Category: Industry News

Industry News

Are we getting the deserved return-on-investment from the EU research on critical infrastructure resilience?

Cyber Security CII sector, Industry News
By October 17, 2024, the EU member states were supposed to notify the European Commission that the transposition of the Critical Entities Resilience (CER) Directive into respective national laws had been accomplished. Only two (out of 27) member states managed to meet that deadline.
Could the EU research projects in the area of critical infrastructure/entities (CI/CE) resilience have helped more to mitigate this delay? Could that mitigation be part of a more optimal return on investment (RoI)? Was the investment in recent years (e.g., over 4.5 b€ in digital transformation initiatives, or 450 M€ for cybersecurity projects and civil security ) not adequate? Could it have produced more convincing answers to claims like “Europe’s critical infrastructure is becoming dangerously vulnerable” ? Especially in the context of new and evolving challenges or the “European CIs under continuous attacks” ?
There is a general agreement about the need to reach better RoI or, in the same context, Return on Research Investment (RoRI). But the agreement about how to do it practically is still to be achieved. Leaving the extreme positions aside, like “the only real RoI is the commercially measurable use of project results”, on one side, and “any use of project results represents RoI”, on the other side, one can opt for the middle ground and assume that “an evident use leading to tangible benefits represents an RoI”. For the CI/CE-related research, that can include, e.g., resilience standards, broadly adopted guidelines or evidence provided as inputs for the new EU and national policies. Applying such a definition, however, when searching for RoI-relevant results in the repositories of the EU project results such as CORDIS, Innovation Radar, or Dealflow, yields hardly any convincing evidence. The reported RoI-relevant results are often only vaguely described, not quantified, often out of date, and almost regularly lacking examples of real use or quantified benefits. As an example, the search for the results mentioning the CER Directive in the EU Dealflow tool provides no entries (January 2025). Similarly, the search for “resilience and infrastructure” among approx. 14,000 entries in the EU Innovation Radar, yields only 44 matches.
The reasons for the above can be numerous. E.g., the difficulty in aligning the needs and interests of industrial security and openness required by public research. Or, the lack of full-scale industry involvement (e.g., not participating with departments directly involved in production or marketing). Or, in the area of standardization, the rules and timing of standardization bodies being incompatible with the rules and timing of the EU projects. Or, the project results are simply not reported in the tools. Or, the main motivation of the researchers in the projects being to get new, follow-up projects, not necessarily to exploit the results of the finished ones. Many of these reasons are mentioned and explained in the recommendations of the evaluation reports made during the transition from one EU Framework Programme (FP) to another  , but less often implemented afterward. The fact that EU projects legally and practically do not exist after their final date, certainly also does not contribute to the sustainability of accessibility to project results and achieving good RoI.
In addition, imposing a too broad spectrum of (sometimes contradictory) goals, or the need to balance between breakthrough technology research and market success, on one side, and political constraints on the other side, can be very challenging for a good RoI. The latter is especially true and applicable to the area of CI/CE resilience, nowadays at the very top of the EU priorities . Their final results in many cases “never cross the chasm to the market, even if they achieved technological goals set in the project proposal”   (exceptions available, of course). Even worse, on the researchers’ side, the difficulties of meeting too many different or too highly set goals can lead to unrealistic or deceiving reporting, nowadays potentially worsened by the possible indiscriminate and unreported use of AI. On the EU side, limiting resources for monitoring the achievement of multiple goals, lower the threshold to clientelism.
How could the situation be improved? Generic, top-down, solutions suggested so far are generally well-aligned and present in the recommendations: strengthening and leveraging existing platforms (ERNCIP, Hubs, Radars…), better integration of research with industry and standardization, introducing mechanisms that support project continuity beyond formal completion, strong involvement of industry stakeholders, rewarding genuine success and penalizing exploitative practices, promoting monitoring and accountability, to mention just some of them. But, looking at the past decades of EU research, it seems that many suggested solutions have not been implemented as recommended.
Hence, the bottom-up solutions should be tried. Among them, establishing measurable indicators of success and robust evaluation systems is certainly at the top of the priority list. The data collection for the indicators such as those in the EUR 27314 EN should become mandatory and the indicators better known and understood, possibly including also the non-self-declared indicators of successful exploitation (which could be used for monitoring and stress-testing, too – e.g., in combination with standards like DIN 91461). The key research-to-market transfer RoI indicators, quantifying effectiveness, efficiency, and transformation are generally available, but not used because data are missing, and the mandates and obligations are not well defined, especially not at the EU level. The prerequisite for such a system is a joint EU strategy, e.g., similar to the recent US strategy documents  specifying both the overall framework and the need to “prioritize measurement”. A future extension of the CER Directive?
To conclude, the EU research on critical infrastructure resilience and researchers should be further encouraged and incentivized to deliver more tangible RoI, including results directly usable and useful for the application of the CER Directive and the overall EU resilience, thus helping in meeting both the deadlines like the “October 17, 2024” one and the top level goals like the ones declared by the EU7. The push should include also the readiness and courage to openly name and address the real issues, avoid the “newspeak”, and undertake efficiently the actions needed.
A. Jovanovi, Steinbeis European Risk & Resilience Institute, Germany
Leave a comment

Indra leads the European SMAUG Project to improve underwater threat detection at ports and maritime borders

Industry News, Transport sector

With the aim of improving and reinforcing the security of ports and their entry routes, Indra has launched the European SMAUG (Smart Maritime and Underwater Guardian) RDI project, as part of the European Union’s Horizon Europe program. The company heads the consortium of entities from seven European countries that will work together to improve the underwater detection of threats and illicit trafficking.
Over 80% of world trade is conducted by sea, and the continuous movement of vessels requires port security processes to be robust and effective, especially for monitoring and detecting legal and illegal activities at ports, in coastal areas and on borders. Geopolitical tensions are also turning the bottom of the oceans into sensitive terrain that needs to be protected.

Within this context, the SMAUG project seeks to detect, track and monitor potentially illegal and harmful movements and products entering EU ports and coasts by means of an integrated system based on Indra’s iSIM solution, which combines security management, advanced underwater detection systems and surveillance vessels.

More specifically, underwater threats are detected and located using four main methods. The first method is acoustic detection, in which a series of hydrophones listen for sounds emitted by small autonomous underwater vehicles. Secondly, a sonar performs a quick scan of the hull and the bottom of the harbor. The third method of underwater detection is high-resolution sonar inspection, which is used to inspect objects in water with poor visibility. Finally, collective autonomous location is employed, whereby a coordinated swarm of autonomous underwater vehicles act cooperatively.

These systems, supported by artificial intelligence, can more effectively detect unlawful and dangerous goods and/or threats hidden beneath the surface of the water. SMAUG will thus make a significant contribution to maritime security by improving the protection of infrastructures and vessels and the detection of vessels, including narco-submarines, suspected of conducting illegal or potentially dangerous activities.

As the leader of the SMAUG project, Indra brings its expertise in developing advanced algorithms for processing underwater sound and images, applying artificial intelligence for early detection of objects and threats. Additionally, it contributes its capabilities in the field of security for port infrastructure and maritime transport, providing solutions that enhance protection in complex maritime environments.

Its iSIM solution acts as a core for integration and analysis, unifying and processing data from physical security systems such as hydrophones, underwater scanners, drone swarms, and autonomous vehicles, along with satellite surveillance systems. It also takes information from port management systems, enabling a global and interoperable view that optimizes security, operational efficiency, and real-time decision-making.

International cooperation

Juan Román Martínez, the head of Indra’s SMAUG project, emphasized that ”this project means significant progress in maritime security, as it reinforces safety and promotes international cooperation in the fight against illicit activities in the maritime environment”.

