Emergency Management perspective on the cascading impacts and interconnectedness that cyber brings between infrastructure sectors and ways that emergency managers can help identify and address gaps in preparedness and response capability.
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Cascading Effects of Cybersecurity
1. Cascading Effects of Cyber
Security on Ohio
Patrick Sheehan, Plans Branch Chief (Interim)
Ohio Emergency Management Agency
September 19, 2012
2. Today’s Cyber Threat
• Cyber threats to critical infrastructure continue to evolve:
– Foreign nationalists
– Criminals
– Hackers
– Disgruntled employees
• Attacks on government have increased 680% over the past five years
– Cyber incidents happen every day
– Negative impact to both economic and national security
– Loss of classified information and intellectual property worth millions
The “cyber threat is one of the most serious economic and national security
challenges we face as a nation…America’s economic prosperity in the 21st
century will depend on cyber security.” – President Barack Obama
3.
4. Planning Efforts
• Cyber response requires a rapid response, which is highly
dependent upon the development of trusted relationships
between the public and private sector
• May 2009 – Federal Cyberspace Policy Review document
recommends development of cyber security incident
response plans, but agencies have been slow to react
• September 2010 – National Cyber Incident Response Plan
(NCIRP) is developed by DHS, providing a federal strategy for
coordinating operational response activities among all forms
of government; however…
• 85% of infrastructure is owned by the private sector
No single agency has authority over cyberspace.
5. Critical Infrastructure Sectors
• 17 sectors federally identified by Homeland Security
Presidential Directive-7 (HSPD-7) in 2003
– An 18th sector, Critical Manufacturing, was added in 2008
• Similar to Emergency Support Functions within EMA, each
sector is managed by a lead or Sector-Specific Agency (SSA)
• In accordance with the National Infrastructure Protection Plan
(NIPP), each SSA is responsible for:
– Developing and implementing a Sector-Specific Plan (SSP)
– Encouraging the development of appropriate information-
sharing and analysis mechanisms throughout the sector
6. Critical Infrastructure Sectors
• Food and Agriculture
• Banking and Finance
• Chemical Facilities
• Commercial Facilities
• Communications
• Critical Manufacturing
• Dams
• Defense Industrial Base
• Emergency Services
• Energy
• Government Facilities
• Healthcare and Public
Health
• Information Technology
• National Monuments and
Icons*
• Nuclear Reactors, Materials,
and Waste
• Postal and Shipping
• Transportation Systems
• Water
*Not applicable to Ohio
8. Food and Agriculture
• Critical interdependencies with Water, Transportation, Energy,
Banking and Finance, Chemical, Dams
• Sector accounts for 1/5th of the nation's economic activity
• 75,000 mostly privately owned farms in Ohio
• Contributes $93 billion to state’s economy and 33.5K jobs
• Ohio’s diagnostic labs play a vital role in health and human
safety:
– Reducing food-borne illness by 10% would keep about 5
million Americans from getting sick each year
– Preventing a single fatal case of E. coli O157 infection saves
an estimated $7 million
• More farms with automated systems “on-line”
9. Banking and Finance
• Critical interdependencies with Energy, Information
Technology, Transportation Systems, and Communications
Sectors
• Especially vulnerable to large-scale power outages, echoing
effects of natural disasters, and cyber attacks demonstrate the
wide range of potential risks facing the sector
• SSA – Ohio Department of Commerce
• More than 4.5K Ohio-based financial institutions move money
throughout and beyond the state and country
• Public-private partnerships already in place – Financial
Services-Information Sharing and Analysis Center (FS-ISAC
• Highly-automated industry
10. Chemical Facilities
• Dependent on, depended upon by, and interdependent with
Communications, Critical Manufacturing, Emergency Services,
Energy, Food and Agriculture, Healthcare and Public Health,
Information Technology, Transportation Systems, and Water
Sectors
• Majority of industry is privately owned
• Employs nearly 46K Ohioans; contributes $20 billion to state
• Products are used in thousands of applications, including
medical devices, food processing, construction materials,
paints, paper, plastics, pharmaceuticals, electronics, water
treatment, and clothing.
