What is the Top Sector at Risk for Cyberattacks?

3D Electric powerlines over sunrise

According to this article in the Insurance Business America magazine, it’s the energy sector.  This is no surprise, even without the statistics provided in the article; although the statistics are pretty staggering.  The article states that according to DHS “more than 50% of investigated cyber incidents from October 2012 to May 2013 occurred within the energy sector”.  The advice in the article is pretty sound and coincides well with what I’ve suggested many times in this blog… be prepared!  Not only do power utilities need to have their own cybersecurity experts and the policies, plans, and infrastructure to prevent cyberattacks, they also need to be prepared for the potential success of the attackers.  They need to know who to notify (and how), and what actions to take.  Further, those that depend on electricity should have an alternate means of obtaining electricity to meet essential needs.

Threats to our infrastructure show just how interconnected we are and how interconnected our critical infrastructure is.  This is the primary reason why our energy infrastructure, which touches every other sector, is so essential.  We must ensure that we have in place prevention and protection plans, such as cybersecurity plans; hazard mitigation plans to lessen the impacts; response plans to address critical issues; and recovery plans to return to operations.  Business continuity is also an essential component of this – even if you are an NGO or government entity (continuity of government).

Along with proper planning, training, and exercises, we need to continue to promote legislation which requires measures for cybersecurity and protection of our critical infrastructure.

What are your major critical infrastructure concerns?

© 2015 – Timothy Riecker



Adapting to the Cyber Threat – Who Holds Liability?

Over the past year or so, even the past few months, we have seen a huge increase in high visibility hacks and cyber attacks.  Among the highest profile attacks are:

  • Target department stores suffered the theft of credit card holder data
  • the US government had a huge theft of information of government employees as well as theft of tax payer data from the IRS
  • and just recently the theft and subsequent public release of information of Ashley Madison account holders.

While cyber attacks and hacking didn’t just start occurring recently, our society, laws, and policies have yet to grow to truly keep up with prevention, mitigation, protection, response, and recovery from these incidents.  This is a familiar place we find ourselves in with other human-caused incidents such as mass shootings.  We have recently seen some insurance companies offering cybersecurity policies.  I’m not knowledgeable of the terms and conditions of these policies, but I’m hopeful policy holders are required to have cybersecurity policies and programs in place to help prevent and mitigate against the impacts of a cyber attack.  Presumably, the insurance  policy covers financial losses to the company and perhaps even litigation.  Consumers have a variety of protections available for identity theft offered through banks and credit cards.

With the recently announced class action lawsuit against Ashley Madison, I began thinking about where the real liability for a cyber attack lies.  Certainly those individuals whose personal information was stolen (moral issues aside) may suffer some measure of financial loss.  The same can be held true for those whose data was stolen from the Target and US government hacks.  Those individuals trusted and were generally assured that their personal and financial information would be protected.  These assurances place a liability on the entity that holds their information.  However, we tend to treat liability differently for disasters and acts of terrorism where entities, so long as they made reasonable and prudent efforts to avoid impacts, are held harmless; or in the event of a criminal act, we see liability shifted to the perpetrators of the criminal act.

I’m convinced that any system can eventually be hacked and suffer either data loss or data theft.  Unlike a natural disaster, intentional human-caused incidents include the factor of persistence.  Persistence is a unique element which requires constant and concerted efforts on the part of other humans to prevent, protect, and mitigate against criminal acts.  Given the law of averages and the constant need for cybersecurity experts to keep up with all tactics used by criminals, the good guys are bound to lose a battle once in a while.  While I don’t disagree that those who have their personal information stolen through no fault of their own may be deserving of financial compensation for their losses, I’m left wondering about the real liability of those entities who make reasonable and prudent efforts to protect that data.

Certainly the perpetrators, when found guilty, are at fault and hold the ultimate responsibility, but we have difficulty in identifying and persecuting these attackers.  Even if the perpetrators are found and convicted, is there still a shared liability among other parties?

