NIPP 2013: Partnering for Critical Infrastructure Security and Resilience
EMI Higher Education Symposium
5 June 2014
Presenter’s Name June 17, 2003Unclassified
Strategic Drivers
Critical Infrastructure Today
Critical Infrastructure defined: “Assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on national security, economic security, national public health or safety, or any combination thereof.”
16 Critical Infrastructure Sectors
• Chemical
• Commercial Facilities
• Communications
• Critical Manufacturing
• Dams
• Defense Industrial Base
• Emergency Services
• Energy
• Financial Services
• Food & Agriculture
• Government Facilities
• Healthcare and Public Health
• Information Technology
• Nuclear Reactors, Materials and Waste
• Transportation Systems
• Water & Wastewater Systems
Today’s Risk Landscape
America remains at risk from a variety of threats including:
• Acts of Terrorism
• Cyber Attacks
• Extreme Weather
• Pandemics
• Accidents or Technical Failures
NIPP 2013 offers a distributed approach for addressing the diverse and evolving risk environment.
National Policies
President Obama announced two policies related to critical infrastructure security and resilience in February 2013:
• Presidential Policy Directive 21: Critical Infrastructure Security and Resilience
• Executive Order 13636: Improving Critical Infrastructure Cybersecurity
“The Nation's critical infrastructure provides the essential services that underpin American society. Proactive and coordinated efforts are necessary to strengthen and maintain secure, functioning, and resilient critical infrastructure that are vital to public confidence and the Nation's safety, prosperity, and well-being.”
– Presidential Policy Directive (PPD) 21
Critical Infrastructure Preparedness
NIPP 2013 aligns critical infrastructure security and resilience with National preparedness policies.
Presidential Policy Directive 8: National Preparedness
Strengthens the security and resilience of the United States through systematic preparation for the threats that pose the greatest risk to the security of the Nation.
[Figure: Risk Elements and National Preparedness Mission Areas]
NIPP 2013 Vision
A Nation in which physical and cyber critical infrastructure remain secure and resilient, with vulnerabilities reduced, consequences minimized, threats identified and disrupted, and response and recovery hastened
Security: Reducing the risk to critical infrastructure by physical means or defensive cyber measures to intrusions, attacks, or the effects of natural or manmade disasters
Resilience: The ability to prepare for and adapt to changing conditions, and withstand and recover rapidly from disruptions
NIPP 2013 Goals
• Assess and analyze critical infrastructure threats, vulnerabilities and consequences to inform risk management
• Address multiple threats through sustainable efforts to reduce risk; account for costs and benefits of security investments
• Enhance critical infrastructure resilience; minimize the adverse consequences of incidents…as well as conduct effective responses…
• Share actionable and relevant information across the critical infrastructure community to build awareness and enable risk-informed decision making
• Promote learning and adaptation during and after exercises and incidents
Core Tenets
• Coordinated and comprehensive risk identification and management
• Cross-sector dependencies and interdependencies
• Enhanced information sharing
• Comparative advantage in risk mitigation
• Regional and SLTT partnerships
• Cross-jurisdictional collaboration
• Security and resilience by design
Evolution from 2009 NIPP
Security and Resilience: Elevates security and resilience as the primary aim of critical infrastructure homeland security planning efforts
Cyber-Physical Integration: Integrates cyber and physical security and resilience efforts into an enterprise approach to risk management
Partnership Structure: Focuses on establishing a process to set critical infrastructure national priorities determined jointly by the public and private sector
International: Affirms that critical infrastructure security and resilience efforts require international collaboration
Risk Management: Updates the critical infrastructure risk management framework and addresses alignment to the National Preparedness System, across the prevention, protection, mitigation, response, and recovery mission areas
Regional and Local Partnerships: Supports execution of the National Plan and achievement of the National Preparedness Goal at both the national and community levels, with focus on leveraging regional collaborative efforts
Call to Action: Presents a detailed Call to Action with steps that will be undertaken, shaped by each sector’s priorities and in collaboration with critical infrastructure partners, to make progress toward security and resilience
Risk Management Framework
• Information sharing enables partners to benefit from broader knowledge and capabilities to support risk decision-making
• Risk tolerance and priorities will vary
• Consider costs and benefits during decision making
• Integrates information sharing as a core component
Critical Infrastructure Risk Management Framework
Many Stakeholders, Many Strengths
Comparative Advantage
• Engaging in collaborative processes
• Applying individual expertise
• Bringing resources to bear
• Building the collective effort
• Enhancing overall effectiveness
Partnership Structures
National Level Councils
• Sector Coordinating Councils (SCCs)
• Government Coordinating Councils (GCCs)
• State, Local, Tribal, and Territorial Government Coordinating Council (SLTTGCC)
• Critical Infrastructure Cross Sector Council
• Federal Senior Leadership Council
• Regional Consortium Coordinating Council
National, Regional, and Local Organizations
• Public Private Partnerships
• Regional Partnerships
• State and Local Councils
• Non-Governmental Organizations
Information Sharing Mechanisms
• Information Sharing and Analysis Centers (ISACs)
• Fusion Centers
Call to Action
A whole of community approach to advancing the national effort
Build on Existing Partnerships
Innovate in Managing Risk
Focus on Outcomes
Build upon Partnership Efforts
• Set National Focus through Joint Priority Setting
• Determine Collective Actions through Joint Planning Efforts
• Empower Local and Regional Partnerships to Build Capacity Nationally
• Leverage incentives to Advance Security and Resilience
Innovate in Managing Risk
• Enable Risk-Informed Decision-Making through Enhanced Situational Awareness
• Analyze Infrastructure Dependencies, Interdependencies, and Associated Cascading Effects
• Rapidly Identify, Assess, and Respond to… Cascading Effects During and Following Incidents
• Promote Infrastructure, Community, and Regional Recovery
• Strengthen Coordinated Technical Assistance, Training, and Education
• Improve Critical Infrastructure Security and Resilience by Advancing R&D Solutions
Focus on Outcomes
• Evaluate Achievement of Goals
• Learn and Adapt During and After Exercises and Incidents
Enable Risk Informed Decision Making Through Enhanced Situational Awareness
Undertake a partnership-wide review of impediments to information sharing
Build upon the functional relationship deliverable from Presidential Policy Directive 21 (PPD-21)
Develop streamlined, standardized processes to promote integration and coordination of information sharing
Develop interoperability standards to enable more efficient information exchange through defined data standards and requirements
Identify, Assess, and Respond to Unanticipated Infrastructure Cascading Effects During and Following Incidents
Enhance the capability to rapidly identify and assess cascading effects involving the lifeline functions and contribute to identifying infrastructure priorities—both known and emerging—during response and recovery efforts
Enhance the capacity of critical infrastructure partners to work through incident management structures such as the ESFs to mitigate the consequences of disruptions to the lifeline functions
Promote Infrastructure, Community, and Regional Recovery Following Incidents
Encourage States and localities to consider critical infrastructure challenges in pre-incident recovery planning, post-incident damage assessments, and recovery strategy development
Support examination of initiatives to enhance, repair, or replace infrastructure providing lifeline functions during recovery
Strengthen Coordinated Development and Delivery of Technical Assistance, Training, and Education
Capture, report, and prioritize the technical assistance, training, and education needs of critical infrastructure partners
Examine current Federal technical assistance, training, and education programs to ensure that they support the national priorities and the risk management activities described in NIPP 2013
Leverage a wider network of partners to deliver training and education programs to better serve recipients and reach a wider audience while conserving resources
Partner with academia to establish and update critical infrastructure curricula that help to train critical infrastructure professionals
Improve Critical Infrastructure Security and Resilience by Advancing Research and Development Solutions
Promote R&D to enable the secure and resilient design and construction of critical infrastructure and more secure accompanying cyber technology
Enhance modeling capabilities to determine potential impacts on critical infrastructure of an incident or threat scenario, as well as cascading effects on other sectors
Facilitate initiatives to incentivize cybersecurity investments and the adoption of critical infrastructure design features that strengthen all-hazards security and resilience
Prioritize efforts to support the strategic guidance issued by DHS
Learn and Adapt During and After Exercises and Incidents
Develop and conduct exercises through participatory processes to suit diverse needs and purposes
Design exercises to reflect lessons learned and test corrective actions from previous exercises and incidents, address both physical and cyber threats and vulnerabilities, and evaluate the transition from steady state to incident response and recovery efforts
Share lessons learned and corrective actions from exercises and incidents and rapidly incorporate them into technical assistance, training, and education programs
What You Can Do
Build Upon Partnership Efforts
Innovate in Managing Risk
Focus on Outcomes
Understand the critical infrastructure landscape and how to partner with owners and operators
Provide support for assessing criticality and managing risk
Rigorous study of exercises and incidents
Bring private sector into linkages with Emergency Management and Law Enforcement communities
Incorporate critical infrastructure perspectives into traditional emergency management curricula
Establishment/awareness of regional consortia with diverse stakeholders
Connect cyber/physical stakeholders
Encourage systems approach to understanding dependencies and interdependencies
Connect to the NICC/NCCIC
Adopt the Cybersecurity Framework
Resources and Training
Visit www.dhs.gov/nipp for links to the full NIPP 2013 and the NIPP Supplements and critical infrastructure training:
NIPP Supplements
• Connecting to the NICC and NCCIC
• Executing a Critical Infrastructure Risk Management Approach
• Incorporating Resilience into Critical Infrastructure Projects
• NPPD Resources to Support Vulnerability Assessments
Critical Infrastructure Partnership Courses
• IS 913 Achieving Results through Critical Infrastructure Partnership and Collaboration
• IS 921 Implementing Critical Infrastructure Protection Programs and CI TOOLKIT
Security Awareness Series Courses
• IS 906 Workplace Security
• IS 907 Active Shooter
• IS 912 Retail Security Awareness
• IS 914 Surveillance Awareness: What you can do
• IS 915 Protecting Critical Infrastructure Against Insider Threat
• IS 916 Critical Infrastructure Security: Theft and Diversion – What You Can Do