Your Guide to U.S. Critical Infrastructure
Your Guide to U.S. Critical Infrastructure
1
2
GovLoop Guide
Contents 3 Introduction
18
Financial Services
4 Managing the Mounting Complexity of Critical Infrastructure
19
Food & Agriculture
20
Government Facilities
6
Chemical
21
Healthcare & Public Health
7
Commercial Facilities
8
Communications
22 Maintaining Resilient State & Local Assets in Utah
9
Critical Manufacturing
11 Providing Resiliency and End-to-End Security for Your Networks
24
Information Technology
25
Nuclear Reactors, Materials & Waste
26
Transportation Systems Water & Wastewater Systems
12
Dams
27
13
Defense Industrial Base
14
Emergency Services
28 Maintaining Secure Critical Infrastructure
15
Energy
17 Supporting Critical Infrastructure in the Cloud
30 Sector Interdependencies 31 Conclusion 33 About & Acknowledgments
Your Guide to U.S. Critical Infrastructure
1
2
GovLoop Guide
Introduction Consider the dozens of actions you take every single day as a citizen in the United States. You turn on your light switch when you wake up; you get water out of your faucet to fill up the coffee maker. You drive on roads or take a bus to work; you buy items online and conduct your banking through the internet. All of these actions are so common that they are nearly invisible to us in 2016, but the truth is they are all reliant on an underlying fabric of essential services that underpin American society and serve as the backbone of our nation’s economy, security, and health. That’s critical infrastructure and it’s something everybody in government should endeavor to know more about. With that in mind, this GovLoop guide serves as an overview of critical infrastructure in government today – what it is, why it matters, how each sector works, and what you as a government employee need to know about it. We’ve included overviews of the 16 sectors that make up critical infrastructure in government as a whole, and delve into important statistics, functions, and definitions for each of them. We also interview two government experts who work in critical infrastructure in different capacities, to highlight how government actually safeguards our assets. As you’ll learn in this guide, the definition of critical infrastructure is evolving and its operation is tightly interwoven with how the entire public sector works and serves the country. We hope this overview gives you a deeper understanding of what critical infrastructure in America means today, and how it might impact us in the future.
Your Guide to U.S. Critical Infrastructure
3
Managing the Mounting Complexity of Critical Infrastructure An interview with Caitlin Durkovich, Assistant Secretary for Infrastructure Protection, and Marty Edwards, Director of Industrial Control Systems Cyber Emergency Response Teams, at the Department of Homeland Security
A primary responsibility of the Department of Homeland Security (DHS) is maintaining and securing the assets, systems, and networks comprising the 16 critical infrastructure sectors. That’s no easy task and – as Caitlin Durkovich, the Assistant Secretary for Infrastructure Protection within the National Protection Programs Directorate, and Marty Edwards, Director of Industrial Control Systems Cyber Emergency Response Teams (ICS-CERT) explained – it’s only getting more difficult. In a recent interview with GovLoop, Durkovich and Edwards explained how critical infrastructure is becoming more complex to monitor, maintain, and secure in the light of an ever-changing and complex world. “We’ve gotten very good at preparing for the consequences of the higher frequency, lower consequence events like tropical storms, tornados and small earthquakes,” said Durkovich. She
4
GovLoop Guide
also said they were prepared to confront other common security incidents like physical insider threats and even low-grade terrorist attacks. Those perils still exist for critical infrastructure sectors. However, new risks and challenges are also emerging. Durkovich and Edwards described the fluid landscape of critical infrastructure today as vulnerable to an increased connectivity of cyber systems and an amplified interdependency between sectors challenge critical infrastructure owners and operators.
NEW CHALLENGES What’s probably most ubiquitous is the expanding network of IT systems connecting critical infrastructure to the internet. “Almost all of the sectors, and even some outliers that people don’t necessarily think about, are becoming more and more dependent on cyber-enabled devices,” said Edwards.
While those digital capabilities allow infrastructures to be monitored and maintained in innovative new ways, the connections they rely on also create new vulnerabilities. As Edwards noted, “Anywhere there is a connection, there is a risk.” Of course, increased cyber connectivity and the risks it brings is not a new occurrence in our everyday lives. However, Edwards impressed the serious impact that connectivity can have in critical infrastructure. “You know, it’s one thing if a single person gets their hard drive locked by a ransomware attack, and has to pay several hundred dollars to get it unlocked,” he said. “It’s a totally different scenario if an entire hospital is unable to perform their medical duties because all of their computing infrastructure has been taken ransom.” While many private sector companies are taking steps to secure those connections, Edwards said many companies are also struggling to initiate effective cybersecurity
“We’re trying to level the playing field to get all of the owners and operators of these critical assets to recognize that cyber is a real risk that they have to plan and mitigate for.” Marty Edwards, Director of Industrial Control Systems Cyber Emergency Response Teams (ICS-CERT)
strategies. “That’s our biggest challenge,” he said. “We’re trying to level the playing field to get all of the owners and operators of these critical assets to recognize that cyber is a real risk that they have to plan and mitigate for.” This enhanced cyber connectivity is also creating more ties between sectors, as they all become interlocked on the same physical and cyber grids. “What we have seen is an evolution where it is increasingly difficult to bucket and bin the world of critical infrastructure neatly into 16 sectors,” Durkovich said. “In part, that’s because you have companies that operate in multiple sectors. But more importantly, it’s because we have created this complex ecosystem of critical infrastructure, where you have critical functions that are dependent on other critical functions.” To confront that reality, the department and its partners are moving away from an asset-focused approach to maintenance and security. Instead, they look at the interconnectivity of sectors to mitigate the “cascading impact” that one service disruption might have on others. However, that holistic approach requires better coordination and new skills to create.
