Volume 22 — Issue 44 | November 3, 2022
Crash Responder Safety Week (CRSW) will take place November 14-18 and this year’s theme is “Respect Our Roadside Heroes.”
The week is a time to educate the public about the importance of staying alert, slowing down, and moving over when passing a roadway incident, as well as to provide critical traffic incident management (TIM) training to all stakeholders involved in TIM. These stakeholders in the emergency services include firefighters, EMS providers, rescue workers, law enforcement, and emergency managers, who often coordinate with other disciplines such as towing and recovery operators or transportation officials.
The National Operations Center of Excellence (NOCoE) leads the annual CRSW initiative, with support from the Federal Highway Administration (FHWA). NOCoE has provided a CRSW Daily Calendar to help agencies align their promotion, press outreach, and social media engagement with hundreds of other organizations during the week.
The CRSW Daily Calendar is organized around daily themes:
Each day of the Calendar provides sample social media messages you can use or customize for your agency. Use #RoadsideHeroes when posting on social media.
Join NOCoE’s Kick-off webinar on Nov. 14 from 1 to 2 p.m. EST to learn about the actions that response leaders and every responder can take to advance the safety of incident responders and road users.
Many agencies have partnered with NOCoE to promote CRSW in 2022. The following agencies are offering additional awareness campaign materials and free training for responders:
- The Emergency Responder Safety Institute (ERSI) is a one-stop shop for public education materials as well as information and training for all first responders with a role in traffic incident management. Visit ERSI’s website, ResponderSafety.com, to access these resources.
- The National Volunteer Fire Council (NVFC) hosted a webinar on Nov. 2, focusing on traffic incident management considerations, tools, and ways to ensure responders stay safe on the roadways. The webinar recording will be available soon in the NVFC Virtual Classroom.
- The International Association of Fire Fighters (IAFF) provides a social media toolkit and educational materials to promote the event.
(Sources: NOCoE, FHWA, ERSI, IAFF, NVFC)
Earlier this month, the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Office for Bombing Prevention (OBP) reached a major milestone during the delivery of its Surveillance Detection Course in Louisville, Kentucky, by training its 150,000th person. Interest in OBP training has steadily increased since its inception: OBP trained 25,000 in the first twelve years and 125,000 in the last seven.
Noah Cole, an officer in the Louisville Metro Police Department, was proud to be named the 150,000th trainee. “Taking the surveillance detection class was eye opening as a law enforcement officer,” he said. “I learned more than I expected and was able to take away valuable training to be able to use within my career. I’d highly recommend it to anyone in a law enforcement operational and/or support role.” The course provides trainees with the fundamental knowledge and skills to recognize and respond appropriately to hostile surveillance at facilities and events.
OBP continues to expand its training footprint through international engagements, which enable OBP to collaborate with international security and law enforcement officials to deliver tailored trainings and resources. Recently, OBP worked with the Department of State to train officials in Mexico, Canada, and the United Nations, among others. Through its Empowered Trainer program, OBP has expanded its Counter-IED mission capabilities by developing and sustaining a training cadre at the federal, state, local, tribal, and private sector levels, providing trainers with the essential knowledge and support required to effectively deliver OBP's accredited counter-IED and risk mitigation training curriculum.
“This milestone represents years of hard work, dedication, and commitment to securing communities at home and abroad,” said the Cybersecurity and Infrastructure Security Agency’s Executive Assistant Director for Infrastructure Security, Dr. David Mussington. “As the global threat landscape has continued to evolve, OBP has done a remarkable job in adapting to those changes to provide training and resources tailored to the needs of those working to keep us safe.”
OBP’s success can be attributed in large part to the steps it has implemented to enhance its curriculum and restructure its program to reach multiple stakeholders through various modalities. This includes free C-IED trainings both virtually and in-person. To request OBP counter-IED products or contact the team, please email the Office for Bombing Prevention.
(Source: CISA OBP)
Experts from the National Institute of Standards and Technology (NIST), other federal agencies, private industry and local governments have developed a first-of-its-kind ASTM standard that could help communities improve their ability to withstand and recover from disasters.
