Tuesday, October 6, 2015

FEMA Damage Assessment Operating Manual - Comments Requested

The FEMA Damage Assessment Operations Manual is part of a greater effort to provide a user-friendly, streamlined post-disaster damage assessment process that builds on the existing knowledge and expertise of State or Tribe and local partners to identify damage after a natural or man-made disaster. Eligible Tribes and U.S. territories are considered the same as States for application of FEMA programs; the Manual is aimed at clarifying FEMA damage assessment guidance, promoting standardized information collection, and assisting in the development of requests for federal disaster assistance. 

The U.S. Department of Homeland Security’s Federal Emergency Management Agency (FEMA) is seeking comments from state, local, tribal, and territorial emergency management practitioners on the draft FEMA Damage Assessment Operating Manual. The manual establishes national damage assessment standards developed from historic lessons learned and best-practices already in use by state, local, tribal and federal emergency management agencies. The manual is built using a framework that encourages local information collection, state or tribal verification, and federal validation. Previous versions of such manuals have focused exclusively on the federal role. This document better highlights and provides guidance to state, local, and tribal governments on their role in the assessment. The draft manual is posted here. Comments should be added to the comment matrix, and submitted by Nov. 14, 2015.

The document appears to provide a very thorough user guide for handling disaster assessments. The book is 160 pages long and includes the following (from the Table of Contents):

  • Introduction
  • Concept of Operations
  • Roles and Responsibilities
  • Evaluating Damage and Impact for FEMA Public Assistance
  • Evaluating Damage and Impact for FEMA Individual Assistance
  • Damage Assessment Methods
  • Integration of Geospatial Analysis and Technology
  • Integration of Mobile Technology
  • Appendices A, C, D = Checklists
  • Appendices E, F = Matrices
  • Appendix H = Process Charts
Overall the document is a useful starting place; however, it does appear to have some gaps in chapter content, formatting, etc. But, then again, the document is out for review and comment.

This could be a useful tool for the student of Disaster Assessment and Recovery due to the checklists and discussions about the more contemporary use of GIS and cellphones for data gathering.

You are encouraged to take time and at least page through this document and offer your thoughts, ideas and feedback. Perhaps someday you will be using this manual for your own disaster assessments.


Friday, October 2, 2015

FEMA Bits and Pieces

For those of us in the "infrastructure community" we seem to be drawn to issues involving different critical infrastructure sectors along with broader issues such as emergency preparedness, disaster response and business continuity, government financing, climate change impacts, etc.

A useful resource is FEMA's Higher Education Program Bits and Pieces newsletter published by Barbara Johnson at the FEMA National Emergency Training Center, Emmitsburg, Maryland.  

The newsletter - often produced weekly on Fridays - not only includes information on FEMA training opportunities but it also weaves in timely  "bits and pieces" of information on emergency planning, critical infrastructure protection, etc.  The report also highlights any recently issued Congressional Research Service reports that may be of interest to the emergency planning/critical infrastructure protection professional.

Instructions on how to sign up for the email subscription service are below:

Sign up via our free e-mail subscription service to receive notifications when new information is available from the Higher Education Program and FEMA.gov.
You will receive Activity Reports and other pertinent information concerning professional development. You also have the option of signing up for additional e-mail updates from FEMA and EMI. Visit the subscriber settings page to sign up for additional e-mail notices. Once there, you can also receive e-mail updates targeted to your geographic area by clicking on “subscriber preferences” and inserting your state and ZIP Code where requested.
The links above will guide you through various aspects of the Higher Education Program. If you have any questions, please contact Barbara L. Johnson at Barbara.Johnson3@fema.dhs.gov.

Please note: Some of the websites linked from the Higher Ed courses, documents, presentations are not Federal government websites and may not necessarily operate under the same laws, regulations and policies as Federal websites.

Many thanks to Barbara for this useful service!  Well done!


A Time for Ethics

Normally my blog posts are focused on news and facts but this article will be a bit of a diversion.  Thanks for bearing with me!

As I listen to the news about the VW emissions scandal, and hear about deflated footballs, I am disappointed that honesty is being pushed aside.  I mentioned this to an acquaintance and their response was, "If you're not cheating you're not playing the game."

