Defense Critical Infrastructure: Actions Needed to Improve the Identification and Management of Electrical Power Risks and Vulnerabilities to DOD Critical Assets

GAO-10-147 Published: Oct 23, 2009. Publicly Released: Oct 23, 2009.

Highlights

The Department of Defense (DOD) relies on a global network of defense critical infrastructure so essential that the incapacitation, exploitation, or destruction of an asset within this network could severely affect DOD's ability to deploy, support, and sustain its forces and operations worldwide and to implement its core missions, including those in Iraq and Afghanistan as well as its homeland defense and strategic missions. In October 2008, DOD identified its 34 most critical assets in this network--assets of such extraordinary importance to DOD operations that according to DOD, their incapacitation or destruction would have a very serious, debilitating effect on the ability of the department to fulfill its missions. Located both within the United States and abroad, DOD's most critical assets include both DOD- and non-DOD-owned assets. DOD relies overwhelmingly on commercial electrical power grids for secure, uninterrupted electrical power supplies to support its critical assets. DOD is the single largest consumer of energy in the United States, as we have noted in previous work. According to a 2008 report by the Defense Science Board Task Force on DOD's Energy Strategy, DOD has traditionally assumed that commercial electrical power grids are highly reliable and subject to only infrequent (generally weather-related), short-term disruptions. For backup supplies of electricity, DOD has depended primarily on diesel generators with short-term fuel supplies. In 2008, however, the Defense Science Board reported that "[c]ritical national security and homeland defense missions are at an unacceptably high risk of extended outage from failure of the [commercial electrical power] grid" upon which DOD overwhelmingly relies for its electrical power supplies. 
Specifically, the reliability and security of commercial electrical power grids are increasingly threatened by a convergence of challenges, including increased user demand, an aging electrical power infrastructure, increased reliance on automated control systems that are susceptible to cyberattack, the attractiveness of electrical power infrastructure for terrorist attacks, long lead times for replacing key electrical power equipment, and more frequent interruptions in fuel supplies to electricity-generating plants. As a result, commercial electrical power grids have become increasingly fragile and vulnerable to extended disruptions that could severely impact DOD's most critical assets, their supporting infrastructure, and ultimately the missions they support.

