This InfoGram will be distributed weekly to provide members of the Emergency Services Sector with information concerning the protection of their critical infrastructures. For further information, contact the Emergency Management and Response - Information Sharing and Analysis Center (EMR-ISAC) at (301) 447-1325 or by email at emr-isac@fema.dhs.gov.
The Emergency Management and Response-Information Sharing and Analysis Center (EMR-ISAC) continues to promote critical infrastructure protection (CIP) throughout the nation's Emergency Services Sector (ESS) in its weekly InfoGram and other documents transmitted through DisasterHelp.gov. Specifically, the ISAC collects, analyzes, and disseminates information to assist the time-efficient and resource-restrained protection of personnel, physical assets, and communication/cyber systems (i.e., critical infrastructures) by the leaders, owners, and operators of ESS departments and agencies.
The EMR-ISAC recognizes that critical infrastructures are the foundation of every national, state, and local activity and, therefore, warrant attention and protection. Regarding ESS organizations, the logic of CIP has been to invest scarce resources to protect only the people, things, and systems that are truly critical for organizational survivability, continuity, and response-ability. This logic supports the perspective espoused by Sun Tzu in his Art of War: "He who protects everything protects nothing." Hence, the CIP philosophy encourages protective measures exclusively for that which is absolutely essential and really needs protection.
However, the EMR-ISAC realizes that many ESS departments and agencies experience much difficulty obtaining the resources necessary just to protect strictly critical infrastructure. Since these organizations and most municipalities cannot protect all critical infrastructures all the time, the ISAC suggests critical infrastructure resiliency as a possible cost-effective alternative. The Infrastructure Security Partnership (TSIP), a consortium of public and private professional agencies, refers to critical infrastructure resiliency as "the capability to expeditiously recover and reconstitute critical services with minimum disruption to public safety and health, the economy, and national security." TSIP advocates critical infrastructure resiliency to facilitate a quicker recovery from man-made and natural disasters and earlier return to normal operations.
As it applies to ESS organizations and their "response-ability" to citizens, the EMR-ISAC offers the following few examples of critical infrastructure resiliency for lengthy sustainment operations following a disaster:
In the past couple of years, numerous corporations and colleges experienced illicit intrusions into their information (i.e., computer) systems. Some of these organizations that detected the breaches are still assessing the extent of damage. They are struggling to ascertain which data may have been accessed and maybe stolen. Depending on the quality of the system, the entity may or may not be able to determine what pieces of information were compromised.
Information technology specialists claim that information systems (i.e., cyber) security breaches can result in a wide spectrum of damage. The EMR-ISAC contends that the greatest harm of an intrusion is identity theft of organizational personnel. Other damages of a computer system attack are the dollar costs of investigation, recovery, additional cyber security measures, contractual liabilities, and liability to victims who suffer actual losses.
Most people think of identity theft in terms of financial loss from identity fraud. However, identity theft can lead to other adverse consequences. Victims may also suffer from impersonation by the offender during criminal acts and a variety of fraudulent activities. Confronted with inquiries about their reputation, no credit rating, and extreme embarrassment, some victims have endured emotional distress and even clinical depression resulting in the loss of a lot of work time or jobs.
To protect their first responders from these undesirable and detrimental possibilities, the EMR-ISAC urges Emergency Services Sector leaders to ensure the outstanding security of the information systems that support their administration and operations. For expert cyber security preparedness and incident recovery assistance, contact the Department of Homeland Security (DHS) US Computer Emergency Readiness Team (US-CERT) at soc@us-cert.gov or at 1-800-282-0870. The US-CERT website is http://www.us-cert.gov.
Significantly tested during Hurricanes Katrina and Rita was the comprehension of state and local authorities regarding laws governing disaster preparedness and response. Consequently, the importance of understanding such laws in a disaster situation is an outcome that received the special attention of the American Bar Association (ABA). An ABA committee studied the matter and released a report this month to help emergency managers and other Emergency Services Sector (ESS) leaders better understand the scope and limitations of their authority under state and local disaster-related laws.
