Saturday, January 31, 2015

World Economic Forum - Global Risks 2015

Each January the World Economic Forum (WEF) has a grand meeting in Davos, Switzerland.  This meeting brings together the major decision makers and influencers in the world to review the current state of the world and its risks.

As part of this annual event the WEF compiles and publishes its Global Risks assessment.  The 10th Edition has just been published, assessing the global risks for 2015.  A picture of the report's cover is below.  The report can be downloaded at: 

As a student of infrastructure and security I find this report to offer tremendous insight into the challenges faced by society today.  Also, the report includes some excellent graphics to help the reader get a better sense of the interplay between the various risks and what they refer to as "risk constellations."

The authors first establish five categories of risk: economic, environmental, geopolitical, societal and technological.  Then, within each category, a collection of individual risks is graded and assessed.  The individual risks are then plotted on a quadrant (below) assessing each risk's Impact and Likelihood.

Then, based on the above mapping/assessment the top 10 risks are determined by Likelihood and Impact as shown in the next graphic.

Finally, an aspect I normally consider with these lists is the set of risks that appear in both columns.  These include:

  • Water Crises
  • Unemployment or Underemployment
  • Failure of Climate Change Adaptation

Even though this is a short list, please consider how these risks are interrelated: water crises are aggravated by a failure of climate change adaptation, which in turn can result in job loss and thus unemployment.

Overall, I would highly recommend that you review the report and especially get a sense of the risk themes raised and how they impact your profession and personal life.



Tuesday, January 27, 2015

ENISA Publishes Cyber Threat Analysis of 2014

Our friends at the European Union Agency for Network and Information Security (ENISA) have published the ENISA Threat Landscape 2014 on 27 January 2015.  The report includes details on developments made in 2014 relative to the top cyber threats and emerging threat trends - mainly in the cyber arena.

You can download a copy of the report (Free) at:

From the Executive Summary of the report, below are some of the "positives and negatives" of today's cyber threat landscape from ENISA's point of view.

Many of the changes in the top threats can be attributed to successful law enforcement operations and mobilisation of the cyber-security community (bolding by Ernie Hayden):

  • The take down of GameOver Zeus botnet has almost immediately stopped infection campaigns and Command and Control communication with infected machines.
  • Last year’s arrest of the developers of Blackhole has shown its effect in 2014 when use of the exploit kit has been massively reduced.
  • NTP-based reflection within DDoS attacks is declining as a result of a reduction of infected servers. This in turn was due to awareness raising efforts within the security community.
  • SQL injection, one of the main tools used to compromise web sites, is on the decline due to a broader understanding of the issue in the web development community.
  • Taking off-line Silk Road 2 and another 400 hidden services in the dark net has created a shock in the TOR community, both at the attackers' and TOR users' ends.

But there is a dark side of the threat landscape of 2014:

  • SSL and TLS, the core security protocols of the internet, have been under massive stress, after a number of incidents have unveiled significant flaws in their implementation.
  • 2014 can be called the year of data breach. The massive data breaches that have been identified demonstrate how effectively cyber threat agents abuse security weaknesses of businesses and governments.
  • A vulnerability found in the BASH shell may have a long term impact on a large number of components using older versions, often implemented as embedded software.
  • Privacy violations, revealed through media reports on surveillance practices have weakened the trust of users in the internet and e-services in general.
  • Increased sophistication and advances in targeted campaigns have demonstrated new qualities of attacks, thus increasing efficiency and evasion through security defences.

The report does include a summary table of trends (Page 4) that the reader may find useful.  A copy of the table is shown below with some highlights on the areas declining and a note about ransomware.

Lastly, one area the report raises as a new focus is "Cyber-Physical Systems."  These are engineered systems that interact with computing equipment and are integrated to control, manage and optimize physical processes.  The areas of concern they mention are power supply, medical systems/healthcare, industrial systems and manufacturing, transportation, telecommunication, etc.  The report includes a table (below) of the Top Emerging (Preliminary) Threats to CPS (Page 67):

Overall, the report is of excellent quality and is a useful summary of the cyber issues of 2014.


Thursday, December 11, 2014

History of Industrial Controls Cybersecurity -- White Paper

Several months ago Mike Assante -- SANS project lead for Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) security -- and I were talking about some ideas for SANS Analyst white papers, and an idea surfaced to prepare a white paper introducing the SANS reader to elementary industrial controls theory and to the chronology of ICS cybersecurity.

The paper has finally been posted at SANS and the link is: 

Overall it was a fun paper to research and write, with some good stories about the first Programmable Logic Controllers (PLCs).  Also, the chronology built by Mike Assante and Tim Conway and included in the paper is a great way to get oriented to the challenges in this domain, which are broader than Stuxnet.



Sunday, November 30, 2014

Hazards of Decommissioned Equipment

In my global travels while performing inspections of power plants, factories and other critical infrastructure I often see equipment that is "decommissioned."  It is understandable that removing large, heavy equipment is expensive; however, I have often wondered aloud why the factory managers do not tag or identify the equipment as decommissioned.

