Over the past 16 months, federal, state, and local emergency managers have worked through one of the most demanding periods in recent history. They have been immersed in a highly political and complex public health event that has presented new challenges daily. As a result, the occurrence and trend of concerning threat incidents have gone relatively overlooked. Emergency managers and homeland security officials should be concerned with the rapid and evolving nature of recent events; the frequency and magnitude of these incidents hinder jurisdictions’ ability to keep up with lessons learned and adapt protocols to better prepare for future emergencies.
Additionally, American infrastructure is fragile. The American Society for Civil Engineers recently upgraded the nation’s overall infrastructure rating from a D+ to a C-. While this shows some progress has been made, there is plenty of work left to be done. Given the current state of American infrastructure, the number of real-world incidents should be a wake-up call to public and private entities alike. So, what might you have missed while we were focused on COVID-19? Here are a few major infrastructure-related challenges that have occurred in the past few months:
SolarWinds – In December 2020, the United States experienced what some have called the worst cybersecurity attack in its history. After attackers gained access through SolarWinds, some 18,000 organizations were impacted. This included Fortune 500 companies and U.S. government entities (the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, etc.). It is assumed that access may have persisted for as long as nine months, and impact mitigation will be a major undertaking.
Nashville Bombing – On Christmas 2020, a man in downtown Nashville set off an explosion at an AT&T communications hub. The hub was a central, far-reaching one that provided services across multiple states, including internet, cellular, and television. The effects of the destruction struck everything from hospitals and law enforcement agencies to the Nashville airport, businesses, and individuals; some major effects included grounded flights, hospital communications disruption, and 911 service being temporarily unavailable. This highlights how interconnected we are and the negative impacts on critical infrastructure when just one hub is taken out. Moreover, it begs the question, what other privately owned infrastructure is vulnerable to this type of attack in our communities, and what are we doing about it?
Texas Winter Storm Uri Mass Power Failure – In February 2021, Winter Storm Uri brought freezing temperatures and widespread hardship for over a week through frozen pipes, hazardous driving conditions, and a breakdown of multiple critical infrastructure components due to the cascading impacts of state-wide power disruption. A combination of Texas’ self-contained power grid, frozen back-up energy sources such as wind turbines, gas pipelines, and coal piles, and the dramatic increase in demand from the winter storm caused Texas power companies to shut off power to millions of Texans and businesses to prevent an overload of the system. The extended loss of power impacted other critical infrastructure sectors, such as telecommunications – companies with backup generators had to cease services when they ran out of fuel, or when fuel consistency changed because of the cold temperatures, as the winter storm conditions made the delivery of more fuel difficult. Additionally, natural gas and water/wastewater treatment plants, pumps, and pipeline system components cannot run without electricity, which further impacted additional power suppliers such as thermoelectric power plants (nuclear, gas-fired, or coal-fired) that rely on water for cooling. This incident highlighted the truly interconnected nature of critical infrastructure sectors and the devastating cascading impacts an outage of just one can cause on other sectors and the people who live within the affected area and beyond.
Colonial Pipeline Cyberattack – In early May 2021, a ransomware attack by Russian hacker group DarkSide on Colonial Pipeline’s corporate IT networks caused an operational shutdown and disrupted fuel distribution across the eastern coast of the U.S. The attack – cited as the most disruptive cyberattack on energy infrastructure in U.S. history – and subsequent shutdown caused 17 states across four Federal Emergency Management Agency (FEMA) regions to declare states of emergency due to fuel shortages, most acutely within southeastern states. Shortages were then exacerbated by individuals panic-buying gas in massive quantities. The event highlighted both the challenges associated with responding to petroleum shortages and the importance of coordination across regions, states, and private-sector entities before, during, and after shortage incidents.
JBS Meat Processor Plants Cyberattack – In late May 2021, a ransomware attack on the computer networks of JBS, the world’s largest meat-processing company, by Russian hacker group REvil led to multiple meat plants shutting down throughout the United States, Canada, and Australia, including all nine beef plants in the U.S. The shutdown could have disrupted food supply chains throughout the U.S., which in turn would have created a hardship for restaurants and grocery stores, as they would have been unable to meet the demand for products such as beef, pork, and poultry. This shortage would have caused these companies to raise prices and caused inflation. This incident and the Colonial Pipeline attack combined highlight how a cyberattack on one major company can create a ripple effect on a wide range of services and critical infrastructure, as well as a need to boost cybersecurity measures to prevent such attacks from being successfully carried out. While these recent, large-scale cyberattacks garnered national attention, numerous attacks are carried out daily.
These emerging threats are increasing in both complexity and scale, and no one is spared – they are impacting both the public and private sectors, with an increasing emphasis on the convergence of technological and physical systems. These incidents, especially those with cascading impacts, require broad participation of stakeholders to adequately address the hazard and manage its consequences. Secondary stakeholders and private-sector partners must be included, though diverse priorities and systems often make this a challenge. Bridging gaps in understanding and facilitating information sharing is essential.
These events should also serve as a wake-up call for Congress and the Department of Homeland Security to adapt existing legislation that would clearly define the types and breadth of services and support that the federal government can provide state, local, and tribal governments, and private sector entities that control critical infrastructure and supply chains. In addition to legislative changes, the influence of technology is something that requires emergency management to reengage in a programmatic approach to preparedness for an emerging and continually changing threat. The Cybersecurity and Infrastructure Security Agency’s (CISA’s) National Critical Functions and FEMA’s Community Lifelines frameworks provide the foundation on which to enhance cybersecurity in jurisdictions of all types and sizes and guide toward all-hazards cybersecurity planning. Despite these frameworks, the federal government must clearly define what emergency declarations, funding, services, support, and technical assistance it can render when attacks occur that greatly impact a community’s ability to sustain life and routine.
In closing, as we look to a period where COVID-19 moves from our primary focus to a secondary one, we need to take a hard look at what hazards we are focusing on and how we are structuring our planning, training, and exercise programs. There are large sums of federal funding that are backlogged through various grant programs such as the Urban Area Security Initiative (UASI), Emergency Management Preparedness Grant (EMPG), Hazard Mitigation Grant Program (HMGP), and the Regional Catastrophic Preparedness Grant Program (RCPGP). Moreover, nationwide preparedness activities, especially for emerging threats, have been delayed due to the impacts of COVID-19. We need to get back to the basics – ensuring we are learning from various events and coordinating with diverse stakeholders who sometimes have competing priorities. This is an area where emergency managers excel and, considering this series of highly complex incidents, it could not be more important.