Since its inception in 2000, a primary component of the Department of the Navy Critical Infrastructure Protection (DON CIP) Program has been identifying vulnerabilities associated with DON critical assets that, if exploited, could jeopardize mission execution. The following article describes the current vulnerability assessment strategy being implemented by the DON CIO in his role as the DON Critical Infrastructure Assurance Officer (CIAO).
Enabling warfighter mission assurance has become an increasingly complex goal, with threats to our troops and facilities becoming more asymmetric, insidious — and ever-present.
As Department of Defense (DoD) guidance on critical infrastructure protection (CIP) has evolved to address the current environment, the DON CIP team's efforts in support of DoD have also evolved. In one key DON CIP area, vulnerability assessment, the DON CIP team now supports the Chief of Naval Operations Integrated Vulnerability Assessments (CNO IVAs) by conducting the relatively new "Defense Critical Infrastructure Program (DCIP) Assessment" as part of a CNO IVA.
In this role, the team assists CNO IVA teams in identifying any weaknesses in infrastructures and interdependencies that could potentially affect an installation's ability to complete its mission essential tasks.
Background
Recognizing the role that supporting foundational infrastructure plays in an installation's ability to perform its mission essential tasks, the DCIP community sought to develop a consistent, "best practices" approach to assessing such infrastructure.
As a result of those efforts, in early 2006, the Assistant Secretary of Defense for Homeland Defense and America's Security Affairs (ASD (HD&ASA)) issued a comprehensive set of DCIP benchmarks and standards for use with existing IVA protocols.
DCIP benchmark areas include: energy (electric power, natural gas and petroleum); transportation (roads, rail, aviation, seaports and waterways); water systems (potable, industrial and firefighting); chemical storage and use; heating, ventilation and air conditioning (HVAC); communications; and wastewater.
The CNO IVA-DCIP Assessment focuses on DoD-owned, leased and managed assets but also examines commercial providers outside installation fence lines.
The DON CIP team's past experience in evaluating commercial dependency issues during Naval Integrated Vulnerability Assessments (NIVAs) prompted the Naval Criminal Investigative Service (NCIS) to request CIP team assistance for three CNO IVA-DCIP Assessments during the summer and fall of 2006. Those trial sites were: Naval Air Station (NAS) Oceana in Virginia Beach, Va.; NAS Whidbey Island, Wash., and NAS Sigonella, Italy.
The success of those trials led to a request for similar support for six CNO IVA-DCIP Assessments in fiscal year 2007. Sites selected for these efforts are: Naval Station Guantanamo Bay, Cuba; Naval Surface Warfare Center Dahlgren, Va.; Naval Station Great Lakes, Ill.; Construction Battalion Center Gulfport, Miss.; Naval Weapons Station Earl, N.J.; and Naval Base Ventura County, Calif.
In performing these assessments, the objective of the DON CIP team has been to determine whether vulnerabilities exist within supporting infrastructure networks, and if they do exist, whether their compromise would jeopardize mission execution.
Approach
The DON CIP Team's NIVA approach included three primary phases: pre-assessment research; on-site evaluation and collaboration; and post-assessment analysis/reporting.
This approach, which is complementary to current DCIP methodology, has evolved such that it now also incorporates specific guidance from the DCIP Training Program, implemented by the ASD (HD&ASA) in accordance with DoD Directive (DoDD) 3020.40.
How does the DON CIP Team add value to the CNO IVA? The team’s approach includes the following activities, categorized by phase.
Pre-Site Visit Research
In addition to coordinating activities with the NCIS Security Training Assistance Assessment Team (STAAT) leader, CIP team pre-assessment actions include:
• Reviewing prior Joint Staff IVA, CNO IVA and other similar reports;
• Soliciting critical CIP-related planning documents, drawings, schematics, etc.;
• Reviewing the installation’s assets on the Navy Critical Asset List (CAL);
• Developing a Mission Decomposition Review template of the installation’s mission, mission essential tasks and critical assets, which provides a tool that links these items to supporting infrastructure networks; and
• Contacting key installation personnel (public works, security, emergency management, commanding officer (CO) and senior staff) and commercial service providers to set up interviews.
On-Site Evaluation
The team tailors the assessment to the installation’s mission essential tasks, local geography and key utility services. Once on-site, following a “windshield tour,” primary activities include:
• Using DCIP benchmarks as guidance during visual inspections of critical areas and for conducting interviews with key installation participants and commercial service representatives;
• Reviewing Installation Critical Assets with the CO and updating the list as appropriate;
• Validating/updating Mission Decomposition Template with the CO and senior staff;
• Photographing critical assets and plotting with GPS;
• Supporting Consequence Management Planning assessment actions;
• Collaborating with the NCIS team each evening at a “hot wash” of the day’s findings;
• Participating in final out-brief of findings to the CO and senior staff; and
• Providing information on another DON CIP initiative: the “Command Remediation Visit” and its Analysis, Strategy and Action Plan (ASAP) Course. (See CHIPS January-March 2007 at http://www.chips.navy.mil/archives/07_jan/web_pages/CIP.html for more information.)
Post-Assessment Analysis/Reporting
Once the assessment is complete, post-assessment activities include:
• Providing the DCIP assessment report to NCIS for incorporation into a final report;
• Recommending updates to the Navy CAL based on findings;
• Updating photo files and latitude and longitude data of the installation’s critical assets; and
• Collaborating on a specific plan of action based on the assessment’s findings, if the command is interested in remediation assistance.
A Value-Added Evolution
The CIP team’s collaboration with NCIS directly supports the DCIP objective of ensuring consistent, thorough assessments of supporting infrastructure networks in a manner complementary to other DoD programs and efforts, such as: force protection; antiterrorism; information assurance; continuity of operations; Chemical, Biological, Radiological, Nuclear, and High Yield Explosive (CBRNE); readiness; and installation preparedness.
This evolution of DON CIP vulnerability assessment support not only utilizes skills gained from years of NIVA experience, it also enables the completion of a greater number of DCIP assessments on critical DON entities and assets, enhancing CIP posture throughout the DON and contributing to the DoD’s efforts for warfighter mission assurance.
For more information go to the DON CIO Web site http://www.doncio.navy.mil/, and click on the Projects Teams tab for the Critical Infrastructure Protection link.