Blue Cascades II and Purple Crescent II Infrastructure Interdependencies Exercises Case Studies on F - PowerPoint PPT Presentation

Slides: 38
Provided by: paulasc

Transcript and Presenter's Notes


1
Blue Cascades II and Purple Crescent II
Infrastructure Interdependencies Exercises: Case
Studies on Fostering Disaster Resilience
  • Paula Scalingi
  • The Scalingi Group
  • ITSecurity Infrastructure Protection
    Conference
  • February 9, 2005

2
Growing Focus on Regional Approach to Securing
Infrastructures
  • Recognition of importance of infrastructure
    interdependencies, comprehensive preparedness
  • Interdependencies Exercises: Integral element in
    development of public-private collaborations
    (Pacific Northwest and Gulf Coast Partnerships,
    others in Iowa, California, Canada)
  • Earlier exercises focused largely on physical
    events; recent highlighting of cyber attacks,
    disruptions and associated interdependencies
    challenges
  • Recognition of need to integrate cyber and
    physical in security and emergency management
    planning

3
Growing Focus on Regional Approach, cont.
  • Blue Cascades II
  • Held Sept. 8, 2004 in Seattle, Washington
  • Hosted by the Pacific Northwest Partnership for
    Regional Infrastructure Security; funded by King
    County and the U.S. Department of Homeland
    Security (DHS)/National Cyber Security Division
  • Sponsored by the Pacific Northwest Economic
    Region, King County, Microsoft, Puget Sound
    Energy, and Pacific Gas and Electric Company
  • Core stakeholder group also included Bonneville
    Power Administration, telecommunications
    entities, water systems, SAFECO Field, Port of
    Seattle, City of Seattle, counties/state
    agencies, Bank of America/other financial
    institutions

4
Growing Focus on Regional Approach, cont.
  • Purple Crescent II
  • Held October 27, 2004 in New Orleans, LA
  • Co-chaired by the City of New Orleans Homeland
    Security Office and Greater New Orleans, Inc.
    (New Orleans Regional Chamber of Commerce and
    MetroVision Economic Development Partnership);
    funded by DHS/NCSD
  • Core stakeholders included Bell South, Cox
    Communications, Entergy, Chemical Sector, U.S.
    Coast Guard, regional Naval facilities, Federal
    Bureau of Investigation, New Orleans Sewerage and
    Water Board, Strategic Petroleum Reserve, major
    financial and healthcare institutions, parish and
    state agencies, among many others, including
    Microsoft

5
Growing Focus on Regional Approach, cont.
  • Both events attended by around 200
    representatives from all infrastructure sectors;
    city, county, state, federal civilian and defense
    entities; commercial enterprises, including
    tourism, academe and community organizations
  • Technical advice provided by National Laboratory
    experts through DHS/Science and Technology/
    Critical Infrastructure Protection Program and by
    the U.S. CERT
  • Scenarios involved terrorist-initiated cyber
    attacks with widespread regional impacts that
    complicated/exacerbated response and recovery to
    major physical events

6
Exercise Goals
  • Raise awareness of interconnections among the
    region's critical infrastructures and
    organizations and associated vulnerabilities in a
    trusted environment
  • Examine cyber threats/vulnerabilities that could
    affect operations, business practices, response/
    recovery
  • Identify ways to make organizations aware of the
    extent/duration of disruptions and resulting
    impacts
  • Bring emergency managers, physical/cyber security
    personnel together to foster
    interaction/integration

7
Scenario Development
  • Developed by the stakeholders themselves based on
    their biggest concerns, both cyber and physical
  • Designed to explore vulnerabilities and
    disruptions, as well as regional capabilities to
    deal with threats, cascading impacts and incident
    response
  • Stakeholder involvement in constructing the
    scenario provided them with a means to begin to
    develop a dialogue on interdependencies, to
    challenge assumptions and gain new insights

8
Exercise Format
  • A workshop format was used to facilitate
    discussion; participants were seated at tables by
    organization to enable them to discuss their
    responses
  • Participants were instructed that the exercise
    was not testing anything or exploring
    mitigation options, but rather was a tool to
    generate dialogue and begin identifying
    interdependencies and preparedness gaps
  • Members of the Scenario Design Team
    knowledgeable about operational aspects of a
    particular scenario event facilitated that
    inject

9
Evaluation Criteria
  • There were a large number of findings and
    recommendations; many were provided by
    participants in their evaluations of the exercise
    and by a team of independent evaluators
  • Criteria used to determine findings and
    recommendations included:
  • Awareness/understanding of interdependencies
  • Understanding of cyber security threats/impacts
  • Extent of stakeholder cooperation/coordination
  • Level of communication/information sharing
  • Clarity of roles and responsibilities
  • Resource management capabilities
  • Effectiveness of public information

