The latest issue of Critical Infrastructure Protection & Resilience News has arrived

Download your copy now at www.cip-association.org/CIPRNews
Please find here your downloadable copy of the Summer 2024 issue of Critical Infrastructure Protection & Resilience News, the official magazine of the International Association of CIP Professionals (IACIPP), for the latest views, features and news, including a Preview of the upcoming Critical Infrastructure Protection & Resilience Europe conference, Part of CIP Week in Europe in Madrid, Spain.
Critical Infrastructure Protection & Resilience News in this issue:
- CrowdStrike Outage: A Faulty Update Causes Worldwide Problems
- Perspective: Artificial Intelligence
- As cyberattacks increase, physical security should remain a top priority
- Solving the Puzzle of Protection
- Fortifying the frontline – why Zero Trust is key to national security
- Solar storms: Are we ready for another Carrington Event?
- The Secure SatCom Hub for All-Missions
- UN cybersecurity report assesses global progress in providing a safe and secure digital future for all
- An Interview with E.DSO
- Protecting electric grid health with drone-based power line inspection
- CIP Week in Europe, CIPRE and EU-CIP Preview
- Agency News
- Industry News

CISA Releases Plan to Align Operational Cybersecurity Priorities for Federal Agencies

The Cybersecurity and Infrastructure Security Agency (CISA) has published the Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan. As the operational lead for federal cybersecurity, CISA uses this plan to guide coordinated support and services to agencies, drive progress on a targeted set of priorities, and align collective operational defense capabilities. The end result is reducing the risk to more than 100 FCEB agencies.
Each FCEB agency has a unique mission, and thus has independent networks and system architectures to advance its critical work. This independence means that agencies have different cyber risk tolerance and strategies. However, a collective approach to cybersecurity reduces risk across the interagency generally and at each agency specifically, and the FOCAL Plan outlines how this will occur. CISA developed this plan in collaboration with FCEB agencies to provide standard, essential components of enterprise operational cybersecurity and align collective operational defense capabilities across the federal enterprise.
“Federal government data and systems interconnect and are always a target for our adversaries. FCEB agencies need to confront this threat in a unified manner and reduce risk proactively,” said CISA Executive Assistant Director for Cybersecurity, Jeff Greene. “The actions in the FOCAL plan orient and guide FCEB agencies toward effective and collaborative operational cybersecurity and will build resilience. In collaboration with our partner agencies, CISA is modernizing federal agency cybersecurity.”
The FOCAL plan is organized into five priority areas that align with agencies’ metrics and reporting requirements. Each priority has goals ranging from addressing universal cybersecurity challenges, such as managing the attack surface of internet-accessible assets and bolstering cloud security, to long-range efforts, including building a defensible architecture that is resilient in the face of evolving security incidents. The priority areas for FCEB agencies are:
- Asset Management – fully understand the cyber environment, including the operational terrain and interconnected assets.
- Vulnerability Management – proactively protect enterprise attack surface and assess defensive capabilities.
- Defensible Architecture – design cyber infrastructure with an understanding that security incidents will happen, and that resilience is essential.
- Cyber Supply Chain Risk Management (C-SCRM) – quickly identify and mitigate risks, including from third parties, posed to federal IT environments.
- Incident Detection and Response – improve the ability of Security Operations Centers (SOCs) to detect, respond to, and limit the impact of security incidents.
The FOCAL Plan was developed for FCEB agencies, but public and private sector organizations should find it useful as a roadmap to establish their own plan to bolster coordination of their enterprise security capabilities.
The Plan is not intended to provide a comprehensive or exhaustive list that an agency or CISA must accomplish. Rather, it is designed to focus resources on actions that substantively advance operational cybersecurity improvements and alignment goals.

Hurricane Beryl Causes Havoc for State of Texas, 2.3m without power

Hurricane Beryl made landfall along the Texas coast as a Category 1 storm, unleashing a barrage of severe weather as it moved inland before weakening into a tropical storm, yet still capable of widespread damage.
Beryl had sustained winds of over 80 mph as it made landfall, battering communities and infrastructure and leaving more than 2.3 million people without power in Texas, according to poweroutage.us.
The storm prompted closures or vessel traffic restrictions at multiple ports in cities from Houston to Corpus Christi. The ports of Corpus Christi, Houston, Galveston, Freeport, and Texas City said they closed after condition "Zulu" was set by U.S. Coast Guard captains.
Transport was also disrupted, with road closures and high-water locations in Houston and Texas City causing problems.
Acting Governor Dan Patrick urged Texans to make final preparations and announced that 121 counties were added to the state’s Hurricane Beryl Disaster Declaration, as storm forecasts shifted the expected landfall north and east of previous projections.
The Texas Division of Emergency Management (TDEM) increased the readiness level of the State Emergency Operations Center, and Texas Emergency Management Council agencies worked 24-hour operations while continuing to preposition state emergency response resources that were readied for deployment by Governor Greg Abbott.

