Defense Critical Infrastructure: Actions Needed to Improve the Identification and Management of Electrical Power Risks and Vulnerabilities to DOD Critical Assets
Highlights
The Department of Defense (DOD) relies on a global network of defense critical infrastructure so essential that the incapacitation, exploitation, or destruction of an asset within this network could severely affect DOD's ability to deploy, support, and sustain its forces and operations worldwide and to implement its core missions, including those in Iraq and Afghanistan as well as its homeland defense and strategic missions. In October 2008, DOD identified its 34 most critical assets in this network--assets of such extraordinary importance to DOD operations that according to DOD, their incapacitation or destruction would have a very serious, debilitating effect on the ability of the department to fulfill its missions. Located both within the United States and abroad, DOD's most critical assets include both DOD- and non-DOD-owned assets. DOD relies overwhelmingly on commercial electrical power grids for secure, uninterrupted electrical power supplies to support its critical assets. DOD is the single largest consumer of energy in the United States, as we have noted in previous work. According to a 2008 report by the Defense Science Board Task Force on DOD's Energy Strategy, DOD has traditionally assumed that commercial electrical power grids are highly reliable and subject to only infrequent (generally weather-related), short-term disruptions. For backup supplies of electricity, DOD has depended primarily on diesel generators with short-term fuel supplies. In 2008, however, the Defense Science Board reported that "[c]ritical national security and homeland defense missions are at an unacceptably high risk of extended outage from failure of the [commercial electrical power] grid" upon which DOD overwhelmingly relies for its electrical power supplies. Specifically, the reliability and security of commercial electrical power grids are increasingly threatened by a convergence of challenges, including increased user demand, an aging electrical power infrastructure, increased reliance on automated control systems that are susceptible to cyberattack, the attractiveness of electrical power infrastructure for terrorist attacks, long lead times for replacing key electrical power equipment, and more frequent interruptions in fuel supplies to electricity-generating plants. As a result, commercial electrical power grids have become increasingly fragile and vulnerable to extended disruptions that could severely impact DOD's most critical assets, their supporting infrastructure, and ultimately the missions they support.
DOD's most critical assets are vulnerable to disruptions in electrical power supplies, but DOD lacks sufficient information to determine the full extent of the risks and vulnerabilities these assets face. All 34 of these most critical assets require electricity continuously to support their military missions, and 31 of them rely on commercial power grids--which the Defense Science Board Task Force on DOD Energy Strategy has characterized as increasingly fragile and vulnerable--as their primary source of electricity. DOD Instruction 3020.45 requires DOD to conduct vulnerability assessments on all its most critical assets at least once every 3 years. Also, the Office of the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs ASD(HD&ASA) has requested the U.S. Army Corps of Engineers--which serves as the Defense Critical Infrastructure Program's Defense Infrastructure Sector Lead Agent for Public Works--to conduct preliminary technical analyses of DOD installation infrastructure (including electrical power infrastructure) to support the teams conducting Defense Critical Infrastructure Program vulnerability assessments on the most critical assets. (1) As of June 2009, and according to ASD(HD&ASA) and the Joint Staff, DOD had conducted Defense Critical Infrastructure Program vulnerability assessments on 14 of the 34 most critical assets.18 DOD has not conducted the remaining assessments because it did not identify the most critical assets until October 2008. To comply with the instruction, DOD would have to complete Defense Critical Infrastructure Program vulnerability assessments on all most critical assets by October 2011. (2) DOD has neither conducted, nor developed additional guidelines and time frames for conducting, these vulnerability assessments on any of the five non-DOD-owned most critical assets located in the United States or foreign countries, citing security concerns and political sensitivities. (3) The U.S. Army Corps of Engineers has not completed the preliminary technical analyses requested because it has not yet received infrastructure-related information regarding the networks, assets, points of service, and inter- and intradependencies related to electrical power systems that it requires from the military services. (4) Although DOD is in the process of developing guidelines, it does not systematically coordinate Defense Critical Infrastructure Program vulnerability assessment processes and guidelines with those of other, complementary DOD mission assurance programs--including force protection; antiterrorism; information assurance; continuity of operations; chemical, biological, radiological, nuclear, and high-explosive defense; readiness; and installation preparedness--that also examine electrical power vulnerabilities of the most critical assets, because DOD has not established specific guidelines for such systematic coordination. (5) The 10 Defense Critical Infrastructure Program vulnerability assessments we reviewed did not explicitly consider assets' vulnerabilities to longer-term (i.e., of up to several weeks' duration) electrical power disruptions19 on a mission-specific basis, as DOD has not developed explicit Defense Critical Infrastructure Program benchmarks for assessing electrical power vulnerabilities associated with longer-term electrical power disruptions. With more comprehensive knowledge of the most critical assets' risks and vulnerabilities to electrical power disruptions, DOD can better avoid compromising crucial DOD-wide missions during electrical power disruptions. This additional information may also improve DOD's ability to effectively prioritize funding needed to address identified risks and vulnerabilities of its most critical assets to electrical power disruptions.
