Carnegie Mellon Assesses Cyber Risk Management

Carnegie Mellon University’s CyLab has just released results from its third biennial survey on how boards of directors and senior management are governing the security of their organizations’ information, applications, and networks (digital assets).  The surveys are intended to measure the extent to which cyber governance is improving.

In general, the report finds that, “Although there have been some measurable improvements since the 2008 and 2010 surveys, boards still are not undertaking key oversight activities related to cyber risks, such as reviewing budgets, security program assessments, and top-level policies; assigning roles and responsibilities for privacy and security; and receiving regular reports on breaches.”

While much of the report focuses on corporate and private sector efforts, most of the following recommendations can be adapted and applied to water utilities as well.  Cybersecurity is a key component of a water system’s overall security posture and must be addressed alongside physical and operational security.

RECOMMENDATIONS

The survey revealed that governance of enterprise security is still lacking in most corporations, with gaps in critical areas. If boards and senior management take the following 12 actions, they could significantly improve their organizations’ security posture and reduce risk:

1. Establish a board Risk Committee separate from the Audit Committee and assign it responsibility for enterprise risks, including IT risks. Recruit directors with security and IT governance and cyber risk expertise.

2. Ensure that privacy and security roles within the organization are separated and that responsibilities are appropriately assigned. The CIO, CISO/CSO, and CPO should report independently to senior management.

3. Evaluate the existing organizational structure and establish a cross-organizational team that is required to meet at least monthly to coordinate and communicate on privacy and security issues. This team should include senior management from human resources, public relations, legal, and procurement, as well as the CFO, the CIO, CISO/CSO, CRO, the CPO, and business line executives.

4. Review existing top-level policies to create a culture of security and respect for privacy. Organizations can enhance their reputation by valuing cyber security and the protection of privacy and viewing it as a corporate social responsibility.

5. Review assessments of the organization’s security program and ensure that it comports with best practices and standards and includes incident response, breach notification, disaster recovery, and crisis communications plans.

6. Ensure that privacy and security requirements for vendors (including cloud and software-as-a-service providers) are based upon key aspects of the organization’s security program, including annual audits and control requirements. Carefully review notification procedures in the event of a breach or security incident.

7. Conduct an annual audit of the organization’s enterprise security program, to be reviewed by the Audit Committee.

8. Conduct an annual review of the enterprise security program and effectiveness of controls, to be reviewed by the board Risk Committee, and ensure that identified gaps or weaknesses are addressed.

9. Require regular reports from senior management on privacy and security risks.

10. Require annual board review of budgets for privacy and security risk management.

11. Conduct annual privacy compliance audits and review incident response, breach notification, disaster recovery, and crisis communication plans.

12. Assess cyber risks and potential loss valuations and review adequacy of cyber insurance coverage.

To read or download a copy of the full report, please go to:

http://www.rsa.com/innovation/docs/CMU-GOVERNANCE-RPT-2012-FINAL.pdf

NATIONAL PREPAREDNESS REPORT IS PUBLISHED

On May 3rd, FEMA released the 2012 National Preparedness Report (NPR), which identifies significant progress made in increasing the Nation’s preparedness, not only against external threats but also against natural and technological hazards.  The Report was developed to meet the requirements of Presidential Policy Directive 8 (PPD-8): National Preparedness.  PPD-8 is aimed at strengthening the security and resilience of the United States through systematic preparation against the threats that pose the greatest risk to the security of the Nation, including acts of terrorism, cyber attacks, pandemics, and catastrophic natural disasters.

Overall, the NPR found that the Nation has made significant progress in enhancing preparedness and identifies several significant areas of national strength.  For example, the Nation has built the foundation for an integrated, all-hazards planning architecture that considers routine emergencies and catastrophic events.  Operational coordination has also improved with the adoption of the National Incident Management System (NIMS), which provides a common doctrine for incident management.  In addition, intelligence and information-sharing capabilities are stronger thanks to a national network of fusion centers and Joint Terrorism Task Forces that bring together Federal, State, and local law enforcement, Intelligence Community resources, and other public safety officials and private sector partners.  Furthermore, the Report highlighted opportunities for national improvement in cybersecurity, long-term recovery, and integrating individuals with access and functional needs into preparedness activities.

