The International Organization for Migration’s (IOM) Regional Office for the Middle East and North Africa (MENA) has joined the MCR2030 initiative as a supporting entity. MCR2030 is UNDRR’s flagship program, building on the achievement of the Making Cities Resilient Campaign that began in 2010. It welcomes cities, local governments, and all parties who wish to support cities along the resilience roadmap.
The IOM Regional Office for the MENA region has developed the Urban Diagnostic Toolkit to map gaps in migrants’ integration in urban settings, aimed at increasing urban resilience of migrants, refugees, displaced persons, host societies and local governments by strengthening migrants’ social cohesion in the spatial, institutional, economic, climate and resilience city systems.
Increasingly, IOM and UNDRR collaborate across a range of workstreams from high level policy engagement related to the Sendai Framework for DRR’s Midterm Review process, the Global Platform for DRR and Regional DRR Platforms, and more recently on the Early Warning for All Initiative, COP27 and the Center of Excellence for Disaster and Climate Resilience, which IOM recently joined as a member of the Steering Committee. Partnership also extends to technical cooperation on the implementation of the annual workplan of the Senior Leadership Group for DRR for Resilience inclusive of work to mainstream DRR into humanitarian action. IOM is also supporting UNDRR’s leadership on the development and roll out of Risk Information Exchange and the creation of a second-generation disaster loss accounting platform to replace DesInventar. The latter was recently dialogued under the leadership of UNDRR-UNDP-WMO at the Bonn Technical Expert Forum meeting in late November.
This is the beginning of a new collaboration between the two UN agencies. UNDRR warmly welcomes the new MCR partner to work jointly on paving the road for increasing migrants’ resilience in urban contexts.
MRC2030 is a unique cross-stakeholder initiative for improving local resilience through advocacy, sharing knowledge and experiences, establishing mutually reinforcing city-to-city learning networks, injecting technical expertise, connecting multiple layers of government, and building partnerships. Through delivering a clear roadmap to urban resilience, providing tools, access to knowledge, and monitoring and reporting tools, MCR2030 will support cities on their journey to reduce risk and build resilience.
Cyber resilience is a challenge for organizations globally and for the electricity industry in particular. Power systems are among the most complex and critical of all infrastructure types and act as the backbone of economic activity.
Large-scale incidents such as blackouts can have socio-economic ramifications for households, businesses and vital institutions. For example, a six-hour winter blackout in mainland France could result in damages totalling over €1.5 billion ($1.7 billion).
In 2018, the World Economic Forum Centre for Cybersecurity and the Platform for Shaping the Future of Energy, Materials and Infrastructure launched the Cyber Resilience in the Electricity Industry initiative to improve the cyber resilience of global electricity infrastructure. This initiative brought together leaders from more than 50 businesses, governments, civil society and academia to collaborate and develop a clear and coherent cybersecurity vision for protecting the power infrastructure.
Building on the first phase of the initiative, the Forum is now developing a unique exchange platform for cybersecurity leaders across the electricity industry in collaboration with Dragos, EDP, Enel, Hitachi Energy, Iberdrola, Naturgy, Ørsted, Schneider Electric, Siemens Energy, Southern and Vestas. This new platform serves as a central hub where industry experts can exchange knowledge, ideas and best practices to improve cyber resilience as a whole.
By bringing together the leading minds in cybersecurity worldwide, the initiative is fostering collaboration and innovation in this critical field, with the ultimate goal of enhancing the security and reliability of the electricity infrastructure that powers the modern world.
What are the challenges of cybersecurity in the energy industry?
The unprecedented pace of technological change driven by the Fourth Industrial Revolution means that health, transport, communication, production and distribution systems will demand rapidly increasing energy resources to support global digitalization and the advancement of interconnected devices.
Digitalization is driving growth and innovation in the electricity industry and has tremendous potential to deliver shareholder, customer and environmental value. However, new technologies and business models affecting operating assets present both opportunities and risks.
In the past, managing these risks had only meant dealing with issues such as component failure or weather damages, while today’s resilience plans must consider cybersecurity-related threats.
Our approach to strengthening cybersecurity in the energy industry
The Cyber Resilience in the Electricity Industry programme focuses on three main pillars:
- Developing scenarios and use cases that industry executives and boards can use to create a culture of cyber resilience and good governance in the electricity sector.
- Improving the implementation of cyber resilience regulations by fostering dialogue between policy-makers and businesses.
- Improving supply chain resilience by establishing standards for cybersecurity roles and responsibilities across all stakeholders involved to ensure that every entity is taking appropriate steps to protect against cyberthreats.
The initiative has published a series of reports to guide chief executives and board members in meeting the unique challenges of managing cyber risks:
- Cyber Resilience in the Electricity Ecosystem: Principles and Guidance for Boards
- Cyber Resilience in the Electricity Ecosystem: Playbook for Boards and Cybersecurity Officers
- Cyber Resilience in the Electricity Ecosystem: Securing the Value Chain
In 2021, following a request from the European Commission (EC) Energy Directorate, the initiative also developed a collection of 15 lessons learned and recommendations for improvement on the new EC Cybersecurity Directive considering the implications of supply chain attacks and other systemic risks for cybersecurity in the energy industry.
A new portable Gunshot Detection System can provide critical information about outdoor shooting incidents almost instantaneously to first responders. The system, called SDS Outdoor, was developed in collaboration between the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) and Shooter Detection Systems (SDS) of Rowley, MA.
“Many U.S. gunshot detection technologies are not easily deployed in the field or at temporary locations,” said Dr. Dimitri Kusnezov, DHS Under Secretary for Science and Technology. “This new system can be moved by one or two officers without the need for technicians to transport and set up. This mobile capability will help responders approach gun violence incidents with greater awareness, reducing response times and increasing responder safety.”
The portable system is an enhancement to the current commercial, off-the-shelf Guardian Indoor Active Shooter Detection System. SDS Outdoor uses two factors—the sound and flash of the gunshot—to detect and validate each gunshot, drastically reducing false positives. Most other systems rely principally on sound, which can have higher false positive rates. Moreover, SDS Outdoor can be deployed for temporary events in locations where infrastructure support is not available, such as open-field concerts or pop-up rallies.
Delivery of this mobile system comes after almost two years of development. Prototype testing started in January 2022, and SDS provided a real-time demonstration to a user advisory group in May. It was then tested by S&T’s National Urban Security Technology Laboratory and the First Responder Technology Program team in an Operational Field Assessment at Fort Dix, New Jersey, in November. Feedback from participating law enforcement agencies who participated in the evaluations helped make the system more effective in detecting and alerting responders to gunshots.
“We’ve now transitioned the system to SDS to commercialize the technology and make it available to law enforcement agencies and first responders nationwide,” said Anthony Caracciolo, S&T First Responder Technology program manager. “The new system fills a gap identified by the First Responder Resource Group by extending gunshot detection capabilities to locations that do not support fixed deployments.”
SDS Outdoor also complements other S&T-developed detection and tracking technologies, such as MappedIn Response and Detection of Presence of Life through Walls, giving first responders a more holistic view of what they are dealing with so they can coordinate their responses accordingly.
Please find here your downloadable copy of the Winter 2022-23 issue of Critical Infrastructure Protection & Resilience News for the latest views and news at www.cip-association.org/CIPRNews.
- A Standard to help protect Critical Infrastructure
- Government and Industry Cooperation: More Important Than Ever for Cybersecurity Awareness
- Help2Protect: an eLearning program to counter Insider Threats
- Testing Environments Help S&T and CISA Secure Transportation Infrastructure
- Can responsible AI guidelines keep up with the technology?
- Infrastructure Resilience Planning Framework (IRPF)
- An Interview with Port of New Orleans
- Critical Infrastructure Protection & Resilience North America Preview
- Industry and Agency Reports and News
Critical Infrastructure Protection and Resilience News is the official magazine of the International Association of Critical Infrastructure Protection Professionals (IACIPP), a non-profit organisation that provides a platform for sharing good practices, innovation and insights from Industry leaders and operators alongside academia and government and law enforcement agencies.
The USA's 16 critical infrastructure sectors rely on internet-connected devices and systems to deliver essential services, such as electricity and health care. These sectors face increasing cybersecurity threats—an issue on our High Risk list.