DOD's most critical assets are vulnerable to disruptions in electrical power supplies, but DOD lacks sufficient information to determine the full extent of the risks and vulnerabilities these assets face. All 34 of these most critical assets require electricity continuously to support their military missions, and 31 of them rely on commercial power grids--which the Defense Science Board Task Force on DOD Energy Strategy has characterized as increasingly fragile and vulnerable--as their primary source of electricity. DOD Instruction 3020.45 requires DOD to conduct vulnerability assessments on all its most critical assets at least once every 3 years. Also, the Office of the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD(HD&ASA)) has requested the U.S. Army Corps of Engineers--which serves as the Defense Critical Infrastructure Program's Defense Infrastructure Sector Lead Agent for Public Works--to conduct preliminary technical analyses of DOD installation infrastructure (including electrical power infrastructure) to support the teams conducting Defense Critical Infrastructure Program vulnerability assessments on the most critical assets. (1) As of June 2009, and according to ASD(HD&ASA) and the Joint Staff, DOD had conducted Defense Critical Infrastructure Program vulnerability assessments on 14 of the 34 most critical assets. DOD has not conducted the remaining assessments because it did not identify the most critical assets until October 2008. To comply with the instruction, DOD would have to complete Defense Critical Infrastructure Program vulnerability assessments on all most critical assets by October 2011. (2) DOD has neither conducted, nor developed additional guidelines and time frames for conducting, these vulnerability assessments on any of the five non-DOD-owned most critical assets located in the United States or foreign countries, citing security concerns and political sensitivities. (3) The U.S. Army Corps of Engineers has not completed the preliminary technical analyses requested because it has not yet received infrastructure-related information regarding the networks, assets, points of service, and inter- and intradependencies related to electrical power systems that it requires from the military services. (4) Although DOD is in the process of developing guidelines, it does not systematically coordinate Defense Critical Infrastructure Program vulnerability assessment processes and guidelines with those of other, complementary DOD mission assurance programs--including force protection; antiterrorism; information assurance; continuity of operations; chemical, biological, radiological, nuclear, and high-explosive defense; readiness; and installation preparedness--that also examine electrical power vulnerabilities of the most critical assets, because DOD has not established specific guidelines for such systematic coordination. (5) The 10 Defense Critical Infrastructure Program vulnerability assessments we reviewed did not explicitly consider assets' vulnerabilities to longer-term (i.e., of up to several weeks' duration) electrical power disruptions on a mission-specific basis, as DOD has not developed explicit Defense Critical Infrastructure Program benchmarks for assessing electrical power vulnerabilities associated with longer-term electrical power disruptions. With more comprehensive knowledge of the most critical assets' risks and vulnerabilities to electrical power disruptions, DOD can better avoid compromising crucial DOD-wide missions during electrical power disruptions. This additional information may also improve DOD's ability to effectively prioritize funding needed to address identified risks and vulnerabilities of its most critical assets to electrical power disruptions.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Defense To ensure that DOD has sufficient information to determine the full extent of the risks and vulnerabilities to electrical power disruptions of its most critical assets, the Secretary of Defense should direct the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs, in collaboration with the Joint Staff's Directorate for Antiterrorism and Homeland Defense, combatant commands, military services, and other Defense Critical Infrastructure Program stakeholders, as appropriate, to complete Defense Critical Infrastructure Program vulnerability assessments, as required by DOD Instruction 3020.45, on all of DOD's most critical assets by October 2011.
Closed – Implemented
On 6/23/11, DOD reported that the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD [HD&ASA]) Defense Critical Infrastructure Program (DCIP) Office has been working closely with the Joint Staff, which is assigned responsibility for the implementation of vulnerability assessments in DOD Instruction 3020.45, to ensure that DCIP vulnerability assessments focus on DOD's most critical assets. The Joint Staff, in coordination with OASD (HD&ASA) has begun ensuring that these most critical assets are assessed utilizing an all-hazards and mission-assurance approach, including the development of a self-assessment capability. On 6/10/11, the DCIP Office...
Department of Defense To ensure that DOD has sufficient information to determine the full extent of the risks and vulnerabilities to electrical power disruptions of its most critical assets, the Secretary of Defense should direct the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs, in collaboration with the Joint Staff's Directorate for Antiterrorism and Homeland Defense, combatant commands, military services, and other Defense Critical Infrastructure Program stakeholders, as appropriate, to develop additional guidelines, an implementation plan, and a schedule for conducting Defense Critical Infrastructure Program vulnerability assessments on all non-DOD-owned most critical assets located in the United States and abroad in conjunction with other federal agencies, as appropriate, that have a capability to implement the plan.
Closed – Implemented
On 6/23/11, the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD [HD&ASA]) Defense Critical Infrastructure Program (DCIP) Office reported that it has been working closely with the Joint Staff, which is assigned responsibility for the implementation of vulnerability assessments in DOD Instruction 3020.45, to ensure that DCIP vulnerability assessments focus on DOD's most critical assets. The Joint Staff, in coordination with OASD (HD&ASA) had begun ensuring that these most critical assets were assessed utilizing an all-hazards and mission-assurance approach, including the development of a self-assessment capability. Non-DOD-owned assets, especially...
Department of Defense To ensure that DOD has sufficient information to determine the full extent of the risks and vulnerabilities to electrical power disruptions of its most critical assets, the Secretary of Defense should direct the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs, in collaboration with the Joint Staff's Directorate for Antiterrorism and Homeland Defense, combatant commands, military services, and other Defense Critical Infrastructure Program stakeholders, as appropriate, to establish a time frame for the military services to provide the infrastructure data required for the Public Works Defense Infrastructure Sector Lead Agent--the U.S. Army Corps of Engineers--to complete its preliminary technical analysis of public works (including electrical system) infrastructure at DOD installations that support DOD's most critical assets.