The NPR is the next step in implementing PPD-8.  Since the directive was signed by the President in March 2011, FEMA and its partners have released the first edition of the National Preparedness Goal, the National Preparedness System description, and the working drafts of the National Planning Frameworks.  A downloadable Fact Sheet about the NPR (national_preparedness_report_fact_sheet_final_5_3_2012) is also available.  For more information on PPD-8 and to download the complete Report, visit www.fema.gov/ppd8.

Questions?  Contact the PPD-8 Program Office at: PPD8-NationalPreparedness@dhs.gov.

The Great Utah ShakeOut 2012 Exercise

According to a report from the Homeland Security Information Network (HSIN) Advocate, a new electronic newsletter, FEMA and Utah state officials reported that the Great Utah ShakeOut on April 17-19, 2012, was the largest-scale earthquake drill in state history. The ShakeOut enlisted 945,068 participants to react as they would in an actual earthquake emergency.

More than 150 government officials from FEMA, the Department of Defense, Utah, Wyoming, and Colorado relied on HSIN as the primary operational information sharing and reporting platform during this multi-state exercise. Mission Advocate Rick Eaton was on duty to provide hands-on training and guidance on how to use HSIN for reporting and tracking throughout the three-day exercise.

Visit http://www.shakeout.org/utah/ to learn more about the results from the Great Utah ShakeOut exercise.

 

EPA Publishes Risk Communication Study Results

EPA’s National Homeland Security Research Center (NHSRC) has just published a new guide – Need to Know: Anticipating the Public’s Questions during a Water Emergency. The document is the culmination of numerous interviews with drinking water professionals and focus group discussions with the public about what they consider to be “practical information” that should be shared if/when there has been a contamination incident, and what methods and messages should be used to disseminate that information.  Interestingly, both groups generally agreed that the following elements should be included as part of an effective risk communication strategy:

  •   Identification of the contaminant
  •   Expected duration of water service disruption
  •   Specific description of the affected area
  •   Possibility and consequences of exposure to the contaminant
  •   Possible uses of tap water
  •   Availability and logistics associated with alternative water supplies
  •   Regularly updated information

The groups also agreed that, “Following an attack and remediation, convincing the public that their water supply is again usable poses substantial challenges…Testing procedures are poorly understood by the public, and the use of many test descriptions and numbers could engender confusion.”

To learn more about the questions asked, their relevancy rankings by the public and the water professionals, and the issues thought most likely to be misunderstood by the public, you can download a PDF copy of the report from EPA (click the document title under the “URL/Download” banner) or order hard copies from EPA using the document number EPA/600/R-12/020, 2012.

 

How Vulnerable is SCADA?

Very few of us have a good understanding of what “cybersecurity” should mean in terms of drinking water protection. It doesn’t come with SDWA regulations; it isn’t precisely a traditional public health issue. However, we all know someone (maybe even us) who has had an email account “hacked,” or we have read about “viruses” and “worms” infiltrating computer systems and compromising their ability to perform. Just because “cybersecurity” isn’t part of our comfort zone doesn’t mean we can ignore it. We all need to learn more about this as an issue that we need to deal with in drinking water. Still think that it probably wouldn’t happen to a water system in your state? Do the systems in your state have adequate SCADA protections in place? Would you know if they did or didn’t? Just look at what’s been going on at the Federal level…it’s only a matter of time before cyberthreats and compromised SCADA systems come to a water system near you…

Cyberattacks on U.S. Federal IT Systems Soared 680% in Five Years (from the DHS Open Source Report – April 27, 2012)

Cyberattacks on the federal government’s IT systems skyrocketed 680 percent in 5 years, an official from the Government Accountability Office (GAO) testified the week of April 23 on Capitol Hill. Federal agencies reported 42,887 cybersecurity incidents in 2011, compared with just 5,503 in 2006, the director of information issues for the GAO told a House Homeland Security Committee panel.

