Thursday, December 11, 2014

History of Industrial Controls Cybersecurity -- White Paper

Several months ago Mike Assante -- SANS project lead for Industrial Control
System (ICS) and Supervisory Control and Data Acquisition (SCADA) security -- and I were talking about some ideas for SANS Analyst white papers and an idea surfaced to prepare a white paper introducing the SANS reader to elementary industrial controls theory and to the chronology of ICS cybersecurity.

The paper has finally been posted at SANS and the link is: 

Overall it was a fun paper to research and write, with some good stories about the first Programmable Logic Controllers (PLCs).  Also, the chronology built by Mike Assante and Tim Conway and included in the paper is a great way to get oriented to the challenges in this domain, which are broader than Stuxnet.



Sunday, November 30, 2014

Hazards of Decommissioned Equipment

In my global travels while performing inspections of power plants, factories and other critical infrastructure I often see equipment that is "decommissioned."  It is understandable that removing large, heavy equipment is expensive; however, I have often wondered aloud why the factory managers do not tag or identify the equipment as decommissioned.

One idea I've proposed is to place a large hot orange/hot pink tag on the decommissioned equipment so that personnel will recognize its status.  The occasional auditor or inspector may even declare it a "Good Practice."

In the November 2014 issue of Control Engineering magazine J. B. Titus wrote a short but useful article about the "12 hazards of unused machinery." (Page 24)

J. B. notes the following:

"Even though a machine may no longer be active in the production process, this does not mean that the machine has been rendered hazard free..."

J. B. continues to observe that a decommissioned machine may pose one or more of the following hazards:

  1. Live electrical connections
  2. Compressed gases or fluids
  3. Charged tie rods
  4. Compressed springs
  5. Gravity
  6. Hazardous materials
  7. Rust
  8. Flammable or combustible material
  9. Abandoned conduit as a route for hazardous vapors
  10. Leakage
  11. Blocking emergency access
  12. Other machine, application, or environmental considerations 

I heartily agree with J. B. and wish I had had his article handy during my previous inspections where I've highlighted concerns about decommissioned equipment and the hazards it poses. Plant or factory management needs to recognize the risks of these "turned off pieces of equipment" and take mitigation actions.

Thanks to J. B. Titus for the brief article and for giving more support to my argument that decommissioned equipment is not a trivial issue.

### END ###

Wednesday, September 10, 2014

Fundamental Skills for Any Security Practitioner

As a consultant, teacher and author I am often asked about the key knowledge, skills and certifications required to be a "successful" CISO or security professional.  The questions are usually around such issues as "Should I get my CISSP or CISM?" etc.

My usual response is often focused on having the "fundamentals" down pat such as understanding the business and having strong communication skills -- especially with upper management and the groups you are supporting.

This past quarter in my Master's of Infrastructure Planning and Management program at the University of Washington, one of our assigned readings in my Comprehensive Emergency Planning course (IPM501) was entitled "Report of the 2013 Disciplinary Purview Focus Group: Scholarship and Research to Ground the Emerging Discipline of Emergency Management."

Sounds dull, doesn't it?

The report was written by a group of scholars studying the field of emergency management.  Their focus "...was to identify the body of scholarship and research related to emergency management's purview that could ground the discipline, particularly as it relates to the education of students."

The report had some interesting perspectives on the subject; however, my key takeaway -- and worthy of me spending time on this blog -- is Appendix J: Skills Emergency Management Students Should be Able to Demonstrate upon Graduation.

This Appendix lists the following skills, in which I think any security professional should also have competence:

  • Verbal Communication
  • Written Communication
  • Interpersonal Communication
  • Group Communication
  • Network Building and Stakeholder Engagement
  • Analytical Thinking
  • Application of Research in Practice
  • Problem Solving
  • Decision Making
  • Leadership

So, to my friends, students and colleagues who ask me "What skills do I need to possess to be successful in the security field?": the list to follow is above.  Then work on your technical skills and certifications such as the CISSP, etc.

Thanks to my professor, Robert Schneider, Ed. D., Director of Emergency Management for Grant County, Washington, for this reading requirement.  Appendix J made it worth the read.


