Critical Infrastructure: Critical Manufacturing Sector
KeywordsDependencies Infrastructure concentration Interdependencies Risk Supply chains
- Critical Infrastructure
“Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters” (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism [USA PATRIOT] Act, 2001, § 1016).
- Critical Manufacturing Sector
Privately owned and operated assets (manufacturing plants, logistical distribution facilities, storage facilities, and center business offices) that convert raw materials and manufactures specialized materials and equipment vital to the construction, electrical, defense, and industries among others (U.S. Department of Homeland Security [DHS] 2015a).
The Critical Manufacturing Sector (CMS) is just one of many critical infrastructure sectors that play an important role in support of a democratic nation and help to ensure US economic vitality and national security. However, the CMS is not immune to challenges as supply chain disruptions at the national and global levels can induce severe consequences (Executive Office of the President 2017). These high-level challenges are just the beginning as the CMS faces a myriad of risks (natural hazards, technological hazards, and human-caused incidents) and cross-sector dependencies, which can result in significant cascading effects.
The remainder of this entry provides a general overview of the CMS to enable a general understanding. Within the discussion, key operational characteristics of the CMS are reviewed along with a description of the current threat and hazard picture to include critical cross-sector dependencies. This discussion will also include mission, goals, and priorities of the CMS along with the partnership structure. Partnerships and information sharing within the CMS are elevated due to a high private ownership share of sector assets. Overall, this entry provides a basic understanding of the CMS to enable critical evaluation of current policies, practices, and needed activities to address gaps in security and resilience.
The CMS consists of the manufacturing industries which have significant national economic implications and are considered crucial for operations within other infrastructure sectors. The main activities of the CMS are to process and manufacture. Processing involves converting raw materials and primary metals into useable products that are subsequently utilized in manufacturing. Specific manufacturing that is deemed critical includes machinery (engine, turbines, power-transmission, heavy machinery), electrical components (motors, transformers, generators), and transportation (for surface, water, and rail modes). Further, the CMS produces highly specialized parts and equipment essential to specific US industries, particularly the Defense Industrial Base Sector. Additionally, the CMS produces the backbone materials and components for the Energy Sector and Transportation Systems Sector. Therefore, failures and/or disruptions in the CMS can cause severe consequences in terms of economic impact and cascading effects to other infrastructure sectors. Lastly, the US economic prosperity and continuity are dependent on the CMS, and this sector’s production comprises 12 percent of the nation’s gross domestic product (GDP) and employs approximately 12 million individuals.
Sector Components and Assets
Due to the diversity of manufacturers and high private ownership share, the CMS is organized into four subsectors based on functions and operations. Regardless of subsector, facilities (manufacturing, processing, and distribution), offices (sales and headquarters), and product storage are included as key assets. Characteristics of each subsector are provided below per the Critical Manufacturing Sector-Specific Plan (CM SSP).
Primary Metals Manufacturing: Converts raw materials into assemblies, intermediate products, and end products. These products can include sheet metal, bar stock, I-beams, slabs, or pipes. Processes aluminum, iron, and steel that supports transportation, urban centers, energy supply, clean water, safe food, and defense. There are 4,556 manufacturers in this subsector.
Machinery Manufacturing: Produces engines, turbines, and power-transmission equipment. Products support infrastructure and primary operations in a number of critical US industries. Includes heavy-equipment manufacturing. There are 24,124 manufacturers in this subsector.
Electrical Equipment, Appliance, and Component Manufacturing: Produces specialized equipment, assemblies, intermediate products, and end products for power generation. These products include transformers, electric motors and generators, and industrial controls. There are 5,765 manufacturers in this subsector.
Transportation Manufacturing: Produces cars and trucks, aircraft and component parts, aerospace products and parts, railroad cars and other railroad products, and other transportation equipment. There are 11,814 manufacturers in this subsector. (DHS 2015a, p. 4).
