IAEM Disaster Zone Column, April 2022
Dialing In a Cybersecurity Focus
How conversant are you with issues related to cybersecurity? To what degree do your disaster plans incorporate the issue of cybersecurity? What is the status of your own government’s preparations for information security within your agency and the entire government as a whole? For a cybersecurity event, who do you want responding to the Emergency Operations Center (EOC)? These and many others are all very appropriate questions that need to be addressed.
Cybersecurity is one of the “unnatural hazards” that has been added to the emergency managers list of things to be concerned about. I think it is too easy to say that we only deal with the consequences of a cybersecurity attack. That type of thinking goes like this, “winter storm or a cyber-attack” to the power grid, we’ll handle it as we do for any other hazard. We’ll focus on the consequences, since we do consequence management.
However, don’t we get involved in the restoration of power when the power lines are down and we facilitate the movement of repair trucks and their actions out in the field to get the power back on? It is more of a “physical type of work” but if the electricity is not flowing and it is a cyber-attack, what is it we should be doing, or planning to do when the lights go out?
One of the bigger concerns is about cyber-attacks on our critical infrastructures. The power grid, fuel pipelines, transportation, water and wastewater systems, etc. Since it is estimated that 86% of all critical infrastructure are in the private sector, this places a demand on us to have good relationships and prior planning in place with our counterparts in the private sector. If nothing else, the situational awareness that can be gained can be tremendously helpful in how we respond to the consequences.
What can we do in advance of a cyber-attack to become better prepared? Here’s a short list:
- Understand the risks and look at what a failure of an infrastructure system looks like. The previous Colonial Pipeline hack should give all of us pause.
- If you don’t know what SCADA is, find out!
- Investigate what the interdependencies are between critical infrastructures. For instance, all these IT centers with hundreds of servers need not only electrical power, they need water for their cooling systems.
- Make sure your own information technology systems are locked down and that all security patches are being installed as soon as they become available.
- Get to know the IT leadership in your government. You need to know them and they need to know you and what value add you can bring to the table.
- Look at the status of employee training within your government and agency as it pertains to cybersecurity. Annual, one time training is not enough. The training needs to be repetitive and consistent across the entire employee base. If their hands touch a keyboard, mouse or iPad, cell phone, people need to have good cyber hygiene drummed into them.
- Look at your plans and procedures. How is cybersecurity addressed? Is there an annex or chapter for cybersecurity in your all-hazards plan?
- Review you procedures for how you might operate when you own emergency management technical systems are down. What is your fallback warning system when your contracted phone notification system is nonfunctional?
- New federal cybersecurity grants may require communities/agencies to have an “Information Security Plan.” When those grants are announced, look to see what you must do to become compliant and eligible for grant funding.
- What are the mitigation measures that can be taken to prevent or lessen an attack? Training, mentioned above is one. Cyber-insurance is another. Are there redundancies within operating systems that can be capitalized on at the time of an incident?
Saying you don’t have the staff or time to address these challenges won’t make them go away or make your level of preparedness improve. Look at what you can do and then begin, one step at a time. Then use national and international high profile cyber-attacks to motivate others to come on board and join the team.
###
by Eric E. Holdeman, Senior Fellow, Emergency Management Magazine
He blogs at www.disaster-zone.com. His Podcast is at Disaster Zone.
