Homeland Security and Emergency Preparedness, Third Edition
CRC Press – 2013 – 283 pages
Since the initial inception of this book, there have been significant strides to safeguard the operations of our world’s infrastructures. In recent years, there has also been a shift to more fluid postures associated with resilience and the establishment of redundant infrastructure. In keeping with the fast-changing nature of this field, Critical Infrastructure: Homeland Security and Emergency Preparedness, Third Edition has been revised and updated to reflect this shift in focus and to incorporate the latest developments.
The book begins with the historical background of critical infrastructure and why it is important to society. It then explores the current trend in understanding the infrastructure’s sensitivity to impacts that flow through its networked environment. Embracing an "all-hazards approach" to homeland security, critical infrastructure protection and assurance, and emergency management, the authors examine:
In the final chapters, the book discusses current information sharing and analysis centers (ISACs), distributed control systems, and supervisory control and data acquisition (SCADA) systems and their challenges. It concludes by exploring current challenges associated with establishing a trusted network across various sectors—demonstrating how models of information can be categorized and communicated within trusted communities to better assure the public-private relationship.
Introduction to Critical Infrastructure Assurance and Protection
What Is Critical Infrastructure?
What Is the Private Sector?
What Is the Public Sector?
What Is CIP?
What Is CIA?
What Are Public-Private Partnerships?
Critical Infrastructure Functions
Evolution of Critical Infrastructure
Demand, Capacity, Fragility, and the Emergence of Networks
What Are We Trying to Protect? The Concept of Capacity
Demand: The Reason for Capacity
At the Regional (Small System) Level
Dissolution and Convergence: An Emerging Risk
Marking the Journey
Beyond National Frameworks
Meeting the Dragons on the Map
Who Owns the Treasure?
Applying the NRF to National Response Efforts
How Does the NRF Tie in with Local Activities?
Areas of Potential Risk or Concern
What Is a Public-Private Partnership (P)?
The P Spectrum
Establishment of New Capacity
Maintenance of Existing Capacity
Networked User Fees and the Need for Oversight
Other Forms of Public-Private Cooperation and the Erosion of Governance
The Reinvention of Information Sharing and Intelligence
Data vs Information vs Intelligence
The Importance of Background to Context
Context Affecting Sensitivity
Enter the Cloud
The Cloud as an Amplifier
Clouds and Concealed Conduits
Linking the Trusted Computing Base and User Communities
Barriers to Information Sharing
The Rise of Open Sources
Open-Source Information and Intelligence
An Approach to Information Sharing—The Consequence-Benefit Ratio
Emergency Preparedness and Readiness
The Rise of Core Offices
First Responder Classifications
Example: North American Emergency Response Guidebook
Operational Levels Defined
Level A: Operations Level
Level B: Technician Level
Know Protocols to Secure, Mitigate, and Remove HAZMAT
Additional Protective Measures
Understand the Development of the IAP
Know and Follow Procedures for Protecting a Potential Crime Scene
Know Department Protocols for Medical Response Personnel
National Fire Prevention Association
OSHA Hazardous Waste Operations and Emergency Response
Skilled Support Personnel
DOT HAZMAT Classifications
Importance of Implementing an Emergency Response Plan
Security Vulnerability Assessment
What Is a Risk Assessment?
Methods of Assessing Risk
Threat Risk Equations
Comparison of Quantitative vs Qualitative Risk Assessments
Challenges Associated with Assessing Risk
Other Factors to Consider When Assessing Risk
What Is an SVA?
Reasons for Having an SVA
What Is a Threat?
What Is Vulnerability?
Vulnerability Assessment Framework
Reasons for Using the VAF
Federal Information Systems Control Auditing Manual
General Methodologies of FISCAM Auditing
What Are General Controls?
What Are Application Controls?
Caveats with Using an SVA
How the SVA Is Used
Audience of an SVA
Initial SVA Plan
Necessary Steps of an SVA
Critical Success Factors
Initial Steps of the VAF
VAF Step 1: Establish the Organization MEI
VAF Step 2: Gather Data to Identify MEI Vulnerabilities
VAF Step 3: Analyze, Classify, and Prioritize Vulnerabilities
The Role of Oversight
The Effect of Globalization
Conventions, Laws, and Regulations
Guidance and Best Practices
Prescriptive vs Performance Based
Impact on Criminal, Administrative, and Civil Law
Potential Abuses of Authority and Credibility
Government vs Industry Self-Regulation
Knowledge Gaps Arising from Performance-Based Regulation
Predictability in Prescriptive Systems: A Systemic Vulnerability
Information Sharing and Analysis Centers
What Is a Critical Infrastructure Asset?