Hybrid threats: Council paves the way for deploying Hybrid Rapid Response Teams

The European Council has approved the guiding framework for the practical establishment of the EU Hybrid Rapid Response Teams. This paves the way for such teams to be deployed upon request, to prepare against and counter hybrid threats and campaigns.
Hybrid Rapid Response Teams are one of the key instruments to support EU member states and partner countries in countering hybrid threats as part of the EU Hybrid Toolbox. As one of the key deliverables of the Strategic Compass, they will provide tailored and targeted short-term assistance to member states, Common Security and Defence Policy missions and operations, and partner countries in countering hybrid threats and campaigns.
In a deteriorating security environment, with increasing disinformation, cyber-attacks, attacks on critical infrastructure, instrumentalised migration, and election interference by malign actors, the Hybrid Rapid Response Teams will be an important new capability of the EU to counter new and emerging threats.

Your latest issue of Critical Infrastructure Protection & Resilience News has arrived

Download your copy now at www.cip-association.org/CIPRNews
Please find here your downloadable copy of the Spring 2024 issue of Critical Infrastructure Protection & Resilience News, the official magazine of the International Association of CIP Professionals (IACIPP), for the latest views, features and news, including a Review of the recent Critical Infrastructure Protection & Resilience North America conference and exhibition in Lake Charles, LA.
Critical Infrastructure Protection & Resilience News in this issue:
- Protecting Life - Securing Agriculture
- Protect our Electric Grid – Before it’s Too Late
- Connecting Unrelated Industries Strengthens All Sectors
- Why Airspace Awareness Matters for Critical Infrastructure Security
- Critical Infrastructure Resilience: Are we addressing the real challenges? In the right way?
- Break down cyber and physical security silos to improve protection and operations
- An Interview with CITGO
- Is Cybersecurity As Enchanted as Sleeping Beauty?
- CIPRE Review
- Agency News
- Industry News

CISA Unveils New Public Service Announcement – We Can Secure Our World

The Cybersecurity and Infrastructure Security Agency (CISA) has launched We Can Secure Our World, the second PSA in its Secure Our World cybersecurity public awareness program. The PSA will be promoted widely across the U.S. on television, radio, digital ads, retail centers, social media platforms, and billboards throughout 2024. We Can Secure Our World builds on the success of CISA’s first ever public service announcement (PSA), which launched in September 2023.
A Pew Research Center survey conducted last year shows that 95% of American adults use the internet, 90% have a smartphone and 80% subscribe to high-speed internet at home. Additionally, the survey reported that nearly 70% of children and adolescents have been exposed to at least one cyber risk in the past year. With cyber threats increasing among Americans of all ages, CISA is working to empower all Americans to protect themselves from hackers getting into their devices through easy steps that anyone can do anywhere and anytime.
The Secure Our World cybersecurity public awareness program initially launched in September 2023, with its first PSA receiving nearly 20,000 views on YouTube, and its educational materials, including “How to” videos and tip sheets, were downloaded approximately 50,000 times. CISA also had a video that aired at the NFL Experience in the week leading up to the Super Bowl. CISA had a Super Bowl-related social media campaign that garnered more than 200,000 views and reached audiences spanning America’s diverse population.
The Secure Our World program is designed to educate and empower individuals to take proactive steps in safeguarding their digital lives. Tapping into the nostalgia of beloved musical cartoon series from the 1970s and 1980s, the new PSA features lovable character Max from the first PSA and introduces “Joan the Phone” who teaches us how to stay safe online. Through engaging messaging encouraging simple steps to protect ourselves online, the program aims to raise awareness about the importance of cybersecurity and empower individuals to adopt best practices to mitigate online risks.
“Basic cyber hygiene prevents 98% of cyber attacks—why we’re on a mission to make cyber hygiene as common as brushing our teeth and washing our hands. BUT(!) “cyber” anything can seem overly technical and complicated to the vast majority of Americans from K through Gray—why we’re also on a mission to make such information more accessible,” said CISA Director Jen Easterly. “As someone who grew up with Saturday morning cartoons, I am super excited about what we’ve done with our new Secure Our World PSA to leverage a recognizable educational medium to promote cybersecurity best practices. We’re really excited to take public awareness of cyber safety to a whole new level of creativity.”

