The back-up plan
By Mel Gedruj
Critical Infrastructure as defined by Public Safety Canada “refers to processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government.”
By Mel Gedruj
The US Department of Homeland Security (DHS) defines it as “the backbone of our nation’s economy, security, and health.”
Ten sectors are listed as CI in Canada while 16 have been identified by the DHS in the U.S. For the purposes of municipal management, two to three are to be covered: Public Transit (PT), Water/Wastewater (W3) and the third could be Energy/Utilities.
Whether we are dealing with bus, rail or water systems, the important concept that dominates current thinking is “resilience.” This goes beyond mere security concepts to the management of the organization‘s multiple risks be they financial, affecting optimal service delivery or safety and security.
Another conceptual model to retain is that these systems are designed in a very similar way to IT networks. Therefore when establishing the required range of criticality, it is paramount to evaluate the consequential loss of each of the components. Resilience is also to be assessed. For instance, when reviewing water reservoirs or pumping stations, it would be advisable to check the areas served and when assuming a total loss of service, verify that another water asset maybe able to pick up the slack. Also, within the pumping station itself, the question would be, do we have enough redundancy in spare pumping capacity? As with any networks, what should be avoided is a single point of failure, which makes resilience a challenging goal to achieve.
What are the guidelines and standards we could rely on to assist us in our security management planning work? For Organizational resilience ISO 31000 Risk Management standard and ANSI/ASIS SPC.1.2009 (SPC stands for Security Preparedness and Continuity).
A good practitioner’s reference would be James LeFlar and Marc Siegel’s “Organizational Resilience: Managing the Risks of Disruptive events” (Taylor & Francis Group, 2013).
In it, they qualify the approach with an interesting outlook on these two standards: “It is like an Italian recipe; it tells you ‘what’ you need to do but let’s you determine the ‘how’ to fit your taste.”
Once the strategic level has been planned using the above noted methodologies, we need to deal with more practical issues of what to do in infrastructure and operational security management.
The American Water Wastewater Association publishes guidelines for physical security while the Canadian Water Waste Association has been promoting Cybersecurity in collaboration with Public Safety Canada. As for Hydro distribution security, the CEA issues guidelines to its members.
Transit was the subject of an extensive security enhancement from 2006 to 2009 through Transport Canada’s sponsored Transit Secure program delivered in rounds going from a large metropolitan system down to small ones. The take away from all the available knowledge shared via a number of them such as Canadian Cybersecurity Response Centre, the Infrastructure Security Partnership, WaterISAC or others, is that facility and cyber security are intertwined, in essence two faces of the same coin.
The reason being that Internet based communications have increased the vulnerability of our industrial controls systems ( SCADA). However, it should be noted that both wired and wireless systems need to be housed somewhere and CI assets are physical infrastructures on land or underground.
Mel Gedruj, OAA, CSPM is the president of V2PM Inc., specialized in municipal security management planning.