Critical Infrastructure Protection: Agencies Need to Assess Adoption of Cybersecurity Guidance

Federal agencies with a lead role to assist and protect one or more of the nation's 16 critical infrastructures are referred to as sector risk management agencies (SRMAs). The SRMAs for three of the 16 have determined the extent of their sector's adoption of the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity (framework). In doing so, lead agencies took actions such as developing sector surveys and conducting technical assessments mapped to framework elements. SRMAs for four sectors have taken initial steps to determine adoption (see figure). However, lead agencies for nine sectors have not taken steps to determine framework adoption.

Status of Framework Adoption by Critical Infrastructure Sector

Regarding improvements resulting from sector-wide use, five of the 16 critical infrastructure sectors' SRMAs have identified or taken steps to identify sector-wide improvements from framework use, as GAO previously recommended. For example, the Environmental Protection Agency identified an approximately 32 percent overall increase in the use of framework-recommended cybersecurity controls among the 146 water utilities that requested and received voluntary technical assessments. In addition, SRMAs for the government facilities sector identified improvements in cybersecurity performance metrics and information standardization resulting from federal agencies' use of the framework. However, SRMAs for the remaining 11 sectors did not identify improvements and were not able to describe potential successes from their sectors' use of the framework.

SRMAs reported various challenges to determining framework adoption and identifying sector-wide improvements. For example, they noted that limitations in knowledge and skills to implement the framework, the voluntary nature of the framework, other priorities that may take precedence over framework adoption, and the difficulty of developing precise measurements of improvement were challenges to measuring adoption and improvements. To help address these challenges, NIST launched an information security measurement program in September 2020, and the Department of Homeland Security has an information network that enables sectors to share best practices. Implementing GAO's prior recommendations on framework adoption and improvements is a key factor that can lead to sectors pursuing further protection against cybersecurity threats.

The U.S. has 16 critical infrastructure sectors that provide clean water, gas, banking, and other essential services. To help protect them, in 2014 the National Institute of Standards and Technology developed cybersecurity standards and procedures that organizations within these sectors may voluntarily use. Federal agencies are charged with leading efforts to improve sector security.

GAO has found that agencies have measured the adoption of these standards and procedures for 3 of 16 sectors and have identified improvements across 2 sectors. For example, the EPA found a 32% increase in the use of recommended cybersecurity controls at 146 water utilities.

Alliance for National & Community Resilience Awards First Resilience Designation to Martinsville, Virginia

The Alliance for National & Community Resilience (ANCR) issued its first community resilience designation to Martinsville, Virginia, at a meeting of the City Council. Martinsville was selected as the initial pilot city for ANCR’s Community Resilience Benchmarks (CRB) for buildings and housing. The city was awarded an Essential designation for its building-related activities and an Enhanced designation for its housing-related initiatives.
“We were particularly impressed with the involvement of city staff and their transparency and thoroughness as we worked through the benchmarking process. Their commitment to the process will be invaluable in supporting improvements in the CRB process and help enhance the resilience of other communities,” said Evan Reis, ANCR Board Chair and Executive Director of the U.S. Resiliency Council.
The benchmarking process was led by Kris Bridges, Martinsville’s Building Official and Mark McCaskill, Martinsville’s Community Development Director. Jeremy Sigmon of Planet Sigmon served as the community’s ANCR Mentor, guiding them through the benchmarking process.
“The Martinsville City Council commends the work of our Inspections and Community Development Departments for their work with ANCR in improving the city’s resiliency and setting the standard for other communities to follow,” said Kathy Lawson, Mayor, Martinsville, Virginia. “The City of Martinsville is committed to the development of benchmarks such as the CRB as having the proper protocols in place will not only give us the needed information to maintain critical facilities and infrastructure during disaster events, but also allow us to reap the financial benefits, improve resiliency across our community and show our commitment to our community and citizens.”
Based on the feedback from Martinsville, ANCR will finalize its benchmarking process and begin work on developing additional benchmarks. The Buildings and Housing Benchmarks represent the first two benchmarks developed under the CRB. ANCR identified 19 community functions covering the social, organizational and infrastructural aspects of communities that influence their resilience and is developing benchmarks for each of them. The Water Benchmark was completed in 2020 and is currently being piloted along with the Buildings and Housing Benchmark in Oakland Park, Florida.