National Security Memorandum on Critical Infrastructure Security and Resilience

On April 30, 2024, the White House National Security Council (NSC) published the National Security Memorandum (NSM) on Critical Infrastructure Security and Resilience. This memo builds on the important work that the Cybersecurity and Infrastructure Security Agency (CISA) and agencies across the federal government have been undertaking in partnership with America’s critical infrastructure communities for more than a decade. It also replaces Presidential Policy Directive 21 (PPD-21) on Critical Infrastructure Security and Resilience, which was issued more than a decade ago to establish national policy on critical infrastructure security and resilience.
Why Now?
The threat environment has significantly changed since PPD-21 was issued, shifting from counterterrorism to strategic competition, advances in technology like Artificial Intelligence, malicious cyber activity from nation-state actors, and the need for increased international coordination. This change in the threat landscape, along with increased federal investment in U.S. critical infrastructure, prompted the need to update PPD-21 and issue the new memo.
The NSM will help ensure U.S. critical infrastructure can provide the nation a strong and innovative economy, protect American families, and enhance our collective resilience to disasters before they happen, strengthening the nation for generations to come. This NSM specifically:
- Empowers the Department of Homeland Security to lead a whole-of-government effort to secure U.S. critical infrastructure, with CISA acting as the National Coordinator for the Security and Resilience of U.S. Critical Infrastructure. The Secretary of Homeland Security will be required to submit to the President a biennial National Risk Management Plan that summarizes U.S. government efforts to mitigate risk to the nation’s critical infrastructure.
- Reaffirms the designation of 16 critical infrastructure sectors and establishes a federal department or agency responsible for managing risk within each of these sectors.
- Elevates the importance of minimum security and resilience requirements within and across critical infrastructure sectors, consistent with the National Cyber Strategy, which recognizes the limits of a voluntary approach to risk management in the current threat environment.
PPD-21 pre-dates the establishment of CISA. CISA actively engaged in updating the framework established by PPD-21 to detail how the U.S. government secures and protects critical infrastructure from cyber and physical threats.
CISA has already been working toward the goals of the NSM. We have already re-established the Federal Senior Leadership Council, which has made impressive strides through the FSLC’s robust collaboration model toward meeting our shared goals. When the FSLC was re-chartered, the group not only took on new authorities, but a heavy lift to inform how we define, modernize, and protect our critical infrastructure sectors.

