Regulations that Affect Critical Infrastructure

As the CEO of ISI Security, one of the most difficult and time-consuming aspects of my job is keeping up with the laws and regulations affecting my company. This is compounded by the fact that it’s also the job of my company to keep up with the evolutionary changes in the laws and emerging security trends affecting our clients, a multifaceted task that includes reading and digesting the statute as written along with studying the legal implications and impacts.

We must keep up with the directives made by the executive branch of government. Many times lawmakers craft broad legislation that is actually worded in a very vague manner and then leave it up to the individual agencies to form the policies that put the written law into practice.

There also are instances when the executive branch acts unilaterally to plug holes in previously written legislation and policy. A recent example of this is the Aug. 1, 2013, issuance of Presidential Executive Order Number 13650—Improving Chemical Facility Safety and Security. Even though there is the established body of law concerning the safety of chemical facilities, the president felt it was necessary to issue a new set of policies. Oftentimes, these executive orders fill gaps in legislation that are of a time-sensitive nature and can’t safely wait for the legislative branch to act upon.

Following the terrorist attacks of Sept. 11, 2001, Congress passed the Homeland Security Act, creating the Department of Homeland Security (DHS). One of the first things congress tasked DHS with was securing the nation’s critical infrastructure. In response, DHS crafted NIPP, the umbrella term representing the 16 individual Sector-Specific Plans (SSP), each corresponding to its associated sector of protection.

Laws affecting the safety and security of six major industries are discussed, giving a more complete understanding of the laws and the effects these laws have on the industry.

Chemical industry. Failure of security at these locations can lead to a catastrophic loss of capital through damage or destruction of expensive facilities as well as the potential for mass casualties of site personnel and innocent citizens living in their vicinities.

The Chemical Facility Anti-Terrorism Security Act (CFATS) is managed by the Department of Homeland Security, and sets up a safety certification regime for high risk chemical production and storage facilities. In addition, the NIPP Chemical Sector-Specific Plan of 2010 also governs the security of chemicalrelated facilities, and for the most part, mirrors most of the regulatory schemes laid out in CFATS.

Other legislative schemes are mainly those involved with the transportation of chemical components or feed stocks to and from either processing facilities or their final destinations with their customers. Some of these legal structures are:

  • Maritime Transportation Security Act—DHS & Coast Guard;
  • HM-232—DOT Rules Affecting Over-the-Road Transportation;
  • Rail Transportation Security Final Rule—TSA; and
  • Updated Pipeline Security Guidelines—TSA. In light of the continuing terrorism threat and the ever-present threat of large scale industrial accidents, regulation in this area is expected to steadily increase.

Financial industry. As the proverbial backbone of our economy, repercussions from a serious terrorism incident to a major financial institution would be swift and sweeping. A serious attack on one key component could lead to a catastrophic cascade of system-wide failures that could ultimately bring the nation’s financial sector and economy to a standstill.

In response, DHS, in coordination with the Financial and Banking Information Infrastructure Committee (FBIIC) and the Financial Services Sector Coordinating Council (FSSCC), developed the Banking and Finance SSP. This policy was published in May of 2007 as part of the NIPP and details the identification, risk assessment, and plan development and implementation of the nation’s financial sector.

Medical industry. While it shares with other sectors that it is considered a soft target, medical facilities are unique because of their ubiquitous nature. Most large cities have several major hospitals that make protecting this sector quite difficult and costly.

There are multiple potentially dangerous elements kept in medical facilities including large quantities of drugs, biological agents, toxins, flammable gasses and radiological machinery that could be used to cause serious mayhem in the hands of terrorists.

In 2010, Department of Health and Human Services, in conjunction with the Healthcare and Public Health Coordinating Council, published the updated Healthcare and Public Health SSP. The major goals of this SSP are to identify assets, systems, and networks; assess risks; prioritize infrastructure; develop and implement protective programs and resilience strategies; and measure effectiveness.

Although these goals are somewhat interchangeable with other sectors, it is the size and scope of the related facilities that sets the financial sector apart. As the poster-child for soft target infrastructure and the emerging targeting of soft targets by terrorists, regulations involving security will naturally increase.

Distribution industry. It is not unusual for distribution facilities to have little to no visible security, with it being limited to fences and security guards at best. Because of this, the distribution industry could be considered the softest soft target. Of main concern is the food distribution sector.