Recommendations
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Defense | To ensure that DOD has sufficient information to determine the full extent of the risks and vulnerabilities to electrical power disruptions of its most critical assets, the Secretary of Defense should direct the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs, in collaboration with the Joint Staff's Directorate for Antiterrorism and Homeland Defense, combatant commands, military services, and other Defense Critical Infrastructure Program stakeholders, as appropriate, to complete Defense Critical Infrastructure Program vulnerability assessments, as required by DOD Instruction 3020.45, on all of DOD's most critical assets by October 2011. |
On 6/23/11, DOD reported that the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD [HD&ASA]) Defense Critical Infrastructure Program (DCIP) Office has been working closely with the Joint Staff, which is assigned responsibility for the implementation of vulnerability assessments in DOD Instruction 3020.45, to ensure that DCIP vulnerability assessments focus on DOD's most critical assets. The Joint Staff, in coordination with OASD (HD&ASA) has begun ensuring that these most critical assets are assessed utilizing an all-hazards and mission-assurance approach, including the development of a self-assessment capability. On 6/10/11, the DCIP Office provided a schedule of vulnerability assessments that were planned for completion by 10/10/11. Assessments were to be conducted by the Mission Assurance Division of the Naval Surface Warfare Center in Dahlgren, Virginia. On 7/7/12, DOD reported that the DCIP vulnerability assessments on all critical assets from the 2008 critical asset list had been assessed or were removed from the updated 2010 critical asset list due to risk reduction activities or further criticality analysis and, therefore, no longer required this type of assessment. In July 2013, DOD reported that all critical assets from the 2008 and 2010 lists were assessed and that the department currently is working on follow-on assessments to meet the 3-year cycle requirement. DOD also provided GAO with a copy of a classified remote assessment of the last remaining non-DOD-owned site abroad. With this action in July 2013, DOD has implemented GAO's recommendation.
