Wednesday, December 23, 2015

The New, Improved Maslow's Hierarchy of Needs

########## NEWS FLASH!! ##########

In his seminal work A Theory of Human Motivation, Abraham Maslow introduced the world to his model depicting the hierarchy of needs required by humans.  However, after substantial analysis, re-analysis, and re-re-analysis a new foundational layer has been added to his model that is even more fundamental than a human's basic need for physiological elements such as air, water, etc.  

A new model has been developed and shown with the new foundational level below:

So, the next time you are surrounded by groups of humans you will almost always see them searching for the fundamental requirement of life....Wi-Fi!


Merry Christmas and Happy New Year!

Friday, October 30, 2015

Taking Infrastructure Seriously

Remember the 2013 infrastructure grade report from the American Society of Civil Engineers (ASCE)?  A snapshot of the 2013 grades for the US was quite damning and is posted in the picture below:


My immediate response is WOW followed by an emoticon of sadness :-(

These grades are two years old and I suspect they have not improved and perhaps have gotten even worse.

Maybe with a new Speaker of the House some new attention will be paid to this national crisis -- I certainly hope so.

In the World Economic Forum AGENDA, there is an article by the Honorable Gordon Brown (former Prime Minister of the United Kingdom) with the headline GORDON BROWN:  IT'S TIME TO TAKE INFRASTRUCTURE SERIOUSLY.

Mr. Brown's article offers a very critical and less than optimistic view of the world's current infrastructure crisis, and it prompted me to write this blog.  He offers the following facts:

  • There is a $20 Trillion backlog in infrastructure maintenance/upgrade requirements running to 2030
  • 18% of the world's citizens are left without electricity
  • 11% of the world's citizens are left without clean water
  • 20% are deprived of basic healthcare
  • 58M children denied primary schooling
Mr. Brown goes on to observe that without action on this infrastructure blight, eradicating extreme poverty cannot be achieved.

Ideas Needed

Yes, infrastructure capital projects -- new and upgrades -- are expensive and may be risky; however, interest rates are low and there is new emphasis on public-private partnerships to take the actions necessary to at least improve the current situation.  Unfortunately, the US (let alone the other economically advanced nations) is so far behind that the problems we face at home may obscure the needs of the less developed countries.

Leadership is needed to tackle this issue in conjunction with climate change; the two are intertwined.  I'd like to commend Mr. Brown and the World Economic Forum for raising awareness of this daunting issue.

###



Tuesday, October 6, 2015

FEMA Damage Assessment Operating Manual - Comments Requested



The FEMA Damage Assessment Operations Manual is part of a greater effort to provide a user-friendly, streamlined post-disaster damage assessment process that builds on the existing knowledge and expertise of State or Tribe and local partners to identify damage after a natural or man-made disaster. Eligible Tribes and U.S. territories are considered the same as States for application of FEMA programs; the Manual is aimed at clarifying FEMA damage assessment guidance, promoting standardized information collection, and assisting in the development of requests for federal disaster assistance. 

The U.S. Department of Homeland Security’s Federal Emergency Management Agency (FEMA) is seeking comments from state, local, tribal, and territorial emergency management practitioners on the draft FEMA Damage Assessment Operating Manual. The manual establishes national damage assessment standards developed from historic lessons learned and best-practices already in use by state, local, tribal and federal emergency management agencies. The manual is built using a framework that encourages local information collection, state or tribal verification, and federal validation. Previous versions of such manuals have focused exclusively on the federal role. This document better highlights and provides guidance to state, local, and tribal governments on their role in the assessment. The draft manual is posted here. Comments should be added to the comment matrix, and submitted by Nov. 14, 2015.

The document appears to provide a very thorough user guide for handling disaster assessments. The book is 160 pages long and includes the following (from the Table of Contents):

  • Introduction
  • Concept of Operations
  • Roles and Responsibilities
  • Evaluating Damage and Impact for FEMA Public Assistance
  • Evaluating Damage and Impact for FEMA Individual Assistance
  • Damage Assessment Methods
  • Integration of Geospatial Analysis and Technology
  • Integration of Mobile Technology
  • Appendices A, C, D = Checklists
  • Appendices E, F = Matrices
  • Appendix H = Process Charts
Overall the document is a useful starting place; however, it does appear to have some gaps in chapter content, formatting, etc. But, then again, the document is out for review and comment.

This could be a useful tool for the student of Disaster Assessment and Recovery due to the checklists and discussions about the more contemporary use of GIS and cellphones for data gathering.

You are encouraged to take time and at least page through this document and offer your thoughts, ideas and feedback. Perhaps someday you will be using this manual for your own disaster assessments.

###


Friday, October 2, 2015

FEMA Bits and Pieces

Those of us in the "infrastructure community" seem to be drawn to issues involving the different critical infrastructure sectors along with broader issues such as emergency preparedness, disaster response and business continuity, government financing, climate change impacts, etc.

A useful resource is FEMA's Higher Education Program Bits and Pieces newsletter published by Barbara Johnson at the FEMA National Emergency Training Center, Emmitsburg, Maryland.  

The newsletter - often produced weekly on Fridays - not only includes information on FEMA training opportunities but also weaves in timely "bits and pieces" of information on emergency planning, critical infrastructure protection, etc.  The report also highlights any recently issued Congressional Research Service reports that may be of interest to the emergency planning/critical infrastructure protection professional.

Instructions on how to sign up for the email subscription service are below:

Sign up via our free e-mail subscription service to receive notifications when new information is available from the Higher Education Program and FEMA.gov.
You will receive Activity Reports and other pertinent information concerning professional development. You also have the option of signing up for additional e-mail updates from FEMA and EMI. Visit the subscriber settings page to sign up for additional e-mail notices. Once there, you can also receive e-mail updates targeted to your geographic area by clicking on “subscriber preferences” and inserting your state and ZIP Code where requested.
The links above will guide you through various aspects of the Higher Education Program. If you have any questions, please contact Barbara L. Johnson at Barbara.Johnson3@fema.dhs.gov.

Please note: Some of the websites linked from the Higher Ed courses, documents, presentations are not Federal government websites and may not necessarily operate under the same laws, regulations and policies as Federal websites.

Many thanks to Barbara for this useful service!  Well done!



###

A Time for Ethics

Normally my blog posts are focused on news and facts but this article will be a bit of a diversion.  Thanks for bearing with me!

As I listen to the news about the VW emissions scandal, and hear about deflated footballs, I am disappointed that honesty is being pushed aside.  I mentioned this to an acquaintance and their response was, "If you're not cheating you're not playing the game."

Well, I was frankly stunned at that response...to the point that I asked if they had a CISSP certification (CISSP = Certified Information Systems Security Professional, issued by (ISC)²).  Fortunately they didn't; however, the reason I asked is that the CISSP Code of Ethics is a strong foundation for dealing honestly with your peers, customers, and employers -- as well as families, friends and fellow citizens.

The CISSP Code of Ethics includes a Preamble and Canons.  They are repeated below:

Code of Ethics Preamble

Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.  Therefore, strict adherence to this Code is a condition of certification.

Code of Ethics Canons

*  Protect society, the commonwealth, and the infrastructure
*  Act honorably, honestly, justly, responsibly, and legally
*  Provide diligent and competent service to principals
*  Advance and protect the profession

So, if you are not aware of the CISSP Code of Ethics, you may want to consider it for your future decisions.  If you possess a CISSP then these should not be a surprise.

As my dear friend and mentor Mr. Kirk Bailey (CISO, University of Washington) has offered, whenever you are presented with a problem, "....always do the right and ethical thing..."

May you make the "right and ethical" decisions!

Cheers!

Friday, September 4, 2015

NIST Cybersecurity Practice Guide - Identity & Access Management for Electric Utilities

In late August 2015, the National Cybersecurity Center of Excellence (NCCoE) at the US National Institute of Standards and Technology (NIST) developed and released a set of draft documents entitled Identity and Access Management for Electric Utilities.  A "snapshot view" of the covers of these three documents is shown below.


https://nccoe.nist.gov/projects/use_cases/idam 

The NCCoE collaborated with experts from the energy sector to develop a use-case scenario based on day-to-day operations and worked with technology vendors to develop example solutions demonstrating a centralized identity and access management system that would make changing or revoking privileges simple and quick.

The practice guide provides instructions on how to achieve a centralized identity and access management system and includes examples of all the necessary components and their installation, configuration, and integration. The guide, which is modular and suitable for organizations of all sizes, also maps security characteristics to guidance and best practices from NIST and other standards organizations, and to the North American Electric Reliability Corporation's Critical Infrastructure Protection (NERC CIP) standards.

According to the NCCoE, the guide:
  • maps security characteristics to guidance and best practices from NIST and other standards organizations, and to NERC CIP standards
  • provides:
    • a detailed example solution with capabilities that address security controls
    • a demonstrated approach using multiple products that achieve the same result
    • instructions for implementers and security engineers, including examples of all the necessary components and installation, configuration, and integration
  • uses products that are readily available and interoperable with your existing information technology infrastructure and investments
  • is modular and suitable for organizations of all sizes, including corporate and regional business offices, power generation plants, and substations
The documents can be found and downloaded at the URL listed above in the caption.  

Call to Action

NIST and the NCCoE are asking for comments on these documents.  The comment period closes October 23, 2015. You can submit comments through the Web form via this link.


Tuesday, August 11, 2015

Self-Development for Cyber Warriors

Because of my 15+ years in cyber security and my roles in cyber security management, I am often asked by colleagues about career development and ways to advance toward CISO-level jobs.  I usually suggest certifications and experience as the best starting points; however, I recently came across a really useful document from the Small Wars Journal written by Gregory Conti, James Caroland, Thomas Cook and Howard Taylor.

http://smallwarsjournal.com/sites/default/files/893-conti.pdf


In 2011, Conti et al. wrote Self-Development for Cyber Warriors (screen shot above).  You can download the full article at http://smallwarsjournal.com/sites/default/files/893-conti.pdf .

Although this is intended for current military personnel advancing in the US Cyber Command there are many good -- no, EXCELLENT -- ideas written down to guide someone to becoming a smarter and more valuable cyber security professional.

Some key elements of this 34-page document include:

  • Key Categories of Cyber Expertise
  • Professional Reading (Books, Sci-fi)
  • Technology News, Magazines and Blogs
  • Cyber Warfare Journal and Magazine Articles
  • Doctrine and Policy
  • Professional Societies and Local Gatherings
  • Academic, Military, Government and Hacker Conferences
  • Videos and Podcasts
  • Movies
  • Training, Education, Certification and Self-Study
Starting on page 26 the authors provide five different "Self-Development Roadmaps" for military officers and NCOs in different stages of their cyber careers.  Regardless of the focus on the military career elements, the Roadmaps offer some great ideas for the new cyber student up to the more seasoned cyber expert.  You may want to look over the Roadmaps for ideas and then build your own.

Lastly, Table 12 offers a "heat map", if you will, of various topics; based on which cyber workforce you are in (or want to be in) you can gauge the importance of the various sectors and areas of specialization.  An excerpt of the table is included below:


Overall, I wish I had this resource when I was just starting out in the field.  And, even though this was written in 2011, the guidance is timeless and can provide a super foundation for your and your cyber-co-workers' career growth.

Well done to Messrs. Conti, Caroland, Cook and Taylor!  Thanks for the contribution to the cyber society!

###

Monday, August 10, 2015

Pervasive Sensing and Risk Implications

For the past four years I have been taking one class a quarter towards a Master's in Infrastructure Planning and Management offered by the College of Built Environments at the University of Washington in Seattle.

This program is unique: the classes are entirely online, and I've not seen one like it in my global travels.  It is a fantastic program covering a broad range of critical infrastructure issues (e.g., transportation, water systems, emergency management, etc.) and also offers supporting training in areas such as capital budgeting/finance for government.  Overall I was very impressed with the faculty and level of education.

Well, the end is in sight!  The final assignment due this week is to submit the final Capstone and also prepare a 10-minute summary presentation of the Capstone contents on YouTube.

The title of my Capstone is: Pervasive Sensing and Industrial Control System Risk Implications.

https://www.youtube.com/watch?v=yyQbUBIVWIo


The YouTube link for the 10-minute narrated PowerPoint is at:  https://www.youtube.com/watch?v=yyQbUBIVWIo

I hope you will find this presentation informative and thought-provoking.

Lastly, apologies to those of you already made aware of this presentation via separate Twitter and LinkedIn announcements a few days ago.

Cheers!

###

Thursday, July 9, 2015

Insurance and a US Electric Grid Blackout - A Compelling Read

On July 8, 2015, Lloyd's of London published an excellent report Business Blackout - The insurance implications of a cyber attack on the US power grid.  

(The same day as the United Airlines, Wall Street Journal and New York Stock Exchange cyber events...hmmm, any coincidence?)



This 65-page report is an excellent analysis of the insurance and economic impact on the US following a theoretical cyber attack on the US Northeastern corridor affecting Boston to Washington, DC.  The report is a compelling read for anyone in the cyber security or critical infrastructure domains -- at a minimum the analysis by Lloyd's and the Cambridge Center for Risk Studies Team (University of Cambridge Judge Business School) causes you to take pause to a) better understand the interdependency of infrastructures and b) better learn ways to consider economic impacts of such events.

Key sections of the report include:

  • Executive Summary
  • Introduction to the Scenario
  • The Erebos Cyber Blackout Scenario
  • Direct Impacts to the Economy**
  • Macroeconomic Analysis**
  • Cyber as an Emerging Insurance Risk**
  • Insurance Industry Loss Estimation
  • Annex A:  Cyber Attacks Against Industrial Control Systems since 1999
  • Annex B:  The US Electricity Grid and Cyber Risk to Critical Infrastructure
  • Annex C:  Constructing the Scenario - Threats and Vulnerabilities
** = Focus your reading here...

For some key "bullets" on the report and the scenario, the following were extracted from the Lloyd's web page:


  1. The attackers are able to inflict physical damage on 50 electric generators which supply electrical power in the Northeastern USA, including New York City and Washington, DC.
  2. While the attack is relatively limited in scope (nearly 700 generators supply electricity across the region) it triggers wider blackouts which leaves 93 million people without power.
  3. The total impact to the US economy is estimated at $243B, rising to more than $1T in the most extreme version of the scenario.
  4. Insurance claims arise in over 30 lines of insurance.  The total insured losses are estimated at $21.4B, rising to $71.1B in the most extreme version of the scenario.
  5. A key requirement for an insurance response to cyber risks will be to enhance the quality of data available and to continue the development of probabilistic modelling.
  6. The sharing of cyber attack data is a complex issue, but could be an important element for enabling the insurance solutions required for this key emerging risk.


Hat tip to Eireann Leverett, Senior Risk Researcher and member of the ENISA ICS Security Stakeholders Group for passing along this analysis.

CONCLUSION

If you are involved with critical infrastructure -- especially the electric grid -- take time to read this report cover-to-cover.  If you are worried about the economic impacts of cyber on your business -- read this report to understand the interdependencies.

###




Tuesday, June 30, 2015

Control Engineering 2015 Cyber Security Study

Yesterday I posted a review of the recent SANS State of Industrial Control Systems Survey.  You can find that posting here.

Today I'd like to tell you about another interesting and equally disconcerting survey about the status of today's industrial control system security posture.

Each year Control Engineering Magazine conducts a survey of its readers to evaluate cyber security implementation, resources and training for industrial control systems.  Their 2015 Cyber Security report was issued this June.  A summary of the study posted by Control Engineering is located here.


The Control Engineering report is essentially in presentation format and consists of a collection of graphs and charts summarizing the data collected.  It is a pretty easy and quick read and offers data similar to the SANS Survey.

Statistics and Findings

The Control Engineering analysis included data collected from 284 respondents in the first quarter of 2015.  The report includes the following summary findings:

1.  Threat Levels:  47% of respondents perceive their control systems to be "moderately" threatened by cyber attacks.  25% say theirs is "highly" threatened and 8% are at the "severe" threat level.

2.  Most Concerning Threat:  Their responses included:

  • 35% view the most concerning threat is malware from a random source
  • 18% worried about loss of intellectual property
  • 8% fear attacks from "hacktivists" with political or environmental agendas.
3.  Most Vulnerable System Components:  The components of most concern include:
  • Connections to other internal systems (SANS is similar)
  • Computer assets running commercial operating systems (Same as SANS)
  • Network devices
  • Wireless communication devices and protocols
  • Connections to the field SCADA networks
4.  Vulnerability Assessments:  39% of those surveyed said their last vulnerability assessment was performed within the last six months (Good!); while 16% have never executed one (Not So Good).

5.  Publicly Reporting Incidents:  66% of those surveyed say publicly reporting cyber-related incidents would benefit the industry.  36% agree that the biggest problem with public reporting is the fear of losing consumer confidence.

6.  Resources Used to Monitor Control System Cyber Security Events:
  • Anti-virus software (99%)
  • Network logs (89%)
  • Firewall logs (89%)
  • Intrusion Detection/Prevention (84%)
  • Whitelisting (76%)
Overall....

Overall this is a useful survey to examine.  As I noted for the SANS ICS Security Survey, these reports should be reviewed and digested by the security professionals responsible for ICS security and shared with their executive management to show them that security is a concern -- and should be theirs, too.

###


Monday, June 29, 2015

State of Industrial Control Systems Security - A SANS Survey

This month the SANS Institute published its annual State of Security in Control Systems Today.  The results were prepared by Messrs. Derek Harp (SANS) and Bengt Gregory-Brown (Sable Lion Ventures LLC).



You can download the report from the SANS Reading Room at:  https://www.sans.org/reading-room/whitepapers/analyst/state-security-control-systems-today-36042 

Some Thoughts...

The report is a quick and useful read.  I'd highly recommend that not only ICS Security Professionals read and digest this report but also it be shown to the skeptical executives in their organization.

So, here are some key bullets gleaned from my read:

  • Top four concerns by those surveyed include:
    • Ensuring reliability and availability (68%)
    • Lowering risk/improving security (40%)
    • Preventing damage (28%)
    • Ensuring health and safety (27%)
  • Rapid detection of security incidents on ICS is key because the longer the breaches remain unknown, the greater the potential impact.
  • The integration of IT into control system networks was chosen by 19% of respondents as the single greatest threat vector.  The top three threat vectors were a) External Threat, b) Internal Threat, and c) Integration of IT into the Control System Networks.
  • 74% of respondents believe that their external connections are not fully documented.  (Ugh!)  Simply identifying and detailing connections and attached devices in a network is a key step to securing it.
  • Another challenge highlighted in the survey is a lack of visibility into control system equipment and network activity.  This inhibits progress in securing assets and reduces the accuracy of self-evaluations.
Read the Margin Notes!

One editorial and formatting aspect of the report I liked was inclusion of marginal notes called TAKEAWAYs.  These notes are useful helpful ideas for the ICS security person to implement -- or at least consider -- when trying to protect their ICS systems.  A few examples of the TAKEAWAYs are:
  • Know what is normal.  Lack of visibility into control system networks is one of the greatest barriers to securing these resources.  Without awareness of normal communications and activity, it's impossible to properly evaluate or improve security of assets.  Operations and security staff must be able to visualize and verify normal network operations to detect and assess possible abnormalities and respond to potential breaches.
  • Gain visibility into control system networks.  Map all devices, physical interconnections, logical data channels and implemented ICS protocols among devices, including read coils, write registers, scans and time stamps.  Establish a fingerprint of normal control network activity and communication, including communication patterns, schedules and protocols.  Then, establish device logging, strict change management and automated log analysis based on your baseline data.
  • Integrate security into procurement and decommissioning processes.  Establishing security of software or devices is cheaper, easier and more effective prior to deployment.  The burden of maintaining security is lighter when you start from a secure state.  And, security should be included in the decommissioning and removal of devices to avoid opening serious vulnerabilities.
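The "know what is normal" and "gain visibility" TAKEAWAYs above, together with the finding that 74% of respondents cannot fully document their external connections, boil down to one practical procedure: record who polls whom, with which function codes and on what schedule, then alert on anything outside that fingerprint.  Below is an added example of that procedure in Python -- my own illustration, not code from the SANS report or its authors.  The Modbus/TCP request records, the addresses (10.0.0.10 as the HMI, 10.0.0.20/21 as PLCs, 10.0.0.99 as a rogue laptop) and the 10x rate threshold are all constructed assumptions for the demonstration:

```python
"""Baseline-and-deviation detection for Modbus/TCP polling traffic.

Added example: learn which (client, server, unit id, function code) combinations
are normal from a training window, then flag requests outside that fingerprint --
an unknown client, a write on a link that was read-only, or polling far faster
than its usual schedule.  All request records are constructed, not a real capture.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import median

# Standard Modbus public function codes (assumption: devices use the standard set)
FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}


@dataclass(frozen=True)
class Request:
    ts: float   # seconds since start of capture
    src: str    # client: HMI, historian, engineering workstation
    dst: str    # server: PLC / RTU
    unit: int   # Modbus unit identifier
    fc: int     # Modbus function code


@dataclass
class Baseline:
    allowed: set = field(default_factory=set)     # (src, dst, unit, fc) tuples seen
    interval: dict = field(default_factory=dict)  # (src, dst) -> median poll gap in s


def learn_baseline(requests):
    """Fingerprint normal traffic: who talks to whom, with which function, how often."""
    base = Baseline()
    stamps_by_link = defaultdict(list)
    for r in sorted(requests, key=lambda r: r.ts):
        base.allowed.add((r.src, r.dst, r.unit, r.fc))
        stamps_by_link[(r.src, r.dst)].append(r.ts)
    for link, stamps in stamps_by_link.items():
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if gaps:
            base.interval[link] = median(gaps)
    return base


def detect(base, requests, rate_factor=10.0):
    """Return (kind, src, dst, function) alerts for requests that deviate from the baseline."""
    alerts = []
    last_seen = {}
    for r in sorted(requests, key=lambda r: r.ts):
        name = FUNCTION_NAMES.get(r.fc, f"FC{r.fc}")
        link = (r.src, r.dst)
        if (r.src, r.dst, r.unit, r.fc) not in base.allowed:
            if link not in base.interval:
                alerts.append(("unknown-peer", r.src, r.dst, name))
            elif r.fc in WRITE_CODES:
                alerts.append(("unexpected-write", r.src, r.dst, name))
            else:
                alerts.append(("unexpected-function", r.src, r.dst, name))
        # A poll arriving far sooner than the learned schedule looks like a scan or replay.
        expected = base.interval.get(link)
        prev = last_seen.get(link)
        if expected is not None and prev is not None and (r.ts - prev) * rate_factor < expected:
            alerts.append(("rate-anomaly", r.src, r.dst, name))
        last_seen[link] = r.ts
    return alerts


# --- Constructed sample data (assumed addresses, not from any real plant) ---
HMI, PLC_A, PLC_B, LAPTOP = "10.0.0.10", "10.0.0.20", "10.0.0.21", "10.0.0.99"


def _polls(src, dst, unit, fc, start, period, count):
    return [Request(start + i * period, src, dst, unit, fc) for i in range(count)]


# Training window: the HMI reads PLC_A holding registers every 1 s and PLC_B coils
# every 2 s.  No writes, no other clients.
TRAINING = _polls(HMI, PLC_A, 1, 3, 0.0, 1.0, 60) + _polls(HMI, PLC_B, 1, 1, 0.5, 2.0, 30)

# Monitoring window: the same polling plus three deviations.
MONITORING = (
    _polls(HMI, PLC_A, 1, 3, 100.0, 1.0, 10)
    + _polls(HMI, PLC_B, 1, 1, 100.5, 2.0, 5)
    + [
        Request(103.2, LAPTOP, PLC_A, 1, 3),   # a client never seen before reads PLC_A
        Request(105.3, HMI, PLC_A, 1, 16),     # the HMI writes registers on a read-only link
        Request(106.55, HMI, PLC_B, 1, 1),     # an extra coil read 50 ms after the scheduled one
    ]
)


def run_demo():
    """Learn from TRAINING and report deviations in MONITORING."""
    return detect(learn_baseline(TRAINING), MONITORING)


if __name__ == "__main__":
    for kind, src, dst, func in run_demo():
        print(f"{kind:18s} {src} -> {dst}  {func}")
```

In a real plant the Request records would come from a span port or a passive sensor parsing Modbus/TCP (or DNP3, EtherNet/IP, etc.), and the training window should be long enough to cover shift changes and maintenance polls, otherwise legitimate but infrequent traffic gets flagged.  The point the SANS TAKEAWAYs make still holds: until the baseline exists, none of these three alert types can be raised at all.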
Again, a great job by SANS, Derek and Bengt!  Take the time to download and read this report and take advantage of the ideas to improve the security of your ICS networks.

###

Friday, June 5, 2015

NIST Publishes Updated ICS Security Guide (Rev 2)

Just a quick note...

NIST Announced today that they have published Rev 2 of the Guide to Industrial Control Systems (ICS) Security SP 800-82!

Great news!  This is a super document to use as a daily reference for ICS security and general knowledge and a great starting point for those who want to learn more about ICS.


You can read more about this release at:  http://www.nist.gov/el/isd/201506_ics_security.cfm

You can download the document (for Free) at:  http://dx.doi.org/10.6028/NIST.SP.800-82r2

CONGRATULATIONS TO KEITH STOUFFER AND HIS TEAM!  WELL DONE!

###





Sunday, May 31, 2015

Useful CIKR Resources

This Blog post is focused on offering the reader information on two very useful resources focused on Critical Infrastructure and Key Resources (CIKR).  And, through the George Mason Monthly CIP Report, I was informed about another, European-centric CIKR resource that the student and professional may be interested in.

GEORGE MASON UNIVERSITY - MONTHLY CIP REPORT


Each month the George Mason University School of Law, Center for Infrastructure Protection and Homeland Security, publishes a newsletter focused on a different sector of CIKR.  This past month was on International Issues.  (BTW: The Center is moving to the School of Business in the next few months.)

You can subscribe to The CIP Report at no charge by going to this LINK.

You can visit the George Mason team at:  http://cip.gmu.edu/the-cip-report/   (The page view is below:)


Each month I look forward to this newsletter which is really more like a Journal focused on Critical Infrastructure Protection issues facing the US as well as globally.  As a CIKR professional you should benefit from the contemporary commentary in these monthly analyses.

(PS: The format is changing from a PDF to more of a web-based approach; however, the publication will still be sent out monthly.)

CIPEDIA (C): A CRITICAL INFRASTRUCTURE PROTECTION AND RESILIENCE RESOURCE

This month the immediate benefit from The CIP Report is an article prepared by three very notable European experts in the field of critical infrastructure and resilience.  The article is prepared around the CIPedia (www.cipedia.eu) web site which is a "...Wiki-based body of common knowledge for the wide international community of critical infrastructure (CI) protection and resilience stakeholders such as policy makers, researchers, governmental agencies, emergency management organizations, CI operators and even the public."

CIPedia Home Page www.cipedia.eu

According to the article in The CIP Report the CIPedia is developed within the European Critical Infrastructure Preparedness and Resilience Research Network (CIPRNet) project. 

Essentially, CIPedia is an international glossary on CIKR information.  CIPedia went public in mid-2014.

Of note, CIPedia is more than just a glossary -- as a CIKR portal it provides access to a list of CIP-related conferences, a table with web pointers to CIKR sector-specific glossaries and a pointer to the CIP bibliography.

Below is a screen shot of the CIPedia user links (left hand column).  You can see the links offer some more depth into other CIP-related areas:


CONCLUSION

If you are involved with Critical Infrastructure as a student or policy professional you will probably find the George Mason monthly report very useful and timely.  Secondly, access to the CIPedia and to the CIPRNet will increase your access to new documents and papers on CIKR from a European perspective.  For myself, just wandering around the sites for a few minutes surprised me at some of the work being done in Europe, for example on cascading events studies.

Take the time to subscribe to The CIP Report and be sure to save the links to the CIPedia and CIPRNet.

###




Tuesday, May 26, 2015

New ICS Primer from ISACA

Industrial Control Systems (ICS) security continues to gain momentum and awareness in the cyber community.  ISACA has recently published its own version of ICS security awareness (cover of the document is below).



ISACA has published Industrial Control Systems: A Primer for the Rest of Us which can be obtained for no charge (registration is required) at www.isaca.org/ics 

If you are not familiar with ISACA (www.isaca.org) it has been around since 1969 and has about 115,000 constituents in 180 countries.  You may recognize ISACA as supporting COBIT and also the Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) certifications.

As you glance through the 19-page document you will recognize most of the graphics used come from either NIST 800-82, Guide to Industrial Control Systems (ICS) Security by Keith Stouffer, et al, or adapted from the ICS-CERT Advisories located at: https://ics-cert.us-cert.gov/advisories-by-vendor

One graphic that I especially liked was on page 13, Figure 7, showing a mind-map of Cybersecurity Threat Agents developed by our friends at the European Union Agency for Network and Information Security (ENISA).  A copy of the graphic is below and can also be located at http://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape/enisa-threat-landscape-2014

So, the good news is we have another primer to pass along to our bosses and IT managers/technicians  to help them better understand what ICS security involves.  There are a few good ideas in the document such as a list of ICS Components (Pages 4-5) and other references back to the NIST 800-82 document for more details.

###

Thursday, April 30, 2015

A Humorous View of our Infrastructure Crisis -- I think!

For those of you who have followed this Blog these past few years you'll know that I'm very passionate about the state of the country's -- let alone world's -- infrastructure.  In particular the US infrastructure grade from the American Society of Civil Engineers remains around a D+.....a failing grade for most schools!

Well, yes, this is a crisis; however, John Oliver of Last Week Tonight on HBO recently offered a thought-provoking and (sadly) quite humorous review of the state of the US infrastructure and how even our politicians are simply not paying attention.

The link to the YouTube video of Oliver's 21-minute essay is:

https://www.youtube.com/watch?v=Wpzvaqypav8&feature=youtu.be&t=4m32s

Please enjoy...then write a letter to your Congressman/woman and demand some attention (and funding) to repair and sustain our infrastructure.

Thanks!

###


Tuesday, April 21, 2015

Energy Infrastructure - Major Changes Needed

Today the Obama Administration released a "first-ever" Quadrennial Energy Review (QER).  The report is the result of President Obama's January 9, 2014 order for an examination of the country's energy infrastructure.  The initiative was based on the President's Climate Action Plan and responded to a 2010 recommendation by the President's Council of Advisors on Science and Technology.  A White House Task Force comprising 22 Federal agencies was assigned to develop the QER.



This particular release is supported by some excellent commentary and documents at the following sites:


  • Washington Post Article by Chris Mooney (Link)
  • Department of Energy Quadrennial Energy Review Web Page (Link)
  • Quadrennial Energy Review Fact Sheet (10 Pages) (Link)
The actual report is 348 pages long and the chapter organization is:

The report included the following segments of energy infrastructure for this analysis:

As with most reviews of our country's energy infrastructure the statistics are daunting.

Some noted include:

  • 2.6M miles of interstate and intrastate pipelines
  • 640,000 miles of electric transmission lines
  • 414 natural gas facilities
  • 330 ports handling crude and refined petroleum products
  • 140,000+ miles of railways handling crude petroleum
And, of course, as observed in numerous other reports (such as the American Society of Civil Engineers (ASCE) Report Card) "...there has been a lack of timely investment in refurbishing, replacing, and modernizing components of infrastructure that are simply old or obsolete."

Some of the key findings highlighted on Page 25 of the report include:
  • Mitigating energy disruptions is fundamental to infrastructure resilience.
  • Transmission, Storage and Distribution (TS&D) infrastructure is vulnerable to many natural phenomena.
  • Threats and vulnerabilities vary substantially by region.
  • Recovery from natural gas and liquid fuel system disruptions can be difficult.
  • Cyber incidents and physical attacks are growing concerns.
  • High-voltage transformers are critical to the grid.
  • Assessment tools and frameworks need to be improved.
  • Shifts in the natural gas sector are having mixed effects on resilience, reliability, safety, and asset security.
  • Dependencies and interdependencies are growing.
  • Aging, leak-prone natural gas distribution pipelines and associated infrastructures prompt safety and environmental concerns.
Finally, one of the graphics in this report was fascinating.  It included a chart showing the "...billion dollar disaster event types by year..."  Not a purely energy-centric issue but certainly a demonstration of the challenges faced by energy infrastructure.

If you are an "infrastructure junkie" like me, this is a terrific report to digest and for our country's energy leadership to act upon.

###

Wednesday, April 15, 2015

SCADA Attacks are Up - Maybe We Need an ICS-OWASP?

In its annual security analysis -- 2015 Dell Security Annual Threat Report -- Dell observed that attacks have doubled on SCADA systems since January 2012.



Dell's report noted the following:

  • SCADA attacks increased from 91,676 in January 2012, to 163,228 in January 2013, to 675,186 in January 2014.
  • The majority of the attacks targeted Finland, the UK and the US.  And, according to Dell, these countries were targeted because SCADA systems are more common in these regions and more likely to be connected to the Internet.


An interesting graphic in the Dell Report also shows key SCADA attack methods -- useful info for a defender to be aware of...


Dell continued to comment that "SCADA attacks tend to be political in nature, since they target operational capabilities within power plants, factories, and refineries, rather than credit card information."  They are right...SCADA is NOT where the $$ is but you can certainly do some harm under the right circumstances.

Now the Dell report drew my attention today; however, back on March 11 the ICS-CERT published its ICS-CERT MONITOR for the time period September 2014 to February 2015.  In the report's cover graphic (below) there was a major increase in the number of incidents reported by the Critical Manufacturing Sector.  And, don't forget, Critical Manufacturing also uses SCADA for its larger plant control systems.


And, of course, the Energy Sector is a major user of SCADA controls due to the large geographic footprints they operate across.

Conclusions...

So the takeaway from these two reports is that attacks on SCADA systems are on the increase and, when you look at the Dell graphic on attack methods, the miscreants are taking advantage of software issues we've seen for years with Web applications, etc.  Perhaps we need an OWASP initiative but for Industrial Control Systems/Software?  It does appear that the vendors need a lot of assistance in making their ICS software more secure.

###

Friday, April 3, 2015

Cyberwarfare and Cyberterrorism - Excellent CRS Report

In my life in security I try to monitor several topics.  Two topics I'm often checking -- usually through Google News Alerts -- are cyberwarfare and cyberterrorism.  This week I came across an excellent summary report from the Congressional Research Service on this very topic.



This 12-page summary document is an excellent overview of these topics and also provides some comparisons between cyberterrorism, cybercrime, cyberespionage, cyberwarfare, and cybervandalism.

The document can be downloaded at: http://fas.org/sgp/crs/natsec/R43955.pdf 

A high level view of the key headings in the document (below) will give you a view of the document and its contents.

  • Executive Summary
  • Introduction
  • The Cyberwarfare Ecosystem: A Variety of Threat Actors
  • Cyberwarfare
  • Rules of the Road and Norm-Building in Cyberspace
    • Law of Armed Conflict
    • Council of Europe Convention on Cybercrime
    • United Nations General Assembly Resolutions
    • International Telecommunications Regulations
    • Other International Law
  • Cyberterrorism
  • Use of the Military: Offensive Cyberspace Operations
Overall, this is an excellent and fairly rapid read on this contemporary subject and I'd recommend it be viewed by students, policy makers and all cybersecurity professionals.

###


Tuesday, February 17, 2015

Executive Order Promoting Private Sector Cyber Info Sharing

On February 13, 2015 -- a year plus one day after the President's Executive Order directing NIST to build the new Cybersecurity Framework -- President Obama issued an Executive Order entitled Promoting Private Sector Cybersecurity Information Sharing.



There are seven sections to the four-page Order including:

  1. Policy
  2. Information Sharing and Analysis Organizations (ISAO)
  3. ISAO Standards Organization
  4. Critical Infrastructure Protection Program
  5. Privacy and Civil Liberties Protections
  6. National Industrial Security Program
  7. Definitions
Policy

The fundamental aspect of the EO is to emphasize that "...entities must be able to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible."

The EO also notes that information sharing must:
  • ...be conducted in a manner that protects the privacy and civil liberties of individuals
  • ...preserves business confidentiality
  • ...safeguards the information being shared, and
  • ...protects the ability of the Government to detect, investigate, prevent and respond to cyber threats...
Certainly commendable policy and something the industry has needed/wanted for years.

Information Sharing and Analysis Organizations (ISAOs)

The Order directs the Secretary of the Department of Homeland Security to "...strongly encourage the development and formation of..." ISAOs.

The Order offers some details on how the ISAOs should be organized and how their membership can draw on public or private sectors, and offers the option for the ISAOs to be formed as for-profit or nonprofit entities.

The National Cybersecurity and Communications Integration Center (NCCIC) is ordered to engage in "...continuous, collaborative, and inclusive coordination with ISAOs on the sharing of information..."

ISAO Standards Organization

The Secretary of DHS is ordered to "...enter into an agreement with a nongovernmental organization to serve as the ISAO Standards Organization (SO), which shall identify a common set of voluntary standards or guidelines for the creation and functioning of ISAOs under this order."

Observations and Questions

It is commendable that President Obama has stepped forward -- again -- to help raise awareness and take action relative to the issue of cyberthreats to our country, economy and its businesses and citizens.  However, a question continues to be raised with this Executive Order.  That question really is ... "Aren't we already doing this with Information Sharing and Analysis Centers (ISACs)?"

ISACs have been around since May 1998 and were established under the auspices of Presidential Decision Directive 63 (PDD-63) signed by President Clinton.  If you look at the National Council of ISACs website you will note that the definition of an ISAC is:

ISACs are trusted entities established by Critical Infrastructure Key Resource (CI/KR) owners and operators to provide comprehensive sector analysis, which is shared within the sector, with other sectors and with the government. ... Services provided by ISACs include risk mitigation, incident response, alert and information sharing.  The goal is to provide users with accurate, actionable, and relevant information.

And in another white paper on the subject, a description of an ISAC includes the following:

By definition, an ISAC is a trusted, sector-specific entity which performs the following functions: 
  • provides to its constituency a 24/7 secure operating capability that establishes the sector’s specific information sharing/intelligence requirements for incidents, threats and vulnerabilities; 
  • collects, analyzes, and disseminates alerts and incident reports to its membership based on its sector focused subject matter analytical expertise; 
  • helps the government understand impacts for its sector; 
  • provides an electronic, trusted capability for its membership to exchange and share information on cyber, physical and all threats in order to defend the critical infrastructure; and 
  • share and provide analytical support to government and other ISACs regarding technical sector details and in mutual information sharing and assistance during actual or potential sector disruptions whether caused by intentional, accidental or natural events. 

Isn't an ISAC filling part of the role of the ISAO discussed in the Executive Order?  Can't ISACs continue with their current roles and capture the essence and elements of the Executive Order?

The idea of establishing a new bureaucracy and hierarchy of ISAOs that essentially parallel the current ISAC structure and functions does not appear to be very efficient and could lead to more confusion, increased bickering and "turf wars" and finally not help or encourage effective information sharing to better protect our country, economy, businesses or citizens.  At a minimum it is highly recommended that the Department of Homeland Security take time to compare the efforts of the ISACs to the Executive Order and build upon current efforts and not try to push through a distracting, parallel effort.

###



Tuesday, February 10, 2015

CIP-014 Implementation Update from NERC

On February 9, 2015, NERC posted an email regarding implementation of CIP-014-1, Physical Security.

In its email NERC offered three links to items of interest.  They included:
And, for the reader's reference, here is the link to CIP-014-1.  Also, I wrote a blog about CIP-014 back on July 22, 2014.

CIP-014 Memo to Industry

The memo to the industry is from the NERC Compliance Assurance organization.  The specific focus of the memo is on CIP-014 Risk Assessment and Third-Party Verifications.  Notably the memo's purpose is to highlight acceptable approaches when implementing Requirements 1 and 2 of CIP-014.

Requirements 1 and 2 require Transmission Owners to perform a risk assessment and third-party verification process to identify Transmission stations and Transmission substations that will ultimately be subject to a physical security assessment (Requirement 4) and the implementation of subsequent physical security plan(s) (Requirement 5).

Per the CIP-014 implementation plans, each applicable Transmission Owner must perform its Requirement 1 risk assessment by October 1, 2015.

Then, within 90 days of completing the R1 risk assessment (i.e., by December 30, 2015) the Transmission Owner must ensure that the third-party verifier completes the verification.

Within 60 days of completing the verification the Transmission Owner must either 1) modify its risk assessment to be consistent with the recommendations of the verifier, if any, or 2) document the technical basis for not modifying its risk assessment in accordance with any recommendations.

The memo does need to be read in its entirety; however, a key comment at the end that is probably most useful is that applicable Transmission Owners "...are expected to demonstrate effective application for NERC and the Regional Entities to be able to fully understand, for example:

  • Why certain stations or substations are identified to meet the criteria in Requirement 1
  • Similarly, why certain stations or substations were not identified by Requirement 1
  • What are the defining characteristics of stations and substations identified by Requirement 1
  • How the third party verifying the risk assessment meets the qualifications in Requirement 2 and the means the third party used to ensure effective verification."

This document was prepared by the North American Transmission Forum (NATF) and issued on January 19, 2015.  The NATF is headquartered in Charlotte, NC and its members include investor-owned, state-authorized, municipal, cooperative, US federal, and Canadian provincial utilities.  The NATF "...promotes the highest levels of reliability in the operation of the electric transmission systems."

The intent of the document issued by NATF is to provide a general guideline for the risk assessment identified in R1 of CIP-014.  

The guideline offers five suggested steps for the Transmission Owner to follow to accomplish Requirement 1.  A high-level summary of the steps include:
  • Step 1:  The Transmission Owner identifies stations to be analyzed based on criteria in CIP-014-1, Section 4.1.1
  • Step 2:  The Transmission Owner identifies cases/system conditions to be analyzed.  Some cases could include -- summer vs winter peak load levels, shoulder peak load levels with system transfers, alternative generation dispatch assumptions or alternative load models.
  • Step 3:  The Transmission Owner defines the nature of the initiating event and how it will be modeled in the transmission assessment
  • Step 4:  The Transmission Owner is responsible for development of criteria/proxies for instability, uncontrolled separation or Cascading.
  • Step 5:  The Transmission Owner performs appropriate steady-state power flow and/or stability analysis.
There are substantially more details provided under each step in the Guideline.

NERC Physical Security Web Page

A third link in the NERC announcement is for their Physical Security web page (a screenshot is shown below).


This page appears to be an excellent resource for those focused in CIP-014 implementation and compliance.

Conclusion

This blog does not offer adequate details on the contents of the referenced documents; therefore, taking time -- and having your power engineers take time -- to read the CIP-014 requirements and the guidance from NERC and NATF will be worthwhile.

###


NIST SP800-82 R2 (2nd Draft) Out for Comment

NIST SP800-82, Guide to Industrial Control Systems (ICS) Security, has been a key, seminal guide for those of us working in ICS security.  The original guide was published as a "final" version in June 2011.  Revision 1 to the 800-82 series went final in May 2013.  In May 2014 the Initial Public Draft of Revision 2 was promulgated for comment.  I wrote a blog about this initial public draft on May 20, 2014 and encouraged interested parties to submit their comments.


Brief History of SP800-82

A few months ago I wrote an article for SearchSecurity on the Evolution of SP 800-82.  As part of this article I researched the history of this document and its development and ultimately prepared the Visio timeline shown below.  One thing I was sure to do was to obtain Keith Stouffer's (principal author of SP800-82 series) approval on the timeline accuracy.

(Apologies for the overlay with the right margin; however, if the chart goes too small then it is hard to read.  Thanks for understanding.)


What are the Revisions?

The new document out for comment is the second revision to NIST SP800-82.  From the NIST Website, updates in this new revision include:

  • Updates to ICS threats and vulnerabilities
  • Updates to ICS risk management recommended practices and architectures
  • Updates to current activities in ICS security
  • Updates to security capabilities and tools for ICS
  • Additional alignment with other ICS security standards and guidelines
  • New tailoring guidance for NIST SP800-53, Revision 4 security controls including the introduction of overlays, and
  • An ICS overlay for NIST SP800-53, Revision 4 security controls that provides tailored security control baselines for Low, Moderate, and High Impact ICS.

When are Comments Due?

The public comment period is from February 9th to March 9th, 2015 (one month).  You can email your comments to nist800-82rev2comments@nist.gov.  You are encouraged to use a comment template form (Excel File) to collect your feedback for submittal.

Your comments are requested to make this a better, more thorough document for the industry.  Thank you!

COMMENTS DUE MARCH 9, 2015

###




Monday, February 2, 2015

ENISA - Identifying Critical Information Infrastructure (CII)

The European Union Agency for Network and Information Security (ENISA) has published a new and interesting document entitled Methodologies for the Identification of Critical Information Infrastructure Assets and Services.  The report documents a study performed by ENISA staff to tackle the problem of identification of Critical Information Infrastructures (aka CII) in communications networks.  However, because of the broad scope of the critical infrastructure inspected for this report, there are ideas herein to help countries and large enterprises identify their critical assets.


The study of 23 Member States did reveal that a "...significant number of Member States present a low level of maturity and lack a structured approach regarding identification of Critical Information Infrastructure..." However, this report does offer an overview of methodologies in the identification of CII assets and services which may be useful to other geographic regions, nation states and even large multi-national corporations.  Some key aspects of the methodologies are summarized below.

Identification of Critical Sectors

One of the first steps listed in Section 4.3 is the identification of critical sectors.  On pages 22-24 the report identifies 14 critical sectors including critical subsectors and critical services to be considered when identifying critical assets.  The table showing this useful list is below:



Identification of Critical Services

Section 5.2 offers a suggested process of using criticality criteria in order to identify critical assets.  The report notes that criticality is the (1) level of contribution of an infrastructure to society in maintaining a minimum level of national and international law and order, public safety, economy, public health and environment, or (2) impact level to citizens or to the government from the loss or disruption of the infrastructure.

Again, ENISA offers a table (below) showing eight different criteria with an explanation:

Assessment of Dependencies

The next step in this process is to examine critical infrastructure (system) for the following types of dependencies:

  • Interdependencies within a critical sector (intra-sector)
  • Interdependencies between critical sectors (cross-sector), and, especially for CII
  • Interdependencies among communication network assets (both physical and logical connectivity)
Conclusion

In the United States we have some guidance when identifying critical infrastructure for the electric grid -- this guidance is mainly in the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards.  Even the US Department of Homeland Security (DHS) has identified a list of critical national sectors. However, the ENISA document would be an excellent resource for a large regional organization or nation state or even large, transnational corporation to identify the critical sectors of concern and the critical assets to be protected.

My compliments to ENISA for this document and the guidelines offered.

###