IACIPP Announces Launch of ‘CIP WEEK’ in Europe

The International Association of Critical Infrastructure Protection Professionals (IACIPP) has announced the launch of ‘Critical Infrastructure Protection Week’ in Europe as part of an initiative focused towards enhancing collaboration and cooperation amongst the industry.
The Critical Entities Resilience Directive (CER Directive), whose implementation is imminent, lays down obligations on EU Member States to take specific measures to ensure that essential services and infrastructures, for the maintenance of vital societal functions or economic activities, are provided in an unobstructed manner in the internal market. The deadline of 17th October 2024 is set for when Member States shall adopt and publish the measures necessary to comply with this Directive.
The NIS2 Directive, also known as the Network and Information Security Directive, is also a significant piece of legislation being implemented by 17th October 2024, aimed at improving cyber security and protecting critical infrastructure across the European Union (EU).
It builds upon the previous NIS Directive, addressing its shortcomings and expanding its scope to enhance security requirements, reporting obligations, and crisis management capabilities.
Compliance with the CER Directive and NIS2 Directive is crucial for businesses operating in the EU to safeguard their systems, mitigate threats, and ensure resilience. Penalties are enforceable on agencies and operators for non-compliance.
In light of the forthcoming challenges with the Directives, and the ever-increasing threats against European critical infrastructures, IACIPP is launching ‘CIP Week’ in Europe to help raise awareness and promote greater collaboration amongst operators, agencies and the CI security community.
The first ‘Critical Infrastructure Protection Week’ will take place in Madrid, Spain, and will see IACIPP host the ‘Critical Infrastructure Protection & Resilience Europe’ conference and exhibition and the ‘EU-CIP Horizon Project’ conference as the first two events of the initiative. Additional events are expected to be announced as part of CIP Week in due course.
John Donlon QPM, Chairman of The International Association of Critical Infrastructure Protection Professionals, said, “IACIPP is delighted to be announcing this new initiative in Europe, with the important aim of encouraging greater information sharing, collaboration and co-operation within the industry.”
“The CER and NIS2 Directives are two of the most important pieces of legislation to arrive in Europe in recent years, and IACIPP along with other professional bodies have a degree of concern over the lack of preparation of some of the operators and agencies for the October deadline, and believe more needs to be done to ensure these minimum standards are met, and indeed exceeded in subsequent years.”
“We are delighted the ‘Critical Infrastructure Protection & Resilience Europe’ conference and exhibition and ‘EU-CIP Horizon Europe Project’ conference are the first two events to contribute towards CIP Week, which we aim to be an annual event. Madrid is an excellent location for the launch of this program, with the CN-PIC driving Spain’s efforts to meet the Directives’ deadlines and be prepared,” added Mr Donlon.
Critical Infrastructure Protection & Resilience Europe (CIPRE) is the premier conference in Europe to discuss operational threats and challenges, delivering thought leadership and strategies for operators and agencies to plan security and resilience for their operations and assets.
The EU-CIP Horizon Europe Project is set up to establish a novel pan-European knowledge network for Resilient Infrastructures, which will enable policy makers to shape and produce data-driven, evidence-based policies, while boosting the innovation capacity of Critical Infrastructures (CI) operators, authorities, and innovators (including SMEs).
Emilia Gugliandolo, Project Coordinator of EU-CIP, said, “The EU-CIP Project is delighted to be invited as part of the CIP Week initiative, enabling greater opportunities for the industry to explore the challenges and opportunities for bringing about synergetic, emerging disruptive solutions to security issues via cross-projects collaboration and innovation. We look forward to successful collaborations between the sectors and professionals in achieving the overall goals for the industry.”
IACIPP is an international association of practitioners and professionals involved in the security, resilience and safety of critical infrastructure, both physical and information infrastructure. It is open to critical infrastructure operators and government agencies, including site managers, security officers, government agency officials, policy makers, and research & academia. The Association also aims to share ideas, information, experiences, technology and best practice to enhance these objectives.
IACIPP is inviting the industry to join in CIP Week in Madrid on 12th-14th November 2024.

CISA Issues Request For Information on Secure by Design Software Whitepaper

The Cybersecurity and Infrastructure Security Agency (CISA) has published a Request for Information from all interested parties on secure by design software practices, including the Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software whitepaper, as part of its ongoing, collective secure by design campaign across the globe.

To better inform CISA’s Secure by Design campaign, CISA and its partners seek information on a wide range of topics, including the following:

- Incorporating security early into the software development life cycle (SDLC): What changes are needed to allow software manufacturers to build and maintain software that is secure by design, including smaller software manufacturers? How do companies measure the dollar cost of defects in their SDLC?
- Security is often relegated to be an elective in education: What are some examples of higher education incorporating foundational security knowledge into their computer science curricula? When new graduates look for jobs, do companies evaluate security skills, knowledge, and experience during the hiring stage, or are employees reskilled after being hired?
- Recurring vulnerabilities: What are barriers to eliminating recurring classes of vulnerability; how can we lead more companies to identify and invest in eliminating recurring vulnerabilities; how could the common vulnerabilities and exposures (CVE) and common weakness enumeration (CWE) programs help?
- Operational technology (OT): What incentives would likely lead customers to increase their demand for security features? Which OT products or companies have implemented some of the core tenets of secure by design engineering?
- Economics of secure by design: What are the costs to implement secure by design and default principles and tactics, and how do these compare to costs responding to incidents and breaches?

“While we have already received a wide range of feedback on our secure by design campaign, we need to incorporate the broadest possible range of perspectives,” said CISA Director Jen Easterly. “Our goal to drive toward a future where technology is safe and secure by design requires action by every technology manufacturer and clear demand by every customer, which in turn requires us to rigorously seek and incorporate input. The President’s National Cybersecurity Strategy calls for a fundamental shift in responsibility for security from the customer to software manufacturers, and input from this RFI will help us define our path ahead, including updates to our joint seal Secure by Design whitepaper.”

