Critical Infrastructure Protection Committee (CIPC)

Transcription

1 Critical Infrastructure Protection Committee (CIPC) Westin Buckhead Atlanta Atlanta, GA December 15-16, 2015

2 Safety and Security Westin Buckhead Atlanta Staff will inform the CIPC concerning Fire and Evacuation Procedures for your safety 2 RELIABILITY ACCOUNTABILITY

3 CIPC Voting Members and Attendees Wireless access is available: Network: WESTIN-MEETING Password: NERC2015WB Please sign and pass the Attendance Sheets 3 RELIABILITY ACCOUNTABILITY

4 Securing Our Assets 16,000 Transmission Substations 7098 Transmission Lines 1057 GW of Generation 334 million customers 4 RELIABILITY ACCOUNTABILITY

5 Antitrust Guidelines I. General It is NERC s policy and practice to obey the antitrust laws and to avoid all conduct that unreasonably restrains competition. This policy requires the avoidance of any conduct that violates, or that might appear to violate, the antitrust laws. Among other things, the antitrust laws forbid any agreement between or among competitors regarding prices, availability of service, product design, terms of sale, division of markets, allocation of customers or any other activity that unreasonably restrains competition. It is the responsibility of every NERC participant and employee who may in any way affect NERC s compliance with the antitrust laws to carry out this commitment. Antitrust laws are complex and subject to court interpretation that can vary over time and from one court to another. The purpose of these guidelines is to alert NERC participants and employees to potential antitrust problems and to set forth policies to be followed with respect to activities that may involve antitrust considerations. In some instances, the NERC policy contained in these guidelines is stricter than the applicable antitrust laws. Any NERC participant or employee who is uncertain about the legal ramifications of a particular course of conduct or who has doubts or concerns about whether NERC s antitrust compliance policy is implicated in any situation should consult NERC s General Counsel immediately. II. Prohibited Activities Participants in NERC activities (including those of its committees and subgroups) should refrain from the following when acting in their capacity as participants in NERC activities (e.g., at NERC meetings, conference calls and in informal discussions): Discussions involving pricing information, especially margin (profit) and internal cost information and participants expectations as to their future prices or internal costs. Discussions of a participant s marketing strategies. Discussions regarding how customers and geographical areas are to be divided among competitors. Discussions concerning the exclusion of competitors from markets. Discussions concerning boycotting or group refusals to deal with competitors, vendors or suppliers. Any other matters that do not clearly fall within these guidelines should be reviewed with NERC s General Counsel before being discussed. 5 RELIABILITY ACCOUNTABILITY

6 Membership Expectations Our CIPC Charter Section 3 states the following Voting members of the CIPC are expected to: 1. Bring subject matter expertise to the CIPC 2. Be knowledgeable about physical and cyber security practices and challenges in the electricity sector 3. Attend and participate in all CIPC meetings 4. Express their own opinions at committee meetings but also represent the interests of their Regions 5. Discuss and debate interests rather than positions 6. Complete assigned Committee, Task Force, and Working Group assignments 7. Maintain, at a minimum, a Secret Clearance, or to the extent not already obtained, apply for a Secret Clearance 6 RELIABILITY ACCOUNTABILITY

7 Conduct of the Meeting Parliamentary Procedures: In the absence of specific provisions in NERC s Rules of Procedure, all committee meetings shall be conducted in accordance with the most recent edition of Robert s Rules of Order, Newly Revised in all cases to which they are applicable. 7 RELIABILITY ACCOUNTABILITY

8 Critical Infrastructure Protection Committee Executive Committee David Revill, NRECA Chuck Abell, Chair, Ameren Melanie Seader, EEI David Grubbs, ERCOT Nathan Mitchell, Vice Chair, APPA Jack Cashin, EPSA Ross Johnson, CEA Jim Brenton, Vice Chair, ERCOT Marc Child, Great River Sam Chanoski, Secretary Physical Security Subcommittee (David Grubbs) Cybersecurity Subcommittee (Marc Child) Operating Security Subcommittee (Jim Brenton) Policy Subcommittee (Nathan Mitchell) Physical Security WG (Ross Johnson) Control Systems Security WG (Mikhail Falkovich) Grid Exercise WG (Tim Conway) BES Security Metrics WG (VACANT) Physical Security Guidelines WG (John Breckenridge) Security Training WG (William Whitney) Business Continuity Guideline TF (Darren Myers) Physical Security Standard WG (Allan Wick) Compliance and Enforcement Input WG (Paul Crist) September RELIABILITY ACCOUNTABILITY

9 CIPC Primary Voting Members Org Name Company Discipline TRE David Grubbs Executive Committee City of Garland Operations TRE Jim Brenton, Vice Chair ERCOT Cyber TRE Darrell Klimitchek STEC Physical FRCC Paul McClay TECO Cyber FRCC Carter Manucy Fla Municipal Physical FRCC Joe Garmon Seminole Operations MRO Marc Child Executive Committee Great River Cyber MRO Paul Crist LES Physical MRO (vacant) Operations NPCC John Galloway ISO-NE Operations NPCC Greg Goodrich NYISO Cyber NPCC David Cadregari Iberdrola USA Networks Physical RFC Larry Bugh RFC Cyber RFC Kent Kujala Detroit Operations RFC Jeff Fuller DPL Physical SERC Chuck Abell, Chair Ameren Operations SERC Cynthia Hill-Watson TVA Cyber SERC Bruce Martin Duke Energy Physical SPP John Breckenridge KCPL Physical SPP Allen Klassen Westar Operations SPP Eric Ervin Westar Cyber WECC Allan Wick Tri-State Physical WECC Mike Mertz PNM Cyber WECC Lisa Carrington Arizona Public Service Operations APPA Scott Smith Bryan TX Utilities Physical APPA Nathan Mitchell, Vice Chair APPA Policy CEA Francis Bradley CEA Physical CEA Ross Johnson Executive Committee Capital Power Physical CEA David Dunn IESO Policy NRECA Robert Richhart Hoosier Policy NRECA David Revill Executive Committee Georgia Trans Policy 9 RELIABILITY ACCOUNTABILITY

10 Proxies Received and Quorum Thanks to all proxies attending today and serving as a proxy for your primary voting member! Proxies received for this meeting: FRCC Pat Boody representing Paul McClay NPCC Brian Hogue representing David Cadregari MRO Damon Ounsworth representing vacancy left by Joe Mayfield NRECA Richie Field representing Robert Richhart 10 RELIABILITY ACCOUNTABILITY

11 Proxies Received and Quorum Announcement of CIPC Quorum of Voting Members: Based on the voting members in attendance, including the proxies received, we have achieved quorum for conducting CIPC business. 11 RELIABILITY ACCOUNTABILITY

12 CIPC Roster Changes New Voting Members WECC Lisa Carrington Arizona Public Service Nomination was approved by NERC Board of Trustees, November 2015 Vacancies of Voting Members: MRO vacancy is due to Joe Mayfield s departure from WAPA Thank you for your service to CIPC! 12 RELIABILITY ACCOUNTABILITY

13 Chair s Remarks by Chuck Abell

14 NERC CIPC Chair Report Chuck Abell December 15, 2015

15 December 2015 Update Grid Security Conference Philadelphia, PA DHS Classified Briefing CIPC Meeting Highlights Nominating Committee EC Slate GridEx III Report out CIP V5 Update Next NERC CIPC Meeting Louisville, KY March 7-9, 2016 Thank You! 2 RELIABILITY ACCOUNTABILITY

16 Nominating Subcommittee Report Mike Mertz, Chair NERC Critical Infrastructure Protection Committee December 15-16, 2015

17 Subcommittee Assignment As per the CIPC Charter (Section 8-2), the Nominating Subcommittee Chair was appointed at the June 2015 CIPC to form a subcommittee of 5 members to prepare a slate of candidates for election as follows: September 2015 CIPC Meeting: Chair Vice-Chairs (2) December 2015 CIPC Meeting: Physical Security SME Cyber Security SME Operations SME Policy SME 2 RELIABILITY ACCOUNTABILITY

18 Subcommittee Members The Nominating Subcommittee Members are: Mike Mertz, Chair o PNM Resources / WECC / Cyber Paul Crist o Lincoln Electric System / MRO / Physical Larry Bugh o ReliabilityFirst / RFC / Cyber Joe Mayfield o Western Area Power Administration / MRO / Operations John Breckenridge o Kansas City Power & Light / SPP / Physical 3 RELIABILITY ACCOUNTABILITY

19 Subcommittee Meetings The Nominating Subcommittee held multiple conference calls to develop a list of candidates The nominating subcommittee members contacted all candidates to validate interest and availability to fulfill the role Nominating subcommittee finalized the ballot via 4 RELIABILITY ACCOUNTABILITY

20 Election Process The Nominating Subcommittee presents its slate of candidates. The Secretary will open the floor for additional nominations. Upon the close of nominations, elections will be held as follows: The first ballot will be composed of the Nominating Subcommittee s slate of candidates. If the slate is approved with a 2/3 majority, the slate is elected and the election is closed. If the slate fails, subsequent paper ballots will be distributed with the names of all candidates listed in the order in which they were nominated. Each ballot will be tallied and any candidate receiving a 2/3 majority shall be deemed elected 5 RELIABILITY ACCOUNTABILITY

21 CIPC Nominee Slate For the Subject Matter Expert positions, the Subcommittee recommends the following: Physical Security SME David Grubbs, City of Garland Cyber Security SME Joe Garmon, Seminole Electric Cooperative Operations SME John Galloway, ISO New England Policy SME Ross Johnson, Capital Power Corporation 6 RELIABILITY ACCOUNTABILITY

22 7 RELIABILITY ACCOUNTABILITY

23 E-ISAC Update and Physical Security Program Bob Canada, Manager of Physical Security and Analysis December 15, 2015

24 Beyond Mandatory Reporting! Physical Security & Analysis Team Activities & Projects Initiatives Physical Security Advisory Group DBT Workshop Sept 1st-3rd o DBT final research completed. o DoE DBT comparison completed o Final draft by PSAG Enhanced Background Investigation Screening Topics Covered o Nov 6th meeting (FBI, DHS, DoE, NRC, Dominion, Entergy, Kansas City Power & Light, and FP&L in attendance) o ESCC approval to form a smaller group o Next meeting in January

25 Topics Covered Mission to provide industry leadership and expertise to guide and support the E-ISAC Overseen by, and reports to, ESCC Responsible for providing ESCC oversight of E-ISAC Acknowledges management role of NERC s CEO and SVP/CSO Must duly consider the effects of E-ISAC actions on legal, financial, and other risks borne by NERC Activities Develop and institute short and long term strategic visions Define and maintain business strategy for products and services Set goals for operation, capabilities, and controls Provide industry leadership and guidance 3

26 What is the Status of Physical Security for the BES? Over 55,000 substations over 100kv! 4

27 Beyond Mandatory Reporting for Information Sharing 5

28 Preface The E-ISAC is charged with: Capturing, understanding, reporting and disseminating physical security incidents that occur to sector members and the Bulk Power System (BPS) Reports to fellow E-ISAC members, law enforcement, and governmental bodies. Identify, prioritize, and coordinate the protection of critical power services, infrastructure service, and key resources This information, when captured, is only disseminated in a non-attributed format both internally and externally and can be extremely valuable in ongoing situational awareness, detection, and prevention of similar incidents. 6

29 Greater Risk to BES! Isolation of Informed Entities! Lack of Actionable Information! Redundancies of Information Gathering! Wasted Resources and Funding! Delay of Pre-Attack Prevention Opportunities! Potential loss of life and BES Reliability! Impacts of Weak Information Sharing 7

30 8 Sharing Partnerships

31 Benefits of Information Sharing Dynamic sharing among members can mitigate the rise of threats to BES Electricity Sector is at the forefront vulnerability of U.S. economic stability Reporting critical and timely information can help protect the BES Strengthens existing partnership between private and public sector Question? Have you shared information with the E-ISAC? 9

32 10 From the ESISTF Report

33 E-ISAC Projects and Initiatives PS Bulletins June Unmanned Aircraft Systems - Posted July Incident Reporting Guide - Posted Aug Suspicious Activity and Surveillance Detection - Posted Aug Update to June bulletin on Unmanned Aircraft Systems- Posted Sept Suspicious Activity and Surveillance Detection Activity Reporting Posted Oct Tabletop Exercise Template for Industry to use for Law Enforcement training-posted Nov Terrorism Trends Overseas - Posted Design Basis Threat (DBT) Electric Sector Survivability Project for components. Enhanced Background Investigation Screening Collaborate on DoE s DBT under development 11

34 What we are seeing from your reports sources? 12

35 What s getting reported? Shooting Incidents 230kV insulators 115kV gang switch Control building 69/12kV transformer regulator 13

36 What s getting reported? Break Ins Undisclosed facility type. Cut barbed wire, nothing stolen Substation, cut fences, grounds stolen Undisclosed facility type. Cut gate lock, tools stolen from pickup truck. Substation control house. Lock missing, copper stolen. Undisclosed facility type. Remote location, video confirmed there was unauthorized access. 14

37 What s getting reported? Suspicious Activity Photography of a substation Photography of a generating station (2 separate incidents) Photography of an LNG facility Threatening phone call 15

38 16 Unmanned Aircraft Systems - UAS

39 17 Reports to E-ISAC from Mid-Year Report

40 18 Our 1 st Monthly Report!

41 20 Reports from Entities

42 Physical Security Advisory Group (PSAG) 21

43 PSAG Members 1. Ross Johnson, Capital Power 2. Allan Wick, Tri-State G & T 3. John Breckenridge, KCP&L 4. David Godfrey, Garland P&L 5. William Whitney III, Garland P&L 6. Jim McGlone, DoE Liaison 7. Bob Canada, Manager, Physical Security & Analysis E-ISAC 8. Travis Moran, Sr. Security Specialist- E-ISAC 9. Max Spector, Security Specialist, E- ISAC 10.Brian Harrell (Navigant) 10.Dan Jenkins, Dominion 11.Ben Mayo, DHS (ES-Liaison) 12.John Large, FP&L (EEI Security Committee) 13.Mike Hagee (SERC) 14.Michael Lynch, DTE 15.Darren Myers, Duke 16.Jim Spracklen, PNNL 17.Tim Reagan, Ameren 18.Barry Page, C4S2 Global 19.Louie Dabdoub, Entergy 20.Marc Sachs, Sr. VP and CSO, E-ISAC 22

44 PSAG Projects 1. Design Basis Threat (DBT) 2. Enhanced Background Investigation Screening 23

45 PROJECT # 1 Design Basis Threat (DBT) Another Tool for Industry Use! 24

46 25 Project Progress

47 What is a Design Basis Threat? The DBT is used to determine the level of appropriate and cost effective physical protection measures required to protect against malicious acts i.e. theft / sabotage It is based on conservative assumptions that establish the magnitude of adversary force that the site s protective systems should be designed to defeat, expressed in terms of numbers of adversaries and their capabilities 26

48 Answers the question: What are we protecting against? Development of potential adversary scenarios Analysis of physical protection system (PPS) to determine effectiveness Identifying vulnerabilities of the PPS Improving the system and prioritizing upgrades Assessing risk and the cost-benefit tradeoffs 27

49 The DBT uses a graded threat approach (protect pencils like pencils and gold like gold). This takes into account factors such as: Attractiveness & Consequence of loss of the asset. Are there redundancies or ways to work around the loss? Assets are identified and then prioritized into Asset Protection Levels Reach consensus on realistic and credible threats against US power grid (consistent approach) Critical HV transformers Other critical nodes / infrastructure 28

50 NEXT STEPS? 1. Resolve outstanding discussion around the following: a. Insider Threat being in or out of DBT b. DoE Explosive Guidance 2. Review DoE s DBT for comparison purposes to resolve differences 3. Seek opportunities for webinars and workshops 4. Schedule annual review by Physical Security Advisory Group 29

51 Project # 2 Enhanced Background Investigation Screening 30

52 Project Progress 1. Born from Initial Discussions with PSAG Members, FBI and E- ISAC s PSAT. 2. Nov 6th meeting (FBI, DHS, DoE, NRC, Dominion, Entergy, Kansas City Power & Light, and FP&L in attendance). 3. ESCC gave its approval to form a smaller group. 4. Next meeting in January 2016 to come back with recommendations and project planning strategy. 31

53 First Steps /Progress Discussions began months ago with FBI, DoE and DHS about concerns about background screening for critical positions. Reps from DoE, DHS, NRC, FBI Headquarters, FBI WMD Unit, FBI Legal and FBI Legislative Affairs have met on Nov 6th with NERC and PSAG members and very supportive. PSAG members have provided jobs which could be considered critical operationally or by access to critical functions or equipment. ESCC approved to move forward. 32

54 Possible Impact 1. FBI could conduct additional screening measures against additional terrorism databases 2. Incorporate the enhanced screening of new employees 3. Incorporate a refresher background every 3-5 years 4. Incorporating an Insider Threat Mitigation strategy across the industry. 5. Incorporating additional screening across other sectors (i.e. telecommunication, water & finance) 33

55 Challenges Ahead 1. Awareness of and Acceptance of NERC Code of Conduct. 2. Moving past corporate fear of regulatory avoidance strategies with regard to voluntary reporting. 3. Fostering relationships amongst hesitant partners through personal relationships 4. Go beyond the mandatory reporting paradigm 5. Embrace larger threat perspective and how you fit into it 6. Understand that every little piece of intelligence helps! 7. Entrusting partners to share their resources Resource Strengths Knowledge Of Threats Best Information Sharing Practices 34

56 Does your company s Physical and Cyber SMEs have an E-ISAC Membership? If Not, Why Not? Register a user account on the portal today at: General Contact: esisac@nerc.com 24 hour hotline: (404)

57 36

58 Physical Security Reliability Standard Implementation Carl Herron, Principal CIP- Security Advisor (NERC) CIPC December 15-16, 2015 Atlanta, Georgia

59 R2 3 rd Party Verification Requirement R2 mandates that an unaffiliated third-party verify the result of the risk assessment performed under Requirement R1. The third-party for Requirement R2 must be either: A registered Planning Coordinator, Transmission Planner, or Reliability Coordinator; or An entity that has transmission planning or analysis experience. 2 RELIABILITY ACCOUNTABILITY

60 R2 3 rd Party Verifier Characteristics Registered entity with applicable planning and reliability functions. Experience in power system studies and planning. The third-party s understanding of the MOD standards, TPL standards, and facility ratings as they pertain to planning studies. The third-party s familiarity with the Interconnection within which the Transmission Owner (TO) is located. 3 RELIABILITY ACCOUNTABILITY

