InfoGram

November 8, 2001

NOTE: This InfoGram will be distributed weekly to provide members of the emergency services sector with news and information concerning the protection of their critical infrastructures. For further information please contact the U.S. Fire Administration's Critical Infrastructure Protection Information Center at (301) 447-1325 or email at usfacipc@dhs.gov.

Operations Security

Operations Security and Critical Infrastructure Protection are closely related processes. The purpose of Operations Security (OPSEC) is to protect sensitive �unclassified� information which can be exploited by adversaries to disrupt operations and cause catastrophic events. The purpose of Critical Infrastructure Protection (CIP) is to protect the critical physical and cyber systems upon which survivability and mission accomplishment depend. According to these definitions, OPSEC is about protecting sensitive information and CIP is about protecting mission essential people and things.

For the last ten months, the USFA CIPIC has appropriately promoted the protection of critical infrastructures. However, it is now necessary to urgently foster the protection of sensitive information that can be used by terrorists to identify vulnerable targets and plan future attacks. Since the horrific events of 11 September, countless individuals (even among the emergency services) have openly discussed data that could be immensely useful to our adversaries. Chat rooms, bulletin boards, and electronic mail have contained details pertaining to the numbers, locations, and capacity of water reservoirs, dams, petrochemical pipelines, gasoline terminals, liquefied natural gas lines, etc., etc.

Emergency first responders, indeed all citizens, must stop discussing sensitive information via these and all methods of open source communications. Police, fire, and EMS personnel must lead by example and avoid unprotected conversation of any information that could assist the plans and operations of those who desire to destroy our nation! Practice OPSEC!!

Personal Digital Assistants

To enhance operational effectiveness, numerous fire and EMS departments throughout the U.S. have issued Personal Digital Assistants (PDAs) to their leaders. PDAs accommodate the retrieval of sensitive information in real time from the central main-frame system. As an additional convenience, PDAs also provide wireless access to the Web from almost anywhere. Users view details of an active incident, contact a fire engine in the field, perform alpha paging, open fire personnel schedules, send messages to the dispatcher, access important information, etc.

Because the odds of losing a PDA are good, manufacturers are seeking the same level of security with PDAs that they once did for laptops. But until these companies can secure the resident and remote data access, the loss of a PDA can be potentially devastating. Just the possibility that somebody could access a department's sensitive information should be enough to cause nightmares among chief leaders and their IT managers.

Departmental use of PDAs poses two OPSEC problems: controlling data access through remote connections, and the unauthorized access to the data. Considering these vulnerabilities, PDA operators should use the off & lock feature, power-on password protection feature, and any applications offering advanced encryption standards to encrypt and decrypt data. These features should adequately protect a department's sensitive information if a PDA device is lost or stolen.

Financing Infrastructure Protection

During the last two months, chief leaders of the fire and emergency medical services all over America have reviewed the preparedness of their departments to respond future terrorist attacks. Most have even pondered the probable costs of critical infrastructure protection in terms of money, manpower, time, and equipment. Therefore, it is no surprise that many community leaders are actively searching for the dollars to support preparedness and protection programs.

Perhaps there is a lesson to be learned from the City Council of Burlington, Iowa. Earlier this month, council members unanimously approved the sale of $2.5 million in general obligation bonds to renovate the Burlington Central Fire Station. �Moody's Investors Service assigned a very favorable rating to the bond issue, which is secured by the city's general obligation unlimited tax pledge." According to Moody's, "the pressure on property tax is somewhat mitigated in that approximately 41 percent of the city's general obligation debt is paid from sources other than property tax, such as tax increment financing funds, enterprise revenue, and road-use tax

Combating Cyberterrorism

As written earlier in this InfoGram, CIP is also about the protection of the cyber systems upon which emergency first responders depend. The following are brief reminders to ensure that fire and EMS departments are prepared to handle a cyberattack:

• Practice the CIP process to identify threatened and vulnerable cyber systems requiring protection measures.
• Layer protective measures and have multiple security controls in effect.
• Apply redundancy where possible and practicable.
• Establish controls over Internet access.
• Use routers and firewalls; monitor compliance through intrusion detection.
• Respond immediately when you suspect a problem.
• Contact the NIPC (information below) if under a cyberattack.

USFACIPC Weekly Lexicon: Program

A set of instructions in code that, when executed, causes a computer to perform a task. A collection of software algorithms designed to accomplish some task.