Hybrid threats: Council paves the way for deploying Hybrid Rapid Response Teams

The European Council has approved the guiding framework for the practical establishment of the EU Hybrid Rapid Response Teams. This paves the way for such teams to be deployed upon request, to prepare against and counter hybrid threats and campaigns.
Hybrid Rapid Response Teams are one of the key instruments to support EU member states and partner countries in countering hybrid threats as part of the EU Hybrid Toolbox. As one of the key deliverables of the Strategic Compass, they will provide tailored and targeted short-term assistance to member states, Common Security and Defence Policy missions and operations, and partner countries in countering hybrid threats and campaigns.
In a deteriorating security environment, with increasing disinformation, cyber-attacks, attacks on critical infrastructure, instrumentalised migration, and election interference by malign actors, the Hybrid Rapid Response Teams will be an important new capability of the EU to counter new and emerging threats.

Your latest issue of Critical Infrastructure Protection & Resilience News has arrived

Download your copy now at www.cip-association.org/CIPRNews
Please find here your downloadable copy of the Spring 2024 issue of Critical Infrastructure Protection & Resilience News, the official magazine of the International Association of CIP Professionals (IACIPP), for the latest views, features and news, including a Review of the recent Critical Infrastructure Protection & Resilience North America conference and exhibition in Lake Charles, LA.
Critical Infrastructure Protection & Resilience News in this issue:
- Protecting Life - Securing Agriculture
- Protect our Electric Grid – Before it’s Too Late
- Connecting Unrelated Industries Strengthens All Sectors
- Why Airspace Awareness Matters for Critical Infrastructure Security
- Critical Infrastructure Resilience: Are we addressing the real challenges? In the right way?
- Break down cyber and physical security silos to improve protection and operations
- An Interview with CITGO
- Is Cybersecurity As Enchanted as Sleeping Beauty?
- CIPRE Review
- Agency News
- Industry News
Download your copy at www.cip-association.org/CIPRNews

CISA Unveils New Public Service Announcement – We Can Secure Our World

The Cybersecurity and Infrastructure Security Agency (CISA) has launched We Can Secure Our World, the second PSA in its Secure Our World cybersecurity public awareness program. The PSA will be promoted widely across the U.S. on television, radio, digital ads, retail centers, social media platforms, and billboards throughout 2024. We Can Secure Our World builds on the success of CISA’s first ever public service announcement (PSA), which launched in September 2023.
A Pew Research Center survey conducted last year shows that 95% of American adults use the internet, 90% have a smartphone and 80% subscribe to high-speed internet at home. The survey also reported that nearly 70% of children and adolescents have been exposed to at least one cyber risk in the past year. With cyber threats increasing among Americans of all ages, CISA is working to empower all Americans to protect themselves from hackers getting into their devices through easy steps that anyone can do anywhere and anytime.
The Secure Our World cybersecurity public awareness program initially launched in September 2023. Its first PSA received nearly 20,000 views on YouTube, and educational materials, including “How to” videos and tip sheets, were downloaded approximately 50,000 times. CISA also had a video that aired at the NFL Experience in the week leading up to the Super Bowl. CISA had a Super Bowl-related social media campaign that garnered more than 200,000 views and reached audiences spanning America’s diverse population.
The Secure Our World program is designed to educate and empower individuals to take proactive steps in safeguarding their digital lives. Tapping into the nostalgia of beloved musical cartoon series from the 1970s and 1980s, the new PSA features lovable character Max from the first PSA and introduces “Joan the Phone” who teaches us how to stay safe online. Through engaging messaging encouraging simple steps to protect ourselves online, the program aims to raise awareness about the importance of cybersecurity and empower individuals to adopt best practices to mitigate online risks.
“Basic cyber hygiene prevents 98% of cyber attacks—why we’re on a mission to make cyber hygiene as common as brushing our teeth and washing our hands. BUT(!) “cyber” anything can seem overly technical and complicated to the vast majority of Americans from K through Gray—why we’re also on a mission to make such information more accessible,” said CISA Director Jen Easterly. “As someone who grew up with Saturday morning cartoons, I am super excited about what we’ve done with our new Secure Our World PSA to leverage a recognizable educational medium to promote cybersecurity best practices. We’re really excited to take public awareness of cyber safety to a whole new level of creativity.”

