Wednesday, January 27, 2016

CRS Report - Vulnerability of Concentrated Critical Infrastructure

I was recently writing an article for the Hazar Strateji Enstitüsü / Caspian Strategy Institute (HASEN) on the subject of physical security of critical electric infrastructure.  During my research I came across a very interesting -- and I believe timely -- Congressional Research Service (CRS) Report entitled Vulnerability of Concentrated Critical Infrastructure: Background and Policy Options.  The report was prepared by Paul W. Parfomak and updated on September 12, 2008. 

(Hat tip to the Federation of American Scientists for posting this document in their publically available CRS library!)

I found this report to be an exceptional analysis of the vulnerabilities posed to the US with critical infrastructure concentrated in geographic areas.  Such concentration increases the vulnerability to events like natural disasters, epidemics, certain kinds of terrorist attacks, etc.

The report defines "Geographic Concentration" of critical infrastructure as:

"...the physical location of critical assets in sufficient proximity to each other that they are vulnerable to disruption by the same, or successive, regional events."

To give the reader a sense of the degree of geographic concentration (in 2008) here is an interesting list:
  • Energy (Refining) -- Approximately 43% of total US oil refining capacity is clustered along the Texas and Louisiana coasts
  • Banking and Finance (Securities Market) -- Almost 39% of US securities and options are traded on the floors of the NY and American Stock Exchanges in lower Manhattan
  • Chemicals (Chlorine) -- Over 38% of US chlorine production is located in coastal Louisiana
  • Transportation (Rail) -- Over 37% of US freight railcars pass through Illinois, primarily around Chicago.  Over 27% of freight railcars pass primarily through St. Louis
  • Transportation (Marine Cargo) -- Over 33% of US waterborne container shipments pass through the ports of Long Beach and Los Angeles in Southern California (Note: a major tsunami in Southern California could close the Ports of Long Beach/Los Angeles for two months and cost $60B in economic losses)

  • Defense Industrial Base (Shipyards) -- Over 31% of US naval shipbuilding and repair capacity is in and around Norfolk, Virginia
  • Agriculture and Food (Livestock) -- Approximately 29% of US hog inventories are in Iowa; 15% in eastern North Carolina
  • Public Health and Healthcare (Pharmaceuticals) -- Approximately 25% of US pharmaceuticals are manufactured in Puerto Rico/San Juan metro area

In addition to the sobering numbers above, if you look at the combined geographical area of New York City and Northern New Jersey the US port capacity is 12% and airport capacity is 8%.


To the casual observer, geographic concentration of US critical infrastructure is nothing new.  For example, Chicago and Atlanta evolved from railroad hubs; Louisiana and the Coast of Texas are major players in oil and natural gas because that is where the natural resources are, etc.  However, there are some added influences cited by the CRS report.  They include:
  • Resource Location
  • Agglomeration Economies (i.e., spatial concentration itself creates favorable economic environment that supports further or continued concentration
  • Scale Economies (e.g., refineries, ports, etc. are growing larger and larger due to the driver of "economy of scale")
  • Community Preferences (this is more like the concentration of infrastructure in places where the local citizens are not opposed to such facilities)
  • Capital Efficiency (critical infrastructure is located where capital can be efficiently deployed)

Finally, for those who are planners or students of infrastructure planning and management here are some selected Federal policies to discourage geographic concentration:

  • Prescriptive Siting (e.g., In the early 1940s, the US Government financed a major steel plant in Utah as a precaution against shortages in the Western US in case of a Pacific Coast invasion by the Japanese or closure of the Panama Canal)
  • Economic Incentives
  • Environmental Regulation (e.g., Coastal Zone Management Act, Clean Air Act, etc.)
  • Economic Regulation
Finally the report highlights policy options to reduce infrastructure vulnerability that can include:

  • Eliminating Policies Encouraging Concentration
  • Encouraging Geographic Dispersion
  • Ensuring Infrastructure Survivability
  • Ensuring Infrastructure Recovery Capabilities


Overall this is an excellent and thought-provoking report on the strengths and vulnerabilities posed by the concentration of infrastructure in the US economy.  This document is a useful discussion for students focused on urban planning, critical infrastructure planning and management, and those interested in reducing infrastructure vulnerabilities.


