Infogram

March 22, 2001

NOTE: This INFOGRAM will be distributed weekly to provide members of the emergency services sector with news and information concerning the protection of their critical infrastructures. For further information please contact the U.S. Fire Administration's Critical Infrastructure Protection Information Center at (301) 447-1325 or e-mail at usfacipc@dhs.gov.

Internal Security Formula

Recent issues of this INFOGRAM focused on cyber security as an essential ingredient of critical infrastructure protection for the fire and emergency community. This issue introduces an internal security formula that embraces computer security, but addresses procedures for the protection of all critical infrastructures. Although the internal security operations of every fire and emergency service department must be unique to be effective, the following elements adapted from a report in the March issue of CIO Magazine are common for departments throughout the community:

  1. Establish Accountability. Responsibility for ownership and/or oversight of the department's critical infrastructure protection must not be relegated to junior officers. It is and needs to be the exclusive business of senior decision makers.
  2. Promote Awareness. The lack of awareness is a major barrier to implementing security. Senior leaders need to raise internal security awareness through ongoing programs. As people are the weakest link in the security chain, ensure all department personnel are well educated about applicable security procedures.
  3. Protect Assets. Identify and protect the department's crucial assets. These are the "show stoppers," which will prevent mission accomplishment if not operational. They are the things that comprise the critical infrastructure.
  4. Maintain Vigilance. The security of critical infrastructure is a never-ending process. Senior leaders must conduct regular vulnerability and risk assessments to maintain adequate protection in this very dynamic and constantly changing threat environment.
  5. Spend Carefully. Security decisions are usually made in haste after news of an attack or debilitating event. Rather than throwing dollars at a perceived security weakness, senior leaders should study the weakness to determine the most cost efficient means to obtain the required protection.
  6. Analyze the Threat. The threat against a department's critical infrastructure must be meticulously analyzed to acquire an understanding of existing dangers. The results of the analysis should be considered for careful and cost restrained spending.
  7. Mitigate Risk. Leaders need reliable comprehension of the risks of not protecting one or more critical assets against a known or perceived threat. They must make decisions regarding how much performance degradation is and is not acceptable. Such decisions will influence personnel resources as well as drive the security budget.
  8. Embrace Risk. Approach security as risk management, rather than threat avoidance. It is usually reasonable and prudent to embrace or accept low risk. Conversely, it is probably unwise to tolerate high risk to any critical infrastructure.
  9. Plan Comprehensively. Do not rely solely on information technology solutions. An efficient security plan will include an excellent variety of physical, electronic, and process security measures. Process measures are the policies and procedures that individual departments follow.
  10. Detect Continuously. Uninterrupted detection actions by alert personnel are the most productive and powerful methods of preventing any reduction or denial of department operations. Detection must become a "state-of-mind" that provides for consistently outstanding security habits.

Rolling Blackouts

The managers of California's power grid ordered rolling blackouts on 19 March. The state's two biggest utility companies were ordered to cut 500 megawatts of electricity, which is enough power for roughly 500,000 homes. Hospitals and airports were exempt, but not the fire and emergency services. California officials stopped the rolling blackouts on the afternoon of 20 March, warning that further outages were inevitable without tremendous conservation efforts. Energy experts predict that this summer will witness power shortages and outages in several more states. Vice President Dick Cheney also warned that the U.S. must generate more of its own energy or the country risks national power shortages. "It's very important we get on with this business of making certain we've got enough energy in the future or we will find that the problems in California today are in fact national in scope and affect all parts of the country."

Infrastructure Vulnerability to Cyber-Attack

Ronald L. Dick, the new Director of the National Infrastructure Protection Center (NIPC), warned that federal facilities, electric power plants, and other portions of the nation's critical infrastructure are highly vulnerable to potential cyber-attacks from terrorist groups, rogue nations, disgruntled employees, and hackers. "We are picking up signs that terrorist organizations are looking at the use of technology to disrupt the flow of goods and services," he said, adding that the potential for future economic disruption is significant. Mr. Dick further indicated that the biggest immediate problem facing those who deliver services is the disgruntled or mischievous employee who can do tremendous damage. Those involved in the emergency and rescue services are not impervious to these incapacitating attacks and should plan accordingly.

Cyber-Worm Infestation

Are you aware of the current cyber-worm infestation? Computer worms are not ordinary viruses. Their ability to spread quickly across the Internet has made worms the weapon of choice for malicious vandals to spread their latest creations. Furthermore, the programs can be easily copied and changed, and point-and-click tools to create complex worms are readily available, increasing their popularity. According to Robert Lemos, ZDNet News, the many worms created can vary from benign mass mailers that clog e-mail gateways to vicious code that is the equivalent of the Ebola virus to computers. What differentiates these two extremes is what the author throws into the mix. Ken Dunham, senior analyst for SecurityPortal, said that no matter the payload, worms deliver quickly. He also said worms proliferate extremely fast through a network. "This is especially true when one considers the fact that the average user knows very little about computer technology and commonly practices unsafe computing methods."

USFACIPC Weekly Lexicon: Access Control

(adapted from the Critical Infrastructure Glossary of Terms by the Critical Infrastructure Assurance Office)

The procedures and controls that limit access to critical assets (e.g., information systems) to authorized personnel, programs, or processes, thereby protecting these resources against loss of availability, performance, integrity, or confidentiality.

FAIR USE NOTICE

This INFOGRAM may contain copyrighted material that was not specifically authorized by the copyright owner. EMR-ISAC personnel believe this constitutes "fair use" of copyrighted material as provided for in section 107 of the U.S. Copyright Law. If you wish to use copyrighted material contained within this document for your own purposes that go beyond "fair use," you must obtain permission from the copyright owner.

Reporting Notice

DHS and the FBI encourage recipients of this document to report information concerning suspicious or criminal activity to DHS and/or the FBI. The DHS National Operation Center (NOC) can be reached by telephone at 202-282-9685 or by e-mail at NOC.Fusion@dhs.gov.

The FBI regional phone numbers can be found online at www.fbi.gov/contact/fo/fo.htm

For information affecting the private sector and critical infrastructure, contact the National Infrastructure Coordinating Center (NICC), a sub-element of the NOC. The NICC can be reached by telephone at 202-282-9201 or by e-mail at NICC@dhs.gov.

When available, each report submitted should include the date, time, location, type of activity, number of people and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact.

RSS FeedWeekly INFOGRAM's are now available as an RSS Feed. More Information »