Key Sector Operating Characteristics
The importance of the CMS can be summed in one specific figure: CMS produces 60% of all of US exports. Facilities, employees, suppliers, and customers around the world are part of the complex international, interdependent networks of raw materials and finished products in which CMS assets operate. Although it improves production agility, this complex global network increases the exposure of the CMS to a myriad of risks and conditions. In fact, disruptions in supply chains are one of the top security and resilience concerns of the CMS. This is because present supply chains focus on efficiency (e.g., lean inventories) and just-in-time practices, but this also increases vulnerability of CMS assets to long-term disruptions. This is because CMS assets are part of the network that links suppliers, vendors, partners, integrators, contractors, and customers not only to their asset, but also to other industries and businesses. Therefore, CMS assets must ensure resilience against supply chain disruptions, which includes constant monitoring and a proactive stance to mitigate any disruptions.
The US government by itself cannot create a secure and resilient CMS, especially in relation to high private sector ownership. Rather, the end goal requires a dedicated whole-of-nation approach involving public and private stakeholders. Leading this whole-of-nation approach is the designated Sector-Specific Agency (SSA) as defined in Presidential Policy Directive (PPD) 21: Critical Infrastructure Security and Resilience (Executive Office of the President 2013). The designated SSA for the CMS is DHS. More specifically, the Office of Infrastructure Protection is the delegated responsible entity within DHS.
The National Infrastructure Protection Plan (NIPP) defines a partnership structure for the infrastructure sectors that is facilitated through Government Coordinating Councils (GCCs) and Sector Coordinating Councils (SCCs). The SCCs are comprised of owners and operators and enable them to work directly with one another. Typically organized under subsectors within an overall infrastructure sector, SCCs are self-organized, self-run, and self-governed councils consisting of owners and operators and their representatives and serve as principal collaboration points between the GCCs and the SSAs. As for the GCCs, SSAs work closely with state, local, tribal, and territorial (SLTT) agencies through the GCCs to enable sharing of actionable, relevant risk information; exchanging of best practices; building of cross-sector situational awareness; and enabling risk-informed decision-making.
The importance of SLTT agencies is illustrated by the fact they work in close proximity to the owners or operators of the CMS. Coordination with SLTT agencies is imperative as all incidents start local and these agencies are first to respond to any incident. Therefore, SLTT agencies provide important local capability to include mutual aid agreements and communication plans where appropriate. It is the responsibility of the SSA to cultivate relationships and information sharing between SLTT agencies and the GCCs and SCCs to enhance situational awareness and addresses identified risks to the CMS. This illustrates that the success of a sector’s partnership model depends on the ability to leverage knowledge, capabilities, and resources through GCC and SCC activities. Through this collaboration exchange, owners and operators of CMS assets can better understand risks and interdependencies and develop appropriate security and resilience strategies to mitigate identified risks.
Despite the diverse collection of assets within the CMS, common risks exist that each sector must address. Natural disasters, active shooters, and terrorist threats are persistent risks across the CMS as well as geopolitical events due to its linkage to a global supply chain (DHS 2014). Further, cyber attacks risks continue to grow as reliance on networked systems continues to rise. This illustrates the need to comprehensively examine risks across the CMS through existing partnership structures in an effort to ensure security and resilience. Although numerous risks can be discussed, the following sections focus on those risks deemed significant. It is acknowledged there are other significant risks to the CMS, but these risks will not be discussed for the sake of brevity. Expanded information on risks to the CMS is accessible via the CM SSP.
Within the CMS, geographic concentration helps to reduce overall costs due to a localization of expertise and reduction in logistical operations. However, this concentration can increase vulnerability to geographic risks and local disasters that can produce cascading effects (Parfomak 2008). Although the CMS is widely dispersed across the nation, certain subsectors or aspects are concentrated in specific regions, which require additional security and resilience activities. For example, CMS facilities are geographically concentrated around coastal ports (Parfomak 2008). This placement supports the importing and exporting logistics of materials and products within the sector. Further, the global supply chain also converges in strategic geographic areas thereby creating chokepoints that can cause and magnify disruptions. This is especially relevant to global maritime transportation in areas such as the Malaccan Strait (Indian Ocean), Gulf of Hormuz (Middle East), and the Panama Canal (links Atlantic and Pacific Oceans). However, disruption in access to rare and and/or scarce raw materials may also create vulnerabilities. Therefore, global networks must be constantly monitored in order to anticipate, respond to, and mitigate possible disruptions.
Natural Hazards, Climate Change, and Extreme Weather
Natural hazards are a constant threat to all critical infrastructure sectors. Severe storms, hurricanes, earthquakes, tornadoes, volcanoes, drought, floods, landslides, tsunamis, and wildfires can cause significant property and economic damage, threaten safety of employees and facilities, and restrict access to critical resources such as power, water, transportation, and food supplies. Natural threats are typically present in defined geographic areas thereby increasing the vulnerability of physical assets and employees in those areas. Specific natural threats that can affect the CSM both domestically and globally should be identified according to likelihood of occurrence. Global weather is important as well in the CMS because natural disasters in other global regions can result in cascading disruptions in supply chains. This is in addition to natural disasters interrupting critical dependent sector services (e.g., Energy Sector) resulting in delays or shutdowns.
Today, the risk of natural hazards is increasing due to climate change. Although it occurs gradually over time, impacts from climate change are presently viewable and are projected to worsen in the future. In fact, the CMS is already impacted by climate change both in the United States and globally. This has led to both DHS and the US Department of Defense (DOD) to view climate change as a threat multiplier. Natural hazards and extreme weather result in risks such as power interruptions, wildfires, regional flooding, droughts, and severe storms, and each carries its own consequences to CMS assets. However, climate change has made extreme weather events more frequent and intense. Therefore, climate change has altered the frequency and intensity of natural hazards and severe weather, which can produce significant cascading effects on the CMS. For example, the Energy Sector can be stressed through extreme heat and diminished precipitation thereby causing possible power interruptions to CMS assets. Further, sea-level rise accompanied by storm surge increases coastal flooding, which impacts CMS assets geographically concentrated in coastal areas. An example of this is the impact on shipbuilding operations in the Newport News and Norfolk (VA) area (Parfomak 2008). Therefore, actions related to risk assessment, mitigation, resilience, and adaptation must include climate change in addition to natural hazards and severe weather. If not, historical examples provide poignant examples of how the CMS has been affected significantly by climate-related hazards.
Active Shooter/Armed Attacker
The DHS Interagency Security Committee (ICS) defines an active shooter as “an individual or individuals actively engaged in killing or attempting to kill people in a populated area” (Interagency Security Committee 2015, p. 1). Although a firearm is the most common weapon used in active shooter/armed attacker events, other weapons – knives, bats, etc. – can be utilized to harm innocent individuals. Active shooter events pose significant challenges to all CMS assets (such as workplace violence) as the incidents do not follow a specific pattern or a method to the selection of victims. Therefore, active shooter incidents are sometimes impossible to predict and/or prevent. This is further complicated by the fact that active shooter incidents require less resources and planning than other attack methodologies, such as an explosive attack. The frequency of active shooter incidents has increased over the past several years, and incidents have occurred at numerous CMS assets.
As illustrated in previous events, active shooter incidents quickly evolve and are dynamic. Virtually all active shooter incidents end via force by responding law enforcement agencies or through suicide by the assailant. Therefore, CMS assets and on-site individuals must be prepared to address and mitigate an active shooter incident prior to arrival of law enforcement resources. This preparedness can be in the form of security protocols as well as ensuring employees are trained both mentally and physically to deal with an active shooter situation. Overall, recent events illustrate the need to reduce the risk of active shooter incidents to include ongoing preparedness and strengthening of prevention and protection efforts.
Adversaries have successfully executed cyber attacks against the CMS over the past several years (Bennett 2016). These attacks have released unimaginable amounts of private and confidential data and have resulted in damages in excessive of hundreds of millions of dollars. Cyber attacks do not only come from sole individuals or groups but also from state-sponsored activities from countries such as Russia, China, and North Korea. This has led to an increase in hacktivism or politically motivated cyber attacks. Another area of concern related to cyber attacks is the increasing use of comprehensive, computerized building management systems, which control heating, ventilation, and air conditioning (HVAC) systems, access control systems, surveillance systems, etc. These systems reside on networks which makes them vulnerable to a cyber attack or a significant network outage. Of particular importance is the possibility of a cyber attack leading to local or system-wide outages resulting in the loss of ability to control physical access, lighting, temperature, or even life-safety systems.
The more significant danger of cyber attacks in the CMS is intrusion into industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems. Unauthorized intrusion into these systems has the potential to result in severe negative impacts to the CMS asset that could cascade and create impacts in other sectors dependent on specific production provided by the CMS. As such, the cyber risk has been recognized by the CMS as a high-priority concern (DHS 2015b; Government Accountability Office 2015). In response to the cyber risk, CMS owners/operators can follow cybersecurity implementation framework guidance detailed in the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST 2015).
The recognition and focus on cyber attacks are important due to recent successful, high-profile cyber attacks in the CMS. In fact, the US Computer Emergency Response Team (2017) has reported that threat actors are increasingly targeting assets within the CMS through the use of “open-source reconnaissance, spear-phishing emails (from compromised legitimate accounts), watering-hole domains, host-based exploitation, and ongoing credential gathering” (p. 1). Further, the number of investigations into cyber attacks by DHS increases each year, in which most attacks are related to spear-phishing campaigns. The increasing reliance on computer networks for operations as well as security presents increased risk of cyber attacks by individual external (hacktivists) and internal (sabotage by former employees) to the CMS.
Terrorism and Violent Extremism
Certain characteristics of the CMS increase the target attractiveness to a potential terrorist or violent extremist. As such, the threats of attack from terrorists and violent extremists are major contributors to the risk profiles of the CMS. Overall, the CMS represents attractive targets to both domestic and international terrorist groups as well as violent extremists. Therefore, the CMS must be cognizant of the changing domestic and international terrorist threats, including the threat from homegrown violent extremists (HVEs). Some counterterrorism experts consider HVEs as the most immediate threat to US infrastructure. One of the reasons is that HVEs can be US citizens or legal permanent residents, which enables them to freely operate throughout US society. This increases the risk of insider threats in which radicalized individuals who work in the CMS can exploit vulnerabilities through their inside knowledge. However, HVEs typically have less access to resources and training, which results in their planning and attack methodology being simpler and less technical. This asymmetric threat presents challenges in predicting and interdicting attack plots.
Unmanned Aircraft Systems
Unmanned aircraft systems (UAS) are an emerging threat to the CMS. The increased use of UAS throughout the Nation is a serious concern due to the ability to use them to cause damage to persons and property (Coullahan 2017). UAS are particularly worrisome to CMS assets because they enable individuals to access restricted and previously unreachable areas, such as the air space above a facility. The ability to access this space could provide opportunities to cause significant damage or casualties. Further, adversaries can utilize UAS to obtain information about a facility – security layouts – thereby providing highly valuable information for planning and executing an attack.
Supply Chain Disruptions
As previously discussed, today’s global supply chain is optimized for productivity and efficiency. Therefore, disruptions in the supply chain can quickly cause cascading effects especially if raw materials cannot reach CMS assets. An absence of raw materials will also cause the inability to manufacture and deliver finished products. Disruptions in the global supply chain are the result of one or many causes, including civil unrest and natural disasters. Technology also plays a role as the Maritime Transportation System (MTS) is dependent on Global Positioning Systems (GPS) and resulting positioning, navigation, and timing data. Disruptions in the ability to obtain GPS data through either unintentional or intentional (cyber attack) means have the potential to create significant cascading supply chain disruptions. Therefore, CMS assets must be able to withstand infrequent, yet high-impact risks related to the global supply chain.
