Regulations that Affect Critical Infrastructure -- Security Today

Regulations that Affect Critical Infrastructure

By Ray Gilley
Apr 01, 2014

As the CEO of ISI Security, one of the most difficult and time-consuming aspects of my job is keeping up with the laws and regulations affecting my company. This is compounded by the fact that it’s also the job of my company to keep up with the evolutionary changes in the laws and emerging security trends affecting our clients, a multifaceted task that includes reading and digesting the statute as written along with studying the legal implications and impacts.

We must keep up with the directives made by the executive branch of government. Many times lawmakers craft broad legislation that is actually worded in a very vague manner and then leave it up to the individual agencies to form the policies that put the written law into practice.

There also are instances when the executive branch acts unilaterally to plug holes in previously written legislation and policy. A recent example of this is the Aug. 1, 2013, issuance of Presidential Executive Order Number 13650—Improving Chemical Facility Safety and Security. Even though there is the established body of law concerning the safety of chemical facilities, the president felt it was necessary to issue a new set of policies. Oftentimes, these executive orders fill gaps in legislation that are of a time-sensitive nature and can’t safely wait for the legislative branch to act upon.

Following the terrorist attacks of Sept. 11, 2001, Congress passed the Homeland Security Act, creating the Department of Homeland Security (DHS). One of the first things congress tasked DHS with was securing the nation’s critical infrastructure. In response, DHS crafted NIPP, the umbrella term representing the 16 individual Sector-Specific Plans (SSP), each corresponding to its associated sector of protection.

Laws affecting the safety and security of six major industries are discussed, giving a more complete understanding of the laws and the effects these laws have on the industry.

Chemical industry. Failure of security at these locations can lead to a catastrophic loss of capital through damage or destruction of expensive facilities as well as the potential for mass casualties of site personnel and innocent citizens living in their vicinities.

The Chemical Facility Anti-Terrorism Security Act (CFATS) is managed by the Department of Homeland Security, and sets up a safety certification regime for high risk chemical production and storage facilities. In addition, the NIPP Chemical Sector-Specific Plan of 2010 also governs the security of chemicalrelated facilities, and for the most part, mirrors most of the regulatory schemes laid out in CFATS.

Other legislative schemes are mainly those involved with the transportation of chemical components or feed stocks to and from either processing facilities or their final destinations with their customers. Some of these legal structures are:

Maritime Transportation Security Act—DHS & Coast Guard;
HM-232—DOT Rules Affecting Over-the-Road Transportation;
Rail Transportation Security Final Rule—TSA; and
Updated Pipeline Security Guidelines—TSA. In light of the continuing terrorism threat and the ever-present threat of large scale industrial accidents, regulation in this area is expected to steadily increase.

Financial industry. As the proverbial backbone of our economy, repercussions from a serious terrorism incident to a major financial institution would be swift and sweeping. A serious attack on one key component could lead to a catastrophic cascade of system-wide failures that could ultimately bring the nation’s financial sector and economy to a standstill.

In response, DHS, in coordination with the Financial and Banking Information Infrastructure Committee (FBIIC) and the Financial Services Sector Coordinating Council (FSSCC), developed the Banking and Finance SSP. This policy was published in May of 2007 as part of the NIPP and details the identification, risk assessment, and plan development and implementation of the nation’s financial sector.

Medical industry. While it shares with other sectors that it is considered a soft target, medical facilities are unique because of their ubiquitous nature. Most large cities have several major hospitals that make protecting this sector quite difficult and costly.

There are multiple potentially dangerous elements kept in medical facilities including large quantities of drugs, biological agents, toxins, flammable gasses and radiological machinery that could be used to cause serious mayhem in the hands of terrorists.

In 2010, Department of Health and Human Services, in conjunction with the Healthcare and Public Health Coordinating Council, published the updated Healthcare and Public Health SSP. The major goals of this SSP are to identify assets, systems, and networks; assess risks; prioritize infrastructure; develop and implement protective programs and resilience strategies; and measure effectiveness.

Although these goals are somewhat interchangeable with other sectors, it is the size and scope of the related facilities that sets the financial sector apart. As the poster-child for soft target infrastructure and the emerging targeting of soft targets by terrorists, regulations involving security will naturally increase.

Distribution industry. It is not unusual for distribution facilities to have little to no visible security, with it being limited to fences and security guards at best. Because of this, the distribution industry could be considered the softest soft target. Of main concern is the food distribution sector.