Well, I was frankly stunned at that response...to the point that I asked if they had a CISSP certification (CISSP = Certified Information Systems Security Professional, issued by ISC2).  Fortunately they didn't; however, the reason why I asked is because the CISSP Code of Ethics is a strong foundation for honestly dealing with your peers, customers, and employers -- as well as families, friends and fellow citizens.

The CISSP Code of Ethics includes a Preamble and Canons.  They are repeated below:

Code of Ethics Preamble

Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.  Therefore, strict adherence to this code is a condition of certification.

Code of Ethics Canons

*  Protect society, the commonwealth, and the infrastructure
*  Act honorably, honestly, justly, responsibly, and legally
*  Provide diligent and competent service to principals
*  Advance and protect the profession

So, if you are not aware of the CISSP Code of Ethics, you may want to consider it for your future decisions.  If you possess a CISSP then these should not be a surprise.

As my dear friend and mentor Mr. Kirk Bailey (CISO, University of Washington) has offered, whenever you are presented with a problem, "....always do the right and ethical thing..."

May you make the "right and ethical" decisions!


Friday, September 4, 2015

NIST Cybersecurity Practice Guide - Identity & Access Management for Electric Utilities

In late August 2015, the National Cybersecurity Center of Excellence (NCCoE) at the US National Institute of Standards and Technology (NIST) developed and released a set of draft documents entitled Identity and Access Management for Electric Utilities.  A "snapshot view" of the covers of these three documents is shown below.


The NCCoE collaborated with experts from the energy sector to develop a use-case scenario based on day-to-day operations and worked with technology vendors to develop example solutions demonstrating a centralized identity and access management system that would make changing or revoking privileges simple and quick.

The practice guide provides instructions on how to achieve a centralized identity and access management system and includes examples of all the necessary components and installation, configuration, and integration. The guide, which is modular and suitable for organizations of all sizes, also maps security characteristics to guidance and best practices from NIST and other standards organizations, and to the North American Electric Reliability Corporation's Critical Infrastructure Protection (NERC CIP) standards.

The guide:
  • maps security characteristics to guidance and best practices from NIST and other standards organizations, and to NERC CIP standards
  • provides:
    • a detailed example solution with capabilities that address security controls
    • a demonstrated approach using multiple products that achieve the same result
    • instructions for implementers and security engineers, including examples of all the necessary components and installation, configuration, and integration
  • uses products that are readily available and interoperable with your existing information technology infrastructure and investments
  • is modular and suitable for organizations of all sizes, including corporate and regional business offices, power generation plants, and substations
The documents can be found and downloaded at the URL listed above in the caption.  

Call to Action

NIST and the NCCoE are asking for comments on these documents.  The comment period closes October 23, 2015. You can submit comments through the Web form via this link.

Tuesday, August 11, 2015

Self-Development for Cyber Warriors

Because of my 15+ years in cyber security and roles in cyber security management, I am often asked about career development and about ways people can advance their positions to CISO-level jobs.  I often suggest looking at certifications and experience as the best starting points; however, I recently came across a really useful document from the Small Wars Journal written by Gregory Conti, James Caroland, Thomas Cook and Howard Taylor.


In 2011, Conti et al. wrote Self-Development for Cyber Warriors (screen shot above).  You can download the full article at http://smallwarsjournal.com/sites/default/files/893-conti.pdf.

Although this is intended for current military personnel advancing in the US Cyber Command there are many good -- no, EXCELLENT -- ideas written down to guide someone to becoming a smarter and more valuable cyber security professional.

Some key elements of this 34-page document include:

  • Key Categories of Cyber Expertise
  • Professional Reading (Books, Sci-fi)
  • Technology News, Magazines and Blogs
  • Cyber Warfare Journal and Magazine Articles
  • Doctrine and Policy
  • Professional Societies and Local Gatherings
  • Academic, Military, Government and Hacker Conferences
  • Videos and Podcasts
  • Movies
  • Training, Education, Certification and Self-Study
Starting on page 26 the authors provide five different "Self-Development Roadmaps" for military officers and NCOs in different stages of their cyber careers.  Regardless of the focus on the military career elements, the Roadmaps offer some great ideas for the new cyber student up to the more seasoned cyber expert.  You may want to look over the Roadmaps for ideas and then build your own.