• Highly-regulated and increasingly web-based processes
11. Commercial Facilities
• Further sub-divided into:
– Public assembly, sports league, gaming, lodging, outdoor
events, entertainment and media, real estate, and retail
venues
• More vulnerable to cyber attacks because the general public
can move freely throughout venues without the deterrent of
highly visible security barriers
• Majority of facilities are privately owned and operated, with
minimal interaction with the Federal government and other
regulatory entities.
• Work closely with local law enforcement
12. Communications
• Critical interdependencies with:
– Energy, Information Technology, Banking and Finance,
Emergency Services, and Postal and Shipping Sectors
• Underlying backbone for all day-to-day operations –
public sector, private sector, and non-profit
• Providers routinely share facilities and technology to
ensure interoperability, leading to shared cyber
vulnerabilities
• Again, the private sector are owners and operators of the
majority of communications infrastructure
• Public safety HIGHLY dependent upon this sector!
13. Critical Manufacturing
• Added as a critical sector in 2008
• Critical interdependencies with all other sectors
• Subdivided into Metal, Machinery, Electrical, and
Transportation Manufacturing
• Highly-automated, computerized manufacturing processes
– More than $12.5 million recently approved for innovation
in manufacturing technology through “Third Frontier
Initiative”
• Home to one of two “centroid” cities in the country (Dayton)
– Within a one-day drive of 50% of North America’s
population and near 70% of manufacturing capacity
– Numerous seaports along Lake Erie
14. Dams
• Critical interdependencies with Emergency Services, Energy,
Food and Agriculture, Transportation Systems, and Water
• More than 1550 dams in Ohio, from temporary to Class 4
(small to large)
• More than half (65%) are privately owned; 85% regulated
• Increasingly computerized systems provide economic,
environmental, and social benefits including:
– Hydroelectric power, river navigation, water supply,
wildlife habitat, waste management, flood control, and
recreation
15. Defense Industrial Base
• Critical interdependencies with all other Sectors
– Government is highly dependent upon this sector
• Especially vulnerable to cyber attack due to nature of sector
(military weapons manufacturing, research, & development)
• Ohio is home to many bases, manufacturers, and research
and development companies
– GE Aviation, Joint Systems Manufacturing Center, Timken, Goodrich,
Boeing, Honeywell, L3 Communications, Lockheed Martin, Armor
Holdings
• Dayton is designated as a national aerospace hub, ranking 5th
in U.S. in production
– Aircraft engine manufacturing accounts for nearly 75%
– Wright-Patterson Air Force Base contributes $5.1 million to economy
16. Emergency Services
• Critical interdependencies with Communications, Information
Technology, and Transportation Systems
• All other sectors depend upon the ESS for protection
– Presents unique challenges in protecting the ESS itself
• SSA – Ohio Department of Public Safety
• Broken down into subcategories of:
– Law Enforcement, Fire and Emergency Services, Emergency
Management, Emergency Medical Services, and Public Works
• Complex and dispersed nature of the sector makes it difficult
to disable the entire nationwide system; HOWEVER, this
presents challenges in coordinating emergency responses
across disciplines, regions, and levels of government
17. Energy
• Critical interdependencies with Transportation Systems
– Highlighted by heavy reliance on pipelines to distribute products
– All other sectors dependent upon Energy Sector for power and fuel
• 80% privately owned
• Many owners and operators have extensive experience
abroad with infrastructure protection and have more recently
focused their attention on strengthening industry cyber
security
• Ohio, or “The Solar Valley, is #2 in solar manufacturing
• Home to Columbia Gas, Marathon, and AEP
• 5th largest consumer of electricity in U.S.
