Monday, February 8, 2016


As I began writing this blog post the World Economic Forum (WEF) annual meeting in Davos, Switzerland is in progress.  In conjunction with this major meeting the WEF also produces its Global Risks Report.  One section of the report – shown below – is entitled “Global Risks of Highest Concern for Doing Business.”

As you look at this list, the eighth most important risk of concern is “Failure of Critical Infrastructure.” 

Wow, that is very disconcerting and it is important that critical infrastructure issues be addressed to help mitigate and alleviate these risks.  But even as you think about it, global infrastructure is strained even with issues #1 through #7 (and #9, of course).

But how?

Masters of Infrastructure Planning and Management

In August 2015 I successfully completed the Master’s Degree in Infrastructure Planning and Management at the University of Washington, Seattle, Washington USA.  This program – entirely online, so you can take classes literally around the globe in various time zones – gave me, as an infrastructure security professional, fantastic exposure to ways of managing and protecting vital infrastructure systems from natural and man-made threats.  The program curriculum is included below.

Figure 2

And as you can observe, the courses train the students on such fundamental topics as risk management, geographic information systems (GIS), and strategic planning.  The core courses include “soup to nuts” reviews of different infrastructure sectors such as energy, water, food, transportation, emergency management and public health.

At the end of the two-year program I believe you can be an adept contributor to critical infrastructure planning and management at the local, regional, national or international level.

By the way, the instructors are also accomplished, practical professionals in their areas.  For instance, the infrastructure finance professor studied under Nobel Laureates at the University of California.  The instructors teaching the energy courses work for the regional utility in Seattle, and the public health professor is a physician with almost 40 years’ experience in international public health management.

Overall, the instructors “…really know their stuff…” from a practical, hands-on perspective, and after a quarter with each one of them you have not only learned the details of the sector but you also know where to look for more information – a key value to me as a critical infrastructure protection professional.

Graduates and their Stories

Some of my fellow classmates have done very well with their MIPM credentials.  One grad continued in the Business Continuity/Planning space for a major health insurance provider and is now the Global Emergency Preparedness manager for a major, US West Coast university.  Another classmate continues as a Lieutenant Colonel in the Army with expanded awareness of global infrastructure issues.  A third classmate is in a local city public utility doing planning work.

How Can I Get More Information?  Where Do I Sign Up?

If you want more details I’d first suggest you visit the University of Washington Master in Infrastructure Planning and Management web page.

Be sure to review the Admissions requirements and the Costs/Financial Aid page.  Overall, you’ll see that the entrance requirements are certainly those of a Top Tier University but within reason for the working professional.  Some of my classmates had their tuition covered by the GI Bill and my company reimbursed me for my courses.

Of note, each cohort starts at the end of September each year and the Application Deadline is June 1st.

Unique Training – Unique Opportunity

As the faculty and students can attest, this is one of the very few programs in the world offering Masters-level training on infrastructure planning and management.  And, it is ONLINE so you don’t need to attend classes and – as a working professional – I can tell you that class assignments can be completed even if you are on the road multiple time zones away from Seattle.

So, here are the key links, and remember, the Application Deadline is June 1st.

  • CURRICULUM:
  • FACULTY:
  • ADMISSIONS:
  • FINANCES:



Tuesday, February 2, 2016

Plan of Attack: Studying for the ASIS Physical Security Professional (PSP) Certification Test

I recently sat for the ASIS Physical Security Professional (PSP) certification exam.  The test is about 125 questions and you are allotted about three hours to complete the test at a testing facility (e.g., Prometrics).

This Blog is intended to offer a Plan of Attack on how to study for the exam; however, according to the rules of engagement, I am not permitted to offer example/actual questions, answers, etc.  Instead, this Blog is really a "How To" prepare for the test using a process I developed after searching the Internet and reviewing any ASIS resources that could offer ideas.

Be sure you take a look at the ASIS Board Certification Handbook as you prepare for this journey.


Collect/assemble all your resources to study for the test.  The first set of resources is listed on the ASIS site here.

These documents include:

  • One book not listed but HIGHLY RECOMMENDED is the ASIS book, Protection of Assets - Physical Security.  Yes, the PSP Reference does contain some information repeated from the actual POA -- and you need the PSP Reference for the chapter on high-rise security -- but the actual POA is an imperative read as you prepare for the test.