Upon reviewing the ABA report, the EMR-ISAC observed that one of the report's five chapters is devoted to state, local, and first responder issues. It explains important distinctions, e.g., the differences between the expression and clarity of authority; the implementation of authority; the actual exercise of authority; and the appropriateness of delegation of that authority. This particular section specified that state and local governments bear the responsibility for devising effective plans, procedures, and protocols, which make that authority operational and facilitate its exercise during incident response.
The state, local, and first responder issues' chapter poses seven important questions that should be discussed at the state and local levels with emergency management and emergency services providers as well as other critical infrastructure stakeholders. With some relationship to critical infrastructure protection, the section includes a reminder to revisit the ABA's checklist for state and local government attorneys to prepare for possible disasters (http://www.abanet.org/statelocal/checklist406.pdf) (PDF, 79.4 Kb, Adobe Acrobat (PDF) Help).
The full Hurricane Katrina Task Force Subcommittee Report can be viewed and downloaded at http://www.abanet.org/natsecurity/scolns_hurricane_katrina_report_feb_2006_2.pdf (PDF, Adobe Acrobat (PDF) Help).
All-hazards planners can take advantage of a new tool as a guide for conducting a risk assessment of their communities that uses a standard approach to hazard risk assessment. The Hazard Risk Assessment Instrument is a workbook that uses generic hazard models (earthquake, flood, hurricane, tornado, and terrorist bombing) to which the user applies the four steps of the risk assessment instrument: determining the probability of a mishap and the severity of the consequences, then scoring the consequences, and conducting risk analysis.
An examination of the instrument by the EMR-ISAC found it relevant to the Emergency Services Sector (ESS), especially members of the Emergency Medical Services (EMS). It offers practice in, and reinforcement of, the exercise of delineating the probability of threats, the third step in the critical infrastructure protection (CIP) process recommended by the ISAC. To complete the worksheets, the user must rank hazards based on a range of improbable to frequent. Sample completed worksheets that rank hazards and threats are provided, as are links to examples of mapping tools.
The full assessment tool, produced by the UCLA Center for Public Health and Disasters, can be accessed at https://www.cphd.ucla.edu/hrai.html.
The U.S. Fire Administration/EMR-ISAC does not endorse the organizations sponsoring linked websites, and does not endorse the views they express or the products/services they offer.
This INFOGRAM may contain copyrighted material that was not specifically authorized by the copyright owner. EMR-ISAC personnel believe this constitutes "fair use" of copyrighted material as provided for in section 107 of the U.S. Copyright Law. If you wish to use copyrighted material contained within this document for your own purposes that go beyond "fair use," you must obtain permission from the copyright owner.
DHS and the FBI encourage recipients of this document to report information concerning suspicious or criminal activity to DHS and/or the FBI. The DHS National Operation Center (NOC) can be reached by telephone at 202-282-9685 or by email at NOC.Fusion@dhs.gov.
The FBI regional phone numbers can be found online at www.fbi.gov/contact/fo/fo.htm
For information affecting the private sector and critical infrastructure, contact the National Infrastructure Coordinating Center (NICC), a sub-element of the NOC. The NICC can be reached by telephone at 202-282-9201 or by email at NICC@dhs.gov.
When available, each report submitted should include the date, time, location, type of activity, number of people and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact.
Weekly INFOGRAM's are now available as an RSS Feed. More Information »
Last Reviewed: Historical Document
Happy New Year! Add this resolution to the top of your list: test all home smoke alarms each month - starting today! January 1, 2013 @ 10:04 AM ET
U.S. Fire Administration, 16825 S. Seton Ave., Emmitsburg, MD 21727 | USNG: 18SUJ00529652
(301) 447-1000 Fax: (301) 447-1346 Admissions Fax: (301) 447-1441
