When a ransomware attack forced Colonial Pipeline to shut down last May, the Department of Homeland Security’s risk management clearinghouse began working through the implications of an extended fuel shortage.
Ultimately, the pipeline was down for just six days, with panic buying rather than an actual supply shortage leading to temporary fuel unavailability at gas stations up and down the East Coast.
But at the National Risk Management Center, officials did have concerns that the cyber attack on the pipeline, one piece of the nation’s critical infrastructure, would lead to “cascading effects” on transportation and other crucial activities, according to Bob Kolasky, assistant director for the NRMC.
“We were mapping where there were airports that might have potential shortages, and what was flying into those airports,” Kolasky said in an interview. “Did any of those airports have linkages to national security, delivery of key goods, other transportation hubs?”
The center, housed within the Cybersecurity and Infrastructure Security Agency, worked with interagency and industry partners to sketch out potential responses, whether it be surging additional fuel availability or reducing regulatory burdens to alleviate an extended shortage.
The pipeline incident proved to be another testing ground for the center’s “National Critical Functions” framework. The center published the list of 55 functions in 2019 and has continued to develop the new model while using the framework to respond to real-world scenarios, including the COVID-19 pandemic, according to Kolasky.
The functions cut across the 16 sectors that DHS has traditionally used to define critical infrastructure. Instead of viewing sectors in individual silos, the framework defines functions, such as distributing electricity or conducting elections, that are critical to the health and security of the nation.
“It evolves the framework to account for the fact that things are dependent,” Kolasky said. “There’s more dependencies, supply chains matter, third parties are part of the overall risk management approach. You can’t even manage the electricity sector just by working with electric companies. You have to work with communications companies, you have to work with IT companies, you have to work with financial companies, you have to work with local regulators.”
The so-called “functional decomposition” contributes to furthering a sort of “science” for understanding threats and vulnerabilities that could affect key functions, according to Kolasky.
It will also help the center distinguish which entities are most important to the nation. Lawmakers have introduced legislation that would require DHS identify so-called “systemically important critical infrastructure” and direct additional resources toward those entities.
“We are internally working to build better technical models for visualizing how the functions work that can be used systematically to better understand risk,” Kolasky said. “We’re doing a lot of work on prioritization around critical functions based on our understanding of that, and starting to direct our efforts around the critical functions that we think need the most collective action to address risk.”
Kolasky said key priorities for the NRMC in 2022 also include water security, continuing to improve the security of the healthcare system, and election security as the fall mid-terms loom large.
He said a key lesson for using the NCF framework has been the importance of “real-time data.” While it’s usually easy to monitor the functioning of most critical infrastructure, Kolasky said it’s harder to get information about risks to infrastructure, such as ongoing cyber attacks or supply chain issues.
“Understanding how infrastructure is operating, I think we can get better visibility without additional authorities,” Kolasky said. “Understanding the things that are putting that infrastructure at risk, we need a little more help from information sharing with our private sector partners.”