Standards exist to ensure that individual buildings and infrastructure systems stand up to hurricanes, earthquakes, fires or other hazards, but until now, there has not been a consensus-based standard that considers their impact on social systems and services on a community scale.
How do different structures depend on each other to provide essential services like health care, education and housing? How should we prioritize those buildings and infrastructure systems at a community level? The new standard, based on NIST’s Community Resilience Planning Guide, can help local governments answer these questions and many more.
The new guide offers a step-by-step process for developing resilience plans and goals for recovery that can be tailored to the needs of individual communities and used without expert assistance.
Access the new ASTM Standard Guide for Community Resilience Planning for Buildings and Infrastructure (ASTM E3350-22) on ASTM International’s website. For more on NIST’s community resilience efforts, visit nist.gov/community-resilience.
(Source: NIST)
The Federal Emergency Management Agency’s (FEMA’s) Emergency Management Institute (EMI) has just released its fiscal year 2023 course schedule for the Emergency Operations Center (EOC) Skillset Curriculum.
The EOC Skillset courses assist individuals and jurisdictions who desire to develop or improve their EOCs. By the end of each course, students will be able to demonstrate, through activities and a Final Exam, the skillset roles of the modern-day EOC. Courses focus on actions and products generated in an EOC before, during, and after an event.
Courses in the curriculum include:
- K2300 Intermediate EOC Functions.
- K2302 EOC Leaders Skillset.
- K2304 EOC Planning Support Skillset.
- K2306 EOC Resource Support Skillset.
- K2308 EOC Ops and SA Support Skillset.
Courses in the EOC Skillset curriculum in the “K” series are all hosted virtually by EMI. Each course is offered multiple times throughout the year.
For more information on this training opportunity and how to register, see EMI’s EMIGram. For announcements of all upcoming training opportunities from EMI, see EMI’s website.
(Source: FEMA)
DHS announces new cybersecurity performance goals for critical infrastructure
On Oct. 27, the Department of Homeland Security (DHS) released a set of cross-sector Cybersecurity Performance Goals (CPGs), voluntary practices that outline the highest-priority baseline measures businesses and critical infrastructure owners of all sizes can take to protect themselves against cyber threats. The CPGs were developed by DHS, through CISA, at the direction of the White House.
The CPGs provide voluntary guidance to critical infrastructure partners to help them prioritize security investments toward areas that will have the greatest impact on their cybersecurity, and they are developed to be implemented in concert with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Every organization should use the NIST Cybersecurity Framework to develop a rigorous, comprehensive cybersecurity program. The CPGs prescribe an abridged subset of actions – a kind of “QuickStart guide” – for the NIST CSF to help organizations prioritize their investments.
Along with the CPGs themselves, CISA is releasing an accompanying Checklist that prioritizes each Goal by Cost, Impact, and Complexity.
In the months ahead, CISA will actively seek feedback on the CPGs from partners across the critical infrastructure community and has established a Discussions webpage to receive this input. CISA will also begin working directly with individual critical infrastructure sectors as it builds out sector-specific CPGs in the coming months.
To access these new CPGs or provide feedback, visit CISA.gov/cpg.
(Sources: DHS, CISA)
ESF partners, NSA, and CISA release Software Supply Chain Guidance for Suppliers
Recent cyberattacks, such as those executed against SolarWinds and its customers, and exploits that take advantage of vulnerabilities such as Log4j highlight weaknesses within software supply chains.
The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) released Securing the Software Supply Chain: Recommended Practices Guide for Suppliers on Oct. 31. This guidance was created by the Critical Infrastructure Partnership Advisory Council (CIPAC) Cross Sector Enduring Security Framework (ESF) Working Group—a public-private working group that provides cybersecurity guidance addressing high-priority cyber threats to the nation’s critical infrastructure.
This guidance for suppliers is the second in a three-part series on “Securing the Software Supply Chain.” In September, the first part for developers was published; the third and final segment will be for software customers, such as those who acquire software for the federal government. The series can be found on NSA’s website.
