InfoGram 19-10: May 13, 2010
This InfoGram will be distributed weekly to provide members of the Emergency Services Sector with information concerning the protection of their critical infrastructures. For further information, contact the Emergency Management and Response - Information Sharing and Analysis Center (EMR-ISAC) at (301) 447-1325 or by email at emr-isac@fema.dhs.gov.
Photocopiers: Information Security Risk
Warnings about identity theft from mailbox thieves, computer hackers, email scams, lost laptops, etc., have been publicized for several years. However, only recently have experts occasionally warned that digital photocopiers could be another risk to the identity and information security of individuals and organizations. The Emergency Management and Response—Information Sharing and Analysis Center (EMR-ISAC) learned from CBS News that nearly every photocopier built since 2002 contains a hard drive, which stores an image of each document copied, scanned, or emailed by the machine.
With the same kind of data-storage mechanism found in computers, the seemingly innocuous machines used to make copies of sensitive personal and organizational information can indefinitely retain the data being copied or scanned. According to an article on msnbc.com, industry experts say sensitive information from original documents could get into the wrong hands if the data on the copier’s disk are not protected with encryption or an overwrite mechanism. Unfortunately, as is the case within the private sector, the majority of digital machines used by Emergency Services Sector (ESS) departments and agencies are probably unprotected and vulnerable targets.
The EMR-ISAC confirmed that some photocopier vendors have begun offering a security kit to encrypt and overwrite images being copied or scanned and to prevent storage on the hard disks. A Xerox technical marketing manager said that many government agencies, financial institutions, and defense contractors dealing with sensitive information have initiated policies to ensure copier disks are either secured or effectively sanitized when the rental lease expires or the machine is sold. It would be prudent for ESS organizations to consider these same precautions to avoid potential information security risks.
Responder Safety versus IEDs
In the performance of duties, emergency responders encounter many challenges including suspicious packages, bomb threats, and even improvised explosive devices (IEDs). According to an article at the Journal of Emergency Medical Services (JEMS.com), August Vernon, an assistant coordinator for a county emergency management office, wrote that public safety agencies must learn to work together to deter explosive attacks from occurring in their jurisdictions and to safely respond when an attack occurs.
The Emergency Management and Response—Information Sharing and Analysis Center (EMR-ISAC) noted Mr. Vernon advised all responders to be “extremely cautious of any items that arouse curiosity, and remember that the exterior inspection of a suspected device doesn’t ensure its safety.” He recommended awareness and suspicion of the following:
- Unusual devices or containers with electronic components such as wires, circuit boards, cellular phones, antennas, and other attached or exposed items.
- Devices containing quantities of fuses, fireworks, match heads, black powder, incendiary materials, or other unusual materials or liquids.
- Materials placed in devices or packages such as nails, bolts, marbles, etc., that could be used for shrapnel.
- Ordnance such as blasting caps, detonation cords, and military or commercial explosives.
To promote first responder and public safety, the EMR-ISAC excerpted the author’s following suggested actions if a possible IED is found anytime and anywhere:
- Call out to personnel to stop moving.
- Stop and look around for other suspicious items.
- Do not touch or move anything.
- Do not operate light or power switches.
- Keep other responders from coming to look at or photograph the object.
- Retrace your steps to move out of the area.
- Conduct personnel accountability.
- Isolate and secure the area.
- Contact and wait for the designated bomb squad.
More information about improvised explosive devices can be found in Mr. Vernon’s First Responder IED Awareness Card (PDF, 57.6 KB).
Physical Security Guidance
Recognizing the interdependent relationship between critical infrastructure protection, resilience, and physical security, the Emergency Management and Response—Information Sharing and Analysis Center (EMR-ISAC) examined the basic measures of a time-efficient, cost-effective, and common-sense approach to bolster physical security by Emergency Services Sector (ESS) departments and agencies. The following physical security guidance for ESS leaders responsible for any type of physical location was summarized from a Department of Homeland Security (DHS) poster (PDF, 1 MB). (NOTE: This particular poster is the third in a series of four security posters at the hyperlink.)
- Monitor and control everyone entering the workplace.
- Check personal identification of non-employees and ascertain the purpose of the visit.
- Repair broken doors, windows, and locks as soon as possible.
- Make back-up copies of sensitive information and databases.
- Observe and report to local law enforcement any suspicious activity in or near the workplace.
- Report suspicious packages to local police without opening or touching.
- Shred or destroy sensitive documents or information no longer needed.
- Maintain an updated inventory of critical equipment, hardware, and software.
- Lock personal items such as wallets and purses when not actively attended.
- Ensure keys, access cards, uniforms, badges, and vehicles are frequently inventoried and locked when not in use.
The EMR-ISAC located additional guidance for improving the physical security of emergency facilities and equipment in a 2009 DHS document: Physical Security Performance Measures (PDF, 631 KB).
2010 Chemical Security Seminar and Exercise
In cooperation with the Department of Homeland Security (DHS) Office of Infrastructure Protection, the Emergency Management and Response—Information Sharing and Analysis Center (EMR-ISAC) is pleased to announce the 2010 Chemical Security Seminar and Exercise (PDF, 2.5 MB), which will be conducted at Barberton, Ohio, on 31 August 2010.
According to the Ohio Chemistry Technology Council (OCTC), Chemical Sector owners and operators should consider having an incident management plan for an active-shooter event or hostage taking at their facility. OCTC, with the support of DHS, will address this need at its latest Chemical Security Seminar and Exercise on the last day of August.
The one-day program will be aimed at fostering effective communication between facilities and their local emergency response teams during active-shooter or hostage-taking incidents. It will also focus on first responder and chemical facility coordination, interoperability, communications protocols, best practices, and integration of local assets. Familiarization and accountability between chemical facilities and their local Emergency Services Sector departments and agencies will be emphasized.
There is a registration fee of $100 for non-OCTC attendees. The registration form can be sent by facsimile to OCTC at 614-224-5168. For more information, the EMR-ISAC suggests visiting the OCTC website or sending email to ChemicalSector@dhs.gov.