The incidents reported by the agencies included unauthorized access to systems, improper use of computing resources, and the installation of malicious software, among others. The GAO official said the sources of the cyberthreats included criminal groups, hackers, terrorists, organizational insiders, and foreign nations. “The magnitude of the threat is compounded by the ever-increasing sophistication of cyber attack techniques, such as attacks that may combine multiple techniques. Using these techniques, threat actors may target individuals, businesses, critical infrastructures, or government organizations,” he testified. The federal government’s IT systems continue to suffer from “significant weaknesses” in information security controls, he said. Eighteen of 24 major federal agencies reported inadequate information security controls for financial reporting for fiscal year 2011, and inspectors general at 22 of these agencies identified information security as a major management challenge for their agency, he told the House panel. “Reported attacks and unintentional incidents involving federal, private, and infrastructure systems demonstrate that the impact of a serious attack could be significant, including loss of personal or sensitive information, disruption or destruction of critical infrastructure, and damage to national and economic security,” he warned.

EPA Offers TTX Training Webinars

EPA has uploaded two training webinars about more effective use of their Tabletop Exercise Tool for Water Systems: Emergency Preparedness, Response, and Climate Resiliency (also known as the TTX Tool).  If you are a trainer or work with communities that want to (or need to) improve their security preparedness and resilience through use of a tabletop exercise, then this is for you!

As you may recall, the TTX Tool assists in planning, designing, conducting, and evaluating a tabletop exercise on 15 different all-hazards scenarios. These two training modules (recordings of previously aired webinars) are designed to provide more detailed guidance on how to effectively use the materials on the TTX Tool at a drinking water or wastewater utility:

  • Webinar 1 is a 60-minute webinar recording that provides a basic overview of the functionality and content of the TTX Tool.
  • Webinar 2 is a 90-minute webinar recording that provides more information on how to use and customize the materials contained on the TTX Tool to design your own tabletop exercise, along with useful tips for facilitating an exercise.

Interested?  Want to know more?  Both the TTX Tool and the training webinars can be found at http://water.epa.gov/infrastructure/watersecurity/techtools/ttx.cfm.  Due to the large file size of these webinars, please be patient as they may take a few moments to load in your web browser.

Please contact ttxtool@epa.gov with any questions or to offer feedback about the TTX or the training webinars.

 

APHL Launches New Listserv

The Association of Public Health Laboratories announces the launch of a new listserv called the APHL-PEL for use by water sector laboratories and invites all public environmental health labs to subscribe.

Often water laboratories are the first line of defense in detecting drinking water contamination and preventing exposure to harmful levels of contaminants (the attached article explores the relationship between public utility laboratories and public health protection).

This new listserv offers a forum to exchange information relevant to water laboratory practice and policy. Members are encouraged to post technical questions, requests on policy issues, common management concerns, and related topics.  The attached fact sheet (EHL article, Fall 2011) offers more information about the listserv.

Note that this listserv is open to the public (anyone can subscribe) and is not a secure channel, so it should not be used to share sensitive information. Also note that replying to a message sends your reply to everyone on the listserv.

Here’s how to sign up.   To start receiving messages, send the following message:

—————————–

To: lyris@lists.aphl.org

Subject:  (leave blank)

join aphl-pel first name_last name

—————————–

OR

————————————-

To: lyris@lists.aphl.org

Subject:  (leave blank)

subscribe aphl-pel first name_last name

————————————-

Once you are approved, further instructions and group rules will be sent to you.

If you have any questions, please contact Michael Heintz, Senior Specialist, Environmental Laboratories, at 240-485-2786, or via e-mail at michael.heintz@aphl.org.