(Sources: NSA, CISA)
CISA releases guidance on phishing-resistant and numbers matching multifactor authentication
CISA has released two fact sheets to highlight threats against accounts and systems using certain forms of multifactor authentication (MFA). CISA strongly urges all organizations to implement phishing-resistant MFA to protect against phishing and other known cyber threats. If an organization using mobile push-notification-based MFA is unable to implement phishing-resistant MFA, CISA recommends using number matching to mitigate MFA fatigue. Although number matching is not as strong as phishing-resistant MFA, it is one of the best interim mitigations for organizations that may not immediately be able to implement phishing-resistant MFA.
CISA recommends users and organizations see CISA fact sheets Implementing Phishing-Resistant MFA and Implementing Number Matching in MFA Applications. Visit CISA.gov/MFA for more information on MFA, including an infographic of the hierarchy of MFA options.
(Source: CISA)
Joint CISA FBI MS-ISAC guide on responding to DDoS Attacks and DDoS guidance for federal agencies
CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released Understanding and Responding to Distributed Denial-of-Service Attacks to provide organizations proactive steps to reduce the likelihood and impact of distributed denial-of-service (DDoS) attacks. The guidance is for both network defenders and leaders to help them understand and respond to DDoS attacks, which can cost an organization time, money, and reputational damage.
Concurrently, CISA has released Capacity Enhancement Guide (CEG): Additional DDoS Guidance for Federal Agencies, which provides federal civilian executive branch (FCEB) agencies additional DDoS guidance, including recommended FCEB contract vehicles and services that provide DDoS protection and mitigations.
CISA encourages all network defenders and leaders to review the Joint Guide, the CEG, and additional tips, which are all accessible within CISA’s bulletin, Security Tip (ST04-015): Understanding Denial-of-Service Attacks.
(Source: CISA)
Critical OpenSSL vulnerability will require action by healthcare organizations
A software library called OpenSSL – used with many of the most common operating systems and applications for secure communications – is going to receive an important update on Tuesday, November 1, 2022. OpenSSL is deployed across industries ubiquitously, including the health sector. HC3 highly recommends all public and private health sector organizations identify all instances of OpenSSL in their infrastructure and prepare to test and deploy the patch as soon as it is released.
Read the full Sector Alert from the Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3).
(Source: HHS HC3)
Ransomware gangs ramp up industrial attacks in US
Ransomware gangs are hitting the industrial sector hard — and especially manufacturing companies, with significant spikes in cyberattack activity against US organizations spotted in the third quarter. Meanwhile, emerging ransomware groups are bursting onto the scene, threatening to push the rate of attacks up even higher.
According to a Dragos Q3 analysis of ransomware attacks on industrial organizations, 36% of the recorded cases globally hit North America (46 incidents). This is a significant 10% increase over last quarter, when a quarter of cases affected the region.
However, the analysis also found that the rate of attacks globally remained flat quarter over quarter — 128 incidents for Q3 vs. 125 in Q2.
The majority (68%) of observed incidents were aimed at the manufacturing sector.
(Source: Dark Reading)
The InfoGram is distributed weekly to provide members of the Emergency Services Sector with information concerning the protection of their critical infrastructures.
Fair Use Notice: This InfoGram may contain copyrighted material that was not specifically authorized by the copyright owner. The EMR-ISAC believes this constitutes “fair use” of copyrighted material as provided for in section 107 of the U.S. Copyright Law. If you wish to use copyrighted material contained within this document for your own purposes that go beyond “fair use,” you must obtain permission from the copyright owner.
Linking Policy and Disclaimer of Endorsement: The appearance of external hyperlinks does not constitute endorsement of the linked websites, or the information, products or services contained therein. We provide these links and pointers solely for your information and convenience. When you select a link to an outside website, remember that you are subject to the privacy and security policies of the owners/sponsors of the outside website. To view information and resources on the policies that govern FEMA web content visit FEMA Website Information.
Section 504 Notice: Section 504 of the Rehabilitation Act requires that FEMA grantees provide access to information for people with disabilities. If you need assistance accessing information or have any concerns about access, please contact FEMAWebTeam@fema.dhs.gov.