National Security Memorandum on Critical Infrastructure Security and Resilience

On April 30, 2024, the White House National Security Council (NSC) published the National Security Memorandum (NSM) on Critical Infrastructure Security and Resilience. This memo builds on the important work that the Cybersecurity and Infrastructure Security Agency (CISA) and agencies across the federal government have been undertaking in partnership with America’s critical infrastructure communities for more than a decade. It also replaces Presidential Policy Directive 21 (PPD-21) on Critical Infrastructure Security and Resilience, which was issued more than a decade ago to establish national policy on critical infrastructure security and resilience.
Why Now?
The threat environment has significantly changed since PPD-21 was issued, shifting from counterterrorism to strategic competition, advances in technology like Artificial Intelligence, malicious cyber activity from nation-state actors, and the need for increased international coordination. This change in the threat landscape, along with increased federal investment in U.S. critical infrastructure, prompted the need to update PPD-21 and issue the new memo.
The NSM will help ensure U.S. critical infrastructure can provide the nation a strong and innovative economy, protect American families, and enhance our collective resilience to disasters before they happen, strengthening the nation for generations to come. This NSM specifically:
- Empowers the Department of Homeland Security to lead a whole-of-government effort to secure U.S. critical infrastructure, with CISA acting as the National Coordinator for the Security and Resilience of U.S. Critical Infrastructure. The Secretary of Homeland Security will be required to submit to the President a biennial National Risk Management Plan that summarizes U.S. government efforts to mitigate risk to the nation’s critical infrastructure.
- Reaffirms the designation of 16 critical infrastructure sectors and establishes a federal department or agency responsible for managing risk within each of these sectors.
- Elevates the importance of minimum security and resilience requirements within and across critical infrastructure sectors, consistent with the National Cyber Strategy, which recognizes the limits of a voluntary approach to risk management in the current threat environment.
PPD-21 pre-dates the establishment of CISA. CISA actively engaged in updating the framework established by PPD-21 to detail how the U.S. government secures and protects critical infrastructure from cyber and physical threats.
CISA has already been working toward the goals of the NSM. We have already re-established the Federal Senior Leadership Council, which has made impressive strides through the FSLC’s robust collaboration model toward meeting our shared goals. When the FSLC was re-chartered, the group not only took on new authorities, but a heavy lift to inform how we define, modernize, and protect our critical infrastructure sectors.