Federal agencies that have leadership roles in 3 sectors we reviewed have taken some steps to manage the cybersecurity risks posed by internet-connected devices and systems. But they've not assessed risks to the sectors as a whole. Without a holistic assessment, the agencies can't know what additional cybersecurity protections might be needed.
Cyber threats to critical infrastructure IoT and OT represent a significant national security challenge. Recent incidents—such as the ransomware attacks targeting health care and essential services during the COVID-19 pandemic—illustrate the cyber threats facing the nation's critical infrastructure. Congress included provisions in the IoT Cybersecurity Improvement Act of 2020 for GAO to report on IoT and OT cybersecurity efforts.
This report (1) describes overall federal IoT and OT cybersecurity initiatives; (2) assesses actions of selected federal agencies with a lead sector responsibility for enhancing IoT and OT cybersecurity; and (3) identifies leading guidance for addressing IoT cybersecurity and determines the status of OMB's process for waiving cybersecurity requirements for IoT devices. To describe overall initiatives, GAO analyzed pertinent guidance and related documentation from several federal agencies.
To assess lead agency actions, GAO first identified the six critical infrastructure sectors considered to have the greatest risk of cyber compromise. From these six, GAO then selected for review three sectors that had extensive use of IoT and OT devices and systems. The three sectors were energy, healthcare and public health, and transportation systems. For each of these, GAO analyzed documentation, interviewed sector officials, and compared lead agency actions to federal requirements.
GAO also analyzed documentation, interviewed officials from the selected sectors, and compared those sector's cybersecurity efforts to federal requirements. GAO also interviewed OMB officials on the status of the mandated waiver process.
The nation's critical infrastructure sectors rely on electronic systems, including Internet of Things (IoT) and operational technology (OT) devices and systems. IoT generally refers to the technologies and devices that allow for the network connection and interaction of a wide array of “things,” throughout such places as buildings, transportation infrastructure, or homes. OT are programmable systems or devices that interact with the physical environment, such as building automation systems that control machines to regulate and monitor temperature.
Figure: Overview of Connected IT, Internet of Things (IoT), and Operational Technology
To help federal agencies and private entities manage the cybersecurity risks associated with IoT and OT, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have issued guidance and provided resources. Specifically, CISA has published guidance, initiated programs, issued alerts and advisories on vulnerabilities affecting IoT and OT devices, and established working groups on OT. NIST has published several guidance documents on IoT and OT, maintained a center of cybersecurity excellence, and established numerous working groups. In addition, the Federal Acquisition Regulatory Council is considering updates to the Federal Acquisition Regulation to better manage IoT and OT cybersecurity risks.
Selected federal agencies with a lead role have reported various cybersecurity initiatives to help protect three critical infrastructure sectors with extensive use of IoT or OT devices and systems.
Title: Sector Lead Agencies' Internet of Things (IoT) or Operational Technology (OT) Cybersecurity Initiatives
Sector (Lead Federal Agency)
Examples of IoT or OT Initiatives
Energy (Department of Energy)
Considerations for OT Cybersecurity Monitoring Technologies guidance provides suggested evaluation considerations for technologies to monitor OT cybersecurity of systems that, for example, distribute electricity through the grid.
Cybersecurity for the Operational Technology Environment methodology aims to enhance energy sector threat detection of anomalous behavior in OT networks, such as electricity distribution networks.
Healthcare and public health (Department of Health and Human Services)
Pre-market Guidance for Management of Cybersecurity identifies issues related to cybersecurity for manufacturers to consider in the design and development of their medical devices, such as diagnostic equipment.
Post-market Management of Cybersecurity in Medical Devices provides recommendations for managing cybersecurity vulnerabilities for marketed and distributed medical devices, such as infusion pumps.
Transportation systems (Departments of Homeland Security and Transportation)
Surface Transportation Cybersecurity Toolkit is designed to provide informative cyber risk management tools and resources for control systems that, for example, function on the mechanics of the vessel.
Department of Homeland Security's Transportation Security Administration's Enhancing Rail Cybersecurity Directive requires actions, such as conducting a cybersecurity vulnerability assessment and developing of cybersecurity incident response plans for higher risk railroads.
