Thinking Smarter About Security

If you work in any facet of public safety and you aren’t thinking about how you secure public and event spaces, you haven’t been paying attention.  Our complacency is the greatest gift we can give to terrorists and criminals.  I certainly acknowledge that the most difficult aspect of dealing with criminal intent versus natural hazards is their determination to circumvent our own protective measures and systems, but we often make it easy for them because it’s too difficult for us to change. Is that really the excuse you want to give to the board, the media, or the families of those killed in a criminal act?

While I will never claim to be a security expert, I try to look at things with a critical eye and take the advice of those who are experts in the field.  Here are a few examples of things I’ve encountered.

Several years ago I was part of a team supporting preparedness at a major sporting venue.  The organization who had exclusive rights to the venue requested support in planning, training, and exercise activities.  I provided incident management training and was the lead on exercises.  As preparation for a tabletop exercise, I coordinated with the organization to observe security procedures during a major event.  The security screeners at the entrances to the venue did a reasonable job with most patrons, although consistently faulted with one type of patron – persons in wheelchairs.  Anyone who came to the door in a wheelchair was waved through ALL security screening without so much as a bag check.  This became the gap that I exploited for the exercise, much to the objection of their head of security who insisted that personnel were trained in how to screen patrons in wheelchairs.  While they may have been trained, it is something they consistently failed in doing and I never observed a supervisor correct the behavior.  Perhaps they weren’t trained at all, or the training wasn’t effective, or it was too uncomfortable or inconvenient for them to do.  Regardless, this is a significant gap that I’ve continued to see at other locations through the years.

Earlier this year I attended a large convention that drew tens of thousands of patrons in a large convention center over a long weekend.  I was an attendee and not working in any official capacity.  Security at the venue was laughable.  Security personnel had three main activities – bag checks, credential checks, and metal detector operation.  Metal detector operation was only performed the first day, utilizing walk through detectors as well as wands.  The personnel clearly had no idea how to operate either (I was among dozens if not hundreds of people who were directed to go through a walk through detector – which I noticed was unplugged).  On the occasion that a walk through alerted (one that was plugged in…), I observed security personnel waving the wand around people too quickly and too far away from their bodies.  For bag checks, we were asked to open all bags for security inspection.  The ‘inspection’ I observed on each day usually consisted of someone saying thank you and waving you through as they looked around the room or chatted with a co-worker, certainly not actually looking into the bags.  As for checking credentials, every patron was provided with a lanyard and a pass to be attached to said lanyard.  Security personnel were supposed to be checking passes as people entered doors to the main exhibit hall and other areas.  I noted some security personnel did this better than others – some of whom didn’t check at all.  I actually managed to keep my pass in my pocket through the entire event, only being challenged by security once.  I was so alarmed by some of the practices that on separate occasions I introduced myself to a county sheriff’s deputy and a fire marshal to point out some of the more egregious issues.

My work has brought me to a number of secure facilities owned by various levels of government and private entities.  One federal facility I’ve frequently visited through the years usually screens vehicles.  As expected, this includes the opening of doors and the trunk of the car.  Not once, in the many years and visits to this facility, has anyone ever moved a seat or checked a bag or package.

My last anecdote comes from a few years ago spending some down time in a small park in an area of DC where there are a number of embassies.  One embassy seemed to have regular traffic in and out for visitors as well as some light construction work being performed on their grounds.  As one guard would check identification and presumably verify the need of the visitor to be there, another guard would walk around the vehicle with an inspection mirror (the type at the end of a pole with which to inspect the underside of a vehicle).  It was evident that the guard was either not trained in its proper use or the importance of this protocol, as every time he walked around a vehicle he held the mirror but never actually put it in position to view under the vehicle, much less ever looked down at the mirror.  He simply took a casual stroll around the vehicle.

The things I’ve noted here are just a few that happened to come to mind as I crafted this article.  There are dozens more, and I’m sure each of you can come up with a list of poor practices as well.  Keep your eyes open when you go to a public space to see how security is handled.  Look at things through the lenses of potential adversaries.  How could someone gain entry?  Are there recognized security patterns they can circumvent?  What vulnerabilities exist?  If you are responsible for security for a facility, have a security audit performed.  While formal security audits are valuable, often the most meaningful ones are casual and unannounced, with someone the front-line security personnel don’t know trying to gain entrance to the facility.  Are they challenged appropriately? Are they screened effectively?

The mitigation, prevention, and protection against security threats is something that many take too lightly – clearly even those whose job it is to focus on those matters.  Highly effective training programs are available – but we need to ensure that people take these courses and implement what they’ve learned in accordance with documented organizational practices.  Supervisors must be present and constantly maintain quality control.  This is a good matter of practice, but even more important when most non-sworn security personnel have a high rate of turnover or may be part time or temporary employees, or even volunteers.  For large events, proper just-in-time training must be performed for supplemental security staff who are not certified or otherwise professionally qualified security personnel.

Security is a challenging environment to work in.  We must constantly be recognizing threats and trying to out-think potential adversaries.  We must strive to keep passive and active security practices up to par, meeting or exceeding standards without becoming predictable to an observer.  How do you assess security in your facility?  What best practices have you identified?

© 2017 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

Awareness of Public Health Preparedness Requirements – CMS

Emergency management and homeland security are collaborative spaces.  Think of these areas as a Venn diagram, with overlapping rings.  Some of the related professions overlap with each other separately, but all of them overlap in the center.  This overlap represents the emergency management and homeland security space.  What’s important in this representation is the recognition that emergency managers and homeland security professionals, regardless of what specific agency they may work for, need to have awareness of that shared space and the areas of responsibility of each contributing profession.  One of the biggest players in this shared space is public health.

For nearly a year, public health professionals have been talking about new requirements from CMS, which stands for The Centers for Medicare and Medicaid Services.  How do Medicare and Medicaid impact emergency management?  CMS, part of the Department of Health and Human Services (HHS), covers over 100 million people across the US – far more than any private insurer.  As an arm of HHS and a significant funding stream within public health, they set standards.

The most relevant standard to us is the Final Rule on Emergency Preparedness Requirements for Medicare and Medicaid Participating Providers and Suppliers.  The rule establishes consistent emergency preparedness requirements across healthcare providers participating in Medicare and Medicaid with the goal of increasing patient safety during emergencies and establishing a more coordinated response to disasters.

The CMS rule incorporates a number of requirements, which include:

  • Emergency planning
  • Policies and procedures
  • Communications planning with external partners
  • Training and exercises

These are all things we would expect from any emergency management standard.  Given the different types of facilities and providers, however, the implementation of the CMS rule can be complex.  A new publication released by the HHS ASPR (Office of the Assistant Secretary for Preparedness and Response) through their TRACIE program (Technical Resources, Assistance Center, and Information Exchange), provides some streamlined references to the CMS rule.  It’s a good document to study up on and keep on hand to help keep you aware of the requirements of one of our biggest partners.

© 2017 – Timothy Riecker, CEDP


Emergency Alerting – A Case Study

Two days ago, much of the northeast was subject to a powerful storm front, which brought high winds, torrential rains, lightning, and several yet to be confirmed tornadoes.  Corresponding with these threats, areas saw a variety of National Weather Service warnings and watches.  Needless to say, when this emergency alert came up on my phone in the midst of these storms, I assumed the shelter in place order was weather related.  Well, you know what they say about assuming things… and of course I should have known better.

While the area of the alert didn’t impact me, Whitestown is just a couple of towns over, so after a few minutes I figured I should do a bit of research to see if whatever prompted the alert might eventually impact my area.  Unfortunately, ‘pressing for more’, as the alert message indicates, gave no further information.  News media in my area is notoriously slow and uninformative for a period of time, something that held true with this event as well.  Approximately 20 minutes later, a local news outlet Tweeted a message about law enforcement activity in that area related to an armed suspect.

Public information and warning is a big deal.  When we don’t communicate clearly and concisely with the public, we can suffer unintended consequences. While I’m not aware of any severe unintended consequences from the lack of any additional information from this emergency alert, officials must understand that the public (and other public safety professionals) want additional information.  They may also need it so they can make better decisions.

This particular example certainly should have included some brief context as to why the alert was issued.  Given the standing tornado watch which was in place at the time, I’m sure there were plenty of others who assumed this was for a tornado or other storm activity.  Such an occurrence would give me cause to gather my family in the basement for safety, rather than locking my doors, closing my blinds, and ensuring that no family members left the house.  Shelter in place can mean a lot of things to different people and adding context could have assisted with ensuring better public safety.  There was also no follow up to this alert lifting the shelter in place message.  (Note: the ‘No longer in effect’ tag is my own, as an effort to be responsible with the image)

While I applaud the use of public alerting tools, issues such as this are seen far too often.  Jurisdictions should have public information and warning components to their emergency operations plans, with specific procedures outlined for not only how to activate an alert, but the proper messaging which should be included to maximize message effectiveness.  Sure, you do it, but do you do it well?

What do you do to ensure effectiveness of your messaging?