DHS RESOURCES HELP BRIDGE THE GAP Durkovich summarized the primary challenge DHS seeks to address: “How do you continue to build a critical infrastructure workforce that understands the aging, older infrastructure, yet has the skills to
bring that company into the modern era, and understand all of the principles that we’ve been talking about here today?” To create a private sector capable of maintaining and securing an increasingly complex critical infrastructure environment, the department provides a number of services including coordination, training, and education of asset owners and operators. “We have a number of different ways that we coordinate with both private and state and local owners of critical infrastructure assets,” Durkovich said. “The first is really on the ground. We have over a hundred protective security advisors. These are security specialists who are in every state and major urban area to bring to bear the suite of DHS resources. They can do a vulnerability assessment of a critical infrastructure facility – helping owners understand where their strengths and weaknesses are and where they can make investments to improve that security and resilience posture.” To increase the efficacy and reach of these collaborations, Durkovich said DHS is beginning to integrate more small and medium-sized businesses, as well as non-traditional private sector partners like churches and community centers, into coordinated efforts. However, the department faces a unique challenge in achieving that objective. While Durkovich mentioned one program where her office has direct oversight of high-risk chemical facilities, most of the department’s collaboration with the private sector is done on a voluntary basis. Similarly, ICS-CERT’s partnerships with the private sector are not mandatory, instead relying
on a willingness from infrastructure owners to invest in cybersecurity. Where DHS cannot play a central role in daily operations and collaboration, the department provides training so that others can bring the necessary security skills into private companies and critical infrastructure assets. “The government itself is certainly challenged with hiring enough cybersecurity professionals, and we work every day on various programs to try to help bridge that gap – whether it’s our advanced university placement programs and partnerships we have with educational institutions, or our own internal training,” Edwards said. Finally, DHS maintains a wealth of educational resources to make critical infrastructure best practices available to all sectors. Edwards pointed to multiple DHS resources for securing critical assets connected to the internet as a primary asset. Those resources are available online. “And in the case of some sort of incident or event, owners and operators are certainly welcome to reach out to us, and we can deploy a team if necessary to help them deal with the effects of whatever has occurred,” he said. That’s the key role that Durkovich’s and Edwards’ DHS teams play in creating a robust critical infrastructure ecosystem. While they build the strategies and plans to strengthen the nation’s critical infrastructure, their real objective is to empower and enable private owners and operators to manage an increasingly complex environment of critical assets.
Your Guide to U.S. Critical Infrastructure
5
Chemical The chemical sector broadly is responsible for the conversion of natural resources like crude oil and gas, metals, water, air and minerals into elemental chemicals or complex compounds that are used in a range of domestic, commercial and industrial areas. The sector is divided into five main areas: basic chemicals, specialty chemicals, agricultural chemicals, pharmaceuticals, and consumer products.
800,000 workers employed in this sector to
manufacture, store, & transport chemicals
96% of U.S. goods in 2013 were manufactured using chemical sector products.
$600,000,000,000 to $700,000,000,000 chemical sector yearly revenue
SECTOR LEADERSHIP
Sector-Specific Agency (SSA): Department of Homeland Security The majority of chemical sector facilities are privately owned, making it more complex for DHS and other public sector entities to manage. Energy, environmental, and security agencies all have a role to play in regulating the sector, while emergency response organizations step in when sector security fails.
3 THINGS TO KNOW Physical security is a primary concern for the chemical sector. Physically insecure chemical manufacturing can have negative environmental impacts. Additionally, poor manufacturing or security processes can create critical national security risks. To diminish that risk, DHS has created Chemical Facility Anti-Terrorism Standards and a Chemical Security Awareness Guide for all privately owned facilities, as well as an annual Chemical Sector Security Summit.
6
GovLoop Guide
Geography is a crucial consideration for the chemical sector. Many chemical facilities are geographically concentrated around coastal ports, positioned for massive importing and exporting of materials and products. To move those chemicals within the United States, this sector is heavily reliant on another critical infrastructure – transportation systems.
Oil and natural gas production comprise a large portion of chemical manufacturing operations in the United States. As a result, the health of the chemical sector is closely tied to the economic health of the country, as well as mobility of citizens.
Commercial Facilities The Commercial Facilities (CF) sector deals largely with public, unsecure spaces. Because most of these spaces are privately managed, there is very little interaction between sector owners and the federal government. The sector is made up of eight subsectors, including gaming, lodging, entertainment and media, outdoor activities, public assembly, sports leagues, retail, and real estate.
>100
active-shooter preparedness workshops delivered by the commercial facilities sector since 2007
Entertainment and familyoriented venues, like theme and amusement parks, were visited by 341 million people in 2007, generating $12 billion in revenue.
$4.4 TRILLION
In 2008, the retail subsector generated over $4.4T in annual sales.
SECTOR LEADERSHIP
SSA: Department of Homeland Security As the commercial facilities sector is, for the most part, privately owned, DHS has a more complicated time managing it. Councils, such as the Sector Coordinating Council (SCC) and the Government Coordinating Council (GCC), however, have allowed owners and operators in the sector to interact with one another as well as other organizations at the local, regional, and federal levels.
3 THINGS TO KNOW As part of the 2015 sector-specific plan, the CF sector identified 24 priorities that CF bodies across the country are preparing to implement. These activities are being set into motion with the goal of improving safety, security, and the strength of the CF sector across the U.S.
Because facilities all operate on an open public access system, security in the commercial facilities sector is a highly vested interest at the national level. With limited security barriers, the ability to move about the space so freely, many facilities being internationally recognized landmarks, the significant amount of revenue generated, and general public safety, security for the CF sector has proven to be the largest cause of stress among owners and operators, as well as federal agencies involved.
Social media has had a highly significant impact on the CF sector in recent years. If an attack happens, then the sector has the new duty of responding quickly, as well as publicly. Social media also makes it much easier for an attacker to organize others, or even organize a protest or mob.
Your Guide to U.S. Critical Infrastructure
7
Communications The communications sector brings an “enabling function” to all other critical infrastructure sectors. This sector is made up of five core networks: broadcasting, cable, satellite, wireline, and wireless. Together, those functions generate about 7 percent of the U.S. economy. The sector, however, faces a variety of physical, cyber and manmade risks.
internet, c. 2000
Information and communication technology companies contributed over $1 trillion to the nation’s gross domestic product in 2014, and also provided the U.S. with 3.5 million jobs.
More than 7,700 cable systems comprise the U.S. cable network.
mobile data, c. 2013
In 2013, mobile data traffic alone was almost 18 times the size of the internet circa 2000.
SECTOR LEADERSHIP
SSA: Department of Homeland Security The communications sector is privately owned, which makes management and responsibility a complex issue. The Communications Sector Coordinating Council (CSCC) and Communications Sector Government Coordinating Council (CGCC) have come together to organize and prepare the sectors’ private owners against any threats or attacks.
3 THINGS TO KNOW While the communications sector does rely some on other sectors, it is the most relied-on sector in the U.S.’s critical infrastructure. At the very least, the other sectors rely on the communications sector for simple day-to-day collobaration and coordination within and between agencies.
8
GovLoop Guide
Global political unrest plays a large part in the risk assessment of the communications sector. Because the sector is private, and has vendors, suppliers, factories, and employees located internationally, monitoring geopolitical standings, as well as weather and economic standings, is a crucial aspect of securing the sector as a whole.
Because tech and communications are ever-evolving, this sector is one of the more dynamic sectors. Since the last time the sector underwent an update in 2010, the Communications sector has been focused on keeping up with the rapidly changing network infrastructures, cloud technologies, IoT, mobile broadbands, Internet Protocol networks, and Voice over IP’s that are transforming the way the sector, and the government as a whole, works.
