Emergency Preparedness and Response for Equipment and Infrastructure Failure
Infrastructure failure is the destruction of, or interruption of services provided by, critical infrastructure.
The Cybersecurity and Infrastructure Security Agency (CISA) defines critical infrastructure as
“the physical and cyber systems and assets that are so vital to the United States that their
incapacity or destruction would have a debilitating impact on our physical or economic security or public health
Equipment and infrastructure failure can be localized — affecting one organization or facility, for
example — or widespread, affecting multiple infrastructure sectors throughout the community.
Infrastructure sectors are highly interdependent, so an emergency or disaster that affects one sector will
likely affect another sector.
The impact of equipment and infrastructure failure may be greater for rural communities than for urban communities. Rural
areas are more likely to experience infrastructure failures, such as power outages, and it may take longer to
repair, rebuild, and maintain infrastructure in rural areas.
Types of Infrastructure Failures
CISA identifies 16 critical
infrastructure sectors. Rural communities rely on many of these infrastructure sectors, and a failure in
one or more of these sectors may result in an emergency. A subset of these sectors, for which rural-specific
examples are available, is described below.
Critical Manufacturing Sector – represents manufacturing industries vital to the economy. This
sector produces electrical equipment, appliances, metal, machinery, engines, rail cars, and more. In 2015,
14% of rural private non-farming jobs were in the manufacturing sector, compared to 7% for urban, and the share
of earnings in this sector is even higher. An emergency at a manufacturing facility endangers lives as well as
local rural economies. Risks that this sector is vulnerable to include terrorism, natural disasters, and
Dams Sector – includes levees, dams, hydropower plants, hurricane barriers, and more that
provide water retention and control services for municipal, industrial, agricultural, and recreational purposes.
Failure in this sector can result in casualties, property and agricultural damage, loss of drinking water,
health and environmental harm, and flooding. Risks that this sector is vulnerable to include natural disasters,
aging infrastructure, and population growth and development. In 2020, the failure of the Edenville Dam in rural
Michigan resulted in millions of dollars in losses and forced the evacuation of thousands of people.
Energy Sector – includes the production, refining, storage, and distribution of natural gas,
oil, and electricity, not including hydroelectric and nuclear power. Risks that this sector is vulnerable to
include accidents, aging infrastructure, cyber and physical security threats, and natural disasters. In rural
areas, a power grid failure would disrupt care within healthcare
facilities, as electronic health records and equipment rely on electricity to operate. The Centers for
Medicare and Medicaid Services (CMS) have specific emergency preparedness regulations related to power for Rural
Health Clinics (RHCs) and Federally Qualified Health Centers (FQHCs). Hospitals also have regulations about
having backup power supplies, such as generators, in case of a power outage. In addition, people on oxygen or
with other medical needs, such as medication that needs to be refrigerated, are at increased vulnerability in
power outages. Rural healthcare facilities are often isolated and serve large geographic areas, which can make
them more vulnerable to power outages.
Food and Agriculture Sector – includes the production, processing, storing, and delivery
systems related to food and agriculture, including farms, restaurants, and facilities that manufacture, process,
and store food. Risks that this sector is vulnerable to include intentional or accidental food contamination,
severe weather events, diseases and pests, and cybersecurity. Agriculture is an important aspect of rural
socioeconomic systems, and its disruption affects local rural economies and overall well-being.
Information Technology Sector – includes software, hardware, and IT systems, products, and
services. This sector connects people, business, and governments around the world. This sector is vulnerable to
cyberattacks and natural disasters. Critical Access Hospitals and other rural hospitals had vulnerable IT
systems before the pandemic and, since the start of the pandemic, there has been an increase in cyberattacks
against healthcare organizations. Rural hospitals and healthcare organizations can protect
themselves by maintaining appropriate HIPAA policies and practices, including risk assessments, incident
response, and system monitoring; regularly backing up data; training staff on cybersecurity; installing and
maintaining anti-malware software; and more.
