Friday, June 9, 2017

WannaCry Ransomware and Industrial Control Systems

The following article was posted on my LinkedIn account and was prepared by me with assistance from several of my colleagues at my employer, BBA (  
The actual article can be located at this LINK.
There’s been substantial discussion in the media and on the interwebs about the ransomware called “WannaCry”. This malicious software (malware), which blocks access to data until a ransom is paid, has been destructive. It’s caused financial consequences as well as extreme inconveniences for critical businesses across the globe, such as the National Healthcare Service in the United Kingdom, which was one of the first and most significant victims of the attack (a total of 300,000 computers in 150 countries had been locked by WannaCry as of the end of May 2017).


Ransomware is a type of malicious software that carries out the cryptoviral extortion attack from a cyber program that blocks access to data until a ransom is paid. It displays a message requesting payment to unlock the data.
Where did ransomware originate? The first documented case appeared in 2005 in the United States, but quickly spread around the world.
How does it affect a computer? The software is normally contained within an attachment to an email that masquerades as something innocent.
How much are victims expected to pay? The ransom demanded varies. Victims of a 2014 attack in the UK were charged $864. However, there’s no guarantee that paying will get your data back.
How did WannaCry operate? It appears to have used a flaw in Microsoft's software, discovered by the National Security Agency and leaked by hackers, to spread rapidly across networks locking away files.


However, it appears that the ransomware was focused on Enterprise IT systems and not on Operational Technology (OT), also known as Industrial Control Systems (ICS), although a small number of U.S. critical infrastructure operators were reportedly affected. In any case, understanding the difference between these two types of systems is crucial to ensuring the cybersecurity of your plant or facility… and to judging whether or not ransomware like WannaCry can affect them.
The above figure illustrates the typical separation between Enterprise Information Technology (IT) and Operational Technology (OT), also known as ICS. Enterprise IT is composed of systems used to run a business: emails, time sheet reporting, finance, expense reporting, purchasing, etc. These systems are normally Windows-based, including Windows Servers and Windows operating systems.
On the OT side of the business, most of the “computers” are small and specialized machines, such as programmable logic controllers (PLCs), distributed control systems (DCSs), engineering workstations, historians (basically focused, real-time databases), etc. Some Windows operating systems are used on the OT side, but there are also many other types of industrial communications protocols for data exchange beyond normal TCP/IP.
Most importantly, Enterprise IT networks are usually connected to the Internet, while OT networks tend to be separated from the world wide web. There are normally no direct communication links between IT and OT networks. That’s why WannaCry ransomware is affecting applications and data on Enterprise IT systems more than on OT systems.
To date, only a handful of cases of infected ICS have been reported. Nonetheless, “the news should put all companies that rely on industrial control systems (ICS) on high alert because the choices available to protect the systems within an industrial process facility are much more limited than those in corporate IT”, explained the CEO of PAS Global this week. Indeed, there are opportunities for WannaCry to locate and encrypt an unpatched Windows system in any ICS.
As of this time, there are no verified examples where WannaCry attacked and “bricked” a human machine interface (HMI) on a factory floor or caused an industrial system to fail quietly or catastrophically. But the opportunities are present wherever Windows operating systems are installed in the ICS in such places as HMIs, ICS engineering workstations, etc. ICS components of a plant are not patched or updated as often as IT systems components for a simple reason: reboot activities and software uploads require a production shutdown or the production lines must be in “safe mode” to avoid undesirable consequences on the production systems.


Here are four basic recommendations to ensure that ransomware, such as WannaCry, doesn’t endanger your production line and operations:
  1. Make sure the ICS is separated from the Enterprise Information Technology (IT) network and from the Internet where the WannaCry malware could migrate.
  2. ICS operators/engineers/security personnel should make it a high priority to patch the Windows systems as soon as practical to reduce the risk and impact of the WannaCry malware.
  3. ICS operators should ensure that any portable media (e.g., USB drives) and/or laptops/test equipment capable of “carrying” the WannaCry malware (or any malware, in all cases) are checked for known malware before the portable media even come into contact with the ICS and its components.
  4. ICS operators, engineers and security personnel should make it a point to closely monitor the US ICS-CERT alerts and advisories or subscribe to their mail alert.
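As an added example (not part of the original article, and not code from BBA or any of the vendors mentioned), the script below turns the first three recommendations into checks an ICS security engineer could run against the records a plant already keeps: firewall flow records, an asset inventory, and a hash list for files found on portable media. Everything in it is an assumption for illustration: the 10.10.0.0/16 (IT) and 10.20.0.0/16 (OT) address plan, the `<src> <dst> <dport> ALLOW|DENY` record format, the inventory field names, and the `KB-PLACEHOLDER` patch identifier standing in for whatever patch your vendor has qualified for the OT hosts. The sample flow log, inventory and file contents are constructed.

```python
"""Audit checks for the IT/OT boundary, OT Windows patch status, and
portable-media hashes. Added illustration; all data below is constructed."""
import hashlib
import ipaddress
from dataclasses import dataclass

# Assumed address plan for the example (hypothetical, not from the article).
OT_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # plant / ICS zone
IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]   # enterprise zone


def zone_of(addr: str) -> str:
    """Classify an address as OT, IT or EXTERNAL (anything else, Internet included)."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in OT_NETS):
        return "OT"
    if any(ip in net for net in IT_NETS):
        return "IT"
    return "EXTERNAL"


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    allowed: bool


def parse_flow(line: str) -> Flow:
    """Parse one record in the assumed format '<src> <dst> <dport> ALLOW|DENY'."""
    src, dst, dport, action = line.split()
    return Flow(src, dst, int(dport), action == "ALLOW")


def boundary_violations(lines):
    """Recommendation 1: permitted flows that enter the OT zone from outside it.
    Any such flow is a path a worm on the IT side could use to reach the ICS."""
    flows = (parse_flow(line) for line in lines if line.strip())
    return [f for f in flows
            if f.allowed and zone_of(f.dst) == "OT" and zone_of(f.src) != "OT"]


def unpatched_ot_windows(inventory, required_patch):
    """Recommendation 2: Windows hosts inside the OT zone that lack the patch.
    Inventory entries are dicts with host, ip, os and a list of applied patch ids."""
    return sorted(h["host"] for h in inventory
                  if zone_of(h["ip"]) == "OT"
                  and h["os"].lower().startswith("windows")
                  and required_patch not in h["patches"])


def media_matches(files, blocklist):
    """Recommendation 3: files on portable media whose SHA-256 is on a known-bad list.
    `files` maps path -> bytes, read on a scanning station before the device
    is allowed near the ICS."""
    return sorted(path for path, data in files.items()
                  if hashlib.sha256(data).hexdigest() in blocklist)


# Constructed sample data (not real logs or assets).
FLOW_LOG = """
10.10.5.21 10.20.1.10 445 ALLOW
10.10.5.21 10.20.1.10 445 DENY
203.0.113.7 10.20.1.11 3389 ALLOW
10.20.1.10 10.20.1.12 502 ALLOW
10.10.5.22 10.10.5.30 445 ALLOW
""".strip().splitlines()

INVENTORY = [
    {"host": "hmi-01", "ip": "10.20.1.10", "os": "Windows 7", "patches": []},
    {"host": "eng-ws-01", "ip": "10.20.1.11", "os": "Windows 10",
     "patches": ["KB-PLACEHOLDER"]},
    {"host": "plc-01", "ip": "10.20.1.12", "os": "PLC firmware", "patches": []},
    {"host": "fin-01", "ip": "10.10.5.30", "os": "Windows Server 2012", "patches": []},
]

SAMPLE_BAD = b"constructed sample payload"          # stands in for a known-bad file
BLOCKLIST = {hashlib.sha256(SAMPLE_BAD).hexdigest()}
USB_FILES = {"E:/tools/update.exe": SAMPLE_BAD, "E:/docs/notes.txt": b"hello"}

if __name__ == "__main__":
    for f in boundary_violations(FLOW_LOG):
        print(f"boundary violation: {f.src} -> {f.dst}:{f.dport}")
    print("unpatched OT Windows hosts:", unpatched_ot_windows(INVENTORY, "KB-PLACEHOLDER"))
    print("known-bad files on media:", media_matches(USB_FILES, BLOCKLIST))
```

Run as-is, the script reports the two permitted inbound flows into the OT zone (one from the IT zone, one from outside), the one OT Windows host still missing the placeholder patch, and the one file on the USB stick whose hash is on the blocklist. The OT-to-OT flow on port 502 is not flagged, since the check is about the boundary, not traffic inside the plant.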


Simply stated, WannaCry can impact ICSs and their susceptible components; it takes hard work and constant, 24/7 due diligence to stay on top of the security of your ICS. Assuming the risk of a breach or successful attack should be a mantra and should always be at the top of everyone’s mind.

Monday, January 9, 2017

DHS Designates Election Infrastructure as a Critical Infrastructure Subsector

On Friday, January 6, 2017, Secretary of the US Department of Homeland Security Jeh Johnson announced that DHS has designated the US Election System as "CRITICAL INFRASTRUCTURE."

In the press release, Johnson noted that "Given the vital role elections play in our country, it is clear that certain systems and assets of election infrastructure meet the definition of critical infrastructure."

According to the press release, "Election Infrastructure" is defined as:

  • Storage facilities
  • Polling places
  • Centralized vote tabulation locations
  • Information and communications technology to include:
    • Voter registration databases
    • Voting machines
    • Other systems to manage the election process and report and display results on behalf of state and local governments

Johnson reiterated that this designation does not mean a federal takeover, regulation or oversight or intrusion concerning elections in the US.  The designation does not change the roles state and local governments have in administering and running elections.

However, the designation as Critical Infrastructure does mean that election infrastructure becomes a priority within the National Infrastructure Protection Plan (NIPP).


Saturday, October 22, 2016

US Elections System as Critical Infrastructure?

What is "Critical Infrastructure?"

According to the US Department of Homeland Security, "Critical Infrastructure" includes those assets, systems, and networks, whether physical or virtual, that are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.

Presidential Policy Directive-21 (PPD-21), "Critical Infrastructure Security and Resilience," identifies 16 critical infrastructure sectors.  These sectors include:

  • Chemical Sector
  • Commercial Facilities Sector
  • Communications Sector
  • Critical Manufacturing Sector
  • Dams Sector
  • Defense Industrial Base
  • Emergency Services Sector
  • Energy Sector
  • Financial Services Sector
  • Food and Agriculture Sector
  • Government Facilities Sector
  • Healthcare and Public Health Sector
  • Information Technology Sector
  • Nuclear Reactors, Materials, and Waste Sector
  • Transportation Sector, and 
  • Water and Wastewater Sector

What About the US Elections System/Sector?

In the news these past six weeks there has been an elevated discussion regarding the US election system and whether or not it should be identified as "Critical Infrastructure" and thus protected in the same way and means as the other 16 identified infrastructures.  This is aggravated by Mr. Trump questioning the integrity of the US election system and elevated concerns raised by the media that our country's enemies may take action to negatively impact the results of the voting on Tuesday, November 8th.

In early August, Secretary of the Department of Homeland Security, Jeh Johnson, observed:

"There's a vital national interest in our election process, so I do think we need to consider whether it should be considered by my department and others as critical infrastructure."  However ... 
"There's no one federal election system. There are some 9,000 jurisdictions involved in the election process," Johnson said. (Link)

So, Johnson's perception is that there is no single "Election Infrastructure Sector" per se and it may be challenging to quickly and effectively identify it as "Critical Infrastructure."

I even heard of this issue at a recent conference held by the North American Electric Reliability Corporation (NERC) where a "new" critical infrastructure sector could be the US election system.

With some investigation by this writer, an article published on September 13, 2016, in Fedscoop was located, noting that DHS Assistant Secretary for Cybersecurity Andy Ozment said DHS will not classify election systems as critical infrastructure before the November 2016 presidential election.

Ozment's quote continued:

"This is not something we're looking to in the near future.  This is a conversation we're having in the long term with state and local government, who are responsible for voting infrastructure.  We're focused right now on what we can usefully offer that local and state government will find valuable.

"From our perspective, it gives us more ability to help.  It does not put DHS in charge."

It will be fascinating to see how this conversation progresses -- especially if Mr. Trump's noisy questioning of the integrity of the voting process continues through and after the presidential election.

At a minimum, perhaps the "Election System Sector" could be included under the auspices of the "Government Sector" Critical Infrastructure designation rather than adding "Number 17."


Tuesday, October 18, 2016

Review - WEF Global Competitiveness Report

This September 2016 the World Economic Forum (WEF) published its annual Global Competitiveness Report 2016-17.  This report is almost 400 pages of a fairly comprehensive analysis of each country in the world and its relative competitiveness based on 12 separate factors (shown below):

These 12 factors are in turn grouped into key elements for:

  • Factor-Driven Economies
  • Efficiency-Driven Economies, and
  • Innovation-Driven Economies
For instance, Institutions and Infrastructure are key "Basic" requirements necessary for an economy to thrive and compete.

The WEF analysis then used these factors to ascertain the competitiveness of a country relative to the rest of the world as well as to its geographic region in many cases.  For instance, the top 10 most competitive countries using this methodology are:

And the bottom 10 are:

Infrastructure Factor

The elements reviewed to calculate each factor are listed in the "Technical Notes and Sources" section at the end of the report.  Since this blog is focused on infrastructure, there is interest in the elements included in this calculation.  These include the following:

  • Quality of overall infrastructure
  • Quality of roads
  • Quality of railroad infrastructure
  • Quality of port infrastructure
  • Quality of air transport infrastructure
  • Available airline seat kilometers
  • Quality of electricity supply
  • Mobile-cellular telephone subscriptions
  • Fixed telephone lines
At first glance, this list is missing such elements as fresh/potable water supply, food availability and distribution, etc.  However, the "Technological Readiness" factors include the following that could be considered part of the strength of a country's infrastructure:

  • Availability of latest technologies
  • Firm-level technology absorption
  • Foreign Direct Investment and technology transfer
  • Internet users
  • Fixed broadband Internet users
  • Internet bandwidth
  • Mobile broadband subscriptions


As usual, the quality and content of this report are very good.  It is compelling and interesting and a useful reference for country policy development.


Friday, July 29, 2016


In early July the U.S. Department of Homeland Security (DHS)/Office of Cyber and Infrastructure Analysis (OCIA) published an analysis entitled Impact of Population Shifts on Critical Infrastructure.  The report is a very compelling and interesting read and gives you a sense of how hard it is to augment infrastructure when the population is increasing (such as in the areas where fracking is in progress) and how difficult it is to maintain current infrastructure when your tax base -- i.e., population -- is leaving, as in the Rust Belt of the US.

To give the reader a sense of where this is happening, the areas in the continental US where population increase and decline may contribute to stresses on the installation and maintenance of critical infrastructure are shown in the map below:

The map does reflect population shifts from the Northeast and Midwest to the South and West -- especially Texas, Georgia and Arizona/Nevada. According to the report, the new growth is in part because of high-technology magnet areas in the West and South, energy development of shale gas and shale oil in rural areas throughout the country, and regrowth in cities in the South and West with housing-led reversals. This growth is also partially because of lower costs of living, potentially including lower tax rates.

Rapidly increasing populations result in:

  • Increased demand for services
  • Increased infrastructure use
  • Increased rural roadway use requiring expensive reconstruction and repair
  • Reduced available downtime for infrastructure maintenance and repairs
  • Challenges in funding immediately needed infrastructure upgrades since available money may be delayed due to tax and revenue stream deferrals to later years.
  • Increased frequency and severity of disruptions to water and wastewater systems

Reduced populations result in:
  • Reduced tax base resulting in funding shortfalls for infrastructure maintenance and repairs
  • Uneven population densities within metro areas


The report does offer some approaches to address both increasing and declining populations and their impacts on critical infrastructure.  The key recommendations for both cases are:
  1. Strategic Planning -- For rapidly increasing population growth, strategic planning is critical for meeting increases in demand -- especially because of the lead-time needed for financing; designing and planning projects; obtaining regulatory approvals; siting and constructing the infrastructure.
  2. Public-Private Partnerships -- These partnerships and their collective approach can be useful for infrastructure planning/development/maintenance during times of population growth or decline.  Don't forget, most of the critical infrastructure in the US is privately owned.  And because these private entities rely on state/local government approval to deploy large infrastructure projects their partnership and cooperation is critical.

Thursday, June 23, 2016


My full-time job is that of a security consultant, but I am also a hobbyist student of geopolitics.  My favorite (or is that favourite) publication in this regard is The Economist published weekly.  Unfortunately due to my consulting work along with other personal and professional obligations I often don't have the opportunity to really "read" the magazine from cover-to-cover.  But, rather than place the magazine on my notorious "to be read" stack, I have established a technique I'd like to share on how I can take some quality time to glean the contents of the magazine and at least add quickly to my geopolitical knowledge.
When I receive the magazine, the first section I turn to is Contents.  Here I read the different titles of the articles, but I'm especially sure to read the side-boxes (see below) since they offer a good sense of the themes covered in this week's issue.
Figure 1 - Read the Boxes
This is the most interesting and most effective part of my time with The Economist.  On these three pages, I get to view and digest the weekly cartoon and then get a good flavor of the world's news that I certainly don't obtain from the US television or newspapers.  For instance, in this week's issue, there is news from Nigeria, Kenya, Ethiopia, Bahrain, Indonesia, Bangladesh besides the "normal" news sources of the US political scene, China, Paris and of course the UK.
PHASE III: LEADERS (~ Pages 13-17)
This part of the magazine is my favorite.  Here you can gain a sense of the pros/cons, plusses/minuses of the issues raised by the editors of the magazine.  I especially like the coverage of these editorial comments since they cover most of the world and, again, are not focused on the US.  Yes, there are comments on US politics (e.g., the 2016 election, Orlando, etc.) but the other editorial coverage is in areas that I am not familiar or often exposed.  
Finally, during my 15 minutes of quality time with the magazine, I'll skim through the different sections usually pausing on some of the editorials, reviewing any graphics/maps, and speeding through the different text boxes.
Of course, if I'm ready to get on a plane or have some added time then I'll be sure to read the magazine in more depth but my focal points will generally begin with my four phases above.
If you don't already subscribe to The Economist, I'd highly recommend you do.  You'll find that the view offered is so much superior to US television, and it is more portable than my other favorite reads, The New York Times or Washington Post.

Monday, May 23, 2016

Earthquake Risk and US Highway Infrastructure

Thanks to our friends at the Federation of American Scientists (FAS) a recent Congressional Research Service report entitled Earthquake Risk and U.S. Highway Infrastructure: Frequently Asked Questions was posted.  This 11-page report is an excellent overview of the current state of natural and man-made (read - "Fracking") earthquake impact on the US highway system.

Two figures in the report are very telling as to the concentration of earthquakes and implications on "Shaking expected for Tall Structures Like Bridges" (below)...

as well as a graphic showing the chance of human-induced and natural earthquakes.  (Look at the concentration around Oklahoma, presumably due to fracking.)

Key Comments in the Report

The report approaches these issues in FAQ form; here are some quick highlights:

Q:  What Are the Components of Seismic Risk?

A:  Seismic risk to a highway system is determined by three factors:

  • Likelihood of seismic events of varying magnitudes, and related physical events, often referred to as the hazard;
  • Vulnerability of highway structures to damage from such events; and
  • Potential consequences of that vulnerability (e.g., lives lost, economic disruption, etc.)

Q: How Vulnerable Is the U.S. Highway System?

A:  "No national database exists on the seismic design and retrofit status of highway system components; thus, a perspective on vulnerability at the national level is unavailable.  However, many states with large seismic hazards have compiled data on the vulnerability of highway components within their borders..."

Q:  How Vulnerable are Highway Bridges?

A: Basically many of the most vulnerable older bridges -- particularly in the West Coast States -- have been retrofitted to improve seismic resilience; however, many older bridges (around 13,000) in the New Madrid seismic zone (AR, IL, IN, KY, MO, MS, TN) have not been retrofitted.

Q: How Costly is Retrofitting Highway Infrastructure?

A:  Because no national data exist on the status of retrofitting existing highway bridges or other infrastructure (e.g., tunnels, highway systems), no national estimates exist.


If you are involved in transportation policy or a student of infrastructure, this is a useful starting point to give you a sense of the daunting task of improving the resilience of highway structures against earthquakes.