Tuesday, July 29, 2014

Mr. Gisli Olafsson -- A True and Proven Crisis Leader

I am currently a student in the University of Washington Masters of Infrastructure Planning and Management (IPM) program.  This quarter I am taking IPM501, Comprehensive Emergency Management.  As part of this course one of our required readings is an excellent crisis leadership book by Mr. Gisli Olafsson entitled The Crisis Leader.

We were very fortunate to "virtually meet" Mr. Olafsson on an Adobe Connect lecture on July 29th where Mr. Olafsson took 90 minutes to highlight his experiences as an urban search and rescue leader including his experience as a team leader for Iceland's International Urban Search and Rescue team (ICE-SAR) immediately after the tragic earthquake hit Haiti in 2010.

Overall, Mr. Olafsson is a very compelling and experienced emergency response manager and leader with some excellent -- albeit tragic -- stories from his experiences responding to disasters around the world.  In his lecture he raised some excellent comments and ideas about the role of leadership during a crisis.  Some of the key ideas and comments he raised are captured below:

CL = Y + T + R

The equation above is one way Mr. Olafsson tried to explain what crisis leadership includes and entails.  The terms are first interpreted as:

CL = Crisis Leadership
Y = You
T = Team
R = Response

In summary he used this equation as a way to help capture some key aspects of personal leadership.

Y = You

You need to know yourself -- you need to know how you react under times of stress and crisis and how you deal with events -- including those events with substantial amounts of death and destruction.  You need to understand your emotions, fears and how to deal with these psychological arrows so you can be an effective leader.

Mr. Olafsson pointed out that key to the "You" aspect is to realize that you need to trust your team and their capabilities in order to control and even block your fear.  You need to be prepared for the task at hand by knowing your own strengths and weaknesses.  You also need to be physically and psychologically fit to endure the long hours and stressful conditions.

T = Team

Paramount elements for leadership success include being resilient (also referred to as "Semper Gumby," a reference to the very flexible cartoon character).  Secondly, you need to always be preparing through planning and exercising.

Mr. Olafsson noted, as a rule of thumb from the World Bank document Natural Hazards, Unnatural Disasters, that for every hour of preparation spent you can expect to save six hours of effort; similarly, for every dollar spent you can expect to save six dollars.

You want to build your team so that you are a "...leader of leaders..." where the team members are empowered to not only do their job but also to fill the role as a leader as required for the situation and based on their technical specialties/expertise.  Don't be a micromanager but lead your "leaders" so they are effective and the job gets done.

R = Response

Response to a crisis is a key reason why you are at the disaster.  But, you are surrounded by many challenges ranging from the disaster itself to the weather to the debris field to the emotional survivors and even to the smell.  First you need to focus -- block the external stimuli and do your task at hand.  Secondly, take advantage of the intelligence and help that can be provided by the local population affected by the disaster.  Apparently FEMA in the U.S. refers to this concept as "Survivor-centric Response."

Responding requires a team with solid morale.  As noted in Chapter 25, "Team Morale," Mr. Olafsson states, "No matter which way it starts out, one of your crucial roles as a leader is to ensure that you keep morale high, even during the most difficult times.  Your ability to do that depends on a number of things including:
  • Your rapport with team members...
  • Your ability to read others...
  • Your ability to understand how the situation is affecting people..."


If you are a leader of any sort -- but especially one placed -- or potentially placed -- into an emergency situation or worse yet a disaster, I would highly recommend you take time to read, digest and contemplate the excellent and field-proven advice offered in this book by Mr. Olafsson.  As a 40+ year leader myself, I found his advice to be "...right on..." and useful for my professional and personal leadership roles.

Mr. Olafsson's website is: and he can be followed on Twitter @gislio


Tuesday, July 22, 2014

FERC Requires Changes to NERC CIP-014 - Physical Security of Substations

On Thursday, July 17, 2014, the Federal Energy Regulatory Commission (FERC) published a Notice of Proposed Rulemaking (NOPR) that proposed to approve CIP-014-1, Physical Security (PDF), with two modifications.

