Monday, November 24, 2014

Critical Infrastructure : Crashing The System

IN THE HIGH desert some 50 miles west of Idaho Falls, the terrain is so rugged that the vehicle in which your correspondent was touring the facilities at Idaho National Laboratory (INL) ended up with two shredded tyres. Originally set up in the 1940s to test naval artillery, the high-security government lab now worries about weapons of a different kind. Some of its elite engineers help protect power grids, telecoms networks and other critical infrastructure in America against cyber-attacks and other threats.

The lab boasts its own 61-mile (98km) electrical grid and seven substations. It also has a wireless network and an explosives test bed. These can all be used by government agencies and businesses to run experiments that would be hard or impossible to conduct in an operational setting. “There are not many places in the world where you can crash a power system without incident,” says Ron Fisher, who oversees the Department of Homeland Security’s programme office at the lab.

The tour covers the site of a 2006 experiment that subsequently got a lot of attention. Known as the Aurora test, it demonstrated how it was possible to launch a cyber-attack on a big diesel generator by exploiting a weakness in a supervisory control and data acquisition (SCADA) system. Such systems are used to monitor and control physical equipment in everything from power stations to water-treatment plants. In a video of the attack on YouTube, bits can be seen flying off the generator, followed by black smoke.

Teams from the INL and other engineers have since been advising utilities on how to secure SCADA systems. Many of these were designed to work in obscurity on closed networks, so have only lightweight security defences. But utilities and other companies have been hooking them up to the web in order to improve efficiency. This has made them visible to search engines such as SHODAN, which trawls the internet looking for devices that have been connected to it. SHODAN was designed for security researchers, but a malicious hacker could use it to find a target.

The worry is that a terrorist may break into a control system and use it to bring down a power grid or damage an oil pipeline. This is much harder to do than it sounds, which explains why so far America has seen no power outages triggered by a cyber-attack. Squirrels and fallen branches have done more damage.

Nevertheless, the case of Stuxnet shows what is possible. In 2010 the malicious code was used to attack the system that controlled centrifuges for enriching uranium at Iran’s nuclear facility in Natanz, causing them to spin out of control. To pull this off, however, the masterminds behind Stuxnet had to find a way to smuggle the code into the facility, possibly on a USB stick, because the system had been kept isolated from the internet.

As more control systems are connected to the web, more vulnerabilities will inevitably appear. Already security researchers are discovering flaws in things such as communications protocols that govern the flow of data between utilities’ SCADA systems and the remote substations they control. Hence talk about defence-in-depth strategies, which ensure that vital areas are covered by a number of back-up systems. Multiple bulwarks greatly increase the cost of security, but that may be a price the companies have to pay.

http://www.economist.com/


Homeland Security and Public Safety : Strategies for Defending the Border and Protecting Critical Infrastructure

Paul Stockton, the former assistant secretary of defense for Homeland Defense and Americas’ Security Affairs, discusses the strategy of "security in depth."

Paul Stockton is the former assistant secretary of defense for Homeland Defense and Americas’ Security Affairs, where he served as the DOD’s domestic crisis manager and was responsible for supervising the department’s homeland defense activities, including critical infrastructure protection, domestic crisis management, defense support of civil authorities and Western Hemisphere security matters. He led the department’s response to Superstorm Sandy and other disasters. 

Stockton is an internationally recognized leader in infrastructure resilience and U.S. national security and foreign policy. He is currently the managing director of economic analysis firm Sonecon. 

Emergency Management: You suggested recently that there is a better use of National Guard troops than stationing them at the border with Mexico, and you discuss a strategy of “security in depth.” Can you explain what you mean?

Paul Stockton: We’re asking our customs and border patrol and our state and local law enforcement and other members of the border team to play defense on our 1-yard line. That is we’re allowing adversaries too much freedom to come up to the border and have our own folks on the last line of defense. Instead we ought to play football further down the field and take the security fight further toward its source and partner with Mexico, Guatemala, Honduras and countries in the region to go after the transnational criminal organizations (TCOs) close to their basing, and begin to intensify intelligence-led operations in cooperation with our partners well before illicit flows get to our border. 

EM: You describe putting National Guard troops at the border in football terms as a goal-line stand. That would suggest there is not much hope of success?

PS: We can use our resources much more effectively if in addition to continuing our capabilities right at the border, or if you will, goal-line defense, that we also move to the south even more strongly than we currently are and together with the nations with whom we can partner, do much more to conduct intelligence-led operations and take down the transnational criminal organizations before they can bring their illicit trafficking to the U.S. border. 