© 2017 – Timothy Riecker, CEDP


EMS is in Trouble

If you’ve worked in or with Emergency Medical Services (EMS) over the past couple of decades, you probably know it’s in trouble in many areas around the nation.  As with many organizations, finances are the culprit.  Many EMS organizations simply can’t make ends meet.  Costs for equipment, insurance, fuel, training, and facilities often can’t be balanced in the black against recovered income.  It’s not to say it can’t be done – some are doing it, and successfully.  But many are having a difficult time.  Staffing is another problem.  Volunteer services must constantly recruit and work to retain staff.  Volunteer fire services are experiencing similar recruitment and retention problems.  Even with diligent efforts, day time coverage in some areas is a challenge while many of these volunteers are working at their primary jobs.  Paid services struggle with staffing as well.  It’s no mystery that EMTs and Paramedics don’t get into this business to make good money.  According to a study posted by Monster, the highest paid states provide pay in the $20-$35/hour range, but it slides quickly, with not only the lowest paying states paying in the teens, but the average also sitting in the teens.  Yep, you could be out saving lives and someone working at McDonald’s makes more money than you do.  It’s a rather depressing valuation.

When you couple these two big factors – volunteer staffing and finances – it gets even more difficult.  Paid and volunteer services alike are kicking calls over to mutual aid providers because of being short staffed, which means they miss revenue, which continues to make matters worse.  Many volunteer EMS services, as well as volunteer fire services, are hiring day-shift staff so they can continue to meet needs in their communities during these more difficult timeframes.  For those of you keeping score at home, that’s more cash out.  It might pay off for a busier provider, but certainly not for a provider whose call volume doesn’t balance the checkbook.  Yes, it continues to provide a service to the community, but it’s not sustainable in the long run.

How are the private paid services doing?  Many aren’t doing so well, either.  We see service areas shrinking all around the nation, with paid services seeing diminishing revenues from less dense population areas.  Quite a few paid services make ends meet from interfacility transfers, which are low cost but require volume to make reasonable revenue.

Municipal services are another category which generally have a poor income statement.  I think it’s great that some municipalities provide EMS transport services.  Financially, these services are underwritten by tax payers, with some cost recovery possible through billing insurance companies.  The costs of most municipal services, however, are generally higher, as EMTs and paramedics are government employees, often unionized, and with benefits.  It’s great for them, but not good for the municipal comptroller.  That said, it’s one of the most sustainable models since the underlying financing is spread across all the jurisdiction’s tax payers.  Still a challenge, though, when you consider the tough financial constraints many jurisdictions are facing.

So what’s to be done?  We will eventually need to see a shift in how EMS is provided across the nation.  It is an absolutely necessary service, just as important as roads, fire protection, or law enforcement.  While we won’t see a sudden change, I believe the way forward will be municipal services, or municipally-funded services (those being private or volunteer, but under contract with one or more municipalities).  EMS, similar to other disciplines in public safety, is a public service, and foundationally will need to be publicly funded in order to sustain.  This is nothing new, as there are a number of EMS providers already following this model – that being the maintenance of a contract with one or more municipalities to provide EMS services, for a fee, while also gaining revenue from third party billing, as well as fees for stand-by services for sporting events and other mass gatherings.

What trends do you see in EMS organizational models where you are?  Are the current models sustainable?  Do you view EMS as a public safety endeavor similar to law enforcement and the fire service?

© 2016 – Timothy M. Riecker, CEDP

When is Consolidation of Public Safety Agencies a Good Idea?

A recent effort for the consolidation of three fire departments near our office in Central New York failed.  The consolidation, discussed in earnest for nearly a year with positions both for and against, narrowly lost in a public referendum.  News article here: http://www.uticaod.com/article/20150818/NEWS/150819437.

Having worked in public safety for nearly 20 years, I’ve seen quite a few consolidation efforts.  Some successful, most voted down before they even had a chance.  Most efforts have been related to fire departments, some with EMS agencies, and a few related to law enforcement.  While I’ve seen some early in my career, it seems there has been an increase in consolidation proposals in recent years.  Why?

It seems the most significant factor in these proposals is economic.  Despite the slow upturn in the economy, government budgets are still struggling.  The need to spread the burden of common administrative costs, like insurance; ensure appropriate staffing coverage; and to address equipment issues, such as standardization for interoperability; are the top items of discussion.  In some cases there is also a need to reduce the personnel costs through consolidation by reducing the overall number of executive-level officers and support staff, and to reduce real estate costs by reducing the number of stations.  While not all of these reasons are applied all the time, these are quite commonly identified as reasons for consolidation.  The bottom line for consolidation is that it saves money while, ideally, not increasing response times or public access to services.

As for the reasons against consolidation… there are many who don’t seem to trust the promise of savings.  Certainly there have been a great number of failed attempts by government or other organizations to restructure in the name of cost savings and come nowhere near reaching their target.  Others are afraid of the loss of jobs and access to services.  Some, in my opinion, are just being territorial.