10
Overview of Findings from the Exercises
  • General Observations
  • In both the Puget Sound and New Orleans regions,
    progress has been made by local governments and
    some larger utilities and businesses in
    addressing physical vulnerabilities and related
    preparedness needs, but much remains to be done
  • In the Seattle area, an information sharing and
    notification system called Northwest Warning,
    Alert and Response Network (NW-WARN) has been
    established to link regional stakeholders
  • In the New Orleans region, substantial work has
    been done to improve hurricane preparedness

11
Overview of Findings, cont.
  • Understanding Interdependencies and Cyber Issues
  • Many organizations are aware of interdependencies
    and their importance and see the need to develop
    a comprehensive regional preparedness strategy
  • Organizations are less knowledgeable about
    interdependencies that could impact service
    providers on which they are dependent and the
    extent/duration of service disruptions
  • Cyber threats, vulnerabilities, and disruption
    impacts are not well understood by most
    organizations, which tend to overestimate the
    technical capabilities of their networks to
    withstand attacks and recover quickly

12
Overview of Findings, cont.
  • Few organizations, particularly small and
    medium-sized, have cyber incident response plans
    or procedures; for those that do, these plans are
    rarely tested
  • Organizations often shut off Internet access
    during a suspected attack; some resort to manual
    operations, although they may not be able to
    sustain such procedures beyond a limited time and
    may require additional manpower, equipment and
    transportation to affected sites (difficult in a
    regional disaster)
  • Impacts of rolling blackouts and prolonged
    outages on interdependent infrastructures are not
    well understood; organizations want more data on
    effects on continuity of operations/business
    processes

13
Overview of Findings, cont.
  • Integration of emergency management, physical
    security and cyber security remains rare within
    organizations due to terminology/cultural
    differences
  • Emergency Operations Centers (EOCs) lack
    procedures to determine when to activate for a
    cyber event; there are no threshold criteria to
    gauge that a significant attack is underway and no
    means to secure necessary data from affected
    organizations to judge disruption extent/impacts
  • There tends to be minimal cross-organizational
    communication or interaction on
    interdependencies; coordination across
    stovepipes seldom occurs and smaller
    organizations are not involved

14
Overview of Findings, cont.
  • Cooperation and Coordination
  • There is increasing involvement by private sector
    organizations in regional preparedness planning,
    but the level of this involvement is still quite
    low
  • Utilities with a tradition of involvement in
    mutual assistance agreements showed the most
    advanced levels of cooperation for emergency
    response
  • Private sector organizations are reluctant to
    contact government agencies, because of concerns
    that their information could be subject to public
    disclosure, which could impact their market value

15
Overview of Findings, cont.
  • There are no criteria for what constitutes a
    cyber threat or attack that can provide guidance
    to stakeholders as to what should be reported to
    government authorities
  • Organizations do not know how and to whom they
    should report a cyber attack, what would
    constitute a crime scene, or what information
    should be preserved for evidence

16
Overview of Findings, cont.
  • Organizations do not commonly share information
    about security issues or disruptions with others,
    making it difficult to gauge the magnitude of
    threats, the cause of a disruption, and if indeed
    an attack, the extent of the damage done
  • In the Seattle exercise, U.S.-Canada cross-border
    issues were not meaningfully addressed, e.g.,
    interdependencies and associated challenges in
    the areas of communication/information sharing,
    coordination, and roles and responsibilities
  • In the New Orleans Exercise, there was no real
    effort to look at interdependencies beyond the
    immediate region (the municipal area and adjacent
    parishes)

17
Overview of Findings, cont.
  • Communications and Information Sharing
  • Although some larger organizations demonstrated
    they have redundant communications in place,
    exercise participants did not seriously consider
    the impact on communications of prolonged power
    and telecommunications outages
  • It is unclear how Emergency Operation Centers
    (EOCs) would be activated or communicate with law
    enforcement or first responders if both cell and
    wired communication systems were down and the 800
    MHz system was also down
  • There is a need to more fully understand the
    impact of Voice over Internet Protocol (VOIP),
    its inherent vulnerabilities and consequent
    security/emergency preparedness implications

