Critical Infrastructure and Cyber Security in the US
The purpose of this session-long project is to provide you with the opportunity to prepare a paper or
report on Critical Infrastructure Protection (CIP) that is of particular interest to your community
(Philadelphia), state (Pennsylvania), or the United States in general. The following information is essential
in ensuring your success with this course component.
The project is to include at least the following information:
Length: This Case Assignment should be at least 10 pages not counting the title page and references.
References: A total of 10 references (at least four references should be included from academic sources
listed below). Quoted material should not exceed 10% of the total paper (since the focus of these
assignments is critical thinking). Use your own words and build on the ideas of others. When material is
copied verbatim from external sources, it MUST be enclosed in quotes. The references should be cited
within the text and also listed at the end of the assignment in the References section (preferably in APA
Organization: Subheadings should be used to organize your paper.
The following items will be assessed in particular:
CRITICAL INFRASTRUCTURE AND CYBER SYSTEMS 2
Critical Infrastructure and Cyber Security in the US
As a matter of national safety, critical infrastructure and cyber security
is a significant issue in the US. Critical infrastructure refers to any system, facility,
or function that offers the foundation of national governance, security, reputation, economic
vitality, and way of life. Whether virtual or physical, CI systems are so significant to the US that
their destruction can have a debilitating effect on the nation’s security, national public
safety or health, and national economic security, among others (O’Connor, 2010). Cyber systems
and critical infrastructure (CI) always experience attacks on an industrial level. As a result,
several businesses and organizations in the country are often affected negatively by such attacks.
Attacks on critical infrastructure and cyber systems cause organizations to suffer
industrial surveillance and intellectual property theft, which lead to enormous losses to the
US economy. As such, identifying suitable methods that the local and state governments,
private and public sectors and other agencies can employ in enhancing critical
infrastructure cyber security is vital in addressing the issues related to CI and cyber systems
attacks. Some of the methods employed by these parties are information sharing and programs
that are aimed at collecting information related to security.
Sharing of information has been noted as the principal method of ensuring the security of
critical infrastructure and cyber systems. However, this process needs to be executed in a way
that does not compromise or risk the safety or security of the source. Information sharing across
the conventional boundaries of organizations is vital in ensuring the safety of both CI and cyber
systems in the country (Brattberg, 2012). Information sharing happens to be a crucial component
of the significant mission of the DHS (Department of Homeland Security), which is aimed at
creating a shared situational awareness about malicious cyber operations (The National
Cybersecurity and Communications Integration Center). As such, the DHS ensures that both the
state and local law enforcement have access to information, which is critical for the protection of
the nation’s CI. Besides, the DHS ensures that information is made confidential with the aim of
ensuring that the sources are protected. This undertaking ensures that vital information continues
to flow to authorities concerned with law enforcement.
Significance of Information Sharing in Relation to the Security of CI and Cyber Systems
Availing information to the law enforcement authorities helps in ensuring that these
parties have a vital tool for safeguarding American citizens. Achieving this goal requires that the
law enforcement agencies monitor the core areas that have been noted to be vulnerable to attacks
from internal and external sources. Information sharing among the officers offers suitable
mechanisms of identifying threat pictures, vulnerabilities, and their effect on the citizens.
Moreover, it enhances the collection, reception and evaluation of risk-related or threat-related
Information sharing also provides a suitable platform on which the national and local
governments alongside the private and local sector partners can establish efficient methods of
safeguarding the CI and cyber systems. Furthermore, it ensures that the processes of identifying,
tracking, accessing and communicating risk-related information are achieved in a single
process. This strategy is significant in enhancing the safety of civil liberties and confidentiality
of Americans and businesses.
Sharing of information provides a suitable mechanism through which the public can
report suspicious events or activities to law enforcement agencies (Headayetullah, 2010). The
DHS ensures that this goal is accomplished using awareness interventions, which are aimed at
enriching the public or citizens with skills and knowledge on indicators of terrorism and violent
crime. In addition, this department is involved in international and federal partnerships with the
aim of availing resources and information to the local and state enforcement authorities. One of the
programs that are employed in gathering information from the public is the C³ (Critical
Infrastructure Cyber Community Voluntary Program).
Critical Infrastructure Cyber Community Voluntary Program
The US relies on CI every day to provide water, energy, financial services, transportation
and other capabilities that support the needs of the American people and their way of living.
Over the years, advancements in technology have led to the evolution of these capabilities,
which has enhanced their running. With the increased dependence on cyber-reliant systems, issues
of vulnerabilities and threats have also increased.
Safeguarding the cyber security systems of the country’s CI is a matter of high
concern for the national government. In relation to this, in February 2013, President Barack
Obama endorsed Executive Order 13636, which was aimed at enhancing the critical
infrastructure cyber security. In the same year, the president released the PPD-21 (Presidential
Policy Directive), which was targeted at increasing the overall resilience of the nation’s CI
(Harrop & Matterson, 2013). One of the core elements of the executive order is the
establishment of the cyber security model or the framework by the NIST (National Institute of
Standards and Technology). This framework is meant to assist critical infrastructure
organizations and sectors in managing and reducing their cyber threats.
Since there is a robust connection between physical security and cyber security, the DHS
has established a partnership with the CI community with the aim of developing a voluntary
intervention to encourage the application or use of the framework in strengthening critical
infrastructure cyber security. The C³ program acts as a coordination point or center within the
Federal government for CI owners and operators who have interest in enhancing their cyber
threat management activities. The C³ voluntary intervention has three objectives. This program
aims at supporting the industry in enhancing its cyber resilience. Besides, the intervention
focuses on increasing the use of the framework and the community’s awareness of this model. Lastly,
the intervention aims at encouraging organizations to engage in the management of cyber
security as a component of an all-hazards strategy to enterprise risk management.
In February 2014, the launch of the C³ voluntary program coincided with the release of
the ultimate Framework (Vladimirovich, 2014). The first focus of this program is involvement
with the SSAs (Sector Specific Agencies) and organizations by means of the Framework to
establish a guideline on how to implement the Framework. The subsequent stages of the C³
voluntary intervention will widen the intervention’s coverage to every critical infrastructure and
businesses or organizations of all sizes that have interest in using the Framework.
Activities of the C³ voluntary program
This intervention focuses on three principal activities.
Communications and Outreach
The C³ voluntary intervention acts as a center of contact and client relationship manager
to help organizations or businesses with the use of the Framework. Besides, it guides
interested sectors and organizations to the Department of Homeland Security and other private
and public sector resources (Vladimirovich, 2014). This guidance is provided with the aim of
supporting the use of the framework for cybersecurity.
The intervention promotes feedback from stakeholder businesses concerning their
experiences using its resources to implement the Framework (Vladimirovich, 2014). The
program works with organizations to understand how these organizations use the
Framework, and to obtain information on how the program and the Framework can be improved
to serve organizations in a suitable way. Moreover, this intervention ensures that the feedback
obtained from these organizations is availed to the NIST, to assist in guiding the establishment of
the next edition of the Framework and related efforts.
This program focuses on assisting stakeholders with the comprehension of the use of the
Framework and other efforts that are associated with cyber risk management. Furthermore, it
aims at supporting the establishment of sector-specific and general guidance for the
implementation of the framework. The intervention also aims at working with the 16 sectors of
critical infrastructure to establish sector-specific guidance for using the framework in a suitable manner
(Haynes, 2004). Some of these sectors include food, communications, healthcare, defense,
information technology and agriculture.
Channels through which Organizations, Businesses, and the Public can engage in the
The C³ voluntary intervention interacts with organizations, businesses and the public
through four channels. The program uses the regional DHS personnel from the CSA (Cyber
Security Advisor) and PSA (Protective Security Advisor) programs in interacting with the target
parties. These personnel engage in direct interaction with organizations or businesses in their
regions concerning cybersecurity and CI protection. The second channel of interaction is the
CIPAC (Critical Infrastructure Partnership Advisory Council) framework. This partnership takes
into consideration the government, CI sector owners and operators (Geer, 2013). The partnership
aims at ensuring the presence of a range of activities for the protection of the CI. The third
channel is direct involvement with organizations, businesses and the public. These parties may
access the program’s website. The last interaction channel is the RFI (Request for Information)
that offers a suitable platform on which the public can present their views on cybersecurity’s
policies and solutions.
Private and Public Sectors’ Best Practices for Safeguarding the CI and Cyber Systems
Guaranteeing the protection and resilience of the country’s cyber and CI systems is a shared
responsibility among various stakeholders or parties. Currently, both the private and public
sectors are engaged in several methods of safeguarding the CI and cyber systems via
partnerships. In relation to this, the IP (Infrastructure Protection) office is dedicated to
strengthening and expanding CI across all regions in the U.S. The IP is accomplishing this goal
by engaging in activities that strengthen personnel at the regional level. Moreover, the IP is
engaged in strengthening of interventions and potentials to offer support to regional partnerships.
Financial Services ISAC (Information Sharing and Analysis Centers), which was
established by security, banking and finance organizations in October 1999, is
among the organizations that have been established to enhance the process of safeguarding the
cyber systems and CI (Haynes, 2004). Both the public and private sectors are involved in the
maintenance of databases to which their members are required to report information about
security threats, vulnerabilities, events and solutions or opinions. This information is then
evaluated by security experts who proceed to alert members depending on the urgency or
seriousness of the matter. The information posted on the databases is kept private with the aim of
protecting the sources.
Both the private and public sectors are associated with early or immediate notification of
risks, sharing of anonymous or unspecified information and offering expertise on subject matter.
Furthermore, these sectors contribute significantly to the provision of trending information and
other benchmark data. The membership list is always kept private. These sectors also play a vital
role in establishing standards that are used in initiating, executing and improving information
security for cyber systems and CI. The benchmarks formed by these sectors address issues of
security, reliability and safety in operations. Besides, the benchmarks help in addressing matters
concerning the design of systems for securing cyber systems and CI. Some organizations have
also established study groups, which are in charge of identifying and documenting vulnerabilities
and threats. Furthermore, other private and public organizations are involved in the coordination
and promotion of consensus-based standards.
Private and Public Sectors’ Best Practices for Safeguarding Cyber Systems and CI
Sharing of information is considered critical for attaining secured cyber systems and CI.
Information sharing enhances the continuous flow of vital data concerning threat-related matters.
Both the private and public sectors play a significant role in ensuring that this goal is accomplished. The
information obtained from the members is made private with the aim of ensuring their safety.
In many situations, the two sectors make information inaccessible or unreachable even to
the national government. Therefore, people are always motivated to offer information without
fear. However, this undertaking may create problems to matters involving research. One of the
problems associated with this approach is that researchers may lack substantial or adequate data
concerning security threat matters as this information is often hidden. On the other side, the two
sectors should ensure that their communication systems are safeguarded even in times of
disaster. This approach is vital in avoiding the disruption of such systems, as was seen in the
case of the communication capabilities of public agencies, which were eroded by the Hurricane
Katrina disaster (Miller, 2007).
Coordinating and promoting consensus-based benchmarks is significant in minimizing
duplication and overlap, which are always associated with benchmark-related efforts (Haynes,
2004). These benchmarks also ensure that entities adhere to policies and regulations concerning
cyber systems and CI security. Thus, the practices adopted by the public and private sectors are
vital in safeguarding the CI and cyber systems.
Role of the Local Government, State Government, and Private Sector in Securing Cyber
Systems and CI
Many interventions have been established to aid in securing cyber systems and the CI.
The local government has developed community-based interventions that raise awareness
in the community. Under these programs, individuals are equipped with adequate
knowledge of the indicators of terrorism and violent crime, which may impact negatively on
cyber systems and CI. Knowledge of indicators of crime/terrorism is an indispensable element of
protecting information related to CI (A generic national framework for critical information
infrastructure protection, 2007). The local government also ensures that people are offered
feedback mechanisms through which they can submit crime and terrorism-related issues. These
feedback systems offer a suitable platform on which vital information is shared.
The state government has developed various agencies that assist in enhancing the
safety of cyber systems and CI. This undertaking is facilitated by the Department of Homeland
Security. These agencies engage in robust partnerships with public and private sectors with the
aim of enhancing the safety of cyber systems and CI. Moreover, the agencies help in developing
appropriate methods of recognizing vulnerabilities and threats, and their remedies.
Private and public sectors also contribute significantly to enhancing the safety of cyber
systems and CI (Brattberg, 2012). These sectors have developed databases on which members
can post information or opinions on issues related to security threats, and offer solutions to such
matters via their security experts. The information posted on the databases is given to law
enforcement agencies and the state government to enable necessary or corrective measures to be
adopted. Besides, the two sectors have guidelines, which can be employed in facilitating the
process of safeguarding cyber systems and CI.
Other Methods of Enhancing Critical Infrastructure Cyber security
NIST has established a crucial framework that can be employed in enhancing critical
infrastructure cyber security in several ways. This model offers owners of CI and other parties
voluntary guidance on suitable methods of protecting assets and information from
cybercrimes or attacks. The framework is divided into three principal elements that include core,
tiers and profiles. NIST’s model establishes best practices that are always employed in CI industries
The Core is divided into five functions that include protect, identify, respond, detect and
recover. Taking into consideration the fact that these functions are often used together, they can
be employed in helping organizations comprehend and transform their cyber security programs
into an efficient and functional system (Geer, 2013). The tiers enable organizations to evaluate the
extent to which their systems meet goals established in the NIST’s framework. Consequently,
profiles assist organizations in attaining a higher state of cyber security sophistication.
NIST’s model for improving critical infrastructure cyber security was developed as a
response or reaction to Executive Order 13636 (Haynes, 2004). The president assigned
NIST the task of developing a set of methodologies, standards and processes, which align
business, policy and technological strategies to address or handle cyber threats to CI. In relation
to this, the DHS has identified 16 different sectors that include food, information technology,
defense, agriculture and healthcare among others.
Labeling its framework as Version 1.0, the NIST acknowledges the fact that its model
needs to be dynamic to enable it to match the ever-evolving technology and needs of cyber security.
In addition, NIST has developed a roadmap, which is aimed at advancing the critical
infrastructure cyber security (Geer, 2013). This roadmap offers the future path for
adjusting/updating and improving version 1.0. As it continues to create new editions of its
model, NIST anticipates remaining at the core of collaboration between government agencies and
industry to assist owners of CI in comprehending, executing and improving the model.
Just as in the case of the C³ voluntary intervention, the NIST framework is voluntary
(Haynes, 2004). Currently, the departments of commerce, homeland security, and treasury are
involved in reviewing methods and mechanisms of creating incentives, which will motivate
organizations and businesses to execute the guidance.
In conclusion, the safety of critical infrastructure and cyber systems relies on the aspect
of sharing information. This goal is accomplished through the establishment of a broad network,
which takes into consideration the local government, state government, private, and public
sectors, and agencies such as NIST. Besides, this network includes the American citizens who
are allowed to post information to databases that have been developed by the mentioned parties.
Sharing of information is significant in ensuring that the security levels of CI and cyber systems
are achieved in an efficient manner. However, it is vital to note that the shared information needs
to be kept private to safeguard the interests of the sources.
A generic national framework for critical information infrastructure protection (CIIP) (2007).
Manuel Suter, Center for Security Studies, ETH Zurich.