IACIPP Announces Launch of ‘CIP WEEK’ in Europe

The International Association of Critical Infrastructure Protection Professionals (IACIPP) has announced the launch of ‘Critical Infrastructure Protection Week’ in Europe as part of an initiative focused towards enhancing collaboration and cooperation amongst the industry.
The Critical Entities Resilience Directive (CER Directive), whose implementation is imminent, lays down obligations on EU Member States to take specific measures to ensure that essential services and infrastructures, for the maintenance of vital societal functions or economic activities, are provided in an unobstructed manner in the internal market. The deadline of 17th October 2024 is set for when Member States shall adopt and publish the measures necessary to comply with this Directive.
The NIS2 Directive, also known as the Network and Information Security Directive, is also a significant piece of legislation being implemented by 17th October 2024, aimed at improving cyber security and protecting critical infrastructure across the European Union (EU).
It builds upon the previous NIS Directive, addressing its shortcomings and expanding its scope to enhance security requirements, reporting obligations, and crisis management capabilities.
Compliance with the CER Directive and NIS2 Directive is crucial for businesses operating in the EU to safeguard their systems, mitigate threats, and ensure resilience. Penalties are enforceable on agencies and operators for non-compliance.
In light of the forthcoming challenges with the Directives, and the ever increasing threats against European critical infrastructures, IACIPP is launching ‘CIP Week’ in Europe to help raise awareness and promote greater collaboration amongst operators, agencies and the CI security community.
The first ‘Critical Infrastructure Protection Week’ will take place in Madrid, Spain, and will see IACIPP host the ‘Critical Infrastructure Protection & Resilience Europe’ conference and exhibition and the ‘EU-CIP Horizon Project’ conference as the first two events of the initiative. Additional events are expected to be announced as part of CIP Week in due course.
John Donlon QPM, Chairman of The International Association of Critical Infrastructure Protection Professionals, said, “IACIPP is delighted to be announcing this new initiative in Europe, with the important aim of encouraging greater information sharing, collaboration and co-operation within the industry.”
“The CER and NIS2 Directives are two of the most important pieces of legislation to arrive in Europe in recent years, and IACIPP along with other professional bodies have a degree of concern over the lack of preparation of some of the operators and agencies for the October deadline, and believe more needs to be done to ensure these minimum standards are met, and indeed exceeded in subsequent years.”
“We are delighted the ‘Critical Infrastructure Protection & Resilience Europe’ conference and exhibition and ‘EU-CIP Horizon Europe Project’ conference are the first two events to contribute towards CIP Week, which we aim to be an annual event. Madrid is an excellent location for the launch of this program, with the CN-PIC driving Spain’s efforts to meet the Directives’ deadlines and be prepared,” added Mr Donlon.
Critical Infrastructure Protection & Resilience Europe (CIPRE) is the premier conference in Europe to discuss the operational threats and challenges, delivering thought leadership and strategies for operators and agencies to plan security and resilience for their operations and assets.
The EU-CIP Horizon Europe Project* is set up to establish a novel pan European knowledge network for Resilient Infrastructures, which will enable policy makers to shape and produce data-driven evidence-based policies, while boosting the innovation capacity of Critical Infrastructures (CI) operators, authorities, and innovators (including SMEs).
Emilia Gugliandolo, Project Coordinator of EU-CIP, said, “The EU-CIP Project is delighted to be invited as part of the CIP Week initiative, enabling greater opportunities for the industry to explore the challenges and opportunities for bringing about synergetic, emerging disruptive solutions to security issues via cross-projects collaboration and innovation. We look forward to successful collaborations between the sectors and professionals in achieving the overall goals for the industry.”
IACIPP is an international association of practitioners and professionals involved in the security, resilience and safety of critical infrastructure, both physical and information infrastructure, open to critical infrastructure operators and government agencies, including site managers, security officers, government agency officials, policy makers, research & academia. The Association also aims to share ideas, information, experiences, technology and best practice to enhance these objectives.
IACIPP is inviting the industry to join in CIP Week in Madrid on 12th-14th November 2024.

CISA Issues Request For Information on Secure by Design Software Whitepaper

The Cybersecurity and Infrastructure Security Agency (CISA) has published a Request for Information from all interested parties on secure by design software practices, including the Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software whitepaper, as part of its ongoing, collective secure by design campaign across the globe.

To better inform CISA’s Secure by Design campaign, CISA and its partners seek information on a wide range of topics, including the following:

- Incorporating security early into the software development life cycle (SDLC): What changes are needed to allow software manufacturers to build and maintain software that is secure by design, including smaller software manufacturers? How do companies measure the dollar cost of defects in their SDLC?
- Security is often relegated to be an elective in education: What are some examples of higher education incorporating foundational security knowledge into their computer science curricula? When new graduates look for jobs, do companies evaluate security skills, knowledge, and experience during the hiring stage, or are employees reskilled after being hired?
- Recurring vulnerabilities: What are barriers to eliminating recurring classes of vulnerability; how can we lead more companies to identify and invest in eliminating recurring vulnerabilities; how could the common vulnerabilities and exposures (CVE) and common weakness enumeration (CWE) programs help?
- Operational technology (OT): What incentives would likely lead customers to increase their demand for security features? Which OT products or companies have implemented some of the core tenets of secure by design engineering?
- Economics of secure by design: What are the costs to implement secure by design and default principles and tactics, and how do these compare to costs responding to incidents and breaches?