• “Shale Rush” (frocking) in last two years
18. Government Facilities
• SSA – Ohio Department of Administrative Services
• More vulnerable to cyber attacks because many facilities are
open to the public for business activities, commercial
transactions, or recreational activities; while others contain
highly sensitive information, materials, processes, and
equipment
• In addition to physical structures, the sector includes cyber
elements that contribute to the protection of assets
• Education Facilities Subsector – pre-K through 12th grade
schools, higher education, business and trade schools
– Recent rise in “cyber charter” schools presenting their own
set of concerns
19. Healthcare and Public Health
• Critical interdependencies with Communications, Emergency
Services, Energy, Food and Agriculture, Information
Technology, Transportation Systems, and Water Sectors
• SSA – Ohio Department of Health
• Protects all sectors from hazards such as terrorism, infectious
disease outbreaks, and other natural disasters
• Collaboration and information sharing between the public and
private sectors is essential to increasing resilience of the
nation's HPH critical infrastructure.
• Plays significant role in response and recovery across all other
sectors in the event of disaster
• Many medical manufacturers, pharmaceutical companies, and
universities
20. Information Technology
• Critical interdependencies with the Communications Sector,
first and foremost (the internet); although all other sectors,
and even the general public, are highly dependent upon the
sector itself
• SSA – Ohio Department of Administrative Services, OIT
• Complex and dynamic environment makes identifying threats
and assessing vulnerabilities difficult and requires that tasks
be addressed in a collaborative and creative fashion
• Operated by a combination of owners, operators, and
associations that maintain and reconstitute networks
• Ohio Supercomputer Center in Columbus is largest in country
• Blurring of the lines between communications & IT providers
21. National Monuments & Icons
• Not particularly applicable to Ohio, as our state has no
nationally-recognized national monuments or icons located in
or near it
• Of more importance to national identity, as the sector is
essentially composed of physical structures which are of
greater vulnerability to intentional attacks.
• While the public nature of the sector limits the range of
protective measures available, there are minimal cyber issues
associated with national monuments due to the nature of the
mainly federally-owned assets
22. Nuclear Reactors, Materials,
and Wastes
• Critical interdependencies with Chemical, Energy, Healthcare
and Public Health, and Transportation Systems Sectors
• Highly regulated sector
– Cyber security of sector is of utmost importance due to the nature of
the sector
– Cyber Systems Security Roadmap
• Two nuclear power plants, both located along Lake Erie and
owned by FirstEnergy:
– Davis-Besse Nuclear Power Plant in Oak Harbor, pressurized water
reactor, license expiring in 2017
– Perry Nuclear Power Plant in North Perry, one of largest boiling water
plants in the country, license expiring in 2026
23. Postal and Shipping
• Critical interdependencies with all sectors, in particular:
– Banking and Finance, Commercial Facilities, Government Facilities,
Healthcare and Public Health, Communications, Energy, Information
Technology, and Transportation Systems Sectors
• Highly regulated and concentrated sector, with only a handful
of providers holding 90% of the market share
• Assets include over 400 high-volume automated processing
facilities, 40K local delivery units, 50K transport vehicles, and
dedicated information and communications networks
• Vulnerable to cyber attacks because the sector delivers to
virtually all state, national, and international ports
24. Transportation Systems
• Critical interdependencies with all sectors
• Six key subsectors, or modes:
– Aviation, Highway Infrastructure and Motor Carrier, Maritime
Transportation Systems, Mass Transit and Passenger Rail, Pipeline
Systems, Freight Rail
• Many national transportation companies and 99 airports
• Increasing cyber concerns, as automated public transit has
seen a 4%-10% increase (depending upon metro area) in
recent years, due to rising fuel costs
25. Water
• Critical interdependencies with all sectors, specifically:
– Energy, Food and Agriculture, Transportation Systems, Emergency
Services, Healthcare and Public Health
• Includes both drinking water and wastewater utilities
• Approximately 84% of the U.S. population receives their
potable water from drinking water systems; 75% have their
sanitary sewerage treated by wastewater systems
– Roughly 5,000 facilities service 10.8 million Ohioans
• Vulnerable to cyber attacks due to high automation.
Disruptions could result in illness, casualties, or denial of
service that would impact public health and economic vitality.
26.