Like climate change, we struggled for many years fighting the inevitable and thinking we could stop or reverse its effects.  We are finally shifting to a new philosophy of adaptation.  While we do what we can to slow the speed of climate change, many have accepted that climate change, and thus its impacts, are an inevitability.  This leads me to suggest that we need to take the same stance with all disasters, including those caused by humans.  Incidents will occur.  While we MUST do what we can to prevent, protect, and mitigate against them, we need to shift the thinking of society to response, recovery, and adaptation for when, inevitably, it does occur.

While I’m no attorney or expert in liability and litigation, it seems to be a fairly unexplored area in terms of cybersecurity.  I welcome your thoughts and ideas on this.

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC


When is Consolidation of Public Safety Agencies a Good Idea?

A recent effort for the consolidation of three fire departments near our office in Central New York failed.  The consolidation, discussed in earnest for nearly a year with positions both for and against, narrowly lost in a public referendum.  News article here: http://www.uticaod.com/article/20150818/NEWS/150819437.

Having worked in public safety for nearly 20 years, I’ve seen quite a few consolidation efforts.  Some successful, most voted down before they even had a chance.  Most efforts have been related to fire departments, some with EMS agencies, and a few related to law enforcement.  While I’ve seen some early in my career, it seems there has been an increase in consolidation proposals in recent years.  Why?

It seems the most significant factor in these proposals is economic.  Despite the slow upturn in the economy, government budgets are still struggling.  The need to spread the burden of common administrative costs, like insurance; ensure appropriate staffing coverage; and to address equipment issues, such as standardization for interoperability; are the top items of discussion.  In some cases there is also a need to reduce the personnel costs through consolidation by reducing the overall number of executive-level officers and support staff, and to reduce real estate costs by reducing the number of stations.  While not all of these reasons are applied all the time, these are quite commonly identified as reasons for consolidation.  The bottom line for consolidation is that it saves money while, ideally, not increasing response times or public access to services.

As for the reasons against consolidation… there are many who don’t seem to trust the promise of savings.  Certainly there have been a great number of failed attempts by government or other organizations to restructure in the name of cost savings and come nowhere near reaching their target.  Others are afraid of the loss of jobs and access to services.  Some, in my opinion, are just being territorial.

Obviously consolidation, or any change in government structure or services, needs to be carefully studied, reviewed, and if decided upon, implemented in accordance with a carefully designed plan and a watchful eye.  This especially holds true for public safety.  Just like any idea out there, it can work if carefully implemented, but it may not be suitable for everyone.

Where do you stand on public safety consolidations?  What success stories do you have?  How about failures?

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC


Crowdsourced Weather

Now this is cool… Back in July, AccuWeather’s iOS app incorporated a crowdsourcing feature called AccuCast which allows users to report weather and weather related hazards where they are.  This data is then available as an option in the weather map displays accessible in the app.

Screen images included below.  More information available from http://www.accuweather.com/en/press/50601069.

AccuWeather AccuCast Screen Shots

AccuWeather AccuCast Screen Shots



Firearms in Emergency Kits?

Cannon Beach, Oregon, a community in the Cascadia subduction zone, has an interesting program in which they store the preparedness kits of residents for them.  A link to the city’s program is here: http://ci.cannon-beach.or.us/community/cachecontainer.html.  In summary, the city provides the opportunity for residents (for a small fee) to store containers (provided by the city) of emergency supplies within city-owned cache locations.  They offer 5 gallon pails (with lids), 30 gallon drums, and 55 gallon drums.  These kits are stored securely in shipping containers at the predesignated locations.

I’m a bit ambivalent about the concept.  While it certainly encourages and enables people and families to have kits that perhaps otherwise wouldn’t, it does remove these kits from their possession.  Not having the kits in your possession limits the ability to add to/maintain the kit and certainly makes them ineffective during a shelter in place scenario.  I, for one, would rather have my kit readily available to me and all family members without having to address:

1) potentially unsafe travel,

2) the ability to access the container (will someone be there to let me in?),

3) a potential state of unrest in the vicinity of the container,

4) will the container still be there (we’ve seen these things easily moved by mother nature).