Tuesday, January 26, 2016

Seven Strategies to Defend Industrial Control Systems (ICS)

In December 2015 the US National Cybersecurity and Communications Integration Center (NCCIC) -- often referred to as "EN-KICK" -- published a highly readable and brief white paper on Seven Strategies to Defend ICSs.  

This 7-page pdf offers a useful list of seven strategies a company can follow to better protect its industrial control systems.

Not only do they offer a quick, one or two paragraph description of the actions to be taken, but they also offer quick examples of events that could have been possibly prevented if the advice were followed.

The Seven Strategies include:

  1. Implement Application Whitelisting
  2. Ensure Proper Configuration/Patch Management
  3. Reduce Your Attack Surface Area
  4. Build a Dependable Environment
  5. Manage Authentication
  6. Implement Secure Remote Access
  7. Monitor and Respond


Thursday, January 14, 2016

Status of US Infrastructure - Infographic

Hat tip to Ms. Chrissy Gomez for passing along a link to a very interesting and in-depth Infographic discussing US infrastructure challenges and the impacts of the Infrastructure Bill.

The title of the article is The Infrastructure Bill: What it Means for Business and an excerpt of the Infographic is attached below. 

The Infographic does a nice job starting with a summary of the dismal and declining state of US infrastructure and then offers some scenarios of the impacts expected from the December 2015 Congressional Funding of $305B at $61B/year for the next 5 years.

Take a moment to look over the Infographic at the MBA Central website -- this is great information for those worried about US infrastructure and Infrastructure Planning and Management professionals.

Monday, January 11, 2016

CRS Insight - Electric Grid Physical Security: Recent Legislation (US)

(Another Hat Tip to our friends at the Federation of American Scientists for posting this CRS document!)

Last week a two-page summary of recent US government legislation focused on electric grid physical security was prepared by Paul W. Parfomak of the Congressional Research Service (CRS).

The document is a quick read. Besides summarizing the Federal Energy Regulatory Commission (FERC)) / North American Electric Reliability corporation (NERC) efforts on the CIP-014, Physical Security Reliability Standard, the document summarizes some interesting electric grid physical security elements in the Fixing America's Surface Transportation (FAST) Act - P.L. 114-94 and the Energy Policy Modernization Act of 2015 - S. 2012.

Fixing America's Surface Transportation (FAST) Act - P.L. 114-94
  • Became law on December 4, 2015
  • Contains provisions in two sections to facilitate recovery during electric grid emergencies due to physical damage and other causes.
  • Critical Electric Infrastructure Security (§1104) -- This section provides the Secretary of Energy additional authority to order emergency measures to protect or restore the reliability of critical electric infrastructure or defense critical electric infrastructure during a grid security emergency.  The identification of such a grid emergency would be made by written notice from the President with a concurrent notification from Congress.  This section also allows a) grid owners to recover prudent costs incurred under such emergency measures through rates regulated by FERC, and b) increases protection of critical electrical infrastructure information.
  • Strategic Transformer Reserve (§1105) -- This section requires the Secretary of Energy -- in consultation with other agencies, the military, and the utility industry -- to submit to Congress within one year a plan for a Strategic Transformer Reserve.
  • Includes two sections primarily directed at electric grid cybersecurity but with potential impacts on physical asset protection or recovery.
  • Cybersecurity Threats (§2001) -- Would provide the Secretary of Energy additional authority to order emergency measures to avert or mitigate a cybersecurity threat upon receiving notice from the President that such a threat exists.  This section is also intended to increase protection of critical electrical infrastructure information.
  • Cybersecurity Threats (§2002) -- This section would designate the Department of Energy (DOE) as the lead Sector-Specific Agency under Presidential Policy Directive 21 for energy sector cybersecurity.  This bill would require a) DOE to develop a program for modeling and assessing energy infrastructure risks in the face of natural and human-made (physical and cyber) threats, b) DOE to explore alternative structures and funding mechanisms to expand industry participation in the Electricity Information Sharing and Analysis Center (E-ISAC).

