Tag critical infrastructure

8 Predicted Changes to Emergency Management Post-Pandemic

Tim Riecker, The Contrarian Emergency Manager Leave a comment

In public safety we learn from every incident we deal with.  Some incidents bring about more change than others.  This change comes not just from lessons learned, but an effort to apply change based upon those lessons. In recent history, we’ve seen significant changes in emergency management practice come from disasters like the 9/11 terrorist attacks and Hurricane Katrina, with many of the changes so significant that they are actually codified and have led to new doctrine and new practices at the highest levels.  What changes can we expect from the Coronavirus pandemic?

Of course, it’s difficult to predict the future.  We’re also still in the middle of this, so my thoughts may change a month or two into the future.  Any speculation will begin with idealism, but this must be balanced with pragmatism.  Given that, the items I discuss here are perhaps more along the lines of changes I would like to see which I think have a decent chance of actually happening. 

  1. Legislation.  Similar to the aforementioned major disasters, this too will spawn legislation from which doctrine and programs will be derived.  We are always hopeful that it’s not politicians who pen the actual legislation, but subject matter experts and visionaries with no political agendas other than advancing public health preparedness and related matters. 
  2. More public health resources. This one, I think, is pretty obvious.  We need more resources to support public health preparedness, prevention, and detection efforts.  Of course, this begins with funding which will typically be spawned from the legislation mentioned previous.  Public health preparedness is an investment, though like most preparedness efforts, it’s an investment that will dwindle over time if it’s not properly maintained and advanced to address emerging threats and best practices.  Funding must address needs, programs to address those needs, and the resources to implement those programs. 
  3. Further integration of public health into emergency management.  Emergency management is a team sport.  Regardless of the hazard or the primary agencies involved, disasters impact everyone and many organizations and practices are stakeholders in its resolution and can contribute resources to support the resolution of primary impacts and cascading effects.  Despite some gains following 9/11, public health preparedness has still been treated like an acquaintance from another neighborhood. The legislation, doctrine, programs, and resources that we see MUST support an integrated and comprehensive response.  No longer can we allow public health to be such an unfamiliar entity to the rest of the emergency management community (to be clear – the fault to date lies with everyone). 
  4. Improved emergency management preparedness.  Pulling back to look at emergency management as a whole, we have certainly identified gaps in preparedness comprehensively.  Plans that were lacking or didn’t exist at all.  Equipment and systems that were lacking or didn’t exist at all.  People who didn’t know what to do.  Organizations that weren’t flexible or responsible enough.  Processes that took too long.  Poor assumptions on what impacts would be. We can and must do better.
  5. An increase in operational continuity preparedness.  We’ve been preaching continuity of operations/government for decades, yet so few have listened. The Coronavirus pandemic has shown us so many organizations jumping through their asses as they figure it all out for the first time.  By necessity they have figured it out, some better than others.  My hope here is that they learned from their experience and will embrace the concepts of operational continuity and identify a need to leverage what they have learned and use that as a basis for planning, training, exercises, and other preparedness efforts to support future continuity events. 
  6. Further expansion of understanding of community lifelines and interdependencies of critical infrastructure.  This pandemic gave us real world demonstrations of how connected we are, how vulnerable some of our critical infrastructure is, and what metrics (essential elements of information) we should be monitoring when a disaster strikes.  I expect we will see some updated documents from DHS and FEMA addressing much of this. 
  7. More/better public-private partnerships.  The private sector stepped up in this disaster more than they previously ever had. Sure, some mistakes were made, but the private sector has been incredibly responsive and they continue to do so.  They have supported their communities, customers, and governments to address needs they identified independently as well as responding to requests from government.  They changed production.  Increased capacity.  Distributed crisis messages.  Changed operations to address safety matters.  Some were stretched to capacity, despite having to change their business models.  Many companies have also been providing free or discounted products to organizations, professionals, and the public.  We need to continue seeing this kind of awareness and responsiveness.  I also don’t want to dismiss those businesses, and their employees, that took a severe financial hit.  Economic stabilization will be a big issue to address in recovery from this disaster, and I’m hopeful that our collective efforts can help mitigate this in the future. 
  8. An improved preparedness mindset for individuals and families.  Despite the panic buying we saw, much of the public has finally seemed to grasp the preparedness messaging we have been pushing out for decades.  These are lessons I hope they don’t forget. Emergency management, collectively, absolutely must capitalize on the shared experience of the public to encourage (proper) preparedness efforts moving forward and to keep it regularly in their minds. 

In all, we want to see lasting changes – a new normal, not just knee-jerk reactions or short-lived programs, that will see us eventually sliding backwards.  I’m sure I’ll add more to this list as time goes on, but these are the big items that I am confident can and (hopefully) will happen.  I’m interested in your take on these and what you might add to the list.

Be smart, stay safe, stay healthy, and be good to each other. 

© 2020 Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

A New National Response Framework

Tim Riecker, The Contrarian Emergency Manager 4 Comments

Yesterday FEMA announced the release of an updated National Response Framework (the fourth edition).  The most notable changes in this version of the NRF are the inclusion of Community Lifelines and a change to Emergency Support Function (ESF) #14.  Previously, ESF #14 was Long-Term Community Recovery.  With efforts to further engage and coordinate with the private sector in disaster response, ESF #14 has been changed to Cross-Sector Business and Infrastructure.

So what of Long-Term Community Recovery?  The National Disaster Recovery Framework (2016) outlines Recovery Support Functions (RSFs), which, at the federal level, are organized as coordinating structures along with the ESFs.  There are six RSFs, which generally align with the Core Capabilities for the Recovery Mission Area.  For anyone who has worked with FEMA in disaster recovery operations, you know these can be massive organizations, so why create an even large organization?  This structure should support the ESFs in focusing on immediate needs, while the RSFs can address long-term recovery.  When the Federal disaster response organization is initially set up for a disaster, the ESFs are immediately put to work to support state and local emergency needs.  In this phase, the RSFs are able to organize, gather data, and plan for eventually being the lead players as response transitions to recovery.  Recovery is very much a data-driven operation.  As this transition occurs, with the RSFs taking over, many of the ESF resources can be demobilized or tasked to the RSFs.

What does this mean for states and locals?  Fundamentally, nothing.  States simply need to have an appropriate interface with the new ESF #14.  Do states and locals need to mirror this organization?  No, and in fact most of the time when I see an organization centered around ESFs, I tend to cringe.  The ESF/RSF system works for the federal government because of the multitude of federal agencies that have responsibility or involvement in any given function.  Fundamentally, ESFs/RSFs are task forces.  Recall the ICS definition of a task force, being a combination of resources of varying kind and type.

Certainly, most local governments, aside from perhaps the largest of cities, simply don’t have this measure of complexity and bureaucracy.  It can work for some state governments, but for many it may not make sense.  Let’s consider ESF #1 – Transportation.  How many state agencies do you have that have responsibility and assets related to transportation?  In some states, like New York, there are many, ranging from State DOT, NYS Parks, the Thruway Authority, and the multitude of other bridge, road, and transit authorities in the State. Smaller states may only have a State DOT.  One agency doesn’t make a task force.  There are other options for how you organize your emergency operations plan and your EOC that can make more sense and be far more effective.  Essentially what I’m saying is to not mirror the way the feds organize because you think you have to.  All plans must be customized to YOUR needs.

On to the integration of community lifelines.  The goal of the new ESF #14 is to not only engage the private sector, but also coordinate cross-sector operations for stabilizing community lifelines.  I’m interested to see how this plays out, since the community lifelines are already addressed by other ESFs, so I suspect that once the new framework is tested, there may be some supplemental materials that come out to balance this.  That said, the integration of community lifelines is a good thing and I’m glad to see this gaining more traction and truly being integrated rather than existing as a good idea that’s never actually tasked.  Integration of community lifelines is something that every state and local government can at least track, if not take action on, depending on their capability and resources.  The updated NRF added some additional context to community lifelines, with information that supports integrating this concept into planning, response, and recovery.  I happen to appreciate this community lifeline focused timeline that is in the NRF.

While the focus of the NRF is on how the federal government will response, it is intended to be reflective of a whole community response.  It doesn’t necessarily provide guidance (nor should it) on planning, but it certainly serves as a reference.  Since it seems the feds are going all in on the community lifeline concept, I urge state, local, tribal, and territorial governments to examine how they can integrate them into your operations.  That all starts with planning.  It may begin as a function of situational awareness, but then what actions should a jurisdiction take when lifelines are impacted?  Even if a jurisdiction doesn’t have the capabilities to address the root cause, they still need to address the affects.

What thoughts do you have on the NRF update?