Note that the informational material on their website does encourage people to also have go-bags for a combination approach, which is a good idea.

Now that I’ve warmed you up with some background – off to the main topic…  I was first alerted to Cannon Beach’s concept via a news article about someone storing a firearm in their kit.  http://www.opb.org/news/article/should-your-emergency-preparedness-kit-include-a-firearm/.  The article states that an individual kept a firearm in their kit, which was stored by the city in a storage container which was broken into and stolen.  Firearms, by the way, are not permitted per the city’s guidance.  But should firearms (Cannon Beach’s program aside) be included in emergency kits?

Up front, I’d never recommend that firearms be kept in an emergency kit simply based upon liability.  That said, it’s an individual decision but could be a good idea.  Certainly anyone who chooses to do so should ensure that it is done legally and safely.  One must also consider why they want to have a firearm in their kit.  Is it for personal protection or for hunting?  Or both?  In the case of the article I referenced, it was a handgun, which could really only be used effectively for personal protection.

While we see very limited violence and looting during disasters, it certainly could be possible.  I would never suggest that someone not have the ability to protect themselves or their family.  I would suggest, however, that anything in your kit should have as many purposes as possible.  A handgun is less than ideal for hunting.  However, including a firearm for hunting (rifle or shotgun) will likely exceeded the physical space of your kit, so this needs to be considered.

I would also suggest that, again just like anything else in your kit, you be proficient in using it. Among the few who keep and maintain preparedness kits, many buy things and just stick them in there.  They never read the instructions or become familiar with their use.  Consider a water purifier for example.  Any brand that I’m familiar with needs to be submerged and backwashed prior to use to remove smaller particulates from the carbon filter.  If someone is keeping something as dangerous as a firearm, they had better be proficient in its use!

The bottom line is that we are not likely to see a scenario out of The Walking Dead.  While we have seen some devastating incidents, such as Hurricane Katrina, which had limited the effectiveness of law enforcement for a time, this is not the norm within disasters.  Some may be considering an extreme, perhaps apocalyptic, scenario, and wanting to protect themselves, which is fine.  Just be smart about it.

What are your thoughts on firearms in emergency kits?  How about the municipal storage of kits like Cannon Beach’s program?

Lots of food for thought…

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC


Deadly Explosions

By now I’m sure you’ve all heard of the two horrible explosions that took place over the last 24 hours – one in Tianjin, China; the other in Baghdad, Iraq.  The explosion in the port city of Tianjin occurred soon after fellow consultant Ralph Fisk and I had both separately published posts about the dangers of human caused disasters.  The explosion in Baghdad, the result of a terror attack, occurred less than 12 hours ago.

The explosions in Tianjin occurred in the port area of the city and originated as fires among shipping containers.  The origin of the fires is yet unknown or released to the public by the Chinese government.  Chemicals and explosives were within some of the containers, with reports of chemical odors still lingering there hours after the explosions occurred.  At this point, according to CNN, 50 persons are confirmed dead with more than 500 hospitalized.  Among the dead are 12 firefighters.  Many more people are missing, including dozens more firefighters.  If you’ve not seen any of video of the explosions, it is grimly spectacular.  CNN has obtained several videos from people who were recording the fire turned explosion.  http://www.cnn.com/2015/08/13/asia/china-tianjin-explosions/index.html.  This will certainly be a continuing story to keep an eye on.

In Baghdad, ISIS has reportedly claimed responsibility for a truck bomb which was detonated in in a busy market, killing dozens and injuring nearly 100 people.  Sadly we have become practically desensitized to occurrences of violence in the Middle East.  While each of them is horrible, this incident is particularly tragic with the loss of this many lives.

