Title: Blue Cascades II and Purple Crescent II Infrastructure Interdependencies Exercises: Case Studies on Fostering Disaster Resilience
Blue Cascades II and Purple Crescent II
Infrastructure Interdependencies Exercises: Case Studies on Fostering Disaster Resilience
- Paula Scalingi
- The Scalingi Group
- IT Security Infrastructure Protection Conference - February 9, 2005
Growing Focus on Regional Approach to Securing Infrastructures
- Recognition of the importance of infrastructure interdependencies and of comprehensive preparedness
- Interdependencies exercises are an integral element in the development of public-private collaborations: the Pacific Northwest and Gulf Coast Partnerships, and others in Iowa, California, and Canada
- Earlier exercises focused largely on physical events; recent ones highlight cyber attacks, disruptions and the associated interdependencies challenges
- Recognition of the need to integrate cyber and physical in security and emergency management planning
Growing Focus on Regional Approach, cont.
- Blue Cascades II
  - Held Sept. 8, 2004 in Seattle, Washington
  - Hosted by the Pacific Northwest Partnership for Regional Infrastructure Security; funded by King County and the U.S. Department of Homeland Security (DHS)/National Cyber Security Division (NCSD)
  - Sponsored by the Pacific Northwest Economic Region, King County, Microsoft, Puget Sound Energy, and Pacific Gas and Electric Company
  - Core stakeholder group also included Bonneville Power Administration, telecommunications entities, water systems, SAFECO Field, Port of Seattle, City of Seattle, county/state agencies, and Bank of America and other financial institutions
Growing Focus on Regional Approach, cont.
- Purple Crescent II
  - Held October 27, 2004 in New Orleans, LA
  - Co-chaired by the City of New Orleans Homeland Security Office and Greater New Orleans, Inc. (New Orleans Regional Chamber of Commerce and MetroVision Economic Development Partnership); funded by DHS/NCSD
  - Core stakeholders included BellSouth, Cox Communications, Entergy, the chemical sector, U.S. Coast Guard, regional Naval facilities, Federal Bureau of Investigation, New Orleans Sewerage and Water Board, Strategic Petroleum Reserve, major financial and healthcare institutions, parish and state agencies, and many others, including Microsoft
Growing Focus on Regional Approach, cont.
- Both events were attended by around 200 representatives from all infrastructure sectors: city, county, state, and federal civilian and defense entities; commercial enterprises, including tourism; academe; and community organizations
- Technical advice was provided by National Laboratory experts through the DHS Science and Technology Critical Infrastructure Protection Program and by US-CERT
- Scenarios involved terrorist-initiated cyber attacks with widespread regional impacts that complicated/exacerbated response to and recovery from major physical events
Exercise Goals
- Raise awareness of interconnections among the region's critical infrastructures and organizations, and of the associated vulnerabilities, in a trusted environment
- Examine cyber threats/vulnerabilities that could affect operations, business practices, and response/recovery
- Identify ways to make organizations aware of the extent/duration of disruptions and the resulting impacts
- Bring emergency managers and physical/cyber security personnel together to foster interaction/integration
Scenario Development
- Developed by the stakeholders themselves based on their biggest concerns, both cyber and physical
- Designed to explore vulnerabilities and disruptions, as well as regional capabilities to deal with threats, cascading impacts and incident response
- Stakeholder involvement in constructing the scenario provided them with a means to begin to develop a dialogue on interdependencies, to challenge assumptions and to gain new insights
Exercise Format
- A workshop format was used to facilitate discussion; participants were seated at tables by organization to enable them to discuss their responses
- Participants were instructed that the exercise was not testing anything or exploring mitigation options, but rather was a tool to generate dialogue and begin identifying interdependencies and preparedness gaps
- Members of the Scenario Design Team knowledgeable about the operational aspects of a particular scenario event facilitated that inject
Evaluation Criteria
- There were a large number of findings and recommendations; many were provided by participants in their evaluations of the exercise and by a team of independent evaluators
- Criteria used to determine findings and recommendations included:
  - Awareness/understanding of interdependencies
  - Understanding of cyber security threats/impacts
  - Extent of stakeholder cooperation/coordination
  - Level of communication/information sharing
  - Clarity of roles and responsibilities
  - Resource management capabilities
  - Effectiveness of public information
Overview of Findings from the Exercises
- General Observations
  - In both the Puget Sound and New Orleans regions, progress has been made by local governments and some larger utilities and businesses in addressing physical vulnerabilities and related preparedness needs, but much remains to be done
  - In the Seattle area, an information sharing and notification system called the Northwest Warning, Alert and Response Network (NW-WARN) has been established to link regional stakeholders
  - In the New Orleans region, substantial work has been done to improve hurricane preparedness
Overview of Findings, cont.
