Lesson 3 Overview

Effective critical infrastructure protective programs and resilience strategies are comprehensive, coordinated, cost effective and risk-informed.

Risk management actions involve measures designed to prevent, deter and mitigate the threat; reduce vulnerability to an attack or other disaster; minimize consequences; and enable timely, efficient response and restoration.

This lesson provides an overview of collaborating to implement the risk management framework. By the end of this lesson, you will be able to:
  • Explain the elements of the risk management framework
  • Describe how the risk management framework can be used to enhance critical infrastructure security and resilience within and across the critical infrastructure sectors.
  • Identify activities incorporated in the risk management framework.
Managing Risk
Risk is influenced by the nature and magnitude of a threat, the vulnerabilities to that threat and the consequences that could result. Managing risks to critical infrastructure requires an integrated approach across this broad community to:
  • Identify, deter, detect, disrupt and prepare for threats and hazards to the Nation’s critical infrastructure;
  • Reduce vulnerabilities of critical assets, systems and networks; and
  • Mitigate the potential consequences to critical infrastructure of incidents or adverse events that do occur.
Given the diverse authorities, roles and responsibilities of critical infrastructure partners, flexible, proactive and inclusive partnerships are required to advance critical infrastructure security and resilience.
Glossary
  • Risk – The “potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood [a function of threats and vulnerabilities] and the associated consequences.”
  • Threat – A natural or manmade occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment and/or property.
  • Vulnerability – A physical feature or operational attribute that renders an entity open to exploitation or susceptible to a given hazard.
  • Consequence – The effect of an event, incident, or occurrence, including the number of deaths, injuries and other human health impacts along with economic impacts both direct and indirect and other negative outcomes to society.
Identifying Risks and Prioritizing Security Investments

The NIPP risk management framework establishes a process for identifying risks and prioritizing security and resilience initiatives and investments within and across sectors. The Strategic National Risk Assessment (SNRA), executed in support of PPD-8, helps identify the types of incidents that pose the greatest known threat to the Nation's homeland security, along with the uncertainty of potential interconnected events with unknown consequences.

The objective is to ensure that government and private sector resources are applied where they offer the most benefit for mitigating risk by lessening vulnerabilities, deterring threats and minimizing the consequences of all hazards, including terrorist attacks and other manmade and natural disasters.

Investments for ensuring security and resilience can include a wide range of activities, such as:
  • Hardening facilities, building resilience and redundancy and incorporating hazard resistance into facility design
  • Initiating active or passive countermeasures, installing security systems and implementing cybersecurity measures
  • Promoting workforce surety programs, conducting training and exercises
  • Planning for business continuity, including restoration and recovery actions
2011 Strategic National Risk Assessment (SNRA) National-Level Events