Critical Manufacturing This sector focuses on the identification, assessment, prioritization, and protection of nationally significant manufacturing industries that may be susceptible to manmade and natural disasters. There are several manufacturing industries core to the sector including primary metals, machinery, electrical equipment, and transportation equipment.
In 2013, the U.S. manufacturing industry represented 12.5% of GDP, contributing $2.08 trillion.
On its own, manufacturing in the U.S. would be the eighth-largest economy in the world.
60% percent of U.S. exports produced by the manufacturing industry
SECTOR LEADERSHIP
SSA: Department of Homeland Security In addition to DHS leadership, the Critical Manufacturing Government Coordinating Council – a self-organized, self-governed council of representatives from more than 60 manufacturing companies – provides a forum for private companies to coordinate on sector strategy, policy, information sharing, and risk management activities.
3 THINGS TO KNOW With rising international commerce, manufacturers’ supply chains have grown more extensive, complex, and interdependent – involving potentially hundreds of suppliers in as many regions. A global web of transportation pathways, information technology, and cyber and energy networks have created supply chain efficiencies that enable just-in-time shipments and reduced inventories – but also decrease the ability to absorb disruptions.
Manufacturers in the sector process raw materials and primary metals; produce engines, turbines, and power transmission equipment; produce electrical equipment and components; and manufacture cars, trucks, commercial ships, aircraft, rail cars, and their supporting components.
Critical manufacturing facilities are heavily clustered around major U.S. coastal ports. This not only allows for the easy delivery of raw materials imports and international product distribution, but also subjects multiple producers to local and regional disruptions.
Your Guide to U.S. Critical Infrastructure
9
Download Your Free Report
Cisco 2016 Midyear Cybersecurity Report Learn security industry insights and key findings taken from threat intelligence and the latest cybersecurity trends.
10
GovLoop Guide
Providing Resiliency and End-toEnd Security for Your Networks An interview with Marc Blackmer, Product Marketing Manager, Industry Solutions, Cisco In April 2015, news broke that personally identifiable information on more than 21.5 million federal employees, contractors and applicants had been compromised because of a hack of the Office of Personnel Management (OPM). OPM estimated it will spend more than $133 million in the next three years to provide identity theft protection services to the victims. And although the OPM breach marked the single greatest loss of information by a government agency, it was just the latest and largest in a string of other government breaches. All of these attacks have brought security to the forefront of federal officials’ attention. And while there is no quick fix, the need for an end-to-end solution is overwhelming, because as the breaches show, security is everyone’s problem — not just IT’s. The good news for agencies is that there is help. GovLoop sat down with Marc Blackmer, Product Marketing Manager at Cisco, a leader in networking and cybersecurity, to discuss how agencies can obtain end-to-end security for control networks with an operations technology approach that helps to improve service resiliency. Blackmer explained that when it comes to securing end points in terms of critical infrastructure, traditional cybersecurity approaches can’t always be used. “With critical infrastructure you’re talking about the power grid, nuclear power, water supplies, transportation, and more,” he explained. “So the typical security approaches can’t be applied in that space. If you get things
wrong and you shut down a critical section of a manufacturing plant or anything like that, there is the possibility for real physical damage to happen to both people and the environment.” Additionally, the federal government faces the challenge of needing to respond to security and compliance challenges as networks evolve from closed systems to Internet-enabled operational technology (OT) connectivity. Facilities continue to be networked and Internet of Things (IoT) endpoints proliferate as the technology creates new opportunities for increased efficiency and operational effectiveness. Yet extensive legacy hardware and software that are not designed to address security dominate existing systems. A holistic approach to the cybersecurity risks facing the country’s critical infrastructure has been something that Cisco has developed over the years. They realize that protecting critical infrastructure requires a comprehensive solution—not one single product. To provide a solution that works, multiple products must operate together without introducing complexity or impacting accessibility while providing excellent levels of protection for the federal sector. As Blackmer explained, an end-to-end security architecture that supports critical infrastructure can’t be just about cybersecurity. It must also include physical security, cybersecurity, compliance, intrusion detection and prevention, data center security, and security management. This all has to be done realizing that services must stay resilient and up-and-running.
This is where Cisco’s ability and experience comes in. Cisco has been developing innovative networking products for more than 30 years and has a large installed base in networks around the globe. As threats to networks have evolved, Cisco responded with a Secure Development Lifecycle to ensure that security is built in to the underlying architecture of solutions and embedded throughout the enterprise. Ensuring this security is a continuous process. As new products are developed and existing products are updated, security is embedded into every platform. “We have decades of experience designing, implementing, and operating control networks and are uniquely positioned to advise our government customers on best practices, policies and hiring, as well as provide technical expertise,” Blackmer said. He also explained that integration with technical partners extends Cisco’s capabilities even further, which gives their customers more visibility and control. At the end of the day, end-to-end security is about a holistic, comprehensive framework that allows for visibility and control. “When it comes to the public sector and critical infrastructure, it’s a different ballgame,” Blackmer said. “So we’re very adept at making sure our solutions are effective in a manner that is appropriate for the environment we are protecting. If there’s an outbreak within a power grid, the lights still need to be kept on for the public. Cisco has that experience and knowledge to help mitigate the threat while making sure services still remain up and resilient.”
Your Guide to U.S. Critical Infrastructure
11
Dams Dams deliver critical water retention and control services, including municipal and industrial water supplies, sediment and flood control, river navigation for inland bulk shipping, industrial waste management, and recreation. Consequences of dam sector disruption are broken down into three categories: economic impact, human health, and impact on critical functions such as irrigation or hydropower generation.
There are over
87,000 dams spread across the United States.
At least 10% of U.S. cropland is irrigated by the dams sector.
More than 43 percent of the U.S. population is protected from flooding by dams.
SECTOR LEADERSHIP
SSA: Department of Homeland Security The majority of this sector is managed by private organizations. About 65 percent of U.S. dams are privately owned, and approximately 77 percent are regulated by state dams safety offices.
3 THINGS TO KNOW While natural and manmade disasters are a risk for this sector, one of the major concerns for dams is the current limitation in funding for maintenance and rehabilitation. According to DHS, an estimated 4,000 dams and 91 percent of federally inspected levees are in need of immediate repair.
12
GovLoop Guide
Not all components of the dams sector are created equal. To prioritize between the wide array of assets, DHS created a strategy called the Consequence-Based Top Screen. It is supported by an online tool, which analyzes how any asset might impact the U.S. infrastructure in a “worst reasonable case scenario.” It also establishes common criteria for measuring consequence elements like human health and mission disruption.
While dams are regulated by government agencies, management companies primarily maintain privately owned assets’ physical security. To assist private owners with dam security, DHS provides guidance on suspicious activity indicators like bomb threats, overflights, and weapons discoveries. It also offers an Activity Reporting Tool for industry to relay that information to relevant authorities at all levels of government.