Global Political and Social Implications
One important aspect of the US supply chain is that CMS assets are now more dependent on raw materials and minerals from foreign countries due to declining mining activity in the United States. This is in addition to CMS assets utilizing foreign markets to reduce overall costs related to component manufacturing, equipment, machinery, and labor. This dependence on international networks increases risk for CMS assets to a host of global risks. In addition to the global supply chain, the CMS must now keep abreast of global attitudes toward the United States, geopolitical unrest, economic conditions, and other risk factors associated with global markets. These risk and variables impact foreign operations, global supply chain providers, and raw material access and can result in significant cascading disruptions.
Primary Sector Dependencies and Interdependencies
Today, the US critical infrastructure sectors are highly dependent and interdependent on one another through physical and cyber linkages. After a natural disaster, man-made incident, or technological accident, a significant failure in one sector – such as in the Energy Sector or Water and Wastewater Systems Sector – has the potential to cascade and create significant impacts to other regions. Currently, the CMS has interdependencies with the sectors of Communications and Information Technology, and dependencies on the sectors of Chemical, Energy, Financial, Transportation Systems, and Water and Wastewater (DHS 2014, 2015a). Descriptions of select dependencies and independencies are provided below.
Energy: Provides power, which supports CMS functions. This is the primary dependency for the CMS. Without power, CMS assets cannot not function for an extended period of time, as access to backup power is often limited in scope. An interruption to the power supply would directly impact all CMS assets located in the affected electrical service region and could have cascading effects on other sectors.
Water and Wastewater Systems: Provides a supply of potable water and handles the treatment of wastewater. In some cases, continuous water sources are essential for critical manufacturing processes. Without these services, CMS assets would be forced to be shut down until services are restored.
Transportation Systems: Transportation systems allow employees and customers to travel to and from CMS assets to receive products and supplies. Manufacturers depend on multiple modes of transportation (aviation, freight rail, highway, and maritime) for the secure movement of raw materials and finished products.
Financial Services: Provides financial services to enable CMS assets to conduct daily business operations.
Communications: CMS asset owners and operators rely on the Communications Sector for telecommunications access for operations and logistics.
Information Technology: Enables day-to-day operations and financial transactions. Underpins supply chain coordination and control system processes.
Chemical: A consistent supply of a range of chemicals is required in multiple CMS processes (DHS 2015a, p. 3, 6–7).
In addition to external dependencies and interdependencies between sectors, the CMS also experiences internal interdependencies similar to other infrastructure sectors. For example, CMS assets engaging in Machinery Manufacturing is dependent on products from Primary Metals Manufacturing assets. However, Primary Metals Manufacturing assets are also dependent on Machinery Manufacturing assets to produce machinery and parts to enable raw material processing. Therefore, interdependency in this example is a two-way street relationship.
Today, the continual operation of the CMS is dependent and interdependent on other infrastructure sectors similar to those sectors that are interdependent with the CMS. Greater dependences and interdependencies, especially in the cyber realm related to communications and information technology, create the potential that even a localized disruption will have the ability to cascade to numerous CMS assets. This is in addition to the vulnerabilities within the global and national supply chains that can pose significant disruptions to the CMS.
Sector Mission, Goals, and Priorities
In alignment with the NIPP, each SSA develops a specific mission for their respective infrastructure sector, which is defined in individual SSPs. Listed below is the specific mission statement for the CMS.
Mission Statement: Strengthen the security and resilience of the Critical Manufacturing Sector by building an active public-private partnership to coordinate efforts that enable proactive risk reduction and effective response, recovery, and adaptation (DHS 2015a, p. 15).
In addition to defining the mission, the CM SSP identifies specific goals and priorities, which are aligned with the five overall national goals defined in the NIPP.
Improve information sharing and promote continuous learning. (NIPP Goal #4).
Identify sector-specific risks. (NIPP Goal #1).
Develop cost-effective strategies to reduce risks. (NIPP Goal #2).
Support research and development efforts and advanced planning to ensure rapid response and recovery. (NIPP Goals #3 and #5) (DHS 2015a, p. 15).
Evaluating interdependencies with other sectors and within supply chains.
Increasing engagement and collaboration both within the sector and with other critical infrastructure sectors.
Raising risk awareness at executive levels.
Improving cybersecurity knowledge, tools, capabilities, and practices.
Participating in cross-sector trainings and exercises to improve response and recovery. (DHS 2015a, p. 15).
As with all US infrastructure sectors, the CMS is vitally important to individuals, communities, and the nation overall. Another important aspect of the CMS is that it helps preserve the American way of life. For example, the CMS not only supports employment but also manufactures military equipment utilized to defend US national security. However, significant risks to security and resilience of the CMS continue to evolve. These risks include actions happening on the world stage as well as actions within numerous dependent and interdependent sectors. These risks must be addressed as the CMS is a critical contributor to US national security and economic vitality.
- Bennett, C. (2016). DHS: Cyberattacks on critical manufacturing doubled in 2015. The Hill. Retrieved from http://thehill.com/policy/cybersecurity/266081-dhs-critical-manufacturing-cyberattacks-have-nearly-doubled
- Coullahan, B. (2017). Unmanned aircraft systems in homeland security. In R. Baggett, C. Foster, & B. Simpkins (Eds.), Homeland security technologies for the 21st century (pp. 149–174). Santa Barbara: Praeger Security International.Google Scholar
- Executive Office of the President. (2013). Presidential policy directive 21: Critical infrastructure security and resilience. Washington, DC: Executive Office of the President.Google Scholar
- Executive Office of the President. (2017). Executive order 13806: Assessing and strengthening the manufacturing and defense industrial base and supply chain resiliency of the United States. Washington, DC: Executive Office of the President.Google Scholar
- Government Accountability Office. (2015). Critical infrastructure protection: Sector-specific agencies need to better measure cybersecurity progress (GAO-16-79). Washington, DC: Government Accountability Office.Google Scholar
- Interagency Security Committee. (2015). Planning and response to an active shooter: An interagency security committee policy and best practices guide. Washington, DC: U.S. Department of Homeland Security, Interagency Security Committee.Google Scholar
- National Institute of Technology. (2015). Framework for improving critical infrastructure cybersecurity (version 1.1, draft 2). Gaithersburg: National Institute of Technology.Google Scholar
- Parfomak, P. (2008). Vulnerability of concentrated critical infrastructure: Background and policy options. Washington, DC: Congressional Research Service.Google Scholar
- U.S. Computer Emergency Readiness Team. (2017). Alert (TA17-293a): Advanced persistent threat activity targeting energy and other critical infrastructure sectors. Washington, DC: U.S. Department of Homeland Security/U.S. Computer Emergency Readiness Team.Google Scholar
- U.S. Department of Homeland Security. (2014). Sector risk snapshots. Washington, DC: U.S. Department of Homeland Security.Google Scholar
- U.S. Department of Homeland Security. (2015a). Critical manufacturing sector-specific plan: An annex to the NIPP 2013. Washington, DC: U.S. Department of Homeland Security.Google Scholar
- U.S. Department of Homeland Security. (2015b). Critical manufacturing sector cybersecurity framework implementation guidance. Washington, DC: U.S. Department of Homeland Security.Google Scholar
- Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act (Public Law 107–56). 2001, October 26.Google Scholar
- Baggett, R., & Simpkins, B. (2018). Homeland security and critical infrastructure protection (2nd ed.). Santa Barbra: Praeger Security International.Google Scholar
- Lewis, T. (2014). Critical infrastructure protection in homeland security: Defending a networked nation (2nd ed.). Hoboken: Wiley.Google Scholar
- U.S. Department of Homeland Security. (2013). NIPP 2013: Partnering for critical infrastructure security and resilience. Washington, DC: U.S. Department of Homeland Security.Google Scholar