CISA Guide to Pandemic Response: Critical Infrastructure Operations Centers and Control Rooms

The Cybersecurity and Infrastructure Security Agency (CISA) has released a guide, Critical Infrastructure Operations Centers and Control Rooms Guide for Pandemic Response, geared towards all 16 critical infrastructure sectors. The guide provides considerations and mitigation measures for operation centers and control rooms, but can be applied further to any critical node that is required to continue functioning in a pandemic environment.

According to CISA, operations centers and control rooms often operate 24/7, depend on unique equipment, and require specially trained staff who are difficult to replace. As a result, specialized equipment and long lead times required to train personnel mean there is a higher risk to sustaining reliable operations, says the guide. Fortunately, operations centers and control rooms are generally isolated and physically secure, and may be more conducive to the sequestration of on-site staff if needed.

COORDINATION WITH FEDERAL, STATE, AND OTHER AUTHORITIES

Engage with relevant Federal, State, local, and/or industry authorities to develop appropriate solutions for operations center and control room personnel in your jurisdiction(s)
Prioritize testing for asymptomatic personnel by medical professionals
Develop a mechanism (e.g., badging, letter) to allow for identification and free movement of mission-essential
personnel when a quarantine/curfew or other travel restriction is in place
Consider temporarily waiving, relaxing, or suspending certification or other regulatory requirements
Authorize priority supply of sanitizing supplies and personal protective equipment (PPE)
Empower non-medical professionals (e.g., control center managers and supervisors) to administer health questionnaires and temperature checks using appropriate PPE while following the U.S. Equal Employment Opportunity Commission (EEOC) and Occupational Safety and Health Administration (OSHA) guidelines

COMMUNICATION AND INFORMATION SHARING

Involve union leadership, if applicable, in discussions around possible mitigation strategies from the beginning to ensure transparency and collaboration
Develop compensation, attendance, reliability, and other related policies that will apply during these conditions
Reinforce importance of staying home when sick or symptomatic
Reinforce the importance of social distancing at work and on personal time and utility of cloth face masks
Provide clear symptom-reporting guidance to employees for at-home, self-administered wellness checks and/or observations while on-shift, thereby encouraging robust open, frequent, and rapid communications
Build the Centers for Disease Control and Prevention’s (CDC) current travel and self-quarantine advisories into event planning and travel arrangements, and introduce practices to increase awareness of employees’ personal travel plans to high-risk areas or where there are active advisories
Establish protocols for reporting cases and any resulting quarantine, facility shutdown, and cleaning actions

KEY MITIGATION MEASURES – PROTECTING PERSONNEL

Identify a dedicated, physically separated building entrance for mission-essential personnel where possible
Pre-Screen: measure the employee’s temperature and assess symptoms prior to them starting work, ideally before the individual enters the facility
Increase handwashing stations, sanitizing supplies and PPE; post CDC and state health department safetyhygiene information at the entrance to operations centers and control rooms
Increase cleaning frequency of common areas for critical personnel (e.g., kitchens, locker rooms, bathrooms)
Create greater physical separation of operations center and control room operator workstations, increase ventilation or utilize adjacent rooms where possible, and reduce or eliminate interactions across shifts
Limit non-essential personnel from entering the area of the operations center and control room (e.g., no outside visitors, non-essential meetings in rooms in near proximity)
Limit the hazard from essential personnel such as VIPs, field operators, and contractors/vendors and limit access to critical activities (e.g., health screening before being allowed onsite for visits, deliveries, repairs, etc.)

KEY MITIGATION MEASURES – PROTECTING EQUIPMENT

Provide individually assigned peripheral equipment (e.g., mice/keyboards/handsets/headsets/chairs)
Increase frequency and extent of cleaning and disinfecting surfaces and equipment that come into routine contact with multiple people (CDC Cleaning and Disinfection Guidance), and use a wipeable cover where possible
Anticipate and prepare for pandemic-themed opportunistic social engineering attacks and take steps to ensure continued visibility, patching, and maintenance of cyber assets in the event of staffing disruptions

KEY MITIGATION MEASURES – WORKFORCE PLANNING

Divide essential teams into shifts, cutting hours to ensure that no two groups of employees overlap
Segregate crews on shift work and split system operators (days/nights or split individual shifts) between primary, backup, and contingency (reserve) operations centers and control rooms. Operating shifts in different locations should provide a 12-hour window to sanitize equipment
Sequester and maintain a completely healthy shift or “reserve force” taken out of normal rotation who can step in when minimum staffing levels cannot be met
Develop a supplemental staffing plan for potential use of retirees, supervisors, managers, and engineers with the requisite skills to backfill operations center and control room personnel and support staff, as required
Request and provide mutual assistance and sharing of operators with other similar organizations
Make available employee assistance programs and other professional services

KEY MITIGATION MEASURES – IN THE EVENT OF EXPOSURE

Personnel: Consult Implementing Safety Practices for Critical Infrastructure Workers Who May Have Had Exposure to a Person with Suspected or Confirmed COVID-19

Quarantine staff on shift with impacted operator(s) – may require extending work hours of non-impacted shifts
Reduce operations where possible to decrease the workload of operations center and control room staff
Implement a supplemental staffing plan – may include refresher training and simulations offered for supervisors, managers, engineers, and retirees with the requisite skills to backfill control room staff
Temporarily sequester non-impacted shifts onsite and increase access to onsite medical services if available

Equipment

Clean porous (soft) surfaces near workstation(s) (e.g., cloth, leather, and faux leather seats within manufacturers guidelines)
Clean non-porous (hard) surfaces near work-stations (e.g., desk, communication devices, chairs, etc.) with disinfectant products expected to be effective against the virus that causes COVID-19 (SARS-CoV2) ensuring these products are compatible with surfaces/components and used according to instructions
Clean lavatories used by the symptomatic employee, including door handle, locking device, toilet seat(s), faucet(s), washbasin(s), adjacent walls, and counter(s)

With the advent of Internet of Things (IoT) technology and Industrial Internet of Things (IIoT), the cyber security practices are increasingly getting integrated with the physical security practices.

We will provide insight on NDAA Section 889 and how the act has evolved and impacted business, so that organizations can better mitigate risk and stay compliant.