Although it would be very difficult for terrorists to effectively adulterate a food product with a toxin, virus or dangerous bacteria, the results of a successful attack would be beyond catastrophic. The impact of public confidence would be of such a scope that it would likely lead to cascading effects throughout the economy.

These regulations are codified in the NIPP Food and Agriculture Site-Specific Plan of 2010, covering food defense and food safety. Food safety deals with keeping the food supply free from accidental contamination, while food defense refers to protection against intentional adulteration. A terrorist attack on the food supply would be virtually indistinguishable from an accidental contamination in its early stages, so from a security standpoint, preparation is the same.

While an attack on distribution is unlikely given the low probability of widespread effect, these facilities are extremely soft targets that would require much less planning, expertise and financial backing than an attack on a hardened location. Unlike some other sectors, it is unlikely that new legislation will be implemented in this sector at this time.

Detention and prison industry. Having the unique task of securing unauthorized outside entry while also securing those inside from getting out, there aren’t any well-known bodies of law mandating the types and levels of required security at prisons and detention facilities.

At the federal level, the main body of regulation is the National Institute for Corrections (NIC), which is tasked with creating, maintaining and updating accepted jail procedures for all federal detention facilities. At the state level, each state maintains its own procedures for its facilities.

Looking forward, there is no reason to think that there will be any significant adjustment to the accepted procedures in the detention industry, except, as the nation moves forward with the Global War on Terror (GWOT) and the potential closing of the terrorist detention facility at Guantanamo Bay, Cuba, there may be an increase in the number of high-value terrorist prisoners detained inside the continental United States. This would require an increased number of super-max facilities and an increase in security of the infrastructure from the outside and inside.

Laws and regulations governing security at critical infrastructure locations amass thousands of pages. Provided here is only a glimpse into the challenges facing our nation’s industries. As a whole, the body of laws and regulations will necessarily increase to keep up with known and emerging threats, while decision makers in each of these industries must rely on the wise counsel of others to keep abreast of these changes.

This article originally appeared in the April 2014 issue of Security Today.

Featured

  • Security Today Announces The Govies Government Security Award Winners for 2025

    Security Today is pleased to announce the 2025 winners in The Govies Government Security Awards. The awards honor outstanding government security products in a variety of categories. Read Now

  • Survey: 60 Percent of Organizations Using AI in IT Infrastructure

    Netwrix, a cybersecurity provider focused on data and identity threats, today announced the release of its annual global 2025 Cybersecurity Trends Report based on a global survey of 2,150 IT and security professionals from 121 countries. It reveals that 60% of organizations are already using artificial intelligence (AI) in their IT infrastructure and 30% are considering implementing AI. Read Now

  • New Research Reveals Global Video Surveillance Industry Perspectives on AI

    Axis Communications, the global industry leader in video surveillance, has released its latest research report, ‘The State of AI in Video Surveillance,’ which explores global industry perspectives on the use of AI in the security industry and beyond. The report reveals current attitudes on AI technologies thanks to in-depth interviews with AI experts from Axis’ global network and a comprehensive survey of more than 5,800 respondents, including distributors, channel partners, and end customers across 68 countries. The resulting insights cover AI integration and the opportunities and challenges that exist with regard to security, safety, business intelligence, and operational efficiency. Read Now

  • SIA Urges Tariff Relief for Security Industry Products

    Today, the Security Industry Association has sent a letter to U.S. Trade Representative Jamieson Greer and U.S. Secretary of Commerce Howard Lutnick requesting relief from tariffs for security industry products and asking that the Trump administration formulate a process that allows companies to apply for product-specific exemptions. The security industry is an important segment of the U.S. economy, contributing over $430 billion in total economic impact and supporting over 2.1 million jobs. Read Now

  • Report Shows Cybercriminals Continue Pivot to Stealthier Tactics

    IBM recently released the 2025 X-Force Threat Intelligence Index highlighting that cybercriminals continued to pivot to stealthier tactics, with lower-profile credential theft spiking, while ransomware attacks on enterprises declined. IBM X-Force observed an 84% increase in emails delivering infostealers in 2024 compared to the prior year, a method threat actors relied heavily on to scale identity attacks. Read Now

New Products

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.