© 2019 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

Preparedness: Integrating Community Lifeline Considerations

Tim Riecker, The Contrarian Emergency Manager 2 Comments

Much of preparedness is about getting us ready to conduct situational assessment and prioritization of actions.  We train people and develop resources, such as drones, field-deployed apps, and geographic information systems (GIS) to support situational assessment.  The information we obtain from these assessments help in the development and maintenance of situational awareness and, when shared across disciplines, agencies, and jurisdictions, a common operating picture.  Based upon this information, leaders at all levels make decisions.  These decisions often involve the prioritization of our response and recovery actions.  Ideally, we should have plans in place that establish standards for how we collect, analyze, and share information, and also to support the decision making we must do in prioritizing our actions.  Exercises, of course, help us to validate those plans and practice associated tasks.

One significant hurdle for us is how overwhelming disasters can be.  With just slight increases in the complexity of a disaster, we experience factors such as large geography, extensive damages, high numbers of lives at risk, hazardous materials, and others.  Certainly, we know from Incident Command System training that our broad priorities are life safety, incident stabilization, and property conservation – but with all that’s happening, where do we start?

One thing that can help us both assessment and prioritization are community lifelines.  From FEMA: “Community lifelines reframe incident information to provide decision-makers with impact statements and root causes.”  By changing how we frame our data collection, analysis, thinking, and decision-making, we can maximize the effectiveness of our efforts.  This shouldn’t necessitate a change in our processes, but we should incorporate community lifelines into our preparedness activities.

The community lifelines, as identified by FEMA, are:

  • Safety and Security
  • Food, Water, and Sheltering
  • Health and Medical
  • Energy
  • Communications
  • Transportation
  • Hazardous Materials

If this is your first time looking at community lifelines, they certainly shouldn’t be so foreign to you.  In many ways, these are identified components of our critical infrastructure.  By focusing our attention on this list of items, we can affect a more concerted response and recovery.

FEMA guidance goes on to identify essential elements of information (EEI) we should be examining for each community lifeline.  For example, the lifeline of Health and Medical includes the EEIs of:

  • Medical Care
  • Patient Movement
  • Public Health
  • Fatality Management
  • Health Care Supply Chain

Of course, you can dig even deeper when analyzing any of these EEIs to identify the status and root cause of failure, which will then support the prioritization of actions to address the identified failures.  First we seek to stabilize, then restore.  For example, within just the EEI of Fatality Management, you can examine components such as:

  • Mortuary and post-mortuary services
  • Transportation, storage, and disposal resources
  • Body recovery and processing
  • Family assistance

The organization of situation reports, particularly those shared with the media, public, and other external partners might benefit from being organized by community lifelines.  These are concepts that are generally tangible to many people, and highlight many of the top factors we examine in emergency management.

Back in March of this year, FEMA released the Community Lifelines Implementation Toolkit, which provides some great information on the lifelines and some information on how to integrate them into your preparedness.  These can go a long way, but I’d also like to see some more direct application as an addendum to CPG-101 to demonstrate how community lifelines can be integrated into planning.  Further, while I understanding that FEMA is using the community lifeline concept for its own assessments and reporting, the community aspect of these should be better emphasized, and as such identifying some of the very FEMA- and IMAT-centric materials on this page as being mostly for federal application.

Has your jurisdiction already integrated community lifelines into your preparedness?  What best practices have you identified?

© 2019 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC℠®

10 Considerations for Your EOC

Tim Riecker, The Contrarian Emergency Manager Leave a comment

Many jurisdictions, agencies, and organizations have emergency operations centers (EOCs) identified in their emergency plans to support incident response and recovery operations.  Through my career, I’ve seen all manner of EOCs, used to support entire incidents or just specific missions, ranging in size from just a handful of people to well over 100 people, various organizational models, and even varying degrees of successful implementation.  I’ve also seen many different locations for EOCs.

An EOC can be established anywhere, but just like any broad statement, there are a number of caveats to that.  Here are 10 things to consider in identifying a location for your EOC:

  1. Out of harm’s way

While it’s difficult to determine where an incident will strike, most jurisdictions have areas that may be less susceptible than others.  While it’s certainly convenient to have your EOC off a major highway, consider that a significant accident on that highway will impact access to your facility.  Locating your EOC near an industrial district or in a flood plain is just asking for trouble.  Be smart about where you locate your EOC relative to your geographic risk profile.