The NOPR did find that the proposed CIP-014-1 standard "...largely satisfies the directives in the (March 7, 2014 FERC) order.  However, the Commission proposes to direct NERC to develop a modification that would specifically allow governmental authorities, including FERC or another appropriate federal or provincial authority, to add or subtract facilities from an entity's list of critical facilities."

FERC does note in its announcement that it expects the addition/subtraction of substations to be exercised only "rarely."

The second proposed modification from FERC directs NERC to "revise wording that it believes could narrow the scope and number of identified critical facilities.  Specifically, the NOPR seeks comment on the Commission's concern that NERC's use of the phrase 'widespread instability' rather than 'instability,' as stated in the March order, could create ambiguity since the term 'widespread' is not defined."

The NOPR also requests NERC submit two informational reports.  The first report would have NERC analyze whether CIP-014-1 should be applicable to additional types of facilities beyond substations.  The second report would have NERC provide analysis on grid resiliency exploring what can be done beyond CIP-014-1 to maintain reliable operation of the Bulk Power System when faced with the loss or degradation of critical facilities.

Crescendo of Activities Focused on Physical Security of Substations

In addition to the quick response by FERC after Pacific Gas & Electric's Metcalf substation was physically attacked in California on April 16, 2013, there have been several meetings and analyses examining how the industry should respond to physical attacks on critical substations.  For instance, at the National Association of Regulatory Utility Commissioners (NARUC) summer meeting in Dallas on July 16, 2014, NARUC passed a resolution on the physical security of the electric grid (PDF).

Overall, an excellent summary of the current situation regarding physical security concerns for the electric grid is the June 17, 2014 Congressional Research Service (CRS) report Physical Security of the U.S. Power Grid: High-Voltage Transformer Substations (PDF).  This report is an encyclopedic review of the current state of physical security concerns and issues related to large transformers and substations.

A parenthetical observation from page 8 of this report concerns the physical movement of large transformers in an emergency.  The paragraph is cited below:

Within the United States, transportation of HV transformers is difficult. Due to their size and weight, most HV transformers are transported on special railcars, each with up to 36 axles to distribute the load. There are fewer than 20 of these railcars in the United States rated to carry 500 tons or more, which can present a logistical problem if they are needed in a transformer emergency. Some specialized flatbed trucks can also carry heavy transformer loads over public roadways, but the few such trucks that exist have less carrying capacity and greater route restrictions than the railcars because HV transformers may exceed highway weight limits.

Expect More Discussion in the Future

With the recent announcement from FERC, the very recent resolutions from NARUC, and the tragic events associated with current wars in Europe and the Middle East, it would not surprise me if there are more conversations regarding the physical protection of the electric and gas grids.


Friday, June 20, 2014

Must Read for CyberWar Students and Spectators

I've just returned from an interesting and exhausting ICS security trip to Nigeria, Egypt and Dubai --- and as I was catching up on my reading I came across an excellent and well-written article regarding nation-state attacks on our critical infrastructure.  Kudos to Mike Riley and Jordan Robertson of Bloomberg!

The article in Bloomberg is UglyGorilla Hack of U.S. Utility Exposes Cyberwar Threat.

Rather than resummarize the article I'd strongly suggest you read it and think about the implications of the content.

It is pretty ugly.

Anyone who thinks we are ahead of the cyber attackers/criminals is sadly mistaken.

As noted by Representative Mike Rogers, R-Michigan: "This is as big a national security threat as I have ever seen in the history of this country that we are not prepared for."

Read and ponder....


Wednesday, June 11, 2014

OPINION: Does the NIPP Account for Infrastructure Neglect? Climate Change?

I am currently a candidate for a Masters in Infrastructure Planning and Management (IPM) at the University of Washington.  In my recent class on Transportation Infrastructure we prepared a response to a question regarding the Department of Homeland Security's (DHS) National Infrastructure Protection Plan (NIPP).

The question posed is in the box below; however, to answer the question a brief history of the NIPP and its development post-9/11 is summarized first.

