As part of Critical Infrastructure Security and Resilience Month, WaterISAC is highlighting CISA’s four recommended best practices/strategies that infrastructure organizations can implement to help make them more secure and resilient. Today’s best practice is Measure Progress to Continuously Improve.
Training and exercises are critical for water and wastewater utilities to build resilience and to ensure their security practices are appropriate for today’s complex threat landscape. Today’s best practice, the last for Critical Infrastructure Security and Resilience Month, highlights the importance of measuring progress through training and exercises.
According to CISA, a key task for all organizations is to exercise incident response and recovery plans under realistic conditions and periodically evaluate and update strategic plans. An organization’s ability to proactively prepare for and adapt to changing risk conditions starts with fostering a culture of continuous improvement, based on lessons learned from exercises and real-world incidents, which includes conducting awareness training. To help critical infrastructure organizations with this effort, EPA, CISA, and FEMA have a variety of free resources to leverage.
Measure Progress to Continuously Improve
EPA
EPA has a whole website to help utilities design and conduct tabletop exercises (TTX). According to EPA, its TTX tool provides users with the resources to plan, conduct and evaluate tabletop exercises. It offers multiple threat scenarios stemming from hazards across the all-hazards threat environment, such as cyber attacks, flooding, earthquakes, acts of vandalism, and more. Access EPA’s TTX tool page here.
EPA also offers general resilience training, such as its All-hazards Boot Camp Training, a self-paced course that provides an overview of how water and wastewater systems can build resilience to all hazards. In addition, utilities can access topic-specific resilience training and review guidance documents on developing their own training courses. Access EPA’s resilience training here.
CISA
CISA has created Tabletop Exercise Packages (CTEPs) to assist stakeholders in conducting their own exercises. Utilities can use CTEPs to initiate discussions within their organizations about their ability to address a variety of threat scenarios.
According to CISA, “each package is customizable and includes template exercise objectives, scenarios, and discussion questions as well as a collection of references and resources. Available scenarios cover a broad array of physical security and cybersecurity topics, such as natural disasters, pandemics, civil disturbances, industrial control systems, election security, ransomware, vehicle ramming, insider threats, active assailants, and unmanned aerial systems.” CTEPs also offer scenario and module questions to discuss pre-incident information and intelligence sharing, incident response, and post-incident recovery. Access the CTEP resources here.
In addition, CISA offers countless free training courses – which can be accessed here.
FEMA
FEMA offers exercise starter kits that can help with planning, design, scenario development, conduct, and evaluation. The Exercise Starter Kits are designed to provide a set of sample materials and templates that can be customized to create a discussion-based exercise to help organizations validate their plans and policies. Each kit contains a sample exercise facilitator and evaluator guide, sample conduct slides, a sample situation manual, and a customizable placemat.
The exercise kits are available in the Emergency Management Toolkit section of FEMA’s Preparedness Toolkit website. This online portal provides stakeholders across the community with multiple tools for implementing preparedness and resilience efforts. Access the exercise starter kits here.
Lastly, FEMA recently announced it is expanding the Emergency Management Institute (EMI) into a newly created university in order to deliver an expanded curriculum, the National Disaster & Emergency Management University, or NDEMU – which can be accessed here.
For more information on CISA’s Critical Infrastructure Security and Resilience Month, visit CISA’s dedicated website.