- Understanding Interdependencies and Cyber Issues
  - Many organizations are aware of interdependencies and their importance and see the need to develop a comprehensive regional preparedness strategy
  - Organizations are less knowledgeable about the interdependencies that could impact the service providers on which they depend, and about the extent/duration of service disruptions
  - Cyber threats, vulnerabilities, and disruption impacts are not well understood by most organizations, which tend to overestimate the technical capabilities of their networks to withstand attacks and recover quickly
Overview of Findings, cont.
- Few organizations, particularly small and medium-sized ones, have cyber incident response plans or procedures; for those that do, these plans are rarely tested
- Organizations often shut off Internet access during a suspected attack; some resort to manual operations, although they may not be able to sustain such procedures beyond a limited time and may require additional manpower, equipment and transportation to affected sites, which is difficult in a regional disaster
- Impacts of rolling blackouts and prolonged outages on interdependent infrastructures are not well understood; organizations want more data on the effects on continuity of operations/business processes
Overview of Findings, cont.
- Integration of emergency management, physical security and cyber security remains rare within organizations due to terminology/cultural differences
- Emergency Operations Centers (EOCs) lack procedures to determine when to activate for a cyber event; there are no threshold criteria to gauge that a significant attack is underway and no means to obtain the necessary data from affected organizations to judge disruption extent/impacts
- There tends to be minimal cross-organizational communication or interaction on interdependencies; coordination across stovepipes seldom occurs and smaller organizations are not involved
Overview of Findings, cont.
- Cooperation and Coordination
  - There is increasing involvement by private sector organizations in regional preparedness planning, but the level of this involvement is still quite low
  - Utilities with a tradition of involvement in mutual assistance agreements showed the most advanced levels of cooperation for emergency response
  - Private sector organizations are reluctant to contact government agencies because of concerns that their information could be subject to public disclosure, which could impact their market value
Overview of Findings, cont.
- There are no criteria for what constitutes a cyber threat or attack that can provide guidance to stakeholders as to what should be reported to government authorities
- Organizations do not know how and to whom they should report a cyber attack, what would constitute a crime scene, or what information should be preserved as evidence
Overview of Findings, cont.
- Organizations do not commonly share information about security issues or disruptions with others, making it difficult to gauge the magnitude of threats, the cause of a disruption and, if it is indeed an attack, the extent of the damage done
- In the Seattle exercise, U.S.-Canada cross-border issues were not meaningfully addressed, e.g., interdependencies and the associated challenges in the areas of communication/information sharing, coordination, and roles and responsibilities
- In the New Orleans exercise, there was no real effort to look at interdependencies beyond the immediate region (the municipal area and adjacent parishes)
Overview of Findings, cont.
- Communications and Information Sharing
  - Although some larger organizations demonstrated that they have redundant communications in place, exercise participants did not seriously consider the impact on communications of prolonged power and telecommunications outages
  - It is unclear how Emergency Operations Centers (EOCs) would be activated, or would communicate with law enforcement or first responders, if both cell and wired communication systems were down and the 800 MHz system was also down
  - There is a need to more fully understand the impact of Voice over Internet Protocol (VoIP), its inherent vulnerabilities and the consequent security/emergency preparedness implications
Overview of Findings, cont.
