Your latest issue of Critical Infrastructure Protection & Resilience News has arrived

Please find here your downloadable copy of the Winter 2022-23 issue of Critical Infrastructure Protection & Resilience News for the latest views and news at www.cip-association.org/CIPRNews.

- A Standard to help protect Critical Infrastructure
- Government and Industry Cooperation: More Important Than Ever for Cybersecurity Awareness
- Help2Protect: an eLearning program to counter Insider Threats
- Testing Environments Help S&T and CISA Secure Transportation Infrastructure
- Can responsible AI guidelines keep up with the technology?
- Infrastructure Resilience Planning Framework (IRPF)
- An Interview with Port of New Orleans
- Critical Infrastructure Protection & Resilience North America Preview
- Industry and Agency Reports and News

Download your Critical Infrastructure Protection & Resilience News at www.cip-association.org/CIPRNews

Critical Infrastructure Protection and Resilience News is the official magazine of the International Association of Critical Infrastructure Protection Professionals (IACIPP), a non-profit organisation that provides a platform for sharing good practices, innovation and insights from Industry leaders and operators alongside academia and government and law enforcement agencies.

#CriticalInfrastructureProtection #CriticalInfrastructure #cybersecurity #help2protect #cisa #ciprna #resilience #cooperation

Enforcement Agencies Should Better Leverage Information to Target Efforts Involving U.S. Universities

Over 2 million foreign students and scholars studied at U.S. universities in 2019, in many cases contributing to U.S. research. The U.S. government implements export controls to, among other things, mitigate the risk of foreign students' and scholars' obtaining controlled and sensitive information that could benefit foreign adversaries.

GAO was asked to review agencies' efforts to address risks associated with foreign students and scholars who may seek to evade export control regulations. This report examines the extent to which agencies are assessing universities' risk of unauthorized deemed exports to prioritize outreach.

GAO reviewed related laws and regulations; analyzed agency data; and interviewed agency officials in Washington, D.C., and 15 U.S. field offices. GAO based its selection of these offices on their proximity to research universities, their geographic dispersion, and other agencies' field office locations.

This is a public version of a sensitive report issued in March 2022 that included additional information on (1) challenges agencies face in efforts to enforce export control regulations, particularly for deemed exports at universities, and (2) the extent to which agencies coordinate their efforts and share information. Information that agencies deemed sensitive has been removed.

According to U.S. government agencies, foreign entities are targeting sensitive research conducted by U.S. universities and other institutions. Releases or other transfers of certain sensitive information to foreign persons in the United States are subject to U.S. export control regulations. Such releases or transfers, which are considered to be exports, are commonly referred to as deemed exports. A U.S. Assistant Secretary of State wrote in 2020 that greater attention needed to be paid to deemed exports. He noted that these transfers, including the “know how” of cutting-edge science and its applications, are what China's military–civil fusion strategy seeks in its attempts to mine and exploit U.S. academia's open knowledge system.

Agencies involved in enforcing export control regulations—the Departments of Commerce and Homeland Security (DHS) and the Federal Bureau of Investigation (FBI)—conduct outreach to universities to strengthen efforts to prevent sensitive technology transfers, including unauthorized deemed exports. According to officials, outreach increases awareness of threats to research security and builds stronger two-way relationships with university officials. The agencies identified this outreach as a key enforcement mechanism.

However, additional information about universities' risks could enhance the agencies' outreach efforts. For example, Commerce does not base its outreach on analysis of universities' risk levels and has not identified any risk factors to guide its outreach priorities. DHS has ranked roughly 150 U.S. universities for outreach, and FBI provides information to all of its field offices to guide their outreach priorities; however, both agencies base these efforts on only one risk factor. Identifying and analyzing any additional relevant risk factors could provide a more complete understanding of universities' risk levels and could further inform Commerce's, DHS's, and FBI's efforts to target limited resources for outreach to at-risk universities.

How Parliamentarians can L.A.B.O.R. for disaster resilience

While hazards may be natural, disasters are not. The choices we make can either increase or decrease risk. As the planet slowly warms, parliamentarians can help. Indeed, they can L.A.B.O.R. for resilience.

The global pandemic caused by Covid-19 has been a wake-up call for the whole world. Appalling losses of life, economic devastation and ripples of insecurity have touched every corner of the planet. No one has been immune and the power (or lack thereof) of the state to prevent, prepare and respond has been severely tested. While there’s no way to guess how the pandemic would have unfolded had the world been more prepared, research repeatedly shows that disaster risk reduction and preparedness mitigate losses by large margins. Just 24 hours warning of a coming storm or heat wave can cut the ensuing damage by 30 percent.