Defense Industrial Base The defense industrial base (DIB) sector is the global industrial complex that enables research and development of military weapons systems and their components. It provides products and services to ensure sustainable military operations at home and abroad.
$113
100,000+
MILLION
companies & subtractors operate in partnership with the Department of Defense, providing both services & materials
approved by DoD for 2011-2016 to convert the DIB Cybersecurity & Information Assurance Pilot into a full-time program
The sector has 5 main goals: 1. Manage sector risk 2. Foster collaboration, information sharing & training 3. Ensure personnel security 4. Provide physical security 5. Promote information security
SECTOR LEADERSHIP
SSA: Department of Defense DoD is responsible for coordinating all critical infrastructure efforts across the defense industrial base and its partners. Specifically, the chairman of the Defense Industrial Base Sector Coordinating Council helms the defense industrial base.
3 THINGS TO KNOW The DIB has a set of 16 risk mitigation activities that establish the roadmap for continued improvement of protection efforts throughout the sector. These include business continuity plans, dependency analysis, and sector outreach activities.
The public sector component of the defense industrial base consists of laboratories, manufacturing facilities, and capabilities for production of uniquely military materials and services. On the other hand, the private sector element of DIB delivers the products to DoD.
Private sector partnership in the DIB is voluntary. This is one of the biggest challenges the DIB partnership faces in implementing the sector-specific plan. While many large defense industry firms place great emphasis on protecting their infrastructure, many smaller firms face difficulties allocating the capital to participate in the partnership.
Your Guide to U.S. Critical Infrastructure
13
Emergency Services The emergency services sector’s (ESS) mission is to save lives, protect property and the environment, assist communities impacted by disasters, and aid recovery during emergencies. It includes five key functions: law enforcement, fire and emergency services, emergency medical services, public works and emergency management. The ESS includes geographically distributed facilities and equipment in both paid and volunteer capacities.
2.5
MILLION
career & volunteer personnel serving in all 50 states, 5 territories & the District of Columbia
1.2 million law enforcement
37,000 public works
1.1 million fire & rescue services
240,000 EMS
9,000 emergency management
SECTOR LEADERSHIP
SSA: Department of Homeland Security Efforts in this sector are often organized by a combination of federal, state, local, tribal, and territorial governments. But private entities, such as industrial fire departments and private security organizations, also play a key role in providing emergency services.
3 THINGS TO KNOW Natural disasters and extreme weather, cyberattacks or disruptions, violent extremist and terrorist attacks, and nuclear incidents are among the persistent risks to the sector. To mitigate these risks, the most recent sector-specific plan identified four goals to increase security and resilience, including partnership engagement; situational awareness; prevention, preparedness, and protection; and recovery and reconstitution.
14
GovLoop Guide
As the average age of personnel across the sector increases and workers retire, there is a risk of losing key experience and expertise. Efforts to fill those vacancies could draw employees with less expertise, presenting both recruitment and response challenges at agencies.
There’s a massive effort under way to build a nationwide, wireless broadband network dedicated to public safety. The First Responder Network Authority (FirstNet), an independent authority within the Commerce Department, is spearheading the initiative, which will have big implications for first responders at the national, state and local levels. Congress allocated spectrum and up to $7 billion in funding for the construction of the network.
Energy Composed of three segments – electricity, oil, and natural gas – the energy sector is called the backbone of all critical infrastructures by some. It is considered especially important because it provides an enabling function to all other sectors.
170+
More than 6,413 power plants with approximately 1,075 gigawatts of installed generation comprise this sector.
activities and programs currently under way by energy sector partners to support National Infrastructure Protection Plan 2013 goals
how electricity is produced nuclear power plants (20%)
coal (48%)
natural gas (22%)
SECTOR LEADERSHIP
SSA: Department of Energy More than 80 percent of the energy sector is privately owned. According to the Department of Energy (DOE), cooperation through industry groups has resulted in substantial information sharing of best practices across the sector.
3 THINGS TO KNOW Like most other critical infrastructure sectors, energy is a prime target for cyberattacks. Recently, DOE proposed up to $34 million for 12 projects across individual energy sectors to “enhance the reliability and resilience of the nation’s energy critical infrastructure through innovative, scalable, and costeffective research, development and demonstration of cybersecurity solutions.”
The risks to the energy sector are expansive, both in diversity and geographic reach. Because the U.S. imports significant energy resources, political instability, civil unrest, and terrorist activities, as well as changes in international regulations and legislation, can have significant impacts on the health of this U.S. sector. Because the energy sector is heavily reliant on pipelines to distribute its products, transportation disruptions are also a major concern.
The energy sector’s key research and development areas include reducing the social consequences of natural disasters and climate events, developing innovative tools and technologies to harden critical infrastructure and enhancing cybersecurity capabilities to address evolving cyberthreats.
Your Guide to U.S. Critical Infrastructure
15
16
GovLoop Guide
Supporting Critical Infrastructure in the Cloud An interview with Adam Clater, Chief Cloud Architect at Red Hat The requirements and considerations for safeguarding critical infrastructure continue to expand. Increasingly, government missions rely on information technology to execute. Often, these systems are connected to an even wider array of other tools, devices, and networks that comprise the nation’s infrastructure. As a result, many agencies are challenged to support their critical infrastructure goals with a scalable, high-performance IT infrastructure. In an interview with GovLoop, Adam Clater, Chief Cloud Architect at Red Hat, explained how government can meet that challenge through open source solutions that support intelligent cloud deployments. Red Hat is a leading provider of open source solutions for the public sector. When an agency is considering a transition to the cloud or an even more complex move from one cloud to another, open source tools and expertise can help ease the transition and ensure security. First, Clater emphasized the need to start small. “That’s really the most important thing. Find a project within your datacenter that’s going to be low impact, and build a team around it for the transition,” he said. Then, he suggested building a culture around that success and use that to build momentum towards bigger projects that could be made more efficient with cloud. Next, Clater recommended automating transition considerations and cloud capabilities as much as possible. “By leveraging open source technology, agencies can begin
to automate their processes within their datacenter quickly, in a way that everyone who’s participating within the entire IT infrastructure can understand and be part of that selection and transition process,” Clater said. That way, organizations can make intelligent decisions about how to transition and which providers to use, as they build a more robust IT infrastructure in the cloud. Finally, organizations must ensure that as they move their IT infrastructure off-premise, they maintain full visibility into both cloud and local networks. A holistic view is key to ensuring your infrastructure – and the critical assets you support – are constantly secured and performing during cloud transitions. Of course, many agencies have moved beyond only using the infrastructure-as-a-service model today. “The conversation used to be about moving to the cloud,” Clater said. “But now we see customers no longer talking about whether they are moving to the cloud, but which providers they’re going to use to support their applications.” However, Clater explained that as agencies select applications to place in secure cloud environments, they often ignore the need to continually secure the application itself. Instead, they trust the cloud provider to instill security into operations. “When we start talking about security and we start talking about certifications, we also need to make sure that we’re talking about the security of our software supply chain” said Clater.