27. Implications on Infrastructure
• Increased Online Control = Greater Vulnerability
– Electrical power grids
– Water and transportation systems
– Oil pipelines
– Refineries
– Power-generation plants
– Water/Wastewater plants
• Aging infrastructure is more vulnerable to
sophisticated cyber crime
28. Implications on Infrastructure
“When transformers fail, so too will water
distribution, waste management,
transportation, communications, and many
emergency and government services…Given the
average of twelve month lead that is require to
replace a damaged transformer today with a
new one the economic and society disruption
would be enormous.”
–Dr. Stephen Flynn, Northeastern University
29. Connecting Ohio’s Infrastructure
• Strengthening our cyber security is imperative because of the
delicate balance between critical infrastructure sectors. A cyber
attack on one sector can have cascading effects across all 18
infrastructure sectors.
• More public-private partnerships in the following sectors:
– Banking and Finance
– Commercial Facilities
– Critical Manufacturing
– Defense Industrial Base
– Energy
– Information Technology
– Postal and Shipping
• Interdependencies among the critical sectors have been
identified; however, a means to strengthen them must be
developed
30. Moving Forward
• Cyber security will play a greater role on emergency in the foreseeable
future as cyber attacks continue to grow in numbers and sophistication
• Consider societal, technological, and environmental changes in planning
• Understand the impacts of new technology and how best to implement it
• Incorporate cyber security into governance and response plans
• Seek technologically-savvy employees who can model data, run analytics,
and track mission effectiveness to enhance decision-making
• Build interdependent information technology capabilities with
redundancies
• Incorporate technologies based on simulation into exercises
It is imperative that we all work together – government, private sector, non-
profit, and the public
31. Questions?
Patrick Sheehan, Plans Branch Chief (Interim)
Ohio Emergency Management Agency
(614) 799-3693 Office
pcsheehan@dps.state.oh.us
Thank You
Editor's Notes
Presentation made by FEMA to the Northeast Disaster Recovery Information X-Change (NEDRIX) re: NLE 2012
March 14, 2012
According to InfoSec (http://www.infosecisland.com/blogview/21131-GAO-680-Percent-Increase-in-Government-Cyber-Attacks.html), cyber attacks on government have increase 680% over the past half decade.
Quote from President Obama found in following article, no reference given (http://mccaul.house.gov/press-releases/house-passes-mccaullipinski-cybersecurity-enhancement-act-to-secure-federal-networks-critical-infrastructure-and-americas-competitive-edge/)
Presentation made by FEMA to the Northeast Disaster Recovery Information X-Change (NEDRIX) re: NLE 2012
March 14, 2012
NCIRP is not enough! According to the U.S. Government Accountability Office, 85% of infrastructure is owned by the private sector, so security must start there. This figure can be found in the US. GAO’s report to congressional requestors on Critical Infrastructure Protection: Progress Coordinating Government and Private Sector Efforts, released in 2006. http://www.gao.gov/assets/260/252603.pdf
Cyberspace Policy Review http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf
NCIRP available at http://www.federalnewsradio.com/pdfs/NCIRP_Interim_Version_September_2010.pdf
From DHS critical infrastructure website: http://www.dhs.gov/critical-infrastructure
The 18 federally identified critical infrastructure sectors. The National Monuments and Icons sector is not Ohio-specific, as our State has no federally-identified monuments or icons.
Ohio’s critical infrastructure is so interconnected that only by working together can government and business be successful in securing our state. The delicate balance of interdependency between sectors can cause cascading effects: when an event impacts one, it may affect other sectors as well.
The link between Ohio’s infrastructure and national security is profound, as Ohio’s economy is the 8th largest in the country. Protecting Ohio’s infrastructure is a means to ensure the continuity of our way of life and mitigate money lost through criminal acts such as cyber crime, through either attacks on virtual or physical structures. Investment in cyber security can help all of our critical infrastructure sectors become more secure and resilient, since infrastructure is a system of systems where disruption in one sector seriously impacts another or potentially causes a delay in recovery, causing an escalation of impact. Today’s businesses utilize just-in-time inventories
and disruption would have significant consequences. In all critical sectors, protective plans, procedures, and policies should be in place to enhance physical deterrence, cyber security, assess geographic effects, and understand financial impact of techniques to reduce vulnerability, not just within a single sector, but across the system of critical sectors.