One idea I've proposed is to place a large hot orange/hot pink tag on the decommissioned equipment so that personnel will recognize its status.  The occasional auditor or inspector may even declare it a "Good Practice."

In the November 2014 issue of Control Engineering magazine J. B. Titus wrote a short but useful article about the "12 hazards of unused machinery." (Page 24)

J. B. notes the following:

"Even though a machine may no longer be active in the production process, this does not mean that the machine has been rendered hazard free..."

J. B. continues to observe that a decommissioned machine may pose one or more of the following hazards:

  1. Live electrical connections
  2. Compressed gases or fluids
  3. Charged tie rods
  4. Compressed springs
  5. Gravity
  6. Hazardous materials
  7. Rust
  8. Flammable or combustible material
  9. Abandoned conduit as a route for hazardous vapors
  10. Leakage
  11. Blocking emergency access
  12. Other machine, application, or environmental considerations

I heartily agree with J. B. and wish I had his article handy during my previous inspections where I've highlighted concerns about decommissioned equipment and the hazards it poses. The plant or factory management needs to recognize the risks of these "turned off pieces of equipment" and take mitigation actions.

Thanks to J. B. Titus for the brief article and for giving more support to my argument that decommissioned equipment is not a trivial issue.

### END ###

Wednesday, September 10, 2014

Fundamental Skills for Any Security Practitioner

As a consultant, teacher and author I am often asked about the key knowledge, skills and certifications required to be a "successful" CISO or security professional.  The questions are usually around such issues as "Should I get my CISSP or CISM?" etc.

My usual response is often focused on having the "fundamentals" down pat such as understanding the business and having strong communication skills -- especially with upper management and the groups you are supporting.

This past quarter in my Masters of Infrastructure Planning and Management program at the University of Washington, one of our assigned readings in my Comprehensive Emergency Planning course (IPM501) was entitled "Report of the 2013 Disciplinary Purview Focus Group: Scholarship and Research to Ground the Emerging Discipline of Emergency Management."

Sounds dull, doesn't it?

The report was written by a group of scholars studying the field of emergency management.  Their focus "...was to identify the body of scholarship and research related to emergency management's purview that could ground the discipline, particularly as it relates to the education of students."

The report had some interesting perspectives on the subject; however, my key takeaway -- and worthy of me spending time on this blog -- is Appendix J: Skills Emergency Management Students Should be Able to Demonstrate upon Graduation.

This Appendix lists the following skills, in which I think any security professional should also have competence:

  • Verbal Communication
  • Written Communication
  • Interpersonal Communication
  • Group Communication
  • Network Building and Stakeholder Engagement
  • Analytical Thinking
  • Application of Research in Practice
  • Problem Solving
  • Decision Making
  • Leadership

So, to my friends, students and colleagues who ask me "What skills do I need to possess to be successful in the security field?": the list to follow is above.  Then work on your technical skills and certifications such as the CISSP, etc.

Thanks to my professor, Robert Schneider, Ed.D., Director of Emergency Management for Grant County, Washington, for this reading requirement.  Appendix J made it worth the read.


Tuesday, July 29, 2014

Mr. Gisli Olafsson -- A True and Proven Crisis Leader

I am currently a student in the University of Washington Masters of Infrastructure Planning and Management (IPM) program.  This quarter I am taking IPM501, Comprehensive Emergency Management.  As part of this course one of our required readings is an excellent crisis leadership book by Mr. Gisli Olafsson entitled The Crisis Leader.

We were very fortunate to "virtually meet" Mr. Olafsson on an Adobe Connect lecture on July 29th where Mr. Olafsson took 90 minutes to highlight his experiences as an urban search and rescue leader including his experience as a team leader for Iceland's International Urban Search and Rescue team (ICE-SAR) immediately after the tragic earthquake hit Haiti in 2010.

Overall, Mr. Olafsson is a very compelling and experienced emergency response manager and leader with some excellent -- albeit tragic -- stories from his experiences responding to disasters around the world.  In his lecture he raised some excellent comments and ideas about the role of leadership during a crisis.  Some of the key ideas and comments he raised are captured below.

CL = Y + T + R

The equation above is one way Mr. Olafsson tried to explain what crisis leadership includes and entails.  The terms are first interpreted as:

CL = Crisis Leadership
Y = You
T = Team
R = Response

In summary he used this equation as a way to help capture some key aspects of personal leadership.

Y = You

You need to know yourself -- you need to know how you react under times of stress and crisis and how you deal with events -- including those events with substantial amounts of death and destruction.  You need to understand your emotions, fears and how to deal with these psychological arrows so you can be an effective leader.

Mr. Olafsson pointed out that key to the "You" aspect is to realize that you need to trust your team and their capabilities in order to control and even block your fear.  You need to be prepared for the task at hand by knowing your own strengths and weaknesses.  You also need to be physically and psychologically fit to endure the long hours and stressful conditions.