IAEA and FAO Help Burkina Faso and Algeria to Enhance Food Safety & Security

The IAEA and the Food and Agriculture Organization of the United Nations (FAO) cooperate in supporting food safety and food quality programmes around the world to address food hazards and food fraud and to advise countries on food irradiation. Among the beneficiaries of this programme have been Burkina Faso and Algeria. To celebrate World Food Safety Day, we are drawing attention to the importance of nuclear techniques in monitoring food safety. “Safe food today for a healthy tomorrow” – this year’s theme – recognizes how safe food contributes to a healthy life, economy, planet and future.
Enhanced food safety capabilities in Burkina Faso
Tiny but oil- and vitamin-rich sesame seeds have become a staple of Burkina Faso’s economy – creating jobs and generating income. After cotton, the edible seeds that grow in pods have become the West African country’s second most exported agricultural product. This sprouting success in the last decade has been sustained with the help of Burkina Faso’s National Public Health Laboratory (LNSP), supported by the IAEA and FAO, through their Joint Centre on Nuclear Techniques in Food and Agriculture.
Enhancing food safety analytical capabilities in Algeria
Laboratories in Algeria have received the support to enhance their analytical capabilities for the detection of chemical hazards, including antimicrobial and pesticide residues in a range of food, from poultry and eggs to dates and honey. Algeria was the world’s sixth leading exporter of dates, worth approximately US $129 million in 2020.
Through the IAEA’s technical cooperation programme and in partnership with FAO, staff of the Algerian National Institute for Agronomic Research (INRAA) and the National Institute of Veterinary Medicine (INMV) have been trained in methods of analysis and supported with the required analytical equipment. These institutions are now equipped to contribute towards consumer protection and the trade of agricultural products.

International Code Council resources help prepare for safety and recovery as Atlantic hurricane season begins

The International Code Council is committed to helping communities stay safe in the midst of hurricanes and tropical cyclones as June marks the beginning of the 2021 Atlantic hurricane season and preparing for natural disaster safety and recovery is a top priority.
All levels of government and the private sector must work together to ensure communities are safe and resilient from devastating natural disasters. Throughout hurricane season, the International Code Council is dedicated to helping communities stay safe in their homes, workplaces and neighborhoods.
The Code Council and its members are ready to help through the Disaster Response Alliance. Local and state jurisdictions in the U.S. as well as federal agencies may also contact the Disaster Response Alliance for help to reach skilled professionals who volunteer to assist jurisdictions that request aid with building damage assessment, building inspections and other code-related functions in disaster areas. Code Council members also assist devastated communities with post-disaster building plans reviews, inspections and permit operations through the Emergency Management Assistance Compact (EMAC).
“The momentum and awareness we’ve raised during Building Safety Month about the importance of disaster mitigation and building code adoption continues as we enter this year’s hurricane season,” said Code Council CEO Dominic Sims, CBO. “Code officials play an integral role in preparing communities for natural disasters and in navigating recovery after a devastating event. The Code Council and its members are ready to help protect our communities.”
The Code Council, the Federal Emergency Management Agency (FEMA), and state and local officials will host a webinar on the implementation of FEMA’s new disaster recovery policy for code enforcement and administration. This new policy offers building officials and communities an effective way to access many of the resources needed to effectively administer and enforce building codes and floodplain management ordinances for up to 180 days following a major disaster declaration. Register for this free webinar to learn more about this important new policy, including what activities are eligible and how to apply for reimbursement.
Resources to help prepare for hurricane season:
- Seasonal Hurricane Predictions
- FEMA: Hurricane Safety
- Building Safety Month Week 4: Disaster Preparedness
- Visit the Code Council’s Hurricane Safety & Recovery page to access more useful links and resources to help prepare for hurricane season.