18
Overview of Findings, cont.
  • There is a need to develop ways to share
    accurate, real-time information to understand
    interdependencies and how to respond/recover from
    regional disasters; at the same time, the private
    sector is averse, for proprietary and legal
    reasons, to sharing necessary data
  • There are impediments associated with sharing
    classified information with private sector
    organizations; while security clearances are
    available to personnel with a need to know
    through the FBI and other federal government
    agencies, such clearances are difficult to obtain
    in a timely manner, if at all

19
Overview of Findings, cont.
  • Roles and Responsibilities
  • Many participants in both exercises described
    cyber incident management as confused or not
    apparent
  • The federal government has a number of
    organizations that have missions to respond to
    cyber incidents and there are also state and
    private sector response organizations and vendors
  • Despite good briefings on capabilities by federal
    participants, it was not clear what role DHS
    elements, including U.S. CERT and other federal
    agencies would play in a regional terrorist
    attack, particularly in cyber incidents, and how
    regional stakeholders should interact with them

20
Overview of Findings, cont.
  • Resource Management
  • Participants sought resources based on existing
    plans and procedures, but when forced to look
    outside their organizations were unaware of where
    to go for help; if they did know where resources
    might be, they did not know how to access them
  • There is no resource inventory that could be
    utilized in a regional emergency or a resource
    management plan to set priorities and oversee
    allocation
  • In both exercises, it was not apparent how
    evacuation procedures could effectively be
    carried out given the impact of interdependencies
    (e.g., transportation, power, and
    telecommunications disruptions plus public panic)

21
Overview of Findings, cont.
  • Regional cyber incident response procedures have
    yet to be developed to address resource
    management challenges, including shortage or
    unavailability of technical expertise for
    organizations that do not have in-house
    information security staffs
  • There is a need to address prolonged disruptions
    of just-in-time deliveries and supply chains that
    could result from cyber attacks, and the impacts
    on response and recovery

22
Overview of Findings, cont.
  • The private sector has resources and expertise
    that could be used in disasters and regional
    cyber events that could be incorporated into
    regional preparedness planning; legal and
    liability issues should be worked out in advance
    through mutual aid and other agreements and teams
    of experts set up to assist smaller organizations
    that lack capabilities
  • It is unclear what DOD assets could be available
    for use in a regional emergency and how such
    assets would be integrated into response and
    recovery efforts

23
Overview of Findings, cont.
  • Public Information and Education
  • Both scenarios raised many questions,
    particularly regarding cyber attacks, including
    when should the public be informed, what
    information is provided and how is this
    information disseminated and by what
    organization(s)?
  • Private and public sector employees, including
    those of community institutions, lack education
    and training on what they need to do in major
    emergencies and on state and local plans and
    requirements
  • There is no 'yellow pages' of points-of-contact
    who are responsible for interfacing with other
    POCs of regional organizations on disaster
    planning

24
Overview of Recommendations
  • Encourage organizations to integrate their
    emergency management, physical and cyber security
    and incident response activities and personnel to
    provide comprehensive preparedness
  • Develop tutorials on impacts of electric power
    outages, rolling blackouts and power surges, and
    other types of outages
  • Develop a collaborative initiative to identify
    regional interdependencies and develop the
    analysis systems that can assess linkages and
    impacts of disruptions, ascertain preparedness
    gaps and determine cost-effective
    protection/mitigation decisions

25
Overview of Recommendations, cont.
  • Develop criteria to enable stakeholders to better
    determine that a significant cyber attack is underway
  • Create regional Cyber Security Councils to foster
    collaboration and to establish cyber emergency
    response and recovery protocols
  • Develop a regional cyber emergency
    response/recovery plan that includes notification
    and threshold criteria for standing up EOCs for
    cyber attacks
  • Develop a regional cyber incident management plan

26
Overview of Recommendations, cont.
  • Develop a region-wide yellow-pages of
    points-of-contact for disaster preparedness for
    stakeholders and determine means to keep it
    up-to-date
  • Provide a model continuity of operations plan for
    small and medium organizations that focuses on
    interdependencies and cyber disruptions
  • Develop guidelines that take into account legal
    and proprietary issues to instruct organizations
    on when, how, and whom to notify regarding cyber
    threats/attacks

27
Overview of Recommendations, cont.
  • Undertake cyber vulnerability assessments of
    regional EOCs and other emergency response
    centers that can help identify cost-effective
    mitigation strategies to improve survivability
    and redundancy of IT and communication systems
  • Conduct a series of seminars/workshops to expand
    general knowledge of cyber threats, attacks,
    disruptions, impacts and response and recovery
  • Hold targeted exercises to further explore
    regional interdependencies, including those that
    go beyond state/national borders; use to test
    current practices, including resorting to manual
    operations

