Skip to main content
SpringerLink
Log in
Book cover

Critical Infrastructure Security and Resilience pp 35–54Cite as

Risk Analysis for Critical Infrastructure Protection

  • Chapter
  • First Online:

Abstract

Until recently, infrastructure owners and operators only had to worry about local acts of nature and the occasional vandal to maintain their services to a prescribed standard. All that changed with the 1995 Tokyo Subway Attacks and 9/11 which ushered in the unprecedented threat of domestic catastrophic destruction by non-state actors. Now infrastructure owners and operators find themselves under almost constant global cyber attack, the consequences of which could be catastrophic. Critical infrastructure protection has been a core mission of the Department of Homeland Security since its foundation in 2002. This chapter examines the work of the Department to protect the nation’s critical infrastructure, and efforts to develop a uniform risk analysis to guide its strategic planning and facilitate cost-benefit-analysis of mitigation measures on the part of infrastructure owners and operators.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   129.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Hardcover Book
USD   169.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    More precisely, the 2002 Homeland Security Act was the largest reorganization of Federal government since the National Security Act of 1947 formalized the structural changes that occurred during World War II creating a new Department of Defense and Central Intelligence Agency.

  2. 2.

    Observation made by Intel founder Gordon Moore in 1965 that the number of transistors per silicon chip doubles about every 18 months.

  3. 3.

    PPD-21 released in 2013 by the Obama administration was only the most recent executive order to define critical infrastructure. Critical infrastructure was originally defined in PDD-68 released in 1998 by the Clinton administration. PDD-68 identified twelve infrastructure sectors. PDD-68 was superseded by HSPD-7 released in 2003 by the Bush administration identifying eighteen infrastructure sectors. Although the number of critical infrastructure sectors changed in each iteration, the definition of critical infrastructure remained relatively unchanged. It is not inconceivable that a future executive order might again change the number of critical infrastructure sectors.

  4. 4.

    From the outset, the US government has claimed that 85% of critical infrastructure is privately owned. Despite this claim, nobody knows the true percentage of private versus public infrastructure.

  5. 5.

    Although US law may grant regulatory control over many facets of critical infrastructure, those same laws may not necessarily authorize regulatory authority over industry security measures. Thus, for example, although the 1970 Clean Air Act, 1972 Clean Water Act, and 1974 Safe Drinking Water Act give the Environmental Protection Agency authority to regulate drinking water and waste treatment utilities, those same laws do not give EPA authorization to regulate security measures for those utilities.

  6. 6.

    GPRA was amended in 2011 by the GPRA Modernization Act of 2010.

  7. 7.

    The NIST Cybersecurity Framework is but one of a number of process maturing models for improving critical infrastructure cybersecurity. The NIST Cybersecurity Framework itself was based upon the 2012 Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) developed with support from the Department of Energy. In 2012 the Department of Transportation released its Roadmap to Secure Control Systems in the Transportation Sector. And in May 2013, DHS reported it was employing the Cyber Assessment Risk Management Approach (CARMA) to assess cybersecurity in the Information Technology Sector (i.e., “Internet”).

  8. 8.

    To date, the worst disaster in US history outside the Civil War was the 1900 Galveston Hurricane in which an estimated 6000–12,000 people perished.

References

  1. 9/11 Commission (2004) A failure of imagination: the 9/11 commission report. US Government Printing Office, Washington, DC

    Google Scholar 

  2. American Water Works Association (2010) Risk analysis and management for critical asset protection (RAMCAP) standard for risk and resilience management of water and wastewater systems. American Water Works Association, Washington, DC

    Google Scholar 

  3. Anderson GB, Bell ML (2012) Lights out: impact of the August 2003 power outage on mortality in New York, NY. Epidemiology 23(2):189–193

    Article  Google Scholar 

  4. Brass CT (2012) Changes to the government performance and results act (GPRA): overview of the new framework of products and processes. Congressional Research Service, Washington, DC

    Google Scholar 

  5. Bucci S (2009) A most dangerous link. US Naval Institute, Annapolis

    Google Scholar 

  6. Congress US (2002) Homeland security act of 2002. US Government Printing Office, Washington, DC

    Google Scholar 

  7. George R, White R, Chow CE, Boult T (2017) Apples-to-Apples: LIRA vs. RAMCAP. Homeland Security Affairs, Volume November, p. Article 17071

    Google Scholar 

  8. Idaho National Laboratory (2016) Cyber threat and vulnerabilty analysis of the US electric sector. Idaho National Laboratory, Idaho Falls

    Google Scholar 

  9. Lewis TG, Darken RP, Mackin T, Dudenhoeffer D (2012) Model-based risk analysis for critical infrastructures. In: Critidal infrastructure security: assessment, prevention, detection, response. WIT Press, Ashurst/Southampton, pp 3–19

    Chapter  Google Scholar 

  10. Minkel J (2008) The 2003 Northeast blackout – five years later. [Online] Available at: https://www.scientificamerican.com/article/2003-blackout-five-years-later/. Accessed 7 Mar 2018