This first step will help you to gain a broad view of where your studying will take you.  By simply reading the Guidelines and outlining the various sections -- even just handwriting down the different sections/subsections in order -- you'll get a chance to see the flow of the organization of what is included in Physical Security.

In my case I did my outline in Microsoft PowerPoint with the slides highlighting the key concepts for each section/subsection.  (NOTE:  These outline PPT decks will be useful for review).

From these Guidelines I'd suggest you memorize the Business Continuity process flow first shown on page 10 of the ASIS Business Continuity Guideline and shown below:

BCP Process flow


This is now where the real work starts.  But, with the background you already have with the above outlining efforts and your own professional experience, this will be time-consuming but not daunting.

There is no right/wrong way to proceed but I essentially did the following steps on my reading:

If you have little or no practical field experience in the Physical Security space, take time to read and outline Introduction to Security.  This is the first thing you'll need to do to get a solid foundation for your studying.  Otherwise, if you have considerable physical and cyber security experience, you can "jump into the pool" and start with the reading/studying list below:

Page 4, Design and Evaluation of Physical Protection Systems

  • Fourth:  Read and study Implementing Physical Protection Systems: A Practical Guide.  Be sure you understand the six phases of PPS life cycle planning and what goes into each one of the phases.  Overall this is a very helpful book in your future life as a security project manager, and the words of wisdom offered by David Peterson are very helpful.
  • Fifth:  Read and study Effective Physical Security.  Each chapter offers a wealth of information on various technical topics you've already learned in the POA above and in Mary Lynn Garcia's work.  This book is also great for quick reference when you need a few more details when studying such topics as locks, lighting, etc.
  • Sixth:  Read the remaining references in any order.


Now comes the truly hard work.  Each of us has our own way of learning, but below I'll offer my own approach.

For each one of the books above I outlined the chapters using PowerPoint -- the same way I outlined the Guidelines.

Some people prefer to use Flash Cards; however, a wonderful and FREE system you can use is an online application called Quizlet.  Be sure to set up a FREE account and then conduct a search for any quizzes prepared for the PSP.  I located about four and also built a few myself -- which is great!


You can use Quizlet to display Flashcards, develop tests (multiple choice, fill in the blank, match) and even play games using "Scatter" and "Gravity."  

Quizlet really helped me with Flashcard preparation (yes, you can print them) and took the boredom out of the review process.


Be sure to check the ASIS website and your own local chapter to see if they are offering any PSP study groups.  Unfortunately, I was not able to participate in any.


Here are some general guidelines to consider when preparing for the test:

1) Don't CRAM and expect to pass the test.  There is too much information.

2) Draw every diagram you see at least once.

3) Prepare a plan (like the above) and build upon what you are learning.  For instance, when reading a specific topic in Protection of Assets - Physical Security -- e.g., Lighting -- also read the section on Lighting in Effective Physical Security to complement and augment what you just learned.

4) Know your terms but also know the contents of the practical discussions in Garcia's and Fennelly's books -- as well as both POA references.

5) Get a good night's rest the night before the exam.  Review your outlines the day of the test and go for it!


Wednesday, January 27, 2016

CRS Report - Vulnerability of Concentrated Critical Infrastructure

I was recently writing an article for the Hazar Strateji Enstitüsü / Caspian Strategy Institute (HASEN) on the subject of physical security of critical electric infrastructure.  During my research I came across a very interesting -- and I believe timely -- Congressional Research Service (CRS) Report entitled Vulnerability of Concentrated Critical Infrastructure: Background and Policy Options.  The report was prepared by Paul W. Parfomak and updated on September 12, 2008. 

(Hat tip to the Federation of American Scientists for posting this document in their publicly available CRS library!)

I found this report to be an exceptional analysis of the vulnerabilities posed to the US with critical infrastructure concentrated in geographic areas.  Such concentration increases the vulnerability to events like natural disasters, epidemics, certain kinds of terrorist attacks, etc.

The report defines "Geographic Concentration" of critical infrastructure as:

"...the physical location of critical assets in sufficient proximity to each other that they are vulnerable to disruption by the same, or successive, regional events."

To give the reader a sense of the degree of geographic concentration (in 2008) here is an interesting list:
  • Energy (Refining) -- Approximately 43% of total US oil refining capacity is clustered along the Texas and Louisiana coasts
  • Banking and Finance (Securities Market) -- Almost 39% of US securities and options are traded on the floors of the NY and American Stock Exchanges in lower Manhattan
  • Chemicals (Chlorine) -- Over 38% of US chlorine production is located in coastal Louisiana
  • Transportation (Rail) -- Over 37% of US freight railcars pass through Illinois, primarily around Chicago.  Over 27% of freight railcars pass primarily through St. Louis
  • Transportation (Marine Cargo) -- Over 33% of US waterborne container shipments pass through the ports of Long Beach and Los Angeles in Southern California (Note: a major tsunami in Southern California could close the Ports of Long Beach/Los Angeles for two months and cost $60B in economic losses)
  • Defense Industrial Base (Shipyards) -- Over 31% of US naval shipbuilding and repair capacity is in and around Norfolk, Virginia
  • Agriculture and Food (Livestock) -- Approximately 29% of US hog inventories are in Iowa; 15% in eastern North Carolina
  • Public Health and Healthcare (Pharmaceuticals) -- Approximately 25% of US pharmaceuticals are manufactured in Puerto Rico/San Juan metro area

In addition to the sobering numbers above, if you look at the combined geographical area of New York City and Northern New Jersey the US port capacity is 12% and airport capacity is 8%.


To the casual observer, geographic concentration of US critical infrastructure is nothing new.  For example, Chicago and Atlanta evolved from railroad hubs; Louisiana and the Coast of Texas are major players in oil and natural gas because that is where the natural resources are, etc.  However, there are some added influences cited by the CRS report.  They include:
  • Resource Location
  • Agglomeration Economies (i.e., spatial concentration itself creates a favorable economic environment that supports further or continued concentration)
  • Scale Economies (e.g., refineries, ports, etc. are growing larger and larger due to the driver of "economy of scale")
  • Community Preferences (this is more like the concentration of infrastructure in places where the local citizens are not opposed to such facilities)
  • Capital Efficiency (critical infrastructure is located where capital can be efficiently deployed)

Finally, for those who are planners or students of infrastructure planning and management here are some selected Federal policies to discourage geographic concentration:

  • Prescriptive Siting (e.g., In the early 1940s, the US Government financed a major steel plant in Utah as a precaution against shortages in the Western US in case of a Pacific Coast invasion by the Japanese or closure of the Panama Canal)
  • Economic Incentives
  • Environmental Regulation (e.g., Coastal Zone Management Act, Clean Air Act, etc.)
  • Economic Regulation

The report also highlights policy options to reduce infrastructure vulnerability, which can include:

  • Eliminating Policies Encouraging Concentration
  • Encouraging Geographic Dispersion
  • Ensuring Infrastructure Survivability
  • Ensuring Infrastructure Recovery Capabilities


Overall this is an excellent and thought-provoking report on the strengths and vulnerabilities posed by the concentration of infrastructure in the US economy.  This document is a useful discussion for students focused on urban planning, critical infrastructure planning and management, and those interested in reducing infrastructure vulnerabilities.


Tuesday, January 26, 2016

Seven Strategies to Defend Industrial Control Systems (ICS)

In December 2015 the US National Cybersecurity and Communications Integration Center (NCCIC) -- often referred to as "EN-KICK" -- published a highly readable and brief white paper on Seven Strategies to Defend ICSs.  

This 7-page PDF offers a useful list of seven strategies a company can follow to better protect its industrial control systems.

Not only do they offer a quick, one- or two-paragraph description of the actions to be taken, but they also offer quick examples of events that could possibly have been prevented if the advice were followed.

The Seven Strategies include:

  1. Implement Application Whitelisting
  2. Ensure Proper Configuration/Patch Management
  3. Reduce Your Attack Surface Area
  4. Build a Dependable Environment
  5. Manage Authentication
  6. Implement Secure Remote Access
  7. Monitor and Respond


Thursday, January 14, 2016

Status of US Infrastructure - Infographic

Hat tip to Ms. Chrissy Gomez for passing along a link to a very interesting and in-depth Infographic discussing US infrastructure challenges and the impacts of the Infrastructure Bill.

The title of the article is The Infrastructure Bill: What it Means for Business and an excerpt of the Infographic is attached below. 

The Infographic does a nice job starting with a summary of the dismal and declining state of US infrastructure and then offers some scenarios of the impacts expected from the December 2015 Congressional Funding of $305B at $61B/year for the next 5 years.

Take a moment to look over the Infographic at the MBA Central website -- this is great information for those worried about US infrastructure and Infrastructure Planning and Management professionals.

Monday, January 11, 2016

CRS Insight - Electric Grid Physical Security: Recent Legislation (US)

(Another Hat Tip to our friends at the Federation of American Scientists for posting this CRS document!)

Last week a two-page summary of recent US government legislation focused on electric grid physical security was prepared by Paul W. Parfomak of the Congressional Research Service (CRS).

The document is a quick read.  Besides summarizing the Federal Energy Regulatory Commission (FERC) / North American Electric Reliability Corporation (NERC) efforts on CIP-014, the Physical Security Reliability Standard, the document summarizes some interesting electric grid physical security elements in the Fixing America's Surface Transportation (FAST) Act - P.L. 114-94 and the Energy Policy Modernization Act of 2015 - S. 2012.

Fixing America's Surface Transportation (FAST) Act - P.L. 114-94

  • Became law on December 4, 2015
  • Contains provisions in two sections to facilitate recovery during electric grid emergencies due to physical damage and other causes.
  • Critical Electric Infrastructure Security (§1104) -- This section provides the Secretary of Energy additional authority to order emergency measures to protect or restore the reliability of critical electric infrastructure or defense critical electric infrastructure during a grid security emergency.  The identification of such a grid emergency would be made by written notice from the President with a concurrent notification from Congress.  This section also a) allows grid owners to recover prudent costs incurred under such emergency measures through rates regulated by FERC, and b) increases protection of critical electrical infrastructure information.
  • Strategic Transformer Reserve (§1105) -- This section requires the Secretary of Energy -- in consultation with other agencies, the military, and the utility industry -- to submit to Congress within one year a plan for a Strategic Transformer Reserve.

Energy Policy Modernization Act of 2015 - S. 2012

  • Includes two sections primarily directed at electric grid cybersecurity but with potential impacts on physical asset protection or recovery.
  • Cybersecurity Threats (§2001) -- Would provide the Secretary of Energy additional authority to order emergency measures to avert or mitigate a cybersecurity threat upon receiving notice from the President that such a threat exists.  This section is also intended to increase protection of critical electrical infrastructure information.
  • Cybersecurity Threats (§2002) -- This section would designate the Department of Energy (DOE) as the lead Sector-Specific Agency under Presidential Policy Directive 21 for energy sector cybersecurity.  This bill would require a) DOE to develop a program for modeling and assessing energy infrastructure risks in the face of natural and human-made (physical and cyber) threats, and b) DOE to explore alternative structures and funding mechanisms to expand industry participation in the Electricity Information Sharing and Analysis Center (E-ISAC).

Thanks again to Mr. Parfomak for this CRS Insight.


Wednesday, January 6, 2016

CRS Report - Data Security & Breach Notification Legislation: Selected Legal Issues

Thanks to our friends at the Federation of American Scientists, the recently issued Congressional Research Service (CRS) report entitled Data Security and Breach Notification Legislation: Selected Legal Issues has been made available.  (21 Pages)

This is a focused report providing a review of the following:

  • Proposed Legislation introduced in the 114th Congress on Data Security and Breach Notification
  • Discussion about State Data Breach Laws (very brief)
  • Legal Analysis of:
    • Preemption of State Laws, Regulations, and Claims should Federal Law(s) be Passed in this Area
    • Agency Enforcement of Data Security and Breach Notification Requirements

Some interesting takeaways from this report:

1) 47 US States, the District of Columbia, and three US territories (Guam, Puerto Rico, US Virgin Islands) have enacted data security laws.

2) Alabama, New Mexico, and South Dakota have not enacted breach notification laws.

3) Massachusetts has issued regulations requiring persons who own or license personal information about a Massachusetts resident to "...develop, implement, and maintain a comprehensive information security program..." (201 Mass. Code Regs. 17.03(1)).  Such a program must be in writing and contain administrative, technical and physical safeguards appropriate to the size and type of business, available resources, and amount of stored data.  Businesses must also conduct an annual review of security measures.

4) (Excerpt on Federal Preemption of State Data Security Laws - Page 15)

5) (Excerpt on Agency Enforcement - Page 19)

Overall, this is an interesting read on the implications of possible Federal legislation in the domain of data breach laws primarily addressed by US state laws.