I rarely post about current disasters or incidents as there is plenty of commentary already out there from the media and quasi-media.  The tragedy of these, however, underscores our need to be aware of the potential for these incidents to occur and what we need to do to prepare for and respond to them.  We also need to be prepared to address the cascading impacts of these incidents – mass care, mass casualty, and mass fatality issues are certainly paramount, but we also need to consider matters such as business and government continuity.

Foundationally, it helps to know something about explosives.  For my readers who are US citizens, be sure to check out the first responder training available from the New Mexico Tech Energetic Materials Research and Testing Center (EMRTC).  They run DHS sponsored training programs such as Incident Response to Terrorist Bombings (IRTB).  These courses are intensive and greatly valuable, diving into the physics and chemistry of different explosive types and classes, terrorist methodologies, and plenty of show and tell in their range.  The course gives a solid appreciation for what explosives can do and gives you a relative awareness of how much explosive it takes to cause a certain amount of damage.  For those who are not US citizens, I believe they do work with the US State Department to review applications on a case by case basis.  I’m curious as to what type of similar training is available in other countries to domestic responders.

We are truly lucky to not suffer incidents such as these as often as other nations do.  Understand, though, that this is only due to safety and security measures that we have in place.  Accidents, however, are inevitable, as are the successful efforts of those who wish to do us harm.  We must continue to do what we can to prevent these types of incidents but also be ready for when they do occur.

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC


Are You Really Considering All Hazards?

Natural hazards, such as flooding, tornados, wildfire, and earthquakes, bring about the greatest losses, calculated in nearly every metric possible, as compared to human-caused incidents.  Human-caused incidents, either accidental or intentional, still bring tremendous impact to communities world-wide on a daily basis.  While working to prepare for, mitigate, respond to, and recover from natural hazards will always continue to be important, it seems that many still often forget about human-caused incidents despite all the conversations out there.

Human-caused incidents include a variety of hazards such as infrastructure failure, transportation accidents, hazardous materials incidents, and intentional attacks.  These are all things which we can fit into our traditional model of Prepare, Mitigate, Respond, and Recover.  The National Planning Goal introduced the model of the five Mission Areas – Prevention, Protection, Mitigation, Response, and Recovery – to help address our many of our major functions (Core Capabilities) for human-caused incidents (note that Preparedness is now a higher level concept that applies to all Mission Areas).  While this Mission Area model has helped bring these key activities into the greater fold of what we do, it has also kept them largely isolated through the thought that many human-caused incidents are only addressed through Prevention and Protection Mission Area activities.

Nowhere, it seems, do we see this more than in the area of hazard mitigation.  The vast majority of hazard mitigation plans which exist only address natural hazards (even at the state level).  Since many readers view this blog for my opinion, here it is – this is archaic and dangerous thinking!  We have all seen hazard mitigation plans which claim they are ‘all hazards’, yet only list natural hazards.  That’s fine, if by some unbelievable circumstance, your jurisdiction is only impacted by natural hazards.  This is a circumstance which I am highly doubtful of.  Some mitigation plans get a little more realistic and will address human-caused hazards such as dam failure and/or hazardous materials release, which were likely the greatest human-caused threats they may have been vulnerable to in the previous century.  In today’s world this still doesn’t quite get us to where we need to be.  There are a great many mitigation activities which we can leverage against human-caused incidents.

How do we fix this?  It’s easy – start with conducting a hazard analysis.  A hazard analysis, be it as a stand-alone activity or part of the THIRA process, should review all possible hazards which your jurisdiction, company, or organization is vulnerable to.  It should be comprehensive, not just limited to the set of natural hazards.  Along with infrastructure failure and hazardous materials incidents (both in-transit and fixed site), consider hazards such as active shooters, cyber attacks, improvised explosives, and civil unrest.  This may require bringing some additional subject matter experts into the room for your hazard analysis – like your IT director.  In a hazard analysis, each hazard is ranked (at a minimum) by its likelihood to occur and its severity of impact should it occur.