  11. Morrow M (2016) America’s water infrastructure is in need of a major overhaul. [Online] Available at http://www.foxbusiness.com/features/2016/01/28/america-s-water-infrastructure-is-in-need-major-overhaul.html. Accessed 6 Feb 2016

  12. National Institute of Standards and Technology (2014) Framework for improving critical infrastructure cybersecurity. National Institute of Standards and Technology, Washington, DC

    Book  Google Scholar 

  13. Neifert A (1999) Case study: sarin poisoning of subway passengers in Tokyo, Japan, in March, 1995. Camber Corporation, Huntsville

    Google Scholar 

  14. Office of Homeland Security (2002) National strategy for homeland security. The Whitehouse, Washington, DC

    Google Scholar 

  15. President’s Commission on Critical Infrastructure Protection (1997) Critical foundations: protecting America’s infrastructures. US Government Printing Office, Washington, DC

    Google Scholar 

  16. The President of the United States (2002) A reorganization plan for the department of homeland security. US Government Printing Office, Washington, DC

    Google Scholar 

  17. The White House (2013a) Executive order 13636, improving critical infrastructure cybersecurity. The Federal Register, Washington, DC

    Google Scholar 

  18. The White House (2013b) PPD-21, critical infrastructure security and resilience. The White House, Washington, DC

    Google Scholar 

  19. The Whitehouse (1998) PDD-63, critical infrastructure protection. The Whitehouse, Washington, DC

    Google Scholar 

  20. The Whitehouse (2001) EO 13228, establishing the office of homeland security and the homeland security council. The Whitehouse, Washington, DC

    Google Scholar 

  21. The Whitehouse (2013) Presidential policy directive – critical infrastructure security and resilience. Office of the Press Secretary, Washington, DC

    Google Scholar 

  22. US Department of Homeland Security (2013) National infrastructure protection plan. US Department of Homeland Security, Washington, DC

    Google Scholar 

  23. US Department of Homeland Security (2006) National infrastructure protection plan. US Department of Homeland Security, Washington, DC

    Google Scholar 

  24. US Department of Homeland Security (2010a) 2010 quadrennial homeland security Review. US Department of Homeland Security, Washington, DC

    Google Scholar 

  25. US Department of Homeland Security (2010b) Energy sector-specific plan. Department of Homeland Security, Washington, DC

    Google Scholar 

  26. US Department of Homeland Security (2014a) 2014 quadrennial homeland security review. US Department of Homeland Security, Washington, DC

    Google Scholar 

  27. US Department of Homeland Security (2014b) National protection and programs directorate (NPPD) office of infrastructure protection (IP). US Department of Homeland Security, Washington, DC

    Google Scholar 

  28. US Environmental Protection Agency (2014a) Climate change adaptation plan. US Environmental Protection Agency, Washington, DC

    Google Scholar 

  29. US Environmental Protection Agency (2014b) EPA response to EO13636, improving critical infrastructure cybersecurity. US Environmental Protection Agency, Washington, DC

    Google Scholar 

  30. US Environmental Protection Agency (n.d.) How the drinking water state revolving fund works. [Online] Available at: http://www.epa.gov/drinkingwatersrf/how-drinking-water-state-revolving-fund-works#tab-1. Accessed 6 Feb 2016

  31. US-Canada Power System Outage Task Force (2006) Final report on the implementtion of task force recommendations, s.l.: s.n

    Google Scholar 

  32. Volz D, Gardner T (2018) In a first, US blames Russia for cyber attacks on energy grid. [Online] Available at: https://www.reuters.com/article/us-usa-russia-sanctions-energygrid/in-a-first-u-s-blames-russia-for-cyber-attacks-on-energy-grid-idUSKCN1GR2G3 . Accessed 3 Apr 2018

  33. White R (2014) Towards a unified homeland security strategy: an asset vulnerability model. Homeland Security Affairs 10:Article 1

    Google Scholar 

  34. White Ricahrd, Burkhard A, Boult T, Chow CE (2016) Towards a comparabgle cross-sector risk analysis: a re-examiniation of the risk analysis and management for critical asset protection (RAMCAP) methodology. s.l., s.n., pp 28–40

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. University of Colorado, Colorado Springs, CO, USA

    Richard White

Authors
  1. Richard White
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Richard White .

Editor information

Editors and Affiliations

  1. Department of Informatics, Athens University of Economics and Business, Athens, Greece

    Dimitris Gritzalis

  2. Directorate E. Space, Security and Migration European Commission – Joint Research Centre, Ispra, Italy

    Marianthi Theocharidou

  3. Department of Informatics, Athens University of Economics and Business, Athens, Greece

    George Stergiopoulos

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this chapter

Check for updates. Verify currency and authenticity via CrossMark

Cite this chapter

White, R. (2019). Risk Analysis for Critical Infrastructure Protection. In: Gritzalis, D., Theocharidou, M., Stergiopoulos, G. (eds) Critical Infrastructure Security and Resilience. Advanced Sciences and Technologies for Security Applications. Springer, Cham. https://doi.org/10.1007/978-3-030-00024-0_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-00024-0_3

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-00023-3

  • Online ISBN: 978-3-030-00024-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation