Critical Infrastructure Protection and Resilience, North America
2019-05-08 11:41:57
Transcript of Brian Harrell – CISA, US DHS keynote address today at this year’s Critical Infrastructure Protection and Resilience North America Conference
Let’s Do Our Part in the Collective Defense of the Nation’s Critical Infrastructure
Good morning and thank you for welcoming me this afternoon to Tampa, Florida. At the Cybersecurity and Infrastructure Security Agency (CISA), we see opportunities like this as a chance to engage with industry and our state and local partners and share our vision and key initiatives to defend today and secure tomorrow. I want to open this discussion with a challenge. As I move through today’s speech, I challenge you to think about the future of infrastructure protection and your role in securing our nation’s industries, and the communities in which we live. More than that, I challenge you to think about what you could do to make your facility, your campus, your customers, and your employees more secure and more resilient.
I raise this challenge because, quite frankly, the government is only part of the solution to the threats that face us today. The world is shrinking and more interconnected than ever, thanks to technological advances that are the hallmark of the 21st century. With this technology and interconnectedness comes the ability to exploit new vulnerabilities and spread hate, terrorism, and bigotry quickly around the globe. An action or idea from halfway across the globe can easily inspire a motivated attacker overseas, or here in the United States. We have seen a hate-filled and violent segment of society determined to kill innocent people, targeting our most vulnerable sites and venues crowded with the most individuals.
In our own country, we have seen more attacks on civilians. In just the past few weeks, we have seen an attack on a synagogue and a vehicle-ramming attack on pedestrians in California as well as a shooting at a university in North Carolina. This, of course, comes on the heels of the Sri Lanka attack where over 250 people were killed overseas.
April marked the anniversaries of milestone attacks on our soil, including the 1995 Oklahoma City bombing, the 1999 Columbine High School shooting, the 2007 Virginia Tech shooting, and the 2013 Boston Marathon bombing, to name just a few.
While we have learned from these attacks, adversaries have as well. In just the past couple of years, we have seen more attacks on locations that naturally attract crowds of people: the Harvest Festival concert in Las Vegas, the Tree of Life Synagogue in Pittsburgh, and a well-travelled jogging path in New York City. Unfortunately, these attacks have shown that significant death tolls and carnage can be achieved by targeting our public gathering places and spaces.
Over the years, CISA has built on lessons learned from events at home and abroad to develop robust tools, training, and resources that partners in law enforcement, government and industry can use to help prevent or mitigate future attacks. Our goal is to provide value and subject matter expertise to improve security in public venues to deter and prevent attacks.
Today, our agency’s mission covers critical infrastructure security, civilian federal facility security, infrastructure control systems, federal networks, soft targets and crowded places, and much more.
Like I mentioned earlier, what the U.S. Government does through initiatives, regulation, and information sharing is only part of the picture. It takes the combined effort, intellect, knowledge and capability of government and industry combined to build a strong, collective defense to the threats of today and tomorrow. We are in this together. What impacts you can impact me, and what impacts me can quickly impact you. Collective defense is a strategy that requires the government, industry, and the average citizen of this country to be mindful of threats, watchful for bad actors, and proactive to warn authorities when a security threat materializes.
Introducing the Cybersecurity and Infrastructure Security Agency
I want to take a few minutes to share with you a bit about my organization, CISA. The elevation of the Department of Homeland Security’s National Protection and Programs Directorate into CISA in November 2018 was a critical step in ensuring the federal ecosystem has the resources, authorities, and mission alignment to enable effective and lasting partnership in addressing the Nation’s cyber and physical risks. It also gave us a name that describes what we do: cyber and critical infrastructure security.
I joined CISA in December of 2018, but my familiarity with CISA’s predecessor, the National Protection and Programs Directorate (NPPD), goes back nearly 15 years during my tenure in the private sector.
Threats to critical infrastructure have been both physical—including severe storms, and human interference—and cyber, though recently the cyber threat is coming more and more from nation states. Over the past few years, our critical infrastructure has leveraged the wonders of technology to improve service and efficiency. However, along with the benefits have come new vulnerabilities and risks.
Today, we live in a tightly interdependent cyber-physical environment. An impact in one area can very quickly ripple across sectors to create disruptions across a community or even the nation. This mission has never been more important to our nation’s preparedness and resilience, as the threats we face – digital and physical, manmade, technological, and natural – are more complex, and the threat actors more diverse, than at any point in our history.
As our nation absorbs new technologies and innovation, CISA is leading with a bold vision on how we can adapt, enhance coordination across government, and better serve industry in our common mission to secure cyberspace.
CISA’s leadership has laid out five overarching priorities, which the agency implements through programs that are delivered at the headquarters and regional levels. These cover:
· Supply Chain/5G/China
· Industrial Control Systems (ICS)
· Soft Target/Crowded Places Security
· Federal Network Security
· Election Security
The Threat Environment
It goes without saying that the five priorities that I just mentioned are aligned to what we see as key threats today. Within CISA’s Infrastructure Security Division, our efforts are perhaps most aligned to support the threats to soft target security, but we also support efforts to manage risk across the entire threat landscape.
In fact, I am very much focused on the convergence between cyber and physical systems. Thanks to the efficiency and convenience that web-enabled processes and systems offer, our critical infrastructure is more interconnected than ever. That also means we have increased risks and vulnerabilities. For example, nation-state actors like China or Russia can launch a cyberattack on our critical infrastructure from across the globe.
CISA is also looking at emerging threats like those from unmanned aircraft systems, or drones, operated by hostile actors.
While our mission covers a wide scope, I’ll try to cover some of the highlights in the time I have here today.
Our Regional Approach
While CISA’s headquarters team works to develop guidelines, checklists, tools, resources, training and other information, it is CISA’s field force that delivers much of this information to partners around the country. CISA’s ten regional offices oversee a nationwide network of personnel who offer hands-on technical assistance, training and connection to CISA’s full scope of resources.
Within the regions, our Protective Security Advisors regularly work with owners and operators of venues or events that could be considered soft targets, as well as more traditional critical infrastructure industry partners. Of note, they provide active shooter preparedness training, vulnerability assessments, and in-person training and presentations that inform the development of effective emergency action plans.
In 2018 we:
· Conducted 570 active shooter preparedness briefings, 60 workshops, and nearly 2,700 assist visits across the country, which focused on coordination, training, and education on active shooter incidents. In addition, the Active Shooter Webpage received more than 1.1 million views.
· Enhanced nationwide capabilities to counter threats from improvised explosive devices (IEDs) by providing training to 10,922 stakeholders through 667 training events. This training has proven effective in saving lives in bombing incidents.
· Conducted 684 Infrastructure Survey Tool assessments, in coordination with facility owners and operators to identify and document the overall security and resilience of the facility.
Collective Defense and our Information Sharing Approach
Earlier, I mentioned collective defense. This is a concept that drives CISA’s approach to how we identify and manage threats.
CISA takes a collective defense approach to threats, on the premise that no single entity in government or industry has the whole threat picture, nor does anyone have the market cornered on solutions to mitigate the threats. Only by working together, with each contributing expertise, skills, knowledge, and good ideas can we hope to identify, prevent, and mitigate threats coming from across the physical and cyber realms.
Information sharing is a critical component of this collective defense, and CISA has a long history of establishing successful partnerships, such as the sector-specific model for collaborating and sharing information with critical infrastructure owners and operators. Moreover, we share information through a multitude of platforms, ranging from in-person classified or unclassified meetings to online portals like HSIN-CI, TRIPwire and Gateway, to field-based efforts conducted by our Protective Security Advisors or other regional staff.
· For example: after the Easter attacks in Sri Lanka, CISA immediately reached out to its stakeholders and leveraged other tools like TRIPwire to provide current information and threat assessments to share with law-enforcement partners and industry stakeholders. Through our sector partnership relationships with commercial facilities, CISA shares information with partners in the hotel and lodging subsector, and through the Faith-Based Information Sharing and Analysis Organization (FB-ISAO), CISA was able to reach out to faith-based groups to share the latest threat information.
· One of our information sharing programs actually has a booth at this conference, so I encourage you to stop by CISA’s HSIN-CI booth later to learn about the many resources and information sharing platforms the agency has to offer.
This activity is the latest in efforts that, since the beginning of the year, have included: engagements with 48,000 faith leaders on security best practices and multiple tabletop exercises. For example, last month we conducted an exercise with the Secure Community Network. We have also recently collaborated with the FBI on a vehicle-ramming mitigation video for the car rental industry, and Protective Security Advisors pursue ongoing engagement throughout the year with partners in communities nationwide.
Again, what the government does is only part of the equation. My challenge to you is to find out how you can be part of the collective defense at the community level, as well as at the national level. Fortunately, our PSAs can be a terrific resource to help you figure out where and how to connect, and if you haven’t already, I encourage you to reach out to one in your region. If you don’t know where to start, you can email NICC@hq.dhs.gov to find out who your local PSA is.
How CISA is Working to Protect Soft Targets and Crowded Places
CISA is leading the Department’s efforts to help prevent and mitigate attacks on what those in the security industry know as soft targets and crowded places. In fact, soft target security is one of CISA’s top five priorities.
In 2018, the DHS published an overview of its Soft Targets and Crowded Places Security Plan. The plan established a more coordinated approach within DHS to mitigate risks posed to these facilities and leverage the breadth of capabilities maintained throughout the Department to better support the private sector in its efforts to keep venues and patrons safe. The Department identified four focus areas that it will build on, including direct support to security operations, threat information sharing, capacity building, and research and development.
Shortly after the plan overview was issued, CISA stood up a Soft Targets and Crowded Places Task Force to serve as the Department’s focal point for coordinating on resources, tools, training and information to help other government and private sector partners secure these locations.
Much of what it has developed to help more traditional critical infrastructure partners is relevant as well to entities that are by their nature more open and accessible to the public. The Soft Targets and Crowded Places Task Force is taking various programs, such as the Active Shooter Preparedness and Security Program, and further targeting its application and messaging to emphasize their importance to venues like houses of worship, theaters, museums, special events or other gatherings.
With its increased focus on securing soft targets and crowded places, the Task Force can devote attention and effort to developing resources focused on mitigating a range of evolving threats, such as from unmanned aircraft systems, vehicle ramming, fire as a weapon, insider threat, and complex, coordinated attacks. As the task force continues to execute existing programs and provide resources to decision makers in soft target venues, it is also innovating new capabilities to more directly reduce risk. Information on available resources is included in a Security of Soft Targets and Crowded Places Resource Guide that is freely available on DHS.gov.
Other resources that are available online include downloadable materials such as pocket cards, posters, fact sheets, and others that provide information on actions that can be taken before, during, and after an incident to reduce the impacts of an attack, as well as online training and resources that focus on behavioral indicators and other pertinent matters that can increase the probability of survival if an attack occurred.
Many of these resources are translated into nine of the most commonly spoken languages in the U.S. to reach the broadest audience possible. We also maintain resources to assist the critical infrastructure community in conducting independent exercises that address the needs of their organizations and industry focus areas. Our goal is to provide organizations with information to mitigate risk, and to the general public to inform actions that can save lives.
On the voluntary security side, we have our Bomb-Making Materials Awareness Program (BMAP). BMAP increases public and private sector awareness of explosive precursor chemicals and improvised explosive device components so point-of-sale employees will recognize and report suspicious acquisitions of materials prior to the manufacturing of homemade explosives or IEDs. We also include the chemical sector as one of the 16 sectors that we work with on a voluntary basis, through the sector coordinating councils.
In addition to the voluntary partnerships that are central to the majority of CISA’s effort, we manage the Chemical Facility Anti-Terrorism Standards, or CFATS, program. This program was developed in response to a real and evolving threat from the potential weaponisation of chemicals, as we have seen in the past few years in the attacks in Brussels, Turkey, Paris etc.
CFATS focuses on security at high-risk chemical facilities to ensure that they take measures to reduce risks associated with certain hazardous chemicals and make sure those chemicals do not fall into the hands of someone who wants to exploit them in a terrorist attack. The program requires high-risk facilities to comply with 18 Risk-Based Performance Standards that include areas such as cybersecurity, response, training, and personnel surety.