A well conducted hazard analysis provides the basis for everything we do in emergency management and homeland security.  It not only informs our activities such as planning, training, and exercises, it also helps assign priority to those hazards which require the greatest focus and allocation of resources.

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC


NIMS Alert – FEMA Seeks Feedback on Federal Interagency Operational Plans

Take some time to review and comment on these.  Be heard!  TR

<from press release>

FEMA is requesting stakeholder feedback on working drafts of four of the five Federal Interagency Operational Plans (FIOPs):  Protection, Mitigation, Response, and Recovery. The Prevention FIOP is Unclassified and For Official Use Only (FOUO)/Law Enforcement Sensitive (LES), Restricted Access and therefore available to appropriate personnel through separate and secure communication means. The FIOPs describe how the Federal government aligns resources and delivers core capabilities. Each FIOP outlines the concept of operations for integrating and synchronizing existing national-level Federal capabilities to support the whole community.

This update of the FIOPs focuses on discrete, critical content revisions, and confirming edits as a result of comments received on the National Preparedness Goal and National Planning Frameworks. Additional changes in the draft are the result of the lessons learned from implementing the FIOPs and recent events, as well as the findings of the National Preparedness Report.  The FIOPs and feedback submission forms may be found at http://www.fema.gov/ppd-8-news-updates-announcements.

To ensure all feedback is properly handled, reviewers are asked to use the provided feedback submission form to submit feedback and recommendations. Please provide any comments and recommendations, using the submission form, to PPD8-Engagement@fema.dhs.gov by Tuesday, September 2, 2015 at 5:00 PM EDT.

Well OF COURSE Drones Can Be Used As WEAPONS

It’s rather insane that it took this long for the US Department of Homeland Security to issue a warning to law enforcement about the potential use of drones/UAVs as weapons or to further the criminal enterprise.  If you’re not familiar with the DHS bulletin, see this CBS News story.

For those of you who have been steady readers of mine, you can probably tell that I’m pro-drone.  However, just like anything else, someone is bound to adapt the technology for their own malicious purposes.  While we are still getting our act together in figuring out how to apply UAV technology for myriad good and purposeful things, there have been those out there trying to figure out how to use the same technology for advancing criminal and terrorist agendas.

Amazon and others want to use UAVs to deliver packages.  Well guess what –drug cartels will certainly be using them to deliver packages of drugs.  The US military uses UAVs to strike at terrorists in unfriendly territory.  Terrorists, criminals, or even your run-of-the-mill stupid people, can do the same.  Have you seen this article about a teen who mounted a handgun to a UAV?  UAVs are great for providing a birds-eye view of any situation, but when operating in a disaster environment they can’t impede responders as they did in the recent wildfires in California.

I have no doubts that terrorists somewhere, foreign or domestic, are playing with UAV electronics and explosives to determine how best to deliver those deadly packages.  As inevitable as it is, do we ban the use of UAVs?  Well we haven’t banned cars or moving vans, and both have been used to transport explosives.  The good outweighs the bad, so we have to figure out how best to deal with it.

The fact of the matter is that all well intended technology can be used for not so good purposes.  Does this mean we do away with the technology?  No.  Does this mean we do away with innovation?  No.  It does mean that we have to stay a step ahead of those who have ill intent or practice in stupidity.  Prevention, protection, and mitigation against these things is a constant challenge.  We now need to be aware of a new threat and address it.  It’s something we’ve done through time.  People built walls around their towns to protect themselves and their property from people and animals who would do them harm.  Attackers innovated and approached walls with ladders, so defenders built taller walls and other defensive technologies.  Today we use physical barriers to prevent vehicles from getting too close to buildings, locked doors to prevent entry, and cameras to monitor.  Perhaps the threat of an attack from the air will require other measures.

Has your company or jurisdiction considered the threat UAVs may pose to your interests?  What are your thoughts on deterring attacks?

© 2015 – Timothy Riecker