Transportation Systems Sector – includes infrastructure to support the movement of people and
supplies via airplanes, cars, trucks, trains, and other vehicles. This sector is vulnerable to natural
disasters, cyber threats, terrorism, and accidents. Roads, highways, and bridges are critical infrastructure
that connect rural communities to healthcare, food, and employment. Some rural communities have experienced
population decline in the last few years, leading to a decrease in road usage. Rural roads, which account for
71% of national road mileage, may be susceptible to infrastructure failure because states may struggle to
maintain lesser-used roads while simultaneously meeting the road usage needs of growing rural and urban areas.
Water and Wastewater Systems Sector – includes drinking water and wastewater systems. This
sector is vulnerable to natural disasters, aging infrastructure, and a variety of attacks including physical,
cyber, and bioterrorist attacks, such as intentional contamination. Some rural areas may be limited to one
source of water, making it difficult to access potable water during an emergency. Small communities usually get
their drinking water from underground aquifers. Other water sources include wells, springs, and cisterns.
Planning, Response, and Recovery Considerations
Preparedness planning for infrastructure focuses on increasing security and resiliency. The 2013
National Infrastructure Protection Plan (NIPP) uses a public-private risk management approach to
increase infrastructure security and resiliency on the national, regional, state, and local levels. To implement
this framework, it is important to identify the physical, human, and cyber elements of infrastructure to
incorporate them throughout preparedness planning. In addition, the framework highlights the importance of
information sharing between private and public partners throughout each step of the approach. The steps of the
- Set goals and objectives
- Identify infrastructure
- Assess and analyze risks
- Implement risk management activities
- Measure effectiveness
Since the disruption of services provided by infrastructure could have devastating health and security effects,
it is important to create continuity plans to facilitate the continuation of essential infrastructure services
in an emergency. According to FEMA, continuity
planning includes “identify[ing] the resources, space requirements, costs, interdependencies, work
flow processes, and support functions that ensure the continued performance of the organization's EFs [essential
functions].” For more information, see Continuity Planning in
While the common infrastructure sectors are often viewed individually, most of them are linked in multiple ways.
Additionally, infrastructure is present at the national, state, and local levels. Failure can be widespread or
localized, and response will vary depending on the scope of the failure. For example, if a power outage affects
your town, you may seek help from or evacuate to nearby towns. If a power outage affects the entire state,
response will be different. Rural planning, response, and recovery should consider the interdependencies that
exist between and across sectors and the geographic scope of the failure.
Infrastructure failure can be caused by aging infrastructure, human error, and intentional attacks. It is
important to keep in mind that natural disasters and other extreme weather events can also cause infrastructure
failure in one or more sectors, creating a co-disaster. Functioning of critical infrastructure is commonly
threatened by other emergencies and disasters including extreme weather, such as floods, tornadoes, and
fires; biological threats, such as pandemics and bioterrorism; and chemical emergencies.
Critical infrastructure resilience is defined as “the
level of internal preparedness of critical infrastructure [sectors] for emergencies or the ability of these
[sectors] to perform and maintain their functions when negatively affected by internal and/or external factors.”
Like preparedness, resiliency is a cyclical process that continually strengthens sectors to minimize
vulnerability to disasters, emergencies, and failures. The phases of critical infrastructure resilience are:
- Prevention – the overall preparedness and protection of each sector before an emergency occurs
- Absorption – a sector's ability to absorb the effects of an emergency
- Recovery – the capacity of a sector to recover functionality following an emergency
- Adaption – a sector's ability to adapt to any long-lasting effects an emergency may have
Emergency Preparedness and Response Case Studies
Unseen Threat Actor Attacks a Critical Access Hospital's Digital Network in Sandusky, Michigan
In March 2022, McKenzie Health System, a Critical Access Hospital in Sandusky, Michigan, fell victim to an
unseen actor that threatened to release personal health information if a ransom was not paid. The attack was
discovered 24 hours after it was launched, and the suspected source was a phishing email. The hospital responded
by determining what was happening, where the attack was coming from, and who was responsible as well as quickly
shutting down the online system to minimize the attack. Since McKenzie Health staff had previous experience with
digital interruptions, they were able to smoothly transition to a fully offline system following the discovery
of the attack. Fortunately, McKenzie Health had prepared to respond to such an attack. IT security measures
included staff education, a firewall, and an offsite backup system that helped recover processes and
information. The hospital carried cybersecurity insurance, which included access to law firms, risk assessment,
and a threat actor negotiator. McKenzie Health had also engaged a disaster recovery organization that was still
supporting recovery efforts four months after the attack.