- There is a need to develop ways to share accurate, real-time information in order to understand interdependencies and how to respond to/recover from regional disasters; at the same time, the private sector is averse, for proprietary and legal reasons, to sharing the necessary data
- There are impediments associated with sharing classified information with private sector organizations; while security clearances are available to personnel with a need to know through the FBI and other federal government agencies, such clearances are difficult to obtain in a timely manner, if at all
Overview of Findings, cont.
- Roles and Responsibilities
  - Many participants in both exercises described cyber incident management as confused or not apparent
  - The federal government has a number of organizations with missions to respond to cyber incidents, and there are also state and private sector response organizations and vendors
  - Despite good briefings on capabilities by federal participants, it was not clear what role DHS elements, including US-CERT, and other federal agencies would play in a regional terrorist attack, particularly in cyber incidents, or how regional stakeholders should interact with them
Overview of Findings, cont.
- Resource Management
  - Participants sought resources based on existing plans and procedures, but when forced to look outside their organizations were unaware of where to go for help; if they did know where resources might be, they did not know how to access them
  - There is no resource inventory that could be utilized in a regional emergency, nor a resource management plan to set priorities and oversee allocation
  - In both exercises, it was not apparent how evacuation procedures could effectively be carried out given the impact of interdependencies (e.g., transportation, power, and telecommunications disruptions plus public panic)
Overview of Findings, cont.
- Regional cyber incident response procedures have yet to be developed to address resource management challenges, including the shortage or unavailability of technical expertise for organizations that do not have in-house information security staffs
- There is a need to address prolonged disruptions of just-in-time deliveries and supply chains that could result from cyber attacks, and the impacts on response and recovery
Overview of Findings, cont.
- The private sector has resources and expertise that could be used in disasters and regional cyber events and that could be incorporated into regional preparedness planning; legal and liability issues should be worked out in advance through mutual aid and other agreements, and teams of experts set up to assist smaller organizations that lack capabilities
- It is unclear what DOD assets could be available for use in a regional emergency and how such assets would be integrated into response and recovery efforts
Overview of Findings, cont.
- Public Information and Education
  - Both scenarios raised many questions, particularly regarding cyber attacks, including: when should the public be informed, what information is provided, and how is this information disseminated and by what organization(s)?
  - Private and public sector employees, including those of community institutions, lack education and training on what they need to do in major emergencies and on state and local plans and requirements
  - There is no "yellow pages" of points-of-contact (POCs) who are responsible for interfacing with the POCs of other regional organizations on disaster planning
Overview of Recommendations
- Encourage organizations to integrate their emergency management, physical and cyber security, and incident response activities and personnel to provide comprehensive preparedness
- Develop tutorials on the impacts of electric power outages, rolling blackouts and power surges, and other types of outages
- Develop a collaborative initiative to identify regional interdependencies and to develop analysis systems that can assess linkages and the impacts of disruptions, ascertain preparedness gaps and inform cost-effective protection/mitigation decisions
Overview of Recommendations, cont.
- Develop criteria to enable stakeholders to better determine that a significant cyber attack is underway
- Create regional Cyber Security Councils to foster collaboration and to establish cyber emergency response and recovery protocols
- Develop a regional cyber emergency response/recovery plan that includes notification and threshold criteria for standing up EOCs for cyber attacks
- Develop a regional cyber incident management plan
Overview of Recommendations, cont.
- Develop a region-wide "yellow pages" of points-of-contact for disaster preparedness for stakeholders and determine means to keep it up-to-date
- Provide a model continuity of operations plan for small and medium organizations that focuses on interdependencies and cyber disruptions
- Develop guidelines that take into account legal and proprietary issues to instruct organizations on when, how, and whom to notify regarding cyber threats/attacks
Overview of Recommendations, cont.
- Undertake cyber vulnerability assessments of regional EOCs and other emergency response centers to help identify cost-effective mitigation strategies that improve the survivability and redundancy of IT and communication systems
- Conduct a series of seminars/workshops to expand general knowledge of cyber threats, attacks, disruptions, impacts, and response and recovery
- Hold targeted exercises to further explore regional interdependencies, including those that go beyond state/national borders; use them to test current practices, including resorting to manual operations
Overview of Recommendations, cont.
