Engineering Mechanics Institute Conference 2013


“It Takes a Community” - An interdisciplinary educational approach to facility resilience


Wayne Boone
Carleton University
Canada

Abstract:
Threats to, and vulnerabilities of, critical infrastructures can be characterized as either technical or non-technical. Asset Protection and Security (AP&S) practitioners subscribe to the 80/20 Rule in the development of critical infrastructure protection (CIP) programs. Suicide bombings, natural disasters, espionage, or accidents are non-technical examples which may comprise 80% of all threats, with the more technical threats representing 20%, including cyber-attacks, precision guided weapons, or disruption of environmental systems. Vulnerabilities are similarly distributed, with the 80% non-technical, including such gaps as lack of situational awareness, incomplete intelligence on likely threats, incomplete information-sharing, lack of AP&S policy suite, or lack of oversight of policy compliance. The 20% technical vulnerabilities could include gaps such as incomplete facility hardening, lack of current IT system patches, unapproved electronic access control systems, lack of standoff distance, insufficient window hardening, etc.
Similarly, 80% of safeguards against those threats and vulnerabilities may be considered non-technical. Examples include visual surveillance, privilege restrictions, separation of duties, supervision and oversight by supervisors and AP&S specialists, investigations, incident management or personnel screening. Complementary technical safeguards representing the remaining 20% of an integrated protection posture could include facility hardening, electronic surveillance, electronic information redundancy [disaster recovery planning] or Security Testing and Evaluation (ST&E). Hybrid safeguards (both technical and non-technical) could include Crime Prevention through Environmental Design (CPTED) measures.
Application of the 80/20 Rule requires complementary and collaborative AP&S skillsets to implement appropriate and integrated safeguards to establish and maintain an effective protection posture within such a complex spectrum of threats, vulnerabilities and risks. The AP&S “community” must understand both the technical and non-technical components of facility risk, using a common vocabulary and doctrine, so as not to work at cross-purposes and possibly introduce new vulnerabilities. This paper argues that both efficiency and effectiveness in CIP can be achieved only when all AP&S specialties fall under a unified functional governance structure and when all understand what each specialized member (engineer, risk analyst, policy analyst) brings to the table. This integration of effort will facilitate information-sharing, foster more complete analysis and assessment of risks, provide a singular voice to senior management upon which informed decisions can be taken, and facilitate continual risk assessment. Interdisciplinary education programs such as Carleton University’s Master in Infrastructure Protection and International Security (IPIS) afford engineers, risk analysts and policy analysts opportunities to study and work together toward a common, aligned and effective protection posture for our Critical Infrastructures.

 