  1. Plenty of parking and accessibility

Few things are more frustrating than arriving to an EOC and not having a place to park.  That’s simply a silly problem to have and reflects greatly on shortsightedness.  If you are stuck in a certain location, plan for an overflow lot, signage, and a shuttle.  Also make sure your building is accessible.  I’ve seen far too many EOCs located either in basements or upper floors without any elevators or other ability for access for people with disabilities.

  1. Utility services and communications with redundancies

It practically goes without saying in our current age of technology, but we need to ensure full utility service in our EOCs.  This includes the basics like electricity, HVAC, and water, but also internet, terrestrial telephone, cellular service, television service (either cable or satellite), and radio communications.  The best facilities will have redundancies in these services to the greatest extent possible.  Generators (with fuel) are rather essential.  Engage your IT staff to ensure maximum flexibility and connectivity with wifi and wireless printing, while still maintaining secure networks.  Each work space should also be able to easily access outlets without running an excess of extension cords (but always have some on hand!).

  1. Meal and break rooms

Constant engagement fuels stress and exhaustion which leads to degradation of our ability to perform.  While work in an EOC may not be so physically strenuous, it can be mentally draining and having respite locations are important.  Both for respite and the sake of keeping work spaces clean, you want to have a separate dining area that can accommodate seating for everyone (at least in shifts), a place to wash hands, refrigeration of food and beverages, potable water and coffee/tea, and space for prepared food to be delivered and maintained within safe temperatures.

  1. Seating and tables

It seems odd to have to say this, but adequate seating is quite important.  I’ve been in EOCs that simply didn’t have it.  While I appreciate the ability of a jurisdiction to set up an ad-hoc EOC, a single six foot table and a few folding chairs aren’t likely to meet your needs.  If you don’t have a dedicated EOC (not everyone needs one!), meeting and conference rooms may have plenty of seating, though if they are too small, you will be extremely limited.  Thankfully folding tables and chairs are reasonably inexpensive and easy to store.  Consider the functional spaces you need to accommodate your EOC’s organization, be it ICS-based, Incident Support Model-based, or Emergency Support Function-based.  Functional groups should have their own work spaces and the arrangement and workspaces they need to accommodate and facilitate their functions.  Always plan for more people than you expect!

  1. Away from distractions

Your EOC shouldn’t be in a space that other wise will receive a lot of foot traffic.  While co-location of facilities can seem like a great idea before an incident, having your EOC in the same building as a shelter or your fire department is probably a bad idea.  It’s not only distracting, but also infringes on utility and communication usage, and even security.

  1. Security

Speaking of security, ensure that access to your EOC is limited only to those who should be there.  Generally, personnel not working in or serving the EOC should not have access to it.  It’s a pain to have civilians, the media, or other random persons wandering into an EOC, especially when they want immediate answers to complicated questions or feel their needs should be addressed first.  Along with ensuring access controls, security procedures should be in place, including a staffed reception desk and sign-in.  Personally, I also prefer armed security (law enforcement) for most EOCs.

  1. Meeting and briefing space

Meetings and briefings are a necessity in incident management.  It’s a way in which we share information, work through problems, and make decisions.  Of course there is always the danger of personnel getting stuck in a perpetual meeting, but that’s a topic for another blog post.  Ideally, your EOC should have adequate breakout space for these meetings and briefings.  An open space with a podium may be necessary for media briefings, and meeting rooms with conference call and video conference capabilities may also be required.  Having a separate space allows a meeting to take place without distraction from the general EOC activity while also being able to discuss sensitive information.

  1. Display space

One of the hottest commodities in an EOC is display space.  Space to project with an LCD projector, hang chart paper or maps, and write on with a dry-erase marker is pretty essential to helping ensure that people are informed and information is tracked.  Higher-tech EOCs may elect to have flat screen monitors mounted on the wall, as well.  Easel stands and portable white boards can augment this and make your space more flexible as well.

  1. A good backup site

One of the best tips I can provide about having a great space for an EOC is to have two!  You will be thankful you have that second space identified and planned for in a continuity situation.  If you don’t need it, it can always be used for something else, but if you do need and don’t have it, you will be scrambling to find a location, get your personnel there, and ensure you have supplies, equipment, and other needs addressed.

 

There are certainly a number of other considerations for EOCs, but paying heed to these ten will get you far.  Your EOC doesn’t need to be a dedicated facility.  It can be any reasonably flexible open space, such as town hall, a large meeting space, a training facility, a hotel conference space, or even a warehouse – your needs should determine your space.  Once you have identified your space, make it functional and ensure that you have an EOC plan and procedures. Train staff, develop job aids to support their tasks, and exercise your plans regularly!

