January 26, 2006 InfoGram
This InfoGram will be distributed weekly to provide members of the Emergency Services Sector with information concerning the protection of their critical infrastructures. For further information, contact the Emergency Management and Response - Information Sharing and Analysis Center (EMR-ISAC) at (301) 447-1325 or by email at emr-isac@fema.dhs.gov.
CIP Process for All Hazards
The ongoing threats of terrorism, natural disasters, and hazardous material accidents within the United States continue to motivate local protection activities. These actions often require the application of scarce resources such as money, time, personnel, equipment, and materials. Consequently, numerous municipalities and emergency departments have depleted their limited assets and can do no more without state or federal funding. Many critical infrastructure protection (CIP) experts believe this weakened condition has at times been caused by imprudent reaction and spending, which is precisely the outcome transnational terrorists seek.
For American communities and Emergency Services Sector (ESS) organizations, the EMR-ISAC recommends the simple CIP Process for a balanced and measured response to the all-hazard threats mentioned above. The CIP Process is an analytical model or template to guide the systematic protection of critical infrastructures. More basically, it is a reliable decision sequence that helps leaders determine exactly what needs protection and when that protection should be activated. As a time-efficient and resource-conserving practice, the process limits protection to those infrastructures upon which survivability, continuity of operations, and mission success depend. It consists of the following steps:
- Identifying critical infrastructures essential for mission accomplishment.
- Determining the threats against those infrastructures.
- Analyzing the vulnerabilities of threatened infrastructures.
- Assessing the risks of the degradation or loss of a critical infrastructure.
- Applying countermeasures where risk is unacceptable.
Conscientious implementation of the CIP Process should ensure that reaction, prioritization, and spending target only those personnel, physical assets, and communication/cyber systems (i.e., critical infrastructures) that are truly vulnerable and at serious risk of degradation or loss. For more information about this process, see the CIP Process Job Aid: http://www.usfa.fema.gov/downloads/doc/cipc-jobaid.doc.
CIP Countermeasures
When a community or organization (e.g., emergency departments and agencies) has determined which internal critical infrastructures are truly vulnerable to man-made and natural hazards and at serious risk of degradation or loss, it should consider applying countermeasures, also called protection measures. There are many different countermeasures available. Some are simple and cost nothing, some are complex and expensive, and others are the result of ingenuity and creativity. Many are applicable to a wide range of threats and infrastructures, while others are designed to meet the unique needs of a specific threat or infrastructure. Furthermore, some measures are tactical in nature, while others address long-term strategic requirements.
CIP countermeasures usually include personnel, equipment, and procedures intended to safeguard a critical infrastructure against all-hazard threats and, additionally, to mitigate the effects of an attack. Selected measures can be activated on a permanent basis to serve as routine protection for an infrastructure; however, others are implemented only during periods of increased threat or heightened alert. Regardless of the type, nature or basis of the countermeasure, the EMR-ISAC asserts that each one should accomplish one or more of the following objectives:
- Reduce the target value of the threatened and vulnerable infrastructure (Devalue).
- Detect an approaching natural hazard or the presence of adversaries (Detect).
- Make the infrastructure more difficult to degrade by man-made or natural hazards (Deter).
- Protect the infrastructure from all forms of deliberate, natural or accidental attack (Defend).
Protecting ESS Cyber Infrastructure
Theft of private and proprietary data is occurring with troubling frequency, and escalating amounts of information are falling into the wrong hands. This reality has the potential to adversely affect Emergency Services Sector (ESS) cyber systems, which are an essential component of sector critical infrastructures. Crime statistics substantiate that hackers have become more sophisticated and now pursue their criminal work on a full-time basis.
The consensus among computer specialists is that cyber criminals, who in the past were interested primarily in fame, now have their eye on financial gain. Hackers are increasingly releasing worms that hide on a machine and quietly gather personal and professional proprietary information, rather than viruses that take down entire computer networks. Personal and corporate account takeovers are especially appealing to hackers, and much of the information they steal reaches the streets, where it is sold to other criminals.
Experts predict a rise in specialized hacker groups and in botnets, networks of compromised computers that an attacker controls remotely and can use for spam, denial-of-service attacks, and further intrusions. Both scenarios are dangerous for ESS organizations trying to conduct legitimate and vital computing business. However, computer security authorities point out that most of these problems are preventable. A recent article in InformationWeek suggests five steps to secure business or home computers:
- Close holes by obtaining and applying software security patches as soon as they become available. Most vendor websites offer index pages or catalogs of all current updates. Whatever software the ESS organization uses, experts consider closing these holes the top priority.
- Block intruders with a quality software firewall on the machine itself, even if it already sits behind a hardware firewall or router. Those devices work well against inbound intrusions, but they typically pass all outbound traffic, so they do nothing against "phone home" exploits and similar "attack from within" malware (i.e., malicious software) that is already on the computer and connecting out to an attacker. A host-based firewall that applies per-program rules to outbound connections closes that gap.
- Stop infections from hostile software that can still reach the computer, especially from "trusted sources" such as co-workers' workstations and other machines on the local area network. Install antivirus protection, keep its signatures current, and note that capable products are available for free download.
- Prevent subversion by adding one or more of the many free or low-cost tools (e.g., Antispyware, SpywareBlaster, Ad-Aware) that can stop spyware and other malware from being installed on a computer, or can help find and remove it after the fact.
- Lock down the machine by using hard-to-crack passwords and by encrypting and password-protecting files, folders or even entire drives to shield them from spies and data thieves. The two measures go together: encrypted data is only as safe as the password that unlocks it, and a password written down or stored on the same machine defeats the encryption.
The EMR-ISAC suggests using an Internet search engine to locate the many sites that offer information, tools, and testing relevant to the five steps.
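The distinction in the second step, a perimeter router versus a host-based firewall, as an added example that is not part of the original InfoGram or of the InformationWeek article: the Python script below evaluates a few constructed connection events (not captured from any real system) against two policies, a router that drops unsolicited inbound traffic but passes everything outbound, and a host firewall with a hypothetical per-program egress allow-list (the program names and ports are assumptions, not any vendor's ruleset). The events the router permits but the host firewall blocks are exactly the "phone home" connections the step warns about.

```python
"""Why a host firewall matters behind a router: a minimal egress-policy
engine run over constructed connection events (added example, not from
the InfoGram or InformationWeek)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Connection:
    """One connection attempt, as a host firewall would observe it."""
    direction: str      # "in" (remote -> this host) or "out" (this host -> remote)
    program: str        # local executable that opened or accepted the socket
    remote_ip: str
    remote_port: int


# Hypothetical per-program egress policy for one workstation (assumption,
# not a real vendor ruleset): a program may connect out only on listed ports.
EGRESS_ALLOW: Dict[str, Set[int]] = {
    "firefox.exe": {80, 443},                        # web browsing
    "outlook.exe": {25, 110, 143, 443, 587, 993, 995},  # mail protocols
    "svchost.exe": {53, 80, 443},                    # DNS and Windows Update
}


def router_verdict(conn: Connection) -> str:
    """Typical NAT router / hardware firewall: drop unsolicited inbound
    connections, pass every outbound connection regardless of origin."""
    return "allow" if conn.direction == "out" else "deny"


def host_firewall_verdict(conn: Connection) -> str:
    """Software firewall on the host: inbound is still dropped, but outbound
    is judged per program and port, so malware that tries to 'phone home'
    from an unexpected binary or on an unexpected port is blocked."""
    if conn.direction != "out":
        return "deny"
    allowed = EGRESS_ALLOW.get(conn.program)
    if not allowed or conn.remote_port not in allowed:
        return "deny"
    return "allow"


def evaluate(conns: List[Connection]) -> List[Tuple[Connection, str, str]]:
    """Return (connection, router verdict, host firewall verdict) per event."""
    return [(c, router_verdict(c), host_firewall_verdict(c)) for c in conns]


def phone_home_gaps(conns: List[Connection]) -> List[Connection]:
    """Connections the router lets through but the host firewall stops:
    the 'attack from within' traffic a perimeter device never sees."""
    return [c for c, r, h in evaluate(conns) if r == "allow" and h == "deny"]


# Constructed sample events (documentation IP ranges, no real hosts).
SAMPLE: List[Connection] = [
    Connection("out", "firefox.exe", "198.51.100.10", 443),   # normal browsing
    Connection("out", "svchost.exe", "198.51.100.53", 53),    # DNS lookup
    Connection("in", "sshd.exe", "203.0.113.7", 22),          # unsolicited inbound
    Connection("out", "wscript.exe", "203.0.113.9", 6667),    # script joining IRC botnet control
    Connection("out", "firefox.exe", "203.0.113.9", 8080),    # browser to an unexpected port
    Connection("out", "winlogon.exe", "203.0.113.12", 443),   # spyware masquerading as a system process
]

if __name__ == "__main__":
    for c, r, h in evaluate(SAMPLE):
        print(f"{c.direction:3} {c.program:13} {c.remote_ip}:{c.remote_port:<5} "
              f"router={r:5} host={h}")
    print("phone-home gaps:", [c.program for c in phone_home_gaps(SAMPLE)])
```

Running it shows three of the six events passing the router but failing the host firewall; a real product would also prompt the user the first time an unknown program tries to connect out, which is where most spyware is first noticed.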
Railroad Safety Follow-Up
Radioactive materials rail transportation planning was a topic in the 19 January 2006 InfoGram. As a follow-up, the EMR-ISAC examined the recently released National Transportation Safety Board (NTSB) report (http://www.ntsb.gov/publictn/2005/RAR0504.pdf, PDF, 1.3 MB) on the chemical spill in January 2005, when a railcar containing chlorine ruptured after colliding with an engine on a side track. Nine people died, more than 500 were treated after inhaling chlorine fumes, and approximately 5,000 residents within a one-mile radius of the accident were evacuated. The report identified train speed, railroad worker fatigue, and the lack of notification signals in "dark territory" (track not controlled by signals) as some of the significant issues.
Another report about this event, at http://www.chemicalspill.org/railcar.html, offered the following summarized remarks relevant to the Emergency Services Sector (ESS):
- First responders must use Personal Protective Equipment and Self-Contained Breathing Apparatus before direct or indirect (e.g., airborne) contact with a chemical.
- Responder organizations near sites susceptible to chemical spills must have access to quality chemical monitors for their own protection and that of nearby residents.
- Chlorine combined with ambient humidity may disrupt the operation of vehicle ignitions and cell phones.
- Timely notifications to the National Response Center are essential to expedite responses by emergency departments and agencies.
Finally, the report included a reminder to ESS organizations about Operation Respond®, a program designed to improve the information available to first responders at hazardous material and passenger train incidents. One of its primary focuses is the national distribution of the Operation Respond Emergency Information System (OREIS).
OREIS software connects police and fire departments with the databases of railroad and motor carriers, so in the event of a hazardous material incident, responders can obtain quick, accurate information on the cargo contents at no charge. ESS organizations not currently using the system can visit http://www.oreis.org for more information.