We also need to prioritize the way we think about the threats posed by transnational crime organizations. We know that TCOs are interested potentially in trafficking not only unaccompanied children but much more severe challenges to the U.S. The commander of Southern Command, Gen. John Kelly, has argued that the United States faces potentially existential threats from transnational criminal organizations attempting to move terrorists or even weapons of mass destruction to the U.S. We need to focus on the threats to the U.S. that TCOs pose that are of greater significance to U.S. security and build an intelligence-led security system in partnership with nations in the region that focuses on those most severe challenges. 

EM: I sense in your response that we’re not focusing enough on potentially catastrophic threats.

PS: I believe we ought to prioritize the way we deal with illicit flows toward the U.S. and concentrate our efforts on the threats that are most severe and take seriously the risk that in the future these transnational criminal organizations will not only traffic in minors but traffic in terrorists and even potentially, weapons of mass destruction. 

There is some very important progress that isn’t getting the attention it needs and that I hope will be sustained. There are three particular opportunities for progress. First of all, Secretary for Homeland Security Jeh Johnson has under development what he calls Southern Border and Approaches Campaign Planning. It’s very important that progress in that planning effort be sustained because it provides a framework for much greater emphasis on dealing with transnational criminal organizations at their home bases rather than at the U.S. border.

Second, one of the important and really valuable parts of both House and Senate bills in Congress is an emphasis on the need for improved metrics for understanding whether our investment in security is paying off. Building such metrics will be especially important if we are going to shift toward security in depth so that we can assess the degree to which assisting foreign countries in Central America and Mexico on its southern border are making effective use of our support to them. 

Last, we need to ensure that we’re fully leveraging technology, especially for detection and monitoring of illicit flows and to be able to understand how we can bring together multiple data sources to provide for intelligence-led operations. Just like our military conducts intelligence-led operations abroad, I think we can use technology much more effectively in partnership with nations in the region to focus our security assets and take down these TCOs in a much more efficient way than would otherwise be possible. Technology, sensors, data integration — these are the keys to progress.

EM: I want to switch to cybersecurity. Will you discuss how government and industry can and should work together to strengthen the resilience of the power grid and what should develop from these partnerships?

PS: These partnerships between industry and government, all levels of government, are advancing very rapidly. There is extensive collaboration under way, and I believe that voluntary collaboration is the best way, the most rapid way, to make progress against nontraditional hazards — the cyberthreat, electromagnetic threats, all of these less familiar hazards that the grid was never designed to be able to survive. My concern is that the threat is growing just as rapidly, maybe even more rapidly, and that we need to avoid congratulating ourselves prematurely but reinforce the collaborative efforts that are under way to take on what I call “black sky challenges.” 

Today we have a grid that has been optimized for reliability purposes around functioning on a blue sky day. Events much worse than Sandy could strike and we could be facing hazards that would create bigger power outages, [for a] much greater geographic scope and potentially for a much longer duration. Building resilience against these extraordinary black sky hazards needs to become a special focus of government/industry collaboration. 

EM: And part of that is getting industry to invest in resilience?

PS: Industry is investing heavily in resilience. The electric power companies are ramping up their investment against these nontraditional hazards very rapidly. The challenge lies in reaching consensus by public utility commissioners, industry and other stakeholders and what kinds of investments have the greatest value for building resilience and what kinds of investments are generally prudent and necessary in an environment where keeping rates low is an imperative, especially for the poorest ratepayers. 

EM: You mentioned Superstorm Sandy. What did you take away from that in terms of our ability to become resilient to a similar or worse incident?

PS: Two key lessons came out of Sandy for me. First, the ability of the government to innovate under fire and build new mechanisms to support the electric industry for restoring power is terrific. We were able to work with the leadership of the Department of Energy, with FEMA and above all, the electric power industry to build new kinds of support missions to assist industry in restoring power. For example, flying utility trucks across the nation from California and the state of Washington to New York to support utility power restoration on transport aircraft. That mission had never been executed. We were able to glue it together, building the airplane while it was flying. That’s my first takeaway — that government can partner very effectively with industry under fire. 

The second lesson is that we shouldn’t have to do that. That’s the hard way of doing business. It’s important now that we not only learn the lessons of Sandy and institutionalize the best practices that we developed in the heat of that crisis, but that we also anticipate even worse events than Sandy and begin to build the plans and capabilities and collaborative mechanisms. So when industry needs assistance in a black sky event, one worse than Sandy, the government will already have the plans and capabilities to collaborate with industry so that government support will be most effective.
Jim McKay  |  Editor
Jim McKay is the editor of Emergency Management. He lives in Orangevale, Calif., with his wife, Christie, daughter, Ellie, and son, Ronan. He relaxes by fly fishing on the Truckee River for big, wild trout. Jim can be reached at jmckay@emergencymgmt.com

Critical Infrastructure Protection : James Demby Leads the Way for FEMA’s National Dam Safety Program

Communicating the risk to populations downstream of dams is one goal of the National Dam Safety Program.

James Demby is the senior technical and policy adviser and program manager for the FEMA National Dam Safety Program. He advises Sandra Knight, FEMA’s deputy federal insurance and mitigation administrator for mitigation, on matters pertaining to national dam safety. 

Demby is a professional engineer registered in Virginia and has worked for the U.S. Army Corps of Engineers. His work for the corps included geotechnical design projects; analysis of military construction; and civil works projects such as barracks complexes, military family housing projects, hazardous waste sites, highway bridge foundation design, federal navigation channels, and levees and flood control structures.

What is the role of the National Dam Safety Program?

The purpose of the Dam Safety Program is to reduce the risk to life and property from dam failure; that’s the short answer. Part of that is bringing together expertise and resources from federal and nonfederal communities. In the Dam Safety Program we have participation from various federal agencies that have some type of role in dams — in ownership, regulating dams or building dams; they have some role from the federal perspective. Then you have state dam safety representatives who bring expertise from the state perspective, and you have representatives from the private sector. You bring in these experts to look at dam safety issues from a national perspective.

One state doesn’t have a dam safety program. What’s the significance of that? 

In Alabama dams are regulated by the state. That means they’re not being inspected, and there’s not a requirement for emergency action planning for high hazard-potential dams. That means that within the state, they don’t necessarily have a good sense of the hazards that dams potentially pose to people downstream. 

By not having a dam safety program that’s legislated by the state, it can’t participate in the National Dam Safety Program, whereby FEMA provides state assistance grants that go to dam safety activities. 

Alabama — although it does not have a legislated dam safety program — has begun actions over the last couple of years to identify the state’s dams, and to establish, inventory and provide that information to the National Inventory of Dams. The state is taking steps toward getting a program. The first step is getting a sense of what the need is. 

What about the lack of knowledge of the people across the country who live below dams, in terms of the danger they’re in?

We provide national assistance grants to state dam safety programs. The hope is that they will coordinate with local and state emergency managers to identify the risks within their state, and with that coordination with the state dam safety officials and emergency managers, develop specific strategies within their state to address the dangers. One area within the Dam Safety Program is public awareness. That’s one of the functional activities identified in the National Dam Safety [Program] Act. 

That’s one of the things we realized we need to improve on with the Dam Safety Program — providing more of an outreach strategy to communicate the risk from a broad perspective [of the dangers] to populations downstream of dams. On our current grants that we put out for 2010, we have some language to try to address the gap in awareness of dangers downstream. One of the initiatives in the 2010 state assistance grants was to encourage state safety officials, once they identify dams that are unsafe or at risk, to coordinate and provide that information to state and local emergency managers and local decision-makers, like mayors or city council members, so they’ll have the situational awareness of a dam that poses a threat to a community. 

You’ve said money probably should be distributed differently. Can you elaborate?

Currently money is distributed based on the language in the Dam Safety Act, and that’s based on a distribution of the number of dams in the state and the number of dams nationally that fall under the National Inventory of Dams. 

One concern that’s been raised from the states is that it might be more effective if the money is based more on risk as opposed to just a straight formula based on the number of dams. That way you make sure the federal investment is going to the areas that have the most risk. 

What areas are most at risk? Do people in those areas know how at risk they are?

The states are the front line for dam safety because 85 percent of the nation’s 83,000 dams are regulated by states. With that said, state officials should have a good understanding of the dams that are at risk in their states. 

It’s imperative that state dam safety officials communicate that information and work with state and local emergency managers so that there is good situational awareness at the state and local levels of dams that potentially threaten populations downstream. 

From a national perspective, that is information we don’t collect as part of the National Dam Safety Program. With the National Inventory of Dams, what we do have is information on the hazard-potential classification. But that’s not really a risk-based classification. It’s a classification on: If the dam fails there is — say, for high-hazard classification — probably loss of life. Significant hazard potential means that if there’s a dam failure there would be substantial economic impact downstream. There’s a low-hazard classification; that is if the dam fails, there would be no impact to life or property. But those are not risk-informed classifications; they’re based on consequences.

How concerned are you about the threat of a terrorist attack on the nation’s dams?


The Infrastructure Protection Office in the Department of Homeland Security primarily addresses the terrorist threat. The whole dam sector is broken down into two parts: FEMA has the responsibility of dam safety and DHS specifically looks at the security side — so they’re more focused on the terrorist-sabotage area. 

With that said, as far as the critical infrastructure and the sectors identified as part of the critical infrastructure, dams are one of the critical infrastructure areas, so there is great concern. We want to make sure that there is a national framework and approach to make sure that our critical infrastructure is being hardened and protected from terrorist threats. 

 
Jim McKay  |  Editor
www.emergencymgmt.com 

Cyberattack on U.S. Infrastructure

A highly disruptive cyberattack on U.S. critical infrastructure

In March 2013, Director of National Intelligence James Clapper identified cyber attacks as the greatest threat to U.S. national security. Critical infrastructure—the physical and virtual assets, systems, and networks vital to national and economic security, health, and safety—is vulnerable to cyber attacks by foreign governments, criminal entities, and lone actors. Due to the increasingly sophisticated, frequent, and disruptive nature of cyber attacks, such an attack on critical infrastructure could be significantly disruptive or potentially devastating. Policymakers and cyber security experts contend that energy is the most vulnerable industry; a large-scale attack could temporarily halt the supply of water, electricity, and gas, hinder transportation and communication, and cripple financial institutions.

The rising prevalence of cyber attacks was detailed in a 2013 report by the U.S. security firm Mandiant that linked the Chinese military to 140 cyber attacks against U.S. and foreign corporations. The same year, major U.S. banks called on policymakers for assistance after experiencing cyber attacks emanating from Iran. The Obama administration has emphasized the importance of cyber security—its fiscal year 2014 budget requested a 20 percent increase in funding. The United States has strengthened its offensive strategies by developing rules of engagement for cyber warfare and cyber weapons capabilities. However, cyberspace policy making remains decentralized with authority shared among the White House and five executive departments, resulting in gaps in U.S. cyber policy that leave vulnerabilities unaddressed.

http://www.cfr.org/global/global-conflict-tracker/p32137#!/?marker=2

Tuesday, November 18, 2014

Critical Infrastructure Sector- Nuclear Reactors, Materials and Waste Sector


Nuclear Reactors, Materials and Waste Sector

Sector Overview

Nuclear power accounts for approximately 20 percent of the nation's electrical generation, provided by 104 commercial nuclear reactors licensed to operate at 65 nuclear power plants throughout the United States. The sector includes nuclear power plants; non-power nuclear reactors used for research, testing, and training; manufacturers of nuclear reactors or components; radioactive materials used primarily in medical, industrial, and academic settings; nuclear fuel cycle facilities; decommissioned nuclear power reactors; and the transportation, storage, and disposal of nuclear and radioactive waste.

The sector is interdependent with other critical infrastructure sectors, including:

  • Chemical as a consumer of hazardous chemicals at fuel cycle facilities;
  • Energy as a supplier of electricity to the nation's electrical grid;
  • Healthcare and Public Health as a supplier of nuclear medicine, radiopharmaceuticals and in the sterilization of blood and surgical supplies; and
  • Transportation Systems through the movement of radioactive materials

Read the Nuclear Sector Snapshot (PDF, 2 pages - 1.24 KB)

Sector-Specific Plan

The Nuclear Reactors, Materials, and Waste Sector-Specific Plan (PDF, 142 pages – 1.56 MB) details how the National Infrastructure Protection Plan risk management framework is implemented within the context of the unique characteristics and risk landscape of the sector. Each Sector-Specific Agency develops a sector-specific plan through a coordinated effort involving its public and private sector partners. The Department of Homeland Security is designated as the Sector-Specific Agency for the Nuclear Reactors, Materials, and Waste Sector.