Thanks again to Mr. Parfomak for this CRS Insight.


Wednesday, January 6, 2016

CRS Report - Data Security & Breach Notification Legislation: Selected Legal Issues

Thanks to our friends at the Federation of American Scientists, the recently issued Congressional Research Service (CRS) report entitled Data Security and Breach Notification Legislation: Selected Legal Issues has been made available.  (21 Pages)
This is a focused report providing a review of the following:

  • Proposed Legislation introduced in the 114th Congress on Data Security and Breach Notification
  • Discussion about State Data Breach Laws (very brief)
  • Legal Analysis of:
    • Preemption of State Laws, Regulations, and Claims should Federal Law(s) be Passed in this Area
    • Agency Enforcement of Data Security and Breach Notification Requirements
Some interesting takeaways from this report:

1) 47 US States, the District of Columbia, and three US territories (Guam, Puerto Rico, US Virgin Islands) have enacted data security laws.

2) Alabama, New Mexico, and South Dakota have not enacted breach notification laws.

3) Massachusetts has issued regulations requiring persons who own or license personal information about a Massachusetts resident to "...develop, implement, and maintain a comprehensive information security program..." (201 Mass. Code Regs. 17.03(1))  Such a program must be in writing and contain administrative, technical and physical safeguards appropriate to the size and type of business, available resources, and amount of stored data.  Businesses must also conduct an annual review of security measures.
4) (Excerpt on Federal Preemption of State Data Security Laws - Page 15 )

5) (Excerpt on Agency Enforcement - Page 19)

Overall, this is an interesting read on the implications of possible Federal legislation in the domain of data breach laws primarily addressed by US state laws.


Monday, January 4, 2016

Planning for Community Infrastructure Resilience - NIST Guidance

In 2015 the US National Institute of Standards and Technology (NIST)  began a process to produce guidance on approaches to aid communities in improving their resilience to prevailing natural and man made disasters that could affect their jurisdiction.  NIST began to produce various guides to offer some processes for community planners to follow including understanding and assessing their current risks as well as develop plans to implement to improve their resilience.  Using the "Guides" the community planners can better integrate their resilience efforts into their economic development, zoning, and other local planning activities impacting buildings, public utilities, and other infrastructure systems.

Currently there are three NIST Guide documents to be summarized below in this Blog:

Volume 1

The first document produced by NIST is Community Resilience Planning Guide for Buildings and Infrastructure Systems Volume 1.   (11MB Download, 125 pages).  Volume I describes the methodology and has an example illustrating the planning process for the fictional town of Riverbend, USA.

As part of this methodology, Volume 1 includes a "Six-Step" Process to Planning for Community Resilience." (Shown Below).  Although the graphic is offering an elementary project planning structure, the contents and discussion of Volume 1 on how to approach the challenges of assessing and improving the resilience of the community is useful.

Volume 1 continues to provide the basis for this approach and also ensures that the reader does not fall into the trap of looking exclusively at "THINGS" such as bridges, roads, public works facilities, but instead helps the reader realize that the THINGS are based on and affected by the social aspects.  A particularly good graphic showing this "cause and effect" so to speak is below:

Volume II

Volume II of this Guide provides details for the planners on issues ranging from Understanding and Characterizing the Social Community (Chapter 10) to Dependencies and Cascading Effects to detailed information for various Critical Infrastructure and Key Resources (CIKR) including:

  • Chapter 12 - Buildings
  • Chapter 13 - Transportation Systems
  • Chapter 14 - Energy Systems
  • Chapter 15 - Communications Systems
  • Chapter 16 - Water and Wastewater Systems
Each CIKR sector reviewed includes parallel analysis to include:
  • Introduction to the Sector
  • Infrastructure, Functions
  • Performance Goals for the Sector
  • Regulatory Environment
  • Standards and Codes for New Construction and Existing Construction
  • Strategies for Implementing Plans for Community Resilience
  • References for the Sector
Finally, Chapter 17 includes a discussion on "Community Resilience Metrics" to include such metrics as:
  • Time to Recover Function
  • Economic Vitality
  • Social Well-Being
  • Environmental Resilience
  • Hybrid Metrics

