Critical Infrastructure: Degrees of Protection

Efforts in infrastructure protection in Canada existed to different degrees before the Sept 11 tragedies, but this event brought to the forefront the need to better define critical infrastructure. At the time, the Canadian Explosives Research Laboratory (CERL) of Natural Resources Canada (NRCan) was particularly active in this field. It had been involved with supporting various law enforcement agencies, tagging of explosives, explosive transport and production accidents, bombings and other incidents involving explosives.
 

Once energy was identified as one of the critical infrastructure sectors, NRCan took the lead in assessing the energy sector at the federal level. That is, in conjunction with Homeland Security, NRCan performed risk assessments which “crossed” the US/ Canada borders, including off-shore facilities.

As a result of this, NRCan funded work from private and educational institutions. One of these was Carleton University where, at the time, Professors A. O. Abd El Halim (Civil and Environmental Engineering) and Martin Rudner (Norman Paterson School of International Affairs), were already active in their fields with respect to security. Together, they had established the MIPIS (Master of Infrastructure Protection and International Security) Program, of which Professor Abd El Halim is the Program Director, and Dane Rowlands is now the Associate Director. 

The idea behind the MIPIS Program was to bring together the know-how of the engineering community with the “intelligence” gathered by those in the field of international studies/affairs, both of which support policy making. Some of the topics covered in this program include terrorism and international security, explosives and blast mitigation, cyber security, transportation security, national security, and intelligence. The program has now been expanded to include all engineering departments and now students can graduate either with MIPIS degree or a Master of Engineering (M. Eng) in Infrastructure Protection and International Security (IPIS). 

A student accepted in the MIPIS Program will need to take core courses from both the Department of Civil and Environmental Engineering and the Norman Paterson School of International Affairs. Various courses within this Program deal with Critical Infrastructure and Interdependencies. Anyone in the field of security can appreciate that this is a necessity to ensure continuity, resilience, and recovery. As a result, methods of risk assessments and mitigation solutions are the backbone of studies and practices in infrastructure protection.

Having performed many blast assessments, it was often clear that although technical issues were ever present and solvable, the overriding “intelligence” factor that changed hourly/daily was not always readily available. In addition, unlike other countries where terrorist acts were common, Canada did not have many experts in this field (luckily, there was no urgent need) which resulted in government contracts going to foreigners. There was – and continues to be – a need for more professionals in this field. Recognizing this, many universities have embraced the notion of critical infrastructure protection, and have created a variety of robust programs to fill this sector’s requirements.

In general, governments have identified Critical Infrastructure according to what they perceive to be important sectors that maintain their country’s social stability and economy. When these sectors were first identified in Canada, the government suddenly felt the scrutiny and the need to respond to the public’s expectations. Obviously, many were not at all focused on the potential of terrorist attacks. In fact, in security meetings, one could tell that representatives of some of these sectors were totally shocked that such threats existed against them. As a result, the process of “indoctrination” took a long time, and continues today. After all, Canada is a peaceful country and the government cannot come down too hard on these sectors in fear of stifling the economy.

Coincidentally, service providers within certain sectors were well-ahead of the game since they already had meticulously or inadvertently gone through risk assessments in order to provide contractual obligations to their clients. In so doing, they had covered, to various degrees, some of the protection elements needed against potential terrorist attacks. These included physical as well as IT-related security measures. Missing from their new requirement to have terrorism as part of their risk assessment was “intelligence”. Although the government has been sharing intelligence with various entities and individuals, they had not been doing so with most of the critical infrastructure sectors. There just had not been the need! Now, however, daily intelligence updates would be required if critical infrastructure sectors were expected to perform terrorism-related risk assessments and be diligent at maintaining their protection level. In general, service providers in such sectors rarely needed security clearances to deliver their objectives but once counter-terrorism security requirements were “imposed” by governments, individuals had to be designated and obtain the required clearance so that they could receive daily intelligence. This ongoing process takes a lot of time as it is costly to the service providers.

Although these sectors are often listed in no particular order, their criticality is not equal, and changes with internal or external events. In addition, each sector will have its own components, and different criticalities. Their “critical” ratings may be influenced by the country’s internal events but can also be forced upon them by external events. In the end, their ratings and effort to control and protect the particular critical sector will all come down to what the country can afford. All mitigation efforts will percolate down to what money is available.

So when it comes to protecting any asset, someone will need to decide its respective criticality while keeping in mind how much money is available to achieve the desired protection level. Examples of this are GSA and PWC ratings of government facilities. Not all facilities need or must be protected/retrofitted to the same level. It would be too expensive. What must be considered are not just the immediate costs but the liability one is willing to carry forward, because not all threats can be mitigated. Usually, the larger the initial investment, the lower the level of liability is, and vice versa. Unfortunately, unlike the immediate costs, the cost of liability will be uncertain, as future events are not easily predictable. Therefore, a good tenet to uphold is the maintenance phase of any risk assessment. A regular review of a risk assessment will highlight its appropriateness for the time as per its initial design threat or its inappropriateness considering new events. 

People in the field of security are often faced with defining criticalities within the identified Critical Infrastructure sectors. These can include down time/recovery time; losses (clients, money, reputation); deaths/injuries; the economy; and others. Of course, such parameters all need to be considered but, as usual, what a citizen considers appalling (ie death of an individual) and unacceptable, may not be rated as high by the government that may be more concerned with the potential future loss of hundreds of lives. 

Imagine, for example, the bombing of two bridges. The first is a bridge over a main highway in Ottawa. The damage prevents its use for a period of three months. The locals are furious and demand action. They can still get to where they need to go because there are redundancies built into the transportation infrastructure but it takes them a lot longer.

Compare that with an attack to the new (yet to be built) Windsor/Detroit River crossing. A single day of closing would result in enormous costs (considering that about 40% of the Canada/USA goods trade occurs through this point). Who will feel the effect? Depending on the duration of the closure of the crossings, businesses may collapse and individuals may lose their livelihood.

These examples show how events can be highly relevant locally, nationally or internationally and yet entirely non-critical to individuals far removed. Of course, if in these examples there were deaths, the whole sphere of influence changes, as would the people, governments and other institutions that would come to consider the transportation infrastructure as critical and needing special attention.

This superficial look at two similar events (bombing of a bridge) hints at the difficulty in objectively rating critical infrastructure. There are stakeholders everywhere. 

___
Ettore Contestabile is an Adjunct Research Professor in the Department of Civil and Envi­ronmental Engineering at Carleton University.

© FrontLine Security 2015