Tuesday, January 28, 2014

2014 World Economic Forum Risk Report - High and Low Lights...

Each year I look forward to reading the annual World Economic Forum (WEF) Risk Report.  The WEF has been publishing these very compelling reports for the past 9 years.  The 2014 Risk Report was published on December 31, 2013 and can be found at this LINK.

This year's report maps 31 global risks according to the level of concern, likelihood and impact, and interconnections among them.  Of these risks they identify the Top 10 Risks of Highest Concern and they have also included a fascinating discussion on what they call "Digital Disintegration" which examines cyberspace and its future for the globe.

The graphic below shows the 31 global risks and their categories including how the Top 10 Risks are detailed.

Infrastructure Risks

Of course as I look at the 31 risks, I am very interested in the "critical infrastructure-centric" issues that the WEF survey participants highlighted.  My own personal "Top 10" list includes the following from the list of 31:

  • Economic: Failure/shortfall of critical infrastructure
  • Environmental:  Greater incidence of extreme weather events
  • Environmental:  Greater incidence of natural catastrophes
  • Environmental:  Greater incidence of  man-made environmental catastrophes
  • Environmental:  Water Crises
  • Geopolitical:  Large-scale terrorist attack
  • Societal:  Mismanaged urbanization (inadequate infrastructure and supply chains)
  • Technological:  Breakdown of critical information infrastructure and networks
  • Technological:  Escalation of large-scale cyber attacks
  • Technological:  Massive incident of data fraud/theft

Risks in Terms of Likelihood and Impact

On page 17 of this 60-page report there are two tables showing the evolving global risk landscape from 2007 to 2014 based on the World Economic Forum Global Risk Reports.  The referenced table shows a fascinating movement of risk likelihood and impact moving from economic/technological issues to more geopolitical and environmental issues.  Comparisons are shown in the graphic below:

I've starred the two of concern for both likelihood and impact -- that is in the area of cyber -- both attacks and information infrastructure breakdown.  So, in spite of the list of 31 and the top 10 risks shown above, please consider that our digital arena is at risk among the top 5 of 31 risks.

Report Section 2.4: Digital Disintegration

A quote from the report:

"While cyberspace has proved largely resilient to attacks and other disruptions so far, its underlying dynamic has always been such that attackers have an easier time than defenders.  There are reasons to believe that resilience is gradually being undermined, allowing this dynamic of vulnerability to become more impactful."

Unfortunately, this quote is consistent with my past writings on "Assumption of Breach" and that the attackers have it easier than the defenders -- just remember my kitchen sieve model where the CISO needs to cover every hole with one hand yet the attackers only need one opening...ugh!

So, as noted in the WEF report, cyber risks can be summarized through the acronym CHEW -- crime, hacktivists, espionage and war.  However, the WEF report also notes that a large cloud provider could suffer an "...Enron- or Lehman-style failure virtually overnight."

The report continues to note that environmental triggers could easily play a role in disintegrating our digital backbone through such events as an earthquake devastating Silicon Valley (e.g., San Andreas fault) or a solar super storm that could cause major outages of national electric grids, satellites, avionics or signals from global navigation satellite systems.

Hence, our ever expanding reliance on the digital highways and systems may increase the risks to our global economy.

Finally, the WEF report goes on to note:

Increasingly, there is recognition that the growing role of cyberspace is not only a technical and geopolitical concern but also presents serious risks to economic well-being.  While failure of critical online infrastructure represents a systemic risk that could impact global growth, so does a large-scale loss of trust in the Internet.  ... Effective methods for measuring and pricing cyber risks may even lead to new market-based risk management structures, which would help in understanding the systemic interdependencies...that now depend on cyberspace.


As usual, the 60-page report from the World Economic Forum is full of interesting perspectives on the economic, environmental, geopolitical, societal, and technological arenas surrounding global commerce and society.  I would highly suggest you take a minute to download the report and at least page through the many points of discussion in the report and gain a perspective a bit different from your normal cable news channel.  Of course I focused on the infrastructure and cyber issues in this blog; however, I also believe you will gain some very interesting perspectives on the challenges facing our children and the "teetering" issues in our increasingly multipolar world.


Sunday, January 12, 2014

Water, Electric Generation and Climate Change

Note:  The following is a paper I've prepared for my Masters in Infrastructure Planning and Management at the University of Washington, Seattle.  I think you may find this interesting in light of today's concerns about water for thermal power plants.



I have been associated with electricity generation in one form or other as part of my profession since 1974.  I have operated nuclear power plants and been associated with hydroelectric generation, combustion turbine generation, coal-fired generation and even wind/solar and distributed generation such as diesel generators.  During this time I've learned that water is a very critical and foundational service for the thermal plants in particular.  Unfortunately as time progresses we are witnessing more issues relative to reduced availability and quantity of water for these plants.  Additionally there are challenges with climate change causing the water temperatures to rise and thus make it more difficult to efficiently generate power at some nuclear and coal-fired plants.

Key Aspects of Water and Electricity Generation

As noted above, the key aspects of water supply and thermal energy generation are the quantity used and the maximum temperature permitted for plant operation. In the table below, you can see that water use for thermal/non-hydro generation can be substantial:


Not only is a substantial quantity of water required for electricity generation but you should also consider that the discharge from the plant could contribute to increasing the temperature of the regional water supply which has impacts on fisheries, algae blooms, etc.

For some added statistics, the amount of water the nation's 19,000 power generating units consume is approximately 100 billion gallons a day -- three times what cascades over Niagara Falls in the same time frame. (Spiegel 2012)


Case Examples

Some case examples where water quantity/volume and temperature have played key roles in the ability of the plants to generate or not are as follows:

Millstone Nuclear Plant, Connecticut, 2012

In August 2012 the Millstone Nuclear Power Station near New London, Connecticut, was shut down for 12 days because the seawater used to cool the plant’s Unit 2 generating plant became too warm.  It was the first time any US nuclear plant was shut down because of intake water thermal limits.  The source of the cooling water is Long Island Sound. Of note, since 1975 when the plant started up, plant scientists have noted that Long Island Sound’s temperature has risen about 0.7 degrees F a decade, for about 2.8 degrees total.  This increase is attributed to ocean temperature rise due to climate change. (Spiegel 2012)

Browns Ferry Nuclear Plant, Alabama, 2011

The Browns Ferry Nuclear Plant in Alabama had to shut down more than once in the summer of 2011 because the Tennessee River's water was too warm to use for cooling. (Koch 2012)

North Texas Power Plant, 2011

One North Texas power plant (name unknown) had to reduce its generation output because the water level in its cooling reservoir had fallen substantially. (Fowler 2011)

Corette Power Plant, Montana, 2001

The 160-megawatt Corette Power Plant, located along the Yellowstone River in Billings, Montana, depends on a once-through cooling system, diverting 54-million gallons of water from the Yellowstone River each day. The plant’s water intake pumps work only if the river flow stays above 1,500 cubic feet per second. In recent years, this threshold was not met for several days at a time, forcing the plant to shut down.   In this case water flow rates affect the ability of the plant to operate or not. (Clean Air Task Force 2003)

Some Conclusions

A study commissioned by the European Commission and entitled “Vulnerability of US and European Electricity Supply to Climate Change” projects that the next 50 years of warmer water and lower water flows will lead to more power generation disruptions.  The authors project that thermoelectric power generating capacity from 2031 to 2060 will drop by 4 and 16 percent in the US and 6 and 19 percent in Europe due to lack of cooling water.  They also go on to note that the likelihood of extreme drops in power generation – complete or total shutdowns – is projected to almost triple. (van Vliet, et al. 2012)

This report goes on to note that reduced water availability and warmer water – caused by increasing air temperature associated with climate change – will result in higher electricity costs and reduced reliability.  Those plants that rely on once-through cooling are the most vulnerable versus those that recycle their cooling water via cooling towers.

Discharging water at elevated temperatures causes yet another problem: downstream thermal pollution which can affect life cycles of affected aquatic flora and fauna.  Also, this higher temperature could be an added impact on downstream power generation using the same water for cooling.

Overall, this appears to be a very interesting area to pursue further research and review of the current issues with water, electricity generation and climate change.


Clean Air Task Force. "The Last Straw: Water Use by Power Plants in the Arid West." April 2003. http://www.westernresourceadvocates.org/media/pdf/laststraw2009.pdf (accessed January 12, 2014).
Fowler, Tom. More power plant woes likely if Texas drought drags into winter. August 24, 2011. http://fuelfix.com/blog/2011/08/24/more-power-plant-woes-likely-if-texas-drought-drags-into-winter/ (accessed January 12, 2014).
Hickey, Hanna. Nuclear and coal-fired electrical plants vulnerable to climate change. June 3, 2012. http://www.eurekalert.org/pub_releases/2012-06/uow-nac053112.php (accessed January 12, 2014).
Koch, Wendy. Climate change causes nuclear, coal plant shutdowns. June 5, 2012. http://content.usatoday.com/communities/greenhouse/post/2012/06/climate-change-makes-nuclear-coal-power-plants-vulnerable/1#.UtLevfRDua8 (accessed January 12, 2014).
Spiegel, Jan Ellen. Millstone shutdown is a sign of broader power problem caused by climate change. September 24, 2012. http://www.ctmirror.org/story/2012/09/19/millstone-shutdown-sign-broader-power-problem-caused-climate-change (accessed January 12, 2014).
van Vliet, Michelle T. H., John R. Yearsley, Fulco Ludwig, Stefan Vögele, Dennis P. Lettenmaier, and Pavel Kabat. "Vulnerability of US and European electricity supply to climate change." Nature Climate Change (Macmillan Publishers Limited), June 2012: 1-6.
Western Resource Advocates. Water Use for Energy. n.d. http://www.westernresourceadvocates.org/water/waterenergy.php (accessed January 12, 2014).

Friday, January 10, 2014

SANS White Paper -- Cybersecurity Response to Physical Breaches of Unmanned Critical Infrastructure Sites

Our friend Mike Assante -- formerly of Idaho National Labs/National SCADA Test Bed, NERC, and now with SANS -- has coauthored an interesting and informative white paper on responses to physical breaches of unmanned critical infrastructure sites. The cover is shown below.

The whitepaper can be located at: http://tinyurl.com/ldfnzxq

One of the most interesting graphics in the paper (Appendix A, Page 12) is a collection of photos showing the ways/means of the miscreants to tap into the systems with such tools as keystroke loggers, etc.  The page is shown below to whet your appetite for this paper.

Nicely done and "attaboys" to Mike Assante, Scott D. Swartz and the SANS ICS team!

Also, my good friend Andy Bochman wrote about this at his Smart Grid Security Blog.  Thanks, Andy!!


Thursday, January 2, 2014

National Infrastructure Protection Plan (NIPP) - Released Dec 2013

On December 20, 2013, the newly revised National Infrastructure Protection Plan (NIPP) was issued by the US Department of Homeland Security.  NIPP 2013: Partnering for Critical Infrastructure Security and Resilience is available on the DHS Web site along with a Fact Sheet.    

President Obama's February 2013 Presidential Policy Directive 21 (PPD-21) regarding needed improvements in critical infrastructure security and resilience called for an update to the NIPP which was originally issued in 2006 and revised in 2009.  PPD-21, Critical Infrastructure Security and Resilience, explicitly calls for the development of an updated national plan. The directive builds on the work done to date to protect critical infrastructure, and describes a national policy to 1) share threat information, 2) reduce vulnerabilities, 3) minimize consequences, and 4) hasten response and recovery efforts related to critical infrastructure. It also identifies 16 critical infrastructure sectors, listed in the box below:


The document is 57 pages long and includes some history on the evolution of the NIPP.  There are a few useful graphics regarding the new threats to critical infrastructure (page 8) and how the NIPP 2013 elements help sustain improved security of the critical assets (page 6).

A useful table showing the different critical infrastructure sectors and the assigned Federal agency responsibilities is shown below (Table 1, Page 11).  This table gives you a good sense of the different sectors and how cross-coordination is intended to operate.

Finally, the document includes a Call to Action that highlights 12 separate actions aimed at enhancing national critical infrastructure security and resilience.  A summary list of the actions follows:

Build Upon Partnership Efforts
1)  Set National Focus through Jointly Developed Priorities
2)  Determine Collective Actions through Joint Planning Efforts
3)  Empower Local and Regional Partnerships to Build Capacity Nationally
4)  Leverage Incentives to Advance Security and Resilience

Innovate in Managing Risk
5)  Enable Risk-Informed Decision Making through Enhanced Situational Awareness
6)  Analyze Infrastructure Dependencies, Interdependencies, and Associated Cascading Effects
7)  Identify, Assess, and Respond to Unanticipated Infrastructure Cascading Effects During and Following Incidents
8)  Promote Infrastructure, Community, and Regional Recovery Following Incidents
9)  Strengthen Coordinated Development and Delivery of Technical Assistance, Training, and Education
10)  Improve Critical Infrastructure Security and Resilience by Advancing Research and Development Solutions

Focus on Outcomes
11)  Evaluate Progress toward the Achievement of Goals
12)  Learn and Adapt During and After Exercises and Incidents

Key Take-Aways

This document is a reference on understanding the background of the National Infrastructure Protection Plan and gives the reader a high-level sense of the policy and objectives for protecting our national critical infrastructure.  It is probably useful to know that this document exists but more specific details on how infrastructure is protected will be in sector-specific plans and plans developed by the infrastructure owners and operators.


2014 -- And What It Brings...

Happy New Year!  Welcome to 2014 and all the opportunities it brings!

Wow, 2013 has flown by!  For this year I will continue to focus this Blog on Critical Infrastructure issues and augment it with some discussions focused on some of the key questions and topics I think will affect all of us this year.

So, for a “bulletized” recap of the topical areas I’ll ponder please consider the following:

  • Critical Infrastructure Protection
      o What will happen with the NIST Cybersecurity Framework?
      o What news and events will surface for the 16 critical infrastructure areas designated by PPD-21?
      o How will the electric industry react to the new NERC CIP Version 5 mandates? And the NIST Cybersecurity Framework?
  • Industrial Controls Systems Security
      o This is a continuation of the areas reviewed last year including the SANS Global Industrial Cyber Security Professional (GICSP) certification activities and new ICS-security emphasis from other cyber-security agencies outside of the US ICS-CERT and even overseas with ENISA, etc.
  • Supply Chain Security
      o I find this a fascinating topic that is finally getting to the front pages of many business journals
      o Again, I will be examining ideas for both physical and cyber protection as well as new legislation impacting cyber defense and threat mitigation
  • Cyberwar
      o This area is particularly intriguing with continued stories about nation-state attacks and defenses
      o Added discussions about “hack-back” and “Active Defense” will be included
  • Cyber Risk Issues and Psychology of Security/Risk
      o The annual meeting in Davos for the World Economic Forum surfaces some very interesting discussions about threats to the digital economy that are not part of the mainstream IT press

So, this should be an interesting year and one that keeps us all busy.  Overall, though, my objectives for this Blog are to a) educate, b) entertain and c) make you think about today’s new challenges to our security and critical infrastructure resilience.

Lastly, I’ll also be busy with Twitter forwarding news items that follow the themes above.  Feel free to follow me @ErnieHayden

I look forward to your comments, ideas and feedback and if you hear of some news items that fit into my list above, I’d love to hear about it at enhayden1321@gmail.com

Happy New Year and all the best!