“While we have already received a wide range of feedback on our secure by design campaign, we need to incorporate the broadest possible range of perspectives,” said CISA Director Jen Easterly. “Our goal to drive toward a future where technology is safe and secure by design requires action by every technology manufacturer and clear demand by every customer, which in turn requires us to rigorously seek and incorporate input. The President’s National Cybersecurity Strategy calls for a fundamental shift in responsibility for security from the customer to software manufacturers, and input from this RFI will help us define our path ahead, including updates to our joint seal Secure by Design whitepaper.”

Co-sealed by 18 U.S. and international agencies, our recent Secure by Design guidance strongly encourages every software manufacturer to build products in a way that reduces the burden of cybersecurity on customers. More recently, CISA launched a new series of Secure by Design Alerts outlining the real-world harms that result from technology products that are not secure by design.

With its partners, CISA encourages technology manufacturers and all interested stakeholders to review the Request for Information and provide written comment on or before 20 February 2024. Instructions for submitting comment are available in the Request for Information. The feedback on current analysis or approaches will help inform future iterations of the whitepaper and our collaborative work with the global community.

Most populous city in Philippines leads by example in inclusive DRR

Reducing disaster risk is seemingly never-ending in a country like the Philippines, which is exposed to a multitude of natural hazards.

Increasing urbanization also increases the risk of disasters in cities. New patterns of hazards, exposure and vulnerability are emerging. In this context, local authorities play a dual role. They are the first responders to disasters but are also instrumental in disaster risk reduction (DRR).

Persons with disabilities are often the most affected by natural hazards. Little progress has been made over the past decade in including them in DRR, according to a survey conducted by the United Nations Office for Disaster Risk Reduction (UNDRR) in 2023. Persons with disabilities often do not have access to information about disaster risk and are not included in decision-making related to DRR in communities, and few DRR plans consider the specific needs of persons with disabilities. This is the case in the Philippines as in most countries around the world.
A push in the right direction

The Midterm Review of the Sendai Framework for Disaster Risk Reduction 2015-2030, which concluded in 2023, emphasized that more needs to be done to engage the whole of society in DRR, especially the people and communities most at-risk, and that DRR at the local level is of great importance if we want to implement the Sendai Framework by 2030.

Despite the ambitious agenda to localize DRR and the progress that the Philippines has made in increasing capacities and resources and developing regulations at the smallest government units (barangay), its voluntary national report for the Sendai Framework Midterm Review highlights the need to further strengthen local DRR as a priority area.
A chain of learning

On 28 and 29 November 2023, UNDRR provided a training on urban resilience and disability inclusion in DRR in Quezon City, which is the most populous city in the Philippines and belongs to the Metro Manila region. Representatives from different city departments attended, alongside organizations of persons with disabilities.

A key element of the UNDRR-led initiative Making Cities Resilient 2030 (MCR2030) is connecting cities and facilitating peer learning on resilience. A representative from Baguio City in the northern Philippines co-facilitated the training in Quezon City and shared experiences from the inclusion of persons with disabilities in DRR in a context that is familiar to Quezon. In 2022, officials from Baguio City were trained by the MCR2030 Resilience Hub Makati City, which is also part of Metro Manila. Quezon City is thus the third city in this learning chain.
An assessment, an action plan, a platform and lots of commitment

During the training in Quezon City, participants learned how to use the Disaster Resilience Scorecard for Cities and its annex for the inclusion of persons with disabilities in DRR to evaluate disaster risk management practices.

Based on this assessment, they developed an initial action plan on the inclusion of persons with disabilities in institutional capacities, infrastructure resilience, and recovery, including “Building Back Better”.

The aim of the training was not only to increase knowledge about inclusive DRR and risk assessment capacities, but also to build a platform where local authorities and persons with disabilities come together to discuss DRR and where persons with disabilities are involved in risk assessments and decision-making on DRR.

For many representatives from organizations of persons with disabilities, this training was the first time they had been included in discussions about DRR. “We appreciate the opportunity to have a seat at the table and contribute to decisions that concern us”, one representative said.

Together, the city officials and the organizations of persons with disabilities committed to making DRR in Quezon City more inclusive and to transfer their knowledge and lessons learnt to other cities.
Support for local DRR from the national authorities

With the Department of the Interior and Local Governments (DILG) and the Office for Civil Defense (OCD), national authorities were also represented at the workshop.

An official from the OCD highlighted that the inclusion of persons with disabilities is an issue that needs to be further considered in policies and frameworks, at the local and national levels. “The training helped to understand that local planning needs to be more inclusive and also take into account the needs and perspectives of persons with disabilities to build resilience”, he said.

The engagement of national authorities in MCR2030 builds capacity for urban resilience also at the national level, helping to ensure that cities are more resilient to future disasters and the most at-risk are protected.

[Source: Making Cities Resilient 2030 (MCR2030) United Nations Office for Disaster Risk Reduction - Regional Office for Asia and Pacific]

CIPRNA Announced Preliminary Conference Programme

Critical Infrastructure Protection & Resilience North America, taking place on 12th-14th March 2024 in Lake Charles, Louisiana, and co-hosted by IACIPP and Infragard Louisiana, has announced the Preliminary Conference Program for the 2024 conference and exhibition, and you can download the agenda at www.ciprna-expo.com/PSG.

The Guide provides you with the outline program, the list of international expert speakers and the schedule of events to help you plan your participation.

You can also register online today and save with the Early Bird delegate rates at www.ciprna-expo.com/register

Confirmed Speakers include:
- Dr David Mussington, Executive Assistant Director for Infrastructure Security, Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA)
- Brian Harrell, VP & Chief Security Officer, AVANGRID
- Michael Hill, Program Specialist, Cybersecurity and Infrastructure Security Agency
- Emilio Salabarria, Senior Program Manager for Cybersecurity, The Florida Center for Cybersecurity: Cyber Florida
- Dr. Srinivas Bhattiprolu, Global Head of Advanced Consulting Services, Nokia
- Ed Landgraf, Chairman, Coastal And Marine Operators
- Kimberly Heyne, ChemLock Program Manager, Cybersecurity and Infrastructure Security Agency (CISA)
- Dan Frazen, CO-CEM, Agriculture Emergency Coordinator (All-Hazards), Colorado Department of Agriculture
- Dr. Joshua Bergerson, Principal Infrastructure Analyst, Argonne National Laboratory
- Chris Essid, Sector Branch Chief, Cybersecurity and Infrastructure Security Agency (CISA)
- Budge Currier, Assistant Director Public Safety Communications, California Office of Emergency Services (Cal OES)
- Terrence Check, Senior Legal Counsel, CISA
- Rola Hariri, Defense Industrial Base Liaison, Cybersecurity and Infrastructure Security Agency (CISA)
- Lester Millet, President, Infragard Louisiana & Safety Risk Agency Manager, Port of South Louisiana
- Michael Finch, Technology Services Director, Lane County Department of Technology Services
- Richard Tenney, Senior Advisor, Cyber, Cybersecurity and Infrastructure Security Agency (CISA)
- Andrew A Bochman, Senior Grid Strategist-Defender, DOE / Idaho National Lab
- Jim Henderson, CEO, Insider Threat Defense Group

Full speaker list: www.ciprna-expo.com/speakers2024
Download Agenda: www.ciprna-expo.com/PSG
Schedule of Events/Agenda: www.ciprna-expo.com/schedule
List of Exhibitors: www.ciprna-expo.com/exhibition/exhibitors
Registration: www.ciprna-expo.com/register

Join the community in Lake Charles on 12th-14th March 2024 for some more great discussions on securing America's critical infrastructure and assets.