- Explore ways to provide expedited federal security clearances to enable dissemination of threat and classified information to those in key stakeholder organizations who have a need-to-know
- Develop a dictionary of terms and acronyms that includes cyber terminology to begin building a common language all stakeholders can understand
- Explore establishing a regional Information Sharing and Analysis Center to enable key stakeholders to better exchange and assess physical and cyber threat-related information in a trusted environment
Overview of Recommendations, cont.
- Develop a better understanding among stakeholders of the National Response Plan and the National Incident Management System (NIMS), and of how private sector organizations are incorporated into incident response planning
- Encourage states to take the lead in working with local/federal agencies and other organizations in developing a roadmap of roles and responsibilities and of what emergency services they offer
Selected Recommendations, cont.
- Leverage existing efforts to develop a regional resource management plan that includes oversight of the prioritization and allocation of equipment, supplies, and mission-essential personnel
- Develop a certification program for maintenance, medical, and other critical private sector personnel who will need to provide essential services in a regional emergency, to enable them to travel unimpeded through security roadblocks or into other jurisdictions
- Investigate how defense assets could be employed in a regional disaster and incorporate these assets into regional preparedness planning
Selected Recommendations, cont.
- Establish a Web-based information resource for regional stakeholders that provides useful data and functions as a coordination and scheduling mechanism for exercises, seminars and conferences
- Develop a training course for private and public sector employees, including community institutions, on what they need to do in major emergencies, and familiarize them with state and local plans
- Develop a training course for public information officers and the media on physical and cyber threats and impacts, and include these individuals in workshops and exercises
Final Step in the Exercise Process: Action Plan
- Blue Cascades II participants reconvened November 12 to discuss their exercise results and develop a set of activities and pilot projects (an Action Plan) to improve regional readiness
- Purple Crescent II stakeholders did the same on December 10
- The results were Action Plans comprising short-term, low-cost solutions and mid- and longer-term actions, many of them similar
- In both cases, the aim was to build on already existing plans and technologies
Final Step: Action Plan, cont.
- Both the new Puget Sound Partnership and Gulf Coast Partnership members are addressing setting up governance structures and defining requirements for the more important projects, including establishing project leads, oversight procedures, and funding needs/sources of support
- Early Examples
  - Regional Cyber Security Council
  - Creation of a regional Yellow Pages
  - Interdependencies analysis/decision support system database and identification template
  - Planning additional targeted interdependencies exercises and workshops
Summary: Partnering for Preparedness, a Seven-Step Process
- Bring the core stakeholders together and create an interdependencies initiative or partnership
- Hold an interactive pre-exercise training seminar
- Set up a Scenario Design Team from the core stakeholder group and other interested organizations and develop a script to address their most important interdependency concerns
- Conduct the exercise, enlisting Scenario Design Team members to facilitate their respective injects; hold a hot wash at the conclusion
Partnering for Preparedness Process, cont.
- Produce an exercise report with findings and recommendations that has been coordinated with the core stakeholder group
- Hold an Action Planning Workshop with the exercise participants to develop specific projects to meet the exercise report recommendations
- Produce an Action Plan comprising these projects that can be incorporated into regional and organizational preparedness plans
Requirements for Success
- Leadership at the municipal, county, and state level is essential to the successful implementation of the Action Plan
- Particularly important will be encouragement and support at the national level from DHS and other relevant federal agencies
- Bottom line: lessening interdependency-related preparedness gaps and achieving disaster resilience depends on regional stakeholders
  - Taking action and sustaining momentum
  - Abandoning assumptions and insular thinking, and demonstrating a willingness to do things differently, share information, and work together
Contact Information
- Dr. Paula Scalingi
- The Scalingi Group, LLC
- 8000 Towers Crescent Dr., Suite 1350
- Tysons Corner
- Vienna, VA 22182-6211
- Phone 703-760-7847
- Cell 703-201-9236
- Fax 703-821-7422
- Email scalingigroup_at_cox.net