One of the most difficult challenges that the Department of Homeland Security has faced in the past three years has been its efforts to identify, prioritize, and protect critical infrastructure consistent with a risk-based methodology. The recent ruckuses over homeland security grant allocations and asset databases that contain popcorn shops and petting zoos are symptoms of this broader challenge.
One cause of this difficulty is the lack of a common set of models, frameworks, and terminologies for understanding critical infrastructure threats and vulnerabilities. There have been dozens of efforts to develop risk models for different types of infrastructure in the past few years, but too often these have seemed haphazardly designed or only applicable to a narrow segment of infrastructure.
Ted Lewis’s new book, “Critical Infrastructure Protection and Homeland Security: Defending a Networked Nation,” is an important step in remedying this intellectual gap. The book attempts to develop a systematic, structured approach for analyzing critical infrastructure, one that acknowledges the complexity of many of the nation’s key systems but identifies commonalities and linkages among the different national infrastructures. As Lewis, a professor at the Naval Postgraduate School, writes in the introduction:
The question addressed by this book is, “what should be protected, and how?” This question is nontrivial because of the enormous size and complexity of infrastructure in the United States. The solution is made even more challenging by the entangled regulatory and system interdependencies of the various infrastructure sectors. The answer is to allocate the nation’s scarce resources to the most critical components of each infrastructure—the so-called critical nodes. In short, the best way to protect infrastructure is to identify and protect (harden) the critical nodes of each sector. But what parts of these vast structures are “critical?” This question is key. I claim that the optimal policy for critical infrastructure protection is to identify and protect a handful of critical assets throughout the United States. For example, perhaps less than 100 essential servers maintain the World Wide Web. There are perhaps fewer than a dozen critical nodes in the nation’s energy supply chain, and maybe as few as 1000 key links in the major power grids that all other sectors depend on so heavily.
The first three chapters of the book provide strategic context and historical background. Chapters 4-6 develop a fully formed theory of critical infrastructure protection, one that plots out system nodes and links and conducts risk assessment based on network theory and fault tree analysis. This method, which Lewis refers to as “Model-Based Vulnerability Analysis,” is the type of dynamic analytical framework that needs to inform homeland security grant allocation decisions, which today (at least from external impressions) seem to be based on a static picture of the nation’s infrastructure that undervalues the importance of hubs and linkages.
The chapters that follow take a deeper look at key infrastructure sectors, such as water, power, energy, telecommunications, and Internet, adjusting the model for the unique characteristics of each sector.
The book is written as a student textbook, but it should be equally valuable for current practitioners. You can read the preface and first chapter here, as well as order it. For those whose jobs involve making decisions about critical infrastructure, or who have a general interest in the topic, this book is a very worthwhile investment.