Although it would be very difficult for terrorists to effectively adulterate a food product with a toxin, virus or dangerous bacteria, the results of a successful attack would be beyond catastrophic. The impact of public confidence would be of such a scope that it would likely lead to cascading effects throughout the economy.

These regulations are codified in the NIPP Food and Agriculture Site-Specific Plan of 2010, covering food defense and food safety. Food safety deals with keeping the food supply free from accidental contamination, while food defense refers to protection against intentional adulteration. A terrorist attack on the food supply would be virtually indistinguishable from an accidental contamination in its early stages, so from a security standpoint, preparation is the same.

While an attack on distribution is unlikely given the low probability of widespread effect, these facilities are extremely soft targets that would require much less planning, expertise and financial backing than an attack on a hardened location. Unlike some other sectors, it is unlikely that new legislation will be implemented in this sector at this time.

Detention and prison industry. Having the unique task of securing unauthorized outside entry while also securing those inside from getting out, there aren’t any well-known bodies of law mandating the types and levels of required security at prisons and detention facilities.

At the federal level, the main body of regulation is the National Institute for Corrections (NIC), which is tasked with creating, maintaining and updating accepted jail procedures for all federal detention facilities. At the state level, each state maintains its own procedures for its facilities.

Looking forward, there is no reason to think that there will be any significant adjustment to the accepted procedures in the detention industry, except, as the nation moves forward with the Global War on Terror (GWOT) and the potential closing of the terrorist detention facility at Guantanamo Bay, Cuba, there may be an increase in the number of high-value terrorist prisoners detained inside the continental United States. This would require an increased number of super-max facilities and an increase in security of the infrastructure from the outside and inside.

Laws and regulations governing security at critical infrastructure locations amass thousands of pages. Provided here is only a glimpse into the challenges facing our nation’s industries. As a whole, the body of laws and regulations will necessarily increase to keep up with known and emerging threats, while decision makers in each of these industries must rely on the wise counsel of others to keep abreast of these changes.

This article originally appeared in the April 2014 issue of Security Today.

Featured

Survey: Nearly Half of Employees Hide Workplace AI Use

Laserfiche, a SaaS provider of intelligent content management and business process automation, recently released new survey findings on AI adoption in the workplace, revealing that nearly half of Americans (49%) who use AI at work keep it to themselves, with 15% deliberately avoiding telling their manager. Read Now
- Artificial Intelligence
- Cybersecurity
46% of Enterprise Passwords Are Vulnerable to Cracking

Picus Security recently released The Blue Report™ 2025, based on more than 160 million real-world attack simulations. Now in its third year, the report provides a data-driven assessment of how well security controls perform against today’s threats — and this year’s findings are the most concerning to date. Read Now
- Cybersecurity
Community-Led Video Security Network Transforms Pennsylvania City Public Safety

A community-supported video security initiative has transformed public safety in Lancaster, Pennsylvania. The citizen-led collaboration demonstrates how open platform video technology can help revitalize struggling urban areas. Read Now
- Government
Browser-Based AI Agents: The Silent Security Threat Unfolding

Some of the most revolutionary advances in artificial intelligence include browser-based AI agents, which are self-sustaining software tools integrated into web browsers that act on behalf of individuals. Read Now
- Cybersecurity
Report: Cybercriminals Abandon Tech Tricks for Personalized Email Deception Tactics

VIPRE Security Group, a cybersecurity, privacy, and data protection company, has released its email threat landscape report for Q2 2025. Through an examination of worldwide real-world data, this report sounds the alarm on the most significant email security trends observed in the second quarter of 2025, enabling organizations to develop effective email security defenses for the remainder of the year. Read Now
- Cybersecurity

Security Today eNews

Sign up today for essential industry news and product information that can help you stay afloat in the fast-paced world of security.

Email Address*Country*

Please type the letters/numbers you see above.

Survey: Walking Alone at Night is the Greatest Safety Fear of Women Nationwide

Survey: Nearly Half of Employees Hide Workplace AI Use

PureTech Systems, Clear Align Partner to Deliver Advanced Autonomous Security, Command-and-Control for U.S. Air Force Tactical Security System

Securitas and AlertMedia Offer Emergency Response Solutions

46% of Enterprise Passwords Are Vulnerable to Cracking

Webinars

Whitepapers

New Products

4K Video Decoder

3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises.
AC Nio

Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.
HD2055 Modular Barricade

Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation.