InfoGram

October 9, 2003

NOTE:This InfoGram will be distributed weekly to provide members of the emergency services sector with news and information concerning the protection of their critical information systems. It has been prepared by NATEK Incorporated for the US Fire Administration. For further information please contact the U.S. Fire Administration's Critical Infrastructure Protection Information Center at (301) 447-1325 or email at email at usfacipc@dhs.gov.

Protecting CIP Information

The first article in the last six InfoGrams briefly discussed the critical infrastructure protection (CIP) process as it applies to emergency first responders. These articles explained the systematic, analytical process that makes CIP a time-efficient and resource-restrained practice to protect the people, physical assets, and communication systems that are indispensably necessary for survivability, continuity of operations, and mission success. The prevailing philosophy of CIP is to protect only those people and things that really need protection to avoid the unwarranted or wasteful application of scarce resources.

Knowing the organizational critical infrastructures is the first step of the CIP process. The second step involves determining the "all-hazards" threats against each of these critical infrastructures. Analyzing the vulnerabilities of those critical infrastructures that are credibly threatened is the third step. The fourth step pertains to assessing the risks of doing nothing about threatened and vulnerable critical infrastructures. When the practitioner establishes that the risk of degradation or loss of a critical infrastructure is unacceptable because of potential catastrophic results, then he/she proceeds to applying countermeasures-the fifth and final step of the CIP process.

When and where the CIP process has been practiced, the CIPIC encourages municipal leaders and department chiefs to make occasional public announcements that the critical infrastructures of the community emergency services are being protected. Such announcements should not be a ruse or disinformation campaign, but an honest declaration for the benefit of both citizens and foes alike. This can be accomplished without divulging any details that would be useful to adversaries. In other words, it is advantageous for everyone to know that the community and its emergency responders have performed the CIP process, while not disclosing particularly sensitive information.

The CIPIC advises that the CIP process itself should be followed with confidentiality. However, it is especially important to earnestly protect the results of the third (Analyzing the Vulnerabilities) and fourth steps (Assessing the Risks) of the process. The outcome of these steps is explicitly sensitive information that has tremendous value to the plans and operations of terrorists. Permitting public access to what and where are the vulnerabilities as well as those vulnerabilities for which risk is accepted will likely negate any implemented countermeasures. The CIPIC recommends that chief officers maintain such sensitive information exclusively at their level.

Planning for Multiple Threats and Events

Accidental and man-made incidents throughout the world teach harsh lessons to emergency first responders about the potential for multiple threats and events to degrade or destroy critical infrastructures. Recent catastrophes demonstrated that the hazards encountered could include fire, falling debris, explosions, burning fuel, hazardous materials, collapsing structures, heat stress, exhaustion, respiratory irritants, and more. Many of these same events verified that emergency responders must be prepared for a myriad of additional threats, including secondary explosive devices and chemical, biological, and radioactive contaminants.

These possibilities further substantiate the utility of the CIP process and its second step-determining the "all-hazards" threats to the critical infrastructures of firefighters and emergency medical personnel. Credible knowledge of the multiple threats and the probability of multiple incidents enable CIP practitioners (i.e., chief officers) to competently finalize the remaining steps of the process. The desirable consequence of completing the CIP methodology is the application of protective measures that mitigate or eliminate the vulnerabilities of department critical infrastructures to the multiple threats and events.

Planning for and executing countermeasures derived from the process will significantly reduce the frustration verbalized as follows by an unknown first responder: "When you have all the hazards lumped together, nothing out there will protect against everything." Furthermore, protective measures applied to what really needs protection will facilitate the bottom line of CIP: Mission Assurance.

Preparing for HazMat Incidents

It is common knowledge that hazardous material (HazMat) is constantly moving in the United States throughout the year. Recognizing that vehicles carrying HazMat traverse the roads, rails, and waterways within the jurisdictions of emergency responders, those affected departments have planned and rehearsed for HazMat incidents. Yet there is growing concern among CIP specialists regarding the annual increase in the ground transportation of dangerous cargo. Security experts believe there are larger amounts of hazardous material along the highways and railways, and at the truck stops and rail-yards of the nation.

More dangerous cargo transport in our country is an additional burden for communities, particularly firefighters and other first responders. It necessitates comprehension of all the additional routes that HazMat (e.g., radioactive, flammables, poisons) moves along as well as the sites where it may stop for short or long durations. This understanding is crucial to conduct proactive emergency planning for each new route or location, and to perform realistic rehearsals involving mutual aid, government, and non-government agencies. Such planning and rehearsing is absolutely essential to protect community critical infrastructures from the devastating effects of an accidental or deliberate incident.

Promoting Individual Preparedness

At all levels of government our nation continues to plan and prepare for future terrorist attacks. However, in some situations, individuals will have to rely on themselves to protect their own health and safety. Therefore, it is logical that individual preparedness should be an important part of a community's emergency strategy.

Many people know how to respond in such disasters as fires and hurricanes, but few would know what to do if someone were to use a chemical, radiological, nuclear, or biological weapon in their vicinity. Although the characteristics of terrorist attacks may vary widely and their likelihood is highly uncertain, they can all create unfamiliar and very dangerous circumstances. Consequently, individuals need an overall strategy they can use to prepare for and respond to incidents involving weapons of mass destruction (WMD).

The RAND Corporation recently published its "Quick Guide," which presents a strategy that individuals can adopt to prepare for and respond to terrorist WMD attacks. The strategy is designed to provide simple and clear guidance for individuals to help protect themselves in the event of an actual attack involving extremely hazardous and unfamiliar conditions.

The "Quick Guide," Individual Preparedness and Response to Chemical, Radiological, Nuclear, and Biological Terrorist Attacks, can be seen and downloaded from the web at: http://www.rand.org/publications/MR/MR1731.