With a budget of almost six million euros, the SMAUG RDI project involves a highly experienced consortium made up of 22 partners, including universities, research centers, SMEs, law enforcement agencies, public authorities, coast and border guards and private organizations from seven EU countries (Estonia, France, Germany, Greece, Italy, Norway and Spain).

Among its capabilities, SMAUG is being prepared to achieve interoperability with the Common Information Sharing Environment (CISE), in order to help create a political, cultural, legal and technical environment that allows exchanges of information between the surveillance systems of the member States of the European Union (EU) and the European Economic Area (EEA). Thus, all of the authorities from the different sectors involved in port and maritime settings could have access to any additional classified and unclassified information required to perform missions at sea.

Indra will continue to drive a more secure, connected and sustainable future with this project, placing technology at the service of the safety and well-being of citizens in keeping with its motto:'Tech for Trust'. With innovation at the core of its business and unique experience going back over 30 years, the company boasts a comprehensive portfolio of pioneering solutions designed on an ad hoc basis to address all kinds of citizen security threats that have been implemented in countries all around the world.

Leave a comment

The US Defense Industrial Base Risks & Opportunities

Industry News, Transport sector
In this article, we examine how supply chain disruptions in minerals, electronics, and skilled labor are creating risks and opportunities in the US Defense Industrial Base (USDIB). 

Minerals: Rare Earth Elements

The USDIB relies on Rare Earth Elements (REEs).  REEs, loosely defined, are a set of 17 nearly indistinguishable lustrous silvery-white soft heavy metals. The term 'rare-earth' is misleading because they are not actually scarce. REEs are common throughout the Earth's crust.  However, because of their geochemical properties, most REEs are highly dispersed as trace elements. Geological regions with relatively high concentrations of REE are rare and even in these rare instances, obtaining usable quantities of pure REEs requires processing enormous amounts of raw material at great expense.

REE is mined by first removing rock from the ground that contains the REE.  Most rare-earth ores are mined by conventional open-pit methods in which rock is broken by blasting, loaded onto trucks with large shovels, and hauled to a concentration facility. Concentration is by physical separation of the REE-bearing minerals from all other minerals in the rock. The ore is crushed and ground in multiple stages until most of the rare-earth minerals interlocked with the other minerals are broken free. Next, in a method known as froth flotation, the rare-earth minerals are coated with a chemical that repels water and allows them to float to the surface attached to air bubbles in agitated tanks, where they are skimmed off as a concentrate. The remaining minerals are disposed of as waste and the REE concentrate is then ready for leaching.

The REE concentrate is then leached with an acid and the resulting REE-rich solution is then processed through sequential steps to recover individual REEs. For example, Cerium can be recovered by the addition of sodium hydroxide, which causes the cerium to drop out of solution as an oxide or hydroxide. The other REEs are typically separated by solvent extraction, a process in which an organic chemical specially designed to extract a particular REE is forced countercurrent to the REE-bearing leach solution.   Mining and concentration of REE ores presents conventional problems of concentrate waste disposal. For every ton of REEs produced, the process yields an estimated 75 cubic meters of wastewater and one ton of radioactive residue.

From the mid-1960s to the early 1990s, the United States was the world’s largest REE-producing country, with production coming entirely from the Mountain Pass mine in southeastern California. The mine was discovered in 1949 by a uranium prospector. The mine is located in San Bernardino County, California, on the south flank of the Clark Mountain Range. The mine has been active since 1952, with production expanding in the 1960s.  In 2020, the mine supplied 15.8% of the world's rare-earth production.   Today the mine is owned by MP Materials Corp (NYSE: MP). At this time, MP Materials Corp. is the largest producer of rare earth materials in the Western Hemisphere. The company recently raised $1B to expand its capacity.  The Mountain Pass mine is currently the only active REE mine in the United States.

In the late 1980s, China began mining their in-country REE deposits, processing their ore and extracting and separating the individual REEs for use in products, which they also manufactured. China quickly gained control of global REE production, providing 95 percent of the global market of processed REE by 2011.  Between 2011 and 2017, China produced approximately 84 percent of the world’s REEs.

China was able to establish dominance over the REE industry in large part because of its lower environmental regulations. Low cost, high pollution extraction methods enabled China to outpace competitors and create a strong foothold in the international REE market.  The largest REE mine in the world at this time is the Bayan-Obo mine in China. At this mine, there are an estimated 70,000 tons of radioactive thorium waste in storage ponds in the area. These waste ponds are not far from the Yellow River and there is concern that they could eventually leach into the river, which is a key source of drinking water for a substantial population.  To maintain its dominance in REEs, China is also in the process of expanding its REE mining operations outside of mainland China.  China has obtained rights to the REE deposits in a handful of African countries in return for infrastructure investment, including but not limited to the Democratic Republic of the Congo in return for building national roads, highways, and hospitals. China has obtained commercial licenses for REE mines in Kenya by agreeing to build a $600+ million data center.

President Trump’s recent comments that he wants the US to “purchase Greenland” have made international headlines. While we will not comment on the politics of this, we are glad to comment on one of the reasons why he said this. One reason was the Kvanefjeld deposit in Greenland is estimated by scientists to be one of the largest known REE deposits on earth. China has been in discussions with Greenland since 2017 about gaining rights to mine Kvanefjeld. To date, Greenland has rejected China’s offers regarding Kvanefjeld.  Given that much of the Island has not yet been fully explored for REEs, many scientists believe that Greenland may hold substantial REE deposits. Furthermore, with receding Artic Ice (due to global warming), the costs of extracting REEs from Greenland are expected to decline significantly.

Electronics: Computer Chips
Semiconductors and advanced electronics form the technological backbone of modern defense systems, powering communications, surveillance, and weapons guidance. However, the semiconductor industry has been plagued by significant supply disruptions. A global chip shortage that began with the COVID – 19 pandemic in 2020 has persisted, driven by surging demand, throughput constraints, and an overreliance on semiconductor fabs in Taiwan. Furthermore, China has made the leadership in the semiconductor industry a national strategic objective. According to the US based Semiconductor Industry Association, China has plans to invest more than $150 Billion in the sector between 2014 and 2030.

The U.S. government responded in 2022 with the Creating Helpful Incentives to Produce Semiconductors Act (CHIPS), which authorized $280 Billion to boost domestic research and manufacturing in the semiconductor industry in the US. In addition to this substantial amount of funding, the CHIPS Act also authorized Department of Commerce (DOC), Department of Defense (DoD), and Department of State (DOS) the authority to waive certain regulations to expedite the development of onshore domestic manufacturing of semiconductors critical to U.S. competitiveness and national security. The Act also includes safeguards to ensure that companies that receive Federal funds from the Act cannot use those funds to build advanced semiconductor production facilities in countries that present a national security threat to the US.  When announcing the Act, congress noted that only 12% of chips are currently manufactured domestically, compared to 37% in the 1990s.

Other specific provisions of the Act included:
• $39 billion in immediate financial assistance to build, expand, or modernize domestic facilities and equipment for semiconductor fabrication
• $11 billion for DOC research and development.
• $2 billion for the DoD to implement the Microelectronics Commons, a national network for onshore, university-based prototyping, lab-to-fab transition of semiconductor technologies
• Waivers of certain environmental and other regulatory requirements necessary to construct and operate new semiconductor fabrication facilities

Skilled Labor 
While supplies of REEs and advanced semiconductors are crucial to the USDIB, a skilled workforce in manufacturing remains the most essential component of the defense supply chain. The USDIB is experiencing a severe shortage of qualified manufacturing professionals, from engineers to machinists. Several factors contribute to this challenge, including an aging workforce and insufficient training pipelines for specialized defense roles. This talent gap not only hampers production schedules but also slows innovation.

Today, the manufacturing sector is not a top choice for the newest generation of workers. Just 14% of Gen Zers say they would consider a career in manufacturing, because of expectations of: low pay and dangerous work conditions. Their disinterest has resulted in a rapidly aging workforce. About 51% of manufacturing jobs are held by employees ages 45-65 or older (Clear Company, manufacturing-workforce-trends-development-strategies, 2025).

There are some near-term solutions to this problem. Employers can establish apprenticeship programs in collaboration with local technical schools to build a pipeline of future talent. These programs are increasingly recognized as critical for addressing the workforce shortages in defense manufacturing. The Department of Defense's Manufacturing Education and Workforce Development (M-EWD) Program, for instance, collaborates with industry stakeholders to create skilled professionals who are equipped to meet the demands of advanced manufacturing. This initiative focuses on bridging the gap between educational systems and real-world manufacturing needs.  Also, ensuring that workers are prepared for the technology-driven advancements in defense sectors such as artificial intelligence, robotics, and advanced materials. This proactive approach not only helps close the skills gap but also strengthens the pipeline of human capital for middle market defense companies by providing students with valuable, career-oriented training in high-demand fields. Employers can partner with higher education institutions to create specialized training initiatives tailored to defense sector needs. Such partnerships are essential for ensuring that the talent entering the defense industry has the precise skills required for the evolving technological landscape. The Aerospace Industries Association (AIA) plays a leading role in advocating for the development of specialized training, reskilling, and educational programs that align with the needs of the defense industry. By working with colleges and universities, defense companies can ensure that curricula are closely aligned with current and future technological demands, such as cybersecurity, artificial intelligence, and aerospace engineering. These initiatives also help cultivate a more adaptable workforce, equipped to handle the rapid pace of innovation in the sector.

Weapons Manufacturing Capacity
In 2024, the Center for Strategic & International Studies (CSIS) reported that China’s defense industrial base is operating on a wartime footing, while the U.S. defense industrial base is largely operating on a peacetime footing. The report went on to state that “the U.S. defense industrial ecosystem lacks the capacity, responsiveness, flexibility, and surge capability to meet the U.S. military’s production and warfighting needs.” Unless there are urgent changes, the United States risks weakening deterrence and undermining its warfighting capabilities. China is heavily investing in munitions and acquiring high-end weapons systems and equipment five to six times faster than the United States. China is also the world’s largest shipbuilder and has a shipbuilding capacity that is roughly 200 times larger than the United States. According to the CSIS 2024 report, China’s largest shipyard, Jiangnan, has more capacity than all U.S. shipyards combined.

While the pandemic was not the only cause of this problem, it was certainly a catalyst. Lockdowns and business closures set off supply chain disruptions that led to a 43% decline in all US manufacturing output and a 38% drop in hours worked, the largest since World War II, and manufacturers were forced to lay off their employees. Some of the 1.4 million workers across all sectors, who lost their jobs left permanently, whether they retired early, began working in a different industry, or left the workforce for other reasons.

In the years since, US manufacturing has had an impressive recovery. The industry has added nearly 800,000 jobs since 2021. According to the National Association of Manufacturers (NAM) Manufacturers’ Outlook Survey, companies’ optimism about their future is rising. Even with growth, manufacturing still anticipates a long struggle with the talent shortage. Despite the addition of so many jobs, almost 550,000 are currently vacant, and research from Deloitte and The Manufacturing Institute indicates that this number will increase. An estimated four million manufacturing employees will be needed by 2030 in the US.

What This Means for Middle-Market Defense Contractors
From our vantage point as M&A bankers in the middle market of the aerospace & defense industry, we have a unique view.  We can see what is happening in real-time in the supply chain.  We hear from the owners of these companies - what keeps them up at night.  And we hear from the buyers of these companies - what opportunities they see and why they are making substantial investments.

The Risks
There are three risks facing the middle market of the USDIB that we keep hearing:
• First, China is the biggest single threat to the US, not just terms of the risk of kinetic attack, but moreover in terms of non-kinetic warfare, including but not limited to the disruption of critical supply chains.
• Second, behind ‘China Risk’, is the risk of an aging USDIB manufacturing workforce
• Third, is the lack of investment into USDIB manufacturing infrastructure for decades

The Opportunity
While the risks facing the USDIB are substantial, the opportunity facing the middle market of the USDIB is even greater.  Today, we are hearing repeatedly and loudly, especially from active buyers in the sector, the following:
• Manufacturing throughout the USDIB will experience a significant resurgence over the next 3-5 years, in terms of demand from the Department of Defense, the influx of new workers, and the flow of investment capital.

By Bruce Andrews, Partner and Troy Medeiros, Vice President, Alderman And Company
Leave a comment

CISA Partners with ASD’s ACSC, CCCS, NCSC-UK, and Other International and US Organizations to Release Guidance on Edge Devices

Agency News, Cyber Security CII sector, Industry News
CISA—in partnership with international and U.S. organizations—released guidance to help organizations protect their network edge devices and appliances, such as firewalls, routers, virtual private networks (VPN) gateways, Internet of Things (IoT) devices, internet-facing servers, and internet-facing operational technology (OT) systems.
The published guidance is as follows:
- “Security Considerations for Edge Devices,” led by the Canadian Centre for Cyber Security (CCCS), a part of the Communications Security Establishment Canada.
- “Digital Forensics Monitoring Specifications for Products of Network Devices and Applications,” led by the United Kingdom’s National Cyber Security Centre (NCSC-UK).
- “Mitigation Strategies for Edge Devices: Executive Guidance” and “Mitigation Strategies for Edge Devices: Practitioner Guidance,” two separate guides led by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC).
Foreign adversaries routinely exploit software vulnerabilities in network edge devices to infiltrate critical infrastructure networks and systems. The damage can be expensive, time-consuming, and reputationally catastrophic for public and private sector organizations. These guidance documents detail various considerations and strategies for a more secure and resilient network both before and after a compromise.
CISA and partner agencies urge device manufacturers and critical infrastructure owners and operators to review and implement the recommended actions and mitigations in the publications. Device manufacturers, please visit CISA’s Secure by Design page for more information on how to align development processes with the goal of reducing the prevalence of vulnerabilities in devices. Critical infrastructure owners and operators, please see Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products for guidance on procuring secure products.
Leave a comment

Groundbreaking Framework for the Safe and Secure Deployment of AI in Critical Infrastructure Unveiled by Department of Homeland Security

