Friday, October 30, 2015

Taking Infrastructure Seriously

Remember the 2013 infrastructure grade report from the American Society of Civil Engineers (ASCE)?  A snapshot of the 2013 grades for the US is quite damning and is posted in the picture below:

My immediate response is WOW followed by an emoticon of sadness :-(

These grades are two years old and I suspect they have not improved and perhaps have gotten even worse.

Maybe a new Speaker of the House will bring some new attention to this national crisis -- I certainly hope so.

In the World Economic Forum AGENDA, there is an article by the Honorable Gordon Brown (former Prime Minister of the United Kingdom) with the headline GORDON BROWN:  IT'S TIME TO TAKE INFRASTRUCTURE SERIOUSLY.

Mr. Brown's article offers a very critical and less than optimistic view of the world's current infrastructure crisis, and it prompted me to write this blog.  He cites the following facts:

  • There is a $20 Trillion backlog in infrastructure maintenance/upgrade requirements running to 2030
  • 18% of the world's citizens are left without electricity
  • 11% of the world's citizens are left without clean water
  • 20% are deprived of basic healthcare
  • 58M children denied primary schooling
Gordon continues to observe that, without action to remedy this blight in infrastructure, eradicating extreme poverty cannot be achieved.

Ideas Needed

Yes, infrastructure capital projects -- new and upgrades -- are expensive and may be risky; however, interest rates are low and there is new emphasis on public-private partnerships to take the actions necessary to at least improve the current situation.  Unfortunately, the US (let alone the other economically advanced nations) is so far behind that the problems we face at home may obscure the needs of the less developed countries.

Leadership is needed to tackle this issue in conjunction with climate change, since the two are intertwined.  I'd like to commend Mr. Brown and the World Economic Forum for raising awareness of this daunting issue.


Tuesday, October 6, 2015

FEMA Damage Assessment Operating Manual - Comments Requested

The FEMA Damage Assessment Operations Manual is part of a greater effort to provide a user-friendly, streamlined post-disaster damage assessment process that builds on the existing knowledge and expertise of State or Tribe and local partners to identify damage after a natural or man-made disaster. Eligible Tribes and U.S. territories are considered the same as States for application of FEMA programs; the Manual is aimed at clarifying FEMA damage assessment guidance, promoting standardized information collection, and assisting in the development of requests for federal disaster assistance. 

The U.S. Department of Homeland Security’s Federal Emergency Management Agency (FEMA) is seeking comments from state, local, tribal, and territorial emergency management practitioners on the draft FEMA Damage Assessment Operating Manual. The manual establishes national damage assessment standards developed from historic lessons learned and best-practices already in use by state, local, tribal and federal emergency management agencies. The manual is built using a framework that encourages local information collection, state or tribal verification, and federal validation. Previous versions of such manuals have focused exclusively on the federal role. This document better highlights and provides guidance to state, local, and tribal governments on their role in the assessment. The draft manual is posted here. Comments should be added to the comment matrix, and submitted by Nov. 14, 2015.

The document appears to provide a very thorough user guide for handling disaster assessments. The book is 160 pages long and includes the following (from the Table of Contents):

  • Introduction
  • Concept of Operations
  • Roles and Responsibilities
  • Evaluating Damage and Impact for FEMA Public Assistance
  • Evaluating Damage and Impact for FEMA Individual Assistance
  • Damage Assessment Methods
  • Integration of Geospatial Analysis and Technology
  • Integration of Mobile Technology
  • Appendices A, C, D = Checklists
  • Appendices E, F = Matrices
  • Appendix H = Process Charts
Overall the document is a useful starting place; however, it does appear to have some gaps in chapter content, formatting, etc. But, then again, the document is out for review and comment.

This could be a useful tool for the student of Disaster Assessment and Recovery due to the checklists and discussions about the more contemporary use of GIS and cellphones for data gathering.

You are encouraged to take time and at least page through this document and offer your thoughts, ideas and feedback. Perhaps someday you will be using this manual for your own disaster assessments.


Friday, October 2, 2015

FEMA Bits and Pieces

For those of us in the "infrastructure community" we seem to be drawn to issues involving different critical infrastructure sectors along with broader issues such as emergency preparedness, disaster response and business continuity, government financing, climate change impacts, etc.

A useful resource is FEMA's Higher Education Program Bits and Pieces newsletter published by Barbara Johnson at the FEMA National Emergency Training Center, Emmitsburg, Maryland.  

The newsletter - often produced weekly on Fridays - not only includes information on FEMA training opportunities but also weaves in timely "bits and pieces" of information on emergency planning, critical infrastructure protection, etc.  The report also highlights any recently issued Congressional Research Service reports that may be of interest to the emergency planning/critical infrastructure protection professional.

Instructions on how to sign up for the email subscription service are below:

Sign up via our free e-mail subscription service to receive notifications when new information is available from the Higher Education Program and
You will receive Activity Reports and other pertinent information concerning professional development. You also have the option of signing up for additional e-mail updates from FEMA and EMI. Visit the subscriber settings page to sign up for additional e-mail notices. Once there, you can also receive e-mail updates targeted to your geographic area by clicking on “subscriber preferences” and inserting your state and ZIP Code where requested.
The links above will guide you through various aspects of the Higher Education Program. If you have any questions, please contact Barbara L. Johnson at

Please note: Some of the websites linked from the Higher Ed courses, documents, presentations are not Federal government websites and may not necessarily operate under the same laws, regulations and policies as Federal websites.

Many thanks to Barbara for this useful service!  Well done!


A Time for Ethics

Normally my blog posts are focused on news and facts but this article will be a bit of a diversion.  Thanks for bearing with me!

As I listen to the news about the VW emissions scandal, and hear about deflated footballs, I am disappointed that honesty is being pushed aside.  I mentioned this to an acquaintance and their response was, "If you're not cheating you're not playing the game."

Well, I was frankly stunned, to the point that I asked if they had a CISSP certification (CISSP = Certified Information Systems Security Professional, issued by ISC2).  Fortunately they didn't; however, the reason why I asked is because the CISSP Code of Ethics is a strong foundation for honestly dealing with your peers, customers, and employers -- as well as families, friends and fellow citizens.

The CISSP Code of Ethics includes a Preamble and Canons.  They are repeated below:

Code of Ethics Preamble

Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.  Therefore, strict adherence to this code is a condition of certification.

Code of Ethics Canons

*  Protect society, the commonwealth, and the infrastructure
*  Act honorably, honestly, justly, responsibly, and legally
*  Provide diligent and competent service to principals
*  Advance and protect the profession

So, if you are not aware of the CISSP Code of Ethics, you may want to consider it for your future decisions.  If you possess a CISSP then these should not be a surprise.

As my dear friend and mentor Mr. Kirk Bailey (CISO, University of Washington) has offered, whenever you are presented with a problem, "....always do the right and ethical thing..."

May you make the "right and ethical" decisions!


Friday, September 4, 2015

NIST Cybersecurity Practice Guide - Identity & Access Management for Electric Utilities

In late August 2015, the National Cybersecurity Center of Excellence (NCCoE) at the US National Institute of Standards and Technology (NIST) developed and released a set of draft documents entitled Identity and Access Management for Electric Utilities.  A "snapshot view" of the covers of these three documents is shown below.

The NCCoE collaborated with experts from the energy sector to develop a use-case scenario based on day-to-day operations and worked with technology vendors to develop example solutions demonstrating a centralized identity and access management system that would make changing or revoking privileges simple and quick.

The practice guide provides instructions on how to achieve a centralized identity and access management system and includes examples of all the necessary components and installation, configuration, and integration. The guide, which is modular and suitable for organizations of all sizes, also maps security characteristics to guidance and best practices from NIST and other standards organizations, and to North American Electric Reliability Corporation’s Critical Infrastructure Protection(NERC CIP) standards.

The guide:
  • maps security characteristics to guidance and best practices from NIST and other standards organizations, and to NERC CIP standards
  • provides:
    • a detailed example solution with capabilities that address security controls
    • a demonstrated approach using multiple products that achieve the same result
    • instructions for implementers and security engineers, including examples of all the necessary components and installation, configuration, and integration
  • uses products that are readily available and interoperable with your existing information technology infrastructure and investments
  • is modular and suitable for organizations of all sizes, including corporate and regional business offices, power generation plants, and substations
The documents can be found and downloaded at the URL listed above in the caption.  
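The core benefit the guide describes -- one centralized identity and access management store, so that changing or revoking a person's privileges is a single action rather than a sweep across every device -- is easy to see in a small model.  The following is an added example I wrote for this post; it is not code from the NCCoE guide or from any vendor in the build, and the device names ("sub-north-gw", "plant-a-hmi"), roles and permissions are hypothetical.  It contrasts the legacy pattern (a local account list on every substation gateway and plant HMI) with a central directory that every enforcement point consults, and it shows the failure mode the guide is aimed at: an offboarded operator who still has a working account on the one device the manual sweep missed.

```python
# Added example (not from the NCCoE guide or the blog): a toy model contrasting
# per-device local accounts with a centralized IdAM store.  Device names, roles
# and permissions below are hypothetical and constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Identity:
    user_id: str
    roles: set = field(default_factory=set)
    enabled: bool = True


class CentralDirectory:
    """Single authoritative source of identities, roles and role->permission
    mappings.  Every enforcement point asks this store; none keeps its own copy."""

    def __init__(self):
        self.users = {}
        self.role_permissions = {}   # role -> {(device_class, action), ...}
        self.audit = []              # constructed audit trail, appended on every change

    def define_role(self, role, permissions):
        self.role_permissions[role] = set(permissions)

    def add_user(self, user_id, *roles):
        self.users[user_id] = Identity(user_id, set(roles))
        self.audit.append(("add", user_id, tuple(sorted(roles))))

    def revoke_user(self, user_id):
        # One change here takes effect at every site on the next access check.
        self.users[user_id].enabled = False
        self.audit.append(("revoke", user_id))

    def authorize(self, user_id, device_class, action):
        ident = self.users.get(user_id)
        if ident is None or not ident.enabled:
            return False
        return any((device_class, action) in self.role_permissions.get(r, set())
                   for r in ident.roles)


class CentralizedDevice:
    """An enforcement point (substation gateway, plant HMI, office application)
    that delegates every access decision to the central directory."""

    def __init__(self, name, device_class, directory):
        self.name, self.device_class, self.directory = name, device_class, directory

    def access(self, user_id, action):
        return self.directory.authorize(user_id, self.device_class, action)


class LocalAccountDevice:
    """The legacy pattern: each device holds its own account list, so revoking
    a person means logging in to every device individually."""

    def __init__(self, name):
        self.name = name
        self.local_accounts = {}     # user_id -> set of permitted actions

    def add_local_account(self, user_id, actions):
        self.local_accounts[user_id] = set(actions)

    def remove_local_account(self, user_id):
        self.local_accounts.pop(user_id, None)

    def access(self, user_id, action):
        return action in self.local_accounts.get(user_id, set())


def offboarding_comparison():
    """Offboard one operator under both models and report where access survives."""
    directory = CentralDirectory()
    directory.define_role("substation_operator",
                          {("substation", "read_telemetry"), ("substation", "operate_breaker")})
    directory.define_role("plant_engineer", {("generation", "edit_setpoint")})
    directory.add_user("operator1", "substation_operator", "plant_engineer")

    central_sites = [CentralizedDevice("sub-north-gw", "substation", directory),
                     CentralizedDevice("sub-south-gw", "substation", directory),
                     CentralizedDevice("plant-a-hmi", "generation", directory)]

    legacy_sites = [LocalAccountDevice(n) for n in ("sub-north-gw", "sub-south-gw", "plant-a-hmi")]
    for dev in legacy_sites:
        dev.add_local_account("operator1", {"read_telemetry", "operate_breaker", "edit_setpoint"})

    before = {"sub-north-gw": central_sites[0].access("operator1", "operate_breaker"),
              "plant-a-hmi": central_sites[2].access("operator1", "edit_setpoint")}
    # Role scoping: a breaker operation is not a plant-engineer permission.
    cross_class = central_sites[2].access("operator1", "operate_breaker")

    directory.revoke_user("operator1")          # offboarding: one central change ...
    for dev in legacy_sites[:-1]:               # ... versus a manual sweep that misses one device
        dev.remove_local_account("operator1")

    return {
        "central_access_before_revoke": before,
        "cross_class_denied": cross_class,
        "central_access_after_revoke": [d.access("operator1", "operate_breaker") for d in central_sites],
        "legacy_access_after_sweep": {d.name: d.access("operator1", "edit_setpoint") for d in legacy_sites},
        "audit_events": len(directory.audit),
    }


if __name__ == "__main__":
    for key, value in offboarding_comparison().items():
        print(f"{key}: {value}")
```

Running it shows the revoked operator denied at all three centrally managed sites while the legacy "plant-a-hmi" still honours the stale local account, and the central audit trail records both the grant and the revocation in one place, which is the kind of evidence the guide maps to the NERC CIP access-management requirements.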

Call to Action

NIST and the NCCoE are asking for comments on these documents.  The comment period closes October 23, 2015. You can submit comments through the Web form via this link.

Tuesday, August 11, 2015

Self-Development for Cyber Warriors

Because of my 15+ years in cyber security and roles in cyber security management, I am often asked about career development and about ways to advance to CISO-level jobs.  I often suggest certifications and experience as the best starting points; however, I recently came across a really useful document from the Small Wars Journal written by Gregory Conti, James Caroland, Thomas Cook and Howard Taylor.

In 2011, Conti, et al wrote Self-Development for Cyber Warriors (screen shot above).  You can download the full article at .

Although this is intended for current military personnel advancing in the US Cyber Command there are many good -- no, EXCELLENT -- ideas written down to guide someone to becoming a smarter and more valuable cyber security professional.

Some key elements of this 34-page document include:

  • Key Categories of Cyber Expertise
  • Professional Reading (Books, Sci-fi)
  • Technology News, Magazines and Blogs
  • Cyber Warfare Journal and Magazine Articles
  • Doctrine and Policy
  • Professional Societies and Local Gatherings
  • Academic, Military, Government and Hacker Conferences
  • Videos and Podcasts
  • Movies
  • Training, Education, Certification and Self-Study
Starting on page 26 the authors provide five different "Self-Development Roadmaps" for military officers and NCOs in different stages of their cyber careers.  Regardless of the focus on the military career elements, the Roadmaps offer some great ideas for the new cyber student up to the more seasoned cyber expert.  You may want to look over the Roadmaps for ideas and then build your own.

Lastly, Table 12 offers a "heat map", if you will, of various topics: based on which Cyber Workforce you are in (or want to be in), you can gauge the importance of the various sectors and areas of specialization.  An excerpt of the table is included below:

Overall, I wish I had this resource when I was just starting out in the field.  And, even though this was written in 2011, the guidance is timeless and can provide a super foundation for your and your cyber-co-workers' career growth.

Well done to Messrs. Conti, Caroland, Cook and Taylor!  Thanks for the contribution to the cyber society!


Monday, August 10, 2015

Pervasive Sensing and Risk Implications

For the past four years I have been taking one class a quarter towards a Masters in Infrastructure Planning and Management offered by the College of Built Environments at the University of Washington in Seattle.

This program is unique; the classes are entirely online, and I've not seen one like it in my global travels.  It is a fantastic program covering a broad range of critical infrastructure issues (e.g., transportation, water systems, emergency management, etc.) and also offers supporting training in areas such as capital budgeting/finance for government.  Overall I was very impressed with the faculty and level of education.

Well, the end is in sight!  The final assignment due this week is to submit the final Capstone and also prepare a 10-minute summary presentation of the Capstone contents for YouTube.

The title of my Capstone is: Pervasive Sensing and Industrial Control System Risk Implications.

The YouTube link for the 10-minute narrated PowerPoint is at:

I hope you will find this presentation informative and thought-provoking.

Lastly, apologies to those of you already made aware of this presentation via a separate Twitter and LinkedIn announcement a few days ago.