At the Department of Homeland Security (DHS), Caitlin Durkovich leads the Department’s efforts to strengthen public-private partnerships and coordinate programs to protect the nation’s critical infrastructure, assess and mitigate risk, build resilience, and strengthen incident response and recovery. She spoke with The Cipher Brief about what DHS is doing to protect critical infrastructure.
TCB: What types of actors, such as states, terrorists and criminals, represent the greatest threat to our critical infrastructure? How do you expect these threats to change in the future?
Caitlin Durkovich: I think we do well in preparing for known challenges, but we also face new hazards and potential impacts to infrastructure from events like extreme weather and climate change, aging and failing infrastructure, and certainly cyber attacks. When we look at the past and study our future needs, we see that our infrastructure is becoming more complex and more interconnected, and our physical infrastructure is increasingly more reliant on cyber networks and systems to operate.
Working with our public and private-sector partners, the Office of Infrastructure Protection (IP) within the Department of Homeland Security identifies critical infrastructure threats – not just for protection, but for resilience, mitigation, and recovery – and provides protective measures that may be implemented to better protect facilities and individuals from all hazards.
We provide infrastructure owners and operators direct access to working with our experienced field-based critical infrastructure and security experts, called Protective Security Advisors (PSA). The PSA program’s primary mission is to proactively engage with federal, state, local, tribal, and territorial government mission partners and members of the private sector stakeholder community to protect critical infrastructure.
TCB: What are the most common sources of vulnerability or insecurity for critical infrastructure systems? How can these problems best be mitigated?
CD: Securing critical infrastructure is a national priority that requires planning and coordination across the public and private sectors. Among many of the potential vulnerabilities we face, one is simply related to the aging of today’s infrastructure. Our infrastructure provides us the water we drink, the transportation that moves us, the bridges that connect us, and the communication systems we rely on to stay in touch with friends and family. At the Department of Homeland Security, we work to promote the development of secure and resilient infrastructure when it needs replacing.
We are working to engage stakeholders from across the public and private sectors to identify additional needs and gaps in the tools, information, and resources available to support decisions about critical infrastructure development. We support a number of activities, including research on innovative methods for addressing gaps, and incentivizing owners and operators to build in security and resilience during initial development.
Over the course of many years of working with our infrastructure partners, we’ve continued to recognize the importance of improving information sharing through joint training and exercises that can best enhance infrastructure resilience and incident response. We participate in, conduct, and host numerous exercises with our infrastructure partners – with and across all sectors – to continually test coordination, response, and resilience efforts against a variety of physical and cyber threats.
TCB: What can businesses do to work better with the government to protect critical infrastructure? What can government do to work better with businesses?
CD: November is Critical Infrastructure Security and Resilience Month, and DHS is using this time to remind businesses, elected officials, and the public of the importance that critical infrastructure plays in our daily lives.
It’s important to recognize that infrastructure security and resilience is a joint responsibility. Government and business need to remain vigilant as we monitor, prepare for, adapt to, and mitigate vulnerabilities caused by changes in the physical and environmental landscape. Over the last year, we have engaged with our partners across the critical infrastructure community to update and release the 2015 Sector-Specific Plans for building resilience and reducing risk. By applying the actions outlined in the plans, sector participants are able to create products and tools that support the local and regional jurisdictions where facilities and systems are located.
Through trusted relationships and robust information sharing practices between government and business – during steady-state and incident response and recovery efforts – we’re able to ensure an open, two-way dialogue to provide comprehensive situational awareness information and the importance of resilience by discussing common vulnerabilities and recommended protective measures for infrastructure.
TCB: Director of National Intelligence James Clapper said the cyber-threat is more likely to consist of a large number of small attacks that impose increasing costs to the U.S., rather than a single catastrophic attack. Does this accurately reflect the threat to critical infrastructure, and if so, are there any differences in terms of how businesses should prepare for countering a single large attack versus a multitude of small ones?
CD: It is critical that we find ways to ensure we are addressing cyber threats. Cyber attacks are of big concern, not only because of the loss of personal information, but for the damage a cyber attack could have on physical infrastructure. As smarter technology is employed to enhance convenience and streamline costs, we face new vulnerabilities.
DHS offers numerous evaluation and assessment tools to assist companies in determining their site’s level of risk in this area. Similar to the Infrastructure Survey Tool that our Protective Security Advisors provide to help inform risk from a physical security point of view, the Department offers a host of cyber-focused tools and programs as well.
DHS’s Industrial Control Systems-Cyber Emergency Response Team (ICS-CERT) works directly with critical infrastructure owners and operators to investigate and address cyber vulnerabilities. ICS-CERT also assists critical infrastructure system owners in identifying customized malware activity, conducting forensics on unique hardware/software configurations, and in developing recovery plans that maximize system availability.
The Department’s United States-Computer Emergency Readiness Team (US-CERT) develops timely and actionable information alerts that are continuously distributed to federal departments and agencies, as well as to state and local governments, private sector organizations, and international partners.