What the security industry does now will be judged by the CBRN professionals, the health community and the public

The CBRN (chemical, biological, radiological or nuclear warfare) sector is mostly made up of academics and professional practitioners who research and consider the above-mentioned threats.
For natural disasters, the government-related bodies have their academics and manpower that take full responsibility for servicing security and medical care and for feeding and housing the population, because they are paid for it through taxes.

For biological threats, governments, for specific reasons, use the military and police, which function on a macro level and will be involved in managing specific protocols on the ground. However, it is the private security industry, which is far larger than the military and police in some countries, that will play its part on the ground.

In fact, the two bodies that play an important role are the health community, which sets protocols (infection testing, social interactions and hygiene) for biological threats, and the security industry, which rolls the health protocols out and manages their implementation on the ground.

However, the security industry does more. The security industry adds security protocols to the mix because there are issues relating to the tools (technology and equipment) that are used, the behaviour of the people and the crime related to the threats, both the threat itself and the outcome of the threat, namely the economic meltdown.

It is virtually impossible for the military and police to manage the health protocols and investigate the amount of crime and the types of new crime in this scenario, besides managing the numbers of people involved.

The CBRN community comprehends the fact that there are millions of private security practitioners on the ground who are actually doing the job of taking temperatures, managing the flow of people and ensuring hygiene criteria are met. Therefore, they realize that the private security industry (PSI) is the largest force on the ground to limit the collateral damage, as it is the PSI that also has the equipment and skilled manpower to do so.

This current mutating biological threat has taught some lessons to those who bothered to be present and relevant; the flip side is that some in the security industry do not realize that they are actually doing biological threat security.

Now, based on recent experiences, the private security industry has researched the issues related to this pandemic and thoroughly investigated specifics, taking various issues into consideration.

When 9/11 happened, security exhibitions grew huge in size for two reasons. Firstly, at the same time, IP (Internet Protocol) technology providers began to display their wares and all technologies ran onto the market with their solutions, be it biometrics, IP access control or IP-driven CCTV, which were mostly geared towards counter-terror.

When COVID-19 began, the manufacturers once again ran onto the market with thermal imaging technologies, some of which did not comply with the health department's criteria. Yes, the health community has protocols relating to taking the temperature of people and has also explored the criteria for using thermal imaging. Unfortunately, there are brands that do not conform to the standards out of ignorance of the factual criteria, and there are also some that provide misinformation about their capabilities.

But it is the security industry that went through this scenario before, during 9/11, which brought about laboratories to test the brand performance of emerging technologies and equipment. This means that the protocols for managing a biological threat and using technology or equipment must conform to the health department as well as to the labs that check brand performance.

The health community has set protocols for social distancing but has not realized that the population are not sheep. The security industry knows that the behaviour of people can be extremely aggressive and volatile. Having said that, there are security practitioners who themselves have not acknowledged that their team on the ground is at ground zero, where the staff are more at risk than medical teams such as nurses or doctors.

In a hospital, the medical teams know who is sick and who is not. They then have protocols to dress according to the threat and apply the 'dress-code' using specific protocols. They have been trained in such. On the ground, the security practitioners have no idea of who is sick and who is not sick. They handle people who are shouting and perhaps pushing others around without any form of medical-grade protection or the full complement of protective gear that is used by ICU wards.

The protocol for managing people in security is to layer specific staff with certain character traits or skillsets to ensure a safe environment for the public and themselves. Security companies that are not using protocols place their client's customers at risk, besides their own staff. When customers avoid going to a site, the client loses revenue. This is not about loss prevention but rather profit protection. Furthermore, new crime and increased numbers of criminals erode the profits of a site.

There is also crime related to the threat that causes issues, such as theft of oxygen bottles or the reselling of oxygen using old bottles (organized crime, gang crime or entrepreneurial street vendors) that could contain black fungus in the tubes or valves that is responsible for a 50 percent mortality rate. Nevertheless, the lack of oxygen simply causes chaos, which could increase infection rates because of people fighting over oxygen or mass 'hysterical' riots when people fear that they will not obtain oxygen. The private security industry is involved in all aspects, as one can fathom from the above, and the list of high-risk targets and motivations that drive issues is far too numerous to list in this article.

The CBRN teams may suggest in the future certain steps to take but at the end of the day - it will be the private security industry that will roll it out and manage it on the ground.

If the Security Industry does not stand together and use the same protocols that fit standards and compliance criteria - then it will not be able to limit the level of collateral damage as it should with a mutating biological threat.

When the security industry does take action then it will earn the trust and respect from the CBRN community, the Health Community and the Public at Large.

ISIO (International Security Industry Organization) and CAPSI (Central Association of Private Security Industry), representing +7 million practitioners, call on all stakeholders to participate alongside on mission.

Recommendations for measures to prevent hospital fires

The European Commission’s Joint Research Centre (JRC) issued a series of recommendations to help prevent the hospital fires associated with the medical oxygen needed for severely ill Covid-19 patients, ranging from electrical maintenance to administrative measures and widespread training and guidance on prevention and risk management strategies for oxygen hazards.

Since the outbreak of the pandemic in March 2020, at least 36 incidents of hospital fires associated with intense oxygen use have been found to have occurred in various countries around the world, causing the deaths of over 200 people and injuring many more.

The majority of the dead and injured were patients extremely ill with the novel Coronavirus and others were their health care providers. Most deaths resulted directly from the fire but there were also several deaths from patients deprived of oxygen because of the event.

In comparison, up until 2020, the media shows an average of just over one such event per year since 2011.

According to the JRC recommendations, the strategies to prevent and mitigate the fire risk in intensive care units should revolve around three main elements:

• Guidance on oxygen therapy for Covid-19 and other diseases needs to identify specific prevention measures that can reduce the risk of oxygen-enriched environments in these settings;

• All hospitals should establish a risk management strategy for oxygen hazards led by hospital management, involving all staff, including healthcare workers, maintenance, housekeeping and administration;

• As part of this policy, all hospitals should track the number of patients having medical gas treatment and, when elevated, an appropriate fire risk management policy should be applied.

The hospitals should use as examples strategies developed for chemical process safety to manage flammable and explosive atmospheres. The management procedures should involve medical and non-medical staff, and prevention and emergency preparedness should take into account potential intensive care unit fires.

Governments call for more public and private investment in disaster prevention and risk reduction

Member States gathered virtually to adopt the Outcome Document of the 2021 Economic and Social Council (ECOSOC) Forum on Financing for Development. This year’s outcome document provides indispensable intergovernmental policy guidance to countries on financing for disaster risk reduction and risk-informed investing.
For the first time at the ECOSOC Forum on Financing for Development, Governments recognise the systemic nature of risk and the need to strengthen the understanding of risk in economic and financial planning across all sectors and at all levels. There is a clear call to redress the balance from investing in response towards investing in prevention and risk reduction. Risk-sensitive public investment planning; the consideration of risk in land use planning; risk-sharing mechanisms that create an enabling environment for public-private partnerships; and diagnostics for infrastructure investments that include resilience and climate change adaptation are some of the policy options identified to accelerate financing for disaster risk reduction.
To support these efforts, national and regional development banks and international financial institutions are invited to integrate disaster risk reduction and resilience into COVID-19 economic recovery strategies. The outcome document also breaks new ground in recognizing the need to strengthen the resilience of the financial system through systematically integrating climate, environmental and disaster risks into global risk monitoring to inform future decision making.
Application of this intergovernmental policy guidance at national level will undoubtedly bring significant benefit to the implementation of national and disaster risk reduction strategies. It can also support coherence between financing for disaster risk reduction and climate change adaptation and ensure that the financing for the Sustainable Development Goals and COVID-19 socioeconomic recovery strategies build resilience and reduce the risk of future disasters.
Deliberations at the Forum, which ran from 12 to 15 April, were guided by the 2021 Financing for Sustainable Development Report. This year’s report includes a dedicated chapter that provides guidance to ministries of finance and planning to integrate disaster risk reduction into their policy decisions. During the forum, UNDRR, in partnership with UNDESA and the Co-Chairs of the Group of Friends for Disaster Risk Reduction, organized a side event titled “Financing for Disaster Risk Reduction and a Risk-Informed Approach to Investing Across the SDGs”. The event brought together a variety of development finance practitioners from government and the private sector to discuss the comprehensive approach needed to finance disaster risk reduction and capitalize on public sector policy-setting and private sector innovation.
In her opening remarks, Ms. Mami Mizutori, Special Representative of the Secretary-General for Disaster Risk Reduction, stated that “the current approach to funding disaster risk reduction is not keeping pace with the exponential rise of disaster risk” and called for “a paradigm shift in political attitudes towards financing for disaster risk reduction especially in places that are largely unprotected from the ravages of the climate emergency and the threat of biological hazards”. Mr. Shaun Tarbuck, Chief Executive of the International Cooperative and Mutual Insurance Federation, announced an upcoming report with UNDRR titled “From protection to prevention: the role of cooperative and mutual insurance in disaster risk reduction”.