That means not only knowing what security controls are in your cloud environment but also what software is used within the platform and its applications. You also need to know who created the software and how it is to be maintained over the life of your mission. That’s where open source vendors play a role. Using trusted vendors to vet security based on open source standards is key. As Clater noted, “When agencies start migrating applications, that’s when leaders should be saying, ‘I know that the open source project has capabilities that are important to me, but has a trusted third party guaranteed that I’m using, for example, FIPS 140-2 compliant encryption, or adhering to other standards required by my security organization?’” Agencies should confirm software meets all required standards through third-party validation. Moreover, Clater recommended pulling in partners at all stages of the process to make sure cloud migrations are seamlessly executed without risking the IT infrastructure or the critical assets they support. With so much on the line, it’s not an option to have security or performance lapse during cloud migrations. Nevertheless, agencies have to seek new and scalable solutions if they are going to support increasingly digital and interconnected critical assets and keep the nation running. Open source technologies and services can help government make that seamless transition.
Your Guide to U.S. Critical Infrastructure
17
Financial Services This sector encompasses businesses that manage money, including credit unions, banks, credit-card companies, insurance companies, accounting companies, consumer-finance companies, stock brokerages, investment funds and even government-sponsored enterprises. Citizens use products of this sector to deposit funds, make payments to other parties, provide credit and liquidity to customers, invest funds, and transfer financial risks.
$
The U.S. exported $104.7 billion in financial services in 2014
and had a $35 billion surplus in financial services and insurance trade.
$15.967 TRILLION
The private equity industry in the U.S. is composed of nearly 3,847 investment firms and employs 11.3 million people.
amount of valued assets the U.S. had as of 2015
SECTOR LEADERSHIP
SSA: Department of the Treasury It may come without surprise that the majority of banks and businesses in the financial services sector are privately owned. The Treasury, however, oversees the production of currency, disbursement of payments to the public, revenue collection, and economic growth to support job creation, investment and economic security.
3 THINGS TO KNOW Financial institutions vary in size and presence, ranging from some of the world’s largest global companies with thousands of employees to community banks and credit unions that serve smaller communities to newer organizations who only serve customers online.
18
GovLoop Guide
Financial markets in the U.S. are the largest and most liquid in the world, with financial services helping to facilitate the export of U.S. manufactured goods, agricultural products and a number of other economic services. There, the financial services sector depends on collaboration between a broad set of partners, including trade associations, private companies, federal government agencies and financial regulators. These partners seek to reduce the physical and cybersecurity risks that pose the biggest threats to the sector.
(The Financial Services SectorSpecific Plan details plans to improve the sector’s security and resilience. Specifically, the plan outlines goals to implement and maintain structured routines for sharing timely and actionable information related to threats and vulnerabilities among firms, across sectors of industry and between the private sector and government.
Food & Agriculture The food and agriculture sector comprises the production, processing, and delivery systems that feed people and animals within the U.S. and beyond. The sector also imports ingredients and finished products, which involves a network of growers, processors, suppliers, transporters, distributors and consumers. The federal government designated the sector as critical infrastructure in 2003.
1/5
The sector accounts for roughly one-fifth of the nation’s economic activity.
This sector includes approximately: 2.1 million farms
935,000 restaurants
200,000+ food manufacturing, processing & storage facilities
In 2012, agricultural product sales totaled $400 billion. Crops and livestock each accounted for roughly half the sector.
SECTOR LEADERSHIP
SSA: Department of Agriculture & Department of Health and Human Services Most food and agriculture systems are privately owned, but the Agriculture Department and Food and Drug Administration have shared regulatory responsibilities for food. USDA is tasked with regulating meat, poultry, and processed egg products. The FDA has responsibility for all other food products.
3 THINGS TO KNOW The greatest threats to this sector include food contamination and disruption, disease and pests, severe weather and cyberthreats.
The sector is becoming increasingly reliant on technology. One area of interest is the use of Industrial Control Systems (ICS) in many food production and processing facilities to enhance connectivity and remote access. But the sector is struggling to keep pace with new cyber vulnerabilities of these systems.
The food and agriculture sector is heavily dependent on many other sectors, including water and waste systems for clean irrigation and processing water, transportation systems to move livestock and products, and the chemical sector for fertilizers and pesticides.
Your Guide to U.S. Critical Infrastructure
19
Government Facilities The government facilities sector includes public sector buildings that are owned or leased by federal, state, local, and tribal governments. The functions of these buildings vary from general use office buildings, to special use military buildings, embassies, courthouses, and national laboratories.
The scope of the sector is massive, with more than 3 billion square feet in federal property.
The sector includes the properties of over 87,000 municipal governments.
According to the sector’s 2011 annual report, government facilities have been the most frequently attacked sector since 1968, underscoring the need for robust physical security.
SECTOR LEADERSHIP
SSA: Department of Homeland Security & General Services Administration Unlike many other sectors, this one is managed almost entirely by government. It is co-managed by DHS and GSA, while DHS’s Federal Protective Service serves as the Sector-Specific Agency for the government facilities sector. The sector’s government coordination council is a collaborative body made up of 26 member organizations ranging from the FCC to the state of Maryland and the U.S. Capitol Police.
3 THINGS TO KNOW There are two subsectors in the government facilities sector: the education and families subsector and the national monuments and icons subsector. The former covers educational facilities owned by the government and private sector while the latter includes many of the national monuments and icons throughout the country.
20
GovLoop Guide
The sector also includes a cyber element that helps secure and protect sector assets like access control systems and CCTV systems.
The government facilities sector is also vulnerable to attacks by nefarious actors and natural hazards based on the geographical location of the buildings. The sector must be prepared to ensure that government functions and services are sustained in the event of a natural or manmade disaster. On the federal side, the Department of Homeland Security’s Interagency Security Committee works to enhance the quality and effectiveness of security of federal buildings.
Healthcare & Public Health The healthcare and public health (HPH) sector protects other sectors from natural and manmade hazards, including terrorism, infectious disease outbreaks, and natural disasters. The sector operates in every U.S. state and territory and plays an unparalleled role in response and recovery efforts across the other sectors.
This sector comprisesd about 17.4% ($2.9 trillion) of total U.S. GDP in 2013.
Over 14 million workers, or 10 percent of America’s total workforce, are employed by the HPH sector.
85% of the sector is privately owned and operated.
SECTOR LEADERSHIP
SSA: Department of Health and Human Services In addition to HHS, two coordinating councils – one of private sector members and one of public organizations – also manage the sector. While separate entities, the two councils come together in working groups on awareness and implementation, risk management, and cybersecurity.