T = Team

Paramount elements for leadership success include being resilient (also referred to as "Semper Gumby," a reference to the very flexible cartoon character).  Secondly, you need to always be preparing through planning and exercising.

Mr. Olafsson noted a rule of thumb from the World Bank document Natural Hazards Unnatural Disasters: for every hour of preparation spent you can expect to save six hours of effort; similarly, for every dollar spent you can expect to save six dollars.

You want to build your team so that you are a "...leader of leaders..." where the team members are empowered to not only do their job but also to fill the role as a leader as required for the situation and based on their technical specialties/expertise.  Don't be a micromanager but lead your "leaders" so they are effective and the job gets done.

R = Respond

Response to a crisis is a key reason why you are at the disaster.  But, you are surrounded by many challenges ranging from the disaster itself to the weather to the debris field to the emotional survivors and even to the smell.  First you need to focus -- block the external stimuli and do your task at hand.  Secondly, take advantage of the intelligence and help that can be provided by the local population affected by the disaster.  Apparently FEMA in the U.S. refers to this concept as "Survivor-centric Response."

Responding requires a team with solid morale.  As noted in Chapter 25, "Team Morale," Mr. Olafsson states, "No matter which way it starts out, one of your crucial roles as a leader is to ensure that you keep morale high, even during the most difficult times.  Your ability to do that depends on a number of things including:
  • Your rapport with team members...
  • Your ability to read others...
  • Your ability to understand how the situation is affecting people..."
If you are a leader of any sort -- but especially one placed, or potentially placed, into an emergency situation or worse yet a disaster -- I would highly recommend you take time to read, digest and contemplate the excellent and field-proven advice offered in this book by Mr. Olafsson.  As a 40+ year leader myself, I found his advice to be "...right on..." and useful for my professional and personal leadership roles.

Mr. Olafsson's website is: and he can be followed on Twitter @gislio


Tuesday, July 22, 2014

FERC Requires Changes to NERC CIP-014 - Physical Security of Substations

On Thursday, July 17, 2014, the Federal Energy Regulatory Commission (FERC) published a Notice of Proposed Rulemaking (NOPR) that proposed to approve CIP-014-1, Physical Security (PDF), with two modifications.

The NOPR did find that the proposed CIP-014-1 standard "...largely satisfies the directives in the (March 7, 2014 FERC) order.  However, the Commission proposes to direct NERC to develop a modification that would specifically allow governmental authorities, including FERC or another appropriate federal or provincial authority, to add or subtract facilities from an entity's list of critical facilities."

FERC does note in its announcement that it expects the addition/subtraction of substations to be exercised only "rarely."

The second proposed modification from FERC directs NERC to "...revise wording that it believes could narrow the scope and number of identified critical facilities.  Specifically the NOPR seeks comment on the Commission's concern that NERC's use of the phrase 'widespread instability' rather than 'instability,' as stated in the March order, could create ambiguity since the term 'widespread' is not defined."

The NOPR also requests NERC submit two informational reports.  The first report would have NERC analyze whether CIP-014-1 should be applicable to additional types of facilities beyond substations.  The second report would have NERC provide analysis on grid resiliency exploring what can be done beyond CIP-014-1 to maintain reliable operation of the Bulk Power System when faced with the loss or degradation of critical facilities.

Crescendo of Activities Focused on Physical Security of Substations

In addition to the quick response by FERC after Pacific Gas & Electric's Metcalf substation was physically attacked in California on April 16, 2013, there have been several meetings and analyses examining how the industry should respond to physical attacks on critical substations.  For instance, at the National Association of Regulatory Utility Commissioners (NARUC) summer meeting in Dallas on July 16, 2014, NARUC passed a resolution on the physical security of the electric grid (PDF).

Overall, an excellent summary of the current situation regarding physical security concerns for the electric grid is the June 17, 2014 Congressional Research Service (CRS) report Physical Security of the U.S. Power Grid: High-Voltage Transformer Substations (PDF).  This report is an encyclopedic review of the current state of physical security concerns and issues related to the larger transformers and substations.

A parenthetical observation from this report, on page 8, concerns the physical movement of large transformers in an emergency.  The paragraph in question is cited below:

Within the United States, transportation of HV transformers is difficult. Due to their size and weight, most HV transformers are transported on special railcars, each with up to 36 axles to distribute the load. There are fewer than 20 of these railcars in the United States rated to carry 500 tons or more, which can present a logistical problem if they are needed in a transformer emergency. Some specialized flatbed trucks can also carry heavy transformer loads over public roadways, but the few such trucks that exist have less carrying capacity and greater route restrictions than the railcars because HV transformers may exceed highway weight limits.

Expect More Discussion in the Future

With the recent announcement from FERC, the very recent resolution from NARUC, and the tragic events associated with current wars in Europe and the Middle East, it would not surprise me if there are more conversations regarding the physical protection of the electric and gas grids.