Source: GAO analysis of agency documentation │ GAO-23-105327
However, none of the selected lead agencies had developed metrics to assess the effectiveness of their efforts. Further, the agencies had not conducted IoT and OT cybersecurity risk assessments. Both of these activities are best practices. Lead agency officials noted difficulty assessing program effectiveness when relying on voluntary information from sector entities. Nevertheless, without attempts to measure effectiveness and assess risks of IoT and OT, the success of initiatives intended to mitigate risks is unknown.
The Internet of Things Cybersecurity Improvement Act of 2020 generally prohibits agencies from procuring or using an IoT device after December 4, 2022, if that device is considered non-compliant with NIST-developed standards. Pursuant to the act, in June 2021 NIST issued a draft guidance document that, among other things, provides information for agencies, companies and industry to receive reported vulnerabilities and for organizations to report found vulnerabilities. The act also requires the Office of Management and Budget (OMB) to establish a standardized process for federal agencies to waive the prohibition on procuring or using non-compliant IoT devices if waiver criteria detailed in the act are met.
As of November 22, 2022, OMB had not yet developed the mandated process for waiving the prohibition on procuring or using non-compliant IoT devices. OMB officials noted that the waiver process requires coordination and data gathering with other entities. According to OMB, it is targeting November 2022 for the release of guidance on the waiver process. Given the act's restrictions on agency use of non-compliant IoT devices beginning in December 2022, the lack of a uniform waiver process could result in a range of inconsistent actions across agencies.
FEMA has obligated $10.28 million in flood resilience projects through the Flood Mitigation Assistance Swift Current initiative. This is the first FEMA initiative funded through President Biden’s Infrastructure Investment and Jobs Act, also known as the Bipartisan Infrastructure Law.
The initiative allocates a total of $60 million to Louisiana, Mississippi, New Jersey and Pennsylvania—all states affected by Hurricane Ida—to equitably expedite mitigation grants to disaster survivors with repetitively flooded homes. The application period opened April 1, and by Aug. 1, the funding requested exceeded the amount made available through the Swift Current Initiative by over $9 million. FEMA continues to review all other subapplications submitted to the Flood Mitigation Assistance Swift Current initiative and will announce further selections in the upcoming months.
Selections include acquiring 31 flood-prone properties in New Jersey and converting land to open space while two properties in Louisiana will be reconstructed to better withstand flooding. More information about these and other selections is available on FEMA.gov.
Swift Current seeks to substantially speed up the award of Flood Mitigation Assistance funding after a flooding event and reduce the complexity of the application process. Its goal is to obligate flood mitigation dollars for repetitively and substantially flood damaged properties insured through the National Flood Insurance Program as quickly and equitably as possible after a disaster event.
The program recognizes the growing flood hazards associated with climate change, and of the need for flood hazard risk mitigation activities that promote climate adaptation, equity and resilience to flooding. These hazards are expected to increase in frequency and intensity.
The devastating impact of chemical weapons and explosives used in acts of terrorism continues to affect civilian populations and is well known for its destructive and long-term harm.
Last year over 1,000 improvised explosive device (IED) attacks were conducted by non-state actors, injuring over 7,150 people in more than 40 countries. Many attacks come from chemicals that criminals acquired through weak points in the supply chain – from manufacturing to storage and retail– and made into weapons.
To counter this threat, some 220 chemical security practitioners from more than 70 countries met at INTERPOL’s 3rd Global Congress on Chemical Security and Emerging Threats to find ways of reducing vulnerabilities by enhancing multisector cooperation and collaboration.
With a focus on acquisition, transportation, physical and cyber security of chemical materials, the meeting highlighted a range of security issues, such as detecting cross-border movements of regulated material and implementing regulatory frameworks.
Terrorists’ misuse of e-commerce and new technologies
The Global Congress also explored ways to counter emerging threats including terrorists’ misuse of e-commerce and new technologies to acquire toxic and precursor chemicals.
Due to the substantial growth and access to the Internet in recent years, so too we have seen an increase in digital content produced and shared through platforms such as instant messaging, social networking, blogs and online portals. The misuse of technologies can be seen as a result of this rapid growth in content, and with it a rise in suspicious activities.
