Lets Get Critical

Threat and vulnerability assessments are the foundations of critical infrastructure protection

• By Col. Timothy D. Ringgold
• Aug 02, 2007

IN the spring of 1942, a small team of British and American engineers and scientists were asked to assess the critical nodes in the German industrial complex. The purpose of this process was to develop target lists for the strategic bombing campaign and to find the critical links. This study, known as the critical infrastructure assessment, concluded that ball bearing factories and petroleum refineries should be at the top of the targeting list.

It was obvious that anti-friction bearings play a vital role in any industrial economy, but 1940s-era German machinery was believed to be more dependent on ball bearings than most. It's estimated that the German aviation industry consumed an average of 2.4 million bearings per month. For instance, a Junkers Ju88 bomber airframe alone, exclusive of its engines, required 1,056 ball bearings while a single 200-centimeter searchlight required 90. Therefore, it was important to attack the factories in Germany that produced these bearings. With a severe cut in the availability of these important components, the British and Americans hoped to significantly cripple the ability of the German war machine to produce aircraft, tanks and other necessary machinery.

Since bearing construction was concentrated to just a few plants, with Schweinfurt accounting for more than 40 percent of production, it made the ball bearing industry in general—and Schweinfurt in particular—an obvious target. Schweinfurt's small size made it even more attractive; it was what made it easy for bombardiers to locate and hit the bearing plants.

During the researchers' briefing to senior government officials, someone, almost in jest, asked if the Germans or Japanese might be conducting the same study on the United States. What began as a flippant remark turned into a second study. This time, the team assessed American vulnerabilities. Its conclusions were shocking and certainly not intuitively obvious.

Today, the United States possesses both the world's strongest, most capable military force and the world's largest national economy. Those seeking to oppose our interest face formidable odds on traditional battlefields—where our technology and reach cannot be directly challenged. However, U.S. military predominance also is the catalyst for enemies seeking an asymmetrical advantage over American interests. Those seeking such an advantage may use unconventional approaches, like improvised explosive devices, to circumvent or undermine our strengths while exploiting our vulnerabilities, placing those things that we take for granted at risk.

The aftermath of the Sept. 11, 2001, attacks on the Pentagon and the World Trade Center illustrates the high vulnerability of America's infrastructure to terrorist attacks and the massive consequences of not protecting it. These vulnerabilities include potential for attacks against physical structures, cyber structures or the American people.

Individuals, private agencies and governments conduct risk assessments routinely. Along the same lines, protecting critical infrastructure requires a process by which thousands of sites can be prioritized for increased protection. To accomplish this task, threat and risk assessments are widely recognized as valid decision support tools used to establish and prioritize security program requirements. A threat analysis, the first step in determining risk, identifies and evaluates each threat on the basis of various factors, like capability and intent to attack an asset, the likelihood of a successful attack and lethality.

Risk management is the deliberate process of understanding "risk"—the likelihood that a threat will harm an asset with some severity of consequences—and deciding on and implementing actions to reduce it. Risk management principles acknowledge that:
• While risk generally cannot be eliminated, it can be reduced by enhancing protection from validated and credible threats.
• Although many threats are possible, some are more likely to occur than others.
• All assets are not equally critical.

Generally, risk assessment is a deliberate, analytical process to identify the threats that can exploit vulnerabilities in an organization's specific assets. These variables are ranked according to predetermined criteria like the probability of a threat targeting a specific asset or the impact of a vulnerability being exploited by a specific threat. The risk assessment results in a prioritized list of risks (i.e., threat-asset-vulnerability combinations) that can be used to in selecting safeguards to reduce vulnerabilities and create a certain level of protection. What distinguishes risk assessment from critical infrastructure protection is the scope of the endeavor and the consequences of being wrong, not the process itself.

This process applies to both physical and to cyber assets, but current procedures may hamper effective private responses to terrorism. For example, company information systems are designed to reduce the risk of terrorism. Design security is a passive form of defense. An active defense seeks the source of an infrastructure breach to counter-attack and limit the attacker's ability to do harm. However, this active process is the responsibility of government and is not a legitimate option for firms in the private sector. Owners and operators of critical infrastructures lack sufficient threat and vulnerability information to make informed risk management decisions. They must rely on government to provide the threat assessment necessary for informed decision making. Therefore, without increased public-private cooperation in the area of critical infrastructure protection, both the ability to defend critical nodes and the ability to restore functioning of those nodes in the event of a crisis will be severely undermined.

Most Americans recognize that protecting critical infrastructures from acts of terrorism is a responsibility that does not rest with any one level of government or even solely with government. Critical infrastructure protection is a national problem and responsibility, not just a federal one. Any solution that does not heavily involve state and local governments and private sector owner/operators is doomed to failure. Since much of what is considered critical infrastructure is owned and operated by the private sector, information sharing between government and the private sector, and between private firms, is essential.

Information sharing also raises a number of problems. The private sector primarily wants information from government on potential threats. Government, at the same time, may want to limit information dissemination so it does not compromise intelligence sources or investigations. In fact, most government threat assessments are classified. For its part, the government wants specific information on intrusions that companies may hold as proprietary or may want to protect to prevent adverse publicity. Success will depend on the ability of each side to demonstrate it can hold in confidence the information exchanged.