| Threat/Hazard Group | Threat/Hazard Type | National-level Event Description |
|---|---|---|
| Natural | Animal Disease Outbreak | An unintentional introduction of the foot-and-mouth disease virus into the domestic livestock population in a U.S. state |
| Natural | Earthquake | An earthquake occurs within the U.S. resulting in direct economic losses greater than $100 Million |
| Natural | Flood | A flood occurs within the U.S. resulting in direct economic losses greater than $100 Million |
| Natural | Human Pandemic Outbreak | A severe outbreak of pandemic influenza with a 25% gross clinical attack rate spreads across the U.S. populace |
| Natural | Hurricane | A tropical storm or hurricane impacts the U.S. resulting in direct economic losses of greater than $100 Million |
| Natural | Space Weather | The sun emits bursts of electromagnetic radiation and energetic particles causing utility outages and damage to infrastructure |
| Natural | Tsunami | A tsunami with a wave of approximately 50 feet impacts the Pacific Coast of the U.S. |
| Natural | Volcanic Eruption | A volcano in the Pacific Northwest erupts impacting the surrounding areas with lava flows and ash and areas east with smoke and ash |
| Natural | Wildfire | A wildfire occurs within the U.S. resulting in direct economic losses greater than $100 Million |
| Technological/Accidental | Biological Food Contamination | Accidental conditions where introduction of a biological agent (e.g., Salmonella, E. coli, botulinum toxin) into the food supply results in 100 hospitalizations or greater and a multi-state response |
| Technological/Accidental | Chemical Substance Spill or Release | Accidental conditions where a release of a large volume of a chemical acutely toxic to human beings (a toxic inhalation hazard, or TIH) from a chemical plant, storage facility, or transportation mode results in either one or more offsite fatalities, or one or more fatalities (either on- or offsite) with offsite evacuations/shelter-in-place |
| Technological/Accidental | Dam Failure | Accidental conditions where dam failure and inundation results in one fatality or greater |
| Technological/Accidental | Radiological Substance Release | Accidental conditions where reactor core damage causes release of radiation |
| Adversarial/Human-Caused | Aircraft as a Weapon | A hostile non-state actor(s) crashes a commercial or general aviation aircraft into a physical target within the U.S. |
| Adversarial/Human-Caused | Armed Assault | A hostile non-state actor(s) uses assault tactics to conduct strikes on vulnerable target(s) within the U.S. resulting in at least one fatality or injury |
| Adversarial/Human-Caused | Biological Terrorism Attack (non-food) | A hostile non-state actor(s) acquires, weaponizes and releases a biological agent against an outdoor, indoor, or water target, directed at a concentration of people within the U.S. |
| Adversarial/Human-Caused | Chemical/Biological Food Contamination Terrorism Attack | A hostile non-state actor(s) acquires, weaponizes and disperses a biological or chemical agent into food supplies within the U.S. supply chain |
| Adversarial/Human-Caused | Chemical Terrorism Attack (non-food) | A hostile non-state actor(s) acquires, weaponizes and releases a chemical agent against an outdoor, indoor, or water target, directed at a concentration of people using an aerosol, ingestion, or dermal route of exposure |
| Adversarial/Human-Caused | Cyber Attack against Data | A cyber-attack which seriously compromises the integrity or availability of data (the information contained in a computer system) or data processes resulting in economic losses of a Billion dollars or greater |
| Adversarial/Human-Caused | Cyber Attack against Physical Infrastructure | An incident in which a cyber-attack is used as a vector to achieve effects which are beyond the computer (i.e., kinetic or other effects) resulting in one fatality or greater or economic losses of $100 Million or greater |
| Adversarial/Human-Caused | Explosives Terrorism Attack | A hostile non-state actor(s) deploys a man-portable improvised explosive device (IED), Vehicle-borne IED, or Vessel IED in the U.S. against a concentration of people and/or structures such as critical commercial or government facilities, transportation targets, or critical infrastructure sites, etc., resulting in at least one fatality or injury |
| Adversarial/Human-Caused | Nuclear Terrorism Attack | A hostile non-state actor(s) acquires an improvised nuclear weapon through manufacture from fissile material, purchase, or theft and detonates it within a major U.S. population center |
| Adversarial/Human-Caused | Radiological Terrorism Attack | A hostile non-state actor(s) acquires radiological materials and disperses them through explosive or other means (e.g., a radiological dispersal device or RDD) or creates a radiation exposure device (RED) |

Risk Management Framework

The cornerstone of the NIPP is its risk analysis and management framework. NIPP 2013 builds upon and updates the risk management framework.

This framework consists of several components, including three interwoven elements of critical infrastructure (physical, cyber and human) and five steps toward implementing the risk management framework.

The elements are integrated through an information sharing feedback loop, as appropriate. In addition, this framework minimizes the number of steps or “chevrons” by including prioritization with the implementation of risk management activities.

[Figure: Risk management framework. Elements of Critical Infrastructure: Physical, Cyber, Human. Steps: Set Goals and Objectives; Identify Infrastructure; Assess and Analyze Risks; Implement Risk Management Activities; Measure Effectiveness. Information sharing loop.]

Set Infrastructure Goals and Objectives
This National Plan establishes a set of broad national goals for critical infrastructure security and resilience. These national goals are supported by objectives and priorities developed at the sector level, which may be articulated in Sector-Specific Plans (SSPs) and serve as targets for collaborative planning among SSAs and their sector partners in government and the private sector.
Sector-Specific Plans are:
  • Tailored to address the unique perspective, risk landscape, methodologies and approaches associated with each sector.
  • Developed jointly by the SSAs in close collaboration with Sector and Government Coordinating Councils (SCCs and GCCs) and others, including State, local, tribal and territorial critical infrastructure partners with key interests or expertise appropriate to the sector.