61 Compliance Expectations TO s must demonstrate the appropriate rigor and analysis when performing R1 and R2. Consider how the following questions can be answered: Why certain stations or substations are identified to meet the criteria in Requirement R1 Similarly, why certain stations or substations were not identified by Requirement R1 What are defining characteristics of stations and substations identified by Requirement R1 How the third party verifying the risk assessment meets the qualifications in Requirement R2 and the means the third party used to ensure effective verification 4 RELIABILITY ACCOUNTABILITY

62 Self-Certification ERO Enterprise-wide self-certification for CIP-014 requirements for identification of critical assets Conducted by each Regional Entity Supports monitoring of effective implementation Tailored and limited: Is the standard applicable? If so, did the registered entity complete the risk assessment/verification requirements? Did the risk assessment result in critical assets? If so, how many? Was notice to a Transmission Operator (TOP) required for a primary control center? 5 RELIABILITY ACCOUNTABILITY

63 Timing and Approach Self-certification timing November 2015: Communicated in CMEP Implementation Plan March 15, 2016: Notice to all TOs, including request for answers to the limited questions May 1, 2016: Information due from all TOs FERC Audits in 2016In coordination with the ERO Enterprise Minimize duplication of efforts 6 RELIABILITY ACCOUNTABILITY

64 Timing and Approach: Security Plans Informal registered entity site visits to share progress Already underway: NERC and Regional Entity coordination Focused on security plan effectiveness 7 RELIABILITY ACCOUNTABILITY

65 8 RELIABILITY ACCOUNTABILITY

66 CIP Standards and Compliance Update: 2016 Plan Tobias Whitney, Manager of CIP Compliance, NERC December 2015

67 Key Dates Enforcement date (High and Medium Impact): April 1, 2016 Risk-based compliance monitoring plan for 2016 for High and Medium Impact requirements Concerted outreach on Low Impact requirements for 2017 and RELIABILITY ACCOUNTABILITY

68 2016 Compliance Monitoring Approach Confirm effective CIP-002 identifications based on impact rating criteria (high and medium focus) Focused Audits in 2016 ROP required 3 year audits for RC, BA, and TOPs Coordination with FERC on certain audits Risk-based approach to timing, scope 3 RELIABILITY ACCOUNTABILITY

69 Highlights Risk-Based approach to timing and scope Scheduled for 2016 FERC coordination CIP-002 Identifications: the foundation 4 RELIABILITY ACCOUNTABILITY

70 Goals of 2016 approach Understand program effectiveness and support transition Registered entity approaches Program and general controls discussions Limited sampling or testing for effectiveness based on risk Identify successes and challenges Focus on Risk Identification 5 RELIABILITY ACCOUNTABILITY

71 All Registered Entities Subject to CIP Standards ERO Enterprise CIP-002 Self Cert Timing o November 2015: NERC will include approach in CMEP IP Document o February 1, 2016: Notice to all applicable entities including the table that required to be filled out by each Registered Entity o May 1, 2016: Information due from all entities Purpose o Understand identification of each registered entity s high, medium and low impact facilities Based on CIP-002 Attachment A (Impact Rating Criteria) o Shape and inform future areas of focus 6 RELIABILITY ACCOUNTABILITY

72 2016 ERO Monitoring Scheduled audits and risk-based, spot-checks in 2016 Tailored scope based on risk (identified in 2016 CMEP Implementation Plan (IP)) CIP-002 R1 and R2 CIP-005 R1 and R2 CIP-006 R1, R2 and R3 CIP-007 R1, R2, R3 and R5 Scope may be modified based on the entity s IRA 7 RELIABILITY ACCOUNTABILITY

73 Risk Elements 2016 CIP Risk Elements System Downtime Unauthorized Access Corruption of Operational Data Similar to the InfoSec Risk Triad Confidentiality Integrity Availability Unauthorized Access System Downtime CIP V5 Corruption of Operational Data 8 RELIABILITY ACCOUNTABILITY

74 Transition to 2017 Compliance Monitoring Approach Risk-based and considers the type of entity (Type 1, 2 or 3) 2016 activities support identification of entity-specific risk Type 1 New High and Medium Control Centers Substations Generation Type 2 Limited V3-V5 Scope Change Primarily Control Centers Type 3 Large Entity with High, Med, Low Control Centers Substations Generation Type 4 Small Entity w/low Small Substation & Gen Mix No V3 compliance history Significant V3 History Significant V3 History No V3 Compliance History <40 Entities <50 Entities <50 Entities >1000 Entities 9 RELIABILITY ACCOUNTABILITY

75 Low Impact Requirements Effective in 2017 and 2018 Outreach informed by 2015 transition program and 2016 compliance monitoring activities, focused on Type 4 registered entities and risk Small Group Advisory Sessions Workshops, webinars, and other education 10 RELIABILITY ACCOUNTABILITY

76 2016 Key Activities January - Supply Chain Technical Conference (Possible) FERC Order and New Directives Industry initiated standards development January Webinar Project Plan o TO Control Center o BES Cyber Assets/Programmable Devices o Virtualization o External Routable Connectivity o Other considerations Interpretations FERC Audits NERC oversight 11 RELIABILITY ACCOUNTABILITY

77 Resources Transition Program Page Implementation-Study.aspx CIP Curriculum %20of% )_AD.pdf 12 RELIABILITY ACCOUNTABILITY

78 13 RELIABILITY ACCOUNTABILITY

79 CIP v5 Transition Project Survey Dr. Joseph B. Baugh PMP, CISA, CISSP, CISM, CRISC Senior Compliance Auditor, Cyber Security CIPC Meetings, Atlanta GA December 15, 2015 W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

80 2 Speaker Introduction Electrical Utility Experience (42 years) Senior Compliance Auditor, Cyber Security IT Manager & Power Trading/Scheduling Manager IT Program Manager & Project Manager PMP, CISSP, CISA, CRISC, CISM, NSA-IAM/IEM certs NERC Certified System Operator Barehand Qualified Transmission Lineman Educational Experience Degrees earned: Ph.D., MBA, BS-Computer Science Academic & Technical Course Teaching Experience (20 years) PMP, CISA, CISSP, CISM, ITIL, & Cisco exam preparation Business Strategy, Leadership, and Management Information Technology and IT Security Project Management W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

81 3 Agenda Discuss Survey Review Quantitative Data (specific questions) Demographic Questions Time on Task Review Qualitative Data (open-ended questions) Top Three Challenges Top Three Organizational Culture Issues Anything Else to Add? (wrap-up question) Address Questions W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

82 4 Why Do A Survey? Several common issues were observed by CIP Team during WECC CIP v5 Outreach and Audits Registered Entities CIP v5 compliance concerns Increasing flow of entity CIP v5 questions Desire to gain a better understanding of CIP v5 issues in the WECC region What do the entities need/think/expect/fear during the CIP v5 Transition period? How can WECC CIP Team tailor effective outreach? Share results with WECC, NERC, and other regions. W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

83 5 Survey Design Examined CIP v5 issues in three key segments: Registered Entities ERO members Consultants Skip logic examined perspectives on: Challenges Cultural Issues Time on Task W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

84 6 Survey Data Collection Used SurveyMonkey to develop and deliver the survey online Sent initial survey request to June 2015 CIPUG Attendee list Developed additional snowball sampling by requesting recipients forward common link to other interested parties Collected data anonymously via common URL ed directly to initial sampling and as forwarded to others W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

85 7 Establishing the Survey s Validity Ran pilot study to test the data collection instrument (July 30 August 3, 2015) Small groups from each of the three categories Generated minor changes in some questions Validated skip logic flow Deleted all pilot study test data prior to survey Go-Live ed initial live survey link to targeted sampling of Compliance personnel in WECC region (August 4, 2015) 345 Registered Entities in WECC (NERC, 2015 August 14) Initial distribution list from July CIPUG (367 individuals) ed two reminders (August 10 & 13, 2015) Requested snowball sampling in the three s Closed the survey as scheduled (August 14, 2015) W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

86 8 Establishing the Survey s Validity Survey targeted response rate goals to achieve a ± 5 Confidence Interval [CI] at the 95% Confidence Level [CL] for Quantitative responses Needed 188 responses from initial distribution list (367) to achieve the desired CI value at a 95% CL Obtained 204 responses and achieved CI and CL goals Source: Creative Research Systems W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

87 9 Establishing the Survey s Validity Two reminders boosted response rates Obtained 204 responses (55.6% response rate) by close of survey Achieved 95% CL goal, Exceeded CI goal (CI of ± 4.58 %) Survey Development Pilot Study (test results deleted) Live Survey Data Collection Quantitative and Qualitative Data Analysis Present Data W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

88 10 Data Analysis Processes Quantitative data Demographic data, and Data relative to time and personnel on task Charts derived from SurveyMonkey data sets Calculations in Excel for MAC 2011 (v14.5.3) Qualitative data Challenges and organizational culture issues Analyzed with HyperRESEARCH Qualitative Data Analysis Software [QDAS] package (v3.0.3) Examined for emerging themes and patterns Conclusions drawn from aggregated data across all three survey categories W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

89 11 Demographic Questions Applied to entire sampling Set the context for segmented skip logic and subsequent data analyses How long have you worked in the Electric Industry? Which Electric Industry segment do you currently support? How long have you worked in your current segment? How many employees does your organization employ? What is your primary role in the Electric Industry relative to CIP compliance? W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

90 12 Industry Tenure Fairly even distribution of electrical industry experience. Smallest segment: years (10.8%) Largest segments: 0-5 years (25%) 20+ years (27%) W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

91 13 Industry Segment Expected overload on Compliance segment (43.6%) Good distribution across remaining segments Ten Other responses addressed entityspecific roles W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

92 14 Segment Tenure Many compliance personnel move into area near end of career, thus 0-5 years tenure is not surprising Good distribution across remaining segments W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

93 Organization Size Overload on large entities (54.4%) reflective of larger CIP v5 effort Good distribution across remaining segments 15 W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

94 16 Primary Role Expected large percentage of Registered Entities (78.9%) First instance of skip logic provides three paths through survey to target specific role responses W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

95 ERO Time on Task CIP Auditors and Enforcement personnel CIP v5 Transition outreach includes preparing for and presenting formal outreach sessions and responses to entity questions Represents a major component of weekly WECC CIP team workflow W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L 17

96 Work on CIP v5 Transition Project? Applied separately to Registered Entity & Consultant categories Second instances of skip logic (1 per category) Yes response continued down category branch; No response ended survey No (7.5%) 3 No (11.5%) 148 Yes (92.5%) 23 Yes (88.5%) Registered Entities (160) Consultants (26) W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

97 19 Work with Consultant? Applied to Registered Entity category only Third instance of skip logic Yes response applies consultant level of involvement question No response skips consultant level question Data indicates numerous WECC entities are using consultants on the CIP v5 Transition Are you currently working with or have previously worked with a Consultant, Contractor, or Vendor on your CIP v5 Transition Project? 61 No (41%) 87 Yes (59%) W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

98 Consultant Involvement Applied to Registered Entity category only Estimates consultant level of involvement in Registered Entity CIP v5 Transition Project Data indicates consultants are generally supporting CIP v5 Transition Projects, but not leading them W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L 20

99 21 Consultant Involvement 15 Consultants responded to this question Consultants working on 287 Entity projects across all regions Average of 19 clients with CIP v5 projects per consultant Qualitative Data indicates consultant resources and/or availability may be limited W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

100 22 Registered Entity FTEs on Task 111 RE participants responded to this question Total of 1400 RE FTEs working on CIP v5 projects Average of 13 FTE on each CIP v5 project W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

101 23 Time on Task All Project Members Optional question at end of survey Applied to all three categories 140 Participants Represents a major component of weekly project team workflow W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

102 24 Qualitative Data Analysis Open-ended questions posed to each category Similar questions that probe into the Registered Entity experience from three different perspectives ERO Members: Describe the top three challenges or obstacles to the transition that you have observed at entities during CIP v5 outreach and transition audit activities. Describe up to three organizational cultural issues related you have observed during your interactions with Registered Entities in your ERO group. Generated 93 coded segments W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

103 25 Qualitative Data Analysis Registered Entities: Describe the top three challenges or obstacles to the transition that you have observed during your CIP v5 transition activities. Describe up to three organizational cultural issues you have observed during your CIP v5 Transition project. What external and/or internal CIP v5 resources are available or what resources should be made available to you during the CIP v5 transition project? Generated 949 coded segments W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

104 26 Qualitative Data Analysis Consultants: Describe the top three challenges or obstacles to the transition that you have observed at your client(s) during your CIP v5 transition activities. Describe up to three organizational cultural issues you have observed during your client(s) CIP v5 Transition project. Generated 119 coded segments Final Optional Wrap-up Question asked of all Participants: Is there anything else you would like to add to help us better understand issues related to the CIP v5 transition? Response segments coded concurrently with other questions W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

105 Identifying Key Themes 27 Coded open-ended responses 1161 coded segments Identified top challenges and cultural issues Grouped coded segments into major themes W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

106 28 Top Three Challenge Themes Confusion (302) Unclear ERO Guidance, Uncertainty, and Technical Issues The Triple Constraints (192) Resource, Time, and Cost Management Organizational Issues (117) Business Silos and Low Management Support W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

107 29 Confusion: Unclear ERO Expectations Unclear Expectations Inconsistent information concerning Standards. A lack of industry-wide consensus or consistency about key terms. Not enough direction on how or what the bar really is to meet compliance. Lack of clarity in the CIP V5 Standards creating an atmosphere of paralysis on what to do. It appears the requirements are not fully developed or changing and it's hard to hit a moving target. W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

108 30 Triple Constraints: Scope & Resources Handling the transition as a managed project, preferably as an IT project following PMI standards. Determining front burner vs. back burner issues Managing expectations Getting to a common understanding of project needs with CIP SMEs and common prioritization of deliverables. Changing/increasing scope creates change management issues Required External Resources Project team has limited knowledge of detailed operations and equipment Setting up CIP v5 project leadership, structure, and organization, outside of the regular operational work group organizations. Our organization has brought in additional external resources W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

109 31 Triple Constraints: Time Resource time constraints; Not enough time! Approximately 900 documents requiring revision Lack of staff hours to complete all the documentation required Time was difficult to accurately project. Employee time to complete required changes while performing other job duties; No increase in FTEs. Time constraints; NERC-imposed (4/1/16) and self-imposed (too late on beginning implementation process). Between day-to-day operations, multiple projects and CIP v5 readiness preparation, we get pulled in too many directions; Not enough time to focus and dedicate as much time to our CIP V5 transition Project. W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

110 32 Triple Constraints: Cost Budget Constraints Human and capital costs of implementation Funding for new hardware and systems The process for maintaining compliance evidence adds significant overhead Keeping costs in check; getting enough money The extreme high cost of compliance associated with a Medium Impact designation coupled with last minute ill devised compliance clarifications necessitates compliance program development delay. Medium Impact compliance cost is debilitating for this small entity. W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

111 33 Organizational Issues: Business Silos There are some entrenched fiefdoms and business unit leaders are not willing to give up operational "turf" to Compliance Silos are hindering entities in progress to CIP v5 Silos within organizations often create barriers With the increase of facilities in scope, more business units need to work together and not work in silos Entities duplicating efforts (but not necessarily results) by dividing the same CIP V5 requirements among different (and disassociated) business groups W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

112 Organizational Issues: Poor Management Support CEO/Executive [poor] understanding of CIP requirements Reluctance to transition to v5 early. Legal department feels it could be unfavorable Management resistance to necessary investments Internal management misunderstanding of the v3 to v5 transition requirements Convincing management money should be spent on upgrading physical security and network security No physical security department and having to get the C-level to agree to create one Changing direction makes harder to garner the support of our senior management when we have to tell them a different story each time we stand in front of them. 34 W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

113 35 Top Three Cultural Themes Change (157) Cultural Changes, Resistance to Change, Poor Buy-in, and Change Management Business Silos also appeared as a cultural change issue, but were aggregated under the Organizational Issues theme Education (80) Training, Learning Curves, and Collaboration Emotional Factors (23) Fear, Anxiety, Frustration, and Internal Conflict W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

114 36 Cultural Issues: Change Culture shock with compliance requirements Moving from nothing to version 5 Substation personnel now dealing with CIP for first time, as substations come into scope [Medium and Low-impact] Newness of CIP and buy-in with many work groups Bringing operations into scope and the massive culture shift Up to 2014, there was no cyber security policy in place in our site Standardizing processes across a large geographical area Appreciating that V3 to V5 may require thorough house cleaning Obsession in using existing V3 evidence, perhaps with minor changes W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

115 37 Cultural Issues: Resistance to Change Desire to maintain status quo Not done that way before, why do I have to change now That's not the way we do it; that's not a good way to do it; or "Not invented here! Egos are always an issue - especially some with more than 10 years of experiences. Keeping things the same rather than look at changes that could provide future benefits or simplify compliance Lack of understanding of why new areas now have to comply with CIP Poor buy-in with field personnel new to CIP W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

116 38 Cultural Issues: Education Learning Curves Having previously been a "Null" list entity, steep learning curve to figure out which devices may be cyber assets in Low-impact BES Assets. We did not have Critical Assets under version 3, so many of our IT staff were not involved in compliance activities, it s a major learning curve Lack of IT training for currently staffed field technicians Inspiring SME's to really dig into the changes early Educating all personnel on more stringent CIPv5 requirements Training 1000's to meet new reporting requirements W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

117 39 Cultural Issues: Emotional Factors Frustration If you are registered as a TOP but don t impact the reliable operation of the BES, where is the impact? Getting everyone on the same page No one wants to know more than what they need for their job they are all in information overload. Fear & Trust Issues Lack of trust that transition period will be viewed upon by ERO as a period where we may not have met either version due to the changing state. Maintaining compliance during the transition This is obviously due to a lack of trust, although I think WECC has done a good job trying to address that W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

118 40 Summary The survey was received with interest, response rates were excellent, results may be generalized (± 16) across the WECC population of 345 Registered Entities Participants were generally appreciative of WECC CIP v5 outreach and accessibility for entity questions Time and resources are huge concerns for all entities, as the clock is ticking inexorably down to April 1, 2016 W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

119 41 Conclusions from RE Perspective The CIP v5 transition has been a large undertaking The CIPv5 transition represents a massive organizational change initiative effort for all entities, both technically and culturally Frustration and exasperation exist due to enormity of required changes, lack of resources, and associated costs It is a very difficult task for smaller entities Be merciful, I am doing the best I can to be fully compliant... W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

120 42 References Creative Research Systems. (n.d.). The Survey System: Sample Size Calculator. Retrieved from NERC. (2015 Aug 14). NERC_Compliance_Registry_Matrix_Excel xls. Retrieved from n-and-certification.aspx W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

121 43 Speaker Contact Information Joseph B. Baugh, Ph.D. PMP, CISA, CISSP, CRISC, CISM Senior Compliance Auditor - Cyber Security Western Electricity Coordinating Council (WECC) jbaugh (at) wecc (dot) biz (C) (O) W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

122 NATF Security Practices Group Activity Update Jim Rowan, NATF Program Program Manager - Security NERC CIPC Meeting December 15-16, 2015

123 How you feel after one more change to what you have been working on!!

124 Discussion Topics Brief NATF Overview Resiliency Project Security Practices Group Projects EO Awareness Projects Other Activities 3

125 NATF Membership Membership open to companies that own/operate 50 circuit miles 100 kv transmission or, operate 24/7 control center Organization types (75 Members) Investor-owned State/Municipal Cooperative Federal/Provincial ISO/RTO Expertise 3600 subject-matter experts Coverage (North America Wide) 85% Peak Demand 75% 100kV and higher circuits 4

126 NATF SPG Monthly Calls Security Practices Group Held on 4 th Thursday of every month from 3:00 5:00 PM EST Changes by exception Topic Areas Peer Reviews/Assist Visit Report Out Project(s) Update Operational Exchange Lessons Learned Survey Discussions Hot Topics Principles of Excellence of the Month Open Mic 5

127 NATF SPG Monthly Calls Physical Working Group Held on 3rd Tuesday of every month from 11:00 12:00 AM EST Changes by exception Topic Areas Project(s) Update Operational Exchange Lessons Learned Hot Topics Open Mic 6

128 Discussion Topics Brief NATF Overview Resiliency Project Security Practices Group Projects EO Awareness Projects Other Activities 7

129 Resiliency Project Series of White Papers Joint effort with EPRI Background focus of efforts that began in 2015 Resiliency Summit at EPRI Charlotte March 1-2

130 Discussion Topics Brief NATF Overview Physical Security Work Group Project: CIP R4 and R5 Practice Guides Resiliency Project Security Practices Group Projects EO Awareness Projects Other Activities 9

131 Projects for 2015 Practices for Cyber Asset Categorization Practices for Protecting Unused Physical Ports Against Use Device Security Capability Management Practices for Security Metrics Central Security Control Center & Job Description Practices Document (CONOPS)

132 Projects for 2016 (So far) Practices for Cyber Asset Categorization Practices for Security Metrics Implementation Security Assist Visits Cyber and Physical Security Exercise implementation as requested V5 Sustainability Issues Central Security Control Center & Job Description Practices Document (CONOPS)

133 Discussion Topics Brief NATF Overview Physical Security Work Group Project: CIP R4 and R5 Practice Guides Resiliency Project Security Practices Group Projects EO Awareness Projects Other Activities 12

134 EO Awareness Projects EO Awareness Articles Over 400 articles in library Distribution list approaching 200 Cyber and Physical security articles from throughout the world Distributed on Monday afternoons FLASH reports issued for immediate concerns Members only - Must opt-in by to jrowan@natf.net Other activities as requested ASIS DefCon

135 Discussion Topics Brief NATF Overview Physical Security Work Group Project: CIP R4 and R5 Practice Guides Resiliency Project Security Practices Group Projects EO Awareness Projects Other Activities 14

136 Other Activities For NATF Members Only Peer reviews now include physical security element Assist visit modules for cyber and physical security Internal Control Design and Effectiveness Testing Practice document

137 Other Activities For NATF Members Only Development of risk and controls Illustrative examples for security applications Workshops May Joint Compliance and Security Workshop Nov 1-2 Security Workshop

138 Questions?

139 Legislative Update Critical Infrastructure Protection Committee December 15, 2015 Nathan Mitchell, American Public Power Association

140 Energy Legislation - Highway Bill Grid security provisions added to House highway bill (H.R. 22) -- included in final bill. Passed by House (359 to 65), then Senate (83-16) on Dec. 3. President Obama signed into law on Dec. 4, Resolves conflicts between environmental and grid reliability requirements Gives Secretary of Energy broader authority to address grid security emergencies Requires DOE to draft plan for creation of strategic transformer reserve. 2 RELIABILITY ACCOUNTABILITY

141 Grid Security - CISA House H.R. 1560, the Protecting Cyber Networks Act o Approved by Permanent Select Committee on Intelligence, then passed by House on April 22, H.R. 1731, the National Cybersecurity Advancement Act of 2015 o Approved by Committee on Homeland Security, then passed by House on April 23, Senate S. 754, the Cybersecurity Information Sharing Act of 2015 o Approved by Senate Intelligence Committee, then passed by Senate on Oct. 28, House-Senate Negotiations Both include liability protection. Congressional leaders predict long road ahead for talks. 3 RELIABILITY ACCOUNTABILITY

142 4 RELIABILITY ACCOUNTABILITY

143 Electricity Sector Coordinating Council (ESCC) Critical Infrastructure Protection Committee December 15, 2015 Nathan Mitchell, American Public Power Association

144 ESCC Electricity Subsector Coordinating Council (ESCC) Information Sharing E-ISAC Member Executive Committee CRISP Government Industry Coordination Grid Ex III ESCC Table Top Exercise ESCC Playbook Version 5.0 Transformer Reserve Leveraging R&D/Tools & Technologies 2 RELIABILITY ACCOUNTABILITY

145 ESCC Cross-Sector Coordination Water Sector Downstream Natural Gas Telecommunications Financial Services Transportation Senior Executive Working Group ESCC Summary of Conclusions 3 RELIABILITY ACCOUNTABILITY

146 SEWG Summary of Conclusions Enhanced Background Investigation Screening for Critical Employees (EBISCE) Working Group Owners: DOE, DHS, FBI, ESCC, and the E-ISAC. EMP Partnership Owners: DOE, DHS, ESCC, EPRI DHS Cybersecurity Insurance Initiative: Owner: DHS Supply Chain Working Group: Owners: DOE, DHS, ESCC, and other relevant sectors 4 RELIABILITY ACCOUNTABILITY

147 SEWG Summary of Conclusions Exercises (2016 DOE Clear Path and Cascadia Rising) Owner: DOE Messaging Opportunities: Owner: ESCC, DOE, DHS Grid Cybersecurity Innovation Investment Initiative: Owner: DOE with input from DHS Cybersecurity Risk Information Sharing Program (CRISP) Next Steps Owner: E-ISAC and ESCC, with support from DOE and National Labs 5 RELIABILITY ACCOUNTABILITY

148 SEWG Summary of Conclusions Developing Cyber Mutual Assistance Concept Owner: ESCC with support from trade associations and E-ISAC Measuring ESCC Progress Owner: ESCC 6 RELIABILITY ACCOUNTABILITY

149 7 RELIABILITY ACCOUNTABILITY

150 GridEx III CIPC Update Atlanta, GA December, 2015

151 Since Your Last Brief Weekly Core Planning Team Calls Bi-Weekly GEWG Calls Provided inject planning master worksheet for entities Finalized a downloadable package of injects Provided a package of templates for each inject Series of inject tests and communications tests RC to RC coordination and planning calls RC to Entity coordination and planning calls Exercise portal training videos available for planners and players Continued work with National Labs on injects and exercise tools 2 RELIABILITY ACCOUNTABILITY

152 And we ran an exercise Organizations 4,000 + Players 3 RELIABILITY ACCOUNTABILITY

153 Jax Atlanta DC Timeline 2015 Conference Dates December January 23 March June Sept 3 Nov Q GridEx Working Group GEWG Reform Initial Planning Phase Mid-term Planning Phase Final Planning Phase GridEx III After Action Establish Working Group Members Establish Mail list GridEx Awareness Confirm objectives Establish boundaries Confirm tools Confirm exercise infrastructure Finalize attack vectors and impacts Work on scenario narrative Finalize baseline MSEL Develop Controller and Player materials Draft After Action Survey Finalize custom injects with RCs Distribute materials Conduct training Set up venue and logistics Send injects and oversee player actions Capture player actions and findings Facilitate Executive Tabletop Distribute survey Analyze findings and lessons learned Draft Final Report Reliability Coordinator Planning Activities 4 RCs identify Active Organizations in their control area RCs establish and participate in RCto-RC and RC-to- Entity coordination calls RCs and entities understand and develop customized injects RELIABILITY ACCOUNTABILITY

154 Before Your Next Brief Collect and Review summary results Collect and Review Lessons Learned Contribute to and Review initial Draft After Action Publish After Action Report Previous After Action Reports Close out the GEWG for GridEx III 5 RELIABILITY ACCOUNTABILITY

155 General Thoughts on GridExIII The industry is growing in capability and maturity Likewise the planning and execution of GridEx needed to grow in capability and maturity. From a Planning perspective - The GEWG was critical in enabling early development and completion of the scenario narrative, the MSEL, Inject artifacts, and templates for distribution of the injects. From an exercise execution perspective - exercise specific tools (E-ISAC, Simulation Deck, Social media components, news reports, training elements, etc..) provided a rich exercise environment for organizations to utilize. 6 RELIABILITY ACCOUNTABILITY

156 Call to Action! & Next Steps Participants need to perform two tasks: Fill out the survey send Bill Lawrence an Complete the Lessons Learned documents Same Bill Lawrence At the next CIPC we will cover key Lessons Learned items within the After Action Report In prep for GridEx IV we will typically have a call for volunteers in the Q3 CIPC meeting By the Q CIPC meeting we will have an initial GEWG IV established and ready for the IPC 7 RELIABILITY ACCOUNTABILITY

157 8 RELIABILITY ACCOUNTABILITY

158 Physical Security Working Group Ross Johnson, CPP Capital Power

159 Progress Contributed to the PSAG's Design Basis Threat DBT will be complete this week Q we will host monthly PSRG teleconferences explaining the DBT, and how to use it in a threat vulnerability assessment

160 Progress We have begun discussions within the PSRG on the development of a security management program template for the electricity sector We waited until November to see a DHS-approved document for something similar for the Dams CI sector I intend to push ahead in Q and ask for writing assistance

161 Progress I will be facilitating a webinar for ASIS International in April on the protection of the North American interconnected grid Will include Brian Harrell, Bob Canada, Darren Nielsen, and Louie Dabdoub Started with Brian and Bob's successful ASIS International seminar on the subject at Anaheim in the end of September it was rated as one of the top ten of the week by the attendees

162 Questions?

163 Threat & Incident Reporting Guideline (TF) Update - December 2015 John Breckenridge, CPP

164 How we fit in! CIP Committee Structure CIPC Executive Committee Physical Security Subcommittee David Grubbs Cyber Security Subcommittee Mark Child Operating Security Subcommittee Carl Eng Policy Subcommittee Nathan Mitchell Protecting Sensitive Information TF Control System Security WG Information Sharing TF BES Security Metrics WG Physical Security Guideline TF Cyber Attack Tree TF HILF Implementation TF Personnel Security Clearance TF Physical Security Ev Analysis WG Joint w/ OC & PC Cyber Security Analysis WG Joint w/ OC & PC Grid Exercise WG Compliance & Enforcement WG Physical Security Training WG Cyber Security Training WG 2 RELIABILITY ACCOUNTABILITY

165 Activity Highlights Changes made reference to E-ISAC Threat & Incident Reporting Guideline TF Input from Orlando Stephenson (some quick fixes to update links) Sam Chanoski participating w/ comments Team/Task Force starting to be formed Need to get a new Charter o Review and Revise Conference Calls/ s to team Plan to have finished product (TBD) Ensure no conflicts w/other reporting requirements OE-417, RCIS, etc. Any comments or willingness to participate Contact Randy Duncan/ Randy.Duncan@kcpl.com 3 RELIABILITY ACCOUNTABILITY

166 4 RELIABILITY ACCOUNTABILITY

167 BES Security Metrics WG CIPC Progress Report Nathan Mitchell, Interim-Chair December 15, 2015

168 Security Metrics Development Roadmap 2015 and Beyond We are here 2 RELIABILITY ACCOUNTABILITY

169 BESSMWG Activities June 2015 CIPC Update NERC State of Reliability Report including new Security Metrics chapter approved by NERC Board of Trustees on May 14, 2015 Drafted strawman Security Metrics Development Roadmap to plan future BESSMWG activities June 9, 2015, BESSMWG met to review Roadmap and define future direction Activities Since June 2015 Conducted 2 conference calls to accept the Roadmap and to review/assess the relative value of over 150 metrics from the universe of security metrics Met F2F Sept 15, 2015, to further define the proposed next set of security metrics and potentially enhance the existing metrics 3 RELIABILITY ACCOUNTABILITY

170 Results of BESSMWG Assessment BESSMWG Assessment Number of Metrics Suitable for near-term development (during 2015) 0 Suitable for mid-term development (by end-2016) 4 Suitable for long-term development (2017 and later) 27 Unsuitable 26 Unsuitable as the data is already available through NERC s compliance monitoring and enforcement program 97 Total considered RELIABILITY ACCOUNTABILITY

171 Potential Enhancements to Existing Metrics Metric Reportable Cyber Security Incidents Reportable Physical Security Incidents ES-ISAC Membership Industry-Sourced Information Sharing Global Cyber Vulnerabilities Potential Enhancement Further breakdown of the reported data as a sub-metric Further breakdown of the reported data as a sub-metric Develop a more meaningful sub-metric based on demographic data Develop a measure of the value of information shared as a sub-metric Replace with a sector-based future threat trending metric 5 RELIABILITY ACCOUNTABILITY

172 Timeline Establish Roadmap direction and timeline (completed) Present Roadmap to CIPC (completed) Consider and prioritize proposed new metrics from the universe of security metrics (completed) Draft definitions for development during 2016 (Pending committee meeting) Enhance the approved metrics (February 2016) Finalize detailed definitions for new metrics, including data sources (February 2016) Consider pilot program to field test new metrics If necessary, prepare NERC data request to collect data for new metrics Obtain approval and roll-out new/updated metrics and security chapter for 2016 State of Reliability Report (March 2016) 6 RELIABILITY ACCOUNTABILITY

173 Request from CIPC Need members to participate and keep the momentum Need a volunteer to take on a leadership role and Chair the Committee Next Face to Face meeting Wednesday December 16 from 1:00-4:30pm at NERC s offices February meeting possibly after the NERC BOT meeting in Sarasota Florida. 7 RELIABILITY ACCOUNTABILITY

174 8 RELIABILITY ACCOUNTABILITY

175 NERC CIPC Compliance and Enforcement Input Working Group NERC CIPC Update December 15-16th, 2015 Paul Crist

176 NERC CIPC Compliance and Enforcement Input Working Group Update CEIWG Conference Calls - November 12 th, 2015

177 NERC CIPC Compliance and Enforcement Input Working Group Update Agenda Items: Lessons Learned Updates Communications to BES Cyber Systems and BES Cyber Assets Approved by Standards Committee and Posted on NERC website Transmission Owner Control Centers Comment period closed on 11/6/15 Reviewing Comments Vendor Access Management Approved by Standards Committee and Posted on NERC website

178 NERC CIPC Compliance and Enforcement Input Working Group Update Meetings Next Conference Call January 14 th, 2016 at 1:00 CST 2 nd Thursday of the Month at 1:00 CST (Let me know if you need the call-in information) Questions?

179 Physical Security Standard WG Progress Report Allan Wick, Chair Toni Linenberger, Vice-Chair Brian Harrell, Vice Chair December 16, 2015

180 Team Members Chair Vice-Chair EC Sponsor NERC Staff Team Members Allan Wick Toni Linenberger Brian Harrell Nathan Mitchell Laura Brown Kurt Aikman Bruce W. Barnes Tim Basch Richard Bouchey John Breckenridge Bob Canada Mark L. Comer Steen J. Fjalstad Mike Hagee Ross Johnson Mike Ketchens Craig P. Lawrence Chris McColm Leslie (Les) Morton Barry Page Bobby Parker Peter Scalici Matt Stryker Douglas G. Williams 2 RELIABILITY ACCOUNTABILITY

181 Progress Past quarter CIP-014 implementation survey Mike Hagee team lead o Posted October 20, 2015 o Cancelled November 4, 2015 Response to industry feedback Survey responses destroyed without consideration Next quarter TBD 3 RELIABILITY ACCOUNTABILITY

182 4 RELIABILITY ACCOUNTABILITY

183 DOE Report at NERC CIPC Classified brief feedback: Sector Specific Plan very close to being online Transformer Reserve Development of the plan EMP INL study available early 2016 Space Weather Establish benchmarks Clear Path / Cascadia Rising virtual meeting today at 1pm Dial Conference Number: DOE/OE International Efforts on GMD September 2013

184 Sector Outreach and Programs Division (SOPD) Resource Guide National Protection and Programs Directorate Office of Infrastructure Protection October 2015

185 This page intentionally left blank SOPD RESOURCE GUIDE OCTOBER 2015 ii

186 TABLE OF CONTENTS Introduction... 1 Cross-Sector Resources... 1 Planning and Security... 1 Training... 2 Foundational Courses... 3 Security Awareness Series... 4 Exercise Programming... 6 Information Sharing... 7 Policy... 9 Higher Education Chemical Sector Resources Commercial Facilities Sector Resources Critical Manufacturing Sector Resources Dams Sector Resources Emergency Services Sector Resources Nuclear Sector Resources SOPD RESOURCE GUIDE OCTOBER 2015 iii

187 This page intentionally left blank SOPD RESOURCE GUIDE OCTOBER 2015 iv

188 Introduction The Office of Infrastructure Protection, Sector Outreach and Programs Division (SOPD) is committed to improving the security and resilience of our Nation s critical infrastructure by strengthening our relationship with public and private sector stakeholders; and providing cross-sector and sector-specific tools, training, and materials. This guide is a comprehensive catalog of SOPD resources, many of which were created in collaboration with our partners to ensure they are useful and reflective of the evolving security landscape. More information about the division can be found at Cross-Sector Resources Planning and Security Active Shooter Preparedness Resources Preparedness resources include a desk reference guide; a poster; and a pocket-size reference card to address how employees, managers, training staff, and human resources personnel can mitigate the risk of and appropriately react in the event of an active shooter situation. Access to all these resources can be found on the Active Shooter Preparedness Webpage ( Materials are also available in Spanish. For more information, please contact ASworkshop@hq.dhs.gov. Business Continuity Planning Suite User-friendly and scalable for optimal organizational use, the Suite is designed to reduce the potential impact of a disruption to business. The Suite includes business continuity planning training, business continuity and disaster recovery plan generators, and a business continuity plan validation. The planning suite can be downloaded at DHS YouTube Critical Infrastructure Videos A number of short video Webisodes are available on the DHS YouTube Channel. Related Webisode titles include Joint Operations Centers, Critical Infrastructure Interdependencies, Special Event Preparedness, Critical Infrastructure Protection, and Reducing Vulnerabilities. Watch the critical infrastructure videos in the Counterterrorism playlist on the DHS YouTube Channel ( Suspicious Activity Reporting for Critical Infrastructure Tool This tool is a standardized means by which critical infrastructure stakeholders can report suspicious or unusual activities to the government via sector portals on the Homeland Security Information Network Critical Infrastructure (HSIN-CI). Reports submitted via the tool are reviewed by the National Infrastructure Coordinating Center (NICC), shared with appropriate government recipients, redacted, and then posted to HSIN-CI. To request access to HSIN-CI, please contact HSINCI@hq.dhs.gov. SOPD RESOURCE GUIDE OCTOBER

