What is CIP?
The term “critical infrastructure” refers to assets of physical and computer-based systems that are essential to the minimum operations of an economy and its government. They include, but are not limited to, telecommunications, energy, banking and finance, transportation, water systems and emergency services, both government and private. Though many nation’s critical infrastructures have historically been physically and logically separated as systems that had little interdependence, at least, until 9/11, advances in information technology with efforts performed to improve efficiencies in these systems, infrastructures have become increasingly automated and more interlinked. Thus, these improvements have created new vulnerabilities to equipment failure, human error, weather and other natural causes, as well as physical and computer-related attacks.
Addressing these vulnerabilities necessitates greater flexibility, a massive evolutionary approach that spans both public and private sectors, protecting both domestic and international interests. Every department and agency of federal, state and local governments are responsible for protecting their own infrastructure; each department and agency should have measures assuring that information is valid and accurate, protecting that information as if it were considered an asset. Part of the assurance process conducts consistent testing and evaluation of their infrastructures, performing vulnerability assessments periodically against physical and computer-based systems, while obtaining expedient and valid authorities validating those systems. This applies to both public and private sectors. (1)
So what then, is “critical infrastructure protection”? The term “critical infrastructure protection” (CIP) pertains to the activities for protecting critical infrastructures. This includes people, physical assets, and communication (cyber) systems that are indispensably necessary for national, state and urban security, economic stability, and public safety. CIP methods and resources deter or mitigate attacks against critical infrastructures caused by people (e.g., terrorists, other criminals, hackers, etc.), by nature (e.g., hurricanes, tornadoes, earthquakes, floods, etc.), and by hazardous materials (HAZMAT) accidents involving nuclear, radiological, biological, or chemical substances. Quite simply put, CIP is about protecting assets considered invaluable to society that promote social well-being. (2)
Several years ago, U.S. policy makers considered the term “critical infrastructure” as an evolving and often ambiguous definition. Twenty years ago, the word “infrastructure” was defined primarily with respect to adequacies of the nation’s public works. In the mid-1990’s, however, the growing threat of international terrorism led policy makers to reconsider their definition of “infrastructure” in the context of national security. Successive federal government reports, laws, and executive orders have refined, and generally expanded, the number of infrastructure sectors and the types of assets considered to be “critical” for purposes of homeland security. (3)
This definition was adopted (by reference) within the Homeland Security Act of 2002 (P.L. 107-296, Sec. 2.4) establishing the Department of Homeland Security (DHS).
The National Strategy also adopts the definition of “critical infrastructure” in P.L. 107-56, and provides the following list of specific infrastructure sectors (and its assets) falling under that definition:
- information technology
- chemical and petroleum-chemical
- transportation systems
- emergency services (includes first responder services)
- postal and shipping services
- agriculture and food (include preparation, delivery and retail)
- public health and welfare
- drinking water / water treatment
- energy (both generation as well as transmission)
- banking and finance
- national monuments and icons
- defense industrial base
- key industry / technology sites
- large gathering sites (schools, public buildings)
- critical manufacturing (added April 2008)
What could impact a “critical infrastructure”? For starters, there are loosely-defined directives not directly tied with or to each other, either within or between different industrial sectors. Secondly, many industrial sectors utilize and employ services of much older technology referred to as “SCADA” (or “System Control and Data Acquisition systems”). SCADA represents something called “control systems” that may/may not be connected to a controlling computational device and/or may/may not directly be connected to a network, or in many cases, the Internet. SCADA systems are currently being revitalized and renovated in an effort to bring those systems more up-to-date, more current, and (specifically) enable them to be more secure. Most people are unaware of the importance of SCADA-controlled devices esp. with how debilitating their impact could be if affected resulting from either natural or manmade causes. Essentially, “control systems” are computer-based systems that are used by many infrastructures and industries to monitor and control sensitive processes and physicalfunctions.
Typically, control systems collect sensor measurements and operational data fromthe field, process and display this information, and relay control commands to local or remote equipment. In the electric power industry they can manage and control the transmission and delivery of electric power, for example, by opening and closing circuit breakers and setting thresholds for preventive shutdowns. Within certain industries such aschemical and power generation, safety systems are typically implemented to mitigate adisastrous event if control and other systems fail. In addition, to guard against both physical attack and system failure, organizations may establish back-up control centers that include uninterruptible power supplies and backup generators. To the best of our knowledge, there are no governing compliance bodies of authority that regulate, control and dictate coordinately any form of interoperability between each other, let alone between industrial sectors. Each industry (supposedly) self-regulates itself, but there appears to be any (if not) little communications between interest groups and their representative organizations. This, to us, poses a serious issue insofar as to the vast amount of control systems which exist throughout the United States, within more than one industrial sector, and the lack of any coordination between each sector.
Technically, SCADA is a form of IT, though many IT departments would vehemently deny that control systems are part of their core responsibilities, at least, from traditional operations of IT. Much of the news media’s and government’s attention has focused primarily on the Internet and implementing redundancies in duplicated networking paths for the Internet, though the Internet (as a whole) is (supposedly) self-healing and self-replicating in its path discovery mechanisms esp. on Tier 0 and Tier 1 backbones — which what makes up the Internet. The need for such elaboration is such that Information Technology is listed as 1 of 15 key critical infrastructures outlined by President Bush within HSPD-7; thus, IT (in effect) is a part of “critical infrastructure protection”. For that matter, so is SCADA. (4)
 The Library of Congress, CRS Report for Congress, Guarding America: Security Guards & U.S. Critical Infrastructure Protection, CRS- RL32670 (November, 2004).
 The Library of Congress, CRS Report for Congress: “Critical Infrastructure: Control Systems and the Terrorist Threat”, CRS-RL31534 (February 21, 2003).