Lastly, Table 12 offers a "heat map", if you will, of various topics: based on which Cyber Workforce you are in (or want to be in), you can gauge the importance of the various sectors and areas of specialization.  An excerpt of the table is included below:

Overall, I wish I had this resource when I was just starting out in the field.  And, even though this was written in 2011, the guidance is timeless and can provide a super foundation for your and your cyber-co-workers' career growth.

Well done to Messrs. Conti, Caroland, Cook and Taylor!  Thanks for the contribution to the cyber society!


Monday, August 10, 2015

Pervasive Sensing and Risk Implications

For the past four years I have been taking one class a quarter towards a Masters in Infrastructure Planning and Management offered by the College of Built Environments at the University of Washington in Seattle.

This program is unique; the classes are entirely online, and I've not seen one like it in my global travels.  It is a fantastic program covering a broad range of critical infrastructure issues (e.g., transportation, water systems, emergency management, etc.) and also offers supporting training in areas such as capital budgeting/finance for government.  Overall I was very impressed with the faculty and level of education.

Well, the end is in sight!  The final assignment due this week is to submit the final Capstone and also prepare a summary presentation of the Capstone contents on YouTube (in 10 minutes!).

The title of my Capstone is: Pervasive Sensing and Industrial Control System Risk Implications.


The YouTube link for the 10-minute narrated PowerPoint is at:  https://www.youtube.com/watch?v=yyQbUBIVWIo

I hope you will find this presentation informative and thought-provoking.

Lastly, apologies to those of you already made aware of this presentation via a separate Twitter and LinkedIn announcement a few days ago.



Thursday, July 9, 2015

Insurance and a US Electric Grid Blackout - A Compelling Read

On July 8, 2015, Lloyd's of London published an excellent report Business Blackout - The insurance implications of a cyber attack on the US power grid.  

(The same day as the United Airlines, Wall Street Journal and New York Stock Exchange cyber events...hmmm, any coincidence?)

This 65-page report is an excellent analysis of the insurance and economic impact on the US following a theoretical cyber attack on the US Northeastern corridor, affecting Boston to Washington, DC.  The report is a compelling read for anyone in the cyber security or critical infrastructure domains -- at a minimum, the analysis by Lloyd's and the Cambridge Centre for Risk Studies team (University of Cambridge Judge Business School) gives you pause to a) better understand the interdependency of infrastructures and b) better learn ways to consider the economic impacts of such events.

Key sections of the report include:

  • Executive Summary
  • Introduction to the Scenario
  • The Erebos Cyber Blackout Scenario
  • Direct Impacts to the Economy**
  • Macroeconomic Analysis**
  • Cyber as an Emerging Insurance Risk**
  • Insurance Industry Loss Estimation
  • Annex A:  Cyber Attacks Against Industrial Control Systems since 1999
  • Annex B:  The US Electricity Grid and Cyber Risk to Critical Infrastructure
  • Annex C:  Constructing the Scenario - Threats and Vulnerabilities
** = Focus your reading here...

For some key "bullets" on the report and the scenario, the following were extracted from the Lloyd's web page:

  1. The attackers are able to inflict physical damage on 50 electric generators which supply electrical power in the Northeastern USA, including New York City and Washington, DC.
  2. While the attack is relatively limited in scope (nearly 700 generators supply electricity across the region), it triggers wider blackouts which leave 93 million people without power.
  3. The total impact to the US economy is estimated at $243B, rising to more than $1T in the most extreme version of the scenario.
  4. Insurance claims arise in over 30 lines of insurance.  The total insured losses are estimated at $21.4B, rising to $71.1B in the most extreme version of the scenario.
  5. A key requirement for an insurance response to cyber risks will be to enhance the quality of data available and to continue the development of probabilistic modelling.
  6. The sharing of cyber attack data is a complex issue, but could be an important element for enabling the insurance solutions required for this key emerging risk.

Hat tip to Eireann Leverett, Senior Risk Researcher and member of the ENISA ICS Security Stakeholders Group for passing along this analysis.


If you are involved with critical infrastructure -- especially the electric grid -- take time to read this report cover-to-cover.  If you are worried about the economic impacts of cyber on your business -- read this report to understand the interdependencies.