Battery Fire and Community Financial Support in Grundy County, Illinois
Approximately 3,000 residents in Grundy County, Illinois, were forced to evacuate after an industrial fire
burned thousands of pounds of lithium batteries in the summer of 2021. The community and response agents were
prepared for the disaster since it was the fifth major disaster in eight years. The Community Foundation of
Grundy County was instrumental in response efforts. The Community Foundation receives donations from private
citizens even when there is not an active disaster to build up a fund for when an emergency strikes. This local
organization was able to support evacuees by providing cash assistance and connecting individuals to small
community nonprofits that the foundation had previous connections with.
Fire Power Outage Impacts San Luis Valley Health Regional Medical Center
In late December 2021, the San Luis Valley Regional Medical Center, a rural hospital in Alamosa, Colorado,
experienced a power outage. The Marshall fire, taking place in Boulder County, threatened a utility provider's
energy infrastructure, so the company preventively shut power down in various counties outside of the fire area.
The hospital had an emergency action plan designed for a 2-hour power outage, which was the estimated amount of
time they would be without power. However, the outage turned out to be 4.5 hours long. Although the generators
were able to manage, the hospital found problems with the steam pumps and food coolers. These issues were
mitigated through quick problem-solving and, by implementing the emergency action plan, the hospital survived
the power outage without any casualties or health-related patient issues.
Resources to Learn More
Incident Annex to the Response and Recovery Federal Interagency Operational Plans: Managing the Cascading
Impacts from a Long-Term Power Outage
Power outage response and recovery guidance for federal departments and agencies supporting local, state,
tribal, and territorial officials in their emergency management response to long-term power outages. Covers the
roles and responsibilities of the private and public sector in coordinating power restoration.
Organization(s): Federal Emergency Management Agency (FEMA)
Offers information and resources about the National Dam Safety Program and its role in reducing the risk to
human life, property, and environment by encouraging and promoting federal and state dam safety. Provides
training and technical assistance opportunities, identifies funding opportunities, and includes a national
inventory of dams.
Organization(s): Federal Emergency Management Agency (FEMA)
Briefing Series: Rural Communities, Climate, and COVID-19
A series of three online videos on the challenges rural communities face due to the impact of climate change and
COVID-19 recovery. Discusses the implementation of energy-efficient programs, the role of biofuels in the rural
economy, options for reducing greenhouse gases, the low investment in infrastructure, and solutions developed to
overcome the challenges of disasters.
Organization(s): Environmental and Energy Study Institute (EESI)
Security and Risk Assessments for Rural Hospitals
Provides information on cybersecurity threats and risks faced by rural hospitals as well as the procedures used
to protect them. Discusses care delivery reform, health information technology, and types of health information
security affecting patient care.
Organization(s): Center for Optimizing Rural Health
Planning for Power Outages: A Guide for Hospitals and Healthcare Facilities
Discusses the impacts of hospital and healthcare facility power outages and asks questions to assist in the
development of a preparedness strategy, which includes a relationship with local electric utilities.
Organization(s): Healthcare & Public Health Sector Coordinating Councils
Facilities and Power Outages: Guidance for State, Local, Tribal, Territorial, and Private Sector
Offers advice and resources for state, local, tribal, territorial, and private sector partners to increase the
resilience of healthcare facilities when experiencing power outages. Covers preparedness standards and
challenges, methods to integrate emergency preparedness in a community, and techniques for prioritizing
assistance to various healthcare facilities during power outages.
Organization(s): Federal Emergency Management Agency (FEMA), Administration for Strategic
Preparedness and Response (ASPR)