189 Vehicle Inspection Guide and Video The DHS Vehicle Inspection Guide and Video serves as a reference for public and private sector partners on how to mitigate risk from vehicle-borne improvised explosive devices (VBIED) and how to strengthen security of critical infrastructure by providing a step-by-step explanation of how to conduct a thorough vehicle inspection systematically, efficiently, and safely. The video covers an interview of vehicle occupants with a focus on indicators of suspicious behavior. The video also presents a detailed, systematic vehicle inspection that highlights potential indicators to recognize during an inspection. The guide provides vital knowledge of hot spots and IED indicators for multiple types of vehicles. For more information, please contact the Chemical Sector-Specific Agency at ChemicalSector@hq.dhs.gov or the IP Protective Security Coordination Division, Office for Bombing Prevention at OBP@hq.dhs.gov. Critical Infrastructure Learning Series The Critical Infrastructure Learning Series provides one-hour, Web-based seminars conducted by senior critical infrastructure experts on the tools, trends, issues, and best practices for infrastructure security and resilience. Recent learning series Webinar topics include Insider Threat, Active Shooter, and Conducting Security Assessments - A Guide for Schools and Houses of Worship. Series offerings are available at no cost and are highly recommended for government officials and private sector partners responsible for critical infrastructure risk management, security, and emergency management functions. To view these and other pre-recorded Webinars, or to register for updates, go to Joint Critical Infrastructure Partnership (JCIP) Webinars Series The Sector Outreach and Programs Division (SOPD), in partnership with the Regional Consortium Coordinating Council (RC3) and InfraGard, produces one-hour interactive sessions designed to assist critical infrastructure owners and operators, physical security and information security professionals, Chief Information Officers, risk managers, business continuity planners, information technology directors, and local homeland security and emergency management staff in their efforts to enhance the preparation, security, and resilience of communities and their critical infrastructure assets. All materials (PowerPoint slides, etc.) presented during these Webinars can be accessed via HSIN at Training DHS.gov Webpage: Critical Infrastructure Training The Webpage provides links to a wide variety of no-cost, cross-sector, and sector-specific training programs and resources which are available to public and private sector partners. The classroom and Web-based courses provide government officials and critical infrastructure owners and operators with the knowledge and skills needed to implement critical infrastructure security and resilience activities. View the list of trainings at SOPD RESOURCE GUIDE OCTOBER

190 Independent Online Study Courses Developed by SOPD The following courses are available through the Federal Emergency Management Agency s Emergency Management Institute (EMI) independent study program. Foundational Courses IS-821.A: Critical Infrastructure Support Annex The National Response Framework (NRF) presents the guiding principles that enable all response partners to prepare for and provide a unified national response to disasters and emergencies from the smallest incident to the largest catastrophe. As part of the NRF, Support Annexes describe how Federal departments and agencies, the private sector, volunteer organizations, and nongovernmental organizations (NGOs) coordinate and execute the common support processes and administrative tasks required during an incident. The actions described in the Support Annexes are not limited to particular types of events, but are overarching in nature and applicable to nearly every type of incident. This course provides an introduction to the Critical Infrastructure Support Annex to the NRF. The training may be accessed on the Federal Emergency Management Agency (FEMA) Emergency Management Institute (EMI) Website at IS-860.C: Introduction to the National Infrastructure Protection Plan The security and resilience of the Nation s critical infrastructure is essential to the Nation s security, public health and safety, economic vitality, and way of life. The purpose of this course is to present an overview of the National Infrastructure Protection Plan 2013: Partnering for Critical Infrastructure Security and Resilience (NIPP 2013), which provides the unifying framework for the integration of existing and future critical infrastructure security and resilience efforts into a single national program. Updated to include Presidential Policy Directive 21: Critical Infrastructure Security and Resilience policy, the training may be accessed on the FEMA EMI Website at IS-913.A: Achieving Results through Critical Infrastructure Partnership and Collaboration The purpose of this course is to introduce the skills and tools to effectively achieve results for critical infrastructure security and resilience through partnership and collaboration. At the end of this course, the participants will be able to 1) Explain the value of partnerships for infrastructure security and resilience, 2) Identify strategies to build successful critical infrastructure partnerships, 3) Describe methods to work effectively in a critical infrastructure partnership, 4) Identify processes and techniques used to sustain critical infrastructure partnerships, and 5) Identify strategies and methods for achieving results through critical infrastructure partnerships. The training may be accessed on the FEMA EMI Website at IS-921.A: Implementing Critical Infrastructure Security and Resilience Programs This course introduces those with critical infrastructure duties and responsibilities at the State, local, tribal, and territorial levels to the information they need and the resources available to secure and SOPD RESOURCE GUIDE OCTOBER

191 improve resilience of the Nation s critical infrastructure. At the end of this course, the participants will be able to 1) Summarize critical infrastructure responsibilities; 2) Identify the range of critical infrastructure protection government and private-sector partners at the Federal, State, local, tribal, territorial, and regional levels; 3) Describe processes for effective information sharing with critical infrastructure partners; and 4) Identify various methods for assessing and validating information. The training may be accessed on the FEMA EMI Website at Security Awareness Series IS-906: Workplace Security Awareness This Security Awareness Series course provides guidance to individuals and organizations across all 16 critical infrastructure sectors on how to improve security in the workplace. The course is self-paced and takes about an hour to complete. The comprehensive cross-sector training, which is appropriate for a broad audience regardless of knowledge and skill level, uses innovative multimedia scenarios and modules to illustrate potential security threats. Threat scenarios include Access & Security Control, Criminal & Suspicious Activities, Workplace Violence, and Cyber Threats. The course also features interactive knowledge reviews, employee tools, and additional resources. A certificate is given to participants who complete the entire course. The training may be accessed on the FEMA EMI Website at IS-907: Active Shooter: What You Can Do This Security Awareness Series course provides guidance to individuals, including managers and employees, on preparing to respond to an active shooter situation. The course is self-paced and takes about 45 minutes to complete. This comprehensive cross-sector training, which is appropriate for a broad audience regardless of knowledge and skill level, uses interactive scenarios and videos to illustrate how individuals who become involved in an active shooter situation should react. Topics within the course include 1) Actions one should take when confronted with an active shooter and responding law enforcement officials, 2) How to recognize potential indicators of workplace violence, 3) Actions one should take to prevent and prepare for potential active shooter incidents, and 4) How to manage an active shooter incident. This course also features interactive knowledge reviews, a final exam, and additional resources. A certificate is given to participants who complete the entire course. The training may be accessed on the FEMA EMI Website at IS-912: Retail Security Awareness: Understanding the Hidden Hazards The purpose of this Security Awareness Series course is to make persons involved in commercial retail operations aware of the actions they can take to identify and report suspicious purchases or thefts of products that actors could use in terrorist or other criminal activities. The course provides an overview of steps to identify and monitor high-risk product inventories and report suspicious activities to law enforcement agencies. The course is designed for retail managers, loss prevention specialists, risk management specialists, product managers, sales associates, and others involved in retail operations. The training may be accessed on the FEMA EMI Website at SOPD RESOURCE GUIDE OCTOBER

192 IS-914: Surveillance Awareness: What You Can Do The purpose of this Security Awareness Series course is to make critical infrastructure employees and service providers aware of actions they can take to detect and report suspicious activities associated with adversarial surveillance. At the end of this course, participants will be able to 1) Identify potential targets of adversarial surveillance; 2) Describe the information obtained by surveillance that is of interest to adversaries; 3) Recognize indicators of surveillance within the everyday environment; 4) Identify actions that you can take to detect potential adversarial surveillance incidents; 5) Describe the importance of identifying and reporting suspicious activities associated with adversarial surveillance; and 6) Specify actions you can take to report potential incidents of adversarial surveillance. The training may be accessed on the FEMA EMI Website at IS-915: Protecting Critical Infrastructure Against Insider Threat This Security Awareness Series course provides guidance to critical infrastructure employees and service providers on how to identify and take action against insider threats to critical infrastructure. At the end of the course, the participants will be able to 1) Describe the threat that malicious insiders pose to critical infrastructure, 2) Identify common characteristics and indicators associated with malicious insiders, and 3) Identify actions that can be taken against insider threats. The training may be accessed on the FEMA EMI Website at IS-916: Critical Infrastructure Security: Theft and Diversion What You Can Do - This Security Awareness Series course introduces critical infrastructure personnel to the information they need and the resources available to identify threats and vulnerabilities to critical infrastructure from the theft and diversion of critical resources, raw materials, and products that can be used for criminal or terrorist activities. At the end of this course, participants will be able to: 1) Describe the threat that theft and diversion pose to critical infrastructure protection and resilience; 2) Recognize which of your resources, raw materials, products, or technologies are vulnerable to theft and diversion; 3) Identify commonly used theft and diversion methods and schemes; 4) Recognize suspicious behaviors and activities associated with theft and diversion; and 5) Identify measures for protecting against theft and diversion. The training may be accessed on the FEMA EMI Website at For more information about critical infrastructure security and resilience training courses from the Office of Infrastructure Protection, please contact IP_Education@hq.dhs.gov. SOPD RESOURCE GUIDE OCTOBER

193 Texas A&M Engineering Extension Service Developed in partnership with SOPD, the Texas A&M Engineering Extension Service delivers these Critical Infrastructure Security and Resilience courses at the State, local, and regional levels. Infrastructure Protection AWR-213: Basic Critical Infrastructure Protection This critical infrastructure awareness course provides public and private critical infrastructure partners with essential knowledge and awareness necessary to understand and follow the guiding principles, roles, and responsibilities that underlie the Nation s collaborative strategy for critical infrastructure protection. Topics covered in this one-day course include 1) Objectives in achieving critical infrastructure protection efforts through the implementation of the NIPP, 2) Roles and responsibilities of critical infrastructure partners, 3) The risk management framework process, 4) Critical infrastructure partnering mechanisms, 5) Critical infrastructure information sharing network, and 6) Exploration of critical infrastructure collaborative efforts in the jurisdiction. Register at +Resources+Awareness+Course MGT-414 Advanced Critical infrastructure Protection Classroom Course This management-level course is intended for critical infrastructure owners, operators, and managers; State, local, tribal, and territorial government senior officials and managers; DHS infrastructure protection personnel; Sector-Specific Agency personnel; and other Federal agency managerial personnel. The purpose of the course is to extend the knowledge, skills, and abilities developed in the awareness level course (AWR-213) and to formulate considerations for the resilience of jurisdictional assets leveraging cross-sector partnerships. Topics covered in this one-day course include critical infrastructure review, cross-sector consequences, local jurisdiction next steps, national and community resilience, and resilience concepts. Register at ucture+protection For more information about these courses, please contact IP_Education@hq.dhs.gov. Exercise Programming Cross-Sector Active Shooter Security Seminar and Exercise Workshop This is a one-day workshop designed to be applicable to any sector for general awareness of how to respond to an active shooter incident. The workshop will enhance awareness of an active shooter event by educating participants on the history of active shooter events and describing common behaviors, conditions, and situations associated with active shooters. The intent of the program is to foster communication between critical infrastructure owners and operators, and local emergency response teams through discussions on interoperability; communications; and best practices for planning, preparedness, and response. For more information, or to obtain a list of scheduled events, please contact the Sector Outreach and Programs Division at ASworkshop@hq.dhs.gov. SOPD RESOURCE GUIDE OCTOBER

194 Dealing with Workplace Violence Tabletop Exercise (TTX) The Office of Infrastructure Protection s Sector Outreach and Programs Division developed the exercise to address workplace violence situations. The TTX is in three modules: the pre-incident phase, to include recognizing potential warning signs of workplace violence; the incident and response phase; and the assessment phase. The TTX will focus discussions on how to limit escalation and reduce the threat of violent behavior. In the event that an incident does occur, it also addresses how facilities can work with their employees and public/private partners to ensure they are prepared and able to quickly recover from an event. For more information, please contact the Sector Outreach and Programs Division at ip.exercise@hq.dhs.gov. Regional Resiliency Assessment Program (RRAP) Discussion-Based Exercises These exercises are offered to those jurisdictions participating in the RRAP. The core component of these efforts will be a capstone Tabletop Exercise (TTX) delivered approximately oneyear after completion of the assessment. The core objective of this TTX will be to determine changes to a jurisdiction s or sector s overall baseline resilience as a result of the implementation of protective measures suggested by the RRAP process. In the intervening year, the SOPD Stakeholder Readiness and Exercise team coordinates with the RRAP exercise planning team to deliver other requested preparatory activities such as workshops to help shape the capstone TTX. For more information, please contact the Sector Outreach and Programs Division at ip.exercise@hq.dhs.gov. Stakeholder Readiness & Exercises (SRE) Program Stakeholder Readiness and Exercises works with critical infrastructure stakeholders to plan, develop, and facilitate a wide range of exercises to test plans and procedures; identify gaps; and recognize lessons learned and best practices. By working with these partners, SRE develops scenarios and exercise plans that directly address the most salient threats to their communities, enhancing their ability to respond to and recover from all-hazards events. For more information about SRE, or to request an exercise, please ip.exercise@hq.dhs.gov. Sector-Specific Tabletop Exercise Program (SSTEP) The SSTEP is a risk management tool tailored for critical infrastructure sectors and partners to assess and update existing plans, policies, and procedures. The SSTEP allows users to leverage pre-built exercise templates and tailor them to their community s specific needs. SSTEP materials include a model exercise and support documentation that can be refined and further developed to exercise and evaluate specific areas of concern for critical infrastructure owners and operators. For more information, please contact the Sector Outreach and Programs Division at ip.exercise@hq.dhs.gov. Information Sharing Homeland Security Information Network (HSIN) Communities of Interest (COI) HSIN is a Web-based knowledge management tool designed to provide a reliable and secure system for information sharing and to increase collaboration between Federal, State, local, tribal, territorial, private sector, and international entities engaged in the homeland security mission. HSIN is composed of many diverse compartments called Communities of Interest (COI), each of which is designed and maintained by its own administrators. HSIN is a secure system, and access to compartments is granted by invitation only. A single user may be invited to multiple SOPD RESOURCE GUIDE OCTOBER

195 COIs, depending on their need to access that information. For more information, visit or contact the HSIN Help Desk at or Homeland Security Information Network - Critical Infrastructure (HSIN-CI) HSIN-CI is the primary information sharing platform between the critical infrastructure sector stakeholders and government. With a library of products that increases nearly every two hours, HSIN-CI enables Federal, State, local, and private sector critical infrastructure owners and operators to communicate, coordinate, and share sensitive and sector-relevant information to protect their critical assets, systems, functions, and networks at no charge to sector stakeholders. To request access to HSIN-CI, please contact hsinci@hq.dhs.gov. When requesting access, indicate the critical infrastructure sector to which the company belongs and include name, company, official address, and supervisor s name and phone number. Critical Infrastructure Training Portal The portal is located on the HSIN-CI page and offers a single point of entry for relevant training, guidance documents, presentations, brochures, instructional videos, and links to external educational resources. The portal is available to HSIN-CI users only. For more information about HSIN-CI, go to Information Sharing Snapshot This two-page snapshot describes the Information Sharing Environment (ISE), which is designed to improve the overall effectiveness of information sharing between and among Federal, State, local, tribal, and territorial governments and the private sector. To enable the protection of critical infrastructure, the U.S. Department of Homeland Security established an information-sharing network that is guided primarily by the National Infrastructure Protection Plan (NIPP) and works in coordination with the efforts of the Federal ISE. For more information, CI-ISE@hq.dhs.gov or see Open Source Infrastructure Report (OSIR) This report is IP s flagship report, produced five days a week, and is distributed as a monthly newsletter that summarizes and highlights key stories derived from open sources. The report provides event summaries and links to the full content for the reader s convenience. The report is widely read and received by over 40,000 partners. The collected information is also used to provide content (i.e., sector intel reports that include cyber threat and analysis) for our 20+ sector/partner specific portals. For more information, please CI-ISE@hq.dhs.gov. The Partnership Bulletin The Partnership Bulletin is designed as a quick reference guide for widest distribution to public and private sector stakeholders to provide upcoming cross-sector training opportunities and exercises, along with critical infrastructure events and key announcements. To receive this bulletin directly, send your request to sector.partnership@hq.dhs.gov. The Partnership Quarterly The Partnership Quarterly newsletter includes critical infrastructure security and resilience articles, highlights cross-sector initiatives, provides training and exercise opportunities, new tools, and resources available to public and private sector stakeholders. To subscribe or submit story ideas, sector.partnership@hq.dhs.gov with Partnership Quarterly in the subject line. SOPD RESOURCE GUIDE OCTOBER

196 Policy National Infrastructure Advisory Council (NIAC) The NIAC provides advice to the President, through the Secretary of the U.S. Department of Homeland Security, on the security of the critical infrastructure sectors and their information systems. The Council is composed of a maximum of 30 members appointed by the President from private industry, academia, and State and local government. For more information, see or contact niac@hq.dhs.gov. National Infrastructure Protection Plan (NIPP) 2013 The NIPP provides the unifying structure for the integration of a wide-range of efforts for the enhanced protection and resilience of the Nation s critical infrastructure into a single national program. For more information, see or to request materials contact NIPP@hq.dhs.gov. National Infrastructure Protection Plan (NIPP) Sector Partnership The partnership is intended to improve the protection and resilience of the Nation s critical infrastructure sectors. It provides a forum for 16 designated critical sectors to engage with the Federal Government regularly on national planning, risk mitigation, program identification and implementation, and information sharing. Additional information for private sector owners and operators of critical infrastructure may be found at or contact the Sector Outreach and Programs Division at sector.partnership@hq.dhs.gov. Regional Consortium Coordinating Council (RC3) Member and Mission Landscape Study The RC3 completed its Member and Mission Landscape Study utilizing opensource research and interviews with executive directors and leaders of the Council s member organizations to examine five key regional partnership areas: the value the RC3 provides its membership, the composition and reach of RC3 s member organizations, member organization missions, critical infrastructure security and resilience activities, and member challenges and requirements for continued partnership sustainment. This research is aimed to ultimately determine initiatives and priorities, as well as document best practices, for the council and regional coalitions to enhance the awareness and delivery of security and resilience tools and communications to public-private partnerships. The Member and Mission Landscape Study can be accessed at or request a copy at sector.partnership@hq.dhs.gov. Sector-Specific Plans The plans represent collaboration between government and private sector partners to develop, update, and maintain Sector-Specific Plans (SSP) for all 16 sectors. SSPs support the National Infrastructure Protection Plan (NIPP) by establishing a coordinated approach to national priorities, goals, and requirements for critical infrastructure protection. Each SSP provides the means by which the NIPP is implemented for each sector, as well as a national framework to address the sector s unique characteristics and risk landscape. SSPs for each critical infrastructure can be located at The NIPP framework can be located at For more information, please contact the Sector Outreach and Programs Division at SOPDExecSec@hq.dhs.gov. SOPD RESOURCE GUIDE OCTOBER

197 SLTTGCC Summary of Regional Reports: Critical Infrastructure Programs In 2011, the State, Local, Tribal, and Territorial Government Coordinating Council (SLTTGCC) launched a multiyear effort to study the composition, activities, and needs of State and local critical infrastructure protection (CIP) programs in each of the 10 Federal regions. This document consolidates summaries of the 10 reports into a quick reference guide of the major themes. The report can be accessed through HSIN-CI at 0Regional%20Reports%20Summary%20FINAL%20July% pdf. To request access to HSIN-CI, please contact HSINCI@hq.dhs.gov. Higher Education Critical Infrastructure Security and Resilience Higher Education Initiative The SOPD Stakeholder Education and Training Section and the George Mason University School of Business, Center for Infrastructure Protection and Homeland Security (CIP/HS) develop graduate course prototype syllabi, case studies, and classroom exercises in critical infrastructure security and resilience. These courses cover topics in critical infrastructure security and resilience, such as partnerships, risk management, information sharing, systems analysis, policies and strategies, and cybersecurity. The courses are intended to foster critical infrastructure education programs that produce and sustain the leaders and workforce required for the government and the private sector to effectively protect critical infrastructure. As critical infrastructure security and resilience spans numerous fields of study, including computer science, criminal justice, engineering, homeland security, global security, and public policy, the prototype syllabi and related materials are publicly available to the higher education community to provide a foundation for critical infrastructure education. These courses may be incorporated into the curriculum of any program and used by any institution of higher learning. The materials can be downloaded at: Graduate Level Curricula These courses can be used as stand-alone classes or part of a graduate degree or concentration. Introduction to Critical Infrastructure Security and Resilience Information Sharing for Critical Infrastructure Security and Resilience Critical Infrastructure Security and Resilience Capstone Critical Infrastructure Security and Resilience: Sector Approaches and Cross-Sector Interdependencies SOPD RESOURCE GUIDE OCTOBER

198 Critical Infrastructure Security and Resilience: The Cyber Dimension Critical Infrastructure Security and Resilience: The International Dimension Risk Management for Critical Infrastructure Security and Resilience Critical Infrastructure Security and Resilience Systems Analysis Methods, Policies, and Strategies Critical Infrastructure Security and Resilience: Identifying, Assessing, and Addressing Emergent Threats Designing Resilient Infrastructure Critical Infrastructure Security Graduate/Professional Certificate The five courses below can be used to create a concentration or certificate in critical infrastructure. Foundations of Critical Infrastructure Security and Resilience Advanced Topics in Critical Infrastructure Security and Resilience Assessing and Managing Risk to Critical Infrastructure Systems Critical Infrastructure Security, Resilience, and Cybersecurity Partnering and Information Sharing for Critical Infrastructure Security and Resilience Master s in Public Administration (MPA): Critical Infrastructure Concentration Courses The prototype syllabi have been modified to fit into MPA programs with a critical infrastructure focus. Critical Infrastructure: Emergency Planning and Response Federal Budgeting and Critical Infrastructure Infrastructure Protection and Emergency Response: Interagency Communication and Coordination Organization Theory and Behavior: Organizing for Critical Infrastructure Program Evaluation Project Management The Public Policy Process and Critical Infrastructure/Domestic Security Policy Third Party Governance and Critical Infrastructure Protection Case Studies and Classroom Exercises The case studies and exercises can be used on their own or in addition to the course syllabi. Blackout: A Case Study of the 2003 North American Power Outage and Exercise On August 14, 2003, large portions of Ohio, Michigan, Pennsylvania, Massachusetts, New York, Connecticut, New Jersey, and Ontario, Canada, went dark in a matter of seconds. The loss of electricity not only caused the lights to go out, but also shut down airports, subways, trains, and tunnels. The exercise centers on strategy and planning activities in an interdependency-rich environment. SOPD RESOURCE GUIDE OCTOBER

199 Collapse: A Case Study of the Minneapolis I-35W Bridge Disaster and Exercises On August 1, 2007, the city s fire department was dispatched to the I-35W Bridge just after 6:00 p.m. at the peak of rush hour. The entire eight-lane span had fallen into the Mississippi River, taking with it more than 100 vehicles. This case highlights the challenges of planning and response in a highly-vulnerable, multi-threat environment that is a nexus of multiple infrastructure modes. Derailed: A Case Study of the 2001 Howard Street Tunnel Fire with Exercises On July 18, 2001, civil defense sirens wailed in Baltimore, Maryland, to alert citizens of a fire below the city. Thick, black smoke billowed from both ends of the 1.7 mile Howard Street Tunnel that crossed the city s downtown area. In addition to the fire, a forty-inch wide water main ruptured above the tunnel and water seeped into the tunnel and flooded the streets and surrounding businesses. About 1,200 customers lost power, and Internet service from Washington, D.C., to New York City slowed. The 2001 Howard Street Tunnel freight train derailment in Baltimore is a compelling case study that illustrates the central role that information sharing has in critical infrastructure security and resilience. The multi-modal and multi-sector consequences present a rich opportunity for participants to think critically about how information sharing strategies can be developed and implemented to mitigate risks and improve response. Expansion of Lifeline Services in Colorado Springs, CO This exercise describes and assesses the current state of three lifeline infrastructures in Colorado Springs. The case study can be adapted to any city or metropolitan area ACME Amazium Refinery All-Hazards Performance Profile Exercise This is an exercise in writing an all-hazards performance profile for a fictitious facility in Memphis, Tenn., using the U.S. Department of Homeland Security s Threat and Hazard Identification and Risk Assessment (THIRA) process (U.S. Department of Homeland Security, 2013). For more information about the Higher Education Initiative, please contact IP_Education@hq.dhs.gov. SOPD RESOURCE GUIDE OCTOBER

200 Chemical Sector Resources Chemical Facility Security: Best Practices Guide for an Active Shooter Incident This booklet draws upon best practices and findings from tabletop exercises to present key guidance for chemical facility planning and training, and poses specific questions that an effective active shooter response and recovery plan will answer. For more information, please contact the Chemical Sector-Specific Agency (SSA) at Chemical Sector Classified Briefing The Chemical SSA sponsors a classified briefing for cleared industry representatives as needed. The intelligence community provides briefings on both physical and cyber threats, as well as other topics of interest for chemical supply chain professionals. For more information contact the Chemical SSA at ChemicalSector@hq.dhs.gov. Chemical Sector Industrial Control Systems (ICS) Security Resource DVD - The chemical industry, in partnership with DHS, has collected a wealth of cybersecurity information to assist owners and operators in addressing ICS security. The DVD contains a wide-range of useful information, including ICS training resources, existing standards, reporting guidelines, cybersecurity tabletop exercises, and the National Cyber Security Division s Cyber Security Evaluation Tool. The DVD is available for free upon request. For more information, or to obtain a copy of the DVD, please contact the Chemical SSA at ChemicalSector@hq.dhs.gov. Chemical Sector Portal on the Homeland Security Information Network - Critical Infrastructure (HSIN-CI) The Homeland Security Information Network - Critical Infrastructure (HSIN-CI) is a secure information-sharing platform for the critical infrastructure community and includes the HSIN-CI Chemical portal. The HSIN-CI Chemical portal is available to both public and private Chemical Sector stakeholders as a key tool for security and incident preparedness and response information. HSIN-CI Chemical users can communicate, collaborate, and receive general and threat information impacting Chemical Sector stakeholders during operationally significant situations For example, during a hurricane, the portal regularly provides alerts and incident bulletins. To gain access to HSIN-CI and the Chemical Sector portal, interested individuals should HSINCI@hq.dhs.gov with a request for nomination to the Chemical Sector portal that includes their name, company, work address, and title/position description. addresses must match the company name. Chemical Sector PS-PREP Framework Guide As part of the Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep ), DHS and the Chemical Sector Coordinating Council have developed the Chemical Sector PS-Prep Framework Guide for use by sector partners. The Chemical Sector PS-Prep Framework Guide provides a data set that includes extensive lists of laws, regulations, programs, and practices relevant to preparedness, and worksheets that align industry regulations and practices to individual elements of the standards for a defined scope. For more information, please contact the Chemical SSA at ChemicalSector@hq.dhs.gov. Chemical Sector Security Awareness Guide The purpose of this document is to assist owners and operators in their efforts to improve security at their chemical facility and to provide information on the security threats presented by explosive devices and cyber SOPD RESOURCE GUIDE OCTOBER

201 vulnerabilities. For more information, please contact the Chemical SSA at Chemical Sector Security Summit The Chemical SSA annually co-sponsors the Chemical Sector Security Summit (Summit) with the Chemical Sector Coordinating Council (SCC). The Summit consists of workshops, presentations, and discussions covering current security regulations, industry best practices, and tools for the Chemical Sector. In addition, the event is designed for industry professionals throughout the Chemical Sector to provide participants a broad representation from the chemical stakeholder community, senior DHS and other government officials, and congressional staff. For information on the Summit, please visit Chemical Sector-Specific Tabletop Exercise Program (SSTEP), Cyber Tabletop Exercise (TTX) This tabletop exercise is designed to allow participants the opportunity to address key issues, threats, gaps, and concerns affecting the Chemical Sector through a series of facilitated discussions. Focusing on information sharing and coordination activities during incidents, this TTX offers chemical stakeholders the opportunity to assess existing capabilities to respond to and recover from a cybersecurity incident triggered by a terrorist attack. For more information, please contact the Chemical SSA at ChemicalSector@hq.dhs.gov. Chemical Sector Training Resources Guide - The guide contains a list of free or low-cost training, Web-based classes, seminars, and documents that are routinely available through one of several component agencies within DHS. The list was compiled to assist facility security officers in training their employees on industry best practices, physical and cybersecurity awareness, and emergency management and response. For more information, please contact the Chemical SSA at ChemicalSector@hq.dhs.gov. Infrastructure Protection Sector-Specific Tabletop Exercise Program (IP-SSTEP), Chemical Sector Tabletop Exercise (TTX) - The IP-SSTEP Chemical Sector TTX is an unclassified and adaptable exercise developed to create an opportunity for public and private critical infrastructure stakeholders and their public safety partners to address gaps, threats, issues, and concerns identified in previous exercises and their after-action review processes. The TTX allows participants an opportunity to gain an understanding of issues faced prior to, during, and after a terrorist threat/attack and the need to coordinate with other entities, both private and government, regarding their facility. It also includes the tools for companies or facilities to conduct a Homeland Security Exercise and Evaluation Program (HSEEP) compliant TTX. For more information, please contact the Chemical SSA at ChemicalSector@hq.dhs.gov. Playbook for an Effective All Hazards Response This handbook provides a Standard Operating Procedure (SOP) to assist the chemical sector with preparing for, responding to, and recovering from an all-hazards emergency. The intended audience for this SOP is the Chemical Sector Coordinating Council (SCC) membership and the Chemical SSA. It defines the respective roles and responsibilities of the Chemical SCC and Chemical SSA as well as their interaction in support of a coordinated public-private sector response to an all-hazards emergency. Please contact ChemicalSector@hq.dhs.gov for requests and more information. SOPD RESOURCE GUIDE OCTOBER

202 Roadmap to Secure Control Systems in the Chemical Sector The Chemical SSA, in coordination with public and private sector members of the Chemical Sector Roadmap Working Group, created a plan for voluntarily improving cybersecurity in the Chemical Sector. This Roadmap brings together Chemical Sector stakeholders, government agencies, and asset owners and operators with a common set of goals and objectives. It also provides milestones to focus specific efforts and activities for achieving the goals, while addressing the Chemical Sector s most urgent challenges, long-term needs, and practices to reduce the cybersecurity risk to industrial control systems (ICS). This document will be supplemented by the Chemical Sector- Specific NIST Framework Implementation Guide in FY16. Please contact ChemicalSector@hq.dhs.gov for requests. Security Seminar & Workshop Series for Chemical Industry Stakeholders The Chemical SSA supports requests from state chemical industry councils, industry associations, and emergency management agencies for presentations, training, exhibits, and exercises which improve the security and resilience of the chemical industry by soliciting the appropriate subject matter experts and regional representatives throughout the U.S. Department of Homeland Security (DHS) Office of Infrastructure Protection and other agencies. DHS representatives provide presentations and tabletop exercises on a variety of topics, including active shooter, vehicle-borne improvise explosive devices, and cybersecurity. Participation in events is subject to budget and travel restrictions. Please contact ChemicalSector@hq.dhs.gov for requests and more information. Threat and Suspicious Activity Reporting Teleconference The Chemical SSA hosts a monthly unclassified threat briefing and suspicious activity reporting teleconference for chemical facility owners, operators, and supply-chain professionals. To participate, apply for access to HSIN-CI where call-in information is posted to the Chemical portal. This briefing is scheduled monthly at 11 a.m. ET. For more information, please contact the Chemical SSA at ChemicalSector@hq.dhs.gov. Who s Who in the Chemical Sector The U.S. Department of Homeland Security has multiple components, directorates, offices, and divisions many of whom interact with the private sector on a consistent basis. This guide was created by the Chemical SSA to clarify roles and responsibilities and to enhance sector stakeholders understanding of Who Is Who. Please contact ChemicalSector@hq.dhs.gov for requests and more information. SOPD RESOURCE GUIDE OCTOBER

203 Commercial Facilities Sector Resources Active Threat Recognition for Retail Security Officers This 85-minute presentation discusses signs of criminal and terrorist activity, types of surveillance, and suspicious behavioral indicators. To access the presentation, please register at After submitting the short registration form and setting a password of your choice, you will receive an confirmation with instructions for logging in to view the material and corresponding fact sheet. For more information, please contact the Commercial Facilities Sector-Specific Agency (SSA) at CFSTeam@dhs.gov. Commercial Facilities Sector Pandemic Planning Documents Public assembly venue owners and operators use these pandemic influenza planning documents to enhance pandemic operational response planning. These guides provide key steps and activities for managers of public assembly venues to consider when operating their facilities during pandemic situations. These guides are used in connection with the worksheet which displays the status of operational activities that venues should use to respond to the influenza's impact on venues and surrounding areas. A checklist outlines the various activities that should be considered by public assembly venues when developing a pandemic response plan. Planning documents can be accessed at DHS Lodging Video: No Reservations: Suspicious Behavior in Hotels The video is designed to raise hotel employee awareness of suspicious behavior by highlighting the indicators of suspicious activity. It also provides information to help employees identify and report suspicious activities and threats in a timely manner. The video can be viewed at It is also available in Spanish. For more information, please contact the Commercial Facilities SSA at CFSTeam@dhs.gov. DHS Retail Video: "What's in Store - Ordinary People/Extraordinary Events" This video is for retail employees of commercial shopping venues to alert them of the signs of suspicious behavior in the workplace that might lead to a catastrophic act. The video is intended to both highlight suspicious behavior, as well as encourage staff to take action when suspicious behavior is identified. The video can be viewed at It is also available in Spanish. For more information, please contact the Commercial Facilities SSA at CFSTeam@dhs.gov. DHS Sports Leagues/Public Assembly Video: Check It! How to Check a Bag The video is designed to raise frontline facility employee awareness by highlighting the indicators of suspicious activity. It also provides information to help employees properly search bags in order to protect venues and patrons across the country. View the Check It! video at For more information, please contact the Commercial Facilities SSA at CFSTeam@dhs.gov. SOPD RESOURCE GUIDE OCTOBER

204 Evacuation Planning Guide for Stadiums This product is intended to assist stadium owners and operators with developing an evacuation plan and determining when and how to evacuate, conduct shelter-in-place operations, or relocate stadium spectators and participants. The guide is available at For more information, please contact the Commercial Facilities SSA Hotel and Lodging Advisory Poster This poster was created for all U.S. lodging industry staff to increase awareness of a lodging property s potential for being used for illicit purposes and suspicious behavior. The poster also outlines appropriate actions for employees to take if they notice suspicious activity. It was designed in tandem with the Commercial Facilities Sector Coordinating Council and the Lodging Subsector, and is available at For more information, please contact the Commercial Facilities SSA at CFSTeam@dhs.gov. Infrastructure Protection Sector-Specific Table Top Exercise Program (SSTEP) for the Commercial Facilities Sector The SSTEP allows users to leverage pre-built exercise templates and tailor them to their community s specific needs in order to assess, develop, and update plans, programs, policies, and procedures within an incident management functional area. The SSTEP is an all-hazards risk management tool designed for use by critical infrastructure owners and operators that focuses on information sharing and coordination between sector-specific entities, the facility or venue, first responders, and other relevant stakeholders. The SSTEP materials provide a model exercise and support documentation that can be refined and further developed to exercise and evaluate specific areas of concern. The ability for public and private sector organizations to plan and execute Homeland Security Tabletop Exercise and Evaluation Program (HSEEP)-based exercises will continue to enhance security and resilience by enabling these organizations to identify strengths and areas for improvement within their operating plans, techniques, and procedures. These identified issues are then developed into an improvement plan that clearly outlines those measures necessary to improve on current concepts. For more information, please contact the Commercial Facilities SSA at CFSTeam@dhs.gov. Mountain Resorts and Outdoor Events Protective Measures Guides These guides are a compilation of materials shared by industry leaders which are intended for reference and guidance purposes only. They provide an overview of protective measures that can be implemented to assist owners and operators of commercial facilities in planning and managing security at their facilities or events, as well as examples of successful planning, organizing, coordinating, training, communications, and operational activities. For more information, please contact the Commercial Facilities SSA at CFSTeam@dhs.gov. Protective Measures Guide for the U.S. Lodging Industry Produced in collaboration with the American Hotel & Lodging Association, the Protective Measures Guide for the U.S. Lodging Industry offers options for hotels to consider when implementing protective measures. This guide provides an overview of threat, vulnerability, and protective measures designed to assist hotel owners and operators in planning and managing security at their facilities. For more information, please contact the Commercial Facilities SSA at CFSteam@hq.dhs.gov. SOPD RESOURCE GUIDE OCTOBER

205 Protective Measures Guide for U.S. Sports Leagues This protective measures guide provides an overview of best practices and protective measures designed to assist sports teams and owners/operators of sporting event venues with planning and managing security at their facility. The guide also provides examples of successful planning, organizing, coordinating, training, communications, and operational activities that result in a safe sporting event experience. For more information, please contact the Commercial Facilities SSA at CFSteam@hq.dhs.gov. Retail and Shopping Center Advisory Poster This awareness poster is intended to help train retail employees on the recognition of suspicious behavior that could indicate bombmaking activities, provides specific details on what may be considered suspicious, and encourages reporting of suspicious behavior. For more information, please contact the Commercial Facilities SSA at CFSTeam@dhs.gov. Sports Venue Bag Search Procedures Guide This guide provides suggestions for developing and implementing bag search procedures at sporting event venues that host major sporting events. The purpose for establishing bag search procedures is to control items which are hand-carried into the sports venue. The bag search procedures should be a part of the venue s overall security plan and should be tested and evaluated as outlined in the security plan. The actual implementation of bag search procedures and the level of search detail will depend upon the threat to the venue as determined by the venue s security manager. For more information, please contact the Commercial Facilities SSA at CFSTeam@dhs.gov. Sports Venue Credentialing Guide This guide provides suggestions for developing and implementing credentialing procedures at sporting event venues that host professional sporting events. The purpose for establishing a credentialing program is to control and restrict access to a sports venue, and provide venue management with information on those who have access. Credentialing can also be used to control and restrict vehicle movement within a venue. For more information, please contact the Commercial Facilities SSA at CFSTeam@dhs.gov. Threat Detection & Reaction for Retail & Shopping Center Staff This 20-minute presentation is intended for point-of-sale staff, but is applicable to all employees of a shopping center, mall, or retail facility. It uses case studies and best practices to explain suspicious behavior and items, how to reduce the vulnerability to an active shooter threat, and the appropriate actions to take if employees notice suspicious activity. The presentation can be viewed on the HSIN-CI Commercial Facilities portal at For more information, please contact the Commercial Facilities SSA at CFSTeam@dhs.gov. Webinar: Cybersecurity in the Retail Sector This Webinar will provide retail employees and managers with an overview of the cyber threats and vulnerabilities facing the industry. Participants will gain a heightened sense of the importance for strengthening cybersecurity in the retail workplace. The Webinar reviews the types of cyber systems and infrastructure used by the retail industry and steps that retail personnel can take to address the unique vulnerabilities to those cyber resources. The Webinar is available on HSIN-CI at For more information, please contact the Commercial Facilities SSA at CFSTeam@dhs.gov. SOPD RESOURCE GUIDE OCTOBER

206 Critical Manufacturing Sector Resources Critical Manufacturing Cybersecurity Tabletop Exercise In partnership with Critical Manufacturing Sector Coordinating Council members and the DHS National Cyber Security Division (NCSD) exercise program, the Critical Manufacturing SSA has developed a cybersecurity tabletop exercise to highlight potential cybersecurity vulnerabilities. This exercise is divided into two modules that focus on threats to business and industrial control systems. This unclassified tabletop exercise is easily deployable and can be administered by an organization s IT personnel. For more information, please contact the Critical Manufacturing Sector-Specific Agency (SSA) at CriticalManufacturing@hq.dhs.gov. Critical Manufacturing Partnership Road Show This program provides Critical Manufacturing Sector members an opportunity to participate in onsite visits to various DHS locations. The visits include briefings on current threats to the United States, including the Critical Manufacturing Sector, and related infrastructure. For more information, contact the Critical Manufacturing SSA at CriticalManufacturing@dhs.gov. Critical Manufacturing Portal on The Homeland Security Information Network Critical Infrastructure (HSIN-CI) HSIN-CI is the primary information-sharing platform for the Critical Manufacturing Sector. The portal is available to both public and private Critical Manufacturing Sector stakeholders and is a key tool for security information awareness. Access enhances the ability of users to receive information and communicate during operationally significant situations. For example, during a hurricane, the portal provides alerts and regularly posted incident bulletins. Interested individuals should contact HSINCI@hq.dhs.gov with a request for nomination that includes name, company, and address. addresses must match the company name. Once nominated, registrants will receive an electronic link to an application for completion. Critical Manufacturing Security Conference The Critical Manufacturing Security Conference features various vendors and presenters pertinent to the manufacturing arena. Designed for industry professionals throughout the sector, this event provides an important opportunity for Critical Manufacturing Sector security partners to engage in meaningful dialogue and share ideas to enhance sector security. For more information, contact the Critical Manufacturing SSA at CriticalManufacturing@dhs.gov. SOPD RESOURCE GUIDE OCTOBER

207 Dams Sector Resources Consequence Assessment for Dam Failure Course (E261) This course provides dam owners; professional staff of the dam safety programs; emergency managers at the Federal, State, local, tribal, and territorial levels; and private sector dam safety, security, and incident management personnel with information needed to define and estimate consequences for dam failure scenarios. The objectives of this course are to assist participants with the concepts of how the consequence assessment is an important part of risk management strategies, how to establish initial priorities using consequence data, and how consequence estimation plays an important role in emergency preparedness efforts. For more information, please contact the Dams Sector-Specific Agency (SSA) at Consequence-Based Top Screen Fact Sheet This fact sheet provides information pertaining to the Consequence-Based Top Screen (CTS) methodology, including how it was developed, its primary purpose, and a description of the Web-based tool. For more information, please contact the Dams SSA atdams@hq.dhs.gov. Dam Security and Protection Technical Seminar (E260) This seminar provides owners/operators, State dam safety officials, and other sector stakeholders with information pertaining to security, protection, and crisis management issues in order to improve understanding of dam-related security and protection concepts. The goals of this seminar are to help integrate security, protection, and resilience strategies into stakeholders respective risk management strategies, and leverage existing Dams Sector reference materials to provide the depth and breadth of dam security and resilience expertise and knowledge. For more information, please contact the Dams SSA at Dams@hq.dhs.gov. Dams and Energy Sector Interdependency Study This study examines the interdependencies between two critical infrastructure sectors Dams and Energy with a particular emphasis on the variability of weather patterns and competing demands for water, which determine the amount of water available for hydroelectric power generation. For more information, please contact the Dams SSA at Dams@hq.dhs.gov. Dams Sector Active and Passive Vehicle Barriers Guide This guide assists dam owners and operators in understanding the need for vehicle barriers as part of an overall security plan, and helps familiarize security personnel with the various types of active and passive vehicle barriers. The guide also provides a very cursory level of technical information regarding barriers and includes references to assist owners and operators in properly designing and selecting vehicle barriers and their appurtenant safety and security systems. For more information, please contact the Dams SSA at Dams@hq.dhs.gov. Dams Sector Consequence-Based Top Screen (CTS) This methodology allows for the identification of critical facilities within the Dams Sector (i.e., those high-consequence facilities whose failure or disruption could be potentially associated with the highest possible impact among Dams Sector assets). This methodology which considers a worst reasonable case scenario, serves as an effective all-hazards criticality screening tool for a consequencebased approach. For more information, please contact the Dams SSA at Dams@hq.dhs.gov. SOPD RESOURCE GUIDE OCTOBER

208 Dams Sector Consequence-Based Top Screen (CTS) Reference Guide This guide provides users with information pertaining to the Top Screen methodology, how it was developed, its primary purpose, and a description of the Web-based tool. For more information, please contact the Dams SSA at Dams@hq.dhs.gov. Dams Sector Crisis Management Handbook This handbook provides an introduction to crisis management measures for dam owners and explains how such measures are an important component of an overall risk management program. In addition, it describes major components of crisis management and provides a template and guidelines that might be useful in developing these components for other dams. For more information, please contact the Dams SSA at Dams@hq.dhs.gov. Dams Sector Information Sharing Drill This drill identifies the sector s capability to receive, share, and respond to security-related information; tests information sharing processes and procedures currently in place; and identifies and addresses information sharing gaps, issues, and concerns that could affect the sector during heightened threat conditions. For more information, please contact the Dams SSA at Dams@hq.dhs.gov. Dams Sector Personnel Screening Guide for Owners and Operators This guide assists non-federal owners and operators of dams, locks, and levees with developing and implementing personnel screening protocols appropriate for their facilities. An effective screening protocol for potential employees and contractor support can contribute to enhanced facility security by ensuring that untrustworthy individuals do not gain employment or access to sensitive facilities or information. For more information, please contact the Dams SSA at Dams@hq.dhs.gov. Dams Sector Roadmap to Secure Control Systems This handbook describes a plan and strategic vision for voluntary improvement of the cybersecurity posture of control systems within the Dams Sector. Designing, operating, and maintaining a facility to meet essential reliability, safety, and security needs requires careful evaluation and analysis of physical, cyber, and human risk factors. The interaction of both internal and external processes and business systems must also be considered. A cyber event, whether caused by an external adversary, an insider threat, or inadequate policies and procedures, can initiate a loss of system control resulting in negative consequences. This Roadmap recognizes this interconnectivity, but restricts its scope by addressing the cyber issues of control systems. For more information, please contact the Dams SSA at Dams@hq.dhs.gov. Dams Sector Security Awareness Guide Levees This guide assists levee owners in identifying security concerns, coordinating proper response, and establishing effective partnerships with local law enforcement and first responder communities. For more information, please contact the Dams SSA at Dams@hq.dhs.gov. Dams Sector Security Awareness Guide This is a non-fouo version of the Dams Sector Security Awareness Handbook to allow for wider distribution to owners and operators. For more information, please contact the Dams SSA at Dams@hq.dhs.gov. SOPD RESOURCE GUIDE OCTOBER

209 Dams Sector Security Guidelines This handbook consolidates effective industry security practices into a framework for owners and operators to select and implement security activities and measures that promote the protection of personnel, public health, public safety, and public confidence. For more information, please contact the Dams SSA at Dams@hq.dhs.gov. Dams Sector Suspicious Activity Reporting Fact Sheet This fact sheet provides information regarding the online Suspicious Activity Reporting tool within the HSIN-CI Dams Portal. This online tool was established to provide sector stakeholders with the capability to report and retrieve information pertaining to suspicious activities. For more information, please contact the Dams SSA at Dams@hq.dhs.gov. Dams Sector Suspicious Activity Reporting Tool This is an online reporting tool within the HSIN-CI Dams Portal that was established to provide sector stakeholders with the capability to report and retrieve information pertaining to suspicious activities that may potentially be associated with pre-incident surveillance, and those activities related to the exploration or targeting of a specific critical infrastructure facility or system. For more information, please contact the Dams SSA atdams@hq.dhs.gov. Dams Sector Tabletop Exercise Toolbox (DSTET) This exercise toolbox provides dam owners and operators with exercise planning resources to address sector-specific threats, issues, and concerns related to the protection of dams. DSTET allows exercise participants to address key issues through a series of facilitated discussions both with physical and cyber scenarios. The intent of the toolbox is to enhance effective information sharing and coordination between owners and operators, first responders, and relevant stakeholders during various threat and incident phases as detailed in the corresponding scenarios. For more information, please contact the Dams SSA at Dams@hq.dhs.gov. Dams Sector Waterside Barriers Guide This guide was developed to assist dam owners and operators in understanding the possible need for waterside barriers as part of their overall security plan. It provides owners, operators, and security personnel with a very cursory level of information on barriers and their use, maintenance, and effectiveness elements that must be carefully taken into account when selecting waterside barriers. For more information, please contact the Dams SSA at Dams@hq.dhs.gov. Emergency Preparedness Guidelines for Levees: A Guide for Owners and Operators This document aims to assist public and private stakeholders that have responsibilities as owners or operators in managing levees, floodwalls, pumping stations, and any other components of flood risk management systems. The intent of the document is to provide guidance in preparing for and responding to potential natural and manmade incidents at levees. For more information, please contact the Dams SSA at Dams@hq.dhs.gov. Estimating Economic Consequences for Dam Failure Scenarios This document provides information describing the economic consequence estimation approaches most commonly used in the United States and discusses the advantages and limitations of each approach. For more information, please contact the Dams SSA atdams@hq.dhs.gov. SOPD RESOURCE GUIDE OCTOBER

210 Estimating Loss-of-Life for Dam Failure Scenarios This document provides information describing loss-of-life estimation approaches most commonly used in the United States and Canada, and discusses the advantages and limitations of each approach. For more information, please contact the Dams SSA IS-870.A: Dams Sector: Crisis Management This online training course addresses crisis management activities as an important component of an overall risk management program and provides dam and levee stakeholders with recommendations to assist in the development of various plans focused on enhancing preparedness, protection, recovery, and resilience capabilities. The training course describes the purpose and basic elements of emergency action plans, recovery plans, and continuity plans; and addresses the basic elements of an effective exercise program. Access to this course can be found at For more information, please contact the Dams SSA at IS 871.A: Dams Sector: Security Awareness (FOUO) This online training course provides information to enhance the ability to identify security concerns, coordinate proper response, and establish effective partnerships with local law enforcement and first responder communities. The training course describes common security vulnerabilities, potential indicators of threats, surveillance detection, and reporting of incidents and suspicious activities. Access to this course can be found at For more information, please contact the Dams SSA at IS 872.A: Dams Sector: Protective Measures (FOUO) This online training course addresses protective measures related to physical, cyber, and human elements; and describes the importance of these measures as components of an overall risk management program. The training course describes the basic elements of the risk management model and discusses the steps required to develop and implement an effective protective program. Access to this course can be found at For more information, please contact the Dams SSA Physical Security Measures for Levees Fact Sheet Provides information on physical security measures that a levee owner could employ and the factors affecting the selection of those measures. For more information, please contact the Dams SSA at Dams@hq.dhs.gov. Protective Measures Handbook (FOUO) This handbook provides an introduction to protective measures for dam owners. It assists in selecting protective measures addressing the physical, cyber, and human elements, and includes recommendations for developing site security plans. For more information, contact the Dams SSA at Dams@hq.dhs.gov. Security Awareness Handbook (FOUO) This handbook assists in identifying security concerns, coordinating proper response, and establishing effective partnerships with local law enforcement and first responder communities. For more information, contact the Dams SSA at Dams@hq.dhs.gov. SOPD RESOURCE GUIDE OCTOBER

211 Emergency Services Sector Resources Continuity Planning for First Responders Brochure The Continuity Planning for First Responders brochure was developed by the Emergency Services Sector (ESS) and FEMA Continuity of Operations Division. The brochure was designed to further educate first responders on continuity of operations planning (COOP), the goal of continuity, how to manage your COOP, the National Continuity Programs (NCP), the role of ESS, and the partnership between NCP and ESS. For access and more information, contact the Emergency Services Sector at Emergency Services Information Sharing Bulletin (ESS-ISB) The ESS-ISB is a monthly security and resilience focused bulletin which provides access to current information for sector stakeholders. With a goal of focusing on process and products which address the requirements of the ESS stakeholders, the ESS-ISB provides information that is vital to the security and resilience of the sector s stakeholders, including current and new sector-focused tools, tactics, and training. For access and more information, contact the Emergency Services Sector at ESSTeam@hq.dhs.gov. Emergency Services Personal Readiness Guide for Responders and Their Families This trifold handout provides a description of the Ready Campaign, the Emergency Services Sector- Specific Agency (SSA), a list of Website resources, and instructions on family preparedness that include suggestions on developing an emergency kit and family emergency plan. For more information, please contact the Emergency Services SSA at ESSTeam@hq.dhs.gov. Emergency Services Sector-Cyber Risk Assessment (ESS-CRA) The 2012 ESS-CRA is the first ESS-wide cyber risk assessment tool that analyzes strategic cyber risks to ESS infrastructure. The ESS-CRA process provided a national risk profile that ESS partners can use to prioritize how they spend resources and where to focus training, education, equipment investments, grant requests, and those areas requiring further study. Cyber risks to each discipline are ranked from high to low in terms of likelihood and consequence. The assessment approach is not intended to be guidance for individual entity s risk management activities. Instead, by increasing the awareness of risks across the public and private sector domains, the ESS-CRA serves as a foundation for ongoing national-level collaboration to enhance the security and resilience of ESS disciplines. If you have any further questions about the Emergency Services Sector-Cyber Risk Assessment, please send an to ESSTeam@hq.dhs.gov. Emergency Services Sector Cybersecurity Initiative The Emergency Services Sector Cybersecurity Initiative is an ongoing effort to enable ESS to better understand and manage cyber risks and to coordinate the sharing of cyber information and tools between subject matter experts (both inside and outside the Federal government) and the ESS disciplines. Additional information can be found at SOPD RESOURCE GUIDE OCTOBER

212 Emergency Services Sector Resilience Development Project The Emergency Services Sector Resilience Development Project is a suite of existing resources and best practices that are specifically tailored to meet the unique resilience needs of the first responder community. For more information, please contact ESSTeam@hq.dhs.gov. Emergency Services Sector Roadmap to Secure Voice and Data Systems To address the cyber risks identified in the ESS-CRA, the Emergency Services Sector Roadmap to Secure Voice and Data Systems (Roadmap) was developed. The Roadmap identifies and discusses several measures to address cyber risk and includes justification for the response, sector context, barriers to implementation, and suggestions for implementation. The Roadmap is intended to serve as a guide and reference document for ESS personnel as they adapt to the growing prevalence of and reliance upon digital technologies and other cyber infrastructure in the sector. If you have any questions about the Roadmap, please send an to ESSTeam@hq.dhs.gov. Emergency Services Sector-Specific Tabletop Exercise Program (ES-SSTEP) The ES SSTEP tool allows critical emergency services personnel to develop interactive, discussionbased exercises for their communities of interest at both the sector or facility level. The ES SSTEP affords the opportunity for public and private critical infrastructure stakeholders and their public safety partners to exercise incident management plans, programs, policies, and procedures in order to address potential gaps, vulnerabilities, and other pertinent issues. Additional information can be found at or contact the Emergency Services Sector at ESSTeam@hq.dhs.gov. Safety and Security of Emergency Response Vehicles Brochure This brochure outlines and recommends how to keep emergency response vehicles and equipment safe from theft incidents. Emergency responders will learn how to prevent the loss of property by actively enforcing effective theft prevention measures. For more information, please contact the Emergency Services SSA at ESSTeam@hq.dhs.gov. The Emergency Services Sector Cybersecurity Initiative In accordance with Executive Order 13636, the ESS Cybersecurity initiative is intended to enhance the security and resilience of the Emergency Services Sector and to maintain a cyber-environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, confidentiality, privacy, and civil liberties. The Cybersecurity Initiative assists the ESS organizations by providing the full range of cybersecurity-related resources provided by the U.S. Department of Homeland Security. For access and more information, contact the Emergency Services Sector at ESSTeam@hq.dhs.gov. The Emergency Services Sector Resilience Development Webinar Series (ESS-RDWS) The ESS-RDWS will be an ongoing resilience-focused Webinar series concentrated on the first responder, focusing on education and awareness, capacity building, and knowledge validation. For access and more information, contact the Emergency Services Sector at ESSTeam@hq.dhs.gov. Training Video: First Responders Go Kit This video is designed to demonstrate step-bystep content first responders should have in their personal and family emergency kits. For access and more information, contact the Emergency Services Sector at ESSTeam@hq.dhs.gov. SOPD RESOURCE GUIDE OCTOBER