© 2019 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC®℠

Airport Emergency Planning

Tim Riecker, The Contrarian Emergency Manager Leave a comment

Through my career I’ve had the opportunity to work with a number of airports on preparedness efforts.  In the past couple of years, that interaction has been greatly amplified through a contract my company successfully completed involving the development of exercises for airports.  As part of this effort, we designed, conducted, and evaluated exercises at ten airports of varying sizes across the nation, from Georgia to Alaska, Massachusetts to California.  Since the primary intent of exercises is to validate plans, we of course requested and reviewed airport emergency plans (AEPs) from each location as part of our preparation for each exercise.

For those not in the know, the requirement for AEPs originates with Federal Aviation Regulation 14 CFR Part 139, which wholly establishes the standards for the certification of airports.  The requirements for AEPs are further refined in DOT/FAA Advisory Circular 150-5200-31C published in May of 2010.   The Advisory Circular is largely implementation guidance.  It’s quite comprehensive and outlines a planning structure, references emergency management doctrine and standards of practice such as NIMS and the National Response Framework, and models a planning process, which mirrors that of CPG-101.  The NFPA also provides guidance in NFPA 424: Guide for Airport/Community Emergency Planning, which reflects on all these as well.

Just like any community emergency operations plan (EOP), AEPs I’ve reviewed run the full spectrum of quality.  Some plans are thorough and comprehensive, while other plans are so focused on meeting the letter of the regulation that they fall short of meeting real needs and being implementation-ready, even though they technically meet the requirements set forth in §139.325.  Regulated industries, which airports largely are, often have a challenge when it comes to emergency planning.  We see this same challenge in radiological emergency plans as well.  The laws and regulations seem to provide so much structure that it is perceived that local variables and subjective analysis aren’t allowed.  As an example, §139.325 states:

“the plan must contain instructions for response to:

  1. Aircraft incident and accidents
  2. Bomb incidents, including designation of parking areas for the aircraft involved
  3. Structural fires
  4. Fires at fuel farms or fuel storage areas
  5. Natural disaster
  6. Hazardous materials/dangerous goods incidents
  7. Sabotage, hijack, or other unlawful interference with operations
  8. Failure of power for movement area lighting
  9. Water rescue situations (as appropriate)”

While the planning process isn’t prescribed in §139.325, nor does it specify if other hazards can be included in the AEP, the Advisory Circular (AC) does expound on this and prescribes a planning process, including a hazard analysis.  The AC states “Through the hazards analysis program, guidance has been provided to assist in the identification of those hazards and disasters specific to an airport that warrant planning attention”.  That phrasing indicates that airports should be planning for hazards beyond what is required by §139.325, yet I’ve seen many that do not.

Obviously ‘natural disaster’ covers a considerable amount of proverbial territory.  Jurisdictions undergo extensive hazard analysis and hazard mitigation planning to identify the breadth and scope of these hazards (which should include all hazards, not just natural disasters).   Many jurisdictions develop very comprehensive EOPs and annexes to address the response needs of each of their primary hazards.  I saw this as a significantly missing component in many AEPs, which treated ‘natural disasters’ as a single hazard.  Further, as many airports stick to the minimum requirement for planning, they fail to address other hazards which could impact them, ranging from dam failure, and nuclear power facility incidents, to currently hot topics such as active shooter/hostile event response (ASHER) and communicable diseases.

Some airports have thankfully recognized the need for expanding beyond the required hazards and have developed plans that better address all of their needs.  On the unfortunate side, again as a regulated industry, I’ve also seen some airports having two sets of plans… one that meets regulation and the other that they feel is more practical for implementation.  Clearly this isn’t the way to go either.  A single, consolidated plan can be developed that meets all needs.

Airports are an interesting animal.  Regardless of governance structure, they are part of the communities which surround them.  Larger airports are also communities of their own, having significant capability, sometimes more than the surrounding jurisdictions.  Airport emergency planning should acknowledge and involve their community relationships and must address all hazards, not just the ones required by Part 139.  Just as with any other type of emergency plan, they must be implementation-ready.  To do so typically requires the added development of standard operating guidelines (SOGs) and job aids, such as check lists and forms.  Plans should also be developed to address recovery issues and business continuity, not just response.  An airport, regardless of governance structure, operates like a business, with many other stakeholders dependent upon their stability and ability to address and rapidly recover from incidents.  They are also obviously transportation hubs, dealing with large volumes of people and significant dollar figures in freight and commerce.