I think you will find this an interesting read, and it may make you wonder about the true value of the NIPP in today's environment.




Assigned Question

Do you think that the infrastructure protection plan as proposed by the Department of Homeland Security accounts for infrastructure neglect? Should it? Could this lack of maintenance of transportation infrastructure potentially be a much greater concern than terrorist attack or climate change? Would our national resources be better spent on maintenance activities as opposed to protection or adaption?


The question posed above is one that requires some background history and assimilation prior to finally offering a view.  Therefore, this discussion first highlights the history of the National Infrastructure Protection Plan (NIPP) – its genesis and modification.  Then at the end of the discussion responses to the questions posed above for this assignment are provided.

Genesis of National Infrastructure Protection Plan

On December 17, 2003, Homeland Security Presidential Directive 7 (HSPD-7)[1] was issued by President George H. W. Bush.  The stated purpose of this Directive was:

1.  This directive establishes a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks.

Similarly in the Policy portion of HSPD-7 the emphasis again was on protecting critical assets from terrorist attack.  Paragraph 7 notes:

Later in HSPD-7, regarding implementation of the HSPD, Paragraph 27 notes that the Secretary of Homeland Security is to “…produce a comprehensive, integrated National Plan for Critical Infrastructure and Key Resources Protection…”  The remaining implementation requirements are shown below:

In summary, HSPD-7 was originally focused on protecting critical infrastructure from terrorist attacks, with responsibilities assigned to the Secretary of Homeland Security.  The implementation directive was not specific to terrorist threats; however, that focus was implied by the stated purpose of the HSPD and its implementation mandates.

In 2006 the first issue of the National Infrastructure Protection Plan (NIPP) was issued by Department of Homeland Security (DHS) Secretary Chertoff.  The specific goal of the NIPP was noted below from Page 1 of the document.  As the reader can observe, the focus is intended to prevent, deter, neutralize, or mitigate effects…by terrorists…That, in this writer’s opinion, is the key emphasis of this plan.  But it is agreed that there is some parenthetical response to “…natural disasters and other emergency.”

The theme of Secretary Chertoff’s Preface in the first NIPP was still primarily focused on terrorist threats, although there was some discussion about protection of CI/KR from natural disasters.  Overall, however, the term “attacks” was used repeatedly throughout the document (I stopped counting at 20 instances) and not once was there a reference to climate or climate change – only to “natural disasters.”  And upon a quick survey, the term “natural disasters” was almost always used in the same sentence as “terrorist.”

The conclusion is that the 2006 NIPP was issued in response to the terrorist threat, in keeping with HSPD-7, issued in 2003 following the terrorist events of 9/11.

2009 NIPP

A new version of the NIPP was promulgated in 2009.  The goal of the NIPP remained the same as in the 2003 edition, except that it reflected the evolution of the programs and processes first introduced in 2006 and was developed collaboratively with the CI/KR partners at all levels of government and the private sector.

Again, the emphasis still appears to be on terrorist attacks, with minimal reference to natural disasters and no reference to climate change.

On a statistical note, the term “attack” is used 114 times, “terrorist” 157 times, and “natural disaster” 37 times, while “climate change” is not used at all in the 2009 NIPP.

NIPP 2013 Partnering for Critical Infrastructure Security and Resilience

In February 2013, President Obama issued Presidential Policy Directive 21 (PPD-21), Critical Infrastructure Security and Resilience[2], which explicitly calls for an update to the NIPP.  As noted in the 2013 NIPP, this update is informed by significant evolution in the critical infrastructure risk, policy, and operating environments, as well as experience gained and lessons learned since the NIPP was last issued in 2009.  The revised NIPP expands the view of the threats to critical infrastructure, as depicted in the graphic (Figure 2) from page 8 of the NIPP.

As the reader can observe, the focus on terrorist attacks has been substantially reduced to a more balanced perspective that also includes extreme weather, accidents, cyber-attacks, etc.  Also, as a comparison, the term “terrorist” is used only six times in the 2013 NIPP, thus demonstrating a more balanced approach to protection of critical infrastructure.