Industry News
The Department of Homeland Security (DHS) has released a set of recommendations for the safe and secure development and deployment of Artificial Intelligence (AI) in critical infrastructure, the “Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure” (“Framework”). This first-of-its kind resource was developed by and for entities at each layer of the AI supply chain: cloud and compute providers, AI developers, and critical infrastructure owners and operators – as well as the civil society and public sector entities that protect and advocate for consumers. The Artificial Intelligence Safety and Security Board (“Board”), a public-private advisory committee established by DHS Secretary Alejandro N. Mayorkas, identified the need for clear guidance on how each layer of the AI supply chain can do their part to ensure that AI is deployed safely and securely in U.S. critical infrastructure. This product is the culmination of considerable dialogue and debate among the Board, composed of AI leaders representing industry, academia, civil society, and the public sector. The report complements other work carried out by the Administration on AI safety, such as the guidance from the AI Safety Institute, on managing a wide range of misuse and accident risks.
America’s critical infrastructure – the systems that power our homes and businesses, deliver clean water, allow us to travel safely, facilitate the digital networks that connect us, and much more – is vital to domestic and global safety and stability. These sectors are increasingly deploying AI to improve the services they provide, build resilience, and counter threats. AI is, for example, helping to quickly detect earthquakes and predict aftershocks, prevent blackouts and other electric-service interruptions, and sort and distribute mail to American households. These uses do not come without risk, and vulnerabilities introduced by the implementation of this technology may expose critical systems to failures or manipulation by nefarious actors. Given the increasingly interconnected nature of these systems, their disruption can have devastating consequences for homeland security.
“AI offers a once-in-a-generation opportunity to improve the strength and resilience of U.S. critical infrastructure, and we must seize it while minimizing its potential harms. The Framework, if widely adopted, will go a long way to better ensure the safety and security of critical services that deliver clean water, consistent power, internet access, and more,” said Secretary Alejandro N. Mayorkas. “The choices organizations and individuals involved in creating AI make today will determine the impact this technology will have in our critical infrastructure tomorrow. I am grateful for the diverse expertise of the Artificial Intelligence Safety and Security Board and its members, each of whom informed these guidelines with their own real-world experiences developing, deploying, and promoting the responsible use of this extraordinary technology. I urge every executive, developer, and elected official to adopt and use this Framework to help build a safer future for all.”
If adopted and implemented by the stakeholders involved in the development, use, and deployment of AI in U.S. critical infrastructure, this voluntary Framework will enhance the harmonization of and help operationalize safety and security practices, improve the delivery of critical services, enhance trust and transparency among entities, protect civil rights and civil liberties, and advance AI safety and security research that will further enable critical infrastructure to deploy emerging technology responsibly. Despite the growing importance of this technology to critical infrastructure, no comprehensive regulation currently exists.
DHS identified three primary categories of AI safety and security vulnerabilities in critical infrastructure: attacks using AI, attacks targeting AI systems, and design and implementation failures. To address these vulnerabilities, the Framework recommends actions directed to each of the key stakeholders supporting the development and deployment of AI in U.S. critical infrastructure as follows:
• Cloud and compute infrastructure providers play an important role in securing the environments used to develop and deploy AI in critical infrastructure, from vetting hardware and software suppliers to instituting strong access management and protecting the physical security of data centers powering AI systems. The Framework encourages them to support customers and processes further downstream of AI development by monitoring for anomalous activity and establishing clear pathways to report suspicious and harmful activities.
• AI developers develop, train, and/or enable critical infrastructure to access AI models, often through software tools or specific applications. The Framework recommends that AI developers adopt a Secure by Design approach, evaluate dangerous capabilities of AI models, and ensure model alignment with human-centric values. The Framework further encourages AI developers to implement strong privacy practices; conduct evaluations that test for possible biases, failure modes, and vulnerabilities; and support independent assessments for models that present heightened risks to critical infrastructure systems and their consumers.
• Critical infrastructure owners and operators manage the secure operations and maintenance of key systems, which increasingly rely on AI to reduce costs, improve reliability and boost efficiency. They are looking to procure, configure, and deploy AI in a manner that protects the safety and security of their systems. The Framework recommends a number of practices focused on the deployment-level of AI systems, to include maintaining strong cybersecurity practices that account for AI-related risks, protecting customer data when fine-tuning AI products, and providing meaningful transparency regarding their use of AI to provide goods, services, or benefits to the public. The Framework encourages critical infrastructure entities to play an active role in monitoring the performance of these AI systems and share results with AI developers and researchers to help them better understand the relationship between model behavior and real-world outcomes.
• Civil society, including universities, research institutions, and consumer advocates engaged on issues of AI safety and security, are critical to measuring and improving the impact of AI on individuals and communities. The Framework encourages civil society’s continued engagement on standards development alongside government and industry, as well as research on AI evaluations that considers critical infrastructure use cases. The Framework envisions an active role for civil society in informing the values and safeguards that will shape AI system development and deployment in essential services.
• Public sector entities, including federal, state, local, tribal, and territorial governments, are essential to the responsible adoption of AI in critical infrastructure, from supporting the use of this technology to improve public services to advancing standards of practice for AI safety and security through statutory and regulatory action. The United States is a world leader in AI; accordingly, the Framework encourages continued cooperation between the federal government and international partners to protect all global citizens, as well as collaboration across all levels of government to fund and support efforts to advance foundational research on AI safety and security.
President Biden directed Secretary Mayorkas to establish the Board to advise the Secretary, the critical infrastructure community, other private sector stakeholders, and the broader public on the safe and secure development and deployment of AI technology in our nation’s critical infrastructure. Secretary Mayorkas convened the Board for the first time in May 2024, and Board Members identified a number of issues impacting the safe use and deployment of this technology, including: the lack of common approaches for the deployment of AI, physical security flaws, and a reluctance to share information within industries.
The Framework is designed to help address these concerns and complements and advances existing guidance and analysis from the White House, the AI Safety Institute, the Cybersecurity and Infrastructure Security Agency, and other federal partners.
“Ensuring the safe, secure, and trustworthy development and use of AI is vital to the future of American innovation and critical to our national security. This new Framework will complement the work we’re doing at the Department of Commerce to help ensure AI is responsibly deployed across our critical infrastructure to help protect our fellow Americans and secure the future of the American economy.” – Secretary of Commerce, Gina Raimondo
“The Framework correctly identifies that AI systems may present both opportunities and challenges for critical infrastructure. Its developer-focused provisions highlight the importance of evaluating model capabilities, performing security testing, and building secure internal systems. These are key areas for continued analysis and discussion as our understanding of AI capabilities and their implications for critical infrastructure continues to evolve.” – Dario Amodei, CEO and Co-Founder, Anthropic