National Multi-Year Priorities:

Developed with input from all levels of the partnership, National multi-year priorities will complement these goals. These priorities might focus on particular goals or cross-sector issues where attention and resources could be applied within the critical infrastructure community with the most significant impact. Critical infrastructure owners and operators, as well as State, Local, Tribal, Territorial and regional entities, can identify objectives and priorities for critical infrastructure that align to these national priorities, national goals and sector objectives, but are tailored and scaled to their operational and risk environments and available resources.

Identify Infrastructure

To manage critical infrastructure risk effectively, partners must identify the assets, systems and networks that are essential to their continued operation, considering associated dependencies and interdependencies. This aspect of the risk management process also should identify information and communications technologies that facilitate the provision of essential services.

Critical infrastructure partners view criticality differently, based on their unique situations, operating models and associated risks. The Federal Government identifies and prioritizes nationally significant critical infrastructure based upon statutory definition and national considerations. SLTT governments identify and prioritize infrastructure according to their business and operating environments and associated risks. Infrastructure owners and operators identify assets, systems and networks that are essential to their continued operations and delivery of products and services to customers. At the sector level, many SSAs collaborate with owners and operators and SLTT entities to develop lists of infrastructure that are significant at the national, regional and local levels.

Effective risk management requires an understanding of criticality as well as the associated interdependencies of infrastructure. This National Plan identifies certain lifeline functions that are essential to the operation of most critical infrastructure sectors. These lifeline functions include communications, energy, transportation and water. Critical infrastructure partners should identify essential functions and resources that impact their businesses and communities. The identification of these lifeline functions can support preparedness planning and capability development.

Assess and Analyze Risks

Assess Risk

Risk is assessed as a function of consequence, vulnerability and threat. Consideration is given to the potential direct and indirect consequences of a terrorist attack or other hazards, known vulnerabilities to those threats or hazards and the nature and magnitude of the threat.

Critical infrastructure risks can be assessed in terms of the following:
  • Threat – natural or manmade occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment and/or property.
  • Vulnerability – physical feature or operational attribute that renders an entity open to exploitation or susceptible to a given hazard.
  • Consequence – effect of an event, incident, or occurrence.

Risk assessments are conducted by many critical infrastructure partners to inform their own decisionmaking, using a broad range of methodologies. These assessments allow critical infrastructure community leaders to understand the most likely and severe incidents that could affect their operations and communities and use this information to support planning and resource allocation in a coordinated manner.

To assess risk effectively, critical infrastructure partners—including owners and operators, sector councils and government agencies—need timely, reliable and actionable information regarding threats, vulnerabilities and consequences. Non-governmental entities must be involved in the development and dissemination of products regarding threats, vulnerabilities and potential consequences and provide risk information in a trusted environment. Partners should understand intelligence and information requirements and conduct joint analysis where appropriate. Critical infrastructure partnerships can bring great value in improving the understanding of risk to both cyber and physical systems and assets. Neither public nor private sector entities can fully understand risk without this integration of wide-ranging knowledge and analysis.

Analyze Risk

Risk assessments are conducted on an asset, system, or network basis. Once the three components of risk—consequence, vulnerability and threat—have been assessed for one or more given assets, systems, or networks they must be integrated into a defensible model to produce a risk estimate. DHS has identified a number of risk assessment characteristics and data requirements to produce results that enable cross-sector risk comparisons; these are termed core criteria. These features provide a guide for improving or modifying existing methodologies as well as developing new ones.

Implement Risk Management Activities
Decision makers prioritize activities to manage critical infrastructure risk based on the criticality of the affected infrastructure, the costs of such activities and the potential for risk reduction. Some risk management activities address multiple aspects of risk, while others are more targeted to address specific threats, vulnerabilities, or potential consequences. These activities can be divided into the following approaches:

Identify, Deter, Detect, Disrupt and Prepare for Threats and Hazards

  • Establish and implement joint plans and processes to evaluate needed increases in security and resilience measures, based on hazard warnings and threat reports.
  • Conduct continuous monitoring of cyber systems.
  • Employ security protection systems to detect or delay an attack or intrusion.
  • Detect malicious activities that threaten critical infrastructure and related operational activities across the sectors.
  • Implement intrusion detection or intrusion protection systems on sensitive or mission-critical networks and facilities to identify and prevent unauthorized access and exploitation.
  • Monitor critical infrastructure facilities and systems potentially targeted for attack (e.g., through local law enforcement and public utilities).

