These include energy facilities, transportation assets, water treatment plants, financial institutions and commercial office buildings. Argonne also developed statistical and data-mining procedures to analyze and display the data collected in easy-to-use “dashboards.”
The program, called the Enhanced Critical Infrastructure Protection (ECIP) Program, relies on information collected by 93 DHS Protective Security Advisors (PSAs) who are located throughout the United States. The PSAs use a Web-data collection template that Argonne developed for DHS. The ECIP template — and underlying methodology — has more than 1,500 variables covering six major security-related components (e.g., physical security and security management) and 42 subcomponents (e.g., access control). Data collected as part of the ECIP Program undergo extensive quality assurance and quality control processes.
To facilitate comparisons among critical assets across the 18 critical infrastructure and key resources sectors (for example: Energy, Critical Manufacturing, Transportation Systems, and Water), Argonne has developed a procedure to use the collected data to estimate a vulnerability index (VI). The process for developing a VI begins with development of a protective measures index (PMI). The PMI is constructed so that it increases as protective measures are added. The gathered information is used to assist DHS in analyzing sector (e.g., Energy) and subsector (e.g., electricity, oil, and natural gas) vulnerabilities to identify potential ways to reduce vulnerabilities and to assist in preparing sector risk estimates. The owner/operator of infrastructure facilities also receives a dashboard, which analyzes the data collected for a specific asset. To date, more than 1,200 interactive “what if” analysis dashboards have been delivered to facilities across the United States. The dashboards show a comparison of the facility’s protection posture with that of similar sector/subsectors visited. This comparison gives the operator a feel for the asset’s security strengths and weaknesses, which may be contributing factors to its vulnerability and protection posture.
The development of the PMI and the associated VI is intended to assist DHS in conducting analyses of the vulnerabilities associated with the nation’s critical infrastructure and to explore cost-effective ways to reduce those vulnerabilities. In addition, the approach can provide valuable information to owners and operators about where they stand relative to similar assets, and protective measures that they may want to consider to reduce their vulnerability. The applications and uses of the PMI are at a very early stage in the ECIP Program, and improvements in concept and approach are expected as the program matures. ECIP results, however, have been prominently featured in DHS reports on progress in protecting the nation’s critical infrastructure.
Recently, work has begun on developing a resiliency index from the question set of the ECIP that will assess the robustness, resourcefulness (pre-event and post-event), and recovery of a facility based on the same concept.