3 THINGS TO KNOW Most of the healthcare and public health sector’s assets are privately owned and operated. The publicprivate partnership, however, is crucial to seamless operation of the sector. Particularly, the sector is highly dependent on the communications, emergency services, energy, food and agriculture, information technology, transportation systems, and water and wastewater systems sectors.
HPH has eight different subsectors: direct patient care, health information technology, health plans and payers, mass fatality management services, medical materials, laboratories, blood and pharmaceuticals, public health, and federal response and program offices.
Key initiatives for the HPH sector include giving presentations that inform on the critical infrastructure protection program, funding public health responders, disseminating a biweekly newsletter highlighting HPH articles and reports, working with public health manufacturers, and assessing risks.
Your Guide to U.S. Critical Infrastructure
21
Maintaining Resilient State & Local Assets in Utah An interview with Kathy McMullin, Planner at the Infrastructure Resilience Program of the Utah State Division of Emergency Management
The Department of Homeland Security (DHS) provides a wealth of resources and guidance to regional and local jurisdictions, to help them protect and maintain critical infrastructure. However, Kathy McMullin, Planner with the Utah State Division of Emergency Management, described the necessary role that state government can play in providing more localized support. McMullin works in Utah’s Infrastructure Resilience Program, which is charged with safeguarding Utah’s critical assets from manmade and natural disasters. “We’re working to make sure that we know what we have in each sector, especially the lifeline sectors (power, water, communication and transportation), and then understand where they’re vulnerable, what they’re dependent on to continue or to recover, and making sure that we can be available to recover and give a local jurisdiction the information they need to respond quickly,” she said.
22
GovLoop Guide
THINK BIG FIRST That’s a large job, given the sheer expanse of even a single state’s critical infrastructure network. “Everything is infrastructure,” said McMullin. “So, what we try to do is think big first.” When McMullin’s office works with a district, it starts by considering which infrastructure components might have the biggest impact on the community if they were to fail. For instance, if one facility employs a high volume of citizens, the local economy would be greatly impacted if the building had to be shut down due to service disruption or failure. In some cases, McMullin explained that the “big” implications of an infrastructure disruption aren’t so clear. She offered an example: “We had a fire marshal who was responding to an emergency where the power had gone out. That seems relatively minor. However, the power was affecting both a nursing home and an airport,” she said.
That service disruption quickly escalated. Responders had to quickly determine which other assets might be impacted in the immediate area. For those local operations, like the nursing home, which they knew were impacted, teams also had to investigate which facilities had back-up power supplies and which were totally dependent on the grid. “There was a little bit of chaos immediately as they were trying to determine, if we only have a certain number of resources that have to be dispatched immediately, where they should go first,” McMullin said.
SEGMENT TO DECREASE COMPLEXITY To avoid similar situations and help local jurisdictions quickly prioritize between sectors and assets, Utah’s Infrastructure Resilience Program breaks down sectors into smaller geographic segments. The team then works with individual counties to identify assets within those areas.
For more rural areas, McMullin explained that this process could be relatively straightforward given the limited population and assets supporting it. For denser population areas, her team sets qualifications to initially narrow the scope of critical infrastructure assets.
PRIORITIZE WITH STANDARDIZED SCORING Once a community has identified its assets, regional emergency managers can use the Utah Critical Infrastructure Prioritization Tool to determine which are most important to their local operations. While DHS provides similar tools on a national scale, this tool was created specifically for Utah’s environment. The tool is an Excel-based program that calculates asset importance based on 10 standardized questions. Six questions investigate how important the asset is to the community on economic, symbolic, and service levels. The criteria
even consider if the asset could be weaponized. Then, four additional questions determine the potential impact of that asset’s failure. The tool’s real value is in its standardization, according to McMullin. It allows a local manager to prioritize every asset, from any critical infrastructure sector, by one set of criteria. “You can use it for mitigation planning, or continuity of operations plans. You can also apply federal grant money toward prioritizing your assets. And it also speeds up your response times in cases of emergency,” she said. “Ultimately, you improve your local threat picture. You can understand what you’re vulnerable to, and respond quicker using that score.” Build Ongoing Relationships But while the tool empowers local authorities and businesses to manage their own assets, the Utah government continues to provide support and guidance. The tool allows managers to take ownership, but it also gives the state an accurate picture of asset ownership. “That’s another great benefit to identifying your critical
infrastructure: You know your owners and operators, and you can offer them resources,” McMullin said. That collaboration between the state government and local owners also lets the Infrastructure Resilience Program continually refine its processes and tools. In cooperation with Utah’s Protective Security Advisor, Ralph Ley, McMullin said her team “makes sure that everybody has the communication from federal to state, that we have those relationships set up so that we can get the resources we need, get the support we need, and make sure that the program is rolling out as smoothly as we like it to, and that we continually make improvements to it.” That’s the ultimate goal of McMullin’s office – to continually improve. That requires building sustainable relationships between local and state critical infrastructure managers, in order to offer guidance, share resources, and prioritize the wide expanse of assets in Utah.
Your Guide to U.S. Critical Infrastructure
23
Information Technology The IT sector covers telecommunications and software services, including companies that develop software in various fields such as the internet, applications, networks and database management. Additionally, IT can comprise technology hardware and equipment, including manufacturers and distributors of communications equipment, computers and other electronic equipment.
$3.8 TRILLION
The global IT industry market is expected to reach $3.8 trillion in 2016, up from $3.7T in 2015.
About 5.9 million workers are employed in technical (e.g., software developers and network administrators) and non-technical (e.g. HR, finance, marketing) positions within this sector.
78% of U.S. execs are concerned about the speed of technological change in their industry.
SECTOR LEADERSHIP
SSA: Department of Homeland Security Specifically, the Office of Cybersecurity and Communications within DHS is responsible for enhancing the security, resilience and reliability of the nation’s cyber and communications infrastructure.
3 THINGS TO KNOW Sector functions are operated by a combination of entities that maintain and reconstitute the network, including the internet. Although IT infrastructure has a certain level of inherent resilience, its interdependent and interconnected structure presents challenges for coordinating public and private sector preparedness and protection activities. One of these challenges includes the question of security vs. privacy, which is magnified by volume, variety of big data, streaming nature of data acquisition and highvolume inter-cloud migration. 24
GovLoop Guide
The Information Technology Sector-Specific Plan outlines several priorities for the IT sector, including better risk management, increased cybersecurity resilience, improved situational awareness and information sharing, and strengthened public-private partnerships to improve security and resilience.
With the exponential growth of the IoT, there’s an increasing need to properly secure devices and systems from hackers and cyberattacks. The Security Tenets for Life Critical Embedded Systems meets this need by providing basic security guidelines to ensure that lifecritical embedded systems across all industries have a common understanding of what is needed to protect human life, prevent loss or severe damage to equipment and prevent environmental harm.