“I would like to thank the Board for their leadership in developing this important Framework and appreciate the opportunity to provide input that reflects critical infrastructure needs. AI holds the promise to create significant opportunities for our world, but we must ensure the technology is deployed thoughtfully and responsibly. The Framework, developed through countless hours of collaboration and negotiation, provides a foundation for how business, government, and all segments of our society can work together to enhance accountability, integration, and cooperation. I’m looking forward to continued work with our partners in this effort.” – Ed Bastian, CEO, Delta Air Lines
“The AI Roles and Responsibilities Framework promotes collaboration among all key stakeholders with a goal of establishing clear guidelines that prioritize trust, transparency and accountability — all essential elements in harnessing AI’s enormous potential for innovation while safeguarding critical services. Salesforce is committed to humans and AI working together to advance critical infrastructure industries in the U.S. We support this framework as a vital step toward shaping the future of AI in a safe and sustainable manner.” – Marc Benioff, Chair and CEO, Salesforce
“Humane Intelligence fully endorses the ‘Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure,’ developed by the AI Safety and Security Board. This comprehensive framework offers essential guidance for the responsible and secure use of AI across the United States. As an organization dedicated to advancing safe and ethical AI practices, we believe the voluntary responsibilities outlined are crucial steps toward enhancing the safety, security, and trustworthiness of AI systems. By addressing five key roles – cloud and compute infrastructure providers, AI developers, critical infrastructure owners and operators, civil society, and the public sector – the Framework thoughtfully recognizes the diverse stakeholders involved in safeguarding our nation’s critical infrastructure. The emphasis on securing environments, driving responsible model and system design, implementing data governance, ensuring safe and secure deployment, and monitoring performance and impact aligns closely with our mission. We commend the AI Safety and Security Board for providing clear technical and process recommendations that will help ensure AI systems not only function effectively but also serve the public good in a safe and ethical manner. Humane Intelligence is committed to supporting these principles and will continue working with partners across sectors to promote the responsible development and deployment of AI in critical infrastructure.” – Dr. Rumman Chowdhury, CEO & Co-founder, Humane Intelligence
“This Framework recognizes that proper governance of AI in the critical infrastructure ecosystem is a multistakeholder endeavor. If companies, governments, and NGOs embrace the voluntary roles and responsibilities this Framework envisions, deployment of AI in critical infrastructure is more likely to protect security, privacy, civil rights, and civil liberties than would otherwise be the case.” – Alexandra Reeve Givens, President and CEO, Center for Democracy & Technology
“Artificial intelligence has incredible potential to create efficiencies and innovations, and this Framework takes a thoughtful approach to balancing those opportunities with the risks and challenges it creates. Partnership and collaboration between the public and private sectors will be critical as we work to incorporate these advances into infrastructure and services while also taking steps to mitigate potential harm. This Framework represents an important step towards fostering accountability, safety, and security while embracing this technology and the future.” – Bruce Harrell, Mayor of Seattle
“We are pleased that the Roles and Responsibilities Framework prioritizes civil rights to ensure the equitable deployment of AI. The Framework reflects an understanding that in order for our nation’s critical infrastructure to be best protected, AI must first be safe and effective. That starts with ensuring that all applications of AI both defend and promote equal opportunity. The DHS Framework makes significant progress toward meeting those goals.” – Damon Hewitt, President and Executive Director, Lawyers’ Committee for Civil Rights Under Law
“We are proud to be part of the U.S. Department of Homeland Security’s AI Safety and Security Board to develop a Framework that will help encourage the responsible use of AI in the energy industry while ensuring critical infrastructure is protected from cyber threats. With our companywide focus on safety, resilience, and driving innovation, we plan to adopt the Framework in the relevant aspects of our business to promote the further integration of advanced AI technologies in support of sustainable energy development.” – Vicki Hollub, President and CEO, Occidental Petroleum
“As we move into the AI era, our foremost responsibility is ensuring these technologies are safe and beneficial. The DHS AI Framework provides guiding principles that will help us safeguard society, and we support this effort.” – Jensen Huang, Founder and CEO, NVIDIA
“The DHS Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure is a powerful tool to help guide the responsible deployment of AI across America’s critical infrastructure and IBM is proud to support its development. We look forward to continuing to work with the Department to promote shared and individual responsibilities in the advancement of trusted AI systems.” – Arvind Krishna, Chairman and CEO, IBM
“Academia and civil society are vital to deploying AI in critical infrastructure safely. This is a crucial, nonpartisan issue with profound impacts on the nation’s well-being. This Framework reaffirms the commitment to security, transparency, and public trust. Through rigorous research and cross-sector collaboration, we can help create a resilient AI ecosystem that prioritizes the public good.” – Fei-Fei Li, Ph.D., Co-Director, Stanford Human-centered Artificial Intelligence Institute
“Artificial Intelligence technology is already here. The only question is whether we choose to be proactive or reactive when it comes to leveraging the benefits of AI and guarding against vulnerabilities. I applaud the Biden-Harris Administration and the work of the U.S. Department of Homeland Security’s AI Safety and Security Board for their commitment to seizing this moment and putting forth a responsible Framework that will benefit the American people. In partnership, Maryland will continue to work with federal leaders to unlock the power of innovation so we can deliver real results for our communities.” – Wes Moore, Governor of Maryland
“Technology must be built on a foundation of integrity at the highest levels, and DHS’s Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure will ensure the public and private sectors work closely together to enable AI solutions that are secure, reliable, and trustworthy. As a leader in networking and security that will connect and protect the responsible AI revolution, Cisco is proud to have contributed to the Framework alongside important government, industry, and civil society partners. We look forward to supporting the efforts by Secretary Mayorkas and the Department of Homeland Security.” – Chuck Robbins, Chair and CEO, Cisco; Chair, Business Roundtable
“The collaboration between government, industry, and civil society organizations proved beneficial in establishing the DHS ‘Roles and Responsibilities Framework for AI in Critical Infrastructure’ to protect the nation’s assets. The Framework lays out principles for safe and secure AI that averts anticipated and unforeseen risks, and places equal importance on the preservation of civil and human rights for the people and communities impacted by emerging technologies. The Board’s intention to harmonize these goals is a promising first step in the future application and adherence to the Framework.” – Nicol Turner Lee, Ph.D., Senior Fellow and Director of the Center for Technology Innovation, Brookings Institution
“The use of AI in critical infrastructure merits strong measures to prevent harm and ensure everyone has equal access to information, goods, and services. DHS’s outlining of stakeholders’ roles and responsibilities is an important first step to protecting everyone in the U.S. from discrimination in the deployment of AI systems in our nation’s infrastructure.” – Maya Wiley, President and CEO, The Leadership Conference on Civil and Human Rights
DHS is responsible for the overall security and resilience of the nation’s critical infrastructure, which hundreds of millions of Americans rely on every day to light their homes, conduct business, exchange information, and put food on the table. In the 2025 Homeland Threat Assessment, the Department advised that domestic and foreign adversaries will continue to threaten the integrity of our nation’s critical infrastructure due to the cascading impacts on U.S. industries and our standard of living. These threats range from, but are not limited to, the use of AI to span or scale physical attacks; targeted attacks on AI systems supporting critical infrastructure; and failures in AI design and implementation that affect critical infrastructure operations.
Leave a comment

