within its borders. Services provided by critical infrastructure are often dependent on information gathered, stored, or processed in highly distributed locations. It is imperative that the government, private sector and international partners work collaboratively to fully understand supply chain vulnerabilities and to implement coordinated, not competing, global security and resilience measures. The National Plan is focused on domestic efforts, while recognizing the international aspects of the national approach.

Core Tenet #7

Security and resilience should be considered during the design of assets, systems and networks.

As critical infrastructure is built and refreshed, those involved in making design decisions, including those related to control systems, should consider the most effective and efficient ways to identify, deter, detect, disrupt and prepare for threats and hazards; mitigate vulnerabilities; and minimize consequences. This includes considering infrastructure resilience principles.

Lesson 1 Summary
In this lesson you learned to:
  • Define critical infrastructure, security and resilience.
  • Describe the unifying structure for integration of security and resilience efforts.
  • Explain the importance of critical infrastructure partnerships.
  • Recognize the seven Core Tenets and explain how they support critical infrastructure security and resilience.
Below are the NIPP 2013 resources referenced in this lesson for further review: