Power to the people: because of an innovative partnership for regional infrastructure security, the U.S. Northwest is better prepared for disaster.
One example of such a successful partnership is the Pacific Northwest Partnership for Regional Infrastructure Security. The Pacific Northwest Economic Region (PNWER), a public-private statutory organization chartered by five states (Oregon, Washington, Idaho, Montana, and Alaska) and three Canadian provinces (British Columbia, Alberta, and the Yukon Territory), spearheaded the partnership in 2001 when the Enron-related energy crisis was causing brownouts in the West because of commercial pressure. After 9-11, concerns about critical infrastructure protection led PNWER to create the regional multistate, cross-border civilian-defense cooperative initiative that became the Pacific Northwest Partnership.
The partnership drew on the work on interdependencies accomplished during preparations for the 2002 Winter Olympics in Salt Lake City, Utah, when private and public organizations banded together in a regional infrastructure assurance committee. More than 150 stakeholders held the first infrastructure interdependencies exercise, code-named "Black Ice," in which the group imagined that a major prolonged snow storm occurred during the Olympics, shutting down the Salt Lake region for days.
The exercise revealed significant shortcomings, such as a limited understanding of the region's infrastructure interdependencies, a lack of coordination of various response and recovery plans and of regional information sharing and communications capabilities, and the limited availability of resources to combat a regional crisis. Lessons learned from Black Ice were analyzed, and recommendations from the exercise were incorporated into security planning for the Winter Olympics, which was staged without incident.
Momentum. At a kick-off workshop in Spokane, Washington, in November 2001, PNWER brought together the core partnership members, including the major utilities providers from both sides of the U.S. and Canadian border (the electrical grid is completely integrated between the U.S. Pacific Northwest and British Columbia), state and local emergency managers, first responders, and government leaders, as well as representatives from the U.S. Navy's regional command in the Pacific Northwest, the U.S. Coast Guard, and the various ports.
The workshop was designed to raise participants' awareness of infrastructure security issues and to encourage them to discuss their concerns and specific needs. The agenda also included presentations from the deputy director of the U.S. Federal Emergency Management Agency (FEMA) Region 10 and from Canada's Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP). Also included were overviews from regional utilities describing their organizations' service areas and interdependencies.
During the first session, participants were assigned to tables according to their infrastructure or organization. After hearing the presentations, attendees were seated in mixed breakout groups, and each discussed the expected and unexpected effects of interdependencies on their organizations during such incidents as extreme weather or Y2K readiness testing. Participants then heard reports from each breakout group. Among the observations was that while there was heightened awareness of and increased security for critical assets and industrial sites, more in-depth vulnerability assessments and information on interdependencies were needed so that realistic contingency plans could be devised. The most frequently cited critical interdependencies were electrical, telecommunications, communications, transportation, and financial linkages.
Participants were then regrouped by geographical location and asked to discuss how best to create private-public partnerships in their region. They were also asked to choose the co-chairs for similar initiatives in each PNWER member jurisdiction, the organizations that should be on a steering committee, and the timing for their own kickoff workshop. The meeting concluded with a briefing on a proposed interdependency tabletop exercise.
Feedback and participants' recommendations were gleaned by the use of worksheets and a participant evaluation form. Many participants raised the same issues: Industry wanted supplemental funding for vulnerability assessments and cited the need to establish a risk-based approach to identifying critical facilities and vulnerabilities. They wrote of the need for balancing confidentiality and openness when addressing interdependencies and associated vulnerabilities.
While participants stressed that business and government collaboration was essential, private stakeholders had concerns about sharing proprietary information with government agencies unless assured that such sensitive information would be secure from competitors and from the Freedom of Information Act. Participants from more remote areas (where many of the region's critical infrastructures are located) noted that their constituents were having a difficult time relating to the threat of terrorism and preparing for something that, to them, seemed a remote threat.
Before closing the meeting, participants agreed on a date for another meeting in the early spring of 2002 and pledged to begin organizing their own statewide and provincewide meetings. Last, participants agreed that a tabletop exercise would be a useful way to gain a high-level appreciation of preparedness needs associated with infrastructure interdependencies.
Blue Cascades. The exercise, named "Blue Cascades," took place in Welches, Oregon, on June 12, 2002, and was attended by more than 150 representatives from 70 private- and public-sector organizations. Blue Cascades was designed to help stakeholders assess their current state of preparedness. It also was aimed at identifying needs, priorities, and resource requirements for incorporation into a disaster action plan for the PNWER jurisdictions.
Sponsors included the U.S. Navy Critical Infrastructure Protection Program, FEMA, and OCIPEP. Funding for the event came from contributions by the U.S. Navy, OCIPEP, and industrial partners.
The Blue Cascades tabletop exercise was designed by a scenario design group that included representatives from the Bonneville Power Administration, British Columbia Gas, British Columbia Hydro, Boeing, Duke Energy, Pacific Gas and Electric, Williams Gas Pipeline, Puget Sound Energy, the Port of Seattle, the Idaho Bureau of Disaster Services, the U.S. Navy, the National Infrastructure Protection Center, Telus, Verizon, Qwest, FEMA, the British Columbia Provincial Emergency Program, and OCIPEP.
The scenario incorporated the threat that the participants were most concerned about: a disruption to the region's electric power causing regional outages that spread to other Western jurisdictions. There were additional terrorist and nonterrorist disruptions of the region's telecommunications and natural gas distribution means, as well as threats to a major municipal water system and to regional ports.
During the role playing, the disruptions of these critical services and related response and recovery actions affected other interdependent infrastructures, including transportation, emergency services, hospitals, law enforcement, and cross-border cooperation.
The Blue Cascades scenario provided the impetus for participants to discuss infrastructure interdependencies and protection, mitigation, response, and recovery requirements across government agencies and the private sector. Participants grappled with the technical details of how a complete disruption or service curtailment in one infrastructure would cascade to another infrastructure and how these interdependencies could exacerbate restoration efforts.
Evaluators from participating and independent organizations provided immediate feedback to participants and later submitted detailed comments on the regional interdependencies' strengths and shortfalls as identified during the exercise. These observations, as well as feedback from the participant evaluation forms, formed the basis of the group report on the exercise's findings and recommendations.
Key findings. Evaluators concluded that the organizations demonstrated a low-level understanding of interdependencies and little knowledge of the critical assets of other infrastructures, potential vulnerabilities, and the operational dynamics of these regional interconnections, particularly during longer-term disruptions.
According to the report, many participants initially assumed that their organization's contingency plans for addressing natural disasters and isolated emergencies would be adequate in responding to significant terrorist attacks, disruptions, and multiple events. However, they came to realize that interdependencies could void or negate those assumptions.
There was little recognition of the overwhelming dependency on IT-related resources to continue business operations and execute recovery plans or of the need for contingency plans in the event of loss or damage to electronic systems.
Evaluators also concluded that there was minimal coordination of activities and little understanding of other organizations' interests, response plans, or restoration priorities, as well as no regionwide strategy to strengthen security, enhance preparedness, or coordinate emergency response within and across sector and jurisdictional lines.
Law enforcement and industry/private-sector cooperation and coordination were limited, with no forum to bring together key law enforcement and security personnel to share information and discuss matters of mutual concern. U.S. and Canadian cooperation was seen as limited in the areas of law enforcement, response and recovery, and information sharing; at the same time, there was a lack of understanding about what little cooperation did exist. The range of services that national-level civilian and defense agencies could provide during regional emergencies was not clear. Also, information was lacking on how regional national defense facilities, with significant dependency on commercial infrastructures, would coordinate with these infrastructures in an emergency.
Communications. Participants had difficulty envisioning a situation in which they would lose telephonic and Internet communication and had failed to develop contingency plans to work around the problem, the evaluators concluded. Although many organizations had radio backup, it was unclear how often these systems were tested. Based on exercise discussions, there would be little, if any, interoperability with other stakeholder communications systems.
Additionally, law enforcement lacked an effective way to disseminate and receive threat-related information from private-sector organizations and utilities, and there were no established protocols or networks to facilitate rapid and reliable dissemination of outage-related information to community organizations and infrastructures.
Resources. All sectors faced resource constraints to various degrees, including a lack of critical components and equipment and skilled personnel for recovery activities. Participants did not take into account the demand they would be placing on other organizations and businesses in securing scarce additional backup power generation, including fuel for generators. They also did not appreciate the need to prioritize those demands.
Reporting and analysis. The report noted that there was no common, continentwide alert system with threat levels that have a corresponding set of actions required. The report also noted that the color-coded alert system established by what was then the White House's Office of Homeland Security was little understood and conflicted with infrastructure-sector threat levels. It also stated that there was no mechanism between the United States and Canada for cross-border sharing of threat-level information or a common color-coded terrorist alert system.
The report also found that there were few regional or industry-sector clearinghouses for threat or incident-related information that could be used for planning and response and no dedicated communication channels for infrastructure stakeholders to report information to federal, state or provincial, and local government agencies. Also, modeling and simulation capabilities did not yet exist to help assess economic and other damage from prolonged regional disruptions.
Command and control. The evaluators found that the roles and missions of the various government authorities at all levels were unclear in a large-scale regional terrorist attack or disruption. Participants expressed concern over whether law enforcement should take precedence over restoration, citing the designation of critical assets as crime scenes and the failure to take into account economic impacts of counterterrorism actions.
They also stated that there was a general lack of guidelines on the preservation of evidence within private-sector organizations and that lines of authority were unclear among the FBI and other U.S. and Canadian federal, state or provincial, and local law enforcement entities, including the role of national defense. This was seen as particularly problematic in regard to port security.
Public information. The coordination and dissemination of public information emerged as one of the greatest challenges in a regional infrastructure disaster that involved terrorism. The report noted that not enough attention was paid to basic human reactions, such as that people will panic and believe rumors in the absence of accurate, instructive information.
Action plan. Stakeholders reconvened on October 23, 2002, to address the recommendations and to develop an action plan. Participants joined one or more of seven working groups on port security and maritime transportation; infrastructure interdependencies; regional cooperation, coordination, and communications; command/control and resources; radiological emergency preparedness; information sharing; and a Pacific Northwest Homeland Security Technology Consortium. Participants also were asked to identify organizations to take the lead within their respective groups to further flesh out requirements for each activity and determine funding needs.
The partnership members identified several projects to pursue in each of these categories. Among these were exploring specific cooperative mechanisms to improve regional and cross-border preparedness; convening a meeting for public- and private-sector organizations to brief others on their emergency response plans; and creating a regional, cross-border, interoperable communications and information-sharing mechanism. Other identified projects included ascertaining potential resource shortfalls (of both manpower and equipment) in regional and cross-border emergencies and developing resource-sharing and other contingency plans, including coordinated stockpiling of equipment.
Developing an inventory of federal services that could be provided in major emergency situations was an additional goal. The group also planned a pilot project to identify legal and policy barriers, as well as requirements for effective cross-border, cross-jurisdictional command and control.
In the area of interdependencies, projects included holding additional exercises, identifying interdependencies through the development of a template for stakeholders, and conducting further workshops and education sessions for businesses and the general public.
On port security and maritime transportation, the action plan included projects to develop a comprehensive list of key facilities and assets in commercial ports and maritime transportation and to fashion a prioritization system for the movement of cargo during prolonged disruptions. Radiological incident-response projects included the creation of a central clearinghouse for radiological preparedness, response, and recovery information and the development of a regional radiological preparedness plan.
Currently, funding is being sought for these priority actions. In the meantime, meetings have been held to define requirements for one of the most pressing projects--the creation of a regional information-sharing mechanism. A technical working group has been formed to create an emergency response network to link all critical infrastructures, emergency management agencies, public health networks, first responders, and law enforcement agencies in an automatic communication and information-sharing system. The U.S. Department of Homeland Security has agreed to fund this pilot project, which is planned to be operational by the end of 2003.
Sowing seeds. The Pacific Northwest Partnership has broken ground for additional regional partnerships and accrued valuable information that can help these new cooperative entities grow and flourish.
The partnership overcame significant challenges. It discovered that there must be some regional mechanism with the influence, mandate, membership base, and interest sufficient to facilitate a regional infrastructure security initiative. Otherwise, it means working with local government and private-sector leaders to create one.