What Is an ISAC?
Advantages of Belonging to an ISAC
Access to ISAC Information
Expanded ISAC Services
Surface Transportation ISAC
Supply Chain ISAC
Public Transit ISAC
American Public Transportation Association
Association of American Railroads
Transportation Technology Center, Inc
Association of State Drinking Water Administrators
Water Environment Research Foundation
Association of Metropolitan Water Agencies
Association of Metropolitan Sewage Agencies
National Association of Water Companies
American Water Works Association
AWWA Research Foundation
Financial Services ISAC
Science Applications International Corporation
Electricity Sector ISAC
Emergency Management and Response ISAC
Information Technology ISAC
National Coordinating Center for Telecommunications
Communications Resource Information Sharing
Government Emergency Telecommunications Service
Telecommunications Service Priority
Shared Resources High Frequency Radio Program
Network Reliability and Interoperability Council
National Security Telecommunications Advisory Committee
Wireless Priority Services
Alerting and Coordination Network
Energy Sector Security Consortium
Chemical Sector ISAC
Chemical Transportation Emergency Center (CHEMTREC®)
Healthcare Services ISAC
Cargo Theft Information Processing System
American Trucking Associations
Food and Agriculture ISAC
Food Marketing Institute
Real Estate ISAC
The Real Estate Roundtable
Research and Educational Networking ISAC
Biotechnology and Pharmaceutical ISAC
Maritime Security Council
Marine Transportation System National Advisory Council
Supervisory Control and Data Acquisition
What Are Control Systems?
Types of Control Systems
Components of Control Systems
Vulnerability Concerns about Control Systems
Adoption of Standardized Technologies with Known Vulnerabilities
Connectivity of Control Systems to Unsecured Networks
Implementation Constraints of Existing Security Technologies
Insecure Connectivity to Control Systems
Publicly Available Information about Control Systems
Control Systems May Be Vulnerable to Attack
Consequences Resulting from Control System Compromises
Threats Resulting from Control System Attacks
Issues in Securing Control Systems
Methods of Securing Control Systems
Technology Research Initiatives of Control Systems
Security Awareness and Information Sharing Initiatives
Process and Security Control Initiatives
Securing Control Systems
Implement Auditing Controls
Develop Policy Management and Control Mechanisms
Control Systems Architecture Development
Segment Networks between Control Systems and Corporate Enterprise
Develop Methodologies for Exception Tracking
Define an Incident Response Plan
Similarities between Sectors
US Computer Emergency Readiness Team CSSP
Control Systems Cyber Security Evaluation Tool (CSET)
SCADA Community Challenges
The Future of SCADA
Critical Infrastructure Information
What Is Critical Infrastructure Information?
How Does the Government Interpret CII?
Exemption 3 of the FOIA
Exemption 4 of the FOIA
Section 214 of the Homeland Security Act
Enforcement of Section 214 of the Homeland Security Act
What Does "Sensitive but Unclassified" Mean?
Information Handling Procedures
Freedom of Information Act
Need to Know
"For Official Use Only"
Enforcement of FOUO Information
Reviewing Web Site Content
Enforcement of Export-Controlled Information
Source Selection Data
Enforcement of Source Selection Data
Enforcement of Privacy Information
Unclassified Controlled Nuclear Information
Enforcement of UCNI
Critical Energy Infrastructure Information
Enforcement of CEII
Controlled Unclassified Information
Lessons Learned Programs
Sensitive Unclassified Nonsafeguards Information (SUNSI)
Safeguards Information (SGI)
Bob Radvanovsky is an active professional in the United States with knowledge in security, risk management, business continuity, disaster recovery planning, and remediation. He has significantly contributed to establishing several certification programs, specifically on the topics of critical infrastructure protection and critical infrastructure assurance. Bob has special interests and knowledge in matters of critical infrastructure, and has published a number of articles and white papers regarding this topic. He has worked with several professional accreditation and educational institutions, specifically on the topics of homeland security and critical infrastructure protection and assurance.
Allan McDougall is recognized as a technical expert in the corporate security management domain and has participated in a number of emerging endeavors, including the Strategic Leadership in Government Security and other courses. Within the private sector, his desire to look toward sound and innovative solutions has him involved in efforts to professionalize critical infrastructure protection, including the development of certification level training. He is certified as a Professional in Critical Infrastructure Protection, Certified Master Antiterrorism Specialist, and Certified Information Systems Security Professional. Allan’s primary focus is on the transportation sector, where he works within a number of communities.