Building Trust in the Digital Era: ENISA boosts the uptake of the eIDAS regulation

The European Union Agency for Cybersecurity issues technical guidance and recommendations on Electronic Identification and Trust Services helping Member States to implement the eIDAS regulation.
The European Union Agency for Cybersecurity (ENISA) completed a package of five reports in order to boost the implementation of the eIDAS regulation and promote the uptake of Electronic Identification and Trust Services. This work falls under the scope of the EU Cybersecurity strategy for the Digital Decade.
ENISA has been in the forefront of the developments on eIDAS since 2013 and with the Cybersecurity Act, established in 2019, the Agency has an extended mandate to support and assist the European Commission and the Member States in the area of electronic identification.
In this challenging period, the “EU digital ID scheme for online transactions across Europe” initiative will drive the revision of the eIDAS and will promote digital identities for all Europeans. To support the Commission, ENISA has undertaken activities to explore the security considerations for trust service providers and remote identity proofing.
Four of the reports on trust services form an update of ENISA’s guidelines for qualified trust service providers. They represent a voluntary toolset designed to help those trust service providers comply with eIDAS. Specifically, they include:
- technical guidance on the security framework for Qualified Trust Service Providers (QTSP) and for the non-Qualified ones;
- security recommendations for Qualified Trust Service Providers based on Standards;
- guidelines on Conformity Assessment of Trust Service Providers.
A fifth report includes an analysis of the methods used to carry out identity proofing remotely and explores security considerations. Remote identification allows customers to have their identification information collected and validated without the need for physical presence at the premises of the operator. This has become crucial during the COVID-19 pandemic as it allows access to cross-border online services offered by Member States.
Technical Guidelines on Trust Services
ENISA issued the reports in order to update existing recommendations and guidelines issued in 2017 for qualified trust services. The purpose of these reports is therefore to focus on the requirements set by the eIDAS regulation and the emergence of new standards and new TSP services.
The new guidelines are presented in four different reports according to the following topics:
- trust service providers (qualified or not) looking for guidance on how to meet the requirements of the eIDAS Regulation;
- service providers seeking to clarify whether they qualify as a trust service provider according to the provisions under the eIDAS regulation;
- relying parties seeking to evaluate to what extent their trust service provider complies with the eIDAS requirements.
As a result, the set of recommendations includes:
- Security Framework for Qualified Trust Service Providers and for Non-Qualified Trust Service Providers. These guidelines consider the greater potential variety encountered in non-qualified trust service providers;
- Security Recommendations for Qualified Trust Service Providers based on Standards, and Guidelines on Conformity Assessment of Trust Service Providers.
These guidelines have been developed in consultation with, and validated by, experts in the eIDAS field from various sectors.