Law enforcement agencies provided examples of investigative techniques that could be used to identify and prosecute the illicit purchase or sale of chemicals on the Dark Net. These lessons provided delegates with solutions to address the use of sophisticated technologies for nefarious purposes.
"The concerted effort of global law enforcement, along with our partners, is key to combatting the use of explosive precursor chemicals and chemical weapons,” Mr Hinds added.
Dual-use and precursor chemicals have a wide legitimate function in the production of consumer goods such as pharmaceuticals, cleaning supplies and fertilizers. This raises significant challenges to prevent and monitor, and remains one of the inherent threats to chemical security worldwide.
INTERPOL awareness video - ‘The Watchmaker’
In this context, an INTERPOL-produced awareness video was premiered at the meeting to engage a broad spectrum of stakeholders in understanding the importance of individuals and companies to secure dangerous toxic chemicals, including equipment.
Entitled ‘The Watchmaker’, the video highlights the need for multisector cooperation to combat these threats and will be used in a series of INTERPOL capacity building workshops and other activities related to counter-terrorism and prevention.
“Multisector collaboration is essential for us to tackle the threats we face from criminals who gain access to dangerous chemicals with malevolent intentions. Morocco is committed to strengthening the engagement of these issues as part of our proactive approach to combating terrorism,” said Mr. Mohammed Dkhissi, Head of National Central Bureau, Rabat.
Other measures proposed by the Global Congress Network include:
- Advocating chemical security recommendations such as increased retail reporting on suspicious activity;
- Expanding the INTERPOL-hosted Global Knowledge Hub, which allows members to engage in interactive discussions and access good practice guidance;
- Strengthening the Global Congress Network through greater diversity of expertise and activities across regions and sectors;
- Promoting decision-making tools such as a customer database, which can flag areas of security concern.
Since its inception in 2018, the Global Congress has been jointly led by INTERPOL, the US Cybersecurity and Infrastructure Security Agency (CISA), the US Defense Threat Reduction Agency (DTRA) and the US Federal Bureau of Investigation (FBI), and implemented in cooperation with the G7 Global Partnership Against the Spread of Weapons and Materials of Mass Destruction.
The Department of Homeland Security released the Cybersecurity Performance Goals (CPGs), voluntary practices that outline the highest-priority baseline measures businesses and critical infrastructure owners of all sizes can take to protect themselves against cyber threats. The CPGs were developed by DHS, through the Cybersecurity and Infrastructure Security Agency (CISA), at the direction of the White House. Over the past year, CISA worked with hundreds of public and private sector partners and analyzed years of data to identify the key challenges that leave our nation at unacceptable risk. By clearly outlining measurable goals based on easily understandable criteria such as cost, complexity, and impact, the CPGs were designed to be applicable to organizations of all sizes. This effort is part of the Biden-Harris Administration’s ongoing work to ensure the security of the critical infrastructure and reduce our escalating national cyber risk.
“Organizations across the country increasingly understand that cybersecurity risk is not only a fundamental business challenge but also presents a threat to our national security and economic prosperity,” said Secretary of Homeland Security Alejandro N. Mayorkas. “The new Cybersecurity Performance Goals will help organizations decide how to leverage their cybersecurity investments with confidence that the measures they take will make a material impact on protecting their business and safeguarding our country.”
CISA developed the CPGs in close partnership with the National Institute for Standards and Technology (NIST). The resulting CPGs are intended to be implemented in concert with the NIST Cybersecurity Framework. Every organization should use the NIST Cybersecurity Framework to develop a rigorous, comprehensive cybersecurity program. The CPGs prescribe an abridged subset of actions – a kind of “QuickStart guide” – for the NIST CSF to help organizations prioritize their security investments.
“To reduce risk to the infrastructure and supply chains that Americans rely on every day, we must have a set of baseline cybersecurity goals that are consistent across all critical infrastructure sectors,” said CISA Director Jen Easterly. “CISA has created such a set of cybersecurity performance goals to address medium-to-high impact cybersecurity risks to our critical infrastructure. For months, we’ve been gathering input from our partners across the public and private sectors to put together a set of concrete actions that critical infrastructure owners can take to drive down risk to their systems, networks and data. We look forward to seeing these goals implemented over the coming years and to receiving additional feedback on how we can improve future versions to most effectively reduce cybersecurity risk to our country.”