Reduce Vulnerabilities

  • Build security and resilience into the design and operation of assets, systems and networks.
  • Employ siting considerations when locating new infrastructure, such as avoiding floodplains, seismic zones and other risk-prone locations.
  • Develop and conduct training and exercise programs to enhance awareness and understanding of common vulnerabilities and possible mitigation strategies.
  • Leverage lessons learned and apply corrective actions from incidents and exercises to enhance protective measures.
  • Establish and execute business and government emergency action and continuity plans at the local and regional levels to facilitate the continued performance of critical functions during an emergency.
  • Address cyber vulnerabilities through continuous diagnostics and prioritization of high-risk vulnerabilities.
  • Undertake research and development efforts to reduce known cyber and physical vulnerabilities that have proved difficult or expensive to address.

Mitigate Consequences

  • Share information to support situational awareness and damage assessments of cyber and physical critical infrastructure during and after an incident, including the nature and extent of the threat, cascading effects and the status of the response.
  • Work to restore critical infrastructure operations following an incident.
  • Support the provision of essential services such as: emergency power to critical facilities; fuel supplies for emergency responders; and potable water, mobile communications and food and pharmaceuticals for the affected community.
  • Ensure that essential information is backed up on remote servers and that redundant processes are implemented for key functions, reducing the potential consequences of a cybersecurity incident.
  • Remove key operational functions from the Internet-connected business network, reducing the likelihood that a cybersecurity incident will result in compromise of essential services.
  • Ensure that incidents affecting cyber systems are fully contained; that asset, system, or network functionality is restored to pre-incident status; and that affected information is available in an uncompromised and secure state.
  • Recognize and account for interdependencies in response and recovery/restoration plans.
  • Repair or replace damaged infrastructure with cost-effective designs that are more secure and resilient.
  • Utilize and ensure the reliability of emergency communications capabilities.
  • Contribute to the development and execution of private sector, SLTT and regional priorities for both near- and long-term recovery.
The above activities are examples of risk management activities that are being undertaken to support the overall achievement of security and resilience, whether at an organizational, community, sector, or national level.

The Prioritization Process

The prioritization process, now incorporated into the Implement Risk Management Activities step of the NIPP risk management framework, involves aggregating, combining and analyzing risk assessment results to determine which assets, systems, networks, sectors, or combinations of these face the highest risk so that risk management priorities can be established.

It also provides the basis for understanding potential risk-mitigation benefits that are used to inform planning and resource decisions.

The NIPP risk management framework provides the process for developing comparable estimates of the risk relevant to critical infrastructure.

Comparing the risk faced by different entities helps identify where risk mitigation is needed and to subsequently determine and help justify the most cost-effective risk management options.

In addition, this prioritization process develops information that can be used during incident response to help inform decision makers regarding issues associated with critical infrastructure restoration.

Measure Effectiveness

While the results of risk analyses help set national and sector priorities, performance metrics allow NIPP partners to track progress against these priorities. The metrics provide a basis to establish accountability, document actual performance, facilitate diagnoses, promote effective management and provide a feedback mechanism to decision makers.

The critical infrastructure community evaluates the effectiveness of risk management efforts within sectors and at national, State, local and regional levels by developing metrics for both direct and indirect indicator measurement. SSAs work with SCCs through the sector-specific planning process to develop attributes that support the national goals and national priorities as well as other sector-specific priorities. Such measures inform the risk management efforts of partners throughout the critical infrastructure community and help build a national picture of progress toward the vision of this National Plan as well as the National Preparedness Goal. At a national level, the National Plan articulates broad area goals to achieve the Plan’s vision that will be complemented by a set of multi-year national priorities. The critical infrastructure community will subsequently evaluate its collective progress in accomplishing the goals and priorities.

