InfoGram

May 17, 2001

NOTE: This InfoGram will be distributed weekly to provide members of the emergency services sector with news and information concerning the protection of their critical infrastructures. For further information please contact the U.S. Fire Administration's Critical Infrastructure Protection Information Center at (301) 447-1325 or email at usfacipc@dhs.gov.

New National CIP Plan

An official of President Bush's Administration said that writing has begun on a new version of the federal government's plan for protecting critical infrastructures. Claiming that the existing plan is flawed, the White House official also said the new plan will be ready for action later this year. The Commerce Department's Critical Infrastructure Assurance Office is now coordinating with several other federal departments and agencies on the revised CIP plan. Meetings have already occurred with the banking and finance, electric power, rail transportation, oil and gas, and telecommunications industries as well as state and local law enforcement agencies. Kenneth Juster, an undersecretary in the Department of Commerce, noted that the task force designing the plan soon will make recommendations to President Bush on "structuring an integrated approach to national economic, governance, and national security aspects of cyber-security and critical infrastructure protection." National Security Council Senior Director, Richard Clarke, said that the plan will be written "by the government and the private sector, by the owners and the operators of the critical infrastructure-the electric power grid, banking system, transportation system, etc., and by the people who use it."

Power Outages Versus Service

Power outages present potential problems for all service providers. Recently, the loss of power supply due to an accident caused an Internet Service Provider to go offline for several hours. In another part of the United States, an unexpected "blackout" prevented electronic authentication system operations at a key data center. The reality of power outages, regardless if from accidents, rolling blackouts, etc., should provide incentive to consider implementation of alternative power sources. Since power outages are predicted for several areas of the United States this summer, it would be prudent for the emergency first response community to prepare for the worst. It is for this reason that a robust source of alternative power is needed at departments located in the nation's major metropolitan areas.

Real or Fake Warning

Symantec Corporation, an anti-virus software vendor, has issued a real warning about a fake virus alert that looks like an email bulletin from the vendor itself. Symantec's representative said that the problem with the bogus email is that it comes with a new Internet worm attached. The worm, written as a Microsoft Visual Basic script, is designed to probe the address book of recipients who use the Outlook Express email application and send copies of itself to the contacts it finds there. In their advisory about the worm, Symantec said it is not a threat to data stored on infected PC's and has yet to be widely distributed. The worm can be eradicated from an infected system with most up-to-date virus-detection software. Symantec says the worm is fairly easy to remove manually for people comfortable with the Windows registry editor.

Cracking Down on Security Lapses

What should be done about an employee who chronically breaks the department's security policies and jeopardizes the continued successful operation of the emergency cyber-systems? In a national conference, information system security experts agree that accountable leaders must set firm policies and drop the hammer when necessary on employees who violate those policies. When dealing with information and communications for emergency services, "administrators should carry out 'ruthless enforcement' of internal security policies," advised a deputy chief information officer. And Patrick Milligan, manager of security strategies and technologies at Ford Motor Company, said he feels comfortable holding employees accountable for security mistakes because each of them must pass a certification process to access those systems. "So if they're certified to be there, they have been educated to be there."

The Human Factor

A recent article in the Security Manager's Journal discussed the human factor in computer security. A senior security manager for a Fortune 500 company wrote that showing people the consequences of their actions gets better results than simply requiring them to follow procedures without explanation. When a security breach does occur, he recommends that a senior accountable manager meet with the responsible person and thoroughly review the damage caused in terms of mission degradation, risk of danger, diminished company reputation, and possible financial loss.

Electrical Power

The North American Electric Reliability Council (NERC) released its 2001 Summer Assessment. "The assessment concludes that California will experience difficulties meeting its projected electricity demand this summer," said the NERC President and CEO. "California electricity users will experience rotating blackouts much more so than last summer or this winter." The report also states that extreme drought conditions there and elsewhere in the United States will adversely affect the available output of hydroelectric resources. "We expect that current conditions throughout the nation will likely cause electricity shortages in many major metropolitan areas of the nation this summer."

USFACIPC Weekly Lexicon: Continuity of Services

Refers to controls that ensure all physical and cyber services continue without interruption or are promptly resumed after the occurrence of an expected or unexpected event.