Networking Emergency Response: Empowering FEMA in the Age of Convergence and Cyber Critical Infrastructure

Publication year: 2021
Citation: Vol. 96

96 Nebraska L. Rev. 509. Networking Emergency Response: Empowering FEMA in the Age of Convergence and Cyber Critical Infrastructure

Networking Emergency Response: Empowering FEMA in the Age of Convergence and Cyber Critical Infrastructure(fn*)


Christopher M. Bailey


TABLE OF CONTENTS


I. Introduction

II. Placing Cybersecurity in the Critical-Infrastructure Conversation
A. What Makes Cybersecurity Critical to Critical Infrastructure?
1. Superstorm Sandy
2. Failure of the Taum Sauk Water Storage Dam
B. PPD-21 and Recognition of Cyber in Critical Infrastructure
C. PPD-41: Cybersecurity Has Its Day

III. Empowering FEMA in the Age of Cybersecurity
A. The Stafford Act in Practice
B. The Stafford Act's Current Approach to Cybersecurity
C. Modernizing FEMA and the Stafford Act for a Networked World
1. Putting Cyber Incidents in Context by Defining the Incident
2. Developing Cyber-Emergency-Preparedness Pacts Through FEMA Grant Funding
3. Hazard Declarations Must Include Verification of NIST Framework Adoption

IV. Test Case: Hurricane Zoe Strikes Gulf of Mexico
A. Applying the Modified Stafford Act to the Hypothetical Hurricane Zoe
B. Loss of Network Communications Between Southeast Texas Refineries, West Texas, and Electric Utilities
C. Cyber Attacks During Ensuing Hurricane Zoe Emergency Response

V. Conclusion


I. INTRODUCTION

There were no signs anything was wrong. Workers and staff at the Baku-Tbilisi-Ceyhan (BTC) oil pipeline in eastern Turkey regularly reviewed the computer network's readouts on pipeline pressure, and there were no warning or distress signals.(fn1) The BTC pipeline, majority owned by British Petroleum (BP), was designed to be one of the most secure pipeline systems in the world.(fn2) The pipeline consisted of a total of 1099 miles and ran from the Caspian Sea to the Mediterranean Sea.(fn3) To maintain security, the pipeline was outfitted with dozens of sensors and cameras to monitor each section of the pipeline, including a sophisticated backup satellite system to send alerts back to the main control center if the nodes along the pipeline failed.(fn4) These protocols and safety measures, however, would prove useless in the face of a determined adversary.

On August 8, 2008, unidentified hackers launched a cyber attack by infiltrating the surveillance cameras through the cameras' wireless-connection feature and then using this access to connect to the pipeline's operating systems.(fn5) Once inside, the hackers manipulated the pressure along the pipeline by breaking into computer controls at several different valve stations along the line.(fn6) The hackers then tampered with the alarm systems to stop any alerts or warnings, including blocking the redundant satellite-warning-systems signals, so the control center never detected the increase in pressure at any point along the pipeline.(fn7) The hackers triggered a massive explosion that destroyed significant sections of the pipeline, spilled over thirty thousand barrels of oil into an adjacent aquifer, inflicted five million dollars a day in closure costs on BP, and caused a one-billion-dollar loss for the Republic of Azerbaijan in export revenue.(fn8) In the aftermath, Turkish authorities claimed a system malfunction caused the blast, and it was not until six years later that it was conclusively proven the incident was a cyber act of terrorism.(fn9) While much of the coverage of the BTC pipeline event rightfully focused on whether the event was a new cyber war or new front in international terrorism,(fn10) the less obvious, but just as important, issue is: How should critical infrastructure be designed in order to be protected in an interconnected and wireless world?

The BTC pipeline incident is a clear example of the challenges posed in a cyber-enabled world. This pipeline incident created significant public health risks in the immediate explosion, accompanying oil spill, contamination of an entire aquifer, substantial financial loss for a private company, and potentially disastrous foreign policy implications for Turkey and Azerbaijan.(fn11) The narrative of dark, shadowy hackers just a click away from Armageddon, while sensational and thrilling, makes it too easy for lawmakers and policy advocates to ignore the most important message that should be gleaned from this example and those like it: modern infrastructure is almost completely reliant on computer systems and networks, fundamentally changing how to prepare for and respond to catastrophes whether precipitated by a terrorist event or a natural disaster.

Cybersecurity is not a topic that should be addressed in a vacuum. Cyber is everything and everywhere in the modern world, but most individuals still think about infrastructure in a pre-computer-networked way.(fn12) Take for example a large power outage that could be caused by high temperatures, overuse of electricity, or a squirrel chewing through transmission lines.(fn13) Prior to the advent of widespread computer networks and Internet-enabled communications, most businesses would have some sort of limited function without power and could wait until power was restored, but not in today's world.(fn14) The cyber-enabled economy is powered by companies like Google, Apple, and Cisco that are entirely reliant on regular and consistent provision of electricity for powering servers and computer networks for customers.(fn15) A devastating real-world example was the immediate aftermath of Hurricane Katrina where overreliance on modern communications infrastructure proved disastrous. The near total collapse of landline, satellite, and cell-phone communications made it practically impossible for local law enforcement and the Louisiana National Guard to coordinate response efforts.(fn16) Cyber policy, regulation, and infrastructure affect private companies; private individuals; and local, state, and federal governments, both individually and collectively.(fn17) The true question posed by events like the BTC attack and the communication-infrastructure collapse during Hurricane Katrina is how policymakers encourage resiliency and security in cyber critical infrastructure and enable first responders to react timely when that infrastructure is under threat.

The United States has wrestled with how to promote both the development of cyberspace and maintain its security and redundancy for nearly two decades.(fn18) That tension, however, has largely missed the forest for the trees. By defining cybersecurity as something reserved to the national-security apparatus, key players in emergency management and response have largely seen cyber as outside of their expertise until the past several years.(fn19) Despite this reliance, the policy and legislative spheres suffer from tunnel vision and therefore largely only focus on terrorism or bad-actor threats to network-enabled infrastructure.(fn20) What is missed is the additional threat posed by simple human error, natural disaster, and ad hoc integration of these systems.

In order to address the current gaps in cybersecurity legislation, it is important to place the gaps and threats in context. Part II will address the vulnerabilities of our cyber-physical systems and the threats natural disasters and even simple human error pose to these systems. These vulnerabilities are uniquely highlighted in two recent events: (1) the wide-scale power outage and degraded communications during Superstorm Sandy in 2012(fn21) and (2) the 2005 Taum Sauk Water Storage Dam failure in eastern Missouri triggered by the transmission of incorrect readings to an off-site monitoring-and-management facility in the Lake of the Ozarks, Missouri.(fn22) Each of these cases is symptomatic of three different types of cyber incidents that planners and emergency-response professionals must prepare for: (1) degradation of cyber infrastructure due to natural disaster, (2) human error in installation of infrastructure hardware, and (3) poor software design that was not discovered until after the system failure. Part II argues President Obama's Presidential Policy Directives (PPDs) 21 and 41 on United States Cyber Incident Coordination were good first steps toward creating an emergency-response framework but insufficient to push both states and private entities to develop truly resilient, redundant, integrated cyber infrastructure.

Part III addresses these cyber-related challenges by redesigning how the Robert T. Stafford Disaster Relief and Emergency Assistance Act (Stafford Act) operates in an event involving cyber systems.(fn23) The Stafford Act should be amended to explicitly address the unique nature of cyber-enabled critical infrastructure and give the Federal Emergency Management Agency (FEMA) authority to develop interstate emergency-response agreements explicitly identifying key cyber critical infrastructure.(fn24) Next, the FEMA Administrator, through her review authority under 42 U.S.C. §§ 5196-96f, should promote the creation of a three-tier incident-classification system for interstate compacts: (1) localized harm or destruction to physical computer hardware, (2) infected or destroyed network nodes that hinder or degrade independent systems from communicating, and (3) software or computer-logic degradation that effectively...