EPA National Homeland Security Research Center Updates

PRODUCTS THAT SUPPORT THE DETECTION OF CONTAMINANTS IN WATER

Comparison of Ultrafiltration Techniques for Recovering Biothreat Agents in Water:  Report

Intentional contamination of drinking water supplies is a concern for water utilities and for the federal, state, and local agencies tasked with protecting human health and the environment. Because relatively low levels of biothreat agents can cause human health effects, sensitive detection of these agents in drinking water is needed. Most rapid response analytical techniques assay small sample volumes or require high concentrations of analytes; therefore, to enable sensitive detection of biothreat agents, large volumes of water should be collected and concentrated. Alternative large-volume water sampling techniques have been published for viruses, bacteria, and parasites, but these methods are generally optimized for particular types of microbes. However, in the event of a biological attack on a drinking water system, the biothreat agent may not be known with certainty, and deployment of multiple sampling techniques would be a logistical challenge and resource intensive. For this reason, the U.S. EPA and U.S. CDC have worked together to investigate methods to enable rapid and sensitive analysis of water samples for diverse, unidentified biothreat agents. This is the final report for the EPA and CDC Biological Sample Preparation Collaboration Project to compare EPA and CDC ultrafiltration techniques for recovering biothreat agents in water.

PRODUCTS THAT SUPPORT THE DECONTAMINATION OF WATER INFRASTRUCTURE

Development and Testing of Methods to Decontaminate a Building’s Plumbing System Impacted by Water Contamination Event: Decontamination of Bacillus Spores:  Report

This report describes the work on decontamination of Bacillus spores in building water systems done at NIST (Gaithersburg, MD). The focus is on Bacillus anthracis (BA) spores and the use of a simulant species, B. thuringiensis (BT). Simulated water systems were developed using either commercial biofilm reactors or pipe section reactors. The adhesion of BT and BA spores to biofilm-conditioned pipe materials, and the disinfection of the adhered spores by chlorine and monochloramine, were measured under different conditions, including low flow and high flow.

PRODUCTS THAT SUPPORT DETECTION OF CONTAMINATION IN BUILDING OR OUTDOORS

Technical Brief – Rapid Viability PCR Method for Detection of Live Bacillus anthracis Spores:  Summary

The EPA-developed Rapid Viability PCR (RV-PCR) method determines the presence or absence of live B. anthracis spores, which is a key analytical requirement during the cleanup phase of a response. This method can be more sensitive than the traditional culture-based method because RV-PCR uses the whole sample for analysis. RV-PCR is relatively rapid and cost-effective.

A Performance-Based Approach to the Use of Swipe Samples in Response to a Radiological or Nuclear Incident:  Report

This document describes the various swipe techniques that may be used to sample surfaces contaminated by radioactive materials following an incident such as the detonation of an improvised nuclear device (IND) or a radiological dispersal device (RDD) (“dirty bomb”). While simple in concept, procedures used to take a swipe sample may vary considerably in practice. A standard method or technique for taking swipe samples does not exist. This means the fraction of the total removable radioactive surface contamination transferred to the swipe will also vary depending on the technique used. It is anticipated that a large number of swipes will be taken, so it is essential that the data generated are accurate so that they will be useful for the decisions that need to be made. While some may be counted in the field, others will be sent to laboratories for analysis. This document was developed to provide guidance to those radioanalytical laboratories that will support EPA’s response and recovery actions following a radiological or nuclear incident.

Assessment of Liquid and Physical Decontamination Methods for Environmental Surfaces Contaminated with Bacterial Spores: Development and Evaluation of the Decontamination Procedural Steps:  Report

This report supports priorities established by the U.S. Environmental Protection Agency (EPA) National Homeland Security Research Center (NHSRC), to provide scientific expertise and evaluation on readily available, “low tech” decontamination methods which could be used to remediate and restore areas contaminated by biological threat agents such as Bacillus anthracis spores.

Bio-response Operational Testing and Evaluation (BOTE) Project:  Summary

The Bio-response Operational Testing and Evaluation (BOTE) Project is a multi-agency effort designed to operationally test and evaluate biological incident (anthrax release) response from health/law enforcement response through environmental remediation.

PRODUCTS THAT SUPPORT RISK ASSESSMENT

Acute Low Dose Bacillus anthracis Ames Inhalation Exposures in the Rabbit:  Report

Credible dose-response relationships are needed to more accurately assess the risk posed by exposure to low-level Bacillus anthracis contamination during or following a release. The objective of this study was to evaluate physiological responses following an acute exposure to low doses of B. anthracis Ames spores.