The 2013 NIPP also demonstrated a more balanced approach to critical infrastructure protection when it included the seven core tenets listed below:
  1. Risk should be identified and managed in a coordinated and comprehensive way across the critical infrastructure community to enable the effective allocation of security and resilience resources.
  2. Understanding and addressing risks from cross-sector dependencies and interdependencies is essential to enhancing critical infrastructure security and resilience.
  3. Gaining knowledge of infrastructure risk and interdependencies requires information sharing across the critical infrastructure community.
  4. The partnership approach to critical infrastructure security and resilience recognizes the unique perspectives and comparative advantages of the diverse critical infrastructure community.
  5. Regional and State, Local, Tribal and Territorial (SLTT) partnerships are crucial to developing shared perspectives on gaps and actions to improve critical infrastructure security and resilience.
  6. Infrastructure critical to the United States transcends national boundaries, requiring cross-border collaboration, mutual assistance, and other cooperative agreements.
  7. Security and resilience should be considered during the design of assets, systems, and networks.

Overall, the NIPP from its inception in 2003 to the 2013 edition has evolved from a plan focused on terrorist attacks and defense to one with a more balanced, all-hazards approach.  The 2013 NIPP has also provided an updated approach not only to critical infrastructure security but also to resilience.

Responses to Discussion Questions

With the background history provided, my responses to the questions posed include the following:

  • Do you think that the infrastructure protection plan as proposed by the Department of Homeland Security accounts for infrastructure neglect?

    • Sadly, the NIPPs of 2003 and 2009 were both very focused on terrorist attack and defense, and as such infrastructure neglect was not even considered.  The 2013 NIPP does allude to a more holistic approach, especially in Tenet #7, which discusses “Security and resilience … considered during the design, of assets, systems and networks.”

    • On page 18 of the 2013 NIPP there is a discussion focused on risk management that takes into consideration the following elements:

      • Identify, Deter, Detect, Disrupt, and Prepare for Threats and Hazards
      • Reduce Vulnerabilities
      • Mitigate Consequences

Of interest, the “Reduce Vulnerabilities” element includes the statement “Employ siting considerations when locating new infrastructure, such as avoiding floodplains, seismic zones, and other risk-prone locations.”  This appears to at least try to address some elements of extreme weather (possibly due to climate change) for new designs, but again I did not see any discussion specific to maintaining and upgrading current infrastructure.  That said, the “siting considerations” can be – and should be – included in current infrastructure maintenance and upgrades as well as for new critical infrastructure such as roads, etc.

Under the discussion “Mitigate Consequences” there is a bullet that could also be related to current infrastructure: “Repair or replace damaged infrastructure with cost-effective designs that are more secure and resilient.”  Hence, there is a subtle element of support for improving infrastructure with “…designs that are more secure and resilient…” but only if it is damaged, not if it is currently usable but needs upgrades for increased resilience.

  • Should it?

    • Yes, it makes sense that emphasis on infrastructure should be sustained as well as improved via such approaches as corrective and preventive maintenance, design upgrades and improvements, etc.  As a suggestion for future editions of the NIPP, there needs to be particular emphasis and focus on current assets as well as future ones.  Also, future NIPP editions should allow for some means of assessment and prioritization of current assets for design upgrades and corrective/preventive maintenance regardless of whether the infrastructure has failed (yet) or not.

    • As I prepared this discussion I was reminded of Professor Jan Whittington’s research report Making Room for the Future: Rebuilding California’s Infrastructure, where her research along with David Dowall observed that “California has a deferred maintenance crisis in its hands…extensive deferred maintenance backlogs in…transportation facilities.”  Here was an example where there was no policy guidance in the state of California to perform maintenance on its key assets.  Hence, one could observe a parallel issue with the US NIPP and its failure to really emphasize performance of maintenance on critical assets such as roads and bridges.

  • Could this lack of maintenance of transportation infrastructure potentially be a much greater concern than terrorist attack or climate change?