Nuclear Reactors, Materials & Waste The nuclear reactors, materials and waste sector (or nuclear sector) includes the nation’s 99 commercial nuclear power plants; 31 research, training, and test reactors (RTTRs); eight active fuel cycle facilities; waste management; and 18 power reactors and six fuel cycle facilities that are decommissioning or inactive. It also includes the transport, storage, use, and safe disposal of more than 3 million packages of radioactive or nuclear materials and waste annually.
20% of U.S. electricity is generated by nuclear power reactors. nuclear power plants
coal
99 commercial power plants currently exist in the U.S.
About 3 million Americans live within 10 miles of an operating nuclear power plant.
natural gas
SECTOR LEADERSHIP
SSA: Department of Homeland Security Nuclear sector assets are generally owned and operated by the private sector, but are the most highly regulated and heavily guarded of all civilian infrastructure. Public access to the highest-hazard nuclear materials is tightly controlled. The Nuclear Regulatory Commission (NRC) regulates the civilian use of nuclear material using a robust framework that requires all licensees to meet safety and security requirements to ensure the protection of public health and safety, the environment, and national security.
3 THINGS TO KNOW Accidents, failures, or disruptions in the nuclear sector could have severe human health and safety consequences and cascading effects on critical infrastructure sectors that rely on nuclear power or nuclear medicine and industrial uses. Uniquely hazardous characteristics make nuclear sector assets the most highly regulated and heavily guarded of all civilian infrastructures.
Climate change and increasingly severe natural disasters increase risks for nuclear power plants, many of which are operating with aging equipment. After a March 2011 earthquake and tsunami caused an unforeseen triple meltdown at Japan’s Fukushima-Daiichi nuclear power plant, U.S. nuclear facilities are re-evaluating their ability to withstand beyond-design-basis events.
The nuclear sector faces multiple rapidly changing cyberthreats, including hackers’ evolving ability to gain control of control technologies and computer-enabled vehicles, medical devices, small drones, and other items; state-sponsored industrial espionage; internet-based financial tampering; embedded malware in critical infrastructure hardware components; and supply chain attacks.
Your Guide to U.S. Critical Infrastructure
25
Transportation Systems The transportation system sector works to ensure the United States’ transportation system quickly, safely, and securely moves people and goods through the country and overseas. There are seven key subsectors within the transportation systems sector: aviation, highway and motor carrier, maritime transportation system, mass transit and passenger rail, pipeline systems, freight rail, and postal and shipping.
In 2013, 9.3% of the United States’ GDP was supported by the transportation sector.
In 2014, the transportation sector shipped approximately 19.6 billion tons of goods.
6%
percent of the U.S. workforce is employed in the transportation sector
SECTOR LEADERSHIP
SSA: Department of Homeland Security & Department of Transportation Under these sector-specific agencies, the Transportation Security Administration and the United States Coast Guard are the executive agents for the sector.
3 THINGS TO KNOW There are four strategic goals of the transportation systems sector, including the need to manage security risks to transportation infrastructure, support community resilience, promote collaboration across sectors and partners, and enhance preparedness and resilience of the global transportation system to safeguard U.S. interests.
26
GovLoop Guide
A particular challenge the sector faces is its aging infrastructure. Many of the structures in the transportation sector are aging and deteriorating. This is problematic because the loss of a key node or asset in the transportation network can have cascading impacts on passenger and freight movement, and ultimately could cause supply chain disruption.
With so many critical subsectors, information sharing is key in the transportation system sector. Promoting dependencies across transportation nodes allows for more effective and efficient transportation processes, as well as resiliency against physical and cyberattacks.
Water & Wastewater Systems Previously known only as the water sector, this sector had its name changed in 2013 to recognize the importance of properly treated wastewater to preventing diseases and protecting the environment. The sector is also responsible for maintaining safe drinking water to the public.
About 153,000 public drinking water systems are maintained by this sector.
More than 80% of the U.S. population relies on these systems for potable drinking water.
227 MILLION
Over 16,500 publicly owned treatment works provide wastewater service & treatment to more than 227 million people.
SECTOR LEADERSHIP
SSA: Environmental Protection Agency More than 16,000 wastewater treatment systems in the U.S. are publicly owned. Under the Safe Drinking Water Act, states can request primacy for their drinking water programs.
3 THINGS TO KNOW As the Flint, Mich., water crisis highlighted, access to safe drinking water can make or break a community. But events are not always that localized, with one municipality’s failure having significant impact on others due to a lack of redundancy in services. As a result, collaboration in disaster response is critical to this sector. The Water/Wastewater Agency Response Network (WARN) was created to ensure facilities effectively and holistically respond to and recover from emergencies.
Drinking water systems contain many components, but they are generally divided into physical, cyber, and human elements including employees and contractors. While the majority of components like water sources, treatment, and conveyance systems are physical, electronic control systems, employees and contractors are also heavily monitored to ensure ongoing security.
In addition to citing cyber events, aging infrastructure, and natural disasters, a 2013 Sector Priorities Work Group said one of the most significant risks to this sector was a lack of awareness. The group’s report stated, “Although the Water Sector has been defined as a lifeline sector, this is not commonly recognized among relevant stakeholders, a situation that can escalate consequences during area-wide events.”