Download latest Preliminary Conference Programme Guide for CIPRE

As someone responsible in your organisations for critical assets and/or infrastructure, Critical Infrastructure Protection and Resilience Europe is the leading conference that will keep you abreast of the changes in legislation, current threats and latest developments.

Download the Preliminary Conference Programme Guide at www.cipre-expo.com/guide.

What is the new directive on the Resilience of Critical Entities...

The Directive on the Resilience of Critical Entities entered into force on 16 January 2023. Member States have until 17 October 2024 to adopt national legislation to transpose the Directive.

The Directive aims to strengthen the resilience of critical entities against a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage, as well as public health emergencies.

Are you up to date on this legislation, and do you know what you need to do to be compliant?

Get updated on the NIS2 Directive and what it means to you...

An important discussion will centre around the EU cybersecurity rules introduced in 2016 and updated by the NIS2 Directive that came into force in 2023. It modernised the existing legal framework to keep up with increased digitisation and an evolving cybersecurity threat landscape.

By expanding the scope of the cybersecurity rules to new sectors and entities, it further improves the resilience and incident response capacities of public and private entities, competent authorities and the EU as a whole.

Businesses identified by the Member States as operators of essential services in the above sectors will have to take appropriate security measures and notify relevant national authorities of serious incidents. Key digital service providers, such as search engines, cloud computing services and online marketplaces, will have to comply with the security and notification requirements under the Directive.

What will this mean for you and how can you meet the Directives' goals?

Critical Infrastructure Protection and Resilience Europe is Europe's leading discussion that brings together leading stakeholders from industry, operators, agencies and governments to collaborate on securing Europe's critical infrastructures.
The conference's top-quality programme looks at these developing themes and helps create a better understanding of the issues and the threats, to help facilitate the work to develop frameworks, good risk management, strategic planning and implementation.

The packed event themes include:

- Interdependencies and Cascading Effects
- Emerging Threats against CI
- Crisis Management, Coordination & Communication
- Power & Energy Sector Symposium
- Government, Defence & Space Sector Symposium
- Communications Sector Symposium
- Information Technology (CIIP) Sector Symposium
- Transport Sector Symposium
- CBRNE Sector Symposium
- Technologies to Detect and Protect
- Risk Mitigation and Management
- The Insider Threat
- Business Continuity Management
- EU Horizon Projects Overviews

You are invited to be a part of this program, where you can meet, network and learn from the experiences of over 40 expert international speakers, as well as industry colleagues who share the same challenges and goals.

Please join us and the CI industry in the beautiful city of Prague, on 3rd-5th October, for a great programme of discussions that can help you to deliver enhanced security and resilience for your organisation.

Visit www.cipre-expo.com for further details


Your latest issue of Critical Infrastructure Protection & Resilience News has arrived

Please find here your downloadable copy of the Summer 2023 issue of Critical Infrastructure Protection & Resilience News for the latest views and news at www.cip-association.org/CIPRNews.

- The CNI / Crowded Places Security Debate
- Beyond Physical Protection
- Hybrid Threats – A Comprehensive Resilience Ecosystem
- Artificial Intelligence and Cybersecurity Research
- Resilience in action
- An Interview with EU-CIP Project
- IBM Report: Half of Breached Organizations Unwilling to Increase Security Spend Despite Soaring Breach Costs
- Using the EU Space Programme for disaster risk management in Hungary
- An Interview with TIEMS
- Critical Infrastructure Protection and Resilience Europe Preview
- Agency and Industry News

Download your Critical Infrastructure Protection & Resilience News at www.cip-association.org/CIPRNews

Critical Infrastructure Protection and Resilience News is the official magazine of the International Association of Critical Infrastructure Protection Professionals (IACIPP), a non-profit organisation that provides a platform for sharing good practices, innovation and insights from Industry leaders and operators alongside academia and government and law enforcement agencies.