Economic Guide

The third Guide just issued in this series is focused on Economics and "Economic Decision Making."   Per the NIST announcement the Economic Guide "... provides a standard economic methodology for evaluating investment decisions aimed to improve the ability of communities to adapt to, withstand, and quickly recover from disasters."  The report is intended to frame the economic decision process by identifying and comparing the relevant present and future streams of costs and benefits with benefits realized through costs savings and damage loss avoidance.

As observed in the report benefits are primarily determined as the improvement in performance during a hazard event over the status quo, i.e., those obtained directly or indirectly by implementation of the new resilience strategy.

And for cost analysis, costs include all costs, including negative effects of implementing a resilience action. That specifically includes the initial costs, operation and maintenance costs, end-of-life costs, and replacement costs. In addition, any non-economic costs (e.g., deaths and injuries) and negative externalities need to be taken into account.

Who Are Served by These Reports?

These reports appear to be excellent resources for city, county, regional and national planners -- especially those examining disaster recovery and Continuity of Operations (COOP) policies, procedures and budgets.  Also, students of infrastructure management should find these reports to be very useful -- not only for their content but also for the references cited in the document and for each analyzed critical infrastructure in Volume II.


Sunday, January 3, 2016

Setting Your Goals for 2016


2016 is upon us and it is a time of revelry, celebration, departing the old year and preparing for the new one.  Of course, it is a time for new Goals for your profession, career, and personal aspects of your life.  However, how can you "build" a decent set of Goals that not only "work" but can be used to help you monitor your progress?

And yes, this approach to Goal Setting can be applied to critical infrastructure projects, advancing your career, etc.

For the past few weeks I did some serious study on the Internet/YouTube and other resources on Goal identification and development.  My favorite resources included Mr. Anthony Robbins, Stefan Pylarinos, Michael Hyatt, the book The Power of Focus by Jack Canfield et al,, and some personal notes I've accumulated over the years developing Goals for my career, employer and personal life.

With the ideas harvested from above, some key concepts surfaced as I began this year's effort to develop my own professional/career Goals as well as some personal ones.  Here are points to consider:

  1. Start with a "Brainstorm" and list all of your goals you have for the next one, five, 10, 20 years.  Just write them down and perhaps categorize them into such areas or categories as Professional, Physical, Personal, Financial, Family, Spiritual, etc.
  2. Select 5 to 10 of the most important Goals identified -- especially those you want to accomplish this year. (Trying to do more than 10 may just overwhelm you)
  3. Using these Goals you've developed, answer the following for each one -- you'll see this approach in the form shown below:
    • What is the AREA of Focus?  Or, what is the "Headline" for the Goal?
    • What is the DEADLINE?  Be sure to put a specific date, not just "This Year."
    • Write down what the Goal is -- Use the SMART approach whereby the Goal should be: Specific, Measurable, Achievable, Realistic and Time-Bound -- Maybe consider writing down what you will "see" when the Goal is achieved (e.g., a bound/prepared report, or a waistline of 32 inches, or starting a new job, etc.)
    • Fill in the necessary actions required to start, pursue and finish the Goals.  Consider set-up actions such as doing research, preparing files, etc.  Then, add a fairly detailed list of actions to take -- preferably in order -- to achieve the Goal.

But, this is just the beginning...

Take time to review your Goals, at least Monthly.  Ascertain your progress, problems, barriers, and successes.  Take the time to savor your wins and look at ways to achieve the "stretch" Goals.  

If anyone would like a .docx file of the above Goals form, please let me know via the comments to this post.

Lastly, I've used the above process and form to set up my Goals for 2016!  My goals are in the areas of physical health, personal habits, writing, photography, and trying to clean out my office and garage!  I'm excited about the new year and I hope you find this approach and the format above useful!