Co-sealed by 18 U.S. and international agencies, our recent Secure by Design guidance strongly encourages every software manufacturer to build products in a way that reduces the burden of cybersecurity on customers. More recently, CISA launched a new series of Secure by Design Alerts outlining the real-world harms that result from technology products that are not secure by design.

With its partners, CISA encourages technology manufacturers and all interested stakeholders to review the Request for Information and provide written comment on or before 20 February 2024. Instructions for submitting comment are available in the Request for Information. The feedback on current analysis or approaches will help inform future iterations of the whitepaper and our collaborative work with the global community.

Most populous city in Philippines leads by example in inclusive DRR

Reducing disaster risk is seemingly never-ending in a country like the Philippines, which is exposed to a multitude of natural hazards.

Increasing urbanization also increases the risk of disasters in cities. New patterns of hazards, exposure and vulnerability are emerging. In this context, local authorities play a dual role. They are the first responders to disasters but are also instrumental in disaster risk reduction (DRR).

Persons with disabilities are often the most affected by natural hazards. Little progress has been made over the past decade in including them in DRR, according to a survey conducted by the United Nations Office for Disaster Risk Reduction (UNDRR) in 2023. Persons with disabilities often do not have access to information about disaster risk and are not included in decision-making related to DRR in communities, and few DRR plans consider the specific needs of persons with disabilities. This is the case in the Philippines as in most countries around the world.
A push in the right direction

The Midterm Review of the Sendai Framework for Disaster Risk Reduction 2015-2030, which concluded in 2023, emphasized that more needs to be done to engage the whole of society in DRR, especially the people and communities most at-risk, and that DRR at the local level is of great importance if we want to implement the Sendai Framework by 2030.

Despite the ambitious agenda to localize DRR and the progress that the Philippines has made in increasing capacities and resources and developing regulations at the smallest government units (barangay), its voluntary national report for the Sendai Framework Midterm Review highlights the need to further strengthen local DRR as a priority area.
A chain of learning

On 28 and 29 November 2023, UNDRR provided a training on urban resilience and disability inclusion in DRR in Quezon City, which is the most populous city in the Philippines and belongs to the Metro Manila region. Representatives from different city departments attended, alongside organizations of persons with disabilities.

A key element of the UNDRR-led initiative Making Cities Resilient 2030 (MCR2030) is connecting cities and facilitating peer learning on resilience. A representative from Baguio City in the northern Philippines co-facilitated the training in Quezon City and shared experiences from the inclusion of persons with disabilities in DRR in a context that is familiar to Quezon. In 2022, officials from Baguio City were trained by the MCR2030 Resilience Hub Makati City, which is also part of Metro Manila. Quezon City is thus the third city in this learning chain.
An assessment, an action plan, a platform and lots of commitment

During the training in Quezon City, participants learned how to use the Disaster Resilience Scorecard for Cities and its annex for the inclusion of persons with disabilities in DRR to evaluate disaster risk management practices.

Based on this assessment, they developed an initial action plan on the inclusion of persons with disabilities in institutional capacities, infrastructure resilience, and recovery, including “Building Back Better”.

The aim of the training was not only to increase knowledge about inclusive DRR and risk assessment capacities, but also to build a platform where local authorities and persons with disabilities come together to discuss DRR and where persons with disabilities are involved in risk assessments and decision-making on DRR.

For many representatives from organizations of persons with disabilities, this training was the first time they had been included in discussions about DRR. “We appreciate the opportunity to have a seat at the table and contribute to decisions that concern us”, one representative said.

Together, the city officials and the organizations of persons with disabilities committed to making DRR in Quezon City more inclusive and to transfer their knowledge and lessons learnt to other cities.
Support for local DRR from the national authorities

With the Department of the Interior and Local Governments (DILG) and the Office for Civil Defense (OCD), national authorities were also represented at the workshop.

An official from the OCD highlighted that the inclusion of persons with disabilities is an issue that needs to be further considered in policies and frameworks, at the local and national levels. “The training helped to understand that local planning needs to be more inclusive and also take into account the needs and perspectives of persons with disabilities to build resilience”, he said.

The engagement of national authorities in MCR2030 builds capacity for urban resilience also at the national level, helping to ensure that cities are more resilient to future disasters and the most at-risk are protected.

[Source: Making Cities Resilient 2030 (MCR2030) United Nations Office for Disaster Risk Reduction - Regional Office for Asia and Pacific]