CISA and US and International Partners Publish Guidance on Priority Considerations in Product Selection for OT Owners and Operators

Agency News, Cyber Security CII sector, Industry News
CISA—along with U.S. and international partners—released joint guidance Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products. As part of CISA’s Secure by Demand series, this guidance focuses on helping customers identify manufacturers dedicated to continuous improvement and achieving a better cost balance, as well as how Operational Technology (OT) owners and operators should integrate secure by design elements into their procurement process.
Critical infrastructure and industrial control systems are prime targets for cyberattacks. The authoring agencies warn that threat actors, when compromising OT components, target specific OT products rather than specific organizations. Many OT products are not designed and developed with Secure by Design principles and often have easily exploited weaknesses. When procuring products, OT owners and operators should select products from manufacturers who prioritize security elements identified in this guidance.
For more information on questions to consider during procurement discussions, see CISA’s Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem. To learn more about secure by design principles and practices, visit Secure by Design.
Leave a comment

Improving Interoperability for EU Joint Civil Protection Actions

Industry News
TIEMS team in the FIRE – RES EU project has developed an Opinion Paper on “Improving Interoperability for EU Joint Civil Protection Actions”.
This Opinion Paper aims to initiate discussions to improve interoperability among EU Civil Protection organizations. By leveraging insights from the experience of TIEMS members, previous TIEMS projects, and initial findings from the FIRE-RES project, this presentation highlights the need for a comprehensive approach to enhancing coordination, communication, and collaboration across national borders in Europe.
Interoperability among EU Civil Protection organizations is essential for effective disaster response and resilience. The ability of different national systems to work together seamlessly ensures timely and coordinated efforts during emergencies, ultimately saving lives and resources. While each nation has developed its own protocols and structures, the growing frequency and complexity of cross-border emergencies necessitate a more integrated approach.
The EU Host Nation Support (HNS) guidelines provide a precedent for discussing command and control interoperability. These guidelines have established a framework for receiving and providing assistance during disasters, highlighting the importance of standardized procedures and cooperation among EU member states (UCP Knowledge Network). Similarly, this opinion paper advocates for a framework to enhance interoperability in civil protection, with a focus on command and control, leveraging insights from various EU Projects, TIEMS research and experience, and recent efforts such as FIRE-RES.
Objective: The primary objective of this opinion paper is to emphasize the need for a comprehensive roadmap to enhance command and control interoperability among EU Civil Protection organizations. While not a direct deliverable of the FIRE-RES project, the findings and experiences from FIRE-RES are highly applicable to this initiative and further support the previous research and projects by TIEMS. By identifying key issues and presenting relevant research and project findings, this paper aims to:
• Highlight the importance of interoperability in civil protection.
• Identify the challenges and opportunities related to interoperability.
• Propose the development of a detailed roadmap to address these challenges and leverage opportunities.
A next step would be the creation of a project under the EU framework that tackles interoperability through in-depth analysis and collaborative efforts, much like the development of the HNS guidelines. This approach would focus on the people, systems, and structures surrounding civil protection response, ensuring a robust and coordinated effort across the EU.
Insights from FIRE-RES
b The FIRE-RES project, funded under the European Union’s Horizon 2020 research and innovation program, aims to develop innovative solutions for creating fire-resilient territories across Europe. The project addresses extreme wildfire events (EWEs), which pose significant environmental, economic, and social threats. FIRE-RES integrates research, technology, civil protection, policy, and governance to innovate processes, methods, and tools for effective fire management.
Key Findings: The insights from the FIRE-RES project highlight several critical aspects that are relevant to developing command and control interoperability within EU Civil Protection systems:
• Multi-Actor Collaboration: Effective disaster management requires collaboration among multiple actors across different levels and sectors. FIRE-RES demonstrated the importance of engaging diverse stakeholders in planning and implementing fire management strategies. This involves fostering partnerships between public and private entities, enhancing the role of local communities, and ensuring that all relevant actors are equipped with the necessary knowledge and resources. Translating this to command and control interoperability, it is essential to establish clear communication channels and collaborative frameworks that include all relevant stakeholders in emergency response planning and execution.
• Capacity Building and Knowledge Sharing: One of the significant achievements of FIRE-RES is its emphasis on capacity building and knowledge sharing. By raising awareness and promoting education on wildfire risk prevention, preparedness, and response, the project enhances the overall capacity of involved stakeholders. Applying this to command and control systems, ongoing training programs, workshops, and the development of best practices are crucial for building a common understanding and operational proficiency among different national and regional command centers.
• Human Capital Development: The FIRE-RES training event in Valabre (April 2024) highlighted that, on a human capital level, nations have personnel capable of greater integration into command and control structures but lack the experience and opportunity to do so. For command and control interoperability, it is vital to develop the skills and experiences necessary for personnel to integrate seamlessly into broader, multi-national command frameworks. This includes creating opportunities for joint exercises and shared experiences that build trust and operational coherence.
These insights from the FIRE-RES project underscore the importance of a comprehensive approach to interoperability that includes not just technical solutions, but also organizational, procedural, and community-based strategies. They provide a valuable foundation for developing a roadmap aimed at improving interoperability among EU Civil Protection organizations.
Challenges and Opportunities
Identified Challenges: The FIRE-RES project has uncovered several significant challenges to achieving interoperability among EU Civil Protection organizations. These challenges highlight the complexities and barriers that need to be addressed to enhance cross-border cooperation effectively.
• Communication Barriers: Different communication protocols and languages used by various national civil protection agencies create significant barriers to effective collaboration. These differences can lead to misunderstandings and delays in response efforts during emergencies.
• Coordination Difficulties: Variations in command structures and decision-making processes across countries pose challenges to unified operations. Each country has its own established procedures and hierarchies, which can complicate efforts to coordinate a cohesive response during transnational emergencies.
• Administrative and Procedural Incompatibilities: Diverse administrative practices and procedural norms among EU member states further hinder interoperability. These incompatibilities can result in inefficiencies and slow down the mobilization of resources and personnel across borders, hampering overall command and control integration in the host nation.
Opportunities: Despite these challenges, there are numerous opportunities to enhance interoperability, as demonstrated by the FIRE-RES project and other EU, TIEMS, and research initiatives.
• Standardizing Procedures: Developing common procedures and protocols for emergency response can significantly enhance interoperability, while still appreciating the national structures and legislation. Standardization efforts could include creating unified guidelines for communication, resource allocation, and operational coordination, similar to the EU Host Nation Support (HNS) guidelines. In fact the EU Host Nation Support guidelines provide a good example of development of format of command and control guidelines (UCP Knowledge Network).
• Improving Communication Frameworks: Establishing robust communication frameworks that support multiple languages and protocols can bridge communication gaps. This could involve adopting interoperable communication technologies and platforms that enable real-time information sharing among different agencies (FIRE RES) (FIRE RES) (Research EU).
• Enhancing Collaborative Training Programs: Joint training programs and exercises are crucial for building trust and operational familiarity among different national teams. These programs can simulate cross-border emergency scenarios, but focus on command and control interoperability, allowing agencies to practice and refine their coordination and communication strategies (Research EU) (European Research Executive Agency). For example, the practicing of personnel exchange in command and control systems and simulations to address functional aspects of command and control interoperability.
• Promoting Capacity Building and Partnership Brokerage: Capacity building initiatives, such as training and educational programs, can equip stakeholders with the skills and knowledge needed for effective collaboration. Additionally, fostering partnerships between civil protection organizations with a focus on command and control, enhances overall preparedness and response capabilities.
By addressing these challenges and leveraging the opportunities identified, EU Civil Protection organizations can significantly improve their command and control interoperability at a functional level in personnel and systems. This will not only enhance their ability to respond to cross-border emergencies but also strengthen overall disaster resilience across the region, while not forcing investment in equipment, new technologies, or infrastructure.
Elements of Command and Control Interoperability
Overview: Command and Control Interoperability in the context of EU Civil Protection organizations encompasses various potential elements that enable different national systems to work together effectively during emergencies. These characteristics are well-documented globally and offer a foundation for developing interoperability frameworks tailored to the EU’s unique architecture and needs.
• Span of Control: Effective management and coordination of resources during emergencies require a clear span of control. This principle ensures that each supervisor oversees a manageable number of subordinates, facilitating efficient decision-making and communication. Adopting a standardized span of control can streamline operations and enhance response capabilities during large-scale emergencies.
• Unified Command: A unified command structure is essential for coordinated decision-making during emergencies. This structure allows multiple agencies to operate under a single, cohesive command, ensuring that all efforts are aligned, and resources are utilized efficiently. Unified command helps eliminate confusion and duplication of efforts, which is particularly important in cross-border emergency scenarios.
• Joint Training and Exercises: Regular, collaborative training programs and exercises are crucial for building trust and operational familiarity among different national teams. These activities allow agencies to practice and refine their coordination and communication strategies in simulated emergency scenarios. Joint training helps identify and address potential interoperability issues before they arise in real-world situations.
• Common Terminology and Procedures: Standardized language and procedures ensure clarity and consistency in communication and operations. By adopting common terminology and standardized procedures, EU Civil Protection agencies can reduce misunderstandings and enhance their ability to work together seamlessly. This element is particularly important for ensuring that all agencies understand each other’s roles, responsibilities, and actions during emergencies.
• Resource Sharing and Mutual Aid: Agreements and mechanisms for sharing resources across borders are vital for effective emergency response. These arrangements allow countries to provide and receive assistance quickly, ensuring that critical resources are available where and when they are needed. Resource sharing and mutual aid agreements enhance the collective capacity of EU Civil Protection organizations to manage large-scale emergencies.