Closed – Implemented
On 6/23/10, DOD reported that the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD [HD&ASA]) Defense Critical Infrastructure Program (DCIP) Office had been working closely with the U.S. Army Corps of Engineers (USACE), which is the lead agent for the Public Works Defense Sector, to ensure that proper characterization of critical assets was taking place from a public works perspective. A milestone plan was established by the DCIP Office for the military services to provide infrastructure data to the Public Works Defense Infrastructure Sector Agency (DISLA)--USACE. As stated in Step 7 of DOD Manual 3020.45 Volume 1, Defense Critical Infrastructure...
Department of Defense To ensure that DOD has sufficient information to determine the full extent of the risks and vulnerabilities to electrical power disruptions of its most critical assets, the Secretary of Defense should direct the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs, in collaboration with the Joint Staff's Directorate for Antiterrorism and Homeland Defense, combatant commands, military services, and other Defense Critical Infrastructure Program stakeholders, as appropriate, to finalize guidelines currently being developed to coordinate Defense Critical Infrastructure Program assessment criteria and processes more systematically with those of other DOD mission assurance programs.
Closed – Implemented
On 7/10/12, DOD reported that DOD Directive 3020.40, Defense Critical Infrastructure Program (DCIP) (Aug. 19, 2005), acknowledges the existence of, and the synergistic effect of, various complementary risk management program activities and security-related functions in its definition of Mission Assurance. The other activities respond to their own directives and appropriations, and several have their own assessment programs, but they have not yet been brought under a common mission assurance umbrella. Critical Infrastructure Protection (CIP) at the installation level is in its early stages and is not yet mature. For example, many of the positions dealing with CIP at the installation level...
Department of Defense To ensure that DOD has sufficient information to determine the full extent of the risks and vulnerabilities to electrical power disruptions of its most critical assets, the Secretary of Defense should direct the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs, in collaboration with the Joint Staff's Directorate for Antiterrorism and Homeland Defense, combatant commands, military services, and other Defense Critical Infrastructure Program stakeholders, as appropriate, to develop explicit Defense Critical Infrastructure Program guidelines for assessing the critical assets' vulnerabilities to long-term electrical power disruptions.
Closed – Implemented
On 6/23/11, DOD reported that ASD (HD&ASA) Defense Critical Infrastructure Protection (DCIP) Office will review current vulnerability assessment criteria and standards and work with the Joint Staff to include considerations of long-term electrical power disruptions. Vulnerabilities are directly related to mission and its duration and the duration of the outage. A significant number of critical assets have back-up power sources available in the event that commercial power is disrupted. As GAO noted in its report (GAO-12-147, Oct. 23, 2009), 25 of the 34 assets surveyed reported that electrical power disruptions resulted in no or minimal impact to their missions. The Department is working...
Department of Defense To enhance DOD's efforts to mitigate these assets' risks and vulnerabilities to electrical power disruptions and leverage previous assessments and multiple asset owners' information, the Secretary of Defense should direct the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs, in collaboration with the Joint Staff's Directorate for Antiterrorism and Homeland Defense, combatant commands, military services, and other Defense Critical Infrastructure Program stakeholders, as appropriate, to develop a mechanism to systematically track the implementation of future Defense Critical Infrastructure Program risk management decisions and responses intended to address electrical power-related risks and vulnerabilities to DOD's most critical assets.
Closed – Implemented
On 6/23/11, DOD reported that ASD (HD&ASA) Defense Critical Infrastructure Program (DCIP) Office had developed a draft DOD Manual 3020.45 Volume 5, Defense Critical Infrastructure Program (DCIP) Coordination Timeline, currently in coordination within the Department. The purpose of the manual is to provide uniform procedures for the execution of DCIP activities and timelines that OASD (HD&ASA), the Joint Staff, military departments, combatant commands (COCOM), Defense Agencies, and the Defense Infrastructure Sector Lead Agencies (DISLA) will use to coordinate the execution of activities and responsibilities assigned in DOD Directive 3020.40, DOD Instruction 3020.45, DOD Manual 3020.45...
Department of Defense To enhance DOD's efforts to mitigate these assets' risks and vulnerabilities to electrical power disruptions and leverage previous assessments and multiple asset owners' information, the Secretary of Defense should direct the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs, in collaboration with the Joint Staff's Directorate for Antiterrorism and Homeland Defense, combatant commands, military services, and other Defense Critical Infrastructure Program stakeholders, as appropriate, to ensure for DOD-owned most critical assets, and facilitate for non-DOD-owned most critical assets, that asset owners or host installations of the most critical assets, where appropriate, reach out to local electricity providers in an effort to coordinate and help remediate or mitigate risks and vulnerabilities to electrical power disruptions that may be identified for DOD's most critical assets.
Closed – Implemented
On 6/23/10, DOD reported that in May 2007, the ASD(HD&ASA) Defense Critical Infrastructure Protection (DCIP) Office promulgated the DCIP Infrastructure Resiliency Guide that provides information for improving the resiliency of infrastructure systems, networks, and solutions for reducing risks to infrastructure networks. The Department has identified the common vulnerabilities to infrastructure as a result of numerous infrastructure vulnerability assessments conducted by multiple agencies and organizations within DOD. The guide is a compilation of these findings and the resultant corrective actions. The guide contains a section devoted to electric power and provides guidelines to...

Topics

Assets, Critical infrastructure, Defense capabilities, Defense operations, Electric energy, Electric power generation, Electric power transmission, Risk assessment, Risk factors, Risk management, Strategic planning