Interagency Security Committee
One of what may be our best-kept secrets is the Interagency Security Committee, which CISA chairs. Created shortly after the 1995 terrorist attack in Oklahoma City, the ISC reflects the power of collective defense and assists Federal Departments and Agencies to make defensible, risk-based, and resource-informed security decisions with the objective of enhancing the security posture of Federal facilities across the nation. Members include the most knowledgeable and experienced security professionals from across the government, who create security policies and standards for federal facilities. This group is responsible for hundreds of thousands of facilities and works collaboratively to produce guidance for all Departments and Agencies.
No single organization could hope to harness the sum of talent that comes together voluntarily in the ISC for the betterment of all. Membership covers the traditional disciplines of physical security, law enforcement, intelligence, along with technical experts like blast engineers, as well as specialists in building control systems, cybersecurity and emerging threat domains such as counter-UAS. The ISC leverages this collective body of knowledge to develop top-tier risk management resources.
While the committee produces guidance, policies and standards to help civilian federal facilities improve security, some states, localities and even the private sector have adopted many aspects of the ISC’s approach.
Industrial Control Systems and Cyber-Physical Convergence
One of CISA’s top priorities is securing industrial control systems, and that goes hand in hand with issues arising from cyber-physical convergence. As our physical infrastructure systems grow ever more reliant on networking and web-enabled functions, we are introducing new vulnerabilities into our systems.
With this greater interdependency and interconnectivity among critical infrastructure—as well as other technology—a threat to one company or one sector can very quickly ripple across multiple sectors or industries. As we look at the threat environment, we need to look beyond traditional boundaries and think holistically about cyber and physical security.
Prioritizing and Stabilizing Critical Lifelines
Whether critical infrastructure suffers from a cyberattack, a physical attack, or a combination, the impacts can affect a whole community or region. We have seen this numerous times after significant hurricanes, most recently in the 2017 and 2018 hurricane and wildfire seasons.
Building on lessons learned from these events, we have been working with FEMA on the update to the National Response Framework, which guides the unified federal response to an incident. In particular, we have focused on what will be the new Emergency Support Function 14, through which we will work with industry partners to prioritize and stabilize critical lifeline functions, and by doing so, help the community on its path to recovery.
Related, CISA just released a list of 55 National Critical Functions. These are functions that are produced or enabled by critical infrastructure, and whose degradation could cause significant disruption to the nation’s security, economy, safety or public health. This new approach opens up thinking to account for risks that may be distributed across traditional sectors, new risks that may emerge over time, or risks that are nationally significant.
CISA will use this set of functions to develop a Risk Register by performing risk analysis, dependency analysis, and consequence modeling. The Risk Register will assess the likelihood and consequences of a significant degradation to a National Critical Function, along with identification of government and industry readiness to work together to reduce risk.
A Call to Action
Adversaries might be ideologically inspired individuals, or they could be nation states seeking to gain an economic or tactical advantage. They may leverage simple, low-tech tools in attacks, but they also leverage ideas, and inspiration found online—often from people across the world, as well as those closer to home.
The threat environment changes as quickly as ideas spread or technology evolves. In the end, resources are only part of the solution, and the only real defense is a collective defense. As I said at the beginning, everyone has a role to play in homeland security. A collective effort has never been more important than now.
I ask each of you to take action.
· Connect -- Reach out and develop relationships in your community, including local law enforcement. Connect with your Protective Security Advisor. Having these relationships established before an incident occurs can help speed up the response when something happens.
· Plan -- Take the time now to plan on how you will handle a security event should one occur. Learn from other events to inform your plans.
· Train -- Provide your employees with training resources and exercise your plans often. The best laid plans must be exercised in order to be effective. Once you make a plan, it is very important to exercise it. A plan can only be effective if everyone understands it and knows what to do if there is an incident.
· Report -- If you see something suspicious, let your local law enforcement know.
These are the four actions we recommend in our hometown security outreach, and I would add a couple more steps you can take:
· Communicate. If you have good ideas, or have learned good practices, share them. If you have capabilities, knowledge, or expertise, bring it to the table.
· Be informed. CISA offers a wealth of free information, tools and resources. In addition to reaching out to a PSA, go online and explore everything that is available on our website at CISA.gov.
The bottom line is that we must work together to ensure a more secure nation for ourselves and future generations. By sharing information and good practices, and by training and exercising together, the public and private sectors can increase the nation’s resilience to the threats of today and tomorrow.