|
| Department of Defense | To ensure that DOD has sufficient information to determine the full extent of the risks and vulnerabilities to electrical power disruptions of its most critical assets, the Secretary of Defense should direct the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs, in collaboration with the Joint Staff's Directorate for Antiterrorism and Homeland Defense, combatant commands, military services, and other Defense Critical Infrastructure Program stakeholders, as appropriate, to develop additional guidelines, an implementation plan, and a schedule for conducting Defense Critical Infrastructure Program vulnerability assessments on all non-DOD-owned most critical assets located in the United States and abroad in conjunction with other federal agencies, as appropriate, that have a capability to implement the plan. |
On 6/23/11, the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD [HD&ASA]) Defense Critical Infrastructure Program (DCIP) Office reported that it has been working closely with the Joint Staff, which is assigned responsibility for the implementation of vulnerability assessments in DOD Instruction 3020.45, to ensure that DCIP vulnerability assessments focus on DOD's most critical assets. The Joint Staff, in coordination with OASD (HD&ASA) had begun ensuring that these most critical assets were assessed utilizing an all-hazards and mission-assurance approach, including the development of a self-assessment capability. Non-DOD-owned assets, especially those owned abroad, require agreement of owners and present significant challenges. The ASD (HD&ASA) DCIP Office was coordinating with the appropriate offices to determine if remote assessments of these assets were possible. On 6/10/11, DOD reported that assessing critical non-DOD-owned assets in the United States is limited to voluntary participation. Assessing critical non-DOD-owned assets located overseas presents numerous challenges and dangers. As an alternative, DOD was attempting to conduct remote desk-top assessments using open source and classified information to satisfy as many of the DCIP benchmarks and standards as possible. On 8/17/11, DOD reported that a DCIP vulnerability assessment was conducted on-site (through coordination with the host nation) on the only one non-DOD-owned critical asset. DOD also reported on 8/17/11 that four of the five non-DOD-owned assets (from the 2008 critical asset list) were removed from the updated 2010 critical asset list due to risk reduction activities or further criticality analysis and, therefore, no longer required this type of assessment. DOD also provided GAO with a copy of a classified remote assessment of the last remaining non-DOD-owned site abroad. In July 2013, DOD reported that no non-DOD-owned assets remained on the 2012 critical asset list, so DOD suspended this capability. DOD has agreements with the Department of Homeland Security for sharing its non-DOD-owned domestic assets to allow DHS's Protective Security Advisor to assess and share the results with DOD as they do for all other Federal departments and agencies with similar assets. With this action in July 2013, DOD has implemented GAO's recommendation.
|
| Department of Defense | To ensure that DOD has sufficient information to determine the full extent of the risks and vulnerabilities to electrical power disruptions of its most critical assets, the Secretary of Defense should direct the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs, in collaboration with the Joint Staff's Directorate for Antiterrorism and Homeland Defense, combatant commands, military services, and other Defense Critical Infrastructure Program stakeholders, as appropriate, to establish a time frame for the military services to provide the infrastructure data required for the Public Works Defense Infrastructure Sector Lead Agent--the U.S. Army Corps of Engineers--to complete its preliminary technical analysis of public works (including electrical system) infrastructure at DOD installations that support DOD's most critical assets. |
On 6/23/10, DOD reported that the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD [HD&ASA]) Defense Critical Infrastructure Program (DCIP) Office had been working closely with the U.S. Army Corps of Engineers (USACE), which is the lead agent for the Public Works Defense Sector, to ensure that proper characterization of critical assets was taking place from a public works perspective. A milestone plan was established by the DCIP Office for the military services to provide infrastructure data to the Public Works Defense Infrastructure Sector Agency (DISLA)--USACE. As stated in Step 7 of DOD Manual 3020.45 Volume 1, Defense Critical Infrastructure Program (DCIP): DOD Mission-Based Critical Asset Identification Process (CAIP), October 24, 2008, the Public Works Sector requires infrastructure data from the military services to conduct dependency analysis of "commercial utility support (electric power, natural gas, etc., as appropriate) to critical assets of interest." The timeframe is dictated in DOD Manual 3020.45 Volume 5, Defense Critical Infrastructure Program (DCIP): Execution Timeline, May 24, 2010. On 8/19/11, DOD reported that dependency analysis must be initiated E+31 and completed within 17 months. E date has been established by the Defense Critical Infrastructure Office as 7/1/10. The effort, while time intensive, had so far been successful and was on-going. USACE had completed its characterization of public works infrastructure "outside the fence" for all of DOD's most critical assets, and was working with the military services to obtain information on the public works infrastructure "inside the fence." For the Public Works DISLA to conduct an in-depth dependency analysis, the data from the military services was expected to be given shortly after E+31. The Public Works Sector DISLA had been in coordination with OASD (HD&ASA); DUSD (I&E); Joint Staff (J-34); Defense Threat Reduction Agency; and the Mission Assurance Division of the Naval Surface Warfare Center in Dahlgren, Virginia. A course of action was developed on 6/2/10 with OUSD (AT&L) as lead agency for acquiring military installation utility infrastructure data. The Public Works Sector DISLA provided a list of geographic information system data elements to those organizations conducting the analysis. The Public Works Sector DISLA continues to support DUSD (I&E) and other associated agencies to obtain infrastructure data to meet the milestones established by DOD Manual 3020.45, Volume 5. In July 2013, DOD provided GAO with a copy of DOD Manual 3020.45, Volume 5 with the classified attachments. With these actions, DOD has implemented GAO's recommendation.
