September 14, 2006 Infogram

This INFOGRAM will be distributed weekly to provide members of the Emergency Services Sector with information concerning the protection of their critical infrastructures. For further information, contact the Emergency Management and Response - Information Sharing and Analysis Center (EMR-ISAC) at (301) 447-1325 or by e-mail at emr-isac@dhs.gov.

Critical Infrastructure: The Human Element

Emergency Services Sector (ESS) leaders who are relatively new to the discipline of critical infrastructure protection readily recognize physical assets, communication systems, and cyber networks as valid components of their organization's internal critical infrastructures. However, a few individuals occasionally express concern about the appropriateness of including department or agency personnel as another in-house critical infrastructure.

The matter of personnel as the most essential part of an organization's critical infrastructures has been the subject of numerous INFOGRAM articles by the Emergency Management and Response - Information Sharing and Analysis Center (EMR-ISAC). Stated differently than before, the EMR-ISAC submits that physical and communication/cyber infrastructures need the human element. Without the intelligent and innovative attributes of ESS personnel, other internal infrastructures would be unsustainable, faulty, and undependable. In other words, an organization's infrastructures are completely dependent upon the people within the organization.

It is also correct to write that the human component of an ESS department or agency depends on the physical assets and communication/cyber systems of internal critical infrastructures. Therefore, there must be a close linkage between responders and their equipment and apparatus. When all the components of an organization's critical infrastructures are intact and operational, there is a synergistic effect that greatly enhances response-ability and mission accomplishment. But this is not possible without the human element. Properly trained and equipped first responders are always at the core of every successful emergency entity.

Additional Security Guidelines

As a reminder for the leaders, owners, and operators of the Emergency Services Sector, the Emergency Management and Response - Information Sharing and Analysis Center (EMR-ISAC) offers a summary of additional security guidelines recently extracted from open-source documents published by credible security and infrastructure protection specialists:

Make security practices an active part of the organization's culture for all personnel.
Ascertain the threats to and vulnerabilities of internal critical infrastructures.
Consider all forms of security when planning new facilities or modifications to existing ones.
Install appropriate physical security measures such as locks, alarms, CCTV surveillance, etc.
Ensure the operational condition of existing physical security measures.
Reduce access points to a minimum or as much as possible.
Inspect interior and exterior of facilities, HVAC, energy and communications feeds, etc.
Protect proprietary information from those who do not have need to know.
Adjust mail-handling procedures to guarantee the safety of all personnel.
Scrutinize the identity and background of potential employees and new contractors.
Account for all sensitive materials, equipment, and apparatus.
Update and test continuity and response plans.

ESS Family Well-Being - Additional Resource

The Emergency Management and Response - Information Sharing and Analysis Center (EMR-ISAC) has learned about another resource regarding the personal critical infrastructure (i.e., families) of Emergency Services Sector (ESS) personnel before, during, and after disasters.

The new resource offers a simple, dependable means for responders and their families to check each other's status. Launched in July, the American Red Cross (ARC) Safe and Well List Web site accommodates the exchange of welfare status information with family members and friends in the immediate aftermath of a disaster.

When using the website, disaster victims and responders, inside or outside the disaster area, select and post standard messages for family and friends that indicate their status. Those worried about the safety of a victim or responder can access the site, enter victim's or responder's name and telephone number, or name and complete address, and view the victim's or responder's "safe and well" messages. For privacy reasons, no actual victim or responder disaster locations are shared.

The EMR-ISAC notes that the website also offers resources to connect family members during emergencies. These services include free personalized telephone numbers with voicemail capability, and free voice messaging service, accessible from any telephone.

A December 2005 INFOGRAM included the article Family Well-Being: A CIP Issue that discussed the importance of family welfare checks during disasters. An April 2006 INFOGRAM included the article Getting Ready for Disaster - One Family's Experience. Both articles encouraged ESS members to explore various avenues (e.g., call-in telephone numbers, Internet messaging, etc.) for keeping in touch with loved ones.

Critical Asset and Risk Analysis Tool

Emergency managers attempting low-cost solutions to identify private sector critical infrastructures may experience delays and complications. Historically, private sector companies and utilities have been concerned about their data sensitivity and, therefore, hesitant to share it. To deal with this dilemma, the Maryland Emergency Management Agency (MEMA) developed the Critical Asset and Portfolio Risk Analysis (CAPRA) tool to prioritize the key components of critical infrastructure facilities and make decisions on how to spend limited funds more efficiently to protect them.

In speaking with the program administrator, the Emergency Management and Response - Information Sharing and Analysis Center (EMR-ISAC) learned that the CAPRA tool was developed to assist in the protection of critical infrastructures in any jurisdiction or critical infrastructure sector. CAPRA enables users to collect cross-sector data and build a robust database.

According to University of Maryland Professor Bilal Ayyub, director of the CAPRA project, the tool can support numerous decisions, e.g., identify each "critical" asset and assess its risk and threat probability under a variety of threat scenarios, as well as the costs of various mitigation options. Professor Ayyub stated: "By using the tool, facility managers, city administrators, and public officials will be able to identify and take action to protect buildings, roads, bridges, tunnels, and other assets that may be targeted by terrorists or threatened by natural disasters."

Interested emergency managers should contact Daniel Green, Program Administrator, Office of Domestic Preparedness and Law Enforcement Liaison, MEMA at 410-517-5110 or dgreen@mema.state.md.us. Alternatively, contact Project Director Professor Ayyub, Center for Technology and Systems Management, University of Maryland at 301-405-1956 or ba@umd.edu.

FAIR USE NOTICE

This INFOGRAM may contain copyrighted material that was not specifically authorized by the copyright owner. EMR-ISAC personnel believe this constitutes "fair use" of copyrighted material as provided for in section 107 of the U.S. Copyright Law. If you wish to use copyrighted material contained within this document for your own purposes that go beyond "fair use," you must obtain permission from the copyright owner.

Reporting Notice

DHS and the FBI encourage recipients of this document to report information concerning suspicious or criminal activity to DHS and/or the FBI. The DHS National Operation Center (NOC) can be reached by telephone at 202-282-9685 or by e-mail at NOC.Fusion@dhs.gov.

The FBI regional phone numbers can be found online at www.fbi.gov/contact/fo/fo.htm

For information affecting the private sector and critical infrastructure, contact the National Infrastructure Coordinating Center (NICC), a sub-element of the NOC. The NICC can be reached by telephone at 202-282-9201 or by e-mail at NICC@dhs.gov.

When available, each report submitted should include the date, time, location, type of activity, number of people and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact.

Weekly INFOGRAM's are now available as an RSS Feed. More Information »