Airport emergency managers have many of the same challenges as the emergency managers of any other community.  Staffing and funding rarely line up with requirements and other priority matters.  I encourage community emergency managers to reach out to their local airports and coordinate, as many hands make easier work for everyone.  Of course, if any airports are seeking assistance in enhancing their preparedness, please contact us as we would love to work with you!

© 2018 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC™

 

 

7 Emergency Management Priorities for the Next Administration

Tim Riecker, The Contrarian Emergency Manager Leave a comment

Heritage.org recently published a piece outlining the top four homeland security priorities for the next administration, which can be found here.  It’s a thought provoking article that certainly identifies some important issues.  In the same spirit, I’d like to offer what I think are the emergency management priorities for the next administration.

1) Support an Effective FEMA Organizational Model

The Heritage.org model pointed out several issues with the DHS organization that need to be addressed sooner rather than later.  I’d like to add some FEMA-specific items to their suggestions, regardless of if FEMA is kept within DHS or not (honestly, I think that ship has sailed and FEMA is there to stay).

In building a bit of background for this article, I took a look at FEMA’s current strategic plan, knowing that the document already identifies some of their priorities.  Within in that list of priorities, they mention mission and program delivery, becoming an expeditionary organization, posturing and building capability for catastrophic disasters, and strengthening their organizational foundation.  To me, these four all directly relate to their organizational model.

Along with having a strong central administration of programs, FEMA needs to have agility in their program delivery.  This is best accomplished through the FEMA regional offices, which act as an extension of the ‘central administration’ by coordinating directly with states and neighboring regions to apply those programs in the best possible manner within the guidelines of the program.  While this is currently performed, it is not performed to the greatest extent possible.  John Fass Morton provides some great perspective on this approach in his book ‘Next-Generation Homeland Security’.  Info on the book can be found here.

2) Bolster Risk Reduction Programs

I write often about preparedness, as that has always been a focus of my career.  Risk reduction, however, is essential to eliminating or reducing the impacts of hazards on communities.  Risk reduction includes all aspects of hazard mitigation and resilience, which are ideally applied at the local level but supported by state and federal programs, policies, and resources.

While the National Weather Service has implemented and promoted the StormReady program, which encourages community resilience, the best program we have ever had in our field is Project Impact.  I’d love to see a revival of Project Impact (call it that or something else – I don’t really care), incorporating the concepts of StormReady as well as other best practices in risk reduction.  A big part of this program MUST be incentivization, especially access to funds that can be applied for in the present for hazard mitigation activities.

3) Build a Better Cybersecurity Program

This item was added to the list by a colleague of mine.  It’s also found on the Heritage.org list.  It must be pretty important, then.

Yes, there are a LOT of initiatives right now involving cybersecurity, but I think there can be more.  Jon, the same colleague who suggested this for my list has also stated repeatedly that cybersecurity is really a Core Capability that cuts across all mission areas – Prevention, Protection, Response, Mitigation, and Recovery.  The recent update of the National Preparedness Goal suggests this, but sadly doesn’t commit.

What do we need in regard to cybersecurity?  First of all, we need to demystify it.  There are plenty of people out there who have just enough tech savvy to turn on their computer, send some email, and post to Facebook.  While that may work for them, they are likely intimidated by talk of cybersecurity, hackers, and the like.  We need to continue programs in plain speak that will help to inform the average consumer about how to protect themselves.

Better coordination with the private sector will pay off heavily when it comes to cybersecurity.  Not only is the private sector generally better at it, they also have a tendency to attract experts through better incentives than the government can offer, such as higher pay.  Cybersecurity also impacts everyone.  We’ve seen attacks of all types of systems.  The only way to stop a common enemy is to work together.  Let’s think of it as a virtual whole-community approach.

4) Prepare for Complex Coordinated Attack

Another of Jon’s suggestions.  While terrorism is often quickly shoved into the category of homeland security, there is a lot that emergency management can assist with.  These types of attacks (think Mumbai or Paris) have a significant impact on a community.  They require a multi-faceted approach to all mission areas – again, Prevention, Protection, Response, Mitigation, and Recovery.  While law enforcement is clearly a lead, they must be strongly supported by emergency management as part of a whole-community approach to be successful. Preparedness across all these mission areas must be defined and supported by federal programs.