As public tolerance for risk is decreasing; citizens around the world are increasingly exposed to growing and compounded risks, with losses now reaching between $250 and $300 billion annually, up from about $50 billion in the 1980s. Climate change interacts with other hazards - technological, biological, chemical and geopolitical, among others – which creates greater risk complexity. The impacts of disaster know no bounds, but those living in more vulnerable circumstances tend to be the hardest hit, with poorer countries registering the highest post-disaster mortality rates.

While hazards may be natural, disasters are not

Flood, earthquakes, landslides or storms become disasters because of the exposure and vulnerability of people and places. The choices we make can either increase or decrease risk. Therefore, each stakeholder has a role in reducing disaster risk. Parliamentarians are uniquely situated to help societies weather all kind of disasters with more resilience and preparation. Last year, the United Nations Office for Disaster Risk Reduction (UNDRR) and the Inter-Parliamentary Union (IPU) launched a toolkit for parliamentarians detailing how they can help build resilience for their communities. The guidance features ten recommendations grouped into five categories: Legislate; Advocate; Budget; Oversee; Represent (L.A.B.O.R.).

Read below for a snapshot of how parliamentarians can L.A.B.O.R. for their constituency’s resilience.

Legislate
Creating legislation is one of parliamentarians’ key jobs. In this regard, using risk and vulnerability assessments, they can create both DRR (disaster risk reduction) legislation, as well as amend existing legislation to reflect and support international DRR commitments.

Advocate
Parliamentarians can advocate for governments to shift from their current event-centered, response and recovery approach to DRR to a multi-hazard approach that considers vulnerability. They can also advocate for the use of data, expertise and experience from national and international institutions, as well as from other countries, to inform their own DRR frameworks and strategies. Finally, parliamentarians can advocate for DRR to be integrated into climate change plans and initiatives.

Budget (and finance)
Determining budget allocation is another vital task for parliamentarians and here they can focus on funding long-term DRR initiatives – including allocating funds for the oversight of data collection, reporting purposes and regulation enforcement – at all levels of government. Parliamentarians can also integrate and mainstream DRR into public and private investment decisions, ensuring that investments are risk-informed.

Oversee
Accountability is an important aspect of any government investment decision. Parliamentarians can use their oversight role to evaluate government performance, effectiveness and spending for DRR initiatives, thus demonstrating their effectiveness. They can also make people aware of the impacts of regulation, enforcement and penalties. In order to support ease of use and to compare different initiatives, parliamentarians can ensure information is provided in standardized, consistent formats.

Represent
Finally, as elected officials, parliamentarians are responsible for representing all of their constituents and ensuring that DRR policies and plans meet their specific needs. This all-of-society approach must include those most vulnerable in disasters: the poor, women, girls, ethnic minorities and persons with disabilities. Parliaments can ensure that DRR strategies and commitments are durable and will survive electoral changes by using a non-partisan, holistic approach to developing DRR plans.

Using the L.A.B.O.R. framework, parliamentarians can help create disaster-ready communities, both saving lives and protecting economic resources.

[Source: UNDRR]

