Securing critical infrastructure: portfolio based approach

can all agree and share information on the same particular set of assets.

HSNW: In the wake of the massive 11 March earthquake that struck Japan, have you noticed any changes in the mindsets of critical infrastructure operators in terms of having plans in place?

BW: I still think it is still a little too early to tell what is happening in terms of the fallout from those events. Companies are only starting to explore ways to understand, manage, and plan for catastrophic events in the aftermath of Japan.

But, one of the things that is very interesting from the U.S. perspective is we saw plants in the United States idling because of critical commodities or products that they could only get from Japan. I can imagine a case in which an individual auto manufacturing plant in Tennessee could have the best continuity plans with redundant power, good security, and good operational controls to make sure that the plant continues to operate, but if those supplies are not coming in the front door, the plant will idle.

These concerns are very similar to what the cyber world is about as they are many steps removed from what a business can begin to manage and plan for. In other words, like in cyber, your vulnerabilities may not be about your defenses or your critical resources, but things that are many degrees outside of your static control that may impact you.

HSNW: Speaking of cyber, what are your thoughts on the Obama administration’s new cybersecurity plan? In particular, what are your thoughts on the proposed provision of having government oversight where DHS reviews a company’s cybersecurity plan and will actually penalize them if it is found to be inadequate?

BW: As I read through the plan and think about it, I wonder how it is going to be implemented. I think that implementation is always a challenge with these plans. I do not know that the government feels like it is doing the best job at implementing its own cybersecurity plans and securing its own assets, so how it will look at businesses and their cybersecurity plans will be a big challenge.

This is a new frontier and I like that there is leadership. Every day you read about major intrusions into the networks of large companies that you would think are very serious and have significant capabilities. We are seeing a very hostile environment out there and