That done, good outreach skills, combined with knowledge of infrastructure, business, operational, and security concerns, are necessary to convince busy, skeptical stakeholders with their own equities and interests to join and contribute.
Lack of federal direction, attention, and funding remains a problem. The U.S. Department of Homeland Security is still organizing. While DHS voices support for private-public partnerships, the partnership found that there was no proactive support of existing partnerships or initiatives to foster new ones. Also, the partnership battled legal and proprietary concerns and was challenged to develop effective and safe integrated ways to share vulnerability and threat-related data.
The partnership learned that the process cannot be rushed but will evolve and bear fruit as the stakeholders wish. Last, it is difficult to obtain even the modest financial support necessary to initiate a regional partnership without a major sponsor.
The partnership found that none of these challenges are insurmountable, however, if the regional stakeholders wish to proceed. The required budget is around $150,000 to $200,000 to start a regional partnership from scratch through the creation of the prioritized action plan.
The success of the Pacific Northwest Partnership has led to partnering by other regions. Each of these initiatives reflects the interests, cultural norms, and political dynamics inherent in that area.
There are currently four other regional partnerships at different stages of development. Two are funded with seed money provided by the U.S. Navy Critical Infrastructure Protection Office, and the third by a private-sector association.
San Diego. The first of these is the San Diego Homeland Security Partnership. Like its Pacific Northwest counterpart, it focuses on commercial enterprises, tourism, port security, defense facilities, and cross-border issues--in this case, with Mexico. However, there is a strong focus on healthcare and broad commercial business participation through the San Diego Regional Chamber of Commerce, which chairs the region's Homeland Security Partnership Committee. The two main universities in the region, the University of California at San Diego and San Diego State University, also play lead roles through the San Diego Network for Regional Homeland Security, a solutions-focused consortium, and the region has a large military presence with major Navy and Marine Corps facilities.
The San Diego Partnership held its security kickoff workshop on April 28, and on May 29 it held the "Golden Matrix" infrastructure interdependencies exercise with a scenario designed by the various stakeholders. They are currently working on an action plan and discussing a governance structure for the partnership.
Gulf Coast. The Gulf Coast Regional Partnership for Infrastructure Security focuses on port security, tourism, and commercial enterprises. Centered in the New Orleans region, it is cochaired by the City of New Orleans and the New Orleans Regional Chamber of Commerce.
The partnership's kickoff workshop was held July 30, and the interdependencies exercise, "Purple Crescent," was held October 22.
Great Lakes. The Great Lakes Partnership, centered in Chicago and sponsored by the Chicago Manufacturing Center, is in the initial planning stages. It will focus on manufacturing and intermodal transportation and will include Canadian participation.
Iowa. Also in formation is the Iowa Partnership for Homeland Security, as part of an envisioned broader Midwest Partnership that would include other states in the region and Canada. The organization's interdependencies exercise, "Amber Waves," will be held in early 2004.
In today's interconnected world, there is no way to develop and maintain the level of preparedness necessary to deal with threats to infrastructures without regional private-public partnering. This can be achieved by bringing together key stakeholders in a multistate or regional partnership, building awareness and trust through an interdependencies-focused workshop, and helping the stakeholders develop and conduct a tabletop exercise to identify readiness gaps and create and implement an action plan. The result is a much greater readiness when disaster strikes.
Dr. Paula L. Scalingi is president of The Scalingi Group, a consulting firm based in Vienna, Virginia, that assists government and industry to meet infrastructure security needs. She also is co-director of the Forum on Global Security for the State University of New York at Stony Brook. Scalingi is the founder and former director of the U.S. Department of Energy's Office of Critical Infrastructure Protection. Matt Morrison is executive director of the Pacific Northwest Economic Region, based in Seattle, and the organizer of the Pacific Northwest Partnership for Regional Infrastructure Security.
For more information on the Pacific Northwest Economic Region, the Pacific Northwest Partnership for Regional Infrastructure Security, and the Blue Cascades exercise, visit www.pnwer.org. For additional information on the other regional partnerships, e-mail: firstname.lastname@example.org.
|Author:||Scalingi, Paula L.; Morrison, Matt|
|Date:||Dec 1, 2003|