UNDRR ROAMC: Investment in education creates more resilient societies

Investments in safe schools provide economic returns for society and also contribute to economic recovery, according to the latest evidence. They represent a clear way to finance risk reduction initiatives in the education sector and are a direct contribution to the creation of more resilient societies.
The suspension of classes for more than a year, due to the pandemic, has not been duly dimensioned.  Until now. Education may well be one of the most affected sectors by the COVID-19 crisis. According to different analyses, students affected by school closures will obtain 3% less income during their professional lives, which will mean an approximate GDP loss of 1.5% over the remainder of the century. The pandemic will also increase school desertion and will have a profound effect on learning processes for an entire generation, without taking into account systemic effects from school closures, such as increased malnutrition, mental health effects, and other vulnerabilities.
These are devastating figures that demonstrate the need for schools and their safety to be a fundamental part of national budgetary preparations. 3 out of 5 students who did not go to school last year live in Latin America and the Caribbean.  This was emphasized during the Virtual Caribbean Safe School Initiative Pre-Ministerial Forum, held between the 15th to the 26th of last March, which was oriented towards the promotion of safety in Caribbean schools, and which is the regional mechanism for putting into practice a relationship between education and resilience.
The sixth session of the Pre-forum: School safety investment as a Key Element of Economic Recovery showed the importance of integrating into recuperation processes all the lessons learnt during this crisis.
“We should invest in gathering and use of information for observation and mapping of precise interventions, while at the same time modernizing our technological infrastructure, not only to be able to face disasters, but also in regards to contemporary realities,” stated Fayval Willams, Minister of Education, Youth, and Information of Jamaica.
According to João Pedro Azevedo, World Bank economist, the educational system must prepare its teachers to confront lower learning levels and higher inequality levels. That is to say, to prepare them for the consequences of the pandemic. “Vulnerable sectors have been those most affected by the closures during the pandemic since they have no access to the necessary technology,” added Cynthia Hobbs, an education specialist from the Interamerican Development Bank.
Andrew A. Fahie, Prime Minister of the British Virgin Islands, stated that reconstruction of the school system after the pandemic must consider technology. “Inaction cannot be an action,” he stated.
FUNDING PRIORITY
Kamal Ahmed, an international disaster risk finance consultant for the United Nations Office for Disaster Risk Reduction (UNDRR), elaborated further on the importance of investing in all aspects of school safety. “A school structure that collapses or closes interrupts nutritional programs, for example, which are a key element in social programs of many countries, and which at times are the only access to nutrition for many vulnerable children. In the case of the pandemic, if the child stays at home, and the father or mother must also stay, it reduces participation of that home in the labour market and therefore, their income,” stated Ahmed. “Investment in education produces amazing results, but also a lack of investment leaves surprising consequences.”
According to Ahmed, governments should develop a comprehensive evaluation of schools, identifying strengths and capacities, in addition to creating a matrix with safe and resilient school strategies, fragile and marginal school programs, and most vulnerable school projects. A plan must be created to compensate for learning losses.
From the financial point of view, added Ahmed, investment must be made in such a way as to reduce economic, social, environmental, physical, and lack of governance vulnerabilities. The Ministry of Education must be the priority in national budget preparation, with projections not only for costs but also for emergency funds.
Raúl Salazar, chief of UNDRR - Regional Office for the Americas and the Caribbean, stated that “loss of education increases gaps and inequality in the school system, and therefore social vulnerabilities. The disappearance of a large sector of the school population from the educational system will create significant effects on all social systems, including the economic systems.”    This clearly underlines the dimensions of systemic risk by its characteristics and requires us to confront them with a holistic and comprehensive vision.
Fahie, Prime Minister of the British Virgin Islands, specified that 20% of the 7% tax collection is applied to financial services for the improvement of schools structure. In this case, risk reduction forms a permanent part of state expenditures.
The Sendai Framework for Disaster Risk Reduction (2015-2030) is clear on this subject: “disaster risk reduction should be strengthened by providing adequate resources through various funding mechanisms, including increased, timely, stable and predictable contributions to the United Nations Trust Fund for Disaster Reduction and by enhancing the role of the Trust Fund in relation to the implementation of the present Framework”.
The world initiative for Safe Schools was accepted by the States during the signing of the Sendai Framework, which has been in effect for six years as of the 18th of March.
“In order to go forward, we must do it together, in a comprehensive way, with inter-institutional and inter-sectorial effort that would employ the disaster management abilities of various sectors which will put in motion well developed plans and strategies, financed and coherent with other large agencies, such as the Sustainable Development Objectives, and the Paris Agreement,” stated Mami Mizutori, the Special Representative of the Secretary General for Disaster Risk Reduction, during the opening day of the Pre-Ministerial Forum.

IACIPP and Capitol Sign Agreement to Advance Worldwide Critical Infrastructure Awareness and Knowledge