    • As you look at this issue across the entire United States and across all transportation infrastructure, one could make a case that the concern should be greater than that of a terrorist attack or climate change, primarily because the probability of occurrence is high for most transportation infrastructure and the number of opportunities for failure is high – especially when considering the number of vehicles traveling on the roads, where each vehicle can offer a potential “event” and harm to the infrastructure.  Compare this to the number of hurricanes per season, where the frequency of events is lower but the impact is much, much higher.

    • For instance, when you do a risk analysis of likelihood vs. consequence, the terrorist consequence can be very high but the probability or likelihood of the event is low.  Hence we have the classic low probability – high consequence event.  The same applies to climate change when you look at such events as Katrina or Superstorm Sandy.  However, when you look at the probability of a transportation infrastructure failure anywhere across the US on a daily – or even hourly – basis, the probability is high but the consequences may be less (in most but not all cases) than those of a terrorist or major storm event.  So, in all, the integral of the equation, so to speak, may reveal that transportation failures occur more frequently than terrorist attacks/climate change effects, which could lead to higher costs in dollars and human life over a one-year period than the results of a year’s worth of terrorist attacks and climate change events such as storms.

    • The Federal Highway Administration includes an “integrated risk assessment” approach, as alluded to in the paragraph above, where it discusses climate change vulnerability assessment pilots.[3]

    • Optimally it would be useful to have a comparison of the number of terrorist attacks for a specific geographic area versus the number of transportation infrastructure failures (e.g., bridges) for the same period of time to get a sense of probabilities.  As part of this thought experiment the following graphics were located on the Internet to help give a sense of “direction” for this comparison.  However, it is agreed that they are not a true “apples to apples” comparison.

Here is a graphic showing bridge failures.

And here is a graphic showing terrorist attacks:

Unfortunately I could not locate any data for the same time period to do an honest comparison either by events per year or costs per year.

  • Would our national resources be better spent on maintenance activities as opposed to protection or adaption?

    • This is a balancing act that requires policies to help ensure the funds and resources are spent on the right things.  Again, as shown in Dr. Whittington’s study, the State of California is not tasked with anti-terrorism activities, yet it still did not spend money on infrastructure maintenance due to rapid population growth and a focus on new assets.  Also, with most infrastructure being covered by state and local entities, you again have a conflict between anti-terrorism dollars (Federal), dollars for climate change remediation (unknown contributor – Federal or State), and dollars for infrastructure maintenance (State and local).  However, it is important to note that with the minimal amount of funds being used to pay for infrastructure maintenance today, any increase in resources to improve current asset integrity and safety would be better than the status quo.  This is especially true since replacing all the assets with new, safer and more secure facilities is not financially or fiscally reasonable.  And the added taxes for such efforts would not be accepted by the general population because they don’t have ready visibility into how bad the current circumstances are, in spite of the studies from the American Society of Civil Engineers.


"Bridges 101 - What Causes a Bridge Failure." Because I Can. January 31, 2012. (accessed May 10, 2014).
Department of Homeland Security Science and Technology Center of Excellence, University of Maryland. "National Consortium for the Study of Terrorism and Responses to Terrorism: Annex of Statistical Information." US Department of State. April 2014. (accessed May 10, 2014).
Dowall, David E., and Jan Whittington. Making Room for the Future: Rebuilding California's Infrastructure. Research Publication, San Francisco: Public Policy Institute of California, 2003.
US Department of Homeland Security. "Homeland Security Presidential Directive - 7: Critical Infrastructure Identification, Prioritization, and Protection." US Department of Homeland Security. December 17, 2003. (accessed May 10, 2014).
US Department of Homeland Security. National Infrastructure Protection Plan (2006). Washington, D.C.: US Department of Homeland Security, 2006.
US Department of Homeland Security. National Infrastructure Protection Plan (2009). Washington, DC: US Department of Homeland Security, 2009.
US Department of Homeland Security. National Infrastructure Protection Plan 2013: Partnering for Critical Infrastructure Security and Resilience. Washington, D.C.: US Department of Homeland Security, 2013.
US Department of Transportation Federal Highway Administration. Climate Change Vulnerability Assessment Pilots. March 27, 2014. (accessed May 10, 2014).