|
| Department of Defense | To ensure that DOD has sufficient information to determine the full extent of the risks and vulnerabilities to electrical power disruptions of its most critical assets, the Secretary of Defense should direct the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs, in collaboration with the Joint Staff's Directorate for Antiterrorism and Homeland Defense, combatant commands, military services, and other Defense Critical Infrastructure Program stakeholders, as appropriate, to finalize guidelines currently being developed to coordinate Defense Critical Infrastructure Program assessment criteria and processes more systematically with those of other DOD mission assurance programs. |
On 7/10/12, DOD reported that DOD Directive 3020.40, Defense Critical Infrastructure Program (DCIP) (Aug. 19, 2005), acknowledges the existence of, and the synergistic effect of various complimentary risk management program activities and security related functions in its definition of Mission Assurance. The other activities respond to their own directives and appropriations, and several have their own assessment programs, but they have not yet been brought under a common mission assurance umbrella. Critical Infrastructure Protection (CIP) at the installation level is in its early stages and is not yet mature. For example, many of the positions dealing with CIP at the installation level are additional duties. The Joint Staff was overseeing a vulnerability assessment way ahead to better synchronize these efforts. On 7/10/12, DOD also reported that ASD(HD&ASA) had appointed a Mission Assurance Director to whom the Defense Critical Infrastructure Office and Antiterrorism/Force Protection Offices now report. The estimated completion date for a Mission Assurance Strategy that addresses roles and responsibilities and the way ahead was 12/31/10. In May 2011, DOD reported that the Mission Assurance Strategy that addresses the coordination of DCIP assessment criteria and processes with those of other DOD mission assurance programs was still in final coordination and expected to be released on 9/1/11. In January 2012, DOD reported that the Mission Assurance Strategy was placed on hold pending release of overarching strategy documents to ensure alignment and noted the updated release date was now 7/1/12. On 7/13/12, DOD reported that The Mission Assurance Strategy had been signed on 5/7/12. With this action, DOD has implemented GAO's recommendation.
|
| Department of Defense | To ensure that DOD has sufficient information to determine the full extent of the risks and vulnerabilities to electrical power disruptions of its most critical assets, the Secretary of Defense should direct the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs, in collaboration with the Joint Staff's Directorate for Antiterrorism and Homeland Defense, combatant commands, military services, and other Defense Critical Infrastructure Program stakeholders, as appropriate, to develop explicit Defense Critical Infrastructure Program guidelines for assessing the critical assets' vulnerabilities to long-term electrical power disruptions. |
On 6/23/11, DOD reported that ASD (HD&ASA) Defense Critical Infrastructure Protection (DCIP) Office will review current vulnerability assessment criteria and standards and work with the Joint Staff to include considerations of long-term electrical power disruptions. Vulnerabilities are directly related to mission and its duration and the duration of the outage. A significant number of critical assets have back-up power sources available in the event that commercial power is disrupted. As GAO noted in its report (GAO-12-147, Oct. 23, 2009), 25 of the 34 assets surveyed reported that electrical power disruptions resulted in no or minimal impact to their missions. The Department is working on providing the same protection from commercial power disruption to the remaining assets. DOD also reported on 6/23/11 that to assist DOD Components in completing the Congressionally-mandated vulnerability assessments for all DOD Tier One critical assets, and determine the susceptibility of the most important assets' electrical vulnerabilities, DOD developed the Defense Critical Infrastructure Protection Self-Assessment Tool (DSAT), which was implemented in April 2010. On 4/13/10, ASD (HD&ASA) signed a memorandum to DOD Components allowing use of the DSAT to conduct these assessments. DSAT was made available to DOD Components during the week of 4/19/10. Assessments of the most important assets were to be completed by mid-August 2010. As the DCIP Benchmarks and Standards are built into the tool, these efforts will assess critical electrical power concerns. As installations and asset owners complete the DSAT, they will have enough information to begin addressing remediation efforts. On 8/17/11, DOD reported that the DSAT tool updated and used to gather electric power data for Congressionally mandated assessment of all Tier One assets. ASD(HD&ASA) has developed an explicit DCIP guideline for assessing the critical assets' vulnerabilities to long-term electrical power disruptions by incorporating risk mitigation Benchmarks and Standards into DSAT. An Electric Power Questions Module was added to DSAT to address critical electrical power concerns. Screen shots of DSAT electric power benchmarks were submitted to GAO with this update. In July 2013, DOD provided GAO with a copy of 21 electric power grid questions with classified attachments regarding critical assets' vulnerabilities to long-term electrical power disruptions. With these actions, DOD has implemented GAO's recommendation.