“The Biden-Harris Administration has relentlessly focused on securing our Nation’s critical infrastructure since day one,” said Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger. “CISA has demonstrated tremendous leadership in strengthening our critical infrastructure’s cyber resilience over the last year. The Cyber Performance Goals build on these efforts, by setting a higher cybersecurity standard for sectors to meet.”
“Given the myriad serious cybersecurity risks our nation faces, NIST looks forward to continuing to work with industry and government organizations to help them achieve these performance goals,” said Under Secretary of Commerce for Standards and Technology and NIST Director Laurie E. Locascio. “Our priority remains bringing together the right stakeholders to further develop standards, guidelines and practices to help manage and reduce cybersecurity risk.”
In the months ahead, CISA will actively seek feedback on the CPGs from partners across the critical infrastructure community and has established a Discussions webpage to receive this input. CISA will also begin working directly with individual critical infrastructure sectors as it builds out sector-specific CPGs in the coming months.
One disaster can knock out electric service to millions. A new study suggests that back-to-back disasters could cause catastrophic damage, but the research also identifies new ways to monitor and maintain power grids.
Researchers at The Ohio State University have developed a machine learning model for predicting how susceptible overhead transmission lines are to damage when natural hazards like hurricanes or earthquakes happen in quick succession.
An essential facet of modern infrastructure, steel transmission towers help send electricity across long distances by keeping overhead power lines far off the ground. After severe damage, failures in these systems can disrupt networks across affected communities, taking anywhere from a few weeks to months to fix.
The study, published in the journal Earthquake Engineering and Structural Dynamics, uses simulations to analyze what effect prior damage has on the performance of these towers once a second hazard strikes. Their findings suggest that previous damage has a considerable impact on the fragility and reliability of these networks if it can’t be repaired before the second hazard hits, said Abdollah Shafieezadeh, co-author of the study and an associate professor of civil, environmental and geodetic engineering.
“Our work aims to answer if it’s possible to design and manage systems in a way that not only minimizes their initial damage but enables them to recover faster,” said Shafieezadeh.
The machine learning model not only found that a combination of an earthquake and hurricane could be particularly devastating to the electrical grid, but that the order of the disasters may make a difference. The researchers found that the probability of a tower collapse is much higher in the event of an earthquake followed by a hurricane than the probability of failure when the hurricane comes first and is followed by an earthquake.
That means while communities would certainly suffer some setbacks in the event that a hurricane precedes an earthquake, a situation wherein an earthquake precedes a hurricane could devastate a region’s power grid. Such conclusions are why Shafieezadeh’s research has large implications for disaster recovery efforts.
“When large-scale power grid systems are spread over large geographic areas, it’s not possible to carefully inspect every inch of them very carefully,” said Shafieezadeh. ”Predictive models can help engineers or organizations see which towers have the greatest probability of failure and quickly move to improve those issues in the field.”
After training the model for numerous scenarios, the team created “fragility models” that tested how the structures would hold up under different characteristics and intensities of natural threats. With the help of these simulations, researchers concluded that tower failures due to a single hazardous event were vastly different from the pattern of failures caused by multi-hazard events. The study noted that many of these failings occurred in the leg elements of the structure, a segment of the tower that helps bolt the structure to the ground and prevents collapse.
Overall, Shafieezadeh said his research shows a need to focus on re-evaluating the entire design philosophy of these networks. Yet to accomplish such a task, much more support from utilities and government agencies is needed.
“Our work would be greatly beneficial in creating new infrastructure regulations in the field,” Shafieezadeh said. “This along with our other research shows that we can substantially improve the entire system’s performance with the same amount of resources that we spend today, just by optimizing their allocation.”
This work was supported by the Korea Institute of Energy Technology Evaluation and Planning (KETEP) and the Ministry of Trade, Industry & Energy of the Republic of Korea (MOTIE).