This evaluation process functions as an integrated and continuing cycle:
  • Articulate the vision and national goals;
  • Define national priorities;
  • Identify high-level outputs or outcomes associated with the national goals and national priorities;
  • Collect performance data to assess progress in achieving identified outputs and outcomes;
  • Evaluate progress toward achievement of the national priorities, national goals and vision;
  • Update the national priorities and adapt risk management activities accordingly; and
  • Revisit the national goals and vision on a periodic basis.

Just as regular evaluation of progress toward the national goals informs the ongoing evolution of security and resilience practices, planned exercises and real-world incidents also provide opportunities for learning and adaptation.

For example, fuel shortages after Hurricane Sandy illustrated the interdependencies and complexities of infrastructure systems, the challenges in achieving shared situational awareness during large events and the need for improved information collection and sharing among government and private sector partners to support restoration activities.

The critical infrastructure and national preparedness communities also conduct exercises on an ongoing basis through the National Exercise Program and other mechanisms to assess and validate the capabilities of organizations, agencies and jurisdictions.

During and after such planned and unplanned operations, partners identify individual and group weaknesses, implement and evaluate corrective actions and share best practices with the wider critical infrastructure and emergency management communities.

Such learning and adaptation inform future plans, activities, technical assistance, training and education.

NIPP Performance Management

The key to NIPP performance management is to align outcome metrics to sector priorities. The 16 sectors are diverse, operate in every State and affect every level of government. As a result, NIPP priorities and many NIPP metrics will vary from sector to sector. All NIPP metrics must be specific and clear as to what they are measuring, practical or feasible in that the needed data are available and built on objectively measured data.

Measuring Performance

In addition to outcome metrics, other information will be utilized, such as output data and descriptive data.

Output (or Process) Data are used to gauge whether specific activities were performed as planned, track the progress of a task, or report on the output of a process. Output data show progress toward performing the activities necessary to achieve critical infrastructure protection goals and can serve as leading indicators for outcome measures. They also help build a comprehensive picture of critical infrastructure security status and activities. Examples include the number of protective programs implemented in a fiscal year, percentage of sector organizations exchanging critical infrastructure information and the level of response to a data call for asset information.

Descriptive Data are used to understand sector resources and activities, but do not reflect critical infrastructure security performance. Examples include: a narrative description of progress; the number of facilities in a jurisdiction; the population resident or working in the area affected by an incident; and the number of suppliers in an infrastructure service provider’s supply chain. NIPP metrics are evolving from the current focus on descriptive and output data to a focus on outcome metrics. Descriptive and output data have been critical during the initial implementation of the NIPP in order to closely track the progress of the sectors in building key NIPP elements, such as the SSPs and GCCs/SCCs. The next stage of NIPP implementation will concentrate on working with the sectors to identify and track outcome metrics that are aligned to sector priorities and provide NIPP partners with a more comprehensive assessment of the success of critical infrastructure security efforts.

Gathering Performance Information

DHS works with the SSAs and sector partners to:
  • Gather the information necessary to measure the level of performance associated with the progress indicators. Given the inherent differences in critical infrastructure sectors, a “one size fits all” approach to gathering this information is not appropriate.
  • Determine the appropriate measurement approach to be included in the sector’s SSP.
  • Ensure that partners engaged with multiple sectors or in cross-sector matters are not subject to unnecessary redundancy or conflicting guidance in information collection.
Information collected as part of this effort is protected.

Assessing Performance and Reporting on Progress

The National Critical Infrastructure Annual Report:

  • Is based on information about priorities, requirements and related program funding information that is submitted to DHS by the SSA of each sector, the SLTTGCC and the RC3.
  • Analyzes information about sector priorities, requirements and programs in the context of the National Risk Profile, a high-level summary of the aggregate risk and protective status of all sectors.
The National Risk Profile:
  • Drives the development of national priorities, which, in turn, are used to assess existing critical infrastructure programs and to identify existing gaps or shortfalls in national critical infrastructure security efforts.
  • Provides the Executive Office of the President with information that supports both strategic and investment decisions related to critical infrastructure security and resilience.
Physical, Cyber and Human Elements

The three interwoven elements of critical infrastructure (physical, cyber and human) are explicitly identified and should be integrated throughout the steps of the framework, as appropriate.