|
| Department of Defense | To enhance DOD's efforts to mitigate these assets' risks and vulnerabilities to electrical power disruptions and leverage previous assessments and multiple asset owners' information, the Secretary of Defense should direct the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs, in collaboration with the Joint Staff's Directorate for Antiterrorism and Homeland Defense, combatant commands, military services, and other Defense Critical Infrastructure Program stakeholders, as appropriate, to develop a mechanism to systematically track the implementation of future Defense Critical Infrastructure Program risk management decisions and responses intended to address electrical power-related risks and vulnerabilities to DOD's most critical assets. |
On 6/23/11, DOD reported that ASD (HD&ASA) Defense Critical Infrastructure Program (DCIP) Office had developed a draft DOD Manual 3020.45 Volume 5, Defense Critical Infrastructure Program (DCIP) Coordination Timeline, currently in coordination within the Department. The purpose of the manual is to provide uniform procedures for the execution of DCIP activities and timelines that OASD (HD&ASA), the Joint Staff, military departments, combatant commands (COCOM), Defense Agencies, and the Defense Infrastructure Sector Lead Agencies (DISLA) will use to coordinate the execution of activities and responsibilities assigned in DOD Directive 3020.40, DOD Instruction 3020.45, DOD Manual 3020.45 Volumes 1, and 2, and the resultant risk decision packages. The timeline will serve as a forcing function to ensure the accomplishment of tasks and to provide feedback to the components on status of actions, including electrical power-related risks and vulnerabilities. On 6/23/11, DOD also reported that DOD Manual 3020.45 Volume 5, Defense Critical Infrastructure Program (DCIP): Execution Timeline was issued on 5/24/10. The Execution Timeline identifies due dates for major DCIP responsibilities requiring coordination either individually or as part of other efforts. These major responsibilities include criticality, threats and hazards, vulnerability, risk response, and resourcing. Paragraph 4 of the Enclosure to the Manual provides guidance for the implementation of vulnerability assessment-related responsibilities, but does not get to the level of detail of specific vulnerabilities such as electric power-related risks. Within a given vulnerability assessment, the Benchmarks and Standards provide guidelines for assessing those details. The Manual does provide timelines for a post-assessment out brief and final report. Based on the DOD Manual 3020.45 Volumes 1, 2, and 5, systematic tracking of risk management decisions and responses on DOD's most critical assets can occur in a section of the online Critical Asset Identification Process (CAIP) tool. Initial training on the tool was to be conducted at the next DOD Defense Critical Infrastructure Integration Staff (DCIIS) meeting in June 2010. The tool requires coordination between the Departments, COCOMs, and DISLAs. As the COCOMs, military services, and DISLAs begin their analysis, this tool will greatly assist the accuracy and coordination between the asset owners and mission owners to ensure they are communicating. In June 2011, DOD reported that the CAIP tool was found to be insufficient to meet these coordination needs due to the classifications levels associated with some of these most critical assets. With release of the 2010 most critical asset list, the ASD (HD&ASA) directed the military services and Defense Agencies who own these assets to complete risk decisions packages (RDPs) where appropriate assessment data was available. On 3/31/11, the ASD received 24 packages that addressed remediation courses of action for these most critical assets. These packages were coordinated between assets owners and other DOD Components with interest in these assets. These packages covered remediation courses of action, including those for electric power. ASD and the Community maintain these documented means to track these actions. Additional packages will be submitted and/or updated annually. In July 2013, DOD noted that DOD tracks the implementation of risk management decisions through the biannual DCIIS meetings. These discussions are held at the TS/SCI level due to the sensitivity of the issues. DOD provided GAO with a copy of the most recent preparation e-mail for the 5/16/13 DCIIS to demonstrate this practice. With these actions, DOD has implemented GAO's recommendation.
|
| Department of Defense | To enhance DOD's efforts to mitigate these assets' risks and vulnerabilities to electrical power disruptions and leverage previous assessments and multiple asset owners' information, the Secretary of Defense should direct the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs, in collaboration with the Joint Staff's Directorate for Antiterrorism and Homeland Defense, combatant commands, military services, and other Defense Critical Infrastructure Program stakeholders, as appropriate, to ensure for DOD-owned most critical assets, and facilitate for non-DOD-owned most critical assets, that asset owners or host installations of the most critical assets, where appropriate, reach out to local electricity providers in an effort to coordinate and help remediate or mitigate risks and vulnerabilities to electrical power disruptions that may be identified for DOD's most critical assets. |
On 6/23/10, DOD reported that in May 2007, the ASD(HD&ASA) Defense Critical Infrastructure Protection (DCIP) Office promulgated the DCIP Infrastructure Resiliency Guide that provides information for improving the resiliency of infrastructure systems, networks, and solutions for reducing risks to infrastructure networks. The Department has identified the common vulnerabilities to infrastructure as a result of numerous infrastructure vulnerability assessments conducted by multiple agencies and organizations within DOD. The guide is a compilation of these findings and the resultant corrective actions. The guide contains a section devoted to electric power and provides guidelines to government and private-sector decision makers and those responsible for electric power supply, to ensure electric power disruptions do not adversely or unexpectedly affect mission accomplishment. The guide includes such actions as (1) Understand the requirements for electric power, how it is delivered, and the relative priority for restoring power, (2) Ensure and maintain provider awareness of critical times when power is essential to mission execution, and (3) Work with the electric power providers to identify remedies to potential single points of failure. On 10/28/08, the ASD (HD&ASA) DCIP Office also promulgated DOD Manual 3020.45 Volume 2, DCIP Remediation Planning, which describes a process for DOD leaders, once risk has been assessed, to determine, plan, justify, and implement remediation actions to reduce risk to defense critical infrastructure. The manual acknowledges that the DOD mission depends upon public infrastructure networks and services such as transportation, electric power, and communication networks. The manual advises the DOD facility managers to establish good communications with public service providers about service requirement, and to review service level agreements, acquisition programs, contracts, and operational processes for opportunities to address and include stronger resiliency language and requirements for future remediation efforts. This guidance will be reinforced at DCIP collaboration forums such as the Defense Critical Infrastructure Integration Staff, Operational Advisory Board, and Defense Infrastructure Sector Council. On 8/17/11, DOD reported that remediation and mitigation measures are the responsibility of the asset owner. DCIP assessors work with Public Works officials at the various installations and sites. Part of the assessment deals with energy dependency and, inevitably, includes interviews with local power providers and their counterpart on the installation. These discussions can uncover vulnerabilities outside the fence line that may affect critical assets, but they also serve as a means for discussing potential solutions. This methodology reinforces the direction in current policy. In July 2013, DOD noted that implementation of the electric power survey questions require discussion with the commercial service provider to accurately answer the questionnaire. Specifically, survey questions 4, 8, 9, 13, and 21 require interaction with the commercial service provider. DOD also provided GAO with a copy of the questionnaire. With these actions, DOD has implemented GAO's recommendation.
|