Obviously consolidation, or any change in government structure or services, needs to be carefully studied, reviewed, and if decided upon, implemented in accordance with a carefully designed plan and a watchful eye.  This especially holds true for public safety.  Just like any idea out there, it can work if carefully implemented, but it may not be suitable for everyone.

Where do you stand on public safety consolidations?  What success stories do you have?  How about failures?

© 2015 – Timothy Riecker


Hackers Endanger Public Safety With Pranks

VMS Vulnerabilities Can Have Serious Consequences (Image from Slate.com)


Over the past few years we’ve seen some prominent occurrences of hackers gaining access to public safety systems where they make changes which, while a bit humorous at first blush, are serious examples of the vulnerability of our systems.

This article describes a vulnerability in variable message signs (VMS), which can be programmed remotely to notify drivers of hazards or give other pertinent information.  In another occurrence, in February of 2013, hackers gained access to the Emergency Alert System, broadcasting messages about a zombie attack.

The favor these pranks do for us is to identify vulnerabilities in our systems.  Both articles mention that some vulnerabilities were exploited simply because the default passwords on these systems were never changed.  Agencies that maintain any kind of public messaging system (and yes, this should also include websites and social media accounts), should adhere to the guidance we all normally hear about passwords – create strong passwords including combinations of numbers, letters, and symbols (when possible), avoid patterns or predictable passwords, and change passwords regularly.  As a matter of information security, these passwords should only be known by a select few.

Why are these occurrences serious?  Obviously (to most of us) they are taken in jest, but these are public safety systems which should only be accessed by public safety professionals.  The information and instructions provided over these systems need to come from reliable sources to ensure that the public takes the messages seriously and follows the instructions given.  We should be thankful these instances were pranks, as someone with malicious intent could have provided information which could have endangered the public.

All levels of government and any other organizations which maintain public alerting systems, including colleges and universities and even highway construction firms, need to make a thorough examination of their systems, identify potential vulnerabilities, and take steps to ensure they are protected.

What other systems offer vulnerabilities to hacking?

 

© 2014 Timothy Riecker

 

 

Progress with FAA with UAVs

Tuesday morning I attended a panel discussion hosted by the Greater Utica Chamber of Commerce focused on providing information to area businesses about the FAA’s selection of the former Griffiss Air Base/Oneida County Airport as one of six sites in the nation to test integration of Unmanned Aerial Vehicles (UAVs) into commercial airspace.  The presentations were excellent, with efforts centered around the NUAIR Alliance, a conglomerate of public, private, and educational entities working toward testing airspace integration technologies and protocols, as well as various uses and applications of UAVs, including those for agriculture, commercial enterprise, and public safety.

Interestingly enough, as mentioned by the panelists, UAVs, or drones as they are often referred to, have been in regular use in other nations for years.  Japan, for example, has been using UAVs for agricultural applications such as spraying crops, for the last 10 years.  France, too, has been using UAVs for various purposes.  Here in the US, we largely face matters of regulation as the barrier to utilizing UAVs for non-military applications.  The FAA, who would enact these regulations, is largely looking at matters of safety related to the integration of UAVs into commercial airspace.  Researching these matters and making recommendations to the FAA through real life application is the goal of NUAIR.  Amongst the partners of the NUAIR Alliance are private firms who wish to use UAV technology for agricultural and commercial applications.  These companies, smartly, are now in on the ground floor of this technology in the United States.

With most drones being relatively inexpensive, this technology is accessible for both small farmers and large companies.  Amazon, the online retail giant, has already expressed interest in using UAVs to deliver packages.  As for public safety applications (I’ve written before about this), the possibilities are practically endless.  Those who have privacy concerns have little ground for blocking development of these life saving tools.  Current privacy laws, up to and including the US Constitution, already address these concerns and provide the foundation for UAV applications in law enforcement.  The new Fox show, Almost Human, which is set in the future, brilliantly displays heavy use of drones to track suspects and serve other law enforcement purposes which are better served with smaller, more agile UAVs rather than the piloted helicopters we use today.  These are faster to deploy and minimize human risk.  Thus far, the show has not displayed any use of UAVs with the capability to use lethal force.  Law enforcement aside, there are numerous other public safety applications.  A recent article about massive boulders crushing a farm house in Italy displayed images and video, reportedly taken by UAVs.  Consider similar technology leveraged for a missing person search or to gather information on the extent of a wild fire or damages from a tornado.

The future of UAVs is exciting and I’m thrilled for the test grounds to be practically in my own back yard.  I’m looking forward to the first UAV sighting near my property as the NUAIR partners conduct tests.  Technology certainly is exciting!