This article discusses some ongoing programs in the Emergency Services Sector (ESS) that can help your agency to identify its cyber footing.
.
Protecting and ensuring the continuity and resilience of the critical infrastructure and key resources (CIKR) of the United States are essential to the Nation’s security, public health and safety, economic vitality, and way of life. To that end, Homeland Security Presidential Directive 7 (HSPD-7) has identified the Emergency Services Sector (ESS) as one of the Nation’s 18 Critical Infrastructure and Key Resources (CIKR) Sectors. CIKRs are the assets, systems, and networks sufficiently vital to the United States so that the incapacity or destruction of any of the elements would have a debilitating impact on security, national economic security, public health or safety. CIKR assets, systems, and networks can be physical, virtual, public, or private. Each has its own strengths, weaknesses, and access points. i
.
Another DHS website states the ESS is representative of the following first-responder disciplines: emergency management, emergency medical services, fire, hazardous material, law enforcement, bomb squads, tactical operations/special weapons assault teams, and search and rescue. All first-responders within the ESS are individuals possessing specialized training from one or more of these disciplines. The ESS has numerous interdependencies within all CIKR sectors. Most significantly, it is the primary protector for all other CIKRs, including nuclear reactors, chemical plants, and dams. All other CIKR facilities depend on the ESS to assist with planning, prevention, mitigation activities, and responses to day-to-day incidents and catastrophic situations. ii
.
Given these risks and the recent spike in news coverage on cyber-security topics, emergency service agencies (or sector partners) need to review their agencies’ cyber security protections. Smaller agencies should begin by reviewing their own or their parent organization’s Information Technology (IT) department and its IT security policies. A brief self-consultation will help reveal the level of concern the agency shows for cyber security. Once completed, the agency must weigh its risks and decide upon the level of risk they willing to accept. Action must then be taken to mitigate those key risks. If an agency has not done these things it must also decide whether to spend money on private security firms or seek assistance from federally sponsored programs.
.
One of the latter programs is the Cyber Resiliency Review from the National Cyber Security Division (NCSD) of DHS. Here, an agency can contact the Infrastructure Protection section of DHS within the ESS and schedule a cyber resiliency review.iii The process is fairly painless, there is no cost to the agency for the review and it’s done at the agency’s locale. The agency will have to set people down with the NCSD for a few days and be open and free with answers. The results of the review are exclusively owned by the agency and, as with any other DHS review, covered by security documents and protocol to keep the outcome private. The review gives a better understanding of the agency’s IT department roles and needs. My experience shows this to be a truly eye-opening experience.
.
Sources: