Adfero Group HSPI

In an era of diminished budgets and vanishing security grants, a recent break in at the Carters Lake Water Treatment Plant in Georgia highlights how the federal government is leaving small water systems, and the communities they serve, hanging in the wind. I’m not suggesting DHS throw obscene amounts of money at rural water systems, but I would argue that these systems can make major strides with small amounts of money.

The American Society of Civil Engineers (ASCE) has released its latest report card on U.S. infrastructure, and the country again received poor marks across the board. Here is a piece I wrote for Defense Media Network about the continuing problems plaguing America’s infrastructure.

The images from Hurricane Sandy are jaw dropping. From flooded subway stations, waterfalls into the Ground Zero area, destroyed piers, boardwalks and homes, Hurricane Sandy – “The Frankenstorm” – was a big one that Mid-Atlantic States, New Jersey and NYC have long feared. Right now, we don’t know the full costs in lost lives or destroyed infrastructure and homes, but we do know this – it’s going to take some time to get things back to any sense of normal in the affected regions.

On the day before the Labor Day weekend, the White House released the President’s latest “National Preparedness Month” Proclamation. Like last year’s, the proclamation employs the term “resilience.” Yet, the White House remains unwilling to act to establish resilience as the nation’s preparedness objective and daily operating condition. Rhetoric is not results.

In a recent op-ed, Christine Todd Whitman, the former head of the EPA, proposed greater regulation of the U.S. chemical sector because the current regulations aren’t working. Gov. Whitman is right on one thing: the current system isn’t working, but it is not because of a lack of regulation. Chemical companies have tried, but DHS isn’t keeping up

Yesterday, the New York Times ran an editorial by Christine Todd Whitman, titled “The Chemical Threat to America.” In the op-ed, the author calls on the Administration to expand and implement chemical security regulations in the water sector as a means to protect America. She advocates that the federal government should be able to mandate chemical processes and force water systems to use so-called Inherently Safer Technologies. Ms. Whitman is smart and capable, but on this issue she is wrong, wrong, wrong.

With the recent heat waves and storms that have impacted millions of people throughout the United States, much is being written about the nation’s inability to prevent and recover quickly from destructive events. I am not yet ready to start placing blame – there are lots of things I should have done to be prepared. Individual responsibility leads to community preparedness. Here are some thoughts the disruptions bring to mind.

A week ago, with a heat wave bearing down on the eastern United States, heavy storms left millions of homes without power, mine being one of them. Homeland security has morphed from being just about protecting the homeland from madmen to something more like civil defense, which includes protecting critical infrastructure. While we seem to be doing OK against the most egregious threats, our vulnerability to infrastructure disruption remains a problem. We need no more excuses about how bad the thunderstorms were; we have a problem that makes us vulnerable.

Once again, America is officially under attack. According to multiple reports, including an “incident response” report from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), U.S. natural gas pipeline companies are at the center of a major cyber attack campaign. While I’m certain that some in Congress will use this latest cyber attack campaign as fodder to further their cyber security legislation, I do not believe we can legislate our way out of this problem.

It is always difficult to fully absorb the lessons from wide-scale crises in the wake of the catastrophe. Information is often incomplete or contradictory, or still evolving. Learning these lessons, however, provides an opportunity to address the shortfalls of catastrophic disaster response.

The EPA was set to disregard the counsel of the Department of Justice, water system owners/operators and security experts by posting the non-Off-site Consequence Analysis (non-OCA) sections of the water sector’s RMPs this summer. Amid industry outcry, the EPA changed course and decided to postpone re-establishing public Internet access for certain highly security sensitive categories of information collected by its Risk Management Plan (RMP) Program. Irwin Fletcher said, “It takes a big man to admit when he’s wrong. I am NOT a big man.” Such is the case with the EPA.

Ten years from now, global water shortages are likely to threaten U.S. security interests. Ask the Director of National Intelligence, the Defense Intelligence Agency or someone from the Central Intelligence Agency; better yet, read the most recent National Intelligence Estimate. According to a senior U.S. intelligence official who briefed reporters on this issue (on condition of anonymity), there is an increasing likelihood that water will be “potentially used as a weapon, where one state denies access to another.”

Major disasters are relatively rare in Cyprus. Other than a magnitude 6.8 earthquake in 1996 that did not result in any casualties (but was the largest since 1953), annual wildfires and droughts, the island nation has generally avoided the brunt of manmade or natural disasters. But alas, tranquillity breeds complacency. In 2011, 98 containers of improperly stored explosives exploded in Cyprus with devastating impacts on human life, infrastructure and the Cypriot economy. Now is the time for Cyprus to address the hazards it faces.

There comes a time when sharing too much information is a dangerous thing, and this is what the Environmental Protection Agency is about to do. In June, the EPA plans to establish Internet access for the public to view the non-Off-site Consequence Analysis (non-OCA) sections of the water sector’s Risk Management Plans (RMPs). The announcement from the Office of Emergency Management cites burdens associated with Freedom of Information Act requests and a need from the FBI and others for greater access to non-OCA data. Here are my two biggest problems with what EPA plans to do.

The two distinctly different Senate Cyber-Security bills currently making their way through the US Congress respond to the ever-increasing cyber assaults on the US, and particularly the CIKR sectors. It is clear that action must be taken to further harden our IT systems from these asymmetrical and often successful attacks. But remember cyber-security is a balancing act based on the risk tolerance of corporations and agencies. We have enough regulations already in place. What we need is more information sharing on a two-way street.

Today’s reality is the Internet is the repository of a huge and growing amount of code (including malware) whose origin and ultimate purpose are unknown. Yet, well-intentioned, repeated government calls for action have not and will not fix a problem enabled by globally deployed technologies. There has been (and continues to be) a great deal of rhetoric and staff activity on the subject, rhetoric is not results and activity is not accomplishment. The current approach to ensuring the operation of America’s critical infrastructures can only be characterized as lessons-observed because we have failed to change our behavior.

By Michael Balboni
In an op-ed for Newsday, I examined Secretary Napolitano’s announcement of a National Strategy for Supply Chain Security, noting that it only mentioned the importance of physical security. Surprisingly, cyber threats were left completely off the table, though it is crucial to recognize that both these threats are actually inexorably intertwined.

By Doug Doan
For anyone who needed a reminder of just how botched and dysfunctional it is to build or improve a border crossing, take a look at the toxic debate over the Keystone Pipeline. Fierce politics, nasty in-fighting, delay, distortion and misdirection all become standard fare. The Presidential Permit process was supposed to bring order and discipline to building anything across the border linking the United States, Canada and Mexico. But what a mess it has become. Every new idea must navigate an increasingly complicated bureaucratic gauntlet.

Following the recent attention given to the water sector’s vulnerability to cyber intrusion, there’s been a lot of talk about what went wrong, whose fault it was and why changes need to be made in the sector. However, the challenge in addressing the water sector’s cyber security posture isn’t in outlining existing problems, but rather in generating realistic, affordable and timely solutions to mitigate them. My concern is that we may just keep talking about the problem without actually doing anything about it.

Since news broke last week about a suspected cyber attack on an Illinois water utility, media, government and industry have probed the ramifications for U.S. critical infrastructure protection (CIP). Though DHS and FBI later found no attack had occurred, the incident does highlight vulnerabilities in the way utilities are secured against cyber threats. To understand these complex issues, reporters turned to water security expert, Catalyst Partners principal and Security Debrief contributor Vance Taylor.