The risk management framework is comprehensive and takes into account the assets, systems and networks that include one or more of the following elements:

  • Physical — tangible property
  • Cyber — electronic information and communications systems and the information contained therein
  • Human — critical knowledge of functions or people uniquely susceptible to attack
Information Sharing Loop

The framework now depicts the importance of information sharing throughout the entire risk management process. Information is shared through each step of the framework, to include the “measure effectiveness” step, facilitating feedback and enabling continuous improvement of critical infrastructure security and resilience efforts.

Qualitative Feedback

The NIPP provides mechanisms for qualitative feedback that can be applied to augment and improve the effectiveness and efficiency of public and private sector critical infrastructure protective programs and resilience strategies.

DHS works with sector partners to identify and share lessons learned and best practices for all aspects of the risk management process. DHS also works with SSAs to share relevant input from sector partners and other sources that can be used as part of the national effort to continuously improve critical infrastructure security and resilience.

Risk Management Framework Features

The critical infrastructure risk management framework is designed to provide flexibility for use in all sectors, across different geographic regions and by various partners. It can be tailored to dissimilar operating environments and applies to all threats and hazards.

The framework supports a collaborative decisionmaking process to inform the selection of risk management actions.

Many organizations have risk management models that have proved effective and should be maintained; however, this framework provides an organizing construct for those models.

The risk management framework:
  • Is applicable to threats such as disasters, manmade safety hazards and terrorism.
  • Integrates and coordinates strategies, capabilities and governance to enable risk-informed decisionmaking.
  • Is tailored and applied on an asset, system, network, or functional basis, depending on the fundamental characteristics of the individual critical infrastructure sectors.
Risk Reduction

In addition to the identified threat-, vulnerability- and consequence-reducing activities, risk reduction can be achieved through critical infrastructure and control system design.

Factoring security and resilience measures into design decisions early can facilitate integration of measures to mitigate physical and cyber vulnerabilities as well as natural and technological hazards at lower cost.

Governments and businesses can better invest in measures that increase the security and resilience of both critical infrastructure and the broader society through risk analysis, evidence-based design practices and consideration of costs and benefits.

Such efforts are also helpful during infrastructure recovery efforts, in those instances when the Federal Government is working with communities and industry to rebuild infrastructure.

NIPP 2013 Supplement: National Protection and Programs Directorate Resources to Support Vulnerability Assessments

Assessing vulnerabilities of critical infrastructure is an important step in developing security solutions and managing critical infrastructure risk. The Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) works with owners and operators to conduct vulnerability assessments of select critical infrastructure to inform its internal risk management processes and provide technical assistance to its State, local, tribal and territorial (SLTT) and private sector partners to enable their own risk assessments and security plans. NPPD provides additional resources, typically in the form of informational material on known vulnerabilities, to help owners and operators understand vulnerabilities at a more general level.

This supplement provides information on Federal resources that are used by DHS and available to SLTT governments and critical infrastructure owners and operators to identify and assess critical infrastructure vulnerabilities.

NIPP 2013 Supplement: Incorporating Resilience into Critical Infrastructure Projects

This supplement provides the steps that support development decisions and investments in infrastructure that will enhance the resilience of critical infrastructure systems. This supplement was developed through research into existing resilience strategies, including the Hurricane Sandy Rebuilding Strategy and the updated NIPP 2013, Partnering for Critical Infrastructure Security and Resilience.

It is intended for government decision makers at all levels who are undertaking new infrastructure projects or enhancing security and mitigation measures on existing government-owned infrastructure. It also can be used more broadly by all critical infrastructure owners and operators as decisions are made to invest in infrastructure replacements or improvements.

NIPP 2013 Supplement: Executing a Critical Infrastructure Risk Management Approach

Risk information allows partners to prioritize risk management efforts.

This supplement describes a useful critical infrastructure risk management approach which supports the risk management framework. The framework enables the integration of related critical infrastructure strategies, capabilities and governance structures to enable risk-informed decisionmaking. The risk management approach described in this supplement can be applied to all threats and hazards, although different information and methodologies may be used to understand each.

Lesson 3 Summary
In this lesson you learned to:
  • Explain the elements of the risk management framework
  • Describe how the risk management framework can be used to enhance critical infrastructure security and resilience within and across the critical infrastructure sectors.
  • Identify activities incorporated in the risk management framework.
Below are the NIPP 2013 resources referenced in this lesson for further review: