


Director, Critical Infrastructure Protection Programs, North American Electric Reliability Corp. (NERC)

The private sector is the key to success for the Department of Homeland Security

Feb 01, 2017 | 7 mins
Critical Infrastructure, IT Leadership, IT Skills

Infrastructure protection is a shared responsibility that cannot be met by government alone.


With the inauguration of our 45th President of the United States recently behind us, a new administration will be met with emerging and imminent threats to our homeland. As new leadership is appointed by the President and confirmed, the U.S. Department of Homeland Security (DHS) will maintain a clear understanding of their role within the national security apparatus, and will continue the difficult work of keeping Americans safe and critical infrastructure secure.

John Kelly, the newly confirmed DHS Secretary and former Marine Corps four-star General, has recently addressed the numerous homeland security issues facing the country. His main focus will be on defeating terrorism, more robust cybersecurity protections, and infrastructure security and resiliency. DHS is a huge federal department with many moving parts. The agency includes Customs and Border Protection, Secret Service, Coast Guard, Transportation Security Administration, and numerous offices dedicated to cyber and physical security missions. However, while the 240,000 employees serve a critical role within government, it’s the private sector that will help ensure continued success at DHS.

It is widely understood that over 85% of all critical infrastructure is owned and operated by the private sector. Power grid operators, water treatment specialists, and chemical process engineers are the first to encounter security threats at their particular work stations. These subject matter experts are typically supported by cyber and facility security professionals dedicated to keeping their systems and infrastructure secure. The first line of defense resides outside of government and lands squarely in the hands of private industry. Fortunately, industry has long had the support and interest from DHS.

Currently, the most significant reliability threat to the U.S. power grid is associated with squirrels and balloons, and not a coordinated cyber-attack inspired by state-sponsored hackers. However, we have recently seen noteworthy interest in disabling or destroying critical infrastructure. Coordinated attacks specifically targeting the grid are rare, but an attack by a disgruntled former employee, ideologically motivated activist, or a criminal stumbling across a “soft target”, could inflict significant damage.

DHS has always let the Sector Specific Agency (SSA), the Department of Energy (DOE), take the lead on coordinating response, recovery, and the security of the power grid. However, we may see DHS take a more active interest as a result of hackers causing a blackout in western Ukraine. After cutting off power to nearly 250,000 homes and businesses, this event demonstrated how a grid attack in North America could rapidly deteriorate and cascade into a catastrophic national security event. Under the new administration, it will be vitally important to increase information sharing with the electricity sector, provide additional security clearances, and tackle many of the lessons learned from grid security exercises.

The Chemical Facility Anti-Terrorism Standards (CFATS), one of the few regulations spearheaded by DHS, identifies and regulates high-risk chemical facilities to ensure they have security measures in place to reduce the risks associated with dangerous chemicals. Currently, there are approximately 2700 facilities falling into strict compliance with the 18 Risk Based Performance Standards (RBPS), which provide individual facilities the flexibility to address their unique security challenges. Chemical plants, oil refineries, and water treatment facilities have long worked with DHS, government coordinating councils, and the trade associations to ensure the regulation is effective and remains malleable to existing threats and vulnerabilities found within the sector.

While CFATS got off to a rough start in 2007, industry and government have seemingly ironed out many points of contention. The Top-Screen process, which identifies facilities responsible for economically critical and mission-critical chemicals, has been streamlined and made painless for industry users. In addition, compliance inspections are now underway and the “help desk” has been a resource for those wanting to gain valuable insight. With over 4,000 inspections complete, CFATS is an example of the government using the expertise found within industry to help craft compliance guidance to better protect high-risk chemical facilities.

The United States Coast Guard enforces the Maritime Transportation Security Act (MTSA), which provides the authority to regulate facilities located on or adjacent to waterways under U.S. jurisdiction. The Coast Guard typically conducts at least one scheduled audit and one unannounced “spot check” each year. MTSA-regulated facilities must complete a Facility Security Assessment (FSA) that identifies and evaluates critical assets, critical infrastructures, and potential threats and vulnerabilities to those assets.

The facility must then develop and submit a Facility Security Plan (FSP). The importance of keeping our ports and waterways secure cannot be overstated. Approximately 90 percent of all global trade and over 25 percent of our Gross Domestic Product moves via the sea. A terrorist attack at our ports could severely disrupt the supply chain, which would be catastrophic to our economy. Private industry and the Coast Guard have a long history of working together to mitigate safety, security, and environmental risks to U.S. ports and maritime critical infrastructure.

Cybersecurity at DHS has turned into a top priority and the department has seen tangible progress. The National Cybersecurity and Communications Integration Center (NCCIC), which can be characterized as the federal government’s 24/7 hub for cybersecurity information sharing, technical assistance, and incident response, has grown to be a very useful resource for industry.

In 2016, the NCCIC disseminated more than 6,000 bulletins and responded on-site to 32 cybersecurity incidents. The recent classification of election systems as “critical infrastructure” will add to the mounting pressure for the department to expand its cyber resources, funding, and expertise. This expansion will only aid the private sector when they are faced with cyber threats and will assist with intrusion detection and prevention capabilities.

DHS recently released a refreshed version of its National Cyber Incident Response Plan (NCIRP), with a strong focus on how the U.S. can react to cybersecurity threats to critical infrastructure. The NCIRP describes a national approach to dealing with cyber incidents. In addition, it also addresses the important role that the private sector, state and local governments, and multiple federal agencies play in responding to incidents and how the actions of all fit together for an integrated response.

As mentioned above, the majority of infrastructure in North America is owned and operated by the private sector. Because of this, it is vital that the public and private sectors work together to share relevant threat information. Over the past few years, DHS, the FBI, and the Department of Energy have made considerable strides in improving information sharing and giving classified access to intelligence products such as bulletins, alerts, and secret level briefings.

These data points have been used to mitigate threats, reduce risk, and update internal security policies. This data flow has enhanced communications between security teams, management, and board members by providing authoritative threat warnings. Ultimately, information sharing is a two-way street. Private sector entities must remove the words “compliance risk” from their lexicon and readily share timely information as it happens.

Nobody knows their systems better than they do. Cybersecurity alerts coming from industry professionals are imperative to the collaborative exchange process. Simultaneously, federal intelligence partners must alert those within the private sector who actually have the ability to mitigate threats. This partnership can become stronger and timelier with additional security clearances given to the private sector.

Given today’s cyber and physical security threats to the nation, the boundaries between the private and public sector have blurred. Whereas traditional national security has been the domain of the federal government, homeland security is not solely the responsibility of federal agencies, but also of state and local government and the private sector. Homeland security is a shared responsibility that cannot be met by government alone.

Uninterrupted operation of basic services such as energy, communications, water, transportation, and unbroken access to other goods and services used on a daily basis are essential to America’s security, safety, and economic vitality. Congressman Mike McCaul (R-TX), Chairman of the House Committee on Homeland Security, recently said that, “DHS needs to work more urgently to assist the private sector in defending the nation’s critical infrastructure, including communications, the electric grid and nuclear energy.”

This is a partnership and we need to lean on each other’s strengths and expertise.


Brian Harrell is a nationally recognized expert on critical infrastructure protection, continuity of operations, and cybersecurity risk management. Harrell is the President and Chief Security Officer at The Cutlass Security Group, where he provides critical infrastructure companies with consultation on risk mitigation, protective measures, and compliance guidance. In his current role, he has been instrumental in providing strategic counsel and thought leadership for the security and resilience of the power grid and has helped companies identify and understand emerging threats. Advising corporations throughout North America, Harrell has worked to increase physical and cybersecurity mitigation measures designed to deter, detect, and defend critical systems. Harrell is also a Senior Fellow at The George Washington University, Center for Cyber and Homeland Security (CCHS) where he serves as an expert on infrastructure protection and cybersecurity policy initiatives.

Prior to starting his own firm, Harrell was the Director of the North American Electric Reliability Corporation’s (NERC) Electricity Information Sharing and Analysis Center (E-ISAC) and was charged with leading NERC’s efforts to provide timely threat information to over 1900 bulk power system owners, operators, and government stakeholders. During his time at NERC, Harrell was also the Director of Critical Infrastructure Protection Programs, where he led the creation of the Grid Security Exercise, provided leadership to Critical Infrastructure Protection (CIP) staff, and initiated security training and outreach designed to help utilities “harden” their infrastructure from attack.

Prior to coming to the electricity sector, Harrell was a program manager with the Infrastructure Security Compliance Division at the U.S. Department of Homeland Security (DHS) where he specialized in securing high risk chemical facilities and providing compliance guidance for the Chemical Facility Anti-Terrorism Standards (CFATS). For nearly a decade of world-wide service, Harrell served in the US Marine Corps as an Infantryman and Anti-Terrorism and Force Protection Instructor, where he conducted threat and vulnerability assessments for Department of Defense installations.

Harrell has received many accolades for his work in critical infrastructure protection and power grid security, including awards from Security Magazine, CSO, AFCEA and GovSec. Harrell maintains the Certified Protection Professional (CPP) certification and holds a bachelor’s degree from Hawaii Pacific University, a master of education degree from Central Michigan University, and a master of homeland security degree from Pennsylvania State University.

The opinions expressed in this blog are those of Brian Harrell and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.