Best Practice Example:
• Joint Drills and Integrated Response Scenarios: The FIRE-RES project has highlighted the importance of joint drills and integrated response scenarios. These activities allow agencies to test and improve their interoperability in realistic settings, identifying strengths and areas for improvement. In terms of command-and-control interoperability, this would be an ideal point to integrate personnel in functional areas in order to create interoperability at the individual level within a command and control structure. Exemplified by the training event in Valabre, France where integrated response scenarios integrated personal from different civil protection structures. The training event provided a platform for the exchange of personnel between civil protection system, fostering realistic learning and collaboration against the backdrop of an integrated response scenario.
Tailoring to the EU Architecture: It is important to note that while these elements and best practices are globally recognized, it is crucial to define and adapt them to fit the specific needs and architecture of the EU. The diversity of administrative structures, legal frameworks, and operational procedures across EU member states necessitates a tailored approach to interoperability. Developing a detailed roadmap and project focused on these tailored solutions will ensure that interoperability efforts are practical, effective, and sustainable within the EU context.
By understanding and implementing these potential elements, and customizing them to the EU’s unique context, EU Civil Protection organizations can significantly enhance their interoperability, ensuring a more coordinated and effective response to emergencies across national borders.
Potential Framework for Harmonization and Interoperability
Strategic Approach: To enhance command and control interoperability across EU Civil Protection systems, a strategic and collaborative approach is essential. Drawing lessons from existing initiatives like the EU Host Nation Support (HNS) guidelines, there is significant potential to develop a framework that aligns the diverse structures and processes of EU member states, enhancing cooperation and coordination.
Role of Interoperability: Interoperability is crucial for effective disaster response, enabling different national systems to work together seamlessly. It enhances the capacity to respond to cross-border emergencies, reduces redundancy, and maximizes resource use. A coordinated response ensures timely and efficient actions, ultimately saving lives and minimizing damage. Interoperability is being addressed through various initiatives, such as FIRE-RES, however command and control interoperability remains extant.
Pathways for Developing a Framework: Several pathways can be considered for developing a potential framework for interoperability:
• Command and Control Guidelines (Best Practices): Mirroring the EU HNS Guidelines effort, there is a need to develop and adopt a set of “best practices” or guidelines for command and control during response that all EU member states can follow. This includes understanding functional areas, aspects of incident management, resource allocation processes, and operational coordination mechanisms. Such standardization would facilitate smoother cooperation during cross-border emergencies, and specifically drive interoperability at depth to the personnel level.
• Interoperable Communication Systems: Establishing interoperable communication systems is vital for real-time information sharing among different agencies. This could involve adopting compatible technologies and platforms that support multiple languages and communication protocols, ensuring that all parties remain informed and coordinated during an emergency.
• Joint Training and Exercises: Implementing joint training programs and exercises that involve multiple national teams is crucial. These activities help build trust, operational familiarity, and a better understanding of each other’s capabilities and procedures. Regular exercises will also identify potential interoperability issues and allow for the development of solutions in a controlled environment.
• Legislative and Policy Alignment: Where applicable, harmonizing laws and policies related to civil protection and emergency management across the EU will provide a consistent legal framework that supports standardized procedures and facilitates cross-border cooperation. Legislative alignment ensures that all member states have compatible policies for resource sharing, mutual aid, and operational coordination.
Example: The development of the EU HNS guidelines serves as an exemplary model for the potential to create a framework for interoperability. Just as the HNS guidelines standardized procedures for receiving and providing assistance during disasters, a similar framework could outline standardized procedures and policies to enhance coordination and cooperation in civil protection efforts.
By pursuing these pathways and aligning them with the specific needs and contexts of EU member states, there is substantial potential to develop a framework that enables more effective and coordinated disaster response efforts. This strategic approach will ensure that EU Civil Protection organizations can work together seamlessly, enhancing resilience and reducing the impact of emergencies across the region.
What’s Next? Develop a Conceptual Way Ahead (Initial Roadmap)
To begin the conversation about developing command and control operability, an initial roadmap can be developed that can frame the problem and way ahead. However, a full comprehensive roadmap is required to understand the full complexity of the interoperability issue. A full and comprehensive roadmap requires funding and personnel to develop properly, and EU endorsement to provide the appropriate authority. A comprehensive roadmap will serve as a strategic guide, outlining the necessary steps, milestones, and resources required to create a framework that fosters coordination, communication, and collaboration across national borders.
Developing a detailed roadmap is essential for several reasons. First, a roadmap clarifies the role of command and control interoperability, creating a unified strategy that addresses common challenges and goals. By developing a roadmap towards command and control interoperability, there are opportunities to reduce redundancy and identify commonality amongst other EU projects. Second, a roadmap maximizes the use of available resources by identifying and prioritizing critical areas for development. This helps to ensure that funds and efforts are directed towards the most impactful initiatives, enhancing the overall effectiveness of a project to develop command and control interoperability.
A full roadmap also establishes clear milestones and performance indicators to track progress and ensure accountability throughout the implementation process. Clear milestones provide a timeline for achieving specific goals, making it easier to measure success and make adjustments as needed. Additionally, engaging all relevant stakeholders in the development and implementation process ensures broad support and participation. By involving stakeholders from the beginning, the roadmap can reflect a wide range of perspectives and expertise, enhancing its relevance and effectiveness.
A comprehensive roadmap would include several critical components. It would begin with a comprehensive assessment of current interoperability capabilities, aligning with international standards and best practices. This initial phase would involve engaging stakeholders through consultations and workshops to gather input and ensure alignment with national priorities. By understanding the current state and desired outcomes, the roadmap can be tailored to address specific needs and challenges to achieve command and control interoperability.
By committing to the development and implementation of this roadmap, EU Civil Protection organizations can ensure they are better equipped to respond to emergencies in a coordinated and effective manner. This strategic approach will lead to the creation of a robust and resilient civil protection framework that can effectively address the complexities of modern disaster response. The roadmap will provide a shared vision and actionable plan, fostering collaboration and enhancing the collective capacity to manage cross-border emergencies.
After the Roadmap
The next phase would involve developing non-binding guidelines that outline standardized procedures and protocols for interoperability. These guidelines would be customized to address the specific needs and contexts of EU member states, ensuring relevance and applicability. Additionally, training programs would be developed to support the implementation of these guidelines, providing civil protection agencies with the knowledge and skills needed to effectively collaborate across borders and effectively integrate into other command and control structures.
The development of the EU Host Nation Support (HNS) guidelines serves as an exemplary model for creating a framework for interoperability. Just as the HNS guidelines standardized procedures for receiving and providing assistance during disasters, an interoperability roadmap would outline standardized procedures and policies to enhance coordination and cooperation in civil protection efforts.
Pilot projects would be implemented to test the proposed solutions and frameworks in real-world scenarios. These pilot projects would provide valuable insights into the effectiveness of the guidelines and training programs, allowing for data collection and feedback to refine and improve the approach. By evaluating the success of these pilots, adjustments can be made to ensure the framework is robust and effective.
Following the pilot phase, the interoperability framework would be rolled out across all EU member states. This full-scale implementation would involve providing ongoing support and resources to facilitate adoption and ensure success. A feedback mechanism would be established to gather input from the field, allowing for continuous improvement of the framework based on real-world experiences.
Ensuring the long-term commitment to interoperability would require securing funding and resources to support ongoing efforts. Integrating the interoperability framework with other relevant EU initiatives and international organizations would ensure alignment and synergy, enhancing the overall impact of the efforts.
Conclusion
Interoperability among EU Civil Protection organizations is not just a desirable goal but an essential requirement for effective disaster response and resilience. As cross-border emergencies become increasingly frequent and complex, the ability of different national systems to work together seamlessly is crucial. The insights from TIEMS and findings from the FIRE-RES project highlight significant challenges and opportunities in achieving command and control interoperability, emphasizing the need for a coordinated and strategic approach.
The proposed development of a comprehensive roadmap represents a vital step towards enhancing interoperability. This roadmap will serve as a strategic guide, outlining the necessary steps, milestones, and resources required to foster coordination, communication, and collaboration across national borders. By aligning strategies, maximizing resources, establishing clear milestones, and engaging stakeholders, the roadmap will provide a structured and effective approach to achieving interoperability.
Key components of the roadmap will include a comprehensive assessment of current capabilities, the development of non-binding guidelines and customized training programs, the implementation and evaluation of pilot projects, and the full-scale rollout of the interoperability framework. Ensuring long-term commitment and integrating the framework with other relevant initiatives will be crucial for sustained success.
The development of the EU Host Nation Support (HNS) guidelines serves as an exemplary model for creating a framework for interoperability. Just as the HNS guidelines standardized procedures for receiving and providing assistance during disasters, a command and control interoperability roadmap would outline standardized procedures and policies to enhance coordination and cooperation in civil protection effort.
By committing to the development and implementation of this roadmap, EU Civil Protection organizations can significantly enhance their ability to respond to emergencies in a coordinated and effective manner. This strategic approach will lead to the creation of a robust and resilient civil protection framework that can effectively address the complexities of modern disaster response. The roadmap will provide a shared vision and actionable plan, fostering collaboration and enhancing the collective capacity to manage cross-border emergencies.
In conclusion, the journey towards command and control interoperability requires a collective effort, informed by research, guided by strategic planning, and sustained by continuous improvement. By initiating this discussion and committing to the development of a comprehensive roadmap, we can pave the way for a more resilient and cooperative future for EU Civil Protection organizations.
Leave a comment