28
Overview of Recommendations, cont.
  • Explore ways to provide expedited federal
    security clearances to enable dissemination of
    threat and classified information to those in key
    stakeholder organizations who have a
    need-to-know
  • Develop a dictionary of terms and acronyms that
    includes cyber terminology to begin building a
    common language all stakeholders can understand
  • Explore establishing a regional Information
    Sharing and Analysis Center to enable key
    stakeholders to better exchange and assess
    physical and cyber threat-related information in
    a trusted environment

29
Overview of Recommendations, cont.
  • Develop a better understanding among stakeholders
    of the National Response Plan and the National
    Incident Management System (NIMS) and how private
    sector organizations are incorporated into
    incident response planning
  • Encourage states to take the lead in working with
    local/federal agencies and other organizations in
    developing a roadmap of roles and
    responsibilities and what emergency services they
    offer

30
Selected Recommendations, cont.
  • Leverage existing efforts to develop a regional
    resource management plan that includes oversight
    of prioritization and allocation of equipment,
    supplies, and mission essential personnel
  • Develop a certification program for maintenance,
    medical, and other critical private sector
    personnel who will need to provide essential
    services in a regional emergency to enable them
    to travel unimpeded through security roadblocks
    or into other jurisdictions
  • Investigate how defense assets could be employed
    in a regional disaster and incorporate these
    assets into regional preparedness planning

31
Selected Recommendations, cont.
  • Establish a Web-based information resource for
    regional stakeholders that can be used to provide
    useful data for stakeholders and to function as a
    coordination and scheduling mechanism for
    exercises, seminars, conferences
  • Develop a training course for private and public
    sector employees, including community
    institutions, on what they need to do in major
    emergencies and familiarize them with state and
    local plans
  • Develop a training course for public information
    officers and media on physical and cyber threats
    and impacts and include these individuals in
    workshops and exercises

32
Final Step in the Exercise Process: Action Plan
  • Blue Cascades II participants reconvened November
    12 to discuss their exercise results and develop
    a set of activities and pilot projects (an Action
    Plan) to improve regional readiness
  • Purple Crescent II stakeholders did the same on
    December 10
  • The results were Action Plans comprised of
    short-term, low-cost solutions and mid- and
    longer-term actions, many of them similar
  • In both cases, the aim was to build on already
    existing plans and technologies

33
Final Step: Action Plan, cont.
  • Both the new Puget Sound Partnership and Gulf
    Coast Partnership members are addressing setting
    up governance structures and defining
    requirements for the more important projects,
    including establishing project leads, oversight
    procedures, funding needs/sources of support
  • Early Examples
  • Regional Cyber Security Council
  • Creation of a regional Yellow Pages
  • Interdependencies analysis/decision support
    system database and identification template
  • Planning additional targeted interdependencies
    exercises and workshops

34
Summary: Partnering for Preparedness (Seven-Step
Process)
  • Bring the core stakeholders together and create
    an interdependencies initiative or partnership
  • Hold an interactive pre-exercise training seminar
  • Set up a Scenario Design Team from the core
    stakeholder group and other interested
    organizations and develop a script to address
    their most important interdependency concerns
  • Conduct the exercise, enlisting Scenario Design
    Team members to facilitate their respective
    injects; hold a hot wash at the conclusion

35
Partnering for Preparedness Process, cont.
  • Produce an exercise report with findings and
    recommendations that has been coordinated with
    the core stakeholder group
  • Hold an Action Planning Workshop with the
    exercise participants to develop specific
    projects to meet the exercise report
    recommendations
  • Produce an Action Plan comprised of these
    projects that can be incorporated into regional
    and organizational preparedness plans

36
Requirements for Success
  • Leadership at the municipal, county, and state
    level is essential to the successful
    implementation of the Action Plan
  • Particularly important will be the encouragement
    and support at the national level, of DHS and
    other relevant federal agencies
  • Bottom line: lessening interdependency-related
    preparedness gaps and achieving disaster
    resilience depends on regional stakeholders:
  • Taking action and sustaining momentum
  • Abandoning assumptions and insular thinking and
    demonstrating willingness to do things
    differently, share information, and work together

37
Contact Information
  • Dr. Paula Scalingi
  • The Scalingi Group, LLC
  • 8000 Towers Crescent Dr., Suite 1350
  • Tysons Corner
  • Vienna, VA 22182-6211
  • Phone 703-760-7847
  • Cell 703-201-9236
  • Fax 703-821-7422
  • Email scalingigroup_at_cox.net