5) Infrastructure Maintenance

We have roads, bridges, rail, pipes, and other infrastructure that MUST be maintained.  Maintenance (or replacement) will not only prevent failure of the infrastructure as a disaster itself, but will also make it more resilient to impacts from other disasters.  Yes, these are projects with huge price tags, but what alternative do we have?

6) Continuity of Existing Model Programs

There are few things more infuriating than a new administration wiping the slate clean of all predecessor programs to make room for their own.  While every administration is entitled to make their own mark, getting rid of what has been proven to work is not the way to do that.  Eliminating or replacing programs has a significant impact all the way down the line, from the federal program administrators, to the state program people, to the local emergency managers who are often understaffed and underfunded to begin with.

Changing gears is not as simple as using a different form tomorrow, it requires research and training on the new program and costs time to re-tool.  While I would never say there is nothing new under the emergency management sun, as I believe we are still innovating, I’m pretty skeptical of some new appointee walking into their job and making wholesale changes.  While improvements can certainly be made, summary execution of successful programs does no one any good.  Let’s not make change simply for the sake of change.

Related to this, I fully support the efforts of FEMA in the last few years to gain comprehensive input on changes to documents and doctrine through the formation of committees and public comment periods.  This approach works!

7) Pull Together Preparedness Programs

NIMS, HSEEP, NPG, THIRA, etc… While each of these programs have their own purpose and goals, more  can be done to bring them together.  I’m not suggesting a merger of programs – that would simply make a huge mess.  What I’m suggesting is to find the connections between the programs, where one leads to another or informs another, and highlight those.  Things like better application of the Core Capabilities within HSEEP exercises to have a more effective evaluation of NIMS capabilities (I suggested this while being interviewed for a GAO report), or referencing the THIRA when building a multi-year training and exercise plan.  While some jurisdictions may already do this, these are best practices that should be embraced, promoted, and indoctrinated.  These links typically don’t add work, in fact they capitalize on work already done, allowing one project/program/process to be informed or supported by another, creating efficiencies and supporting a synchronization of efforts and outcomes.

There is my list of seven.  What are your thoughts on the list?  There are certainly plenty of other ideas out there.  If you had the ear of the next President, what would you suggest be their administration’s emergency management priorities?

© 2016 – Timothy Riecker

Emergency Preparedness Solutions, LLCYour Partner in Preparedness

What is the Top Sector at Risk for Cyberattacks?

Tim Riecker, The Contrarian Emergency Manager 1 Comment

3D Electric powerlines over sunrise

According to this article in the Insurance Business America magazine, it’s the energy sector.  This is no surprise, even without the statistics provided in the article; although the statistics are pretty staggering.  The article states that according to DHS “more than 50% of investigated cyber incidents from October 2012 to May 2013 occurred within the energy sector”.  The advice in the article is pretty sound and coincides well with what I’ve suggested many times in this blog… be prepared!  Not only do power utilities need to have their own cybersecurity experts and the policies, plans, and infrastructure to prevent cyberattacks, they also need to be prepared for the potential success of the attackers.  They need to know who to notify (and how), and what actions to take.  Further, those that depend on electricity should have an alternate means of obtaining electricity to meet essential needs.

Threats to our infrastructure show just how interconnected we are and how interconnected our critical infrastructure is.  This is the primary reason why our energy infrastructure, which touches every other sector, is so essential.  We must ensure that we have in place prevention and protection plans, such as cybersecurity plans; hazard mitigation plans to lessen the impacts; response plans to address critical issues; and recovery plans to return to operations.  Business continuity is also an essential component of this – even if you are an NGO or government entity (continuity of government).

Along with proper planning, training, and exercises, we need to continue to promote legislation which requires measures for cybersecurity and protection of our critical infrastructure.

What are your major critical infrastructure concerns?

© 2015 – Timothy Riecker

EMERGENCY PREPAREDNESS SOLUTIONS, LLC

WWW.EPSLLC.BIZ

Are You Really Considering All Hazards?

Tim Riecker, The Contrarian Emergency Manager 1 Comment

Natural hazards, such as flooding, tornados, wildfire, and earthquakes, bring about the greatest losses, calculated in nearly every metric possible, as compared to human-caused incidents.  Human-caused incidents, either accidental or intentional, still bring tremendous impact to communities world-wide on a daily basis.  While working to prepare for, mitigate, respond to, and recover from natural hazards will always continue to be important, it seems that many still often forget about human-caused incidents despite all the conversations out there.