Artificial Intelligence: DHS Needs to Improve Risk Assessment Guidance for Critical Infrastructure Sectors

Agency News, Cyber Security CII sector, Industry News
Federal agencies with a lead role in protecting the nation's critical infrastructure sectors are referred to as sector risk management agencies. These agencies, in coordination with the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA), were required to develop and submit initial risk assessments for each of the critical infrastructure sectors to DHS by January 2024.
Although the agencies submitted the sector risk assessments to DHS as required, none fully addressed the six activities that establish a foundation for effective risk assessment and mitigation of potential artificial intelligence (AI) risks. For example, while all assessments identified AI use cases, such as monitoring and enhancing digital and physical surveillance, most did not fully identify potential risks, including the likelihood of a risk occurring. None of the assessments fully evaluated the level of risk in that they did not include a measurement that reflected both the magnitude of harm (level of impact) and the probability of an event occurring (likelihood of occurrence). Further, no agencies fully mapped mitigation strategies to risks because the level of risk was not evaluated.
Lead agencies provided several reasons for their mixed progress, including being provided only 90 days to complete their initial assessments. A key contributing factor was that DHS's initial guidance to agencies on preparing the risk assessments did not fully address all the above activities.
Artificial intelligence is complex and evolving. It could be used to improve the systems that operate critical infrastructure, like water and energy. But it could also make them more vulnerable to cyberattacks.
Federal agencies that protect critical infrastructure had to assess AI risks to infrastructure sectors. But the Department of Homeland Security's guidance for assessments didn't have agencies fully measure how much harm an attack could cause or the probability of attacks. This information would help agencies address risks and foster responsible AI use.
DHS and CISA have made various improvements, including issuing new guidance and a revised risk assessment template in August 2024. The template addresses some—but not all—of the gaps that GAO found. Specifically, the new template does not fully address the activities for identifying potential risks including the likelihood of a risk occurring. CISA officials stated that the agency plans to further update its guidance in November 2024 to address the remaining gaps. Doing so expeditiously would enable lead agencies to use the updated guidance for their required January 2025 AI risk assessments.
AI has the potential to introduce improvements and rapidly change many areas. However, deploying AI may make critical infrastructure systems that support the nation's essential functions, such as supplying water, generating electricity, and producing food, more vulnerable. In October 2023, the President issued Executive Order 14110 for the responsible development and use of AI. The order requires lead federal agencies to evaluate and, beginning in 2024, annually report to DHS on AI risks to critical infrastructure sectors.
GAO's report examines the extent to which lead agencies have evaluated potential risks related to the use of AI in critical infrastructure sectors and developed mitigation strategies to address the identified risks. To do so, GAO analyzed federal policies and guidance to identify activities and key factors for developing AI risk assessments. GAO analyzed lead agencies' 16 sector and one subsector risk assessments against these activities and key factors. GAO also interviewed officials to obtain information about the risk assessment process and plans for future templates and guidance.
Recommendations
GAO is recommending that DHS act quickly to update its guidance and template for AI risk assessments to address the remaining gaps identified in this report. DHS agreed with our recommendation and stated it plans to provide agencies with additional guidance that addresses gaps in the report including identifying potential risks and evaluating the level of risk.
Leave a comment

CISA and ONCD Release Playbook for Strengthening Cybersecurity in Federal Grant Programs for Critical Infrastructure

Agency News, Cyber Security CII sector, Industry News
CISA and the Office of the National Cyber Director (ONCD) published Playbook for Strengthening Cybersecurity in Federal Grant Programs for Critical Infrastructure to assist grant-making agencies to incorporate cybersecurity into their grant programs and assist grant-recipients to build cyber resilience into their grant-funded infrastructure projects.
This guide is for federal grant program managers, critical infrastructure owners and operators, and organizations such as state, local, tribal, and territorial governments who subaward grant program funds, and grant program recipients. The guide includes:
- Recommended actions to incorporate cybersecurity into grant programs throughout the grant management lifecycle.
- Model language for grant program managers and sub-awarding organizations to incorporate into Notices of Funding Opportunity (NOFOs) and Terms & Conditions.
- Templates for recipients to leverage when developing a Cyber Risk Assessment and Project Cybersecurity Plan.
- Comprehensive list of cybersecurity resources available to support grant recipient project execution.
CISA encourages organizations to review and apply recommended actions to secure the nation’s critical infrastructure and enhance resilience.
Leave a comment

Future of Cybersecurity: Leadership Needed to Fully Define Quantum Threat Mitigation Strategy

Agency News, Cyber Security CII sector, Industry News
Cryptography is a set of mathematical processes that can "lock," "unlock," or authenticate information. Agencies, banks, utilities, and others rely on cryptography—e.g., data encryption algorithms—to secure systems and data.
Experts predict that a quantum computer capable of breaking such cryptography may exist within 10-20 years.
Various federal entities have developed documents that inform a national strategy for addressing this threat. But the strategy lacks details and nobody's in charge of implementing it. We recommended the National Cyber Director coordinate the national strategy and use our guidelines for effective national strategies.
GAO was asked to examine the federal government’s strategy to address the threat that quantum computers pose to our nation’s cryptography. This report provides information on, among other things, how cryptographic methods protect systems and data, the threat quantum computers pose, and the extent to which the U.S. national quantum computing cybersecurity strategy addresses the desirable characteristics of a national strategy.
Federal agencies and the nation's critical infrastructure—such as energy, transportation systems, communications, and financial services—rely on cryptography (e.g., encryption) to protect sensitive data and systems. However, some experts predict that a quantum computer capable of breaking certain cryptography—referred to as a cryptographically relevant quantum computer (CRQC)—may be developed in the next 10 to 20 years, putting agency and critical infrastructure systems at risk. Quantum computers leverage the properties of a qubit (the quantum equivalent of classical computer bits) to solve selected problems significantly faster than classical computers.
To address this threat, various documents developed over the past eight years have contributed to an emerging U.S. national strategy. Based on its review of these documents, GAO identified three central goals.
The strategy partially addresses the desirable characteristics of a national strategy identified in prior GAO work. For example:
- Problem definition and risk assessment. Several documents defined the problem as the threat of a CRQC to cryptography, but did not fully define a CRQC. In addition, although the executive branch conducted a comprehensive risk assessment on systems with vulnerable cryptography supporting critical infrastructure, it has not conducted such an assessment for systems used by federal agencies.
- Purpose, scope, and methodology. Several documents identified purpose and scope. With regard to methodology, three post-quantum cryptography standards documents provided information on how they were developed. However, the remaining documents did not describe the methodology or process used to develop them for the other two goals.
- Objectives, activities, milestones, and performance measures. The strategy documents identified objectives and activities for the first two goals but did not do so for the third. In addition, the strategy documents did not fully identify milestones for the second and third goals and did not identify performance measures for any of the three goals.
These desirable characteristics have not been fully addressed, in part, because no single federal organization is responsible for coordinating the strategy. In January 2021, Congress established an organization that is well-positioned to lead these efforts: the Office of the National Cyber Director. If the office embraces this role and ensures that the strategy fully addresses the desirable characteristics, the nation will have a better-defined roadmap for allocating resources and holding participants accountable.
Leave a comment
1 2 3 4 5 56