Your Guide to U.S. Critical Infrastructure
27
TRANSFORM YOUR FACILITIES THE UNIVERSITY OF IOWA The Hawkeye’s Energy Control Center is saving more than $1.5 million per year on energy costs
Saves $3.3M per year, HVAC corrections saved $40,000 in one week
CARNEGIE MELLON UNIVERSITY CMU’s Intelligent Workplace Initiative reduced energy costs by 30%
THE SEATTLE MARINERS
SAN DIEGO INTERNATIONAL AIRPORT
Are saving $1.5 million over 3 years
SAN’s Smart Airport initiatives are preventing water leaks and enabling their new micro grid
Saving $10 million annually in energy and water
Campus-wide metering, over 1000 buildings Reduced water use by 25% in one year Ongoing Commissioning powered in real-time
24/7
Worldwide support from PI System experts
releases 25 + product
per year, providing ever-green functionality and security
17,000
Installations worldwide providing secure, scalable data access
35 + years 1.5Facilities and Energy Man Smarter Billion data streams being monitored by PI Systems
28
GovLoop Guide
www.osisoft.com/federal
Providing infrastructure for Operational Intelligence
Learn more www.osisoft.com/corporate/facilities
Maintaining Secure Critical Infrastructure An interview with David Doll, Industry Principal at OSIsoft Threats to critical infrastructure come in every shape and size. Physical threats from malicious actors and environmental instability are always concerns, while threats in cyberspace are mounting every day. Add onto those risks the fact that government funds are diminishing while critical assets are aging, and the challenge of maintaining security can seem overwhelming. To understand how organizations can take a smarter, more efficient approach to securing critical assets, we spoke with David Doll, Industry Principal at OSIsoft. OSIsoft provides an open enterprise infrastructure for agencies to connect sensor-based data, systems, and people. The company’s PI System captures data from virtually everything – from temperature sensors to meters and railroad cars - and serves it up in real time so people can save energy, prevent accidents, or gain insight into their processes. Doll said the first step to better security is to understand the key difference between operational technology (OT) and information technology (IT). He explained that difference with a security analogy: “When an IT system is hacked, you lose information. It could be very important information, but it’s information. When an OT system is hacked, things can shut down. Things can go boom. It’s a different level of problem.” Another difference is in the nature of the data itself. “IT systems use relational databases to store information. It’s rows and columns and schemas, nice and clean. OT systems rely on sensors and use time-series data. It’s messy and unpredictable. For certain analyses, companies may need to capture hundreds of thousands events per second. If you try to use IT technologies to handle raw OT data, you
are going to struggle and create big problems for yourself.” To understand that difference and how it should be incorporated into operational decisions, Doll suggested looking to private sector owners and operators of critical infrastructure. “There’s a lot of lessons out there from industrial companies that have been tackling these issues for decades so the federal space doesn’t need to reinvent the wheel,” he said. Many companies have created a middle layer in their infrastructure that organizes their operational; systems to allow for interoperability while protecting OT from IT failures. This approach is more than just applying firewalls to IT endpoints; it requires deploying a data platform between the IT and OT layers of your infrastructure that connects information to users and to the information systems they feed and rely upon. “Most vendors ignore this critical aspect because it’s just not what they do,” said Doll. “They’re either selling new sensor technologies or they’re making visualization and dashboard products – both of which can demo very easily and install quickly. But when you ignore that middle layer, you’re creating problems and adding risk.” Another OT security technique is to link OT and IT networks through one-way connections like diodes or video channels. That way, companies can see what’s happening in operations while insulating assets like transformers or pipelines from viruses or other attacks on IT networks. OT companies also need to think more deeply about security when they deploy assets. Doll explained that every connection to an OT system is added risk and every disparate
database increases complexity. These new IoT solutions that allow monitoring over the internet each create a new attack point, a new threat. And when each smart sensor or control system creates another island of data, it’s very difficult to have a complete view of what’s going on – another factor of risk. Owners and operators of critical infrastructure need to monitor and maintain their assets with real-time sensor data. People can make quicker and more informed decisions, understanding which critical infrastructure systems require attention or resources to safeguard. Doll described it as “getting the raw data turned into information and in front of the right people, in time to have an impact.” “Whether you need new dashboards tomorrow or install new technology next year, you can build on top of your same data infrastructure without going back to square one,” Doll said. Ultimately, creating a data infrastructure between IT and OT systems allows agencies to more efficiently manage and secure critical assets. It creates a middle layer from which everything can be integrated and monitored, creating more connections without increasing risk. “That’s what OSIsoft has been doing for over three decades,” Doll concluded. “We’re delivering a scalable, reliable data layer that will connect all of your IoT data sources. It can connect all of your existing, disparate systems and support your future initiatives, things you haven’t even thought of yet. This enables government agencies to gain real-time insight so they can continuously monitor, continuously improve, and continuously secure their critical infrastructure.”
Your Guide to U.S. Critical Infrastructure
29
Sector Interdependencies WATER & WASTEWATER SYSTEMS
CHEMICAL
COMMERCIAL FACILITIES
TRANSPORTATION SYSTEMS
COMMUNICATIONS
NUCLEAR REACTORS, MATERIALS & WASTE
CRITICAL MANUFACTURING
INFORMATION TECHNOLOGY*
DAMS
HEALTHCARE & PUBLIC HEALTH
DEFENSE INDUSTRIAL BASE*
GOVERNMENT FACILITIES*
EMERGENCY SERVICES FOOD & AGRICULTURE
ENERGY FINANCIAL SERVICES
*Dependencies for DIB are unlisted. Dependencies for the Information Technology and Government Facilities sectors have not yet been defined. 30
GovLoop Guide
Conclusion After reviewing each sector, you might assume that critical infrastructure – what it is, what it impacts, and who manages it – is set in stone. In reality, the 16 sectors that comprise U.S. critical infrastructure are subject to the same changes in industry innovations, citizen expectations, and political dynamics that any other government service must confront. In the next few years, we can expect to see critical infrastructure leverage new technologies, personnel, and processes as it changes:
What critical infrastructure is:
As citizens and government personnel rely on more technologies to keep the nation running and get their jobs done, it’s likely that more systems will be added to critical infrastructure. During the 2016 election cycle, government leaders debated whether election systems should be considered critical. And while they ultimately decided against inclusion of that sector, other ideas like carpooling systems are already moving in to take the public debate space.
What critical infrastructure impacts:
While many sectors are already clearly interdependent, the rise of virtualization, IoT, and other technology trends will only increase connections between various sectors and the technology that powers them. That will require superior collaboration among industries and government, as well as a greater awareness of how one sector failure could have drastic impacts on another.
Who manages critical infrastructure:
In the past, critical infrastructure was maintained locally by skilled professionals. But today, cybersecurity – a boundary-less field – is increasingly tied to success in all critical infrastructure sectors. While you might consider that the realm of advanced IT professionals, the view in agencies today is that cybersecurity is everyone’s job. From identifying phishing attacks to correctly using technology, it’s now the role of every employee to take part in protecting critical infrastructure. As the challenges and opportunities facing critical infrastructure sectors evolve, it will be government’s job to keep pace and even proactively identify ways to confront change.
Your Guide to U.S. Critical Infrastructure
31
About & Acknowledgments ABOUT GOVLOOP GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government. For more information about this report, please reach out to info@govloop.com. www.govloop.com | @GovLoop
THANK YOU
Thank you to Cisco, OSIsoft and Red Hat for their support of this valuable resource for public-sector professionals.
AUTHORS Catherine Andrews, Director of Content Courtney Belme, Editorial Fellow Nicole Blake Johnson, Technology Writer Francesca El-Attrash, Staff Writer Emily Jarvis, Senior Online & Events Editor Korey Lane, Editorial Fellow Hannah Moss, Senior Editor & Project Manager
DESIGNER Kaitlyn Baker, Graphic Designer
32
GovLoop Guide
Your Guide to U.S. Critical Infrastructure
33
1152 15th St. NW, Suite 800 Washington, DC 20005 (202) 407-7421 F: (202) 407-7501 www.govloop.com @govloop
34
GovLoop Guide