The latest issue of C4ISR: The Journal of Net-Centric Warfare (June 2006) contains an article entitled “Mission Possible” by Peter Gross, the CEO/CTO at EYP Mission Critical Facilities Inc. that discusses the challenges faced in protecting critical infrastructure. Although the focus of the article is on C4ISR (of course), it makes a more general point about how the security environment has changed when it comes to critical infrastructure. Gross explains that “it was once enough to put up barbed wire and post a guard to protect the mission critical facility.” Clearly, that is insufficient in today’s security environment. Gross goes on to discuss how the DoD attempted to evolve as threats changed.
Since Gross was talking about C4ISR, he noted that the DoD’s first response was to establish military standards (MIL-STDs) for equipment it bought as well as TEMPEST standards to safeguard secure areas from prying ears and other standards to protect data and facilities. The problem, Gross noted, was that these were blanket standards that “did not allow supervisors … any latitude to account for local conditions.” He then rhetorically asks, “How can a single standard be made compliant in both Anchorage and Guam?” To account for local differences, the government unveiled “perfomance specifications (MIL-PRFs) to replace military standards.” As Gross notes, “It was finally understood that making everything look and sound the same was not enough if they performed at unacceptable levels.” Gross’ article points out the conundrum facing every organization — finding the balance between standardization and adaptation. Standards are crtical. We live in a plug-and-play world in which non-standard approaches inhibit rather than foster connectivity. But that is a topic for another day. I’d like to finish the discussion of critical infrastructure protection.
Gross is a proponent of “the industry model” that ranks infrastructure by its criticality to the overall system, with Tier I facilities requiring minimal protection and Tier IV facilities requiring maximum protection. The problem Gross points out is that connectivity has brought with it 24/7 vulnerability that makes every critical infrastructure data center a Tier IV facility. That can be translated to mean a large, non-productive commitment of resources for system protection. Of course, the costs of not providing protection can be even greater. Gross believes that costs can be kept to a minimum by looking at “whole system effectiveness.” In trying to judge this effectiveness, Gross recommends using a “triad of mathematical probabilities” that includes:
- Operational Readiness
- Quality of Design
In the article, he makes it clear that besides looking at a particular facility’s or system’s vulnerability, decision makers must look beyond the facility and ask questions like:
- Does building B have the same survivability requirements as building A?
- Does building B have the same protections to vulnerabilities as building A?
- Are there any circumstances where one building will be unavailable to the other during mission time?
- What do the interconnections and communication links between building A and B depend on?
- Who controls the infrastructure of any links noted in the line above?
- Do the support equipment and facilities meet the zero line requirements of buildings A and B?
I endorse this approach, but recommend looking inward as well as outward by prioritizing individual processes that must be protected, then determining how best to protect them. By parsing security requirements into their smallest components, resources can be more effectively applied to those things that matter most — those things that are “critical” within critical infrastructure. While the upfront effort to identify and protect processes is significant, the long-term pay off is worth it.
Gross concludes his article by encouraging the DoD “to adopt the industry standards, practices and processes” that he discussed. “We may not be able to predict how the attack will come,” Gross writes, “but we can ensure that when it comes, we are sufficiently prepared with fault- and failure-tolerant … facilities.” It’s all a part of being resilient.