GOVERNOR’S OFFICE OF

Overview of California’s Critical Infrastructure Protection Program

Brian L. Keith Deputy Director, Critical Infrastructure Protection

California Office of Homeland Security

Chemical Facilities Anti-Terrorism Standards (CFATS) Workshop

July 31, 2008

California Critical Infrastructure

Facts

Water — 34 lakes and reservoirs; 1468 dams, 140 of which have a capacity greater than 10,000 acre-feet; 701 miles of canals and pipelines; and 1595 miles of levees

Transportation — 50,000 lane miles of highways; 257 public use airports, 42 are certified for air carrier operations; 186,076 miles of public roads;12,000 bridges and 120,000 miles of major railroad tracks

Agriculture — 74,000 farms, and $26 billion in farming related sales since 2002

Finance — 6619 commercial banks with deposits of $753 billion; 562 credit unions with $115 billion in assets

Oil and Natural Gas — 6,000 miles of hazardous liquid pipelines; 21 refineriesand 100 terminal facilities

Electrical Power — 500 power plants; 25,000circuit mile “electron highway”

Chemical — Approximately 2,500 “high risk” facilities

Critical Infrastructure and Key Resource (CI/KR) Sectors

National Risk Management Framework

California's Strategy

Prevent terrorist attacks within the United States;

Reduce America’s vulnerability to terrorism; and

Minimize the damage and recover from attacks that do occur.

Critical Infrastructure- How do we: Identify Prioritize Protect

National Asset Database (NADB)

This inventory can be used to determine which assets systems, or networks are nationally critical, state critical, or locally critical based on the most current risk profile.

The NADB identifies baseline criteria that serve as a guide for integrating existing methodologies or modifying them so they can be used to support national-level comparative risk assessments within and between the 17 Critical Infrastructure/Key Resource Sectors.

Soon to be replaced by DHS’s Infrastructure Critical Asset Viewer (ICAV)

Automated Critical Asset Management System (ACAMS)

ACAMS is a secure, Web-based information management tool designed specifically to capture, store, and view critical asset data.

Sector Partnerships and Communication Networks

Automated Critical Asset Management System

(ACAMS)Constellation/ACAMS is a secure, Web-based

information management tool designed specifically to capture, store, and view critical asset data. Features include:

Critical asset inventory and prioritization modeling

Asset manager questionnaires Critical asset assessments Site specific pre-incident security enhancement

plans Buffer Zone Plans Building inventories Site specific post-occurrence/response plans

ACAMS focus is on two key functions:

Collecting and communicating information for prevention

Strategic pre-incident planning measures to assist in an effective response to critical incidents including, but not limited to terrorism.

California Critical Infrastructure ProtectionHow do we manage Risk?

To determine risk, we are working with security partners to assess consequences, vulnerabilities, and threats associated with the asset, system, or network.

Threat

Vulnerabilities Consequence______

RISK = f (T) (V) (C)

Risk can be calculated for an asset, system, or network at the national, sector, regional, or local level.

The result is a comprehensive, systematic assessment of risk.

California Critical Infrastructure ProtectionHow do we calculate Risk?

What is the Protected Critical Infrastructure Information (PCII)

Program?

The PCII Program is an information sharing and protection tool that encourages the private sector to voluntarily share sensitive information with the government with the assurance that the information, if it satisfies the requirements of the Critical Infrastructure Act of 2002 will be protected from public disclosure through the Freedom of Information Act, State and local sunshine laws, and use in civil litigation.

In 2005, the California legislature passed AB1495 which provides similar protection from the California Public Records Act.

In August 2006, California became among the nation’s first PCII accredited states.

Critical Infrastructure-How do we:Identify Prioritize Protect

Conduct Statewide Data Calls for Tier 1 & Tier 2 Assets

National Center for Risk and Economic Analysis of Terrorism Events (CREATE) consequence studies

Sandia National Labs Selection Criteria

Sandia Selection Criteria Tool(California Specific)

The NIPP – The Role of Private Sector

Owners and operators generally represent

the first line of defense for the CI/KR under

their control.

Private sector owners and operators are

responsible for taking action to support risk

management planning and investments in

security as a necessary component of

prudent business planning and operations.

Public/Private Partnerships

Homeland Security Advisory Committee (HSAC)

Business Executives for National Security (BENS)

Infragard

Model Program -Ventura County Economic Development Association (VCEDA) TRIAD Initiative

Business Continuity Planning

1. Carefully assess how your company functions, both internally and externally, to determine which staff, materials, procedures and equipment are absolutely necessary to keep the business operating.

2. Review your business process flow chart if one exists

3. Identify operations critical to survival and recovery4.

5. Include emergency payroll, expedited financial decision-making and accounting systems to track and document costs in the event of a disaster

6. Establish procedures for succession of management. Include at least one person who is not at the company headquarters, if applicable

Critical Infrastructure-How do we: Identify Prioritize Protect

Suggested Physical Protective Measures through the Buffer Zone Protection Program (BZPP)

DHS Comprehensive Review Program for Tier 1 sites

Various other sector specific grant programs (IPP) involving Railroads, Seaports, Mass Transit, Chemical Industry, and others.

Provide awareness level training to Private Sector (PSCT) Training. Long Beach, Oakland

Information Sharing through the STTAC, RTTACS, and TLO Program

How do we Counter the Threat?

RTTACs

• RTTACs are comprised of law enforcement, fire and emergency personnel and have an analytical focus.

• RTTACs are either co-located or have close relationship with FBI to augment analytical capabilities.

• RTTACs are or will be housed in regional fusion centers (LA-JRIC, SC-CCIC, SD-LECC)

• RTTACs coordinate & train Terrorism Liaison Officers (TLOs) assigned within their jurisdiction

• RTTACs also have critical infrastructure focus and liaison (80% in private hands)

Examples of Protective Security Implementation

CitiesSectors Events

Augment guard force Increase check pointsIncreased vigilance

Deploy sensors Human intelligenceDeploy additional law

enforcement

Air defenseEstablish buffer zone Establish barriers

Don’t publicize VIP

attendance

Harden critical structural

components

Disperse hazardous

components

Principles of ProtectiveSecurity

Defend

Devalue

Detect

Deter

Critical Infrastructure-How do we: Measure Effectiveness

Developing metrics to measure capabilities, preparedness efforts, training

Using Risk Mitigation Reports to drive grant funding:

Investment justifications

Assisting Private Sector with Business Continuity Plans to ensure Resiliency in the business community

Assisting state and local governments with Continuity of Operations Continuity of Government Planning (COOP/COG)

Repeating the Risk Management cycle

Questions?

Brian KeithDeputy Director, Critical Infrastructure Protection

brian.keith@ohs.ca.gov(916) 601-8249

Thank you!!!