IT Preparedness: At Long Last, a Major DHS Priority

Last year, just before Thanksgiving, the Curran-Gardner Public Water Plant in Springfield, Illinois, experienced a troubling event. A computer operated in a foreign country somehow gained control of the plant’s Supervisory Control and Data Acquisition (SCADA) system, repeatedly turning a single pump off and on until the pump failed, causing disruption of the city’s water system. Even though initial reports of malicious intent turned out to be proven false, news reports describing a foreign terrorist gaining control of a public utility infrastructure system spread like wildfire. The Springfield event underscores the increasingly ostensible threat that an intentional or accidental failure of an information technology (IT, or cyber) system poses to the nation’s critical infrastructure.

The foundation of every jurisdiction’s emergency preparedness program is threat or hazard identification, including the calculation of risk – as measured both in monetary cost and in the loss of human life. This fundamental public safety practice – also known as “THIRA” (Threat/Hazard Identification and Risk Assessment) – examines the comprehensive picture of natural, manmade, and technological hazards that have the potential to cause an emergency incident or disaster.

Common THIRA practice across the United States focuses on hazards that public safety officials can readily identify through historic occurrences and potential vulnerability. An often overlooked threat or hazard – for which considerable resources are just now becoming available to respond to and mitigate against – is an IT disruption.

Understanding Criticality and Vulnerability

Emergency preparedness geared specifically toward mitigating the consequences of an IT disruption requires a forward-looking and comprehensive understanding of what that type of disruption might mean in terms of criticality and vulnerability. In recent years, IT systems have become ubiquitous, and affect all aspects of the daily lives of everyday citizens, business owners, government managers, and public safety officials. There is a reliance on IT systems of some sort for powering offices, communicating with others, controlling critical infrastructure, and maintaining situational awareness in the event of emergency. In 2012, one would be hard pressed to identify a single facet of daily life in which IT systems do not play a critical role.

IT systems have experienced an almost unhindered expansion into the most vital processes of the nation’s infrastructure, becoming an interconnected network that today literally reaches around the globe. A disruption of these systems may cause direct damage to computer networks that support a jurisdiction’s vital services for its residents, as well as its local critical infrastructure – e.g., traffic systems, power and other utilities, and communications systems.

When one considers that a high percentage of the nation’s critical infrastructures run on SCADA systems, it becomes obvious that an IT disruption to any of the aforementioned computer networks could be catastrophic, and would have major implications for not only a local jurisdiction but also for many other jurisdictions, entire states, and the federal government.

The Federal Approach: Increased Funding, an R&D Roadmap, NLE 2012

Over the last several years, the federal government has recognized the need for national cyber contingency capabilities by increasing this portion of the Department of Homeland Security (DHS) budget to $443 million–$80 million over the previous fiscal year’s appropriation. The Quadrennial Homeland Security Review (QHSR) identified DHS as one of the components of the national homeland security enterprise that “possesses unique capabilities and, hence, responsibilities.” DHS was built on the foundation of the National Response Framework’s Cyber Terrorism Annex and now functions as the federal government’s penultimate department for coordinating IT disruption activities. In late 2011, to help guide the federal cyber-security apparatus, DHS released two strategic documents outlining the cyber-security mission, and provided a roadmap for the expenditure of research and development funds.

DHS’s National Cyber Security Division (NCSD) operates four key components of the federal government’s IT response program. The department’s newly created National Cybersecurity and Communications Integration Center (NCCIC) serves as a 24-hour watch center (similar to the National Response Coordination Center) for all IT-related incidents. When an incident is identified and authenticated, an alert is published through the National Cyber Alert System. Such alerts are typically issued for potential terrorist activity and for sharing information with IT managers on potential security vulnerabilities in common software packages.

The operational arm of the NCSD is the United States Computer Emergency Readiness Team (US-CERT), which ensures the federal government’s situational awareness to IT-related threats through constant vigilance, and the coordination of the federal government’s IT emergency response. The National Cyber Response Coordination Group (NCRCG) serves as the overarching body that: (a) shares IT-related incident information with agencies throughout the federal government, and with state and local governments; and (b) coordinates the federal interagency response across all sectors and disciplines. Finally, the NCSD Cyber Cop Portal coordinates the intelligence gathering and prosecution of cyber crime and malicious cyber activity.

