Malicious hackers from Russia and China have infected software programs related to the U.S. electrical grid that could be used to shut down the system at any time. Sound like a plot from the television series 24? Unfortunately, the situation was not created by Hollywood. In April 2009, the Wall Street Journal reported that national security officials found such viruses and the electric companies involved were unaware of the presence of the malicious code.
This case illustrates the need for the federal government to educate private-sector executives on the vulnerability of the country’s energy grid and other functions on which society depends. The private and public sectors tend to have different priorities when it comes to balancing the cost, the risk, and the security of our nation’s most valuable assets. For example, while it is more cost-effective and efficient to manage energy distribution over the Internet, such an approach makes the energy grid susceptible to hackers, as illustrated above.
The Federal Emergency Management Agency (FEMA), under the Department of Homeland Security, has been charged with protecting the nation’s critical infrastructure, including systems related to finance, electricity, oil, water, and telecommunications. To adequately train private- and public-sector employees in these areas, FEMA created the Competitive Training Grant Program, which awards funds to competitively selected applicants to develop and deliver innovative training programs that address high-priority national security training needs. Drawing from years of experience in critical infrastructure policy, Brien Benson, an associate research professor at Mason’s School of Public Policy, submitted a proposal with the university’s Critical Infrastructure Protection Program (CIPP) to administer one of the training programs.
The submission was accepted, and the university received a $3.5 million cooperative agreement from FEMA to develop training in infrastructure protection directed at the electric power industry. Chosen from a pool of approximately 200 organizations that submitted proposals, Mason received the second largest award of the 11 accepted bids.
“This is an unusual undertaking for a university because it is not a research project or a formal executive training program,” Benson says. “Developing this program requires careful management and an innovative approach to be effective, and I think we’re uniquely suited for the task.”
Protection of critical infrastructure is an area of expertise for Mason. Since 2002, the university’s School of Law has operated the CIPP, which seeks to fully integrate the disciplines of law, policy, and technology to enhance the security of the cybernetworks, physical systems, and economic processes that support the nation’s critical infrastructure. Supported by a grant from the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce, CIPP conducts research and publishes a monthly electronic newsletter for professionals who have an interest in critical infrastructure protection.
Under the leadership of retired Army lieutenant general and former Department of Defense inspector general Claude M. “Mick” Kicklighter, CIPP engages in basic and applied research activities and organizes conferences, workshops, and seminars on technology, legal, economic, and policy issues related to the program’s mission.
The FEMA training sessions will focus on enterprise risk management techniques to help industry and regulatory officials plan and manage potential threats to the public distribution of energy. Enterprise risk management helps organizations assess risk in case of incidents related to weather, terrorism, or other unplanned events. CIPP legal research associate Maeve Dion and chief of staff William Zachman also are involved in curriculum development and project administration.
“We’re using enterprise risk management because it is a widely accepted business tool used to help organizations deal with complex risks,” Benson says. “In addition, CIPP has experience in applying enterprise risk management strategies to critical infrastructure protection planning.”
The project will work in close cooperation with the Edison Electric Institute and the other major electric power trade associations, the American Public Power Association and the National Rural Electric Cooperative Association, in identifying audiences for the training.
One major training goal is to improve coordination at the state and local levels between industry and government officials, in particular regulatory officials and state officials charged with overall responsibility for energy security and continuity. Training sessions bring together public- and private-sector officials to encourage increased understanding of each other’s perspectives.
Another goal is to achieve a common understanding of language regarding risk, using a Department of Homeland Security risk lexicon booklet that provides formal definitions for many of the words and acronyms frequently used in risk management.
Still in development, the training program is expected to include a review of critical infrastructure protection case studies and a threat simulation based on a hurricane or terror attack. The courses will likely last one or two days, and planners want the sessions to include a mix of regulatory officials and power company executives. Presenters will include experts in infrastructure protection and enterprise risk management.
Instructional material developed under FEMA’s Competitive Training Grants Program must undergo a rigorous review process, which includes outside subject matter experts. The program development phase culminates with three pilot training sessions before public and industry executives. FEMA will formally approve the program for a nationwide rollout after the third session.
–Jim Greif, MPA ’07