Capitol Technology University and the International Association of Critical Infrastructure Protection Professionals (IACIPP) signed a Memorandum of Understanding (MOU) to develop a partnership that will extend efforts to improve the training and education of Critical Infrastructure Students and professionals. Both parties recognize a high demand for worldwide cooperation to increase the effectiveness of research, education, and activities in the critical infrastructure field of study. This MOU will facilitate the development of joint seminars, conferences, and training courses.
“As an Association we aim to deliver discussion and innovation— on many of the serious infrastructure, protection, management, and security challenges—facing both industry and governments. The ever changing and evolving nature of threats, whether natural through climate change or man-made through terrorism activities, either physical or cyber, means there is a continual need to review and update policies, practices, training, and technologies to meet these growing and changing demands,” said John Donlon QPM, Chairman IACIPP. “This partnership with Capitol Technology University enables both parties to develop and enhance objectives through education and training.”
A nation’s critical infrastructure provides the essential services that underpin a society. Proactive and coordinated efforts are necessary to strengthen and maintain secure, functioning, and resilient critical infrastructure— including assets, networks, and systems—that are vital to public confidence and a nation’s safety, prosperity, and well-being.
Critical infrastructure must be secure and able to withstand and rapidly recover from all hazards. Achieving this will require integration with the national preparedness system across prevention, protection, mitigation, response, and recovery.
The International Association of Critical Infrastructure Protection Professionals (IACIPP) is an international association of practitioners and professionals involved in the security, resilience and safety of critical infrastructure, both physical and information infrastructure.
The IACIPP is open to critical infrastructure operators and government agencies, including site managers, security officers, government agency officials, policy makers, research & academia. The Association also aims to share ideas, information, experiences, technology and best practices to enhance these objectives.
Capitol Technology University, located in Laurel, Maryland, is an independent institution that has focused on STEM education since 1927. Capitol Tech, the national winner of the 2020 SC Media Award for Best Cybersecurity Higher Education Program, offers hands-on courses taught by industry experts that lead to undergraduate and graduate degrees in emerging fields such as Mechatronics Engineering and Artificial Intelligence.

November is CIPR Month in US

Under leadership from the U.S. Department of Homeland Security's National Protection & Programs Directorate (NPPD) and partnership with InfraGardNCR, November is designated as National Critical Infrastructure Security and Resilience Month.
NCISRM builds awareness and appreciation of the importance of critical infrastructure and reaffirms the nationwide commitment to keep our critical infrastructure and our communities safe and secure. Securing the nation's infrastructure, which includes both the physical facilities that supply our communities with goods and services, like water, transportation, and fuel, and the communication and cyber technology that connects people and supports the critical infrastructure systems we rely on daily, is a national priority that requires planning and coordination across the whole community.​
In November, NCISRM efforts will focus on bringing stakeholders together to foster trusted relationships, providing timely and relevant resources to mitigate vulnerabilities, and raise awareness around the role of our supply chain in protecting critical infrastructure.

Australian Government launch consultation on protection of critical infrastructures

The Australian Government is committed to protecting the essential services all Australians rely on by uplifting the security and resilience of critical infrastructure.

The Government’s commitment to the continued prosperity of its economy and businesses is unwavering. The impacts of recent events only reinforce the need for collaboration between and across critical infrastructure sectors and Government to protect our economy, security and sovereignty.

At the same time, Government recognises the additional economic challenges facing many sectors and entities in the wake of the COVID-19 pandemic. The outcome it seek is clear - they want to work in partnership to develop proportionate requirements that strike a balance between uplifting security, and ensuring businesses remain viable and services remain sustainable, accessible and affordable. An uplift in security and resilience across critical infrastructure sectors will mean that all businesses will benefit from strengthened protections to the networks, systems and services we all depend on.

An enhanced critical infrastructure framework

The primary objective of the proposed enhanced framework is to protect Australia’s critical infrastructure from all hazards, including the dynamic and potentially catastrophic cascading threats enabled by cyber attacks.

The enhanced framework outlines a need for an uplift in security and resilience in all critical infrastructure sectors, combined with better identification and sharing of threats in order to make Australia’s critical infrastructure – whether industry or government owned and operated – more resilient and secure. This approach will prioritise acting ahead of an incident wherever possible.

Government has agreed that the proposed enhanced framework will apply to an expanded set of critical infrastructure sectors, comprising of three key elements:

  1. Positive Security Obligation, including:
    a. set and enforced baseline protections against all hazards for critical infrastructure and systems, implemented through sector-specific standards proportionate to risk.
  2. Enhanced cyber security obligations that establish:
    a. the ability for Government to request information to contribute to a near real-time national threat picture;
    b. owner and operator participation in preparatory activities with Government; and
    c. the co-development of a scenario based ‘playbook’ that sets out response arrangements.
  3. Government assistance for entities that are the target or victim of a cyber attack, through the establishment of a Government capability and authorities to disrupt and respond to threats in an emergency.

These three initiatives will be underpinned by an enhanced Government-industry partnership across all hazards.

The Government intends to consult with stakeholders during and after receiving submissions. This will also allow us to assess the impact of proposed reforms and refine the development of the enhanced framework.

Further details can be viewed at https://www.homeaffairs.gov.au/reports-and-pubs/files/protecting-critical-infrastructure-systems-consultation-paper.pdf