Last Published Date: November 14, 2014

Critical Infrastructure Sector- Information Technology Sector


Information Technology Sector

Sector Overview

The Information Technology Sector is central to the nation's security, economy, and public health and safety. Businesses, governments, academia, and private citizens are increasingly dependent upon Information Technology Sector functions. These virtual and distributed functions produce and provide hardware, software, and information technology systems and services, and - in collaboration with the Communications Sector - the Internet. The sector's complex and dynamic environment makes identifying threats and assessing vulnerabilities difficult and requires that these tasks be addressed in a collaborative and creative fashion.

Information Technology Sector functions are operated by a combination of entities - often owners and operators and their respective associations - that maintain and reconstitute the network, including the Internet. Although information technology infrastructure has a certain level of inherent resilience, its interdependent and interconnected structure presents challenges as well as opportunities for coordinating public and private sector preparedness and protection activities.

Sector-Specific Plan

The Information Technology Sector-Specific Plan (PDF, 88 pages – 2.2 MB) details how the National Infrastructure Protection Plan risk management framework is implemented within the context of the unique characteristics and risk landscape of the sector. Each Sector-Specific Agency develops a sector-specific plan through a coordinated effort involving its public and private sector partners. The Department of Homeland Security is designated as the Sector-Specific Agency for the Information Technology Sector.

Last Published Date: June 12, 2014

Critical Infrastructure Sector- Healthcare and Public Health Sector


Healthcare and Public Health Sector

Sector Overview

The Healthcare and Public Health Sector protects all sectors of the economy from hazards such as terrorism, infectious disease outbreaks, and natural disasters. Because the vast majority of the sector's assets are privately owned and operated, collaboration and information sharing between the public and private sectors is essential to increasing resilience of the nation's Healthcare and Public Health critical infrastructure. Operating in all U.S. states, territories, and tribal areas, the sector plays a significant role in response and recovery across all other sectors in the event of a natural or manmade disaster. While healthcare tends to be delivered and managed locally, the public health component of the sector, focused primarily on population health, is managed across all levels of government: national, state, regional, local, tribal, and territorial.

The Healthcare and Public Health Sector is highly dependent on fellow sectors for continuity of operations and service delivery, including: Communications, Emergency Services, Energy, Food and Agriculture, Information Technology, Transportation Systems, and Water and Wastewater Systems.

Sector-Specific Plan

The Healthcare and Public Health Sector-Specific Plan (PDF, 72 pages – 2.16 MB) details how the National Infrastructure Protection Plan risk management framework is implemented within the context of the unique characteristics and risk landscape of the sector. Each Sector-Specific Agency develops a sector-specific plan through a coordinated effort involving its public and private sector partners. The Department of Health and Human Services is designated as the Sector-Specific Agency for the Healthcare and Public Health Sector.

Last Published Date: June 12, 2014

Critical Infrastructure Sector- Financial Services Sector


Financial Services Sector

Sector Overview

The Financial Services Sector represents a vital component of our nation's critical infrastructure. Large-scale power outages, recent natural disasters, and an increase in the number and sophistication of cyber attacks demonstrate the wide range of potential risks facing the sector. Financial institutions provide a broad array of products from the largest institutions with assets greater than one trillion dollars to the smallest community banks and credit unions. Whether an individual savings account, financial derivatives, credit extended to a large organization, or investments made to a foreign country, these products allow customers to:

  1. Deposit funds and make payments to other parties;
  2. Provide credit and liquidity to customers;
  3. Invest funds for both long and short periods; and
  4. Transfer financial risks between customers.

Financial institutions are organized and regulated based on services provided by institutions. Within the sector, there are more than 18,800 federally insured depository institutions; thousands of providers of various investment products, including roughly 18,440 broker-dealer, investment adviser, and investment company complexes; providers of risk transfer products, including 7,948 domestic U.S. insurers; and many thousands of other credit and financing organizations.

Sector-Specific Plan

The Financial Services Sector-Specific Plan (PDF, 96 pages – 3.37 MB) details how the National Infrastructure Protection Plan risk management framework is implemented within the context of the unique characteristics and risk landscape of the sector. Each Sector-Specific Agency develops a sector-specific plan through a coordinated effort involving its public and private sector partners. The Department of Treasury is designated as the Sector-Specific Agency for the Financial Services Sector. Presidential Policy Directive 21 changed the name of the Banking and Finance Sector to the Financial Services Sector in 2013.

Last Published Date: June 12, 2014

Critical Infrastructure Sector- Defense Industrial Base Sector


Defense Industrial Base Sector

Sector Overview

The Defense Industrial Base Sector is the worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements. The Defense Industrial Base partnership consists of Department of Defense components, more than 100,000 Defense Industrial Base companies and their subcontractors who perform under contract to the Department of Defense, companies providing incidental materials and services to the Department of Defense, and government-owned/contractor-operated and government-owned/government-operated facilities. Defense Industrial Base companies include domestic and foreign entities, with production assets located in many countries. The sector provides products and services that are essential to mobilize, deploy, and sustain military operations. The Defense Industrial Base Sector does not include the commercial infrastructure of providers of services such as power, communications, transportation, or utilities that the Department of Defense uses to meet military operational requirements. These commercial infrastructure assets are addressed by other Sector-Specific Agencies.

Sector-Specific Plan

The Defense Industrial Base Sector-Specific Plan (PDF, 105 pages – 1.17 MB) details how the National Infrastructure Protection Plan risk management framework is implemented within the context of the unique characteristics and risk landscape of the sector. Each Sector-Specific Agency develops a sector-specific plan through a coordinated effort involving its public and private sector partners. The Department of Defense is designated as the Sector-Specific Agency for the Defense Industrial Base Sector.

Last Published Date: June 12, 2014

Critical Infrastructure Sector- Dams Sector


Dams Sector

Sector Overview

The Dams Sector is composed of assets that include dam projects, hydropower generation facilities, navigation locks, levees, dikes, hurricane barriers, mine tailings, other industrial waste impoundments, and other similar water retention and water control facilities. The Dams Sector is a vital part of the nation's infrastructure and provides a wide range of economic, environmental, and social benefits, including hydroelectric power, river navigation, water supply, wildlife habitat, waste management, flood control, and recreation.

There are over 87,000 dams in the United States; approximately 65 percent are privately owned, and state dam safety offices regulate more than 77 percent. The Dams Sector has interdependencies with a wide range of other sectors, including:

  • The Emergency Services Sector - Emergency response sometimes relies on Dams Sector assets for firefighting water supply, emergency water supply, and waterway access during a significant disaster where access by land is impossible.
  • The Energy Sector - Hydropower dams produce approximately 8 to 12 percent of the nation’s power needs.
  • The Food and Agriculture Sector - Dams Sector assets are a source of water for our nation's food and agriculture production.
  • The Transportation Systems Sector - Dams and locks manage navigable waters throughout inland waterways for shipping and recreation.
  • The Water and Wastewater Systems Sector - Water and wastewater management systems rely on Dams Sector assets to provide water to large populated areas and commercial facilities.

Sector-Specific Plan

The Dams Sector-Specific Plan (PDF, 136 pages – 1.45 MB) details how the National Infrastructure Protection Plan risk management framework is applied to the sector's unique characteristics and risk landscape. Each sector-specific agency develops a sector-specific plan through a coordinated effort involving its public and private sector partners. The Department of Homeland Security is designated as the Dams Sector's sector-specific agency.



Contact Information

For additional information, contact dams@hq.dhs.gov

Last Published Date: June 12, 2014

Critical Infrastructure Sector- Commercial Facilities Sector


Commercial Facilities Sector

Sector Overview

Facilities associated with the Commercial Facilities Sector operate on the principle of open public access, meaning that the general public can move freely throughout these facilities without the deterrent of highly visible security barriers. The majority of the facilities in this sector are privately owned and operated, with minimal interaction with the federal government and other regulatory entities.

The Commercial Facilities Sector consists of eight subsectors:

  • Public Assembly (e.g., arenas, stadiums, aquariums, zoos, museums, convention centers).
  • Sports Leagues (e.g., professional sports leagues and federations).
  • Gaming (e.g., casinos).
  • Lodging (e.g., hotels, motels, conference centers).
  • Outdoor Events (e.g., theme and amusement parks, fairs, campgrounds, parades).
  • Entertainment and Media (e.g., motion picture studios, broadcast media).
  • Real Estate (e.g., office and apartment buildings, condominiums, mixed use facilities, self-storage).
  • Retail (e.g., retail centers and districts, shopping malls).

Sector-Specific Plan

The Commercial Facilities Sector-Specific Plan (PDF, 174 pages - 1.46 MB) details how the 2013 National Infrastructure Protection Plan's risk management framework is implemented within the context of the unique characteristics and risk landscape of the sector. Each Sector-Specific Agency develops a sector-specific plan through a coordinated effort involving its public and private sector partners. The Department of Homeland Security is designated as the Sector-Specific Agency for the Commercial Facilities Sector.


Last Published Date: August 27, 2014