In-Office Dispersion and Exposure to Contaminants Originating From an Unfolded Letter:  Book Chapter

This chapter seeks to begin to quantify and study the fluid and aerosol dynamic processes of exposures resulting from dust lying on the surface of a letter being resuspended by room eddies.

Review and Design of Low Dose Bacillus anthracis Inhalation Exposures, Meeting Report:  Report

In July 2011, EPA NHSRC sponsored a Review and Design of Low-Dose Bacillus anthracis Inhalation Exposures meeting to review the research done to date and to identify gaps that future research should address regarding low-dose exposures. This effort brought together many organizations across the country, including EPA’s program offices, federal government agencies and laboratories, academia, and the private sector. Participants of the conference shared knowledge, explored differing opinions, and expanded understanding of the current state of research for low-dose exposure and future research needs. This report represents a summary of the presentations and discussions during the meeting.

PRODUCTS THAT SUPPORT WASTE TREATMENT OR DISPOSAL 

Thermal inactivation of viable Bacillus anthracis surrogate in a bench scale enclosed landfill gas flare:  Journal article

A bench-scale landfill flare system was designed and built to test the potential for landfilled biological spores that migrate from the waste into the landfill gas to pass through the flare and exit into the environment as viable. The residence times and temperatures of the flare were characterized and compared to full-scale systems. Geobacillus stearothermophilus and Bacillus atrophaeus, nonpathogenic spores that serve as surrogates for Bacillus anthracis, the causative agent for anthrax, were investigated to determine whether these organisms would be inactivated or exhibit growth (i.e., remain viable) after passing through a simulated landfill flare.

EPA’s Incident Waste Assessment & Tonnage Estimator (I-WASTE):  Summary

The I-WASTE tool has been developed by EPA’s Homeland Security Research Program to address waste management information gaps. I-WASTE provides information on types and volumes of waste materials and potential contaminants generated during an incident, location and contact information for potential treatment/disposal facilities, as well as health and safety information to ensure public and worker safety during the removal, transport, treatment, and disposal of contaminated waste and debris.

EPA Releases Community-Based Water Resiliency Electronic Tool Update

EPA has just announced the release of version 1.1 of the Community-Based Water Resiliency (CBWR) Tool.  This updated version of the CBWR Tool includes more than 400 tools and resources to enhance a community’s resiliency to water service disruptions.

A main component of the tool is the self-assessment, which provides users with questions tailored to their stakeholder group and culminates in a self-assessment summary report. The report details the strengths and weaknesses of the user’s community in terms of resiliency and recommends tools and resources that can be used to enhance it. Users can then navigate to the CBWR toolbox, where they can find more information about the recommended tools and resources.

To download the new version of the Tool, please visit http://water.epa.gov/infrastructure/watersecurity/communities/

National Environmental Laboratory Professionals Week April 23–27

The Association of Public Health Laboratories (APHL) wants to say “thanks!” to all of the environmental laboratories “…for the work you do every day to protect people from environmental threats!  You are an important part of the public health system.”  APHL has proposed establishing a National Environmental Laboratory Professionals Week on April 23-27 to promote the training and professional development of environmental laboratorians.  This, not coincidentally, is the same week that celebrates the efforts of National Medical Laboratory Professionals.

APHL has developed supplemental materials for environmental laboratorians to use to celebrate that week.  Suggested activities range from participating in training webinars and undertaking “green” activities to holding contests (lab poetry?) or inviting special guest speakers to talk about a regional environmental project or topic.  A more detailed list is available in APHL’s “Potential Activities” document.

State drinking water programs are encouraged to share these materials and participate, as appropriate…and show support for their state labs.  As an extra incentive, APHL is offering “prize packs” that can be distributed to staff for the first ten laboratories expressing interest in holding celebration events.  Send expressions of interest to Megan Latshaw at APHL (megan.latshaw@aphl.org).