Human-caused incidents include a variety of hazards such as infrastructure failure, transportation accidents, hazardous materials incidents, and intentional attacks.  These are all things which we can fit into our traditional model of Prepare, Mitigate, Respond, and Recover.  The National Planning Goal introduced the model of the five Mission Areas – Prevention, Protection, Mitigation, Response, and Recovery – to help address our many of our major functions (Core Capabilities) for human-caused incidents (note that Preparedness is now a higher level concept that applies to all Mission Areas).  While this Mission Area model has helped bring these key activities into the greater fold of what we do, it has also kept them largely isolated through the thought that many human-caused incidents are only addressed through Prevention and Protection Mission Area activities.

Nowhere, it seems, do we see this more than in the area of hazard mitigation.  The vast majority of hazard mitigation plans which exist only address natural hazards (even at the state level).  Since many readers view this blog for my opinion, here it is – this is archaic and dangerous thinking!  We have all seen hazard mitigation plans which claim they are ‘all hazards’, yet only list natural hazards.  That’s fine, if by some unbelievable circumstance, your jurisdiction is only impacted by natural hazards.  This is a circumstance which I am highly doubtful of.  Some mitigation plans get a little more realistic and will address human-caused hazards such as dam failure and/or hazardous materials release, which were likely the greatest human-caused threats they may have been vulnerable to in the previous century.  In today’s world this still doesn’t quite get us to where we need to be.  There are a great many mitigation activities which we can leverage against human-caused incidents.

How do we fix this?  It’s easy – start with conducting a hazard analysis.  A hazard analysis, be it as a stand-alone activity or part of the THIRA process, should review all possible hazards which your jurisdiction, company, or organization is vulnerable to.  It should be comprehensive, not just limited to the set of natural hazards.  Along with infrastructure failure and hazardous materials incidents (both in-transit and fixed site), consider hazards such as active shooters, cyber attacks, improvised explosives, and civil unrest.  This may require bringing some additional subject matter experts into the room for your hazard analysis – like your IT director.  In a hazard analysis, each hazard is ranked (at a minimum) by its likelihood to occur and its severity of impact should it occur.

A well conducted hazard analysis provides the basis for everything we do in emergency management and homeland security.  It not only informs our activities such as planning, training, and exercises, it also helps assign priority to those hazards which require the greatest focus and allocation of resources.

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

WWW.EPSLLC.BIZ

Attacks on Electrical Infrastructure

Tim Riecker, The Contrarian Emergency Manager Leave a comment

A February 10, 2014 article in Emergency Management Magazine titled Attack on California Electric Grid Called Terrorism brings about some very interesting speculation on an incident that occurred at an electrical substation near San Jose last year.  Unfortunately the article saves some critical information for the end and left me with a poor initial impression (i.e. assuming that the weapons used were assault rifles).  My early impression of the article, particularly having grown up in the country, was that this was the result of ‘Billy-Bob and Joe decided after a bunch of brewskis they were going to shoot up a substation’, as stated by Mark Johnson, recently retired VP of Pacific Gas and Electric. 

Toward the end of the article, the author identifies information associated to the shooting of the transformers, including the removal of 75 lb manhole covers and the cutting of fiber optic lines.  With this and other information revealed in the article, it seems likely this was more than Billy-Bob and Joe.  It’s suggested by the author that this activity could have been a ‘dress rehearsal’ for terrorists.  While I’m no terrorism expert, I offer that it’s not likely to involve any major entities such as Al-Qaeda, who are, unfortunately, must more clandestine than this – just look at how long it took us to find Bin Laden.  My guess is that this was perpetrated by a local, semi-organized, domestic group.  They did some research, but were clearly sloppy and ultimately unsuccessful, if, in fact, their goal was to cause an outage.  Nonetheless, an act such as this should certainly be categorized as terrorism, despite the origin of the perpetrators and their cause. 

This scenario, however, provides some important food for thought.  I’ve posted previously on the vulnerability of our electrical system to both intentional acts as well as natural disasters.  There are some efforts under way to increase the redundancies of our system and to create micro-grids, which would isolate impacts, which are great mitigation strategies.  The occurrence of this intentional act should bring strong consideration to prevention and protection activities to heighten security and resiliency of this infrastructure.  We need to call on our law makers to work with emergency managers, regulators, and the industry itself to require a multi-faceted approach to include protection, prevention, and mitigation efforts.