Homeland Security Presidential Directive Seven (HSPD-7, issued in December 2003), established the national requirement to protect critical infrastructure. By definition, Critical Infrastructure consists of “People, assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacity or destruction will have a debilitating impact on security, the nation’s economy, public health or safety, or a combination of those matters.”
Also by definition, Critical Infrastructure Protection, or CIP, consists of “the proactive activities [needed] to protect the indispensable people, physical assets, and communications/cyber systems from any degradation or destruction caused by all hazards.” In February 2003 – prior to the issuance of HSPD-7, it should be noted – HSPD-5 was published. Its purpose: “To enhance the ability of the United States to manage domestic incidents by establishing a single comprehensive national incident management system [NIMS].”
Although there is a direct relationship between NIMS, established by HSPD-5, and CIP, established by HSPD-7, the potential synergistic benefits of combining NIMS and CIP are sometimes overlooked. In some instances, integration of the NIMS principles – particularly as they relate to the basic elements of the Incident Command System (ICS) – with CIP is not fully recognized. Indeed, the principal NIMS components do contribute to the effectiveness of critical infrastructure protection, but the ways in which the NIMS/CIP relationship can be fostered are sometimes not recognized and/or fully understood.
For example, the Incident Command System has historically been considered to be an operational tool for use during emergency situations. As such, it sometimes is overlooked that many of the processes and systems employed in an ICS capacity are equally applicable even when there is no immediate emergency. However, those processes and systems are, in fact, fundamental steps useful for management in any context. For the reader who recalls lessons in ICS-300 in which the so-called “Planning P” is emphasized, the student is provided a planning model that captures all of the steps in an orderly planning process. That same model can readily be adapted for use in a CIP setting.
A Context of Fundamental Importance
A primary purpose of ICS, as outlined in the “Command and Management” component of NIMS, is to ensure the effective and efficient use of resources – which, it is not always recognized, is not solely a function of designating certain resources for specific purposes and establishing a clear chain of command. It is that, of course. But it also is a system encompassing processes designed both to: (a) identify resource shortcomings; and (b) provide a means to amend and/or alter incident objectives when the specific resources needed are not readily available.
In that context, a fundamental ICS process can be applied to CIP operations. The basic steps in what is called the P-O-S-T process can be incorporated, for example, in the CIP Process Methodology and used to assist in determining the direction of certain clearly defined CIP initiatives. For those not familiar with the P-O-S-T process – which identifies the essential requirements needed to establish an organization and framework for the incident-command structure – it includes four operating principles: P –identifying Priorities; O –determining Objectives; S – developing Strategies; and T – implementing Tactics (or Tasks) relative to the situation being confronted.
Because they are similar in many ways to an emergency-incident management challenge, Critical Infrastructure Protective measures are basically a management challenge as well. The management of either or both challenges is more readily achieved through use of an orderly and systematic process. Fortunately, the P-O-S-T process can be used in much the same manner to meet both types of challenges.
Life Safety – The Priority of “Paramount Importance”
In ICS, as in many other operational areas in the field of homeland security, there are several important (but sometimes competing) priorities that must be taken into consideration: Life Safety; Incident Stabilization; and Property Preservation (or protection). These three priorities are generally stated in that order – i.e., Life Safety is of paramount importance. (Not incidentally, the acronym L-I-P is often used to remind ICS personnel of the order of priorities – Life Safety, Incident Stabilization, Property Preservation).
Although these three core priorities form the basis for almost all decision making, they often can be expanded (or sub-categorized, so to speak) to establish priorities within priorities. For example, recognizing that funds, personnel, and other resources are limited, decision-makers may have to determine, within the major priority of Property Preservation, whether it is more important to implement preservation and/or protective initiatives for either: (1) a major highway that has been determined to be vulnerable during a natural-hazard scenario; or (2) a public-safety facility – e.g., a fire station – vulnerable to the same hazard. After considering the potential impact of the loss of either the highway or the fire station, the decision-makers (managers, or “commanders”) would then have to resolve the question as to which one is more important to the community, and which one might safely be postponed or by-passed.
It is in that context that the priority within a priority decisions are determined. Both possibilities involve property protection, but one possibility might be judged to be more critical, given the specific constraints involved. Perhaps the rationale used would be that damage to the highway would have greater long-term disruptive effects, whereas fire apparatus and personnel may be only temporarily displaced – and with adequate advance notice could be relocated and therefore not totally and permanently “lost.”
After the priorities are placed in order, the next step in this orderly process is to determine objectives. Using the above example, if the priority selected is to protect the highway from flooding, the objective might be to implement flood-control measures – which, not incidentally, might also protect the fire station as a secondary beneficial outcome.
After the specific objective has been determined, a strategy (or sometimes multiple strategies) for achieving the objective must be formulated. Several different strategies, of course, may be reviewed and evaluated. In some instances the most attractive strategies in terms of outcome may be constrained by the lack of available resources – i.e., the funds required to use the tactics needed and/or accomplish the tasks that have been agreed upon. In an ICS setting, the decisions made are generally determined during a “Tactics Meeting” in which the key players discuss both the available resources, and the needed resources, to determine if a particular course of action can be effectively undertaken.
A Focus on Simplicity and Objectivity
In the tactics meeting a basic ICS form (ICS 215) is customarily used to clearly, and in one and the same document, capture all of the relevant information needed – including but not necessarily limited to the anticipated tactical action (or task), the resources on hand, and the resources needed. Using simple addition and/or subtraction, the command staff can and should be able to determine whether the tactic/task specified should be undertaken. Based on the discussion that follows, an objective decision can then be made as to whether the effort can be supported with a reasonable expectation of success.
In the P-O-S-T process – as also shown in the previously mentioned “Planning P” – there must be an ongoing assessment which ensures that specific tactics/tasks either can be accomplished with the resources already available or that the resources needed can and probably would be acquired. In ICS, as used for emergencies, there is typically a continuous dialogue between the Incident Commander (who establishes overall objectives), the Operations Section Chief (who generally selects specific ad hoc objectives), and other members of the General and Command Staff – i.e., those responsible for Planning, Logistics, Finance/Administration, Safety, Liaison, and Public Information from start to finish. All of those involved in the dialogue, of course, should possess the situational awareness needed to carry out the P-O-S-T process. The same fundamental process will work in Critical Infrastructure Protection.
The preceding represents neither the first nor the last example of the many ways in which fundamental management challenges and decision-making can be improved using the basic principles incorporated in the concepts and applications spelled out in ICS guidelines. In short, the sometimes daunting task of implementing Critical Infrastructure Protection may be simplified considerably by using the P-O-S-T process to assist both in determining direction and in making important decisions.
For additional information on the definitions set forth at the beginning of the preceding article see The Critical Infrastructure Protection Process Job Aid (FA-313, 2nd Edition, August 2007).