Recognizing the potential damage an IT disruption may cause, the Federal Emergency Management Agency (FEMA) selected the National Level Exercise (NLE) 2012 to focus on identifying the current planning, organization, equipment, and training gaps in emergency preparedness to respond to a cyber incident in New England. Responding to a cyber incident with national significance requires coordination not only across a broad spectrum of federal agencies, but also through several vertical levels of government, managing the consequences of such an event on local towns and municipalities.

Strengthening Emergency Preparedness at State and Local Levels

The addition of a potential IT disruption on a state or local jurisdiction’s critical infrastructure presents a new challenge in emergency preparedness at the ground level due to the threat’s physical invisibility, and its potential to be just as disruptive and deadly as any traditional intentional threat or natural hazard. Emergency preparedness in response to an IT disruption requires a jurisdiction to take the steps required to enhance its contingency planning efforts to meet the needs of its residences and businesses as well as the community as a whole.

There are many players involved in the response to an IT disruption. Engaging these stakeholders through seminars, workshops, or public meetings well prior to a potential incident is critical to improving collaboration during an actual emergency. Either individually, or through stakeholder working groups, public safety agencies must meet with officials from surrounding jurisdictions, critical infrastructure providers, and other pre-identified organizations and agencies to form a collaborative team that can work to identify issues that might require a potential emergency response, either initiated or exacerbated by an IT disruption, and to develop solutions to those concerns.

Securing a universal stakeholder buy-in is essential if public safety response operations are going to be successful. In addition to developing an appropriate response, state and local law enforcement agencies must be tied in to the national network of homeland security fusion centers to ensure the proper reporting of suspicious activities – specifically including suspicious or malicious IT activity. This critical tool for prevention of traditional terrorist activity is equally applicable to the IT realm.

With an understanding of the criticality and vulnerability posed by an IT disruption, public safety agencies can begin to develop incident-specific and functional support annexes to their Emergency Operations Plans (EOPs). An IT Disruption Annex (titled Cyber Incident Annex by the National Response Framework) outlines the concept of operations, policies, and roles and responsibilities for agencies that have primary or supporting roles in identifying, responding to, and remediating the consequences of a malicious or unintentional disruption: (1) of a jurisdiction’s computer networks; or (2) the computer networks of critical infrastructure providers within a specific jurisdiction.

The Overwhelming Consequences of a Major Disruption

Because IT is often viewed as a component of communications, an IT Disruption Annex may stand as an attachment to a traditional Emergency Support Function #2 Annex (or communications Incident Command System unit) dealing with a jurisdiction’s communications infrastructure. Where ESF #2 deals with the continuity of communications infrastructure critical for emergency response, that infrastructure (if privately administered through an IT communications provider) may become intentionally or unintentionally affected by an IT disruption incident.

Large-scale IT incidents may overwhelm a local or state government emergency response organization’s resources by disrupting the internet, taxing critical infrastructure information systems, and/or infecting critical infrastructure information systems. In a widespread IT-related incident, DHS will activate its resources to coordinate the federal response. In order to ensure proper coordination between local and federal agencies, a local or state government’s IT Disruption Annex would prepare nonfederal agencies to coordinate more effectively with DHS. Many state and local governments have chosen to develop, adopt, and exercise similar plans with great success.

NLE 2012 will involve members of the DHS-funded Boston Area Regional Catastrophic Preparedness Grant Program (RCPGP) multi-jurisdictional catastrophic planning group. The Boston Area Region chose, among other contingency planning efforts, to develop a Regional Cyber Disruption Annex to the Region’s Catastrophic Emergency Coordination Plan (RCCP). In addition, RCPGP funds were used to develop corresponding Cyber Disruption Annexes for the individual states within the Boston Area Region. NLE 2012 will test this regional cyber response coordination model to determine the “best practices” – in planning and operational tactics – needed to mitigate the consequences of IT-related emergencies.

Although the consequences for Springfield’s Curran-Gardner Public Water Plant may not have been catastrophic, they did highlight the increasing threat that IT disruptions pose to the government and private sector at all levels. This new lexicon of IT-specific emergency management components is becoming increasingly relevant. Today, although the federal government seems to have developed at least a preliminary strategy for organization and implementation of an effective IT emergency response program, many state and local homeland security and emergency management agencies are only just beginning their own planning processes.

____________

Click below for additional information on: The 2009 DHS “A Roadmap for Cybersecurity Research”

The 2011 DHS “Blueprint for a Secure Cyber Future”