213 Webinar: Cybersecurity in the Emergency Services Sector The one-hour course provides an overview of the types of cyber systems and infrastructure that the Emergency Services Sector utilizes and the types of threats and vulnerabilities associated with those IT resources. The Webinar is available on the Homeland Security Information Sharing - Critical Infrastructure (HSIN-CI) Emergency Services Sector portal. For access and more information, contact the Emergency Services Sector at ESSTeam@hq.dhs.gov. Webinar: The Ready Responder Program for the Emergency Services Sector The onehour Web-based seminar focuses on first responder preparedness and best practices and how the Ready Responder program contributes to a safer, more secure, and more resilient America. The Webinar is available on the Homeland Security Information Sharing Critical Infrastructure (HSIN-CI) Emergency Services Sector portal. For access and more information, contact the Emergency Services Sector at ESSTeam@hq.dhs.gov. SOPD RESOURCE GUIDE OCTOBER

214 Nuclear Sector Resources Nuclear Sector Classified Threat Briefing The Nuclear SSA coordinates both regularly scheduled and incident-specific classified briefings for cleared sector partners. For more information, please contact the Nuclear Sector-Specific Agency (SSA) at Nuclear Sector Information Sharing Standard Operating Procedure (SOP) This document is designed to enhance the effectiveness of voluntary information coordination and distribution among members of the Nuclear Sector Information Sharing Environment. The information-sharing processes are developed as suggested practices and must be used in conjunction with, and subordinate to, legal, regulatory, and industry standard processes that are established within and recognized by the Nuclear Sector and its industry and government members. For more information, please contact the Nuclear SSA at Nuclear Sector Integrated Response Exercises DHS, the Federal Bureau of Investigation (FBI), the Nuclear Regulatory Commission (NRC), the Nuclear Energy Institute (NEI), and the nuclear power industry coordinate exercises to enhance the capabilities of responders to integrate with onsite security personnel in response to a security incident at a nuclear power plant site. Both tabletop and full-scale exercises culminate at a site. For more information, please contact the Nuclear SSA at NuclearSSA@hq.dhs.gov. Nuclear Sector Security Awareness Guide This document will assist Nuclear Sector owners and operators in their efforts to improve security at their facility, reaffirm awareness of the security risks to the sector, and provide a list of activities or actions that can be taken to reduce that risk. For more information, please contact the Nuclear SSA at NuclearSSA@hq.dhs.gov. Nuclear SSA Monthly Unclassified Threat Briefing The Nuclear SSA holds an unclassified security teleconference for nuclear facility owners and operators, plant managers, and security professionals on the first Wednesday of every month. The teleconference provides the opportunity for both the Office of Intelligence and Analysis and Office for Bombing Prevention of the U.S. Department of Homeland Security to brief the Nuclear Sector on significant changes to the threat environment, results of recent terrorism investigations, and other reported suspicious incidents. The Industrial Control Systems Cyber Emergency Response Team (ICS CERT) also briefs the Nuclear Sector on recent cyber alerts and advisories. For more information, please contact the Nuclear SSA at NuclearSSA@hq.dhs.gov. Roadmap to Enhance Cyber Systems Security in the Nuclear Sector The Roadmap to Enhance Cyber Systems Security in the Nuclear Sector describes coordinated activities to improve cyber systems security in the Nuclear Sector. It provides nuclear control and cyber systems vendors, asset owners and operators, and relevant government agencies with common vision, goals, and objectives for cyber systems security in the sector and milestones to focus specific efforts and activities for achieving these vision, goals, and objectives over the next 10 to 15 years, addressing the Nuclear Sector s most urgent challenges, as well as its longer term needs to reduce the cybersecurity risk to nuclear power plant cyber systems. For more information, please contact the Nuclear SSA at NuclearSSA@hq.dhs.gov. SOPD RESOURCE GUIDE OCTOBER

215

216 Catalog of Federally Sponsored Counter-IED Training and Education Resources for Private Sector Partners National Protection and Programs Directorate (NPPD) Office of Infrastructure Protection (IP) Office for Bombing Prevention (OBP) October 2015 Homeland Security I

217 This product was developed in coordination with the Joint Program Office for Countering Improvised Explosive Devices (JPO C-IEDs)

218 Introduction The Catalog of Federally Sponsored Counter-IED Training and Education Resources for Private Sector Partners lists explosives and improvised explosive devices (IED)-related Federal resources of value to the private sector. The Catalog was developed by the Department of Homeland Security (DHS) Office for Bombing Prevention (OBP) in collaboration with Federal interagency partners through the Joint Program Office for Countering Improvised Explosive Devices (JPO C-IED). The JPO C-IED is responsible for coordinating the implementation of the recently updated U.S. Policy for Countering IEDs. The resources in this Catalog support goals and capabilities outlined in the revised policy and are intended to enhance the effectiveness of U.S. counter-ied efforts, including: Enhancing the ability to deter, detect, and prevent IEDs before threats become imminent. Ensuring that protection and response efforts effectively neutralize or mitigate the consequences of attacks that do occur. Leveraging and integrating a whole-of-government approach across law enforcement, diplomatic, homeland security, and military disciplines. Promoting and enhancing information sharing and cooperation between all levels of government and the private sector. The Catalog identifies training and education resources that are provided directly by the Federal Government or are federally sponsored, but delivered by a partner organization, such as the National Domestic Preparedness Consortium. These resources may also be listed in other catalogs maintained by individual Federal agencies or partner organizations. Courses included within this Catalog will be periodically updated to ensure accuracy and applicability. Organization The resources in this Catalog are organized by course level, following the format of Federal Emergency Management Agency (FEMA) National Training and Education Division (NTED) course catalogs. Courses are listed at the awareness, performance, and management levels to accommodate different job functions within the stakeholder community. Awareness-level courses are designed for stakeholders who require the skills to recognize and report a potential IED incident or who are likely to witness or investigate an event involving the use of hazardous and/or explosive devices. Performance-level courses are designed for stakeholders who perform tasks during the initial response to an IED event. Management-level courses are designed for resource managers and/or decision-makers who develop plans and coordinate the prevention of, or response to, an IED event. Within each course level, the resources are organized alphabetically. I

219 Core Capabilities The Catalog s holdings align with the five mission areas and corresponding core capabilities outlined within the National Preparedness Goal. The chart below illustrates the mission areas and core capabilities, including the three core capabilities common to all mission areas. Prevention Protection Mitigation Response Recovery Planning Planning Planning Planning Planning Public Information and Warning Operational Coordination Intelligence and Information Sharing Interdiction and Disruption Screening, Search, and Detection Forensics and Attribution Public Information and Warning Operational Coordination Intelligence and Information Sharing Interdiction and Disruption Screening, Search, and Detection Access Control and Identity Verification Cybersecurity Physical Protective Measures Risk Management for Protection Programs and Activities Public Information and Warning Operational Coordination Community Resilience Long-term Vulnerability Reduction Risk and Disaster Resilience Assessment Threat and Hazard Identification Public Information and Warning Operational Coordination Critical Transportation Environmental Response/ Health and Safety Fatality Management Services Infrastructure Systems Mass Care Services Mass Search and Rescue Operations On-scene Security and Protection Operational Communications Public and Private Services and Resources Public Information and Warning Operational Coordination Economic Recovery Health and Social Services Housing Infrastructure Systems Natural and Cultural Resources Supply Chain Integrity and Security Public Health and Medical Services Situational Assessment Training and Resource Delivery Method of delivery for the training and resources identified in the Catalog follow a model adapted from the FEMA NTED course catalogs. Training is delivered to qualified participants in four ways: II

220 1. Document: Training and/or guidance is provided in a document resource. 2. Residential: Training and/or guidance occurs at the training provider's facility. 3. Mobile: Training and/or guidance occurs at or near the location of the agency that requests the training. 4. Web-Based: Training and/or guidance is self-paced and delivered via computer and Internet connection. Cost/Funding Source for Resources There are three options for paying for resources: 1. Federally Funded: There is no cost to the requesting organization; providers pay all costs. 2. Homeland Security Grant Program: The requesting organization must pay for its participants costs, but costs are allowable using authorized Homeland Security Grants. 3. Participant Fee: The requesting organization pays for its participants costs. Participants should contact the training or resource provider with any questions about funding. Catalog Updates or Questions Please contact U.S. Department of Homeland Security (DHS) Office for Bombing Prevention (OBP) at OBP@hq.dhs.gov should you have any questions, revisions, or course updates related to this catalog. III

221 Course Listings Course Name Course Provider Page Awareness-Level Courses Active Threat Recognition for Retail Security Officers Federal Emergency Management Agency, Emergency Management Institute 1 Blast Injury Fact Sheets Centers for Disease Control and Prevention 1 "Check It!" U.S. Department of Homeland Security, Office of Infrastructure Protection 1 IED Counterterrorism Workshop U.S. Department of Homeland Security, Office of Infrastructure Protection, Office for Bombing Prevention 1 Improvised Explosive Device Threat Awareness and Detection U.S. Department of Homeland Security, Office of Infrastructure Protection, Office for Bombing Prevention 2 Improvised Explosive Devices, Package Inspection and Mail Room Procedures State of New Jersey 2 "No Reservations: Suspicious Behavior in Hotels" U.S. Department of Homeland Security, Office of Infrastructure Protection 3 Retail Security Awareness - Understanding the Hidden Hazards Federal Emergency Management Agency, Emergency Management Institute 3 Safeguarding Hotels from the Threat of Terrorism U.S. Department of Homeland Security, Office of Infrastructure Protection 3 Surveillance Awareness: What You Can Do Federal Emergency Management Agency, Emergency Management Institute 4 Surveillance Detection Awareness on the Job U.S. Department of Homeland Security, Office of Infrastructure Protection 4 Threat Detection & Reaction for Retail & Shopping Center Staff Understanding and Planning for School Bomb Incidents (UPSBI), AWR-132-W - Web-Based "What's in Store: Ordinary People/Extraordinary Events" U.S. Department of Homeland Security, Office of Infrastructure Protection 4 New Mexico Institute of Mining and Technology 5 U.S. Department of Homeland Security, Office of Infrastructure Protection 5 Workplace Security Awareness Federal Emergency Management Agency, Emergency Management Institute 5 IV

222 Performance-Level Courses Bomb Threat Management Workshop U.S. Department of Homeland Security, Office of Infrastructure Protection, Office for Bombing Prevention 6 Bombings: Injury Patterns and Care Centers for Disease Control and Prevention 6 IED Protective Measures Course U.S. Department of Homeland Security, Office of Infrastructure Protection, Office for Bombing Prevention 6 IED Search Procedures Workshop U.S. Department of Homeland Security, Office of Infrastructure Protection, Office for Bombing Prevention 7 Land Transportation Antiterrorism Training Program (LTATP) Federal Law Enforcement Training Center 7 Medical Management of CBRNE Events Texas A&M Engineering Extension Service 7 A Prepared Jurisdiction: Integrated Response to a CBRNE Incident Louisiana State University 8 Sports Venue Bag Search Procedures Guide U.S. Department of Homeland Security, Office of Infrastructure Protection 8 Surveillance Detection Course for Law Enforcement & Security Professionals U.S. Department of Homeland Security, Office of Infrastructure Protection, Office for Bombing Prevention 8 Vehicle-Borne IED (VBIED) Detection Course U.S. Department of Homeland Security, Office of Infrastructure Protection, Office for Bombing Prevention 8 Management-Level Courses Protective Measures Guide for Mountain Resorts (FOUO) U.S. Department of Homeland Security, Office of Infrastructure Protection 9 Protective Measures Guide for Outdoor Venues (FOUO) U.S. Department of Homeland Security, Office of Infrastructure Protection 9 Protective Measures Guide for the U.S. Lodging Industry (FOUO) U.S. Department of Homeland Security, Office of Infrastructure Protection 10 Protective Measures Guide for U.S. Sports Leagues (FOUO) U.S. Department of Homeland Security, Office of Infrastructure Protection 10 V

223 Course Details Awareness-Level Courses Active Threat Recognition for Retail Security Officers An 85-minute presentation discussing signs of criminal and terrorist activity, types of surveillance, and suspicious behavioral indicators. Mission Area: Prevention; Protection Core Capability: Public Information and Warning Course Level: Awareness Targeted Audience: All private sector and public sector employees Course Provider: FEMA EMI Delivery Mechanism: Web-based Cost/Funding Source: Federally funded Prerequisites: None Course Length: 1 hour To Schedule: Blast Injury Fact Sheets The Center for Disease Control and Prevention (CDC), in collaboration with the Terrorism Injuries: Information, Dissemination and Exchange (TIIDE) partners and with leadership from America Trauma Society, has developed 17 topic-specific fact sheets on the treatment of blast injuries. Fact sheet topics range from blast lung and blast abdomen to the treatment of pediatric and older adult populations. The fact sheets have been disseminated both nationally and internationally as part of mass casualty response efforts. Mission Area: Response Core Capability: Mass Care Services Course Level: Awareness Targeted Audience: Emergency medical services and health care providers Course Provider: CDC Delivery Mechanism: Web-based Cost/Funding Source: American College of Emergency Physicians (ACEP) 1 Prerequisites: None Course Length: N/A To Schedule: "Check It!" Designed to raise the level of awareness for front-line facility employees by highlighting the indicators of suspicious activity, this video provides information to help employees properly search bags in order to protect venues and patrons across the country. Mission Area: Prevention; Protection Core Capability: Public Information and Warning; Screening, Search, and Detection Course Level: Awareness Targeted Audience: Private sector Course Provider: DHS/IP Delivery Mechanism: Web-based Cost/Funding Source: Federally funded Prerequisites: None Course Length: 8 minutes To View: eck_ wmv IED Counterterrorism Workshop This workshop enhances the participant s understanding of the IED threat, surveillance detection methods, and soft target awareness. The workshop also covers awareness and prevention measures, as well as collaborative information-sharing resources to enable first responders and critical infrastructure owners, operators, and security staff to deter, prevent, detect, and protect against the illicit and terrorist use of explosives in the United States. Mission Area: Prevention Core Capability: Screening, Search, and Detection Course Level: Awareness Targeted Audience: SLTT first responders and public and private sector critical infrastructure owners, operators, and security personnel

224 Course Provider: DHS/IP/OBP Delivery Mechanism: Mobile Cost/Funding Source: DHS Prerequisites: None Course Length: 8 hours For More Information: Counterterrorism To Schedule: Contact local Protective Security Advisor (PSA) ( or send an to OBPtraining@hq.dhs.gov. Improvised Explosive Device Threat Awareness and Detection This course focuses on identifying IEDs. The training provides awareness-level information for staff, management, and security to recognize, report, and react to unusual activities and threats in a timely manner. Mission Area: Prevention; Protection Core Capability: Public Information and Warning Course Level: Awareness Targeted Audience: Private sector Course Provider: DHS/IP/OBP Delivery Mechanism: Virtual (instructor-led) Cost/Funding Source: Federally funded Prerequisites: None Course Length: 1 hour To Schedule: Contact local Protective Security Advisor (PSA) ( or send an to OBPtraining@hq.dhs.gov. Improvised Explosive Devices, Package Inspection and Mail Room Procedures This course was designed to be delivered in four configurations and can be delivered in a one-, two-, or three-day course based upon the needs of the course participant. Section one can also be a standalone course delivered in one day. 2 The first section provides emergency responders and private sector security professionals with a basic knowledge of explosives, IEDs, and booby traps; how to recognize them; and what to do when they encounter them. In addition, responders and security professionals are taught how to recognize suspicious packages, package and mail handling procedures, and what to do when they encounter a suspicious package. Lastly, they are taught about bomb threats, from receipt, to clearing the bomb threat. Section one is a prerequisite to both section two and section three. The second section of the course focuses on Vehicle-Borne Improvised Explosive Devices (VBIED) and relies upon the basic concepts taught during the first section of the course. This section provides case studies of VBIEDs, including the attack on the Alfred P. Murrah Building in Oklahoma City; VBIED construction and indicators; vehicle search techniques and procedures; and a practical exercise. The third section of the course, also reliant upon the concepts taught during the first section, focuses on using x-ray technology to recognize suspicious items and improvised explosive devices. This section provides an overview of x- ray technology; images produced by x-ray; recognition of typical construction of items that will commonly be x-rayed, such as laptop computers, cell phones, cameras, GPS, and music players; and images that suggest indicators of an IED. Several practical exercises using the participant's x-ray technology, when the course is held onsite, or slides, when held in a facility that does not have access to x-ray technology, are also included. Mission Area: Prevention Core Capability: Screening, Search, and Detection Course Level: Awareness Targeted Audience: Emergency management agency, emergency medical services, fire service, governmental administrative, hazardous material, health care providers, law enforcement, public health, public safety communications, public works, and other private sector representatives Course Provider: State of New Jersey

225 Delivery Mechanism: Mobile Cost/Funding Source: Homeland Security Grant Prerequisites: None Course Length: 8-24 hours To Schedule: "No Reservations: Suspicious Behavior in Hotels" Designed to raise the level of awareness for hotel employees by highlighting the indicators of suspicious activity, this video provides information to help employees identify and report suspicious activities and threats in a timely manner. Also available in Spanish. Mission Area: Prevention; Protection Core Capability: Public Information and Warning Course Level: Awareness Targeted Audience: Private sector Course Provider: DHS/IP Delivery Mechanism: Web-based Cost/Funding Source: Federally funded Prerequisites: None Course Length: 9 minutes To View: Retail Security Awareness - Understanding the Hidden Hazards The purpose of this course is to make persons involved in commercial retail operations aware of the actions they can take to identify and report suspicious purchases or thefts of products that actors could use in terrorist or other criminal activities. To achieve this goal, the course provides an overview of prevention steps aimed at identifying and monitoring highrisk inventory products and reporting suspicious activities to law enforcement agencies. At the end of this course, the participants will be able to: 1) Identify steps they can take to help prevent their inventory from being used to manufacture or deploy home-made explosives; 2) Describe the importance of identifying and reporting suspicious purchases and activities in the retail sector; and 3) Specify additional 3 actions they can take to protect their inventory from misuse or theft. Mission Area: Prevention; Protection Core Capability: Screening, Search, and Detection Course Level: Awareness Targeted Audience: This course is designed for retail managers, loss prevention specialists, risk management specialists, product managers, sales associates, and others involved in retail operations. Course Provider: FEMA EMI Delivery Mechanism: Web-based Cost/Funding Source: N/A Prerequisites: None Course Length: 45 minutes To Schedule: iew.aspx?code=is-912 Safeguarding Hotels from the Threat of Terrorism Developed in collaboration with the American Hotel & Lodging Association, this training provides information on key terrorism topics with reference to actual events. The Webinar includes a high-level briefing on the threat climate for the hotel industry and specific protective measures, focusing on observing and reporting suspicious activity and items. The Webinar focuses on terrorism topics including, but not limited to, lessons learned from Mumbaistyle attacks, IED awareness and response, and active shooter scenarios. Mission Area: Prevention; Protection Core Capability: Public Information and Warning; Physical Protective Measures Course Level: Awareness Targeted Audience: Private sector Course Provider: DHS/IP Delivery Mechanism: Web-based Cost/Funding Source: Federally funded Prerequisites: None Course Length: 1 hour To View:

226 Surveillance Awareness: What You Can Do The purpose of this course is to make critical infrastructure employees and service providers aware of actions they can take to detect and report suspicious activities associated with adversarial surveillance. To achieve this goal, the course provides an overview of surveillance activities and the indicators associated with them, as well as the actions that employees and service providers can take to report potential surveillance incidents. At the end of this course, the participants will be able to identify potential targets of adversarial surveillance, describe the information obtained by surveillance that is of interest to adversaries, recognize indicators of surveillance within the everyday environment, identify actions that you can take to detect potential adversarial surveillance incidents, describe the importance of identifying and reporting suspicious activities associated with adversarial surveillance, and specify actions you can take to report potential incidents of adversarial surveillance. Mission Area: Prevention; Protection Core Capability: Screening, Search, and Detection Course Level: Awareness Targeted Audience: The course is designed for critical infrastructure owners and operators, employees, and service providers, as well as those with critical infrastructure protection duties and responsibilities at the State, local, tribal, and territorial levels. Course Provider: FEMA EMI Delivery Mechanism: Web-based Cost/Funding Source: Federally funded Prerequisites: None Course Length: 1 hour To Schedule: iew.aspx?code=is-914 Surveillance Detection Awareness on the Job Part of the Department s "If You See Something, Say Something " campaign to raise public awareness of potential indicators of terrorism, crime, and other threats and to emphasize the importance of reporting suspicious activity to law enforcement authorities. This free, online interactive session of video scenarios, commentary by a panel of experts, and questions and comments will better prepare participants to guard against surveillance activities. Mission Area: Prevention; Protection Core Capability: Public Information and Warning Course Level: Awareness Targeted Audience: Private sector Course Provider: DHS/IP Delivery Mechanism: Web-based Cost/Funding Source: Federally funded Prerequisites: None Course Length: 1 hour To View: Threat Detection & Reaction for Retail & Shopping Center Staff This course uses case studies and best practices to explain suspicious behavior and packages, how to reduce the vulnerability to an active shooter threat, and the appropriate actions to take if employees notice suspicious activity. Mission Area: Prevention; Protection Core Capability: Public Information and Warning Course Level: Awareness Targeted Audience: This presentation is intended for point-of-sale staff, but is applicable to all employees of a shopping center, mall, or retail facility. Course Provider: DHS/IP Delivery Mechanism: Web-based Cost/Funding Source: Federally funded Prerequisites: None Course Length: 1 hour To View: 4

227 Understanding and Planning for School Bomb Incidents (UPSBI), AWR-132-W - Web- Based UPSBI addresses the issues involved in school bomb threats and designing safe and effective response plans for school bomb incidents. In addition, UPSBI provides the tools and information needed to develop or assess an existing school bomb incident response plan. The course has numerous resources, which include full-text documents concerning school emergency management plans, the threat assessment process, planning a functional school training program, and links to FEMA online training for school administrators. Mission Area: Prevention; Protection Core Capability: Screening, Search, and Detection Course Level: Awareness Targeted Audience: Emergency medical services, fire service, and law enforcement Course Provider: New Mexico Institute of Mining and Technology Delivery Mechanism: Web-based Cost/Funding Source: Federally funded-fema Prerequisites: None Course Length: 4 hours To Schedule: "What's in Store: Ordinary People/Extraordinary Events" Designed to raise awareness for retail employees by highlighting the indicators of suspicious activity, this video provides information on identifying and reporting suspicious activity and threats at shopping centers and retail establishments. To View: Workplace Security Awareness This course provides guidance to individuals and organizations on how to improve the security in your workplace. No workplace be it an office building, construction site, factory floor, or retail store is immune from security threats that endanger the confidentiality, integrity, and security of your workplace, as well as your virtual workplace and computer systems. Employees are often the target of these threats as well as the organization's first line of defense against them. This course presents information on how employees can contribute to your organization's security. Upon completing this course, the participant will be able to: 1) Identify potential risks to workplace security; 2) Describe measures for improving workplace security; and 3) Determine the actions to take in response to a security situation. Mission Area: Protection Core Capability: Screening, Search, and Detection Course Level: Awareness Targeted Audience: All private sector and public sector employees Course Provider: FEMA EMI Delivery Mechanism: Web-based Cost/Funding Source: Federally funded Prerequisites: None Course Length: 1 hour To Schedule: iew.aspx?code=is-906 Mission Area: Prevention; Protection Core Capability: Public Information and Warning Course Level: Awareness Targeted Audience: Private sector Course Provider: DHS/IP Delivery Mechanism: Web-based Cost/Funding Source: Federally funded Prerequisites: None Course Length: 9 minutes 5

228 Performance-Level Courses Bomb Threat Management Workshop This workshop improves the ability of critical infrastructure owners, operators, and security personnel to manage IED threats by highlighting specific safety precautions associated with explosive incidents and bomb threats. The workshop reinforces an integrated approach that combines training, planning, and equipment acquisition to maximize available resources for bomb threat management. Public and private sector representatives knowledgeable in regional emergency management procedures are encouraged to attend. Mission Area: Prevention Core Capability: Interdiction and Disruption Course Level: Performance Targeted Audience: Public and private sector critical infrastructure owners, operators, and security personnel Course Provider: DHS/IP/OBP Delivery Mechanism: Mobile Cost/Funding Source: Federally funded Prerequisites: None Course Length: 32 hours For More Information: Threat To Schedule: Contact local Protective Security Advisor (PSA) ( or send an to Bombings: Injury Patterns and Care Bombings: Injury Patterns and Care is designed to provide the latest clinical information regarding blast-related injuries. Course Provider: CDC Delivery Mechanism: Web-based Cost/Funding Source: American College of Emergency Physicians (ACEP) Prerequisites: None Course Length: 4 hours To Schedule: ngs_injurycare.asp Course Provider: FEMA/CDP IED Protective Measures Course This course builds awareness and understanding of the IED threat, terrorist planning cycle, and indicators of suspicious activity. Participants learn about facility vulnerability analysis, counter-ied protective measures, and strategies which can be utilized to mitigate risk and reduce vulnerabilities within their unique sectors. Mission Area: Protection Core Capability: Physical Protective Measures Course Level: Performance Targeted Audience: SLTT first responders and public and private sector critical infrastructure owners, operators, and security personnel Course Provider: DHS/IP/OBP Delivery Mechanism: Mobile Cost/Funding Source: DHS Prerequisites: None Course Length: 16 hours For More Information: Measures To Schedule: Contact local Protective Security Advisor (PSA) ( or send an to OBPtraining@hq.dhs.gov. Mission Area: Response Core Capability: Mass Care Services Course Level: Performance Targeted Audience: Emergency medical services and health care providers 6

229 IED Search Procedures Workshop This workshop is designed to increase IED awareness and educate participants on bombing prevention measures and planning protocols to detect IEDs by reviewing specific search techniques. This workshop builds knowledge of counter-ied principles and techniques among first responders and public and private sector security partners tasked with IED search and response protocols. Mission Area: Protection Core Capability: Screening, Search, and Detection Course Level: Performance Targeted Audience: SLTT first responders and public and private sector security partners Course Provider: DHS/IP/OBP Delivery Mechanism: Mobile Cost/Funding Source: Federally funded Prerequisites: None Course Length: 8 hours For More Information: Search Procedures To Schedule: Contact local Protective Security Advisor (PSA) ( or send an to OBPtraining@hq.dhs.gov. Land Transportation Antiterrorism Training Program (LTATP) The LTATP is unique in its design, recognizing that security at most land transportation systems is accomplished by a cooperative effort of Federal, State, local, and contract personnel. This program was designed to protect the land transportation infrastructure to include rail, mass transit and bus operations, and, most importantly, passengers and employees. It will address the needs of all personnel charged with security responsibilities. Mission Area: Protection Core Capability: Operational Coordination; Physical Protective Measures Course Level: Performance 7 Targeted Audience: Federal, State, and local law enforcement; public and private security personnel; and military personnel involved in transportation Course Provider: FLETC Delivery Mechanism: Residential Cost/Funding Source: Homeland Security grant Program for Attendees Prerequisites: Applicants must be assigned to duties directly related to security and contingency planning of a land transportation system. Course Length: 40 hours To Schedule: Medical Management of CBRNE Events Participants completing this program will be able to properly perform patient triage, decontamination, treatment, and transportation in the event of exposure to chemical, biological, radiological, nuclear, and explosive (CBRNE) weapons. The course consists of facilitated discussions, small group exercises, hands-on activities, and task-oriented practical applications. Course participants will use both state-of-the-art adult and pediatric human patient simulators to promote critical thinking skills while utilizing the RAPID Care concept. Mission Area: Response Core Capability: Mass Care Services Course Level: Performance Targeted Audience: Emergency medical services, health care providers, and law enforcement Course Provider: Texas A&M Engineering Extension Service Delivery Mechanism: Mobile Cost/Funding Source: Federally funded-fema Prerequisites: None Course Length: 15 hours To Schedule: Med-Management-of-CBRNE-Events.pdf

230 A Prepared Jurisdiction: Integrated Response to a CBRNE Incident The goal of this course is to build relationships that result in effective multidisciplinary integration of emergency response assets, equipment, plans, and procedures during a chemical, biological, radiological, nuclear or explosive (CBRNE) incident or event. Using a whole community approach, the course provides an opportunity for participants to cross-train and recognize the capabilities of responder organizations in their jurisdiction. Using a realistic response scenario, participants will exercise and assess their ability to effectively integrate with other disciplines in their community. Mission Area: Response Core Capability: Operational Coordination Course Level: Performance Targeted Audience: Emergency management agency, emergency medical services, hazardous materials personnel, health care providers, and law enforcement Course Provider: Louisiana State University (LSU) Delivery Mechanism: Residential Cost/Funding Source: Federally funded-fema Prerequisites: None Course Length: 20 hours To Schedule: egratedresponse.aspx Sports Venue Bag Search Procedures Guide A joint DHS-private sector document that provides suggestions for developing and implementing bag search procedures at public assembly venues hosting major events. The bag search procedures delineated in this guide are for guidance purposes only; they are not a requirement under any regulation or legislation. Mission Area: Prevention; Protection Core Capability: Screening, Search, and Detection Course Level: Performance Targeted Audience: Private sector Course Provider: DHS/IP Delivery Mechanism: Document Cost/Funding Source: Federally funded Prerequisites: None Course Length: N/A To Access: To obtain this document, visit the Homeland Security Information Network (HSIN) page ( Non-HSIN users should contact HSIN.Outreach@hq.dhs.gov for an electronic PDF copy. Surveillance Detection Course for Law Enforcement & Security Professionals This course provides the participant instruction on how to detect hostile surveillance by exploring surveillance techniques, tactics, and procedures from a hostile perspective. These skills enhance counter-ied capabilities of law enforcement and security professionals to detect, prevent, protect against, and respond to IED threats. Mission Area: Response Core Capability: Situational Assessment Course Level: Performance Targeted Audience: Public and private sector security personnel Course Provider: DHS/IP/OBP Delivery Mechanism: Mobile Cost/Funding Source: DHS Prerequisites: FEMA EMI IS-914, Surveillance Awareness Course Length: 24 hours For More Information: Detection To Schedule: Contact local Protective Security Advisor (PSA) ( or send an to OBPtraining@hq.dhs.gov. Vehicle-Borne IED (VBIED) Detection Course This course improves the participant s ability to successfully inspect for, detect, identify, and respond to a VBIED. Instruction covers the VBIED threat, explosive effects, IEDs, and vehicle inspections, enabling participants to 8

231 detect, deter, and protect against the illicit use of explosives. The course is designed for first responders and public/private security staff tasked with inspecting vehicles for explosives, dangerous goods, or any contraband. Mission Area: Response Core Capability: Environmental Response/ Health and Safety Course Level: Performance Targeted Audience: SLTT first responders and public and private sector security personnel conducting vehicle inspections Course Provider: DHS/IP/OBP Delivery Mechanism: Mobile Cost/Funding Source: N/A Prerequisites: None Course Length: 8 hours For More Information: Detection To Schedule: Contact local Protective Security Advisor (PSA) ( or send an to OBPtraining@hq.dhs.gov. Management-Level Courses Protective Measures Guide for Mountain Resorts (FOUO) The Protective Measures Guides provide an overview of possible threats, vulnerabilities, and protective measures designed to assist facility owners and operators in planning and managing security specific to their venue to maintain a safer environment for guests and employees. Mission Area: Protection Core Capability: Physical Protective Measures Course Level: Management Targeted Audience: Private sector Course Provider: DHS/IP Delivery Mechanism: Document Cost/Funding Source: Federally funded Prerequisites: None Course Length: N/A For More Information: NIPP@hq.dhs.gov To obtain these For Official Use Only (FOUO)- designated documents, please visit the Commercial Facilities Publications Webpage ( and follow the instructions to gain access to the Commercial Facilities site on the Homeland Security Information Network - Critical Infrastructure. Protective Measures Guide for Outdoor Venues (FOUO) The Protective Measures Guides provide an overview of possible threats, vulnerabilities, and protective measures designed to assist facility owners and operators in planning and managing security specific to their venue to maintain a safer environment for guests and employees. Mission Area: Protection Core Capability: Physical Protective Measures Course Level: Management Targeted Audience: Private sector Course Provider: DHS/IP Delivery Mechanism: Document Cost/Funding Source: Federally funded Prerequisites: None Course Length: N/A For More Information: NIPP@hq.dhs.gov To obtain these For Official Use Only (FOUO)- designated documents, please visit the Commercial Facilities Publications Webpage ( and follow the instructions to gain access to the Commercial Facilities site on the Homeland Security Information Network - Critical Infrastructure. 9

232 Protective Measures Guide for the U.S. Lodging Industry (FOUO) The Protective Measures Guides provide an overview of possible threats, vulnerabilities, and protective measures designed to assist facility owners and operators in planning and managing security specific to their venue to maintain a safer environment for guests and employees. Mission Area: Protection Core Capability: Physical Protective Measures Course Level: Management Targeted Audience: Private sector Course Provider: DHS/IP Delivery Mechanism: Document Cost/Funding Source: Federally funded Prerequisites: None Course Length: N/A For More Information: NIPP@dhs.gov To obtain these For Official Use Only (FOUO)- designated documents, please visit the Commercial Facilities Publications Webpage ( and follow the instructions to gain access to the Commercial Facilities site on the Homeland Security Information Network - Critical Infrastructure. For More Information: NIPP@hq.dhs.gov To obtain these For Official Use Only (FOUO)- designated documents, please visit the Commercial Facilities Publications Webpage ( and follow the instructions to gain access to the Commercial Facilities site on the Homeland Security Information Network - Critical Infrastructure. Protective Measures Guide for U.S. Sports Leagues (FOUO) The Protective Measures Guides provide an overview of possible threats, vulnerabilities, and protective measures designed to assist facility owners and operators in planning and managing security specific to their venue to maintain a safer environment for guests and employees. Mission Area: Protection Core Capability: Physical Protective Measures Course Level: Management Targeted Audience: Private sector Course Provider: DHS/IP Delivery Mechanism: Document Cost/Funding Source: Federally funded Prerequisites: None Course Length: N/A 10

233 Acronym Appendix Acronym Definition ACEP CBRNE CDC CDP C-IED DHS/IP DHS/IP/OBP FBI FEMA FEMA EMI FLETC FOUO HAZMAT HSIN ICS IED JPO LSU LTATP NIMS NRF NTED OBP PSA SLTT TIIDE UPSBI VBIED American College of Emergency Physicians Chemical, Biological, Radiological, Nuclear, Explosive Centers for Disease Control and Prevention Center for Domestic Preparedness Counter Improvised Explosive Device U.S. Department of Homeland Security, Office of Infrastructure Protection U.S. Department of Homeland Security, Office of Infrastructure Protection, Office for Bombing Prevention Federal Bureau of Investigations Federal Emergency Management Agency Federal Emergency Management Agency Emergency Management Institute Federal Law Enforcement Training Centers For Official Use Only Hazardous Materials Homeland Security Information Network Incident Command System Improvised Explosive Device Joint Program Office Louisiana State University Land Transportation Antiterrorism Training Program National Incident Management System National Response Framework National Training and Education Division Office for Bombing Prevention Protective Security Advisor State, Local, Tribal, and Territorial Terrorism Injuries: Information, Dissemination and Exchange Understanding and Planning for School Bomb Incidents Vehicle-Borne Improvised Explosive Device 11

234 Catalog of Federally Sponsored Counter-IED Training and Education Resources for State, Local, Tribal, & Territorial Partners National Protection and Programs Directorate (NPPD) Office of Infrastructure Protection (IP) Office for Bombing Prevention (OBP) October 2015 Homeland Security

235 This product was developed in coordination with the Joint Program Office for Countering Improvised Explosive Devices (JPO C-IEDs)