Universal Health Services lost $67m to ransomware attack

UHS was among the first hit with the coordinated ransomware wave that targeted the healthcare sector last year. On September 29 last year, Universal Health Services announced in a press release that due to an IT security incident that took place two days earlier, it had to suspend user access to its IT applications related to operations located in the United States.
In the early hours of September 27, UHS clinicians and staff members took to Reddit to determine if other UHS employees across the country were experiencing similar computer and phone outages.
The thread detailed internet and data center outages, with one employee attributing the incident to a ransomware attack after seeing ransom messages from the Ryuk hacking group displayed on some computer screens.
Upon discovery, the IT team took all systems offline to prevent further propagation. The following day, UHS officials confirmed the event as an IT disruption, before reporting it as a malware infection several days later.
The disruption caused by the ransomware attack was immense, considering UHS is among the largest providers of hospital and healthcare services in the US, featuring among the Fortune 500 companies in 2019 with annual revenue of $11.4 billion and also ranking #330 in the Forbes list of the largest U.S. public companies.
The company employs around 90,000 people across 26 acute care hospitals, 330 behavioral health facilities, 41 outpatient facilities, and a number of ambulatory care access points and a network of physicians. Aside from the US, Universal Health Services also operates in Puerto Rico and the United Kingdom.
UHS said that it immediately implemented extensive IT security protocols and was working with security partners to restore the affected IT services as soon as possible. The incident caused temporary disruption to some clinical and financial operations, forcing acute care and behavioural health facilities to rely on offline documentation efforts to deliver round-the-clock patient care.

How artificial intelligence can help transform Europe’s health sector

A high-standard health system, rich health data and a strong research and innovation ecosystem are Europe’s key assets that can help transform its health sector and make the EU a global leader in health-related artificial intelligence applications.
The use of artificial intelligence (AI) applications in healthcare is increasing rapidly.
Before the COVID-19 pandemic, challenges linked to our ageing populations and shortages of healthcare professionals were already driving up the adoption of AI technologies in healthcare.
The pandemic has only accelerated this trend. Real-time contact tracing apps are just one example of the many AI applications used to monitor the spread of the virus and to reinforce the public health response to it.
AI and robotics are also key for the development and manufacturing of new vaccines against COVID-19.
A fresh JRC analysis shows that European biotech companies relying on AI have been strong partners in the global race to deliver a COVID-19 vaccine.
Based on this experience, the analysis highlights the EU’s strengths in the “AI in health” domain and identifies the challenges it still has to overcome to become a global leader.
High standard health system safeguards reliability of AI health applications
Europe’s high standard health system provides a strong foundation for the roll out of AI technologies.
Its high quality standards will ensure that AI-enabled health innovations maximise benefits and minimise risks.
The JRC study suggests that, similarly to the General Data Protection Regulation (GDPR), which is now considered a global reference, the EU is in a position to set the benchmark for global standards of AI in health in terms of safety, trustworthiness, transparency and liability.
The European Commission is currently preparing a comprehensive package of measures to address issues posed by the introduction of AI, including a European legal framework for AI to address fundamental rights and safety risks specific to the AI systems, as well as rules on liability related to new technologies.
Strong European research ecosystem supported by EU funding
At the moment, the EU is already well positioned in the application of AI in the healthcare domain - slightly behind China but on par with the US.
But judging from the EU’s research capacities, there is more potential.
The JRC analysis notes the strong investment of European biotech companies in research: in the EU, almost two thirds of all medical AI players are involved in research, against approximately one-third in China.
Consequently, Europe has a strong and diversified research and innovation ecosystem in the area of AI in health.
European companies are particularly strong in health diagnostics, health technology assessment, medical devices and pharmaceuticals.
The EU’s research framework programmes play an important role in the European research and innovation landscape in this domain.
A JRC report published in 2020 indicates that 146 projects linked to AI in health have been launched under the Horizon 2020 framework programme.
The funding of AI in health related projects has been increasing over time, reaching over €100 million in 2020.