Emergency Preparedness and Response for Equipment and Infrastructure Failure
Infrastructure failure is the destruction of, or interruption of services provided by, critical infrastructure. The Cybersecurity and Infrastructure Security Agency (CISA) defines critical infrastructure as:
“the physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.”
Equipment and infrastructure failure can be localized — affecting one organization or facility, for example — or widespread, affecting multiple infrastructure sectors throughout the community. Infrastructure sectors are highly interdependent, so an emergency or disaster that affects one sector will likely affect another sector.
The impact of equipment and infrastructure failure may be greater for rural communities compared to urban. Rural areas are more likely to experience infrastructure failures, such as power outages, and it may take longer to repair, rebuild, and maintain infrastructure in rural areas.
Types of Infrastructure Failures
CISA identifies 16 critical infrastructure sectors. Rural communities rely on many of these infrastructure sectors, and a failure in one or more of these sectors may result in an emergency. A subset of these sectors, for which rural-specific examples are available, are described below.
Critical Manufacturing Sector – represents manufacturing industries vital to the economy. This sector produces electrical equipment, appliances, metal, machinery, engines, rail cars, and more. In 2015, 14% of rural private non-farming jobs were in the manufacturing sector, compared to 7% for urban, and the share of earnings in this sector is even higher. An emergency at a manufacturing facility endangers lives as well as local rural economies. Risks that this sector is vulnerable to include terrorism, natural disasters, and cyberattacks.
Dams Sector – includes levees, dams, hydropower plants, hurricane barriers, and more that provide water retention and control services for municipal, industrial, agricultural, and recreational purposes. Failure in this sector can result in casualties, property and agricultural damage, loss of drinking water, health and environmental harm, and flooding. Risks that this sector is vulnerable to include natural disasters, aging infrastructure, and population growth and development. In 2020, the failure of the Edenville Dam in rural Michigan resulted in millions of dollars in losses and forced the evacuation of thousands of people.
Energy Sector – includes the production, refining, storage, and distribution of natural gas, oil, and electricity, not including hydroelectric and nuclear power. Risks that this sector is vulnerable to include accidents, aging infrastructure, cyber and physical security threats, and natural disasters. In rural areas, a power grid failure would disrupt care within healthcare facilities, as electronic health records and equipment rely on electricity to operate. The Centers for Medicare and Medicaid Services (CMS) have specific emergency preparedness regulations related to power for Rural Health Clinics (RHCs) and Federally Qualified Health Centers (FQHCs). Hospitals also have regulations about having backup power supplies, such as generators, in case of a power outage. In addition, people on oxygen or with other medical needs, such as medication that needs to be refrigerated, are at increased vulnerability in power outages. Rural healthcare facilities are often isolated and serve large geographic areas, which can make them more vulnerable to power outages.
Food and Agriculture Sector – includes the production, processing, storing, and delivery systems related to food and agriculture, including farms, restaurants, and facilities that manufacture, process, and store food. Risks that this sector is vulnerable to include intentional or accidental food contamination, severe weather events, diseases and pests, and cybersecurity. Agriculture is an important aspect of rural socioeconomic systems, and its disruption affects local rural economies and overall well-being.
Information Technology Sector – includes software, hardware, and IT systems, products, and services. This sector connects people, business, and governments around the world. This sector is vulnerable to cyberattacks and natural disasters. Critical Access Hospitals and other rural hospitals had vulnerable IT systems before the pandemic and, since the start of the pandemic, there has been an increase in cyberattacks against healthcare organizations. Rural hospitals and healthcare organizations can protect themselves by maintaining appropriate HIPAA policies and practices, including risk assessments, incident response, and system monitoring; regularly backing up data; training staff on cybersecurity; installing and maintaining anti-malware software; and more.
Transportation Systems Sector – includes infrastructure to support the movement of people and supplies via airplanes, cars, trucks, trains, and other vehicles. This sector is vulnerable to natural disasters, cyber threats, terrorism, and accidents. Roads, highways, and bridges are critical infrastructure that connect rural communities to healthcare, food, and employment. Some rural communities have experienced population decline in the last few years, leading to a decrease in road usage. Rural roads, which account for 71% of national road mileage, may be susceptible to infrastructure failure because states may struggle to maintain lesser-used roads while simultaneously meeting the road usage needs of growing rural and urban areas.
Water and Wastewater Systems Sector – includes drinking water and wastewater systems. This sector is vulnerable to natural disasters, aging infrastructure, and a variety of attacks including physical, cyber, and bioterrorist attacks, such as intentional contamination. Some rural areas may be limited to one source of water, making it difficult to access potable water during an emergency. Small communities usually get their drinking water from underground aquifers. Other water sources include wells, springs, and cisterns.
Planning, Response, and Recovery Considerations
Preparedness planning for infrastructure focuses on increasing security and resiliency. The 2013 National Infrastructure Protection Plan (NIPP) uses a public-private risk management approach to increase infrastructure security and resiliency on the national, regional, state, and local levels. To implement this framework, it is important to identify the physical, human, and cyber elements of infrastructure to incorporate them throughout preparedness planning. In addition, the framework highlights the importance of information sharing between private and public partners throughout each step of the approach. The steps of the framework are:
- Set goals and objectives
- Identify infrastructure
- Assess and analyze risks
- Implement risk management activities
- Measure effectiveness
Since the disruption of services provided by infrastructure could have devastating health and security effects, it is important to create continuity plans to facilitate the continuation of essential infrastructure services in an emergency. According to FEMA, continuity planning includes “identify[ing] the resources, space requirements, costs, interdependencies, work flow processes, and support functions that ensure the continued performance of the organization's EFs [essential functions].” For more information, see Continuity Planning in Module 2.
While the common infrastructure sectors are often viewed individually, most of them are linked in multiple ways. Additionally, infrastructure is present at the national, state, and local levels. Failure can be widespread or localized, and response will vary depending on the scope of the failure. For example, if a power outage affects your town, you may seek help from or evacuate to nearby towns. If a power outage affects the entire state, response will be different. Rural planning, response, and recovery should consider the interdependencies that exist between and across sectors and the geographic scope of the failure.
Infrastructure failure can be caused by aging infrastructure, human error, and intentional attacks. It is important to keep in mind that natural disasters and other extreme weather events can also cause infrastructure failure in one or more sectors, creating a co-disaster. Functioning of critical infrastructure is commonly threatened by other emergencies and disasters including extreme weather, such as floods, tornadoes, and fires; biological threats, such as pandemics and bioterrorism and chemical emergencies.
Critical infrastructure resilience is defined as “the level of internal preparedness of critical infrastructure [sectors] for emergencies or the ability of these [sectors] to perform and maintain their functions when negatively affected by internal and/or external factors.” Like preparedness, resiliency is a cyclical process that continually strengthens sectors to minimize vulnerability to disasters, emergencies, and failures. The phases of critical infrastructure resilience are:
- Prevention – the overall preparedness and protection of each sector before an emergency occurs
- Absorption – a sector's ability to absorb the effects of an emergency
- Recovery – the capacity of a sector to recover functionality following an emergency
- Adaption – a sector's ability to adapt to any long-lasting effects an emergency may have
Emergency Preparedness and Response Case Studies
Unseen Threat Actor Attacks a Critical Access Hospital's Digital Network in Sandusky, Michigan
In March 2022, McKenzie Health System, a Critical Access Hospital in Sandusky, Michigan, fell victim to an unseen actor that threatened to release personal health information if a ransom was not paid. The attack was discovered 24 hours after it was launched, and the suspected source was a phishing email. The hospital responded by determining what was happening, where the attack was coming from, and who was responsible as well as quickly shutting down the online system to minimize the attack. Since McKenzie Health staff had previous experience with digital interruptions, they were able to smoothly transition to a fully offline system following the discovery of the attack. Fortunately, McKenzie Health had prepared to respond to such an attack. IT security measures included staff education, a firewall, and an offsite backup system that helped recover processes and information. The hospital carried cybersecurity insurance, which included access to law firms, risk assessment, and a threat actor negotiator. McKenzie Health had also engaged a disaster recovery organization that was still supporting recovery efforts four months after the attack.