Ohio Homeland Security Look Back to Move Forward, released on the 10th anniversary of 9/11
http://www.publicsafety.ohio.gov/links/LBtMF.pdf
Sector overview from DHS’s website: http://www.dhs.gov/food-and-agriculture-sector. Specific Ohio facts from the Ohio Department of Agriculture. Quick sheet: http://www.agclassroom.org/kids/stats/ohio.pdf and 2010 annual report.
Sector overview from DHS’s website. Specific Ohio facts from the Ohio Department of Commerce, Division of Financial Institutions.
Sector overview from DHS’s website. Specific Ohio facts from the Ohio Chemistry Technology Council: http://www.ohiochemistry.org/aws/OCTC/pt/sp/home_page
Sector overview from DHS’s website.
Sector overview from DHS’s website.
Sector overview from DHS’s website. Ohio-specific facts from the Ohio Department of Development’s website:
Sector overview from DHS’s website. Ohio-specific facts from the Ohio Department of Natural Resources.
Sector overview from DHS’s website, Ohio Department of Development
Sector overview from DHS’s website, Ohio Department of Development
Sector overview from DHS’s website, Ohio specific facts from Energy Industries of Ohio
Sector overview from DHS’s website, DAS’s website
Sector overview from DHS’s website, Ohio Department of Health
Sector overview from DHS’s website, DAS’s website
Sector overview from DHS’s website
Sector overview from DHS’s website, Ohio specific facts from FirstEnergy’s website
Sector overview from DHS’s website
Sector overview from DHS’s website, Ohio Department of Transportation
Sector overview from DHS’s website, Ohio EPA, and Ohio WARN
Our country’s greatest vulnerability is in the security of privately owned infrastructure. All of the examples listed are interconnected, which will be explained in the following slides.
Comments by Dr. Flynn in testimony to Congress, on April 24, 2012, urging for the passage of four bills scheduled for vote, including the Cyber security Enhancement Act.
http://mccaul.house.gov/hidden-section/cascading-effect-of-cyber-attack-could-cost-lives-devastate-economy/
Testimony available on YouTube
Our country’s greatest vulnerability is in the security of privately owned infrastructure. All of the examples listed are interconnected, which will be explained in the following slides.
Comments by Dr. Flynn in testimony to Congress, on April 24, 2012, urging for the passage of four bills scheduled for vote, including the Cyber security Enhancement Act.
http://mccaul.house.gov/hidden-section/cascading-effect-of-cyber-attack-could-cost-lives-devastate-economy/
Testimony available on YouTube
Ohio Homeland Security Look Back to Move Froward
Cyber security will continue into and may even play a greater role on emergency management in the foreseeable future. Assessing future factors challenging our State includes considering the societal, technological, and environmental changes as well as reasonable threats and hazards Ohio may face. To ensure we learn from the past, it is imperative that we continuously update our plans so that our state is well prepared to confront future threats, risks, and hazards. Global economic conditions are fragile, and recent events have caused us to focus on necessity – whether at home or in our operations. In an uncertain environment, it is imperative that we all work together – government, private sector, non-profit, and the public. The echoing effects of 9/11 on the emergency and first responder community may have originated with the threat of a major terrorist attack launched by al Qaeda from overseas, but homegrown cyber criminals such as “hactivists” or identity thieves, are growing in numbers. We must understand the impacts of new technology and how best to implement it to respond to and recover from events. One way to accomplish this is by seeking out a new generation of technologically-savvy employees who can model data, run analytics, and track mission effectiveness to enhance decision-making. We will need to build interdependent information technology capabilities with redundancies, while incorporating cyber security into governance, plans, policies, and procedures. Technologies incorporating simulation will lead to improved participation in exercises and increased responsiveness. The essentials of emergency management – communication, coordination, collaboration – will not and should not change, but the tactics, techniques, and procedures affected by the factors listed above will significantly test Ohio’s ability to respond and protect infrastructure that is integrated into every aspect of the life of an Ohioan.
Ohio Homeland Security Look Back to Move Forward