1 / 19

Enhanced Critical Infrastructure Protection ECIP Facility ...

MikeCarlo
Download Presentation

Enhanced Critical Infrastructure Protection ECIP Facility ...

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

    1. Enhanced Critical Infrastructure Protection (ECIP) Facility Dashboard

    2. The weakest point is selected on the assumption that a wrong-doer would select the weakest entrance or access point or closest distance from a critical asset to carry out an attack. Therefore, the IST survey results show the most conservative calculation of the facility’s existing protective measures. The relative importance assigned to each attribute (e.g., concrete vs. chain link fence construction) was derived from a group of subject matter experts, including PSAs and others trained in security and vulnerability methodologies from different critical infrastructure sectors. The relative importance values were validated using a group of subject matter experts from APEX, an association made up of security directors from top Fortune 500 companies. The weakest point is selected on the assumption that a wrong-doer would select the weakest entrance or access point or closest distance from a critical asset to carry out an attack. Therefore, the IST survey results show the most conservative calculation of the facility’s existing protective measures. The relative importance assigned to each attribute (e.g., concrete vs. chain link fence construction) was derived from a group of subject matter experts, including PSAs and others trained in security and vulnerability methodologies from different critical infrastructure sectors. The relative importance values were validated using a group of subject matter experts from APEX, an association made up of security directors from top Fortune 500 companies.

    3. Protective Measures Index (PMI) - Review Based on Six “Level 1 Components” Physical Security Security Management Security Force Information Sharing Protective Measures Assessment Dependencies

    4. The numbers in parentheses show the number of questions for each Level 1 or Level 2 component. The total number of selections across all question is much greater (about 1500). The numbers in parentheses show the number of questions for each Level 1 or Level 2 component. The total number of selections across all question is much greater (about 1500).

    5. Fences Gates Closed circuit television (CCTV) Intrusion detection systems (IDS) Parking Access control Security lighting Vehicle access control Building envelope

    7. Level 3 Components Affect Vulnerability (Fences Example) As shown by this slide, the ECIP PMI methodology is based on mathematics and decision analysis. The equation is one of many used to calculate the PMI for each level of the IST components. Additional information on this math is available in a special paper that describes the methodology, which is available from any PSA. As shown by this slide, the ECIP PMI methodology is based on mathematics and decision analysis. The equation is one of many used to calculate the PMI for each level of the IST components. Additional information on this math is available in a special paper that describes the methodology, which is available from any PSA.

    8. 8 This slide shows the different components used to make up a fence PMI calculation. It shows the relative importance assigned to each type of Level 3 selection and the worst and best levels achievable for each. Each Level 2 component has a similar set of sections and relative weights that comprise the final roll-up calculation into the Level 2 PMI. This slide shows the different components used to make up a fence PMI calculation. It shows the relative importance assigned to each type of Level 3 selection and the worst and best levels achievable for each. Each Level 2 component has a similar set of sections and relative weights that comprise the final roll-up calculation into the Level 2 PMI.

    10. Comparing Facility and Subsector Generally a facility PMI will be compared to the DHS critical infrastructure/key resource subsector that contains facilities that most resemble the facility’s function and make-up (e.g., electric power). Occasionally, there will be an insufficient number of facilities in the subsector and the comparison will be against the average for the larger group of facilities in the entire sector (e.g., energy). Alternatively, there may be times when there are a sufficient number of facilities in a segment and the comparison will be against the average for a narrower group of facilities that are very similar to the facility (e.g., electric transmission substations). Generally a facility PMI will be compared to the DHS critical infrastructure/key resource subsector that contains facilities that most resemble the facility’s function and make-up (e.g., electric power). Occasionally, there will be an insufficient number of facilities in the subsector and the comparison will be against the average for the larger group of facilities in the entire sector (e.g., energy). Alternatively, there may be times when there are a sufficient number of facilities in a segment and the comparison will be against the average for a narrower group of facilities that are very similar to the facility (e.g., electric transmission substations).

    11. Dashboard – Overall Tab “Overall” tab shows the overall facility PMI and the PMIs for each major component (Level 1) of the facility PMI (blue bar) and the low, average, and high PMI for the subsector (dots). Touch on the bar or dots to see the exact PMI figures.

    12. Dashboard – Component Screens

    13. Dashboard Buttonology The IST Level 1 Components are shown as tabs across the top. Touching a tab opens to the PMIs for each of the Level 2 and 3 Components within that section. The dark blue bar is the PMI for the answer in the IST (Facility: Existing) The light blue bar (Facility: Scenario) moves to reflect changes to the PMI based on manipulation of the buttons to reflect different scenarios. The subsector average PMI is shown in grey. A dial to the left indicates the existing PMI for that Level 2 section (e.g. CCTV); it moves to show the scenario PMI when changes have been made to the Level 3 answers. The bars above the dial show the Overall Facility PMI and Level 1 PMI (e.g., Physical Security) - black is existing and does not move, and blue moves to show the changes from the scenario selected.

    14. Dashboard Buttonology (cont’d) For Yes/No questions, the dark blue bar will not be visible if the answer input is “No.” If the answer input is “Yes,” the bar will extend all the way to the right.

    15. Dashboard Buttonology (cont’d)

    16. Dashboard Interpretation The Dashboard is a way to display facility-specific information obtained through the ECIP Shows the PMI calculations for each component of the IST PMI has a constructive sense in that it increases (gets better) as protective measures are added The Dashboard shows the difference between the individual facility’s specific PMI and the average PMI for other like facilities (usually the critical infrastructure subsector) The product should not give the impression that the subsector average PMIs are indicative of desired or adequate performance

    17. Dashboard Interpretation (cont’d) The Dashboard draws attention to components that are well below or well above the subsector average and may deserve additional study. There may be very good reasons why a facility has a component PMI that is below subsector average. Example: An urban facility where parking is allowed on the street would result in a low standoff number; no additional facility action may be possible May just note the vulnerability and consider other protective measures enhancements (e.g., additional CCTV along the facility street-side to identify suspicious vehicles) Each facility is different and will mitigate vulnerabilities and implement protective measures based on an individualized assessment of risks taking into consideration threat, assets to be protected, and facility characteristics.

    18. Dashboard is a Tool The Dashboard is simply a tool, and the PMI is simply a reflection of existing protective measures at the facility, not a definitive determination of facility vulnerability. DHS is not advocating that any particular protective measures be installed/utilized at a facility based solely on the relative impact to the facility’s PMI reflected in the scenario element of the Dashboard. It is recognized that not all protective measures are appropriate at every facility. Therefore, simply raising the PMI for a section in the Dashboard is not necessarily directly correlated to a reduction in vulnerability for a particular facility unless it is an appropriate measure that is properly integrated with the facility’s current security posture and effectively implemented.

    19. Questions and Comments Questions concerning navigation or use of the Dashboard, as well as suggestions for improvements or corrections concerning existing protective measures data should be directed to the PSA. Corrections to existing data can be made by the PSA. These corrections can be incorporated into a revised Dashboard. Questions concerning navigation or use of the Dashboard, as well as suggestions for improvements or corrections concerning existing protective measures data should be directed to the PSA. Corrections to existing data can be made by the PSA. These corrections can be incorporated into a revised Dashboard.

More Related