Battery Fire and Community Financial Support in Grundy County, Illinois
Approximately 3,000 residents in Grundy County, Illinois, were forced to evacuate after an industrial fire burned thousands of pounds of lithium batteries in the summer of 2021. The community and response agents were prepared for the disaster since it was the fifth major disaster in eight years. The Community Foundation of Grundy County was instrumental in response efforts. The Community Foundation receives donations from private citizens even when there is not an active disaster to build up a fund for when an emergency strikes. This local organization was able to support evacuees by providing cash assistance and connecting individuals to small community nonprofits that the foundation had previous connections with.
Fire Power Outage Impacts San Luis Valley Health Regional Medical Center
In late December 2021, the San Luis Valley Regional Medical Center, a rural hospital in Alamosa, Colorado, experienced a power outage. The Marshall fire, taking place in Boulder County, threatened a utility provider's energy infrastructure, so the company preventively shut power down in various counties outside of the fire area. The hospital had an emergency action plan designed for a 2-hour power outage, which was the estimated amount of time they would be without power. However, the outage turned out to be 4.5 hours long. Although the generators were able to manage, the hospital found problems with the steam pumps and food coolers. These issues were mitigated through quick problem-solving and, by implementing the emergency action plan, the hospital survived the power outage without any casualties or health-related patient issues.
Resources to Learn More
Incident Annex to the Response and Recovery Federal Interagency Operational Plans: Managing the Cascading
Impacts from a Long-Term Power Outage
Power outage response and recovery guidance for federal departments and agencies supporting local, state, tribal, and territorial officials in their emergency management response to long-term power outages. Covers the roles and responsibilities of the private and public sector in coordinating power restoration.
Organization(s): Federal Emergency Management Agency (FEMA)
Offers information and resources about the National Dam Safety Program and its role in reducing the risk to human life, property, and environment by encouraging and promoting federal and state dam safety. Provides training and technical assistance opportunities, identifies funding opportunities, and includes a national inventory of dams.
Organization(s): Federal Emergency Management Agency (FEMA)
Briefing Series: Rural Communities, Climate, and COVID-19
A series of three online videos on the challenges rural communities face due to the impact of climate change and COVID-19 recovery. Discusses the implementation of energy-efficient programs, the role of biofuels in the rural economy, options for reducing greenhouse gases, the low investment in infrastructure, and solutions developed to overcome the challenges of disasters.
Organization(s): Environmental and Energy Study Institute (EESI)
Security and Risk Assessments for Rural Hospitals
Provides information on cybersecurity threats and risks faced by rural hospitals as well as the procedures used to protect them. Discusses care delivery reform, health information technology, and types of health information security affecting patient care.
Organization(s): Center for Optimizing Rural Health
Planning for Power
Outages: A Guide for Hospitals and Healthcare Facilities
Discusses the impacts of a hospital and healthcare facility power outages and asks questions to assist in the development of a preparedness strategy, which includes a relationship with local electric utilities.
Organization(s): Healthcare & Public Health Sector Coordinating Councils
Facilities and Power Outages: Guidance for State, Local, Tribal, Territorial, and Private Sector
Offers advice and resources for state, local, tribal, territorial, and private sector partners to increase the resilience of healthcare facilities when experiencing power outages. Covers preparedness standards and challenges, methods to integrate emergency preparedness in a community, and techniques for prioritizing assistance to various healthcare facilities during power outages.
